LEA Administrators

Target Applications

Our Target Applications page lists all opt-in Target Applications that are currently being integrated with NCEdCloud accounts (and so much more).

From that page you can submit a request to opt in to an approved Target Application (for example, Canvas, DiscoveryEd, Destiny, Clever, etc.), suggest a new Target Application, or submit a form to remove a Target Application from NCEdCloud for your PSU (for example, when you decide not to renew your contract with a vendor for an application you used).

The process of disabling users in NCEdCloud

An LEA Administrator can disable a user account from the People view, so the user can’t access NCEdCloud. This function should only be used for “emergency” disables related to terminations or security compromises. You may need to override the nightly source data system updates to enable or disable accounts. NCEdCloud IAM service accounts are ultimately controlled (enabled and disabled) by those source data systems. You can read more about all of this in the document linked below.

Information about LEA administrators

There is information specific to LEA Administrators on this page. To access some content (such as opt-in webforms), you must log into NCEdCloud. A section below contains FAQs specific to LEA Administrators, in addition to the content presented here and on the linked pages.

Assistance with escalation (LEA Administrators)

You may be able to find an answer to your support issue based on what you see on the NCEdCloud IAM Service status page at https://status.ncedcloud.org, before submitting a support ticket. Check out the FAQs at the bottom of this page and the Main FAQ page (Top Navigation) for common issues or the Account Claiming Issues page for new users if that isn’t what you’re looking for.  Identity Automation Support should be contacted for NCEdCloud IAM Service issues that cannot be resolved within the LEA.

You can only open a ticket in Identity Automation if you have the LEA Administrator role in NCEdCloud.

You can reach the Customer Support Community at https://identityautomation.force.com/support/s

For support, please email identityautomation.com

For more information, please call +1 (919) 747-4923

 NCEdCloud IAM Service Applications can also be accessed by clicking the Identity Automation Support Community icon (shown left).

FAQs

How can IAM Service Profiles users view the “My Students” tab?

Employees who log into the Rapid Identity Portal under Profiles view will be able to see the “My Students” tab depending on whether they have the designated “Teacher Job Code.” NCDPI sets up job codes, which employees receive from their payroll system and store in their UID. Employees can access the My Students tab by using the following job codes (sometimes referred to as object codes).  This tab allows employees to reset passwords for students within PowerSchool who have been assigned to them as primary teachers (typically for their classes).

The following job codes are available:

  • 121 Teacher
  • 122 Interim Teacher
  • 123 JROTC Teacher
  • 124 Foreign Exchange (VIF)
  • 125 New Teacher Orientation
  • 126 Extended Contracts
  • 127 Master Teacher
  • 128 Re-Employed Retired
  • 131 Instructional Support I
  • 132 Instructional Support II
  • 134 Teacher Mentor
  • 135 Instructional Facilitator
  • 142 Teacher Assistant NCLB
  • 162 Substitute Teacher Regular – Teacher Absence
  • 164 Substitute Teacher – Full Time Certified

Those employees that do not have the above job codes, but have students assigned to them, can optionally request the “My Students for Non-teachers” exception role in the IAM Service. When granted, this role allows employees who are teaching classes but do not fall within the previous job codes, to view their assigned students via the “My Students for Non-teachers” tab in the IAM service.  As this role expires on June 30th of the school year after it is granted, you must request it each year.

Employees would request this role by logging into my.ncedcloud.org and following the instructions:

On the left, click “Workflow” -> Click “Requests” -> Check “My Students for non-Teachers” -> Click “Submit Request”

The approval request would then be forwarded to an employee with the role of LEA Administrator in your LEA/Charter School.

Whenever I try to log on, I get an error message. What should I do?

It’s likely that you reached the Login Screen (where you enter your username) after using the “back button” or setting a “bookmark” on it. 

You can access your applications or change/reset your password using the IAM Service by going to my.ncedcloud.org. Bookmark the page where you see your applications. If you click on the bookmark you created for the Applications page again in the future, it will redirect you to NCEdCloud and then the Logon page. It may error out if you attempt to log in directly by bookmarking the login screen. The IAM Service does not know where to send you after logging in (e.g. RapidIdentity, PowerSchool, etc.).

Is it possible to get an IAM Service account for a contract employee?

When contract employees aren’t in the payroll system of their PSU (which is how most employees create records in the Staff UID System) they can create their records directly in the Staff UID System and get an account in the NCEdCloud IAM Service. On the NCDPI website, you can find information about the UID System. For information about obtaining non-PSU employee IDs, click Acquiring Staff IDs for Non‐Payroll Staff.

You will need to add Contract employees to your PowerSchool instance, making sure that their UID number is in the StatePrid field, because it is used when the NCEdCloud IAM Service is used to access PowerSchool.

Does the IAM Service have an opt-in option?

Currently, all Home Base applications are included in the NCEdCloud IAM Service, which is no longer an opt-in service (you must go through the NCEdCloud portal to access Home Base / statewide applications). Users log into the NCEdCloud IAM Service once and, through Single Sign-On (SSO), can then access the Home Base applications and any other applications/resources integrated with the IAM Service for your PSU without logging in again.

If you want these integrated with the NCEdCloud for your PSU, visit the Target Applications page to see what’s available. Non-home base Target Applications will remain an opt-in option for PSUs.

What is the difference between disabling accounts from source updates and disabling accounts from account disables?

Users with the LEA Administrator role can access three features in the People view of the NCEdCloud IAM Service:

  1. Disable/Enable buttons for user accounts
  2. The Disable Updates from Source Data checkbox
  3. Overrides for LEA employees, students, and parents (left navigation)

First, the Disable button on its own temporarily prevents a user from logging into the IAM Service, but the next morning the account will be re-enabled if the uploaded user data still shows the status as “Active”.

Second, if you disable the IAM Service account AND check the Disable Updates from Source Data checkbox, the account will become disabled, and the nightly source data will no longer change that.

Third, the Overrides views show which accounts are currently disabled from nightly updates. This is important if transferring staff or students can’t log in. Until the previous PSU unchecks the Disable Updates from Source Data box, the user will not be able to log in or see your applications (if their LEA Code hasn’t been updated with the new PSU’s code).
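
The interaction between the Disable button, the checkbox and the nightly feed is easiest to see as a small state model. This is an added example, not NCEdCloud or Identity Automation code; the class, the function names, the UIDs and the LEA codes 111 and 222 are constructed, and the update rule is an assumption based on the description above.

```python
"""Toy model of the Disable button, the checkbox and the nightly feed (illustrative)."""
from dataclasses import dataclass


@dataclass
class Account:
    uid: str                        # constructed sample UIDs, not real ones
    lea_code: str
    enabled: bool = True
    updates_disabled: bool = False  # "Disable Updates from Source Data" checkbox


def admin_disable(account, check_box=False):
    """LEA Administrator clicks Disable, optionally also ticking the checkbox."""
    account.enabled = False
    account.updates_disabled = check_box


def nightly_update(account, source_status, source_lea_code):
    """Apply one night's source record to the account (assumed behaviour)."""
    if account.updates_disabled:
        return account              # override active: source data is not applied
    account.enabled = source_status == "Active"
    account.lea_code = source_lea_code
    return account


def overrides_report(accounts):
    """Stand-in for the Overrides views: accounts excluded from nightly updates."""
    return [a.uid for a in accounts if a.updates_disabled]


def run_scenarios():
    # 1. Emergency disable, button only; payroll still lists the user as Active.
    button_only = Account("1000000001", "111")
    admin_disable(button_only)
    nightly_update(button_only, "Active", "111")

    # 2. Emergency disable with the checkbox ticked: the feed cannot re-enable it.
    locked = Account("1000000002", "111")
    admin_disable(locked, check_box=True)
    nightly_update(locked, "Active", "111")

    # 3. A locked user transfers from PSU 111 to PSU 222. The new PSU's data is
    #    ignored until the previous PSU unchecks the box.
    moved = Account("1000000003", "111")
    admin_disable(moved, check_box=True)
    nightly_update(moved, "Active", "222")
    before = (moved.enabled, moved.lea_code)
    moved.updates_disabled = False  # previous PSU clears the override
    nightly_update(moved, "Active", "222")
    after = (moved.enabled, moved.lea_code)

    return {
        "button_only_enabled": button_only.enabled,
        "locked_enabled": locked.enabled,
        "transfer_before": before,
        "transfer_after": after,
        "still_overridden": overrides_report([button_only, locked, moved]),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

For a termination or compromise, scenario 1 is the case to watch: the account is usable again the next morning unless the source record is changed or the checkbox is set.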

When setting up Challenge Questions, what are the criteria?

Challenge questions should meet the following criteria:  

  • There are 10 questions listed, 5 of which must be answered
  • 3 or more characters are required for the answers
  • The same answer cannot be given to more than one question

Moreover, answers are not case-sensitive.

For example, if you initially answer only 5 of the questions, you will be challenged with 2 of those 5 in the password recovery process. A question you did not answer during setup will never be asked. If you initially answer 6 questions, you will be challenged with 2 of those 6.

What is the best way to update a user that appears in more than one PSU at the same time?

Most of the time, when an employee transfers from another PSU, the former PSU’s payroll system has not been updated in a timely manner (and therefore the Staff UID system has not been updated). Whenever you find that one of your users still lists their former PSU in their profile, you will have to get in touch with the former PSU (usually payroll, but a peer may be able to assist you) and ask them to update the record (to “inactive” for the former PSU).

On the NCDPI website, you can find contact information for the PSUs in the NC EDDIE system, which can be found here: https://www.dpi.nc.gov/districts-schools/district-operations/financial-and-business-services/eddie.

Steps to be taken:

  • There needs to be a mark of “Inactive” applied to the employee’s payroll record at the former PSU.
  • In order for the record to become “inactive”, it must be uploaded to the Staff UID System, which will trigger the marking of the record at the former district as “inactive”.
  • There will no longer be any pull of old data into the IAM Service on the following business day, and as a result “old” information should no longer appear in the IAM Service Profile of the user.

There is an option to escalate the issue with Identity Automation (see Escalating Support on the LEA Administrators page) if you are having difficulty getting it resolved directly. Identity Automation will then work with NC DPI to resolve the issue for you.

Is it possible to log in using an email address?

Staff and students have the option to choose an “Alias ID” as their default username. In addition to the numeric state UID (up to 10 digits), we also implemented an enhancement to allow PSUs to opt-in to use an “Alias ID”. In the case of a nightly file upload, the PSU will provide a “local ID”, usually the local username in Active Directory or another directory.

The Alias ID page under Opt-In Features is also linked above if LEA Administrators are interested in using an Alias ID.

Do employees and students need an email address to access the IAM Service?

NCEdCloud’s IAM Service can be accessed without an email address in the account data of both staff and students, however there are some drawbacks.

  1. There are some internal messages (in the IAM Service) that require an email to function – for example, “I forgot my password”
  2. An email address is required when users login to some Target Applications. Users won’t be able to login to the application if it isn’t present in the source data (e.g. PowerSchool, LINQ HR, HRMS), and therefore some functionality will be limited if it isn’t updated in the IAM Service.
  3. Users who do not have an email address in the IAM Service cannot use Alias ID if a PSU opts in to Alias ID (and uses an email address rather than a numeric UID to log in).

Is it possible to change the email address associated with an NCEdCloud account?

The IAM Service does not allow users to edit their profiles to add/change their email addresses. Email addresses are derived from nightly source data. The email address of every student always comes from their Student System record. In the nightly data feed, the first email address found for an employee is used. It prioritizes PowerSchool records, LINQ HR, and finally HRMS.  In the nightly updates, only the PowerSchool address will be captured if a teacher has an email address in PowerSchool AND in HRMS.

As some target applications require email addresses for user accounts, PSUs should populate email addresses for all their users. These target applications may have significant limitations if email is not associated with the provisioned/rostered user account.

Our process for populating employee emails into NCEdCloud accounts has been intermittent for several years. While certain parts of this process have been repaired and improved, it still isn’t working reliably.

There are rarely any problems with employee emails populating correctly in NCEdCloud from NC SIS (PowerSchool).

NCEdCloud accounts will not be reliably populated with employee emails from LINQ or HRMS. This data may or may not be consistent across PSUs.

Last but not least, if the PSU chooses to use Alias ID with an email address, users without an email address will only be able to log into the NCEdCloud IAM Service with their UID as their username.

When an employee’s email address in NCEdCloud IAM Service is incorrect or missing, what should I do?

In order to get employee email addresses, two or three source systems must be searched in a specific order. PowerSchool is checked first, followed by LINQ HR (if used by the LEA), then HRMS. Upon discovering an email populated for a user, the process stops.  NCEdCloud may show a mismatch if HR updates HRMS and the employee has a new record in PowerSchool – but the email in PowerSchool appears in NCEdCloud.

Furthermore, for an employee’s email address to be passed to the IAM Service, the “school identifier” in the source data must match the “schoolID” in the UID system (3 digits identifying the school, or 6 digits with the LEA code + the school code). The school identifier is the “homeschool” field in PowerSchool, the schoolID in LINQ HR, and the schoolID in HRMS. In each scenario, the school identifier found in PowerSchool, LINQ HR, or HRMS must match the school identifier in the user’s active UID record. For example, a user whose email address and homeschool code are listed in PowerSchool, but who is listed in UID with the System Office code (000), does not have matching records, so the email address will not appear in the IAM Service. This is one reason the IAM Service may not display an email for an employee.

Verify that the school code is contained in the fields listed above and matches the value of the school ID in NCEdCloud’s UID system when troubleshooting why a staff member’s email is not populated.
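
The lookup order and the school-identifier check can be modelled as a small troubleshooting helper that reports which source system supplied the email, or why none was passed. This is an added example, not NCEdCloud or Identity Automation code; the record layout, the function names and the rule that a mismatch on the first populated source yields no email are assumptions drawn from the description above, and LEA code 999 and all addresses are constructed.

```python
"""Model of the employee email lookup described above (illustrative only)."""

SOURCE_ORDER = ("PowerSchool", "LINQ HR", "HRMS")  # order given in the FAQ


def school_key(value, lea_code):
    """Normalise a school identifier to 6 digits (LEA code + 3-digit school code)."""
    value = str(value).strip()
    return lea_code + value if len(value) == 3 else value


def resolve_email(uid_record, sources):
    """Return (email, source, reason); email is None when nothing would populate."""
    lea = uid_record["lea_code"]
    for name in SOURCE_ORDER:
        rec = sources.get(name)
        if not rec or not rec.get("email"):
            continue                      # nothing populated here, keep looking
        # The first populated email ends the search; later systems are not read.
        if school_key(rec["school"], lea) == school_key(uid_record["school_id"], lea):
            return rec["email"], name, "ok"
        return None, name, (f"{name} school {rec['school']} does not match "
                            f"UID schoolID {uid_record['school_id']}")
    return None, None, "no email populated in any source system"


# Constructed sample data: LEA code 999 and all addresses are placeholders.
CASES = {
    "stale PowerSchool masks HRMS update": (
        {"lea_code": "999", "school_id": "304"},
        {"PowerSchool": {"email": "old.name@example.org", "school": "304"},
         "HRMS": {"email": "new.name@example.org", "school": "999304"}},
    ),
    "UID lists System Office (000)": (
        {"lea_code": "999", "school_id": "000"},
        {"PowerSchool": {"email": "teacher@example.org", "school": "304"}},
    ),
    "only HRMS populated, 6-digit form": (
        {"lea_code": "999", "school_id": "312"},
        {"PowerSchool": {"email": "", "school": "312"},
         "HRMS": {"email": "staff@example.org", "school": "999312"}},
    ),
    "no email anywhere": (
        {"lea_code": "999", "school_id": "312"},
        {"PowerSchool": {"email": None, "school": "312"}},
    ),
}


def run_cases():
    """Resolve every constructed case and return the results keyed by label."""
    return {label: resolve_email(uid, src) for label, (uid, src) in CASES.items()}


if __name__ == "__main__":
    for label, (email, source, reason) in run_cases().items():
        print(f"{label}: email={email} source={source} ({reason})")
```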

Is there a way to view a list of employees or students at my university?

Using the “Search” function in the People View in the IAM Service, you can select the users you want to look up by clicking on the Manage LEA Employees or Manage LEA Students tabs (on the left). To search for users, you need to enter some criteria. Entering an asterisk (*) in the search window and clicking the Search button is the simplest way. Any query can only return 1000 records that match, however. Alternatively, you can enter P + asterisk (P*) in the search window and click Search to find all users beginning with P.

In order to apply filters to your search, click on Advanced Search Mode and then “Open LDAP Builder”, then enter more specific criteria in the search box. Enter the first filter first, then the operator (e.g. =), and then the value or a combination of letters and wildcards. Click on Update at the bottom to update the filter string. When you return to the list view, it should display the filter string (with the magnifying glass symbol) in the search box.  A list of users matching your search string should appear after clicking on the magnifying glass. 

To get users whose last names may be followed by generational qualifiers such as Jr., III, etc., it’s always useful to enter an asterisk wildcard after the last name.

A query of user data can serve two purposes. The first is to obtain answers about your data. The second is to take action based on the results. For example, resetting student passwords to their IAM “default passwords”.

What is the process for requesting privileged roles?

If the PSU is a new charter school, the Tech Director or Chief Technology Officer should be the one to claim the account and request the LEA Administrator role.  

Prior to granting the LEA Administrator role, NCDPI support staff will vet the first request from a PSU. In addition to being able to approve future requests, an LEA Administrator will also have access to administrative functions in the IAM Service for their PSU’s employees and students once granted. The LEA Administrator website will also be accessible to them where more protected content can be found.

When another employee requests a privileged role, all LEA Administrators for their PSU will receive an email notifying them that a request is waiting for their approval. An LEA Administrator (whoever acts on the request first) can then check for any outstanding requests under Tasks -> Approvals and either approve it or deny it.

What happened to some of my employees in the NCEdCloud IAM Service?

If your PSU has employees who used accounts in the IAM Service, but the accounts are no longer available, the first place to check is typically the payroll system (Charter Schools may need to contact the management company). This sometimes happens with 10- or 11-month employees when their start dates in the payroll system are not present or do not include the upcoming school year.

It is the payroll system that identifies which employees should be active in your PSU and is the authoritative source of data for the Staff UID system. All active UID accounts are sent their data nightly to the IAM Service (as active records). You can see how staff and student data enters the IAM Service by viewing the source data workflow here.

The Staff UID system will mark employees as inactive if your payroll system does not show them as “active” when the CEDARS UID extract is sent. Inactive UID staff data is not sent to the NCEdCloud IAM Service during the nightly updates, so an IAM Service account that does not appear in the feed is marked as inactive. When this happens, the user won’t be able to log in and the account won’t be visible in the NCEdCloud IAM Service. In the UID system, the user record is still there; however, until the user record is marked Active and picked up by the DPI feed on a nightly basis, the account will remain “missing”.

You will need to update your existing job record with a new Start and End date in order to keep your 10, 10.5, or 11 month employee jobs active within the IAM Service if your current payroll practice is to end jobs for your 10, 10.5, or 11 month staff. If an employee does not have a future or active start date within payroll, the CEDARS UID Export will indicate them as Inactive.

Single Sign-On (SSO) doesn’t always work, and I must sign in to each application individually. Why does this happen?

Opened web browser tabs or windows in “private” or “incognito” mode will prevent the sharing of session information among other tabs/windows. NCEdCloud IAM applications cannot be accessed in a new private tab or window because there is no “memory” of logins done within other tabs. 

To use Single Sign On with NCEdCloud Target Applications (e.g. PowerSchool, Amplify, Destiny, etc), you must disable private or incognito mode.

How do I add Grades 5/6 to my PSU’s Amplify icon?

The Amplify Request Form can be submitted by your PSU for students in grades 5 and 6 if it has purchased ADDITIONAL Amplify coverage. As we cannot currently manage school-level icons for the entire state, the icon will be displayed to ALL students in the selected grades once enabled. It is required that a PSU staff member with the LEA Administrator role fill out and submit this form.

Can an employee request roles with elevated privileges?

LEA Administrators, LEA Data Auditors, LEA Help Desks, LEA Student Help Desks, School Help Desks, or School Student Help Desks can all be requested through the Request process. When an employee needs one of these roles, they should select the Request view at the top of the page (where “Applications” is usually displayed), and request it.

A PSU LEA Administrator decides whether the request should be granted or denied, as well as determines whether the employee’s needs are met.

Note: It is not necessary for LEA Administrators to also have other roles, since they automatically have all the privileges of LEA Data Auditor, LEA Help Desk, and LEA Student Help Desk, etc.

Is there a way to get New Teachers into the IAM Service within a few days?

The UID process is required for all users, including new teachers, to be able to access the IAM Service. Please follow the steps below for a detailed explanation…

A brief summary of the UID: 

A new employee with a future start date is eligible to receive a UID as soon as he or she is hired and has access to professional development tools. For the current fiscal year, some payroll systems (such as LINQ) include new hires with future start dates in the UID export. Our recommendation is that you contact your vendor and request that they fix the UID export file issue as soon as possible if you do not see new employees with future start dates in your payroll system. In the meantime, these new employees can be manually added to the Staff UID system using the “Add Staff” feature available to authorized users.

The Staff UID System’s “Add Staff” feature provides a staff member with a UID, activates them at the appropriate location(s), and provisions the staff member’s account to downstream systems (NCEdCloud, PowerSchool, etc.) outside of the payroll file export process.

Is there a default timeout for NCEdCloud IAM Service and its target applications?

  • Each application has its own timeout – they vary from application to application
  • RapidIdentity Portal for NCEdCloud IAM Services:
    • Timeout for inactivity at the login screen (visiting the login screen but not logging in) = 5 minutes
      • Whenever you time out in the login window, close the window/tab, open a new one, and try again. (NEVER use the Back arrow or button.)
    • As soon as you log into the NCEdCloud portal, your inactivity timeout will be 8 hours
  • In SAML, assertions have a 5-minute timeout (the assertion itself).
    • The SAML assertion will be checked if the timeout is > 5 minutes, and the application will handle it according to its configuration.
  • When users are finished with their browser session (Chrome, Safari, Firefox, etc.), they should completely shut down their browser.
    • A good example is Google Apps. When a user logs in to Google Apps and the IAM Service is integrated, they remain logged in until they close their browser, which could be days or weeks later.

Are there any differences between setting up a student account for a primary and a secondary student?

The PSU must always distribute usernames (student number or Alias ID) and passwords directly to primary students (grades PK-5). This may include default passwords or reset/changed passwords (see Teachers section). For primary students, there is no claim account process (or challenge questions). PSUs can also use NCEdCloud badges (QR codes) or pictographs.

It is possible for PSUs to distribute the usernames and default passwords directly to secondary students (grades 6 and higher), or they may choose to have them claim their own accounts. Secondary students need their pupil number, grade, birthday in YYYYMMDD format, and PSU (LEA) code to claim their account. It is required for secondary students to answer at least five challenge response questions during the account claiming process (or at the first login if usernames and passwords are provided to them). Secondary students cannot receive student badges or pictographs (see: Student Account Claiming).

The RapidIdentity Portal cannot be used to perform “operations” (e.g. change passwords) on both Primary and Secondary students since the password policies for each are different.

How do I know when updated source data must be included in the IAM service the next day?

After normal school hours (usually 5:00 PM or later) on Monday through Friday, DPI processes user data provided to NCEdCloud IAM, and on Sunday evening, in order to pick up any weekend changes. Monday through Saturday, processing continues into early morning. It is provided to the IAM service the following morning if a user record in one of the source systems is updated before the evening cut-off time of that source system (PowerSchool, LINQ HR, Payroll, etc.). Due to the fact that DPI processing does not take place on Saturday evenings, updates are usually not provided to the IAM service on Sundays.

How can teachers prevent their students from changing their passwords? 

As we understand that some PSUs are concerned about teachers setting their students’ passwords, we did not make the feature an option for PSUs that wanted it, since the IAM Service is a solution for the state as a whole. However, please keep in mind that ALL password changes are audited within the service, so a record of any password transaction is captured along with who made the change.

If my email address is invalid or missing, how can I locate it in NCEdCloud?

In order to find accounts with an invalid or missing email address, follow these steps: 

  • Choose the Manage LEA Students or Manage LEA Employees tabs (under People).
  • Make sure the “Advanced Search” box is checked and the “Open LDAP Builder” box is selected
  • For the field, select “email”, select != for the operator (does not equal), and enter *@*.* for the value

In the search window, click the magnifying glass at the end of the search box (“search”), and then click the Update button at the bottom.

The equation: email != *@*.* means that the email does not have the form of some text, an @ sign, more text, a dot, and more text (where the “*” wildcard specifies any value).

All users with incorrect email addresses or without an email address will be returned by this search.

If you would like to narrow your search further, you can also enter other filter values, such as Campus Code = xxxxxx, or Last Name = Gre.
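
The filter is a coarse shape check, so it helps to know which addresses it returns and which malformed ones it lets through. The sketch below is an added example, not part of the IAM Service: it assumes the filter value is the wildcard pattern *@*.*, emulates the match locally, and adds a stricter second pass over an export. The function names, the stricter pattern and all sample records are constructed.

```python
"""What the LDAP Builder filter  email != *@*.*  selects, and what it lets through."""
import re
from fnmatch import fnmatchcase

FILTER_VALUE = "*@*.*"   # assumed wildcard value; "*" matches any run of characters
# Written as an RFC 4515 filter string this is a negated substring match,
# (!(email=*@*.*)), using the builder's field label; the directory attribute
# behind that label is not given on this page.


def flagged_by_filter(record):
    """True when the record would be returned: email absent or not matching."""
    email = record.get("email")
    return not email or not fnmatchcase(email, FILTER_VALUE)


# Stricter follow-up check (an addition, not an IAM Service feature): exactly
# one "@", no whitespace, and non-empty dot-separated labels in the domain.
STRICT = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")


def audit(records):
    """Return (UIDs the filter returns, UIDs only the strict check catches)."""
    by_filter = [r["uid"] for r in records if flagged_by_filter(r)]
    missed = [r["uid"] for r in records
              if not flagged_by_filter(r) and not STRICT.match(r["email"])]
    return by_filter, missed


# Constructed sample records; UIDs and addresses are placeholders.
SAMPLE = [
    {"uid": "2000000001", "email": "pat.green@example.org"},  # well formed
    {"uid": "2000000002", "email": None},                     # missing
    {"uid": "2000000003", "email": ""},                       # empty string
    {"uid": "2000000004", "email": "pgreen@school"},          # no dot after @
    {"uid": "2000000005", "email": "pgreen.example.org"},     # no @
    {"uid": "2000000006", "email": "p green@example.org"},    # space
    {"uid": "2000000007", "email": "pgreen@@example.org"},    # double @
    {"uid": "2000000008", "email": "pgreen@example..org"},    # empty domain label
]

if __name__ == "__main__":
    returned, slipped = audit(SAMPLE)
    print("returned by the filter:", returned)
    print("malformed but not returned:", slipped)
```

The last three sample records match the wildcard pattern, so they would not appear in the search results even though they are not usable addresses.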

How can an employee’s “Privileged Roles” be revoked?

You can revoke privileged roles (e.g. LEA Administrator, LEA Data Auditor, School Help Desk, School Student Help Desk, etc.) in one of two ways:

Using the same workflow process as when they first requested the role, the elevated privilege user can self-revoke a role.

The following steps can be taken after logging into the IAM Service:

  • Select Requests from the dropdown menu under Applications
  • My Entitlements (along the left side)
  • Revoke the role by unchecking it
  • Click the Request button at the bottom of the page

There would be an immediate revocation of the privileged role.

What is the process for reclaiming an account?

The employee (or secondary student) does not need to go through this process if they have been using their account and transfer to another PSU. They then log into their account as usual and see the new PSU’s applications.

The account can be reset if a “new” user does not remember his or her challenge questions or password (or cannot claim the account), as described below.

An account can be restored to unclaimed status by following these steps:

  • You can retrieve the account of an LEA employee (or student) by entering their UID number in “People” > Manage LEA Employees (or Students).
  • Click Details when you hover over the record (or click on the checkbox)
  • Click on “Edit Profile”
  • Uncheck the “Disable Account Claiming” box
  • Changes can be saved by clicking “Save”
  • Select the user record by clicking on the box at the left
  • You will be prompted to confirm “Yes” once you have clicked on “Reset Challenge Responses” at the bottom of the page.

The claim process can now be started by clicking the “Claim” button. Note that your PSU’s LEA Code and the UID (which you can provide) are required for the claim process, so you don’t need to change or reset the password.

What is the process for teachers to change the passwords of their students?

Changing a student’s password

Teachers can change students’ passwords by following the same steps as above and clicking on the “Change Password” button at the bottom.

The New Password box will require you to enter your new password, and the box below it will require you to verify it. Click Save and tell them what password they should use going forward, or check the box for “User must change password at next login” if you want to require them to do so. When they log in, they will be forced to enter a new password. Once you click Save, note any confirmation messages.

What is the process for changing the Default Password for students?

It is possible for LEA administrators to regenerate the DEFAULT passwords for their students as follows:

  • for the entire PSU
  • by School (Campus Code), or
  • by Grade
    • for the entire PSU or
    • within a single School

Students can also be forced to change their passwords when they first log in using the workflow Request that changes the Default Password.

Claiming an account

  • For information on what types of situations can result in a user being unable to successfully claim their account, please visit the Account Claiming Issues page (and FAQs).
  • If you choose to have 6-12 graders “claim” their accounts (also see the Teachers page), you can see what the claiming process looks like on the Student Account Claiming page. In order to reset their passwords, older students (6-12 grade) must still answer security challenge questions when they login for the first time.
  • Badges can also be used by younger students (grades PK-5).

Information about data security

As an LEA Administrator of employee and student data, you may be subject to a number of Federal and State regulations, privacy laws, and guidelines. Before downloading any files to your devices, make sure you understand your responsibilities regarding protecting and securing your LEA data. The following link provides some resources.