Privileged Roles

LEA Administrator

Initially, NC DPI will vet a request for an LEA Administrator in a PSU, before granting it. A new Charter School will be the only place where this is common. As soon as they are granted this role, they will have access to administrative and management functions within the NCEdCloud MFA, as well as approve future requests from staff in their PSU. A webform will also be available for opting in to Target Applications and other opt-in features.

Employees are also able to acquire the LEA Data Auditor Role (which is primarily intended for Data Coordinators and Managers to view user profiles and access student and employee data files), the LEA Help Desk, and the LEA Student Help Desk roles. Using the Help Desk role, a user can look up an employee or student and reset their passwords. The LEA Student Help Desk role is the same as the LEA Help Desk role, but only allows access to student accounts. Support is also available for users within a specific school through School Help Desks and School Student Help Desks.

Roles that are “School-only”:

In addition, PSUs may request help desk roles for school personnel (e.g. Instructional Technology Facilitators (ITFs), guidance counselors, etc.).

It is possible for staff members to request a role for more than one school if they support more than one school through their School Help Desk or School Student Help Desk roles. As with all other roles, school roles are requested through the same process, except for the 6 digit Campus Code (3-digit LEA Code + 3 digit School Code). The center section of this page displays this information.

Privileged role requests:

Note: Privileged Role employees must use Multi-factor authentication (MFA) to access their accounts.

  • Under Requests, you can request one of the Privileged Roles for your PSU if it is required for your position.
  • To the right of Applications, click the dropdown arrow.
  • Choosing “Requests” is the next step.
  • Click on Entitlements/Catalog down the left side of the Requests view.
  • Choose a role (such as LEA Administrator, School Help Desk, etc.).
  • When you click on a role, you will see a “Request” button at the bottom.
  • You will be asked to enter the following information once you click on the Request button:
    • Your three-digit LEA code (Charter School codes end with a letter) for all PSU-wide roles.
    • In school-level roles (e.g. Student Help Desk), your 6-digit Campus Code is required.

Frequently Asked Questions

What is the purpose of NCEdCloud requiring MFA?

Since NCEdCloud privileged users (LEA Administrators, LEA Data Auditors, LEA Help Desks, LEA Student Help Desks, School Help Desks, and School Student Help Desks) have access to student and employee data, it will be mandatory for all users with any of these roles to use Multi-Factor Authentication (MFA) in the NCEdCloud IAM Service in order to access student and employee data. From 2019, NCDPI implemented multi-factor authentication for privileged users statewide. Here is more information about MFA.

What are the procedures for requesting privileged roles?

In the case of new charter schools, the Tech Director or CTO should be the first to claim their account and request the LEA Administrator role.

Before granting the LEA Administrator role to a PSU, NCDPI support staff will vet the first request. Upon granting an LEA Administrator access, their PSU’s employees and students will be able to approve future Requests and have access to administrative functions in the IAM Service. Additionally, they will be able to access protected content on the LEA Administrator website.

All LEA Administrators for their PSU will receive an email notifying them that a request is awaiting their approval when another employee requests a privileged role. Once an approval has been submitted, the LEA Administrator (the first one to act) will go to Requests and check under Tasks -> Approvals for any outstanding requests and approve them or deny them.

Can an employee request roles with elevated privileges?

LEA Administrators, LEA Data Auditors, LEA Help Desks, LEA Student Help Desks, School Help Desks, and School Student Help Desks are all roles employees can request using the Request process. The Request view is usually displayed at the top of the page (where “Applications” is usually displayed), and employees can request the appropriate role using this view.

Depending on the employee’s needs, the LEA Administrator for the PSU may grant or deny the request.

It is not necessary to have other roles in addition to LEA Administrator in order to have all the privileges of LEA Data Auditor, LEA Help Desk and LEA Student Help Desk, etc.

Can employees’ “Privileged Roles” be revoked in the IAM Service?

There are two methods to revoke privileged roles (e.g. LEA Administrators, LEA Data Auditor, LEA Help Desks, LEA Student Help Desks, Schools Help Desks, and/or School Student Help Desks):

By using the same workflow process they used in request to acquire the role, the user with the elevated privilege can revoke the role on their own.

Following a successful login to the IAM Service, for instance:

  • Choose Requests from the drop-down menu under Applications.
  • The My Entitlements section is located on the left side of the screen.
  • Revoke the role by unchecking it.
  • In the bottom left corner, click the Request button.
  • As soon as possible, the privileged role will be revoked.

In order to remove roles at the PSU, LEA Administrators must open a Sales Force ticket with Identity Automation by following these steps:

  • Click on the Identity Automation Support Community icon in Applications.
  • For customer support, please go to or contact us.
  • You can reach us by sending an email to: [email protected]

NOTE: While an LEA Administrator does not have the ability to directly remove another employee’s elevated privileges, if necessary, an LEA Administrator is able to immediately disable an account. In the Training Videos, you’ll find instructions on how to disable someone’s account (under the Applications tab -> Training -> LEA Administrator Training).

Roles and responsibilities management

  • Reviewing and approving other users’ requests for roles.
  • In order to be granted the LEA Administrator role, the Technology/School Leadership must identify others in the district or school who need the privileged roles listed here, and have them submit role requests. A PSU’s LEA Administrators Group (all employees with the LEA Administrator role) will approve new staff requests once there is at least one LEA Administrator in the PSU. LEA Administrator Role has all available privileges and does not require any other role to see pending requests. These pending requests can be found under Tasks / Approvals on the left side of the Requests View. Data Managers with the LEA Data Auditor role can also request the LEA Help Desk Role if they wish to reset passwords for other employees (possibly in a small LEA or charter school).

Role-based management of privileged users

In order to execute these commands, you will need an LEA Administrator role. If your school does not have an LEA Administrator, please follow the instructions on this page.

An instruction sheet is provided below, along with documentation on revoking privileges and resetting the OTP for those who are not familiar with how to check who has privileged roles in your PSU.