Even In Complex Education Environments, Access Management Doesn’t Have to Be a Boondoggle

July 11, 2016

Featured article by Dean Wiech, managing director of Tools4ever

Education entities of all stripes – small to large, independent to charter and primary to post-secondary – share many of the same challenges, certainly in regard to the administration of information and access to it. Perhaps just as important as the information being shared with students is providing access to it, through education and learning portals, grading systems and even student information systems. But information in education doesn’t just flow from the organization to students; staff and educators, and sometimes parents, must also be considered when conceiving an effective information loop.

The issue with access usually comes down to a number of problems related to user account management and maintenance, or user-encountered issues like lockouts or forgotten passwords. In technology-managed environments, these issues might be more easily handled, but in environments where manual management is still the norm, access can be a boondoggle.

Even in complex environments, access doesn’t have to be.

Tangipahoa Parish School District, in Louisiana, encompasses 37 schools ranging from kindergarten to 12th grade, with more than 4,000 employees and 19,000 students. Management of the district’s user database was an overwhelming task for the small IT department tasked with the role. This situation was made even more problematic because many of the district’s schools cover only two grade levels, resulting in frequent movement of students from one school to another as they grow into older grade levels. Thus, each time there was a move in the student population, each student and employee also needed to be placed in the appropriate security group so they were able to access the resources required of their “position.” Because of the many associated problems district technology leaders faced, they came to the conclusion that there was a need to find a more efficient solution and began to look for a product to automate the process.

Through its discovery process, district leaders determined they needed to implement many changes to the more than 23,000 user accounts on file, which had to be completed before the beginning of the next school year, at the time just a few weeks away. An access management solution was implemented to take on the task, which also led to the HR department being added to the loop, allowing its members to lead the employee side of providing and managing access rights. Now the district’s HR team can make all the changes to employee accounts as needed in one step, and the updates are correspondingly made in all other appropriate systems. To handle student access, student services essentially took on the same task for the district’s students. Prior to this, the district’s technology, HR, payroll and student information departments all made their own changes, which made it difficult to communicate who was doing what.

Fitchburg State University, in Massachusetts, faced a similar quandary. It possessed more than 44,000 records in student and staff roles, and the number of stale accounts that were no longer needed was much larger. After several attempts to delete users from the school’s roles based largely on account inactivity, which inadvertently deleted hundreds of active users, system admins at the college realized they needed help with the process. “We weren’t able to integrate Active Directory information and the student record system to accurately report information,” said Sherry Horeanopoulos, information security officer at Fitchburg State University.

The university, too, moved forward with an identity and access management solution. Doing so has automated its student onboarding process enormously. Now when students start a new semester, the team at Fitchburg can make sure accounts are set up as soon as the student is registered, paid and confirmed.

Prior to automating the process, a variety of departments and people inputting information on the back end meant there had been a consistent condition to automate account creation. Now, each time an account creation occurs, Horeanopoulos receives an email notification of the new account.

The automated solution queries the student information system searching for new students, changes to existing records and records that exist in AD. When a new record is present, an account is created along with a home directory, password and group memberships. When a record is eliminated from the student information system, the account is automatically disabled and moved to a separate group. After 18 months of being disabled, the accounts are purged from the system.

Back at Tangipahoa Parish School District, while only one department handles all accounts and access, there has been a major reduction in time spent on account management overall; user management is now 100 percent hands off for the technology department. While HR handles all of account management, employees within that department only enter the information once and don’t alter it frequently after that. With the time saved on user management, the technology department can now focus on other areas, such as classroom technology.

Fitchburg saw similar results: Time spent managing accounts was reduced by 75 percent and the university saw a reduction in errors when creating and deleting accounts. Additionally, if a “terminated” or “graduated” flag is set in the student information system, the account is disabled, according to pre-defined rules. If something has changed since the last synchronization, the account may be re-provisioned or specific attributes updated.

The Fitchburg IT team can now easily target each population of users with different conditions. Employees who are retiring keep their accounts for up to 18 months, but employees who are terminated are deleted immediately. If employment is terminated, with one click the person is out of the system, significantly reducing security issues, and work, for the university.
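The lifecycle rules described for the Fitchburg synchronization (create on a new record, disable on a removed or flagged record, purge after 18 months, delete terminated employees at once) can be written as a planning function that compares the two systems and applies nothing itself. This is an added example, not Tools4ever's or the university's code; the `Account` type, the status strings, the 548-day stand-in for 18 months and the 10 percent removal threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PURGE_AFTER = timedelta(days=548)  # roughly the 18 months the article cites
MAX_REMOVAL_RATIO = 0.10           # assumed safety threshold, not from the article

@dataclass
class Account:                     # hypothetical stand-in for a directory entry
    enabled: bool = True
    disabled_on: Optional[date] = None

def plan_sync(sis, directory, today):
    """Plan (action, user_id) pairs from SIS records vs. directory accounts."""
    plan = []
    for uid in sorted(set(sis) | set(directory)):
        rec, acct = sis.get(uid), directory.get(uid)
        status = rec["status"] if rec else "removed"  # record gone from the SIS
        if status == "active":
            if acct is None:
                plan.append(("create", uid))          # plus home directory, groups
            elif not acct.enabled:
                plan.append(("reprovision", uid))     # record is active again
        elif acct is None:
            continue                                  # no account to act on
        elif status == "terminated" and rec["role"] == "employee":
            plan.append(("delete", uid))              # terminated staff: immediate
        elif acct.enabled:
            plan.append(("disable", uid))             # then move to holding group
        elif acct.disabled_on and today - acct.disabled_on >= PURGE_AFTER:
            plan.append(("purge", uid))               # disabled for 18 months
    return plan

def check_plan(plan, directory):
    """Reject a plan that cuts access for an implausible share of accounts."""
    removals = sum(1 for action, _ in plan if action in ("disable", "delete"))
    if directory and removals / len(directory) > MAX_REMOVAL_RATIO:
        raise RuntimeError(f"{removals} removals exceed the safety threshold")
    return plan

# Constructed sample data, not taken from the article.
SIS = {"s-new": {"role": "student", "status": "active"},
       "s-back": {"role": "student", "status": "active"},
       "s-grad": {"role": "student", "status": "graduated"},
       "e-term": {"role": "employee", "status": "terminated"}}
DIRECTORY = {"s-grad": Account(), "e-term": Account(), "s-gone": Account(),
             "s-back": Account(False, date(2016, 1, 5)),
             "s-old": Account(False, date(2014, 12, 1))}
print(plan_sync(SIS, DIRECTORY, date(2016, 7, 11)))
```

Because decisions come from the authoritative record rather than account inactivity, an active user is never removed for being quiet; `check_plan` covers the opposite failure, where an empty or truncated export would otherwise disable everyone.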

Overall, for both education entities, automating the process has meant freeing up more resources, saving money and allowing them greater control over who has access to their systems, rather than letting accounts languish in Active Directory purgatory.

Dean Wiech is managing director of Tools4ever, a provider of access and identity management software solutions to more than 700 educational entities throughout North America.

 
