1 of 30

Student Management System

Groups, Users and Privileges:

A Deep Dive (plus bonus tips!)

Kieran O’Connor, ESM Schools

Presentation: esmschools.org/oconnor

Scan me!

(if you trust me)

2 of 30

Kieran O’Connor

  • East Syracuse Minoa Schools
  • Exec Dir: Planning, Dev., & Technology
  • Data Privacy Officer
  • PreK-12--3,500 students, CNY
  • koconnor@esmschools.org
  • 315-434-3008 desk
  • Schools I’ve gone to

3 of 30

Goals of Presentation

  • Provide examples of how you can think about and manage your SMS groups/users
  • Provide strategies you can bring to your District
  • Collaborate on real life examples
  • Address audience questions/scenarios
  • Plus, bonus content!

4 of 30

Overview

We will discuss/think about:

  • Setting up groups in your SMS, and assigning privileges to those groups
  • Adding/managing people in user groups, based on their job needs
  • Performing self audits

5 of 30

Question:

  • Have you reviewed your SMS groups in the
    • Last year
    • Two years
    • Five years
    • Ever?
  • How about a review of users assigned to those groups?

6 of 30

  • Review your user groups in the Student Management System
    • Do you have the right groups?
    • Do you need to consolidate or create new groups?
    • Only THEN assign privileges to your groups.

7 of 30

  • Your list of groups should be simple enough that whoever assigns SMS access knows what to do
  • Teachers get the “Teacher Group,” etc.
  • Create whatever groups you need
  • You may need to add/delete them over time
  • If in doubt, UNDER privilege your groups

8 of 30

9 of 30

Here are some of the permissions one of our groups has

10 of 30

  • ***Demo of SMS groups report
  • Now that you have reviewed your groups and privileges, the next step is to review WHO is in each group
  • Take the time to go over the lists carefully
  • If in doubt, remove the person from the group. DO NOT HESITATE!

11 of 30

  • Better to remove user access and let them ask for it back. No one ever says “I have too much access”
  • Create an account matrix, add BOCES/other partners too (next slide)
  • ***Demo of SMS user report

12 of 30

FAKE DATA

13 of 30

FAKE DATA

14 of 30

  • You will also find:
    • Staff have changed roles, and need to shift to other groups, or lose access completely
    • Some need additional privileges. If so, give them an additional group(s) (“stacking”), don’t add the privilege to the current group

15 of 30

Things to think about

  • Staff/parent accounts should be separate for data security! Don’t use school email for parent access--why?
  • You may need help with account management from HR, or other office(s)

16 of 30

  • It’s not personal! It’s “need to know”
  • It’s also about risk reduction
  • Exceptions need a formal request from a supervisor, and approval from the SMS admin
  • Document the request and approval! No exceptions. We get audited!

17 of 30

  • When staff leave, remove their SMS group from their SMS user account
    • We use retirees a lot, but their roles are different. HR guy is now on special projects.
  • Watch for account re-use: Student → Parent → Staff. You are editing history

18 of 30

  • Superusers--should be limited
  • BOCES & Mindex staff: create a Superuser lite, move people as needed
  • Do partners have MFA?

19 of 30

  • OK, you’ve done all the work, you’re done, right? Nope, now do an audit of
    • Groups--adjust them if needed, including privileges (every other year)
    • Users--confirm users in groups (annual)
    • July 1 disable all BOCES/Partner accounts/SMS provider/etc
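
An added example, not part of the original presentation or any SMS vendor's tooling: a self-audit pass over a user/group export that applies the checks from these slides (departed staff still in groups, superuser on an everyday account, partner accounts not re-approved since July 1, parent accounts on school email). The CSV columns, group names, `district.example` domain and the `last_approved` field are assumptions made for this sketch.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions for this example,
# not the layout of any real SMS report.
SMS_EXPORT = """username,email,account_type,groups,enabled,last_approved
jsmith,jsmith@district.example,staff,Teacher,yes,2024-08-20
mlee,mlee@district.example,staff,Teacher;Attendance,yes,2024-08-20
rjones,rjones@district.example,staff,Counselor,yes,2023-09-01
admin1,admin1@district.example,staff,Superuser;Teacher,yes,2024-08-20
vendor1,vendor1@partner.example,partner,Superuser Lite,yes,2024-03-15
pdoe,pdoe@district.example,parent,Parent,yes,2024-09-05
"""
HR_ACTIVE = {"jsmith", "mlee", "admin1"}  # constructed HR roster


def last_july_1(today):
    """Most recent July 1 on or before `today`."""
    y = today.year if (today.month, today.day) >= (7, 1) else today.year - 1
    return date(y, 7, 1)


def audit(export_text, hr_active, today, school_domain="district.example"):
    """Return (username, finding) pairs for enabled accounts that need review."""
    findings = []
    cutoff = last_july_1(today)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "yes":
            continue
        user, kind = row["username"], row["account_type"]
        groups = [g for g in row["groups"].split(";") if g]  # stacked groups
        if kind == "staff" and groups and user not in hr_active:
            findings.append((user, "not on HR roster: remove groups"))
        if "Superuser" in groups and len(groups) > 1:
            findings.append((user, "superuser on everyday account"))
        if kind == "partner" and date.fromisoformat(row["last_approved"]) < cutoff:
            findings.append((user, "partner not re-approved since July 1"))
        if kind == "parent" and row["email"].lower().endswith("@" + school_domain):
            findings.append((user, "parent account uses school email"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SMS_EXPORT, HR_ACTIVE, date(2024, 10, 1)):
        print(f"{user}: {finding}")
```
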

20 of 30

Final Thoughts

  • It’s painful
  • It will take hours to do it
  • People won’t like you
  • But chip away at it!
  • “Security always wins” (bonus tips)

21 of 30

Bonus 1: Registration Communications

  • How are you sending and receiving records
  • Externally--encrypted email, secure portal, fax, US Mail, other?
  • Internally-- (next slides)

22 of 30

Bonus 2: Registration Docs

  • Sort and categorize your registration docs. Add in buckets
  • Info is “need to know,” not one packet

23 of 30

Bonus 3: Registration Communications

  • Internal: don’t send registration files or info, just send the ID and refer them to your SMS
  • Prevents data leaks

24 of 30

Bonus 4: Registration Email/VMail

  • Set up group email addresses, NOT forwarders
    • register@esmschools.org
    • FEOffice@esmschools.org
  • Route voicemails to the group email addresses
  • Provides for coverage, keeps things moving
  • Quick demo

25 of 30

Bonus 5: Registration Office

  • Our parents are in their mid-20s: not using voicemail or answering calls
  • Cell phone for the office, to make it easier to contact parents.
  • We are testing, after trying in HR

26 of 30

Bonus 6: Superuser

  • You really shouldn’t be a superuser for your everyday account.
  • Create a separate account to use as superuser when you need it
  • It’s about RISK, not trust

27 of 30

Bonus 7: Google/O365 Logins

  • The default forces a login once a week; set it to 20 hours in “session control”
  • Turn off “allow user to trust the device” for MFA
  • Why do this? It’s your login for SMS--staff are logged in at home….

28 of 30

Special Thanks

  • Terri Clark, CNYRIC. Schooltool Consultant onsite with us.
  • Amanda Hardin, CNYRIC. Sr. Database Designer. Created the reports!

29 of 30

Scan for this presentation, or

esmschools.org/oconnor

(if you trust me)

  • Questions?
  • Scenarios?
  • Discussion topics?

Thanks!

Kieran O’Connor

koconnor@esmschools.org

315-434-3008 Desk

(references, next slide)

30 of 30

Resources