Security Role Overview

Overview

Each Veracross user account is a member of one or more security roles. These security roles determine which data the user can view and update. Primary roles form the basis of a user’s security and roughly correspond to the person’s job function. Supplemental roles provide access to additional blocks of Veracross functionality. It is not uncommon for a user to be a member of multiple roles. This article provides an overview of what each role has access to.

These definitions represent the default security configuration, and may have been altered for your school during or subsequent to implementation.

This article does not attempt to list every field to which each role has access. With the exception of the Person table, a role typically has access to all fields in a given table or none at all. The Person table contains several sensitive fields that some roles have access to and others do not. Since most schools have different security configurations with respect to the Person table, this document will not attempt to list all the Person fields each role has access to. The following data are considered to be sensitive and unless explicitly noted are not available to the various roles:

• Medical data
• Admissions Applications
• Financial Aid data
• Donations and Pledges
• Grades, GPAs, and Transcripts
• Birth Year for staff/faculty

Assigning/Removing Security Roles

There are two ways to assign people security roles: through the Security Roles tab on a person's security admin record and adding/removing people from the security role detail screen itself.

Through the Security Role Detail Screen

This method is the most efficient way to add the same security role to multiple people.

The Members tab of the Parent security role record.

1. Navigate to the Identify & Access Management homepage.
2. Click the "Security Roles" link.
3. Pick a security role and click it.
4. On the security role detail, click the Members tab.
5. On the Members tab, add or remove people.
   • To add a person, click Add Record and select the person, then click Update. You can add multiple people before clicking Update.
   • To remove a person from a security role, click the red X, then click update. You can remove multiple people before clicking update.

Through the Security Roles Tab

This method is the mosty efficient way to add multiple security roles to the same person.

The Security Roles tab of a person's Security Admin record.

1. Navigate to the System homepage.
2. Click the Find User Accounts link and then query for the person you are looking for. Once you find them, click the "Security Admin" link in the Security Admin column.
3. On the Security Roles tab, add or remove security roles.
   • To add security roles, click the security role option in the left column so that it appears in the right column, then click Update. You can add multiple security roles before clicking Update.
   • To remove a person from a security role,  click the security role option in the right column so that it no longer appears in there, then click Update. You can remove multiple security roles before clicking Update.

Primary Staff Roles

Most users only belong to one primary role, however, some combinations of primary roles are valid for users who need access to more than one Veracross module. Examples include teachers who are also division heads and staff who also need access to Admissions or Development in addition to their other responsibilities.

Admissions

• Admissions_1
  • read-write access to all admissions data
  • add person roles to user accounts
  • add person reference numbers to people
  • with the addition of the supplemental impersonation security role, can impersonate current families and admission families
• Admissions_2
  • read-only access to all admissions data

Development

• Development_1
  • read-write access to all development data, including donations, pledges, and development events
  • add profile codes and person roles
  • add person reference numbers to people
  • grants access to staff/faculty age data (like the Employment and Board security roles)
  • no ability to add funds or donor giving categories
• Development_2
  • read-only access to all development data, including donations, pledges, and development events

Division Heads

• Division_Head_0 (intended for pre-school division heads)
  • read-write access to pre-school and lower school data
  • read-write access to schedule documents
  • add person roles to person records
  • grants access to all action menu items on the Grade & Comment Review homepage
• Division_Head_1 (intended for lower school division heads)
  • read-write access to lower school and pre-school data
  • read-write access to schedule documents
  • add person roles to person records
  • read-write access to locker and locker combination data
  • grants access to all action menu items on the Grade & Comment Review homepage
• Division_Head_2 (intended for middle school division heads)
  • read-write access to middle and upper school data
  • read-write access to schedule documents
  • add person roles to person records
  • read-write access to locker and locker combination data
  • grants access to all action menu items on the Grade & Comment Review homepage
• Division_Head_3 (intended for upper school division heads)
  • read-write access to upper and middle school data
  • read-write access to transcript data
  • read-write access to schedule documents
  • add person roles to person records
  • read-write access to locker and locker combination data
  • grants access to all action menu items on the Grade & Comment Review homepage

Faculty

Note: GPA results will only be correct for users who have SysAdmin, Faculty_3, or Division Head security roles, because those are the only security roles that grant full access to relevant grades data.

• Faculty_1
  • read-write access to assignments, academic documents, and grades for all classes taught by the teacher
  • applying the Grades_Reader security role to a Faculty_1 user does not grant access to all grades. Instead, they should grant the user a Faculty_3 role, which also grants access to report cards for advisees
• Faculty_2
  • read-write access to assignments and grades for any of the teacher’s students in any of their classes
  • read-write access for advisors to access their advisees’ assignments, academic documents, and grades
• Faculty_3
  • read-write access to all assignments, academic documents, and grades

Security around behavior and comments does not mirror the increase in grade-viewing security across these three roles. All three roles have the ability to see and edit all behavior and comments for students that they teach. All faculty security roles are able to see employee birthdays (but not birth years — it will always display as the current year).

Staff

• Staff_1
  • read-write access to all households, people, and organizations
  • add person roles
  • read-write access to education records and student trip data
  • read-only access to attendance data
  • does not grant access to the following:
    • admissions data
    • donations and pledges
    • grades and transcripts
    • medical data
  • granting the Grades_Reader security role gives read-only access to all grades and access to academic documents for advisees
• Staff_2
  • read-only access to all data available to Staff_1
• Staff_3 and Staff_4
  • both are identical to Staff_2

All staff security roles are able to see employee birthdays (but not birth years — it will always display as the current year).

Business

Business roles grant access to Households, People, and Organizations and are almost always supplemented by one or more Accounting/Student Billing supplemental roles. Additionally, business security roles can access/update admissions notes and alerts if they have the proper additional qualifying security roles. These are: 

• Business_1
  • read-write access to all households, people, and organizations
  • add person roles
  • with the addition of the supplemental impersonation security role, can impersonate current families, program families, and admission families
• Business_1_RO
  • read-only access to all households, people, and organizations

Employment

• Employment
  • read-write access to the Employment homepage and Employment related tabs on the faculty/staff detail screens
  • read-write access to the age of staff/faculty (like the Board and Development security roles)
  • add person roles
  • does not include access to compensation data

Medical

Medical roles are disallowed from viewing Medical Alerts on a person record in the event that the Admissions_1 role is also present. Medical roles can view all COVID-19 screening data.

• Medical_1
  • read-write access to the Health module
• Medical_2
  • read-only access to the Health module

Guidance

• Guidance_1
  • read-write access to the Guidance module — including college applications and standardized test scores
  • view transcript documents, transcript items, and progress reports
  • does not have access to report cards or grade records

Coaches

• Coach
  • read-write access to schedule events such as practices, games, tournaments, etc.

Head-of-School

• Head_of_School
  • read-only access to behavior/comments
  • Consider also granting the “Admissions_2” and “Development_2” roles for access to admissions and development information.

Board

• Board
  • grants access to some administrative data including the age of Staff/Faculty and the ability to view Transcript Items
  • grants access to the Board Portal. Board Portal security is typically customized for each school. This role may be allowed to add person roles to user accounts
  • the Trustee person role allows for the creation of a user account with the Board security role when the Create User Accounts procedure is run

System Administrator (SysAdmin)

System Administrator (SysAdmin) security roles are “super-user” roles that grant access to all data within Veracross, including all emails sent by users.
Please note: an exception to this is that access to Data Consent is restricted to ‘Data_Privacy_Admin’ and ‘Data_Privacy_User’ supplemental roles to best to comply with GDPR standards; these types of security roles may be combined with System Administrator roles to allow full access to users as schools deem necessary.

• SysAdmin_1
  • read-write access to all data in Veracross
  • update security roles of current VC users
  • add person roles
• SysAdmin_2
  • read-only access to all data in Veracross

Client Portal Users

• Client_Portal_User
  • grants access to the Client Support Portal for a non-SysAdmin user

Portal Roles

Portal security roles dictate which content portals a user has access to.

Parent

Parent security roles are removed in the nightly scripts unless the “Parent” person role is also applicable to the person. However, if the person has Portal Access flagged on their relationship record to the student, the parent security role will remain even in the event that the parent person role is not applied. For example, a grandparent would not have the person role of parent but could retain their portal access so long as the parent security role is applied and Portal Access is flagged on the relationship record.

• Parent
  • grants access to the Parent Portal
  • Parent Portal viewing can be customized for each school (e.g. behavior event, grade detail, and assignment views). Speak to an Account Manager for further details

Student

• Student
  • grants access to the Student Portal
  • Some Student Portal security can be customized for each school (e.g., grade detail and assignment views). Speak with an Account Manager for more further details

Applicant Portal

These security roles are only available for schools who have purchased the Applicant Portal.

• Parent_of_Applicant
  • grants “Parent” access to the Applicant Portal for their applicant children
• Applicant
  • grants access to the Applicant Portal

Alumni

These security roles are only available for schools who have purchased the Alumni Portal.

• Alumni
  • grants access to the Alumni Portal

Program

These security roles are available for schools that have purchased the Other Programs module and use public registration.

• Program_Parent
  • grants parents of program students access to online program registration for their household
• Program_Student
  • grants program students access to online program registration

Future

These security roles do not grant access to Portals, and are designed for schools who wish to ease workflows by entering person information before they change to Parents/Students.

• Future Parent
• Future Student

Solicitors

These security roles are available for schools that have purchased the Solicitor Portal.

• Solicitor
  • grants access to the Solicitor Portal

Supplemental Roles

Supplemental Roles are designed to be granted alongside a Primary Staff Role — they are intended to grant access to a small amount of specialized data that would not normally be accessible by a Primary Staff Role.

Admissions Reviewers

• Admissions_Reviewer
  • read-only access to all application records on which the user has been specified as a reviewer for the application
  • grants access to all admissions reviewer data including application review and application review criteria records for the application records owned by the user

Financial Aid

• Financial_Aid
  • grants access to the Financial Aid module

Registrar

• Registrar
  • read-write access to all scheduling-related functionality (adding/updating courses, classes, and rosters)
  • grants access to the Veracross Scheduler
  • grants access to the Scheduler Prep Homepage
  • grants access to class permissions
  • read-write access to locker and locker combination data
  • grants access to all action menu items on the Grade & Comment Review homepage
  • does not allow access to grades

Grades Reader

• Grades_Reader
  • read-only access to grade data including Progress Reports and Report Cards
  • does not grant access to predicted grades
  • does not grant access to transcript grade data

Attendance

• Attendance_UPDATE
  • grants ability to update staff and student attendance records for classes that the user has access to, as dictated by their Faculty security role
  • if a user with this role also has the Other_Programs security role, the Attendance_UPDATE role no longer functions. To restore the permissions, add the Staff_1 role to the user.

Behavior

Users with Behavior security roles can access Behavior/comment data for all students whose school level matches one of the user’s school levels on the Classifications tab on their person record.

• Behavior_Reader
  • read-only access to Behavior/Comment data
• Behavior_Admin
  • read-write access to Behavior/Comment data

Other Programs

• Other_Programs
  • read-write access to the Other Programs module
  • read-write access to administer all aspects of the school’s after-school programs

Athletic Program

• Athletic Program
  • read-write access to the Athletics module
  • read-write access to administer all aspects of the school’s athletic program
  • grants ability to run procedures to copy athletic classes (i.e. teams) and athletic events from the Athletics homepage action menu

Extended Care

• Extended_Care
  • read-write access to the Extended Care module
  • read-write access to administer all aspects of the school’s Extended Care program

Calendars

• Calendar_Reader
  • read-only access to all events on school calendars
• Calendar_ADMIN
  • read-write access to all events on school calendars

Resource Scheduling

• Resource_Scheduler_1
  • read-write access to the Resource Scheduling module
• Resource_Scheduler_2
  • read-only access to the Resource Scheduling module

Employment

• Employment_Extended
  • read-write access to compensation data
  • All users with this role must have the ‘Employment’ primary staff role
• Employment_Time_Off
  • read-write access to and management of all time-off related data, including the time-off tab and time-off allotment calculation functionality per faculty/staff member
• Employment_Time_Off_Approval
  • grants the ability to make edits to existing time off requests
  • Usually paired with the Employment_Time_Off security role
• Employment_Application
  • read-write access to all employee application data including references, application, reviews, and more
• Employment_Continuing_Education
  • read-write access to continuing education data

Transportation

• Transportation
  • read-write access to the Transportation module

Substitute Coordination

• Substitute_Coordinator
  • read-write access to the Substitute tab on attendance records
  • read-write access to the Substitute Notes field on a staff/faculty detail screen

Volunteer Coordinator

• Volunteer_Coordinator
  • read-write access to the Volunteer Coordinator module

Athletic Injury

• Athletic_Injury
  • grants the ability to query and add new Injuries and Treatments from the Athletic Program homepage

Communication

• Communications_Email_User
  • grants access to the Communications homepage
  • can view any emails sent by themselves on the homepage as well as channels to which they are given access
  • read-only access to the tabs relating to emails in the channel detail screen
• Communications_News_User
  • grants access to the Communications: News homepage (if purchased)
  • can view any news items published by themselves on the homepage as well as channels that they are given access to
  • read-only access to the email and news sections of the channel detail screen
• Communications_Email_Reader
  • grants read-only access to emails sent by all users

Online Enrollment

• Online_Enrollment_Management
  • read-write access to Online (Re)-Enrollment configuration data and enrollment data including person enrollment records, contract amendments, enrollment amounts, enrollment signatures, and enrollment payments

Household Profile Update

• HPU_Management
  • read-write access to HPU data including HPU form configuration data and HPU journal updates

Policies

• Policy_Management
  • read-write access to school policies

Communications Administration

These security roles should not be combined with the Communications_Email_User, Communications_Email_Reader, Communications_News_User, or SMS_Sender security roles.

• Communications_ADMIN
  • read-write access to all communication homepages and all items on the channel detail screen, including form visibility and channel security
  • read-write access to add/edit themes and channel categories
  • editing access to system email templates
  • read-only access to recipients, engagement and diagnostics information on the email record

SMS

• SMS_Sender
  • read-write access to the Communications: SMS homepage
  • read-only access to anything related to SMS as well as any channels that they are given access to
  • read-only access to the SMS section of the channel detail screen

Portals Administration

• Portals_ADMIN
  • read-write access to the Portal Admin homepage
  • read-write access to Portal Links

Accounting

All accounting roles below that end with “_Public” are intended for Veracross users that need to see some of the accounting data. The read-only nature of these roles do not allow any editing, even if the user has a security role that allows it, so these roles should be placed deliberately.

• Accounting_AP
  • read-write access to the Accounts Payable module
• Accounting_AP_Checks
  • used for segregation of duties so that the person creating a vendor may not also cut a check
• Accounting_AP_Vendors
  • used for segregation of duties so that the person creating a vendor may not also cut a check
• Accounting_AR
  • read-write access to the Accounts Receivable module
• Accounting_Billing
  • read-write access to the Student Billing module
• Accounting_DEV
  • read-write access to the VCA Development module
• Accounting_GL
  • read-write access to the General Ledger module
• Accounting_GL_Mgr (intended for non-Accounting users)
  • grants access to the General Ledger module only for the specific purpose of running reports
• Accounting_GL_Public (intended for non-Accounting users)
  • grants access to the General Ledger module only for the specific purpose of viewing budget reports
  • this read-only access on these reports is granted only on GL Accounts and/or Cost Centers to which a given user has been assigned
• Accounting_JC
  • read-write access to the Project Accounting module
• Accounting_PC
  • read-write access to the Property-Control module
• Accounting_PO
  • read-write access to the Purchase Order module
• Accounting_PO_Public (intended for non-Accounting users)
  • grants access the Purchase Order module only for the specific purposes of adding or approving Purchase Requisitions
• Accounting_PO_Rec (intended for non-Accounting users)
  • grants access to the Purchase Order module for the specific purpose of receiving packages
• Accounting_Pymt_Accts
  • read-write access to the Payment module for cash processing
• Accounting_JC_Public (intended for non-Accounting users)
  • grants access to projects the user is connected to in the Project Accounting module

Standardized Test Reader

• Standardized_Test_Reader
  • read-only access to Standardized Test Score data for all students whose school level matches one of the user’s school levels

Directory Administration

• Directory_Admin
  • read-write access to manage Portal directories
  • grants access to directory-related links on the Portal Admin homepage

Standardized Test Administration

• Standardized_Test_Admin
  • read-write access to Standardized Test Score data for all students whose school level matches one of the user’s school levels

Attendance Administration

• Attendance_ADMIN
  • grants ability to update staff and student attendance records
  • grants ability to delete all Master and Class attendance records
  • if a user with this role also has the Other_Programs security role, the Attendance_ADMIN role no longer functions. To restore the permissions, add the Staff_1 role to the user.

Data Packages

• Data_Package_Admin
  • read-write access to set up, configure, and maintain data package categories, as well as assign security permissions related to data packages
  • grants ability to run data packages
• Data_Package_User
  • Grants ability to run and open data packages in categories that the user has permission to access. Example: To send and open data packages that someone with Development_1 access can see, they would need to have both the Development_1 and Data_Package_User security roles

Implementation Administrator

• Implementation_ADMIN
  • This role allows for schools in the process of implementation to perform various implementation-related tasks in their pre-live database, as well as basic access to data in the database. i.e. the ability to look at standard person record information.  It also grants access to the Implementation Project Management homepage, milestones, and assigned milestone Items, and therefore this security role may be useful to grant for anyone involved in an implementation task, even long after core database go-live.
  • Required for any Business Office users who need to view the Chart of Accounts Mapper (maps legacy accounts to new GL accounts for use during the data import process.)

Data Privacy (GDPR)

Users are able to perform all the tasks needed as related to GDPR and the various Veracross consent collection tools.

• Data_Privacy_Admin
  • grants ability to assign Data_Privacy_User security role
  • read-write access to consent policies
  • read-write access to GDPR actions
  • can batch-add data consent policies
• Data_Privacy_User
  • read-write access to consent policies
  • read-write access to GDPR actions
  • can batch-add data consent policies

COVID-19 Screening

Users who need access to COVID-19 screening data but do not have a Medical or System Administrator security role can have this role applied to them. If someone has a Medical or Sys_Admin primary role, they do not need this supplemental role.

• COVID_19_Screen_ADMIN
  • can view existing COVID-19 screenings and add new ones via a set of links on the Today homepage
  • cannot see any other medical information other than medical visits with the purpose of “COVID-19 Screening”
  • cannot access the Health homepage

Cohort Functionality

Users who need to create and update cohort records must have the Cohort_Admin security role. The following security roles have read-only access to cohort records:

• Admissions_1
• Admissions_2
• Board
• Business_1
• Development_1
• Development_2
• Division_Head_0
• Division_Head_1
• Division_Head_2
• Division_Head_3
• Faculty_1
• Faculty_2
• Faculty_3
• Medical_1
• Medical_2
• Other_Programs
• Staff_1

You can read more about cohort functionality here.

Academic Documents

Users seeking to access and adjust academic document configuration records can be given access through adding one of these supplemental roles.

• Academic_Document_Admin
  • allows you to create and manage academic documents
• Academic_Document_Reader
  • allows you to view academic document records
• Person_Race_Admin
  • read/write access to the race tab, which allows race and race configuration on person records
  • view the "Race" and "Races (all)" fields in person queries
  • view the "Add Race to Multiple People," "Person Races," and "Add Person Races" links on the System homepage
  • Those without SysAdmin or the Person_Race_Admin security role will not be able to view or configure races.

Restricting Access to Axiom

You can restrict access to Axiom for certain people by assigning one or both of these security roles to their user account:

• Restrict_Browsing_VC_Axiom
  • forbids browsing axiom.veracross.com
• Restrict_Browsing_Accounting
  • forbids browsing accounting.veracross.com
  • This security role is only relevant if you have VC Accounting.

System Roles

User Account Administration

This security role is intended for users who need to manage all aspects of user accounts, but who don’t need to have the SysAdmin_1 security role.

• User_Account_Admin
  • grants ability to manage user accounts, with the exception that it cannot add the SysAdmin_1 or SysAdmin_2 security roles to an existing account. It also grants access to: 
    • assign/remove Google accounts
    • convert a user account to a Solicitor account
    • send VC Welcome emails
    • create workspaces
    • create/update user and portal accounts/access

Merging Records

• Merge_Records
  • grants access to merge (dedupe) Households, People, and Organizations

Legacy Portals Administration

• Group_Portals_Admin
  • grants access to the administrative tools for managing the legacy alumni and/or division portals (if purchased)

Beta Testing

• Beta_Tester
  • grants a Portals user access to see and test features that are in beta_testing mode.
  • Note: not all features in the portals can be put in beta_testing mode.

Disabling Portals Accounts

• PORTAL_ACCOUNT_DISABLED
  • disables access to the Teacher, Parent and Student portals.

Impersonation Roles

Impersonation roles are supplementary roles designed specifically to grant impersonation access to users who are not system administrators.

• Impersonate_Admissions_Families
  • grants ability to impersonate both Applicants and Parents of Applicants in the Admissions Portal
• Impersonate _Current_Families
  • grants ability to impersonate Parents, Students, Future Parents, and Future Students in Portals
• Impersonate_Faculty
  • grants ability to impersonate all Faculty security roles
• Impersonate_Program_Families
  • grants ability to impersonate Program Students and Parents of Program Students in the Portals