User Accounts and Security FAQ

How do I convert an account to a staff account?

When someone becomes a member of the school faculty or staff, some changes must be made to convert a "non-staff account" to a "staff account". Follow these steps below to change a non-staff account to a staff account:

The Security Admin link column in the Find User Accounts query.

  1. Update the individual person record on the Roles tab to add the Faculty/Staff role as needed.
  2. Navigate to the System homepage and open the Find User Accounts query. Search for the person (remember, last name then first name!) and then run the query.
  3. Click the Security Admin link in the Security Admin column next to the person you are converting to open their person account record.
  4. Click on the Action menu and run the "Convert Parent Account to Staff Account" procedure.
  5. At this point, the account is set up be be a staff account. Click on the Security Roles tab to apply the appropriate security role to this new faculty or staff member.

You may also find the following articles useful:

How do I create staff/faculty accounts in batch?

There will be times when you want to create a large amount of accounts for your faculty and staff. You could do this on a one-by-one basis, but we also can create these accounts for you in batch. Due to the configuration work that must be done for this process, batch creating staff/faculty accounts can only be done by Veracross.

If you want to create staff/faculty accounts in batch, you should open a ticket with Veracross support to facilitate this process. To expedite this task, you should include:

  • a link to a saved query containing all people that you want to generate staff/faculty accounts for
  • a date when these accounts should be created (if not ASAP)

Are future faculty/staff automatically updated to faculty/staff when their hire date passes?

The Date Hired field on a person record. This field does NOT allow you to automatically update future fac/staff to regular fac/staff.

When people designated as "Future Staff" or "Future Faculty" reach their hire date, the system does not automatically update them to "Staff" or "Faculty" — this must be done manually.

How can I remove multiple user accounts at once?

To remove a large number of user accounts at once, there is a short process you should complete. This process is built on the fact that the nightly scripts automatically remove user accounts where the person has no assigned security roles. There are several exceptions to this rule to be aware of:

  • Students may lack a "Student" security role for a short time between when they are promoted from future student to student and when student user accounts are created.
  • Future students and their parents are allowed to have accounts without any security roles.
  • "Staff" and "Faculty" may have accounts without security roles.
  • "Program Students" and "Future Program Students" may have accounts without security roles.

This method works best for users who only have one security role. It also works for users with more than one, but you will need to navigate to more than one security role to complete this process.

The Members tab of the Admission_1 security role record.

  1. Determine which security roles people have that you with to remove user accounts for.
  2. Navigate to the System homepage and click on the Security Roles link
  3. Click on the link to the security role in question, and then click on the Members tab.
  4. Click the red X next to the people you wish to remove the security role from and then click Update.
  5. Repeat this process until these people have no security roles.

At this point, all of these users' accounts will be removed the next time the nightly scripts run.

Removing Accounts Individually

To remove a single user's account, complete the following steps:

  1. Navigate to the individual's person record.
  2. From the Action menu, run the "Remove VC User Account" procedure.

Do the "Create User Accounts" procedures overwrite existing user accounts?

The "Create User Accounts" procedures on the System homepage create user accounts for everyone specified that does not already have an account — existing accounts are not affected.

Some of the "Create User Accounts" procedues available in the Action menu on the System homepage.

You may also find the following articles useful:

Where can I see and edit username conventions for my constituents?

Username conventions are the format that user accounts are given for each security role. These conventions are set up using merge fields listed in this article. Depending on what role a person has at a school, you may want to set a username convention differently than other Veracross users. You can view/edit username conventions for constituents in the database from the Security Roles query on the System homepage. To change username conventions, you must have a Sys_Admin1 security role.

The Security Roles query on the System homepage. The Primary Username Convention and Secondary Username Convention fields are indicated.

To change a username convention:

  1. Double click into the Primary Username Convention or Secondary Username Convention field.
    • Primary Username Conventions are the default convention for user accounts created with each security role.
    • Secondary Username Conventions are used if the primary username convention creates a username that is already in use.
    • For most circumstances, you will only need to set a primary username convention. In cases where there is no secondary username convention set and a duplicate username is created, the system instead appends a number to the end of the username.
  2. Update the convention. Review the list of acceptable merge fields for usernames here.
  3. Select the Update Records button.

How do I enter a termination date and remove user accounts for staff/faculty who are not returning?

When an employee leaves the school, you can populate the "Date Terminated" field on the HR tab of their person record. Then, when the date arrives (you can populate a future date), the system does several things automatically, including removing the user account in the overnight scripts. This functionality does not require the Employment module. 

Populating the Date Terminated field on the HR tab of a former employee's person record will remove their user account in the nightly scripts.

To remove user accounts for former employees, perform the following steps:

  1. Navigate to the Person record of the employee who was terminated and click on the HR tab in the Employment category section.
  2. Populate the "Date Terminated" field with the date they were terminated.
  3. Click Update
  4. Wait for the nightly scripts to run. When the date passes:
    • the staff or faculty person role is removed
    • Former Faculty/Staff person classifications are populated with a start date based on the staff or faculty member’s termination date
    • the person's user account is removed

If you need to remove their user account immediately:

  1. Navigate to the former employee's person record.
  2. Open the Action menu and run the Remove VC User Account procedure.

You may also find the following articles helpful:

Why can't a new teacher who is also a parent access the faculty portal?

If a parent becomes a teacher, you need to update their user account so that they can access the faculty portal. To do this:

  1. Navigate to the 'Find User Accounts' query on the System homepage.
  2. Query the person and — in the query results — click the 'Security Admin' link.
  3. Run the *Convert Parent Account to Staff Account* procedure from the Action menu.
  4. Ensure that the person has the 'Faculty' security role on the Security Roles tab.

You should also double check their portal membership:

  1. Portal Admin homepage > Faculty Portal > Membership (Enabled) tab.
    • If they aren't enabled, check the "Disabled" tab and flip their status to "Enabled."
    • If they were automatically added as "Disabled," it means that the default membership role is disabled, which you can check on the General tab of the portal record. 

How do I update a person's security role?

Security roles are important as they determine how screens appear as well as what users have access to. A person's security role is updated on the Security Roles tab on their User Account record.

The Security Roles tab of a person's User Account record.

To update a person's security role, perform the following steps:

  1. Navigate to the "Find User Accounts" query on the Identity & Access Management homepage.
  2. Once you find the record you want to update, click on the Security Admin link on the query results screen, bringing you to the User Account record.
  3. Click on the Security Roles tab in the pane on the left.
    • To add a security role, simply click on the role in the left hand column which will make it appear in the right hand column and click Update.
    • To remove a security role, click on the role in the right hand column and click Update.

You may also find the following articles useful:

Who can view the 'Communication' tab on a faculty/staff person record?

A communication tab on a person record. Note that the emails are displaying in the query on the lower half of the screen.

The 'Communications' tab on a person record is visible to anyone who has a security role that is able to view Staff or Faculty person records. The emails on the Communication tab are hidden from all but a few people, which are:

  • System Administrators (those with SysAdmin security roles)
  • the person themself
  • someone who has access to the communications channel that the email was sent through.

Faculty members are unable to see the Communications homepage without a supplemental role such as Communications_ADMIN or Communications_Email_User.

You may also find the following articles helpful:

How can I tell which user account types have AD/LDAP enabled?

To quickly see if user accounts have AD/LDAP enabled:

  1. Navigate to "Security Roles" query on either the Identity & Access Management or System homepage.
  2. Check the "Password Syncing Enabled" field for the relevant security role(s).
If "Password Syncing Enabled" is enabled, AD/LDAP is enabled for users with that role. 

How can I give someone update permissions for our portals?

In order for someone to be able to update a portal, the following must be true:

They must have the Portals_ADMIN security role. To add this security role to someone's user account, follow these steps:

  1. From the Identity & Access Management homepage, click on the Find User Accounts query link.
  2. Query on the person you want to add this security role for, and then click on the Security Admin link.
  3. Click the Security Roles tab and then click on the Portals_ADMIN option in the left column so it appears in the right column.
  4. Click Update.

They must have permissions on the individual portal in question. To do this, perform the following steps:

  1. Navigate to the Portal Admin homepage and, inside the "Find Portals" section, click into the portal you would like this user to have permissions for.
  2. Click on the “Admins” tab, click “Add Record” and add the individual in which you would like to have permission to edit this portal.
  3. Click Update.

Is there a way to update security roles in batch?

Security roles are a fundamental part of Veracross that help determine what users can create, update, and access within Axiom. Security roles can be added and removed in batch to multiple people through the process highlighted below.

New people can be added to Security roles via the Members tab on a security role record.

  1. Navigate to the Identify & Access Management homepage and click on the "Security Roles" query.
  2. Click into a security role record. Once in the security role detail screen, click the Members tab.
    • To add a person, click Add Record and select the person, then click update. You can add multiple people before clicking update.
    • To remove a person from a security role, click the red X, then click update. You can remove multiple people before clicking update.

Is it possible to create Veracross accounts for Future Students?

Yes, you can create accounts for future students! To do this:

  1. Run the procedure "Create Future Student Accounts (no Portals access)" from the action menu on the system homepage.

Although future students will have user accounts created, they will not be given portal access until school has started and they become students.

Can I send change password links on a person-by-person basis?

Yes! There are three different ways to send "forgotten password" emails to individual people in Axiom. 

The fastest method is to run the "Send Forgot Password Email" procedure on their person record.

On the Person Record (Procedure)

From the person record, click on the Action menu and run the "Send Forgot Password Email" procedure to send the system "forgotten password" email to the Email 1 associated with this user.

On the Person's Security Detail Record (Procedure)

By navigating to the person's Security Detail record through the Find User Accounts query on the System homepage, you can run the "Send Forgot Password Email" procedure to send the system "forgotten password" email to the Email 1 associated with this user.

Through the Person's Security Detail Record (Link) 

By navigating to the person's Security Detail record through the Find User Accounts query on the System homepage, you can copy and paste the Change Password link for that specific user on the General tab.  You may send the user the link directly via email to allow them the ability to change their password.

You can find more information on user accounts by reading the User Account Management article in Learn Veracross.


Can files on student records be viewable only by certain people?

Yes!

  1. Navigate to the System homepage and click the "File Security" link.
  2. Select a file classification record and click the Security tab.
  3. Adjust the active security contexts by selecting them on the left.

File security configuration falls into two categories:

  1. Those preceded by "S:" are based on the relationship of the user to the student, i.e. student's teacher.
  2. Those preceded by "R:" have security based on the user's security role.

Additional classifications can be created by selecting "File Security" from the "+Add" menu on the System homepage. Read more about file security.

Can users change their own username?

Usernames are determined by username conventions set for certain roles at the school. Outside of this, someone at your school may wish to change their username to something else for a number of reasons, such as an updated email address. There is no self-service feature to change your own username through portals, however, you as the school are able to change it for them, should you so choose.

Should you wish to change someone's username on a one-off basis, it can be done from the Security Admin detail screen.

If you wish to update someone's username on a one-off basis, perform the following steps:

  1. Navigate to the Identity & Access Management homepage and click on the Find User Accounts query.
  2. Find the person you are looking for and click on the Security Admin link.
  3. Adjust the value of the Username field to be the new username and click Update.

Which security roles have access to birth date data?

The following security roles have access to birth date data (mm/dd/yyyy) in Axiom: Board, Development_1, Employment, Medical_1, Solicitor and SysAdmins.

We have a new staff member at our school. How do I create their user account so that they can access Axiom?

To add a user account for a new staff member, perform the following steps once you've added their person role and assigned them with a Staff role:

  1. Click on the Action Menu (lightning bolt) from the person record and run the Create VC User Account procedure.
  2. Run the Send VC Welcome Email procedure, which sends an email to the user and prompts them to set up their Axiom password.

Who is able to create Alumni accounts?

Alumni accounts are used to access the alumni portal if purchased. Only people with the following security roles are able to create user accounts for alumni (or any other user):

  • SysAdmin_1
  • User_Account_Admin

They are created by running the “Create Alumni Accounts” procedure from the Action menu on the System homepage.

What security role do I need to give someone that needs to assign MFA status for users?

In order to assign MFA status to users, you must have User_Account_Admin or SysAdmin_1 security role access.  To learn more about Multi-Factor Authentication, review this article here



How can I see which area of Veracross a user logged in to?

The "Application" column on the Login History tab of the Person Account record shows what platform the user utilized to access Veracross.

Sometimes, it can be easy to forget that "Veracross" isn't just what's known as Axiom or Portals — there are many other platforms people can use to access data throughout the Veracross system. To see what platform a user used to access this information, you cansee it on the Login History tab on a person's user account record.

To navigate to this, perform the following steps:

  1. Beginning on the Identity & Access Management homepage, click on the Find User Accounts query.
  2. Search for the person in question by applying criteria to the fields on the query design screen and running the query.
  3. Click on the link in the "Username" column to navigate to the user account record ond click on the Login History tab.
  4. The "Application" column in the embedded query displays what platform the user utilized to access Veracross.

Why can't faculty members view the results in a Behavior/Comments query?

The Find Behavior/Comments query on the School level homepages can be used to see instances of behaviors and comments that occur during classes.

Users with any Faculty security role can see and edit all behavior and comments for students that they teach. If they do not teach any students, they will need either of the following security roles to see all behaviors/comments:

  • Behavior_Reader (read-only access)
  • Behavior_Admin (read-write access)

When is the Parent of Applicant security role removed from a user account?

The Parent_of_Applicant security role is removed from a user account once the related child(ren) no longer have any of the following roles:

  • Prospect
  • Applicant
  • Future Student
  • Applicant - Former

Does Veracross support Transport Layer Security (TLS) 1.2?

Transport Layer Security — or TLS — are protocols designed to provide communications security over a computer network. TLS 1.2 is used throughout Veracross both internally and externally. Additionally, if you use a service that connects to Veracross and is retiring TLS 1.0 or 1.1, no action is required.

Who can impersonate a user with the SysAdmin security role?

There is not a security role that can impersonate a SysAdmin and SysAdmins cannot impersonate each other. This is done due to the very open security permissions surrounding the SysAdmin security roles.

I have the SysAdmin security role, why can't I add a new OAuth application record?

Any user (including SysAdmins) looking to add records must have the OAuth_App_Admin supplemental security role.

Once this security role is added, you can follow the process outlined here to create new OAuth application records.

I tried enabling a scheduled job but got an error message about not having the right security role. Who can enable/disable scheduled jobs?

Enabling or disabling a scheduled job can only be done by a Veracross Account Manager or Engineer; those with the SysAdmin security role are able to edit the schedule records within the scheduled job, but cannot enable/disable the job itself.

Please submit a ticket on our client support portal to request that we enable/disable the scheduled job, including a link to the specific job record.

Can we change the text or instructions on the “Reset Your Password” page?

Schools can determine the overall branding of all Login Pages (including the Reset Your Password page) on the Login Page branding configuration link located on the System homepage. Schools are not able to adjust the text on this page, however; it is standard across all Veracross schools.

Are usernames updated if someone’s email address changes when {email} is used as the username convention?

If you are using {email} as the username convention, the system does not prompt users to make the update to someone’s username if they are updating the Email 1 field on their person record.

Because of this, users making the update to the person record must also manually update the username or notify the point person responsible for user accounts to make the update.

What does the User_Account_Admin security role provide access to?

The User_Account_Admin security role allows a user to add/remove all security roles, except SysAdmin_1 or SysAdmin_2, for all users including themselves. This role also allows a user to:

  • assign/remove Google accounts
  • convert a user account to a Solicitor account
  • send VC Welcome emails
  • create workspaces
  • create/update user and portal accounts/access

You can learn more about other security roles in the Security Role Overview article.

Does Veracross track what IP address is used when logging into the system?

Yes, Veracross stores IP address information,  should you ever need to reference it.

To view IP address data, please follow the steps below:

  1. Navigate to the System homepage.
  2. Open and run the Find User Accounts query.
  3. Click into the User Account record by selecting the Security Admin link in the Security Admin column.
  4. Once you are on the User Account record, navigate to the Login History tab to view the IP addresses of recent logins for that user.

What security roles allow a user to post/lock grades?

Users with the SysAdmin_1 or any Division_Head security role can post/lock grades.

More information about what is possible with each of the Division_Head security roles can be found in the Primary Staff Roles documentation.