Though in many cases users can be set up and rarely need to be amended, there will inevitably be circumstances in which you will need to edit the accounts, privileges and roles of users. At the end of their time with the Local Authority – or in a commissioned role – you will also need to ensure that you terminate their access to the NCER Nexus system.
Only staff with the Can Add, Delete and Manage Users permission can create, edit and terminate the account of another user within the organisation.
Amendment of user accounts is handled through Admin > Users
Hint:
By default, Admin > Users will display your LA users, but any user has the option to select any other LA. You can only edit and create users within your own LA, but this capability can be useful if you wish to make contact with users in another LA.
When you select a user (in your own LA) details about that user will be displayed including their username, email and any school groups they have been assigned to – some of which can be edited by the Administrator by clicking ‘Edit User Details’ and some are automatically assigned (such as the Local Authority).
Most of these options are self-explanatory but the ‘Default School Group’ option allows you to set a default for the user – which is picked up in reporting - for group options that will appear when the report opens. This saves that user time if their area of interest will usually be a specific group of schools.
Three tabs are displayed at the bottom of the screen:
Communications – this tab is under the control of the user themselves. It allows the user to their communications preferences in terms of what they wish to receive. (NCER recommends that all users subscribe to ‘NCER & Nexus News & Updates’ communications.)
Schools – this tab is visible to anyone with the and editable by anyone with the It allows you to select and add any school in the Local Authority to the user's profile. This allows them to pick ‘My Schools’ when reporting in Nova reports and run reports on that custom grouping or to view them in the Schools tab.
Typically you would use this to help a School Improvement officer or commissioned consultant who is focused on only certain schools and wants to access information on them quickly rather than see all the others mixed in.
For each school added, you can also record the role that the user performs in relation to that school. There is an extensive list of roles, but typically – if you are restricting users to certain schools – ‘School Improvement Partner’ and ‘Consultant’ roles will be more common (particularly if they are commissioned and not an LA salaried employee.) This role is largely for information and has no real effect on the rest of the system.
By clicking the ‘Remove’ link at the end of any line, you can remove existing schools that a user previously had included in ‘My Schools’
Hint:
In some LA's it may need to be an annual or termly task to update and modify this assignment of schools, particularly where that may be a product of the LA’s assessment of risk in the school.
Privileges – This tab is where the user permissions are assigned. You will note that the ‘Type of User’ is specified at the top of this section, with a dropdown pick list. By picking a role for the user the privileges further down the section and automatically populated but they can be amended by ticking and unticking specific permissions.
For more information on this tab, click here.
Reset of Two Factor Authentication
Users with Nexus Admin permissions will now be able to see a Two Factor Authentication reset button for each user in their LA. This feature will allow them to deal with any issues users experience around 2FA or where a user has a new phone and has reinstalled their authentication app. For more details, see the Two Factor Authentication for Nexus help page
Terminating a User Account
Nexus users with the Can Add, Delete and Manage Users permission have the ability to choose whether to delete or archive user accounts.
Once deleted, a user’s account cannot be recovered and would need to be set up again if done in error. There is also an option to archive the account (preventing access but can be recovered without re-creating it) as an alternative. This may be appropriate where you are not certain whether the account will come back into use and need to check.
If the account is archived then it will be suspended for 30 days, during which time it can be recovered if it is still required. At the end of 30 days, it will automatically be deleted.
The account can still be deleted outright where you are already certain that the user has left or no longer requires access in a different or changed role.
Regular Review of All Accounts
Due to the requirements of data protection legislation, Local Authorities will wish to ensure that all of their Nexus account holders are:
- Still employed by the Local Authority (directly or in a commissioned role) – remember that standard LA IT account close down procedures rarely include systems such as Nexus or DfE Sign-in systems.
- Still in posts requiring access to Nexus – if a user has changed role they should not be left with access to Nexus just because they have always had it
- Have the ability to see pupil level information (or not) as appropriate to their role – some users with only summary data permissions may benefit from the addition of pupil level data but others may need this taken away – ‘Include access to batch reporting and pupil level reports’ should be ticked/unticked as necessary
- Have access (or not) to CiN / CLA information as appropriate to their role. The addition of CLA permissions should be agreed with the Virtual Head, but if a user no longer supports those functions then the permissions should be reviewed
One indication of whether a user requires access is how long it is since they last logged in. New functionality in the Users screen now allows you to specify users who have not logged in for a user-defined number of months or greater.
No user who has left the employment of the LA will ever have any legitimate reason to access Nexus via an LA provided log-in and if this should ever occur it should be considered a data breach, reported to LA Information Governance for investigation and appropriate action.
Hint:
You should remember that Nexus can be accessed from personal devices from anywhere in the world. As such, the termination of access to the Local Authority network by the ICT team when a member of staff leaves does not prevent them from logging into Nexus. Nexus Administrators using personal devices for 2FA means that an ex-employee with high level permissions could disrupt, view or modify the system and data held in it. Shutting down the account for leavers is essential and even more so for users with high level permissions allowing them to add, delete or modify another user's account.
The NCER Nexus Admin Digest email – received by users with system administration permissions on a weekly basis – includes a section highlighting users who have not accessed the system for some time. The same facility to identify these users exists in the Admin > Users screen where the last login is displayed and a filter for the period since the last login is now available. As a matter of good practice, accounts that have been inactive for more than a year (i.e. more than a full assessment cycle) should be considered for either deletion or archiving.
Automatic Archiving of Nexus Accounts
From the 21st February 2024 update to Nexus, we have introduced a new automatic archival process for all Nexus users with automated alerts to keep key people informed.
This does not amend the responsibility to ensure that there is no inappropriate access to Nexus by staff no longer employed (or no longer needing access for their current role)
Nexus users will be automatically archived if the account is inactive (i.e. no log-ins) for 18 months. The user will be warned by automatically generated emails at 15, 16 and 17 months since their last log-in that their account is at risk of being archived. If the account is still inactive, it will be archived at 18 months and the user will be notified - all warning and notification emails will include information on who to contact within the LA if they are having trouble logging in. The contact(s) given will be users with the permission 'Can Add, Delete and Manage Users' enabled; we refer to users with this permission enabled as the LA Admin account(s). Please note that archived Nexus users do not receive regular email communications, even if they opted in on the My Account > Communications page.
If an account due to be archived is an LA admin account, this will be alerted to any other admin users within the same LA by email. If there are no other admin accounts within the LA, NCER and Nexus Support will be notified so that they can liaise with the LA and ensure they maintain access to Nexus within the LA.
If an archived user wants to re-activate their account, they can request this through their LA Admin(s). Please note that all archived Nexus accounts are locked until an LA Admin user restores the account from the Archived Users page accessed from the Users page.
Automatic Account Deletion
Once an account has been archived for 18 months, it will be permanently deleted. This will enable usernames to be re-used within Nexus where previously they were kept in the archived account, and this caused problems for some Nexus Admins trying to create new accounts with the same names.
Comments
0 comments
Please sign in to leave a comment.