Roles list and tasks (New Version)
Tip: This help topic refers to the new interface for managing roles and tasks. For help with the legacy interface, see Security roles (old version).
Tasks determine what each user can see and do in Education Management.
Each task may be enabled or disabled for various security roles. For example, multiple admin roles may be able to create emergency bulletins.
Users can be members of multiple roles. If a task is enabled for at least one of the user's roles, then the user has access to all data and actions for that task—even if the task is disabled for one of the user's other roles.
As a platform manager:
-
Select Core.
-
Select Security.
-
Select Roles.
-
Find the role in the list. Then select the role name.
Alternatively, on the role's row, select (...) and then select Manage roles - NEW.
-
Select Tasks. A list appears.
-
Related tasks are organized into groups, sometimes known as "domains."
-
Expand each domain to view its tasks.
-
A green check mark indicates when a task is enabled. Grey checks indicate disabled tasks.
Tip: Select Hide disabled to only show enabled tasks and their domains. Clear this option to see all tasks and domains.
-
-
Select a task name. Details appear. This includes:
-
the name of the domain.
-
a description of what the task enables users to see and do.
-
whether the task is enabled or not enabled.
-
a list of other roles that have the task enabled.
-
As a platform manager:
-
Select Core.
-
Select Security.
-
Select Roles.
-
Find the role in the list. Then select the role name.
Alternatively, on the role's row, select (...) and then select Manage roles - NEW.
-
Select Tasks. A list appears.
-
Search for a task or find it within a "domain" of related tasks. Select a task to view its details. This includes:
-
the name of the domain.
-
a description of what the task enables users to see and do.
-
a list of other roles that have the task enabled.
-
-
Select Edit tasks.
-
Then Confirm you want to enable the task for the role and all its members.
A green check mark appears beside the task name, in the list of domains and tasks.
Tip: Tell users to log out and then sign in again to see the changes associated with their role membership.
As a platform manager:
-
Select Core.
-
Select Security.
-
Select Roles.
-
Find the role in the list. Then select the role name.
Alternatively, on the role's row, select (...) and then select Manage roles - NEW.
-
Select Tasks. A list appears.
-
Search for a task or find it within a "domain" of related tasks. Select a task to view its details. This includes:
-
the name of the domain.
-
a description of what the task enables users to see and do.
-
a list of other roles that have the task enabled.
-
-
Select Edit tasks.
-
Then Confirm you want to disable the task for the role and all its members.
A green check mark no longer appears beside the task name, in the list of domains and tasks.
Tip: Tell users to log out and then sign in again to see the changes associated with their role membership.
Platform managers can clone a role to assign it to a user. When you clone the role, you can omit some of the tasks from the original role. However, you can't add additional roles to the clone.
Note: Clones of the platform manager can't impersonate non-clone-platform managers; they can't grant themselves additional security access. We recommend schools grant the platform manager role sparingly.
As a platform manager:
-
Select Core.
-
Select Security.
-
Select Roles.
-
Find the role in the list.
-
Select the ellipsis (...) at the start of the row. Then select Clone role.
Alternatively, select the role name. Then on the role's page, select Clone role.
-
Enter a unique Role name for the new role.
-
Select Tasks. A list appears.
-
To view the status of all tasks, select the down arrows under Find in this list. The domains expand to show their corresponding tasks.
-
Tasks that are enabled for the role are indicated with a green check mark.
-
Select a task to view its details, including the name of the domain, a description of what the task enables users to see and do, and a list of other roles that have the task enabled.
-
To collapse the list of tasks, select the up arrows.
-
-
To edit tasks in bulk:
-
Select Edit tasks beside Find in this list.
-
Select Enable all or Disable all.
-
Expand the domains to see the tasks. A black check mark indicates when a task is enabled. Select a task to view its details, including the name of the domain, a description of what the task enables users to see and do, and a list of other roles that have the task enabled.
-
Select or clear the checkbox to enable or disable specific tasks.
-
Select Save.
-
-
To edit specific tasks:
-
Search for a task or find it within a "domain" of related tasks. Select a task to view its details, including the name of the domain, a description of what the task enables users to see and do, and a list of other roles that have the task enabled.
-
To remove a task from the clone, select Edit tasks under the task details. Clear the Enabled option. Then select Save.
-
To re-enable a task you previously disabled, select Edit under the task details. Select Enabled and then select Save.
-
-
Tell users to log out and then sign in again to see the changes associated with their role membership.
We recommend describing new roles in your school's "policies and procedures" guide. If a role should be granted to additional users or removed from users at a later date, include this plan in your guide.
Note: Most employees who are responsible for keeping user profile data updated should have the contact card manager role instead of platform manager role (and its clones). Contact card managers can handle personal data common to any user (including contact information, demographics, relationships, emergency contacts, business, and education information). From Core, you can use the People finder to go to a user's profile and Contact card to make changes. From Core, Users, you can also select Handle profile changes to review the changes users have made or that other administrators made on a user’s behalf.
Warning: Review release notes regularly. When features are updated or added, the original role may gain new tasks. Existing tasks may gain new functionality (such as a new button on an existing screen). Review your school's clones to enable or disable tasks based on those updates to ensure the clone has appropriate access.
Tip: To limit directory results by school level, campus location (for a school with multiple campuses), or other groupings, we recommend you create a clone of the "friend" role for each desired grouping. Then add users to the appropriate role. Finally, create a new directory or edit an existing one to use the new roles.
If your school created a new role by cloning a system role, then you can delete the clone. However, you can't delete system roles created by Blackbaud.
When you remove a role, users who had that role may lose access to features enabled by that role's tasks. If users have other roles that enable the same tasks, then they may retain access via their other roles.
As a platform manager:
-
Select Core.
-
Select Security.
-
Select Roles.
-
Find the role in the list. Then select the role name.
-
Select Remove role.
-
Then Confirm you want to delete the role.
-
Tell users to log out and then sign in again to see the changes associated with their role membership.
Blackbaud requires faculty, admin, and staff users of Blackbaud Education Management® (BBEM) at all schools to use multi-factor authentication (MFA) on their Blackbaud ID (BBID) username and password. These users have security roles with application, employee, or volunteer types.
-
When enabled for a role that does not login with
-
a single sign on (SSO),
-
Sign in with Apple ID,
-
or Sign in with Google,
all users in the affected role are required to use Blackbaud's MFA with their BBID.
Note: Users who login with single sign on (SSO), Sign in with Apple ID, or Sign in with Google, aren't prompted to use Blackbaud's MFA, even when MFA is required for one of their roles. However, they may be prompted to use an MFA from the identity provider (IdP) instead. For example if your school uses Azure Active Directory (AD) or Google G Suite, those users may use MFA if Microsoft, Apple, or Google are configured to require it.
-
-
When MFA is enforced for a user's security role, they must authenticate with two or more verification factors, such as
-
a password and a code received via SMS text message
-
or a password and a code from a mobile authentication app.
-
Security roles which are constituent or other types are exempt from BBID's MFA enforcement. Thus, users who only have these roles (such as students, alums,
Platform managers can chose to require MFA for a security role that's usually exempt. This increases security for the users. If your school chooses to require MFA for a security role that's usually exempt (students, etc.), then a platform manager can also disable the MFA requirement for that role.
-
Select Core.
-
Select Security.
-
Select Roles.
-
Find the role in the list.
-
Select the ellipsis (...) at the start of the row. The configure enforcement:
-
Select Enforce MFA and confirm the change. The next time a user with the affected role attempts to log in, they're prompted to configure and use MFA.
-
Select Remove MFA enforcementand confirm the change. When disabled, users in the affected roles may still prompted to login with MFA. However, after logging in, the user can go to their individual BBID profile to opt out of MFA.
-
Tip: To learn more about MFA or BBID , view the online help.