Security roles (Old Version)
This help topic describes the legacy interface for managing roles and tasks. A new interface is now available to all schools. To learn more and try it, see Roles and tasks (new version).
Platform managers configure roles and make each user a member of one or more roles. Each role grants the user access to specific "tasks" (capabilities or functional areas and related information) that control what users can access, view, edit, and do in Education Management for your school.
Roles also determine some of the communications that users receive, such as a message to users with an "incoming student" role.
Personas are based on the user's enrollment, current roles, and past roles.
- Select Core.
- Select Security.
- Select Roles.
For each role, the list shows:
- The role name
- Role type (such as application, employee/volunteer, or constituent)
- Whether the role is a clone of another role and, if so, what it's based on.
  If "none" appears in the "cloned from" column, then the role is not a clone.
- Status (active or inactive)
- Number of members
- Number of reports the role has access to
Like many other lists, you can:
- Search the list
- Drag and drop columns to rearrange the data
- Select a column heading to sort the data
- Select the ellipsis (...) on a row for more options.
Platform managers can clone a role to assign it to a user, while omitting some of the tasks normally associated with the role.
For example, you might clone a "coach" role and name the clone "athletic trainer"; then omit the tasks that enable the user to schedule games or post scores.
- Select Core.
- Select Security.
- Select Roles.
- Select + Create Role.
- Enter a Role name for the new role.
- Select an existing role that's similar to one you want to create.
  When you clone the role, you can omit some of the tasks from the original role. However, you can't add additional roles to the clone.
  Clones of the platform manager can't impersonate non-clone-platform managers; they can't grant themselves additional security access.
- Then select Next.
- Select the navigation tasks to associate with the new role and select Next.
- To add members to the role, search for each user by selecting any combination of the following criteria in the "Enter Search Criteria" box:
  - Role - Select from any of the Active roles listed.
  - Grad year - Choose a specific Grad year or search using All.
  - Search in - Choose from Last name, First name, Email, Maiden name, Business name, User ID, Host ID.
- Select the right arrows (>>) to add the users.
- Select Save & exit.
- If a user is currently working when their tasks or roles are changed, tell them to sign out and then sign back in to see the changes.
- We recommend describing new roles in your school's "policies and procedures" guide. If a role should be granted to additional users or removed from users at a later date, include this plan in your guide.
Review release notes regularly. When features are updated or added, the original role may gain new tasks. Existing tasks may gain new functionality (such as a new button on an existing screen). Review your school's clones to enable or disable tasks based on those updates to ensure the clone has appropriate access.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Edit.
- Enter a new name for the role.
- Select Save & exit.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Edit.
- If the role should be assigned to users and its tasks enabled for those members, select Active.
  Otherwise, clear the Active option to disable the role and its tasks. Members will lose access, unless they have another role that grants them access.
- Select Save & exit.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Members.
- Find the user in the list. On their row, select Remove.
- Confirm the change.
- If a user is currently working when their tasks or roles are changed, tell them to sign out and then sign back in to see the changes.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Members.
- Select Add.
- To add members to the role, search for each user by selecting any combination of the following criteria in the "Enter Search Criteria" box:
  - Role - Select from any of the Active roles listed.
  - Grad year - Choose a specific Grad year or search using All.
  - Search in - Choose from Last name, First name, Email, Maiden name, Business name, User ID, Host ID.
- Select the right arrows (>>) to add the users.
- Select Save & exit.
- If a user is currently working when their tasks or roles are changed, tell them to sign out and then sign back in to see the changes.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Tasks (from the left).
- Select Edit (next to the task name).
- Enter a new label in the Task name field.
- Select Save & exit.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Tasks (from the left).
- Select Edit (next to the task name).
- Enter a numeric value for the Sort order to indicate how it should be listed.
  The sort order only changes the task order on the Manage Tasks screen. It does not change the order anywhere else in the system.
- Select Save & exit.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Tasks (from the left).
- Select Edit (next to the task name).
- Select or clear the Desktop and App options for the task that should be enabled or disabled for the role.
- Select Save & exit.
- If a user is currently working when their tasks or roles are changed, tell them to sign out and then sign back in to see the changes.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Reports.
- A list of legacy reports appears.
  Some schools also call other Analysis features "reports." Those are not listed here. For example, Sky Reporting Dashboards and Sky Lists may not appear in this list of reports.
Cloned roles can be deleted. To remove a non-cloned role, mark it inactive instead.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Remove role.
- A confirmation message appears. To permanently remove the role from all users, select Delete.
- If a user is currently working when their tasks or roles are changed, tell them to sign out and then sign back in to see the changes.
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list. On the role's row, select (...) and then select Manage roles - Old.
- Select Audit history.
- A list of membership updates appears. It indicates:
  - which users were added or removed from the role,
  - who made the change,
  - and when.

  The list is sorted from most recent to least.
- Blackbaud requires faculty, admin, and staff users of Blackbaud Education Management® (BBEM) at all schools to use multi-factor authentication (MFA) on their Blackbaud ID (BBID) username and password. These users have security roles with application, employee, or volunteer types.
- When enabled for a role that does not log in with
  - a single sign on (SSO),
  - Sign in with Apple ID,
  - or Sign in with Google,

  all users in the affected role are required to use Blackbaud's MFA with their BBID.
  Users who log in with single sign on (SSO), Sign in with Apple ID, or Sign in with Google aren't prompted to use Blackbaud's MFA, even when MFA is required for one of their roles. However, they may be prompted to use an MFA from the identity provider (IdP) instead. For example, if your school uses Azure Active Directory (AD) or Google G Suite, those users may use MFA if Microsoft, Apple, or Google are configured to require it.
- When MFA is enforced for a user's security role, they must authenticate with two or more verification factors, such as
  - a password and a code received via SMS text message
  - or a password and a code from a mobile authentication app.
- Security roles which are constituent or other types are exempt from BBID's MFA enforcement. Thus, users who only have these roles (such as students, alums,

Platform managers can choose to require MFA for a security role that's usually exempt. This increases security for the users. If your school chooses to require MFA for a security role that's usually exempt (students, etc.), then a platform manager can also disable the MFA requirement for that role.
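The enforcement rules above, as an added example (not Blackbaud code): a Python model that classifies each user as prompted by Blackbaud's MFA, dependent on the identity provider for MFA, or exempt. The `Role` and `User` records, the sign-in labels, and the sample data are constructed assumptions, not a Blackbaud export format or API.

```python
from dataclasses import dataclass

# Role types the page lists as always subject to Blackbaud MFA on the BBID.
MFA_REQUIRED_TYPES = {"application", "employee", "volunteer"}
# Sign-in methods that are not prompted for Blackbaud's own MFA.
FEDERATED_SIGN_INS = {"sso", "apple", "google"}

@dataclass(frozen=True)
class Role:                      # hypothetical record, not a Blackbaud export
    name: str
    role_type: str               # "application", "employee", "volunteer", "constituent", ...
    enforce_mfa: bool = False    # "Enforce MFA" selected for a normally exempt role

@dataclass(frozen=True)
class User:                      # hypothetical record
    user_id: str
    sign_in: str                 # "bbid", "sso", "apple" or "google"
    roles: tuple = ()

def mfa_status(user):
    """Return (status, names of the roles that trigger the MFA requirement)."""
    triggers = sorted(r.name for r in user.roles
                      if r.role_type in MFA_REQUIRED_TYPES or r.enforce_mfa)
    if not triggers:
        return "exempt", triggers
    if user.sign_in in FEDERATED_SIGN_INS:
        # Blackbaud does not prompt; MFA exists only if the IdP requires it.
        return "idp-dependent", triggers
    return "bbid-mfa", triggers

def audit(users):
    """Group user IDs by status so IdP-dependent accounts can be verified at the IdP."""
    report = {"bbid-mfa": [], "idp-dependent": [], "exempt": []}
    for user in users:
        report[mfa_status(user)[0]].append(user.user_id)
    return report

# Constructed sample data.
COACH = Role("Coach", "employee")
STUDENT = Role("Student", "constituent")
STUDENT_MFA = Role("Student (MFA enforced)", "constituent", enforce_mfa=True)
USERS = [
    User("u1", "bbid", (COACH,)),
    User("u2", "sso", (COACH, STUDENT)),
    User("u3", "bbid", (STUDENT,)),
    User("u4", "bbid", (STUDENT_MFA,)),
    User("u5", "google", (STUDENT,)),
]

if __name__ == "__main__":
    for status, ids in audit(USERS).items():
        print(f"{status}: {', '.join(ids)}")
```

Accounts reported as `idp-dependent` are the ones to check against the identity provider's own MFA policy, since Blackbaud does not prompt them.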
- Select Core.
- Select Security.
- Select Roles.
- Find the role in the list.
- Select the ellipsis (...) at the start of the row. Then configure enforcement:
  - Select Enforce MFA and confirm the change. The next time a user with the affected role attempts to log in, they're prompted to configure and use MFA.
  - Select Remove MFA enforcement and confirm the change. When disabled, users in the affected roles may still be prompted to log in with MFA. However, after logging in, the user can go to their individual BBID profile to opt out of MFA.
- To learn more about MFA or BBID, view the online help.