Are you the database administrator or technology specialist for your school district? As school districts move from paper textbooks (remember those book closets filled with textbooks that few ever used, or worse, students had access to) to digital ebooks, they face a host of challenges. This 3-part article explores a few of those challenges, then offers several solution providers. You may also want to check out this presentation resource site, Identity Crisis: Managing User Accounts.
1-Exploring The Problem
School districts have been caught flat-footed in the last two years, facing an onslaught of digital textbook providers who follow no standard data file creation process. This problem is called “user provisioning” (a.k.a. account provisioning), a fancy way of saying that you have to create usernames and passwords in EVERY online system students and staff will need to use.
The gold standard is single sign-on–ONE username and ONE password–that provides access to and is updated in ALL systems a user connects to. Simplicity–remembering one login and password–and security are the focus. To make this happen, user provisioning (a.k.a. rostering) has to happen in the background.
There are a variety of single sign-on providers that already have partnerships with other vendors. Some SSO providers include ClassLink (video), Global Grid for Learning (video), and Bitium’s Passkey (video). Please note that this issue is greater than “single sign-on,” however. We will explore the different levels of solutions later.
Some of the challenges include:
- Getting data out of your Student Information System (SIS)
- Blending student and staff data (e.g. usernames, passwords, student/staff IDs)
- Knowledge of complex database tools and file format conversions (e.g. CSV to XML)
- Unnecessarily complex usernames to represent different textbooks within the same digital textbook system
- Multiple usernames and passwords for students and staff that do NOT match their District username and password.
To facilitate navigation of these challenges, what follows is a walkthrough of each of the items above. Let’s begin with WHERE schools get their data in the first place.
Student Information Systems (SISs)
The “big database in the sky,” or think of it as a lake from which critical information flows, for most school districts is their Student Information System. There are a variety of SIS solutions, including the Education Service Center, Region 20’s iTCCS, as well as TXEIS (so two solutions from ESC-20!), Skyward, eSchoolPlus, and many others. In Texas, most districts have standardized on either ESC-20’s iTCCS or Texas Enterprise Information System (affectionately known as TxEIS), or opted for Skyward.
From their Student Information System, school districts can export data about students and staff. But this is not the end of the fun. Down the stream from this lake of data (e.g. SIS), school district technology departments create user accounts that allow people to log into computers (a.k.a. Active Directory) and create email accounts (e.g. GoogleApps for Education, MS Exchange, Office 365).
Most districts have some automated process for accomplishing this. For example, here’s the process one Texas school district follows:
- A person is approved as a new hire.
Person(s) Responsible: Personnel Staff
- Insertion into SIS/Payroll System. A person’s critical information–FirstName, LastName, Location, EmployeeID#, EmployeeType–is entered into the SIS/Payroll System.
Person(s) Responsible: Payroll staff
- Automated Creation of Digital Accounts. The Identity Automation System takes those new hires put into SIS/Payroll System prior to 2:00am and generates accounts (e.g. Eduphoria, AESOP, SchoolWires, Payroll, TxGradebook, Active Directory and GoogleApps, Discovery Video*, TCMPC, AESOP) for people with the default password.
- Email Sent to Person with Digital Account Information. The Identity Automation System generates an email for all accounts generated and sends a copy to 1) the new hire; 2) the campus secretary; and 3) Technology.
- New Hire, who is now a district employee, logs-in. If a password needs to be changed, any authorized staff member can do so via an easy to access web console.
As you might imagine, the process BREAKS DOWN for many districts in step 3 shown above. The difference in the process above is that the Identity Automation System referenced is a user provisioning solution that handles all the legwork. The process is MUCH MORE difficult without this type of user provisioning solution. The process WITHOUT user provisioning is as follows:
- A person is approved as a new hire.
- Insertion into SIS/Payroll System. A person’s critical information–FirstName, LastName, Location, EmployeeID#, EmployeeType–is entered into iTCCS.
- Payroll emails a daily list of users with their unique employee ID to a designated contact in the Technology Department.
- The Tech Dept contact takes the person’s critical information–FirstName, LastName, Location, EmployeeID#, EmployeeType–and generates unique user IDs following the naming convention for digital accounts needed while trying to provide a consistent username and password in all systems for people with the default password.
- A paper document with a New Hire’s Digital Account Information is provided. This is usually a mail merge or a typed letter created by the person(s) creating accounts.
- New Hire, who is now a district employee, logs-in. If a last name or password needs to be changed, either someone in Technology does it or it has to be done system by system.
In the example above, there are 38 different district information systems. Can you imagine ONE person, or even a team of people, working full-time to maintain account usernames and passwords across all those different systems? The answer is, “Not hardly, but what can I do? It has to get done!” So most districts try to create data files that include all the information for easy import into multiple systems. The problem is, creating these data files can be quite difficult.
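The username-generation step in the manual process above, sketched as an added example (not code from the original post or from any vendor named here). It assumes a `firstname.lastname` naming convention with a numeric suffix on collisions, and it replaces the shared default password with a random per-account initial password; the sample hires and all function names are constructed for illustration.

```python
import re
import secrets
import string
import unicodedata

# Constructed sample of what Payroll sends: FirstName, LastName, EmployeeID#.
NEW_HIRES = [
    {"FirstName": "María", "LastName": "De La Cruz", "EmployeeID": "100231"},
    {"FirstName": "John", "LastName": "Smith", "EmployeeID": "100232"},
    {"FirstName": "John", "LastName": "Smith", "EmployeeID": "100233"},
]


def slug(name):
    """Lower-case, strip accents, keep only a-z and 0-9."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9]", "", ascii_name.lower())
    if not cleaned:
        raise ValueError(f"cannot derive a username part from {name!r}")
    return cleaned


def make_username(first, last, taken):
    """Assumed convention: firstname.lastname, with 2, 3, ... appended on collision."""
    base = f"{slug(first)}.{slug(last)}"
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


def initial_password(length=14):
    """Random per-account password from the OS CSPRNG, not a shared default."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision(hires, existing_usernames):
    """Return one account record per hire; EmployeeID stays the join key."""
    taken = set(existing_usernames)
    accounts = []
    for hire in hires:
        accounts.append({
            "EmployeeID": hire["EmployeeID"],
            "username": make_username(hire["FirstName"], hire["LastName"], taken),
            "initial_password": initial_password(),
            "must_change_at_first_login": True,
        })
    return accounts


if __name__ == "__main__":
    for account in provision(NEW_HIRES, existing_usernames={"john.smith"}):
        print(account["EmployeeID"], account["username"])
```

Keeping the EmployeeID in every record means a later name change only touches the username, not the key that ties the account back to Payroll.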
Blending Student and Staff Data
Few school districts have the technical wherewithal to generate the quantity of data files required by digital textbook providers. For example, a textbook provider may ask for the following fields (e.g. Harcourt Teacher Data File used to create teacher usernames and passwords):
While that is a short list, combine it with student data and it can become much tougher!
Knowledge of Complex Database Tools and File Format Conversions
Requests can become increasingly complex, especially as you try to JOIN students in secondary classes to ONE teacher. Take a look at how this interaction plays out with Pearson’s EasyBridge solution, which is supposed to make it all work. For example, Pearson EasyBridge requires multiple data fields, as well (e.g. LEA District#, List of schools, List of classes, List of teachers, List of students, Associated teacher to class, Associated student to teacher, City, State, Address of School, Zip, and Phone number).
Generating these multiple data fields that are inter-related is a daunting task, requiring complex Structured Query Language (SQL) JOIN statements. What’s that, you don’t know about SQL JOIN statements? Well, most technology specialists tasked with generating these data files for different vendors don’t know about them either…and since SQL is used to interact with a big database, this presupposes that your district even HAS a large database with ALL student and staff data–organized in tables–it can query.
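What such a JOIN looks like in practice, as an added example that is not part of the original article: an in-memory SQLite database joins students to classes to teachers, then writes a CSV containing only the columns a vendor asked for, in the order it asked for them. The table layout, the sample rows and the vendor column list are all constructed for illustration and do not reflect any real SIS or publisher format.

```python
import csv
import io
import sqlite3

# Constructed schema and rows standing in for an SIS export; not a real SIS layout.
SCHEMA = """
CREATE TABLE students (student_id TEXT PRIMARY KEY, last_name TEXT,
                       first_name TEXT, grade INTEGER, birth_date TEXT);
CREATE TABLE teachers (teacher_id TEXT PRIMARY KEY, last_name TEXT);
CREATE TABLE sections (section_id TEXT PRIMARY KEY, course TEXT, teacher_id TEXT);
CREATE TABLE enrollments (student_id TEXT, section_id TEXT);
"""
ROWS = {
    "students": [("S1", "Garza", "Ana", 7, "2003-04-01"),
                 ("S2", "Lopez", "Ben", 7, "2003-09-15"),
                 ("S3", "Nguyen", "Cam", 8, "2002-01-20")],  # S3 has no classes
    "teachers": [("T1", "Rivera"), ("T2", "Chen")],
    "sections": [("SEC1", "Math 7", "T1"), ("SEC2", "Science 7", "T2")],
    "enrollments": [("S1", "SEC1"), ("S1", "SEC2"), ("S2", "SEC1")],
}

# Student -> enrollment -> section -> teacher: one row per student per class.
ROSTER_SQL = """
SELECT s.student_id, s.last_name, s.first_name, s.grade,
       sec.section_id, sec.course, t.last_name AS teacher_last_name
FROM students s
JOIN enrollments e ON e.student_id = s.student_id
JOIN sections sec  ON sec.section_id = e.section_id
JOIN teachers t    ON t.teacher_id = sec.teacher_id
ORDER BY sec.section_id, s.last_name
"""
# An inner JOIN silently drops students with no enrollment; list them explicitly.
UNENROLLED_SQL = """
SELECT s.student_id FROM students s
LEFT JOIN enrollments e ON e.student_id = s.student_id
WHERE e.student_id IS NULL ORDER BY s.student_id
"""
# Hypothetical vendor layout: only these columns, in exactly this order.
VENDOR_COLUMNS = ["last_name", "first_name", "grade", "section_id", "teacher_last_name"]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # lets us pick columns by name
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def roster_csv(conn, columns):
    """Write the joined roster with only the requested columns, in the given order."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(columns)
    for row in conn.execute(ROSTER_SQL):
        writer.writerow([row[c] for c in columns])
    return out.getvalue()

def unenrolled(conn):
    return [row["student_id"] for row in conn.execute(UNENROLLED_SQL)]

if __name__ == "__main__":
    db = build_db()
    print(roster_csv(db, VENDOR_COLUMNS), end="")
    print("not in any class:", unenrolled(db))
```

Because the export is built from an explicit column list, fields the vendor did not request (here `birth_date`) never leave the district, and the LEFT JOIN check catches students who would otherwise vanish from the roster without an error.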
Note: Think of these databases housing confidential student and staff data as giant Excel workbooks in the sky, each sheet (or tab) in the workbook housing data related to other data in a different tab. Somehow, you have to combine/join disparate data from multiple sheets (a.k.a. tables in database-speak) into the ONE you want. This can be a complex proposition, made all the more difficult
Unnecessarily Complex Usernames
McGraw-Hill, another of “the Big 3 Publishers,” also can get convoluted. For example, McGraw-Hill requires a student file with only a few fields (e.g. lastname, firstname, gender, gradelevel, username, and password), but things get complicated. The fields have to be arranged in a specific order. If out of order, then the data transfer will not work. And, even when successful, for the teacher, life is complicated. Imagine if you had to create fictional usernames for each textbook you needed to use with your students, resulting in two handfuls of usernames…just so you can access the same digital textbook students are using! For example, if your username is “MiguelGuhlin,” for each of your classes, the username would be something like
In one local school district, my username for email is “firstname.lastname@example.org” and that is my username. It’s unique in my district, but if I want to access textbooks, then I have to use one of the monster usernames shown above.
Question to Ponder: Were schools made for digital textbook publishers, or the other way around? Is the tail wagging the dog?
Usernames and Passwords that Do NOT Match District Usernames and Passwords
Worse yet, most students and staff ALREADY have a username and password for their “schoolwork.” That username and password is their Active Directory and/or email username and password. I don’t know about you, but asking a 2nd grader to remember more than one username (like what they use to log in to a computer, a Chromebook or send email) would require a pretty awesome digital textbook. automated their student and staff user account names, using that foothold on automation to then branch out. Branching out means automating other systems (e.g. Istation, Think Through Math, Khan Academy), using the core list of usernames and passwords.
2-Exploring Solution Providers
“At the end of the day,” says Steve Young, Chief Technology Officer in Texas, “I think any sizable district who has not automated identity management needs to look at these two products in the very least.” In this section, we will explore more than just two products.
When I first began exploring this issue, a local 10,000 student district suffered a wicked problem. All user account management was done manually. That is, all accounts for staff were created in Payroll in the District’s Student Information System, then someone had to create or maintain those accounts across many different systems. The wicked problem was that there were always people whose account information was wrong and did not work. Keeping their information up to date resulted in a full-time task that one or more people had to support. At the start of the school year, it was IMPOSSIBLE.
WICKED PROBLEM…SOLVED! When considering price, ask yourself, “Does the District want to continue dealing with centralized account management by giving the job to one or more people, who may or may not do a less than adequate job managing those accounts?” When you’re considering Active Directory, account management for GoogleApps (or take your pick of system), Student Information System (SIS), the flavor of the month textbook adoption, this job can be a bear with a sore tooth locked in your office.
At the time we selected Identity Automation, I had a smaller team of staff, and account management, as well as creating data files for systems, was problematic. That problem alone delayed implementation of several key initiatives. However, afterwards, we were able to accomplish quite a bit. We’ve slowly consolidated account management into a 1-person job that doesn’t occupy all his time.
That’s the real problem with failed account management processes…they eat up one or more people’s time because there is no standardization. The “wicked problem”–the bear with a sore tooth–had been solved.
In one district I worked in, it took 3 years to implement an identity management solution that worked with disparate systems. Thank goodness I started upon taking the job as technology director, because THE TEXAS DIGITAL TEXTBOOK DATA NIGHTMARE was headed our way. How did we banish the nightmare?
Banishing the Nightmare
To banish the nightmare, after heavy research, two steps needed to be taken:
- Hire someone who could slice and dice data files. This person needed to be comfortable with SQL databases, Access/Filemaker database queries, and love Excel, file formats (e.g. CSV, tab, XML), and more. While I could do some of this, with 38 different district information systems, I didn’t imagine that there would be time left over to do much of anything else. You can find the job description online at the bottom of this blog entry.
- Select a turn-key identity management solution. Checking with multiple school districts in the State via TCEA TEC-SIG group, I was able to identify two available solutions, although there are now more.
Unfortunately, the turn-key identity management solution came first. “Turn-key” was important because, whether I could get someone (let’s call them a systems interface specialist) or not, the job had to get done.
LEVELS OF SOLUTION PROVIDERS
If we had to group solution providers mentioned in this article in categories, it could be like this:
- Level 5 – A district staff member works collaboratively with a user provisioning solution (such as those listed below) to maintain data file creations, and connects with a Single Sign-On (SSO) solution.
- Level 4 – District data specialist extracts data from the Student Information System, customizing it, relying on a user provisioning system like Identity Automation or Tools4Ever’s UMRA to automatically set up nightly uploads needed by vendors.
- Level 3 – District staff or data specialist creates data files (or gets them from the student information system) and manually imports them into external vendor systems. Vendor partners may or may not work together with a regional education service center to obtain data files directly from their source.
- Level 2 – Integration of SSO + Data File Management and Select Vendor Partners Only like Clever.com and ClassLink’s OneRoster (free).
- Level 1 – Single Sign-On Providers like ClassLink (SSO only), Global Grid for Learning, and Bitium’s Passkey
- Level 0 – Classroom teachers or campus staff create student and staff accounts, maintaining it themselves via some graphical interface or uploading an Excel file.
Given these levels, where is YOUR district?
Now, school districts have access to a variety of solution providers, each of which may offer “modules” that expand the power of each.
Solution Provider #1 – EST Group and Identity Automation
This turn-key solution provider is one that I heartily endorse. The process of working with them involved creating data files for student and staff. These were exports from our Student Information System/Payroll, and had to be placed automagically on our Secure File Transfer Protocol (SFTP) server nightly. Then, these files were “sucked into” the Identity Automation solution, and magic things started to happen.
From these data files, Identity Automation is able to control our Active Directory, GoogleApps for Education and the 38 district information systems staff and/or students have to interact with. We also had to set up two servers that would enable the transfer of data and remote access for Identity Automation support staff. While this seems complicated, consider that they eliminated our data creation mess for various solutions, solving our account management “wicked problem.”
“We use Identity Automation. They are out of Houston. And I highly recommend them!”
–CTO from a Texas School District
Identity Automation, however, can be expensive to launch ($30K for Year 1, and about $8K thereafter annually). Of course, you are getting great support and this can be a life-saver in small to mid-size school districts who can’t afford a dedicated systems interface specialist position.
Find out more:
- View list of Texas School Districts using product
- Contact Info: EST Group ((817) 271-3178) + Identity Automation ((281) 220-0021); Primary Contacts are Mark Hanna and Tim Till (email@example.com), respectively.
- Videos: Watch Intro Video | School Case Study
Solution Provider #2 – Tools4Ever’s UMRA
User Management Resource Administrator (UMRA), described by some as being less “turn-key” than Identity Automation, requires someone on staff who can knowingly work with the solution. “It’s like Active Directory Tool but on steroids!!” shared one colleague. This is a capable solution used by several Texas school districts and one of the top two that mid-size to large school districts should consider.
Tools4Ever’s solution has a great video explaining the challenges and the solution offerings they have:
As one school district CTO put it:
UMRA is an upfront purchase (rather than a subscription) product for managing network accounts, home directories, Exchange, Lync, Google Apps, etc. for students and teachers. We use UMRA from Tools4Ever and have a superb experience with their support and programming teams, having used their product for about 7 years. Teachers and students can log into the school district network, GAFE, and many other things using their AD credentials.
Solution #3 – Encore Software Solutions
This is a solution a large Texas school district is using, and that is also endorsed by the Education Service Center, Region 11:
Region 11 is partnering with Encore to provide an Identity Life Cycle/Federated Security/Single Sign on Application called Encore Software Solutions. Encore Software Solutions automates the most important and often the most complex functions required to connect users to necessary resources. ESS provides user management (creation, change, archival, removal and self service), provisioning of resources (applications, information and data) and seamless secure access (Federation and Single Sign on) to those resources for resources both on premise and hosted 3rd party platforms. Read more.
You can watch a 1-hour demo of their product online, but here’s a shorter video, too.
Find out more:
AND (not necessarily OR yet),
Solution #4 – Clever.com
While not perceived to be a 100% solution–given that it doesn’t facilitate access (yet?) to the big 3 publishers or the new out of the ordinary vendor that just pops up unexpectedly (for example, the San Antonio, Texas Municipal Court is looking to get student/staff data to help Texas districts comply with new truancy laws…and they need data files!)–it takes a novel approach to banishing the nightmare.
That approach is to provide their Single Sign-On service to school districts at no charge (yes, sign-up is free!), asking districts to provide only 5 data files (easy), which they, in turn, use to interface with over 250 vendor partners (e.g. Khan Academy). The vendors are charged. This solution makes a lot of sense, bypassing the problem districts face in generating data files for all their potential partners and allowing Clever.com to deal with all the issues, such as student data privacy, syncing data nightly or more with others.
“Why is Clever of value, especially to school districts that may already have another solution in place?” I asked. The response was a cool “Do you want to manage all those point to point integrations or let Clever handle one to many integrations?” With that answer, one immediately realizes the benefits that Clever offers–why waste some dynamic individual’s time slicing and dicing data files for various vendors? Instead, have that person create 5 files and let Clever do the hard work.
The main challenge Clever.com faces, though, is getting large district textbook publishers to take advantage of their Application Programming Interface (API) to allow the flow of data from the District’s Student Information System (SIS) to the vendor partners.
“Clever is very transparent about our commitment to privacy and security. We are their [school districts and smaller vendors] security infrastructure. We have invested in the resources so districts, as well as some of our vendors, don’t have to.”
Once you are sending your 5 data files to Clever in an automated manner, Clever represents that data in a dashboard that allows the District access to ALL of the vendor partners Clever has. For example, if you want all students in the District to get access to Code.org or Khan Academy, you just indicate that via the panel. Or, if you only want math students at a certain campus to get access, then you make those selections and submit the request. The interface appears easy and straightforward.
Once data is syncing on a regular schedule, students have the option to login to ANY of the systems with a single sign-on.
As I reflect on the solutions available, I am inclined to combine solutions at this point–one of the first 3 solutions at cost plus Clever at no charge. The main benefit of this approach is that schools build the capacity needed in-house to slice and dice data, but also capitalize on Clever.com’s pre-existing vendor partner relationships. Instead of the arduous process of building data files needed for 250 partners, you just connect with Clever and focus on the data files that Clever does NOT support, but which you need. This is a much smaller number!
Find out more:
- Watch intro video
- Student Data Privacy
- What Schools Are Saying about Clever
- A Case Study: Sunnyside Schools
While a potentially complex topic, one perspective that needs to be discussed is, Why are digital textbook publishers not getting together with the Texas Education Agency or state agency to make this user provisioning process easier for school districts? Probably what is needed is a federal agency to require states to standardize their student/staff information systems so that vendors work with ONE set of data files, rather than one per school district. Is that likely to happen? No, because this nightmare is perpetrated on all by partisan politics that are divisive and built by committees of rivals.
So, if you’re a school district, I recommend you take the following steps:
- Hire someone who can slice and dice data. A job description exists already for you to start with.
- Select a turn-key solution provider, whether it’s Identity Automation, UMRA, Encore, that is up to you.
- Sign up with Clever. Since it is free, there is no cost and you can connect to many different providers with a single sign-on, eliminating problems you would face otherwise doing things yourself.
- Lobby, demand, protest legislators to take the steps needed to eliminate the daily horrors that begot The Texas Digital Data Nightmare.
Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure