Groupcall IDaaS, Active Directory Provisioning, and Personal Data

About this Document

This document is an appendix to the Groupcall IDaaS Data Sharing Agreement; it specifically covers the additional release of data when a school has enabled Active Directory Provisioning functionality for their users. Schools may wish to use this information within their fair use policy in instances where the provisioned AD is not within their direct control.

This document also explains the technical construction of Active Directory attributes populated by Groupcall IDaaS when provisioning into Active Directory.

Transfer and Use of Personal Information

  1. Personal information about pupils who are currently on roll:
    • Your Groupcall IDaaS username
    • Your internal MIS record ID
    • Your name
    • That you are a student
    • The school(s) at which you study
    • Your year group, and optionally also your house group, registration group and class groups.

  2. Personal information about adults currently in the employ of the school:
    • Your Groupcall IDaaS username
    • Your internal MIS record ID
    • Your name and title
    • Whether you are Teaching or Non-Teaching staff
    • The school(s) at which you work
    • Your association with any year group, and optionally with any house group, registration group or class groups.

  3. Personal information about pupil contacts with parental responsibility:
    • Parental contacts are not provisioned into Active Directory unless they are also a member of Staff (or, strictly speaking, a Pupil).

  4. Information about your school:
    • School establishment number

Use of Data

The Use of Data policy is provided so that schools, as data controllers, can confirm that they are able to share the data and that they consider appropriate measures to be in place to ensure it is held securely and confidentially.

This document sets out how Groupcall supports these objectives.

Groupcall and its suppliers will be acting as ‘data processors’ as defined by the 1998 Data Protection Act. Groupcall has taken all reasonable measures to ensure the safety and security of the personal information, and continues to review these measures on an ongoing basis.

AD Provisioning Data Security

This information is an appendix to the Groupcall IDaaS Data Sharing Agreement and sets out the specific additions that apply when Groupcall IDaaS is used in conjunction with Active Directory Provisioning.

When provisioning Active Directory using Groupcall IDaaS, Personally Identifiable Information (PII) is both released to and stored by third parties. As Groupcall IDaaS is a service provided to third-party companies, it is expected that you have signed a data sharing agreement with that third party, of which this appendix forms a part. The nature of the released PII is covered within this document in both summary and detail.

During provisioning, data is transferred over industry-standard SSL encryption.

Obtaining Support

Your first port of call for support should be the partner organisation that provided Groupcall IDaaS to you, who are fully trained in IDaaS support.  Should the partner organisation need further assistance then they will escalate their case to Groupcall.

You are reminded that you should avoid sending personal information, such as student records, to Groupcall directly. If there is a specific requirement to send such information, you should only do so with strong encryption. Groupcall staff will advise the most secure method of transfer in such cases.

AD Provisioning Data Lifecycle

Your data’s point of origin remains in the school MIS. Changes made in the MIS are transmitted to Groupcall IDaaS which in turn will then transmit to Active Directory.

Technical implementation of Active Directory provisioning

Groupcall IDaaS implements the following behaviours when provisioning into Active Directory.

Firstly, an IDaaS username can belong to more than one person; this means that a username cannot be assumed (as is the classic case) to be only a single role:school combination and therefore cannot be placed into e.g. a per-school OU or a role-based OU.  Consequently an IDaaS username is provisioned into Active Directory in a single OU container for all users, and group memberships are used to indicate role:school assignments.  This has some implications for GPO but they are addressed below.

In IDaaS, each role:school assignment for a username is called a presence. For example, a person may have one IDaaS username that links to part-time teaching roles in three different schools, because each of the three school MIS products holds an unrelated record for that person as a teacher. In IDaaS terminology there is one IDaaS Login linked to three IDaaS Presences, where a Presence is the role:school assignment interpreted from the school MIS record.

Each IDaaS Presence will then have membership of groups within the applicable school based on MIS data, for example a student or teacher presence will have links to (for differing reasons) year groups, house groups, registration groups, and academic classes.

Attributes for an Active Directory User

userPrincipalName

This is populated with the Groupcall IDaaS login username with a suffix of your choosing appended. The suffix is granular down to role and school; for example, staff and students in the same school can have different suffixes.

sAMAccountName

This is typically left to AD to populate automatically. It is possible to populate it with the Groupcall IDaaS login username, but these can exceed the 20-character legacy limit on this attribute.

employeeNumber

This is populated with ‘IDaaS-LoginId-{LoginId}’, where LoginId is the IDaaS internal key for the Groupcall IDaaS login username.

Attributes for an Active Directory Group

groupName

This is the display name of the group, taking the format of:

  • {LAID}_Students
  • {LAID}_Teaching
  • {LAID}_Year_{DisplayName}
  • {LAID}_Reg_{DisplayName}

Where LAID is the school LA/DfE number and DisplayName is the name of the group in MIS.

adminDescription

Contains ‘IDaaS-ESTAB{LAID}-{GroupId}’, which is used as a glue record for issuing further updates to the group.
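
The attribute rules in this section, modelled as an added worked example (this is not Groupcall's code). It builds the userPrincipalName, sAMAccountName, employeeNumber, group name and adminDescription values from the formats quoted above, and also parses the two marker formats back out so an administrator can tell IDaaS-managed objects from locally created ones. The suffix policy, usernames, LoginIds, LAIDs and GroupIds are constructed sample values; the character set accepted for a LoginId or GroupId in the regular expressions is an assumption.

```python
"""Attribute construction for IDaaS-provisioned AD objects (added example)."""
import re
from typing import Dict, Optional, Tuple

SAM_ACCOUNT_NAME_LIMIT = 20  # legacy (pre-Windows 2000) logon name limit

# Marker formats stated in the document; the id character class is an assumption.
USER_MARKER_RE = re.compile(r"^IDaaS-LoginId-(?P<login_id>[A-Za-z0-9]+)$")
GROUP_MARKER_RE = re.compile(r"^IDaaS-ESTAB(?P<laid>\d+)-(?P<group_id>[A-Za-z0-9]+)$")

# UPN suffix policy keyed by (LAID, role); (None, None) is the default.
# Constructed sample policy: staff and students of one school get different suffixes.
SuffixPolicy = Dict[Tuple[Optional[str], Optional[str]], str]
SAMPLE_SUFFIX_POLICY: SuffixPolicy = {
    ("1234567", "Students"): "students.example.sch.uk",
    ("1234567", "Teaching"): "staff.example.sch.uk",
    (None, None): "example.sch.uk",
}


def upn_suffix_for(laid: str, role: str, policy: SuffixPolicy) -> str:
    """Resolve the suffix: school+role first, then school-wide, then the default."""
    for key in ((laid, role), (laid, None), (None, None)):
        if key in policy:
            return policy[key]
    raise KeyError("no default UPN suffix configured")


def sam_account_name_for(username: str) -> Optional[str]:
    """Username as sAMAccountName only if it fits the 20-character limit.

    None means 'leave it for AD to populate', as the document recommends."""
    return username if len(username) <= SAM_ACCOUNT_NAME_LIMIT else None


def build_user_attributes(username: str, login_id: str, laid: str, role: str,
                          policy: SuffixPolicy = SAMPLE_SUFFIX_POLICY) -> Dict[str, str]:
    """Attributes written to the AD user for one login/presence."""
    attrs = {
        "userPrincipalName": f"{username}@{upn_suffix_for(laid, role, policy)}",
        "employeeNumber": f"IDaaS-LoginId-{login_id}",
    }
    sam = sam_account_name_for(username)
    if sam is not None:
        attrs["sAMAccountName"] = sam
    return attrs


def build_group_attributes(laid: str, kind: str, group_id: str,
                           display_name: Optional[str] = None) -> Dict[str, str]:
    """Name and adminDescription glue record for an IDaaS-managed group."""
    if kind in ("Students", "Teaching"):
        name = f"{laid}_{kind}"
    elif kind in ("Year", "Reg"):
        if not display_name:
            raise ValueError(f"{kind} groups need the MIS display name")
        name = f"{laid}_{kind}_{display_name}"
    else:
        raise ValueError(f"unknown group kind {kind!r}")
    return {"name": name, "adminDescription": f"IDaaS-ESTAB{laid}-{group_id}"}


def parse_user_marker(employee_number: Optional[str]) -> Optional[str]:
    """LoginId from an employeeNumber value, or None if not IDaaS-managed."""
    m = USER_MARKER_RE.match(employee_number or "")
    return m.group("login_id") if m else None


def parse_group_marker(admin_description: Optional[str]) -> Optional[Tuple[str, str]]:
    """(LAID, GroupId) from an adminDescription value, or None if not IDaaS-managed."""
    m = GROUP_MARKER_RE.match(admin_description or "")
    return (m.group("laid"), m.group("group_id")) if m else None


if __name__ == "__main__":
    print(build_user_attributes("j.bloggs", "8812", "1234567", "Teaching"))
    print(build_group_attributes("1234567", "Year", "g77", display_name="7"))
```

The parse functions are the useful half for a defender: exporting employeeNumber and adminDescription from the directory and running them through these checks separates accounts and groups the provisioner owns (and will disable or delete on its own schedule) from ones created by hand, which nothing will clean up.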

Life Cycle of an AD User

An Active Directory user is created or updated when a Groupcall IDaaS login has a new presence assigned to it and that presence is linked to a school that is provisioned into one or more Active Directories. In each case the AD login is created if it does not already exist (IDaaS looks for its marker in employeeNumber), and the presence is then assigned a role group membership and a set of school group memberships. If the AD user already exists and is disabled at the time of provisioning, the provisioner re-enables it.

When a presence is removed from a Groupcall IDaaS login, or a presence is removed from the school MIS (usually because the person has left), IDaaS removes the applicable school group and role group memberships from the AD user. If the AD user has no groups left, the AD user itself is disabled.

Life Cycle of an AD Group

When applicable, an AD group is created as soon as a new MIS group is seen by IDaaS; the group persists in AD (referenced by the IDaaS marker stored in adminDescription) until it is no longer among the active groups in the source MIS.
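
The user life cycle described in the two sections above, modelled against an in-memory stand-in for the AD user container. This is an added example, not Groupcall's provisioner: it looks the user up by the employeeNumber marker, creates the account if absent, re-enables it if disabled, adds the presence's role and school group memberships, and on presence removal drops those memberships and disables the account once none remain. The container name, usernames, LoginIds and group names are constructed sample data, and the audit function at the end is an added administrator check that the document does not describe.

```python
"""Life cycle of an IDaaS-provisioned AD user, modelled in memory (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

USERS_OU = "OU=IDaaS Users,DC=example,DC=sch,DC=uk"  # assumed single container for all users
MARKER_PREFIX = "IDaaS-LoginId-"


@dataclass
class AdUser:
    username: str
    employee_number: str                      # "IDaaS-LoginId-{LoginId}" marker
    enabled: bool = True
    groups: Set[str] = field(default_factory=set)


class Directory:
    """Minimal stand-in for the AD container the provisioner writes into."""

    def __init__(self) -> None:
        self.users: List[AdUser] = []

    def find_by_marker(self, marker: str) -> Optional[AdUser]:
        # Equivalent of an LDAP search for (employeeNumber=<marker>) under USERS_OU.
        return next((u for u in self.users if u.employee_number == marker), None)


def marker_for(login_id: str) -> str:
    return f"{MARKER_PREFIX}{login_id}"


def assign_presence(d: Directory, username: str, login_id: str,
                    role_group: str, school_groups: Set[str]) -> AdUser:
    """A presence was added to the login: ensure the user exists and is enabled,
    then add the presence's role group and school group memberships."""
    user = d.find_by_marker(marker_for(login_id))
    if user is None:
        user = AdUser(username=username, employee_number=marker_for(login_id))
        d.users.append(user)
    elif not user.enabled:
        user.enabled = True  # existing but disabled account is re-enabled
    user.groups.add(role_group)
    user.groups.update(school_groups)
    return user


def remove_presence(d: Directory, login_id: str,
                    role_group: str, school_groups: Set[str]) -> Optional[AdUser]:
    """A presence was removed (from the login or from the MIS): drop its
    memberships and disable the user if no groups remain. None if no such user."""
    user = d.find_by_marker(marker_for(login_id))
    if user is None:
        return None
    user.groups.discard(role_group)
    user.groups.difference_update(school_groups)
    if not user.groups:
        user.enabled = False
    return user


def audit_enabled_without_groups(d: Directory) -> List[str]:
    """Added check: an enabled IDaaS-managed user with no group memberships
    contradicts the life cycle rules and is worth investigating."""
    return [u.username for u in d.users
            if u.employee_number.startswith(MARKER_PREFIX) and u.enabled and not u.groups]


def run_scenario() -> Directory:
    """One teacher with presences at two schools, both later removed."""
    d = Directory()
    assign_presence(d, "a.teacher", "42", "1234567_Teaching", {"1234567_Year_7", "1234567_Reg_7A"})
    assign_presence(d, "a.teacher", "42", "7654321_Teaching", {"7654321_Year_9"})
    remove_presence(d, "42", "1234567_Teaching", {"1234567_Year_7", "1234567_Reg_7A"})
    remove_presence(d, "42", "7654321_Teaching", {"7654321_Year_9"})
    return d


if __name__ == "__main__":
    for u in run_scenario().users:
        print(u.username, "enabled" if u.enabled else "disabled", sorted(u.groups))
```

One limitation of this model: it removes the departing presence's groups outright. If the same person could hold two presences in one school, both sharing the school's role group, a real implementation would need to count references before removing a membership. The model also only disables, never deletes, so the account and its marker survive for the next presence, which is what makes the re-enable path in assign_presence work.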

Next Steps...

If you need any further assistance or get into any difficulty, then please contact Groupcall Support. If the issue affects Groupcall Partner products, you should refer to the support arrangements for that specific Groupcall Partner.

…And Finally

Have you followed Groupcall on Twitter and Facebook? Stay informed, get the latest news, updates and useful tips on all of our products!