Question

Is there a way to disable a Google user account with IIQ?


Userlevel 1
Badge

We use Google SSO to set up accounts for both our staff and students. Our SIS app (Infinite Campus) pulls in stuff like courses, grades, and status. But, when these students leave or graduate, their status in the SIS gets switched to inactive. That's all good because we've set up data mappings to change their roles from "Student" to "No Access." This way, we can keep track of the number of students and devices we have throughout the year.

The issue we're running into is that IIQ isn't assigning the "No Access" role because of a message we get from the SIS sync. It says “This user is inactive, but we can't change the role to NOACCESS because they've still got an active SSO account and the role mapping isn't set up for this app.” I've talked to IIQ support, and they're saying that since the best way to make users is through Google SSO, I would need to disable these users' Google accounts first.

So I'm looking for a way to use IIQ to help me disable these users' Google accounts based on the SIS status info, the same way that it’s also marking these accounts to be given the “NO Access” role in the first place. Or is there a way I can download the logs that have the error about active SSOs and disable them manually?


11 replies

Userlevel 7
Badge +12

@JBarrett 943750d scschools Thank you for submitting your question to our Community.

There is not a way to have iiQ write back to your Google SSO via SIS sync. @SMillsTVSD @jclark16 @mcsdwes @MattHenry @bclark any thoughts on this question?? 

Userlevel 6
Badge +12

We use both SIS and Google SSO as well. We use Google SSO to create/sync users, set roles, and obviously for authentication. We only use our SIS for supplemental info in iiQ, but not to control roles. So a disabled account in Google is set to “No Access” in iiQ.

It is worth noting, we have a provisioning system that reads from our SIS as a source of information and will enable/disable or move accounts between OU’s based on that. So, if a user is made inactive in our SIS, that Google account is automatically disabled that same day, and from that is set as “No Access” overnight when the sync between iiQ and Google runs.

Userlevel 5
Badge +4

@JBarrett 943750d scschools - Our setup is similar to jclark’s post above. Instead of Google we use Active Directory, so when an account is disabled in AD then overnight it will sync that over to IIQ, which will set the status to No Access. In our case when a student is withdrawing from Infinite Campus our custom scripts will update our Data Warehouse, which is then fed into Active Directory, and the overnight sync into IIQ will disable them there as well. Hope this helps and let me know if you have any follow-up questions.

Userlevel 1
Badge

Thanks for the replies. 

What provisioning system are you using? For us, since iiQ can't do it, I can run a report from our SIS and script GAM to move and disable accounts. I just wanted to make sure with iiQ before I went in that direction. Thanks for the responses.

Userlevel 5
Badge +4

@JBarrett 943750d scschools - We wrote our own provisioning system. We have two main data sources, Infinite Campus (student data) and BusinessPlus (HR, Payroll, etc. - employee data). When a new student or employee is entering/leaving the district then we send that data to a SQL Server database. That database holds all student and employee data. From there we send that data to Active Directory, which will sync IIQ and other systems including Google. We also insert our employees into Infinite Campus by creating them a user account, district employment, district assignment, etc...

Having all the data consolidated in one database has lots of benefits.

Userlevel 7
Badge +12

Thank you @jclark16 for sharing! @mcsdwes I knew you would have a great suggestion!

Userlevel 1
Badge

Thanks, I'll look at doing something similar. Appreciate your suggestion.

Userlevel 6
Badge +12

@JBarrett 943750d scschools Sorry for the delay. We are now using Rapid Identity, but previously we used an in-house developed setup to do the same thing.

Userlevel 6
Badge +12

@JBarrett 943750d scschools  also - Depending on the size of your district, it might be pretty manageable to use GAM on a VM like you mentioned, and just run it from a scheduled task for some automation.

Userlevel 7
Badge +12

Loving this collaboration! 😄

Userlevel 1
Badge +2

Same environment as jclark. We do use GAM on a scheduler within a Windows server for some of the tasks, but mainly we rely on a 30-minute sync with GCDS to control users and groups in Google from AD.

Regarding the original request on departing students, we are faced with the same issue with our SIS (PowerSchool). What we chose to do is once a student is set to Inactive in SIS, our custom PowerSchool to Active Directory connector is able to set an AD Attribute (in our case Employee Type) to STUX (something I can trigger on). Then I sync that data to Google and then to IIQ. In IIQ I am able to do a search (view) on Google attribute “Employee Type” = STUX and Has Assets Assigned and find the students who have left the district and still have Chromebooks assigned to them. 

Going by role No Access due to Google’s disabled accounts didn’t work for us, because of a lot of students who are disabled in the system due to discipline or AUP violations. Their account is temporarily disabled, but they still have an asset assigned to them for when they come back. So looking for users with “No Access” and assigned device provided a lot of false positives and more work for my techs to figure out if the student really left the district or not.

I know this process is convoluted but I hope it helps you see a different approach. 
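Added example, not written by any poster in this thread: a Python sketch of the reconciliation discussed above. It joins an SIS status export against a Google directory listing and an asset list to find accounts that are inactive in the SIS but still active for SSO, and it separates departed students holding devices from suspended-but-enrolled ones. The CSV columns, sample rows, and the `max_fraction` guard are assumptions, and it joins on SIS status directly rather than on a synced attribute such as Employee Type.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not the real Infinite Campus, Google, or iiQ export formats.
SIS_CSV = """email,status
ana@example.org,active
ben@example.org,inactive
cal@example.org,inactive
dee@example.org,active
"""
GOOGLE_CSV = """email,suspended
ana@example.org,False
ben@example.org,False
cal@example.org,True
dee@example.org,True
"""
ASSETS_CSV = """email,asset_tag
cal@example.org,CB-1001
dee@example.org,CB-1002
"""

def load(text):
    """Index CSV rows by lower-cased email."""
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def build_plan(sis, google, assets, max_fraction=0.5):
    inactive = {e for e, r in sis.items() if r["status"] == "inactive"}
    suspended = {e for e, r in google.items() if r["suspended"] == "True"}
    # Inactive in the SIS but still able to sign in through Google SSO.
    to_suspend = sorted((inactive & google.keys()) - suspended)
    # Guard: a truncated or mis-mapped SIS export must not disable most of the domain.
    if google and len(to_suspend) / len(google) > max_fraction:
        raise RuntimeError(f"refusing to suspend {len(to_suspend)} of {len(google)} accounts")
    return {
        # GAM commands are only generated here, for review before anything runs.
        "commands": [f"gam update user {e} suspended on" for e in to_suspend],
        # Left the district and still holds a device.
        "collect_devices": sorted(inactive & assets.keys()),
        # Suspended in Google but not inactive in the SIS (e.g. discipline).
        "keep_devices": sorted((suspended - inactive) & assets.keys()),
    }

if __name__ == "__main__":
    plan = build_plan(load(SIS_CSV), load(GOOGLE_CSV), load(ASSETS_CSV))
    for section, items in plan.items():
        print(section, items)
```

The generated command list is meant to be reviewed or logged before a scheduled task executes it.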

 
