Managing users & access reviews

Keeping the user list accurate — right people, right roles, nothing stale — is one of an administrator's most important recurring jobs. This page covers adding and deactivating staff, resetting passwords, periodic access reviews and two-factor authentication.

Where to find it — App drawer → EduPrime → Transfers.

Adding staff

Open SettingsUsers & CompaniesUsers, click New, enter the name and email, assign the minimum roles for the job, and send password-reset instructions. The user sets their own password from the email — you never need to know it.

HR dashboard listing staff
Staff records in HR feed the picture of who works at the school; system access is granted separately under Users.

Deactivating leavers

Important — When a staff member leaves, deactivate their user the same day — do not delete it. Deleting orphans the records they created; deactivating revokes all access while preserving history and audit trails.
  1. Open the user.
  2. Toggle Active off (archive the user).
  3. Confirm they can no longer log in by checking the user no longer appears in the active list.
  4. Reassign any ownership (classes, queues) to a current staff member.

Resetting passwords

If a user is locked out, open their record and click Send Password Reset Instructions. They receive a secure link to set a new password. As administrator you should never type a user's password for them.

Periodic access review

Run a structured review at least once a term:

  1. Export or list all active users with their roles.
  2. Confirm each person still works here and still needs each role.
  3. Remove roles that exceed current duties (role creep) — for example a teacher who briefly covered admissions.
  4. Deactivate anyone who has left but was missed.
  5. Check the Administrator role — it should belong to a tiny, named group only.
  6. Record who did the review and when.
Review itemWhy it matters
Dormant accountsUnused logins are a breach risk; disable them
Over-privileged usersLeast privilege limits damage from a compromised account
Administrator countFewer admins means a smaller, auditable blast radius

Two-factor authentication

Two-factor authentication (2FA) adds a one-time code on top of the password. Require it for every privileged user.

  1. Each user opens PreferencesAccount Security and enables two-factor authentication.
  2. They scan the QR code with an authenticator app and confirm a code.
  3. From then on, login asks for the 6-digit code.
Tip — Mandate 2FA for Administrators, the Bursar and HR at minimum — these accounts can move money or expose personal data, so a stolen password alone must never be enough.
Was this page helpful?