New to onCourse 9.7 is the Security section, found in File > Preferences > Security. Along with some standard security-related preferences, here you will find a full list of users with login access to your onCourse application and data, along with the different user roles you have defined within onCourse.
The first section is called 'Settings', containing onCourse's main security related preferences, including rules around enforcing two-factor authentication. You have the following preferences to switch on or off:
Automatically disable inactive accounts - this will disable accounts that haven't logged in after a set number of days.
Require better passwords - when enabled, this feature demands the use of a more secure password. When enabled, it will typically reject any common passwords and enforce a higher standard of password to be used by all users.
Require password change every <x> days - When enabled, this feature will demand users change their password every set number of days. You can change the number of days manually by clicking the number in the field.
Require two-factor authentication every <x> hours - When enabled, this will require all users to get a new authorisation via a third-party authorisation app after the set number of hours. You can change the number of hours manually by editing the number in the field.
You then have the abiltiy to add new users or edit existing users details such as their name, email address, access level or password. Only users with admin rights will be able to see, edit and add users, everyone else can only edit their own user settings. There are no limits to the number of users in onCourse. Users should be deactivated if they leave your organisation.
Every person in the organisation who uses onCourse should have their own user account. We do not recommend users 'share' a login as various user layout preferences are saved against each user account. Important records created in onCourse like invoices, payments and enrolments are linked to the user who created them. If you need to follow up any discrepancies, this is made much easier when your staff each have their own login and their user name is something easy to identify the person by, like their first name.
Login - What you use along with the password to login into onCourse, usually something simple to remember like 'John'.
Password - this is where you enter a new user's password. Only visible when creating a new user.
Reset Password - reset the selected user's password.
Default administration centre - The Default administration centre refers to the physical site where your staff are working. Select the site from the drop down menu. This is important if you take physical cash, cheque or eftpos payments at these venues and you need the site banking process to correctly tally the location balances.
Email - the users primary email address (this email address will be used for the CMS login process).
Active - selecting this allows the user to login to onCourse. If active is not selected, the user will receive an "authentication failed" message at the onCourse login screen.
Admin - Checking this will allow the user to be an admin, they will have full access rights and can assign roles and rights to other users.
Last logged in - not editable, just tells you when that user last logged into onCourse.
Can edit CMS - this is a special permission that allows this user to login to your website via the CMS URL and make changes to the website pages directly. You do not need this permission to edit website content like courses, classes and products via onCourse.
2FA status - displays whether this user has two-factor authentication enabled or not.
A user can change their own password by going File -> Preferences -> and click on the option 'Change my password' at any time. Once they do this a window will pop up asking them to enter what they would like their new password to be.
If your College has more than one Administration Centre, it is possible to switch between these centres whilst a user is logged in by selecting the relevant centre from the home splash screen of the onCourse client as shown in the following example.
An administrator can request a user change their password at their next login by hitting the 'require password change' button under 'Users'.
If you have this setting enabled, the application will demand a better quality of password from your users, rejecting simple passwords e.g. a sequence of numbers or anything containing the word 'password'. If a user logs in and their password is deemed unsecure, they will see a pop up prompting them to create a new one.
If you try and log into onCourse with the same login credentials as a user that is already logged in, then a window will pop up asking you what you want to do. You will then have the option to quit your log in attempt, or log in and kick the other user using the same log in details out. So to prevent this from happening it's best to always have your own username and password to log in with.
Access rights restrict what parts of onCourse users can modify, print, view or delete. This is an advanced feature, available for onCourse "Professional and Enterprise" customers. Four pre-defined user roles are available within the system, Enrolment Officer, Administration Manager, Course Manager and Financial Manager. You can modify these and create new access rights groups as needed. Each user within your organisation can be given Admin access rights (full access) or be added to any of your access groups. Select the access rights when creating or editing user profiles, as above.
To access the "Users" menu, in onCourse go to File > Preferences > Access.
Here you can create roles for users, such as "Administration Manager." Some default access roles have been created in onCourse however you should edit these and create roles applicable to your own organisation.
Each onCourse user should be assigned to a user role that defines their access levels, by default all new users created will have full admin access to all aspects of onCourse.
You can edit an existing access role by double clicking on it, or create new access roles using the + button in the top right hand corner of the window.
Before we delve into the specifics of the Access menu, it's important to know what each option means. If an option like "create" is greyed out, it means that part of onCourse can't be restricted.
View: A view permission only allows the contact to see data already created, but does not allow existing records to be edited or new records to be created.
Edit: Allows both edit and view rights.
Create: Allows the creation of new records, edit and view rights.
Delete: Allows record deletion where permitted by onCourse validation. Linked and locked records can not be deleted just because a user has delete rights.
Print: Allows printing of reports associated with this record type
Hide: Some processes only have one level of access - allow. If this option is not ticked, it means the ability to run the process is denied and the element is hidden from use.
What can you edit in the "Access" menu?
Name: here you define the name of the role, e.g; "Administration Manager".
People and companies
Contact: this refers to all onCourse students, tutors and companies. Full create rights are recommended for any user who needs to process enrolments as new contacts are often created at this time.
Course: permission to work with any course type, including traineeships, Vocational and non-vocational courses
VET course details: this only relates to adding or removing unit of competency details from a course
Class: permission to work with any class type
Enrolment outcomes: only edit rights are editable. This allows the user to set outcome results or change the outcomes linked to a student's record
Budget: viewing the class budget can be disabled
Session: this permission relates to sessions as they belong to classes
Waiting list: permission to work with all wait list records
Mailing list: permission to work within existing and create new mailing lists
Qualification reference data: the only permission available here is edit, allowing you to add your choice of nominal hours. All reference data is centrally managed by ish.
Certificate: this relates to VET Statements of Attainment and Qualifications only. All contacts with class print permissions can create non-vocational certificates of attendance.
Print certificate without verified USI: This allows VET certificates to be printed when the student has a USI on record that has not yet been verified. A warning to the user will still be shown. This only applies to certificates created after 1/1/2015
Print certificate without USI: This allows VET certificates to be printed when the student has no USI on record. A warning to the user will still be shown. This only applies to certificates created after 1/1/2015
Site: view can not be disabled, allows user to create new and edit current Sites.
Room: view can not be disabled, allows user to create new and edit current Rooms.
Enrolment: Create permission needed for an onCourse user to use Quick Enrol
Custom enrolment discount: Allow permission gives the ability for any manual discount to be added to any enrolment processed through Quick Enrol.
Applications: Lets the user access course applications from prospective students.
Discount: This permission relates to the creation of discount strategies. Discounts will auto apply to any applicable enrolment regardless of permission here. Also the ability to link discounts to classes, corporate passes, concession types and membership types.
Tutor roles: These roles determine pay rates for teaching staff.
Tutor pay: This permission relates to the creation and editing of payslips.
Override tutor session payable time: allows user to unlock and modify a tutor's payable time manually
Bulk confirm tutor wages: allows users to click the 'confirm now' button in the Generate tutor payroll sheet that confirms all the unconfirmed paylines
Invoice: This permission relates to the creation of manual invoices (invoices not created as part of the Quick Enrol process).
Credit note: Allow the creation of manual credit notes. This permission is not needed for the creation of automatic credit notes during enrolment or class cancellation.
Payment In: Permission relates only to manual payment in records, not those created during Quick Enrol.
Payment Out: This permission is about creating refunds, usually processed in real time back to payer's credit cards.
Payment Method: This allows the user to change the payment method when accepting payments.
Account: Account settings for onCourse chart of accounts
Transaction: general ledger transaction records created during all financial transactions. These can only be viewed, never edited or manually created.
Financial preferences: The onCourse preferences that set the default accounts for various transaction types
Banking: Allow permission to run the bank process
Reconciliation: Allow permission to reconcile payments
Corporate pass: Permissions relating to the creation or editing or CorporatePass. This permission is not required to process a website enrolment that uses a CorporatePass for payment.
Payment plan: Permissions relating to the creation or editing Payment plans.
Summary extracts: Permission that allows a user to export/print MYOB Export and Trial Balance from the Financial menu.
Class duplication/rollover: Allow duplication of one or more classes from existing class(es)
Class cancellation: Cancellation process that prevents further enrolments and creates credit notes for existing enrolments
Exporting to XML: Export of class information for brochure production
Creating certificate from class: Bulk certificate creation process for VET and non-VET enrolments
Contact merging: Merge duplicate student records
Enrolment cancellation and transferring: Cancel or transfer individual enrolments and create a credit note
Export AVETMISS: Export training data for government reporting
Data import: import data into onCourse
Override tutor payrate: Allow a local override at the class level to any manually set payrate
Edit/Delete Notes: Gives permission to edit and delete record note items
Email up to 50 contacts: This permission is useful for admin staff who may need to notify a class of students about changes.
Email over 50 contacts: This permission is most appropriate to marketing staff.
SMS up to 50 contacts: This permission is for admin staff who may need to notify a class of students about changes.
SMS over 50 contacts: This permission is most appropriate to marketing staff.
Web and content management
Documents: Permissions relating to documents used on the public website, inside onCourse and available via the portal
Private Documents: Permissions relating to documents set as Private within onCourse. Can only view, edit and create. Cannot delete or print.
Tag: Permission relating to all tag groups, including those that drive the website navigation. This permission is not required to add tags to records, only to edit tag groups.
Product: This permission relates to the creation and editing of Products
Memberships: This permission relates to the creation and editing of Memberships
Vouchers: This permission relates to the creation and editing of Vouchers
Sales: This permission relates to the creation and editing of Sales
Report: Permissions to view, modify and print reports.
Email Template: Permission to modify Email Templates.
Export Template: Permission to modify Export Templates.
Scripts: Permission to modify Scripts.
Funding contract: Allows user to view/modify Funding Contracts
Funding upload: Allows user to access Funding Uploads
Audit logging: Allows user to access Audit Logs
Contact relation types: Permissions to view/modify contact types.
General preferences: Relates to onCourse application preferences that affects all users
Change administration centre: Allows user to change administration centre details
Concession type: Permission to modify available concessions. This permission is not needed to add concession types to contact records.
Require two factor authentication: If this is allowed then a user who logs in without two factor authentication enabled is immediately shown the "Enable two factor authentication" dialog
Two factor authentication (2FA) is an added layer of security for users accessing onCourse cloud instances, in particular, but also useful for locally hosted onCourse servers with VPN access enabled. From onCourse 9.7 onwards, you will be encouraged at every login attempt to enable 2FA.
2FA means that there are two 'secrets' a user needs to know to successfully log in to your onCourse application. One secret is the password set for the user account. The second 'secret' is a code that requires a device such as a smart phone with an application such as Google Authenticator installed, with an account linked to the onCourse user account. This service generates a unique code every 30 seconds. To login successfully you will need both the user password and a current token.
When 2FA is enabled, after initial login there is a third field that asks for the 6 digit code provided by your TOTP application. If you try to log in with the wrong Token or Password, then you will get an error message saying 'Authentication failed'.
To enable 2FA, simply click 'Enable' when prompted at the login window.
Have your mobile phone handy while you do this as you will need to install the TOTP software as the first part of the process. Search for 'Google Authenticator' in your phone's app store and install it.
When you first run the Authenticator app and click 'Begin setup' you may also be asked to install a QR code reader if you don't already have one. You do not have to do this, as you can choose to manually add an account by selecting 'Enter provided key', however there is less chance of data entry error if you scan the code.
The account name you create in Google Authenticator can be anything you like, such as "My onCourse login". It does not have to match your onCourse user name.
You will be shown a six-digit code hat will change every 30 seconds. Enter this code into the authentication code field in onCourse and click Login.
If a user has two factor authentication enabled and they wish to disable it, in the Security preferences click on the User's account name, then click 'Disable 2FA'.
A window will appear confirming that you definitely want to disable this feature and explaining how to re-enable it. To confirm, click on the 'Disable' button.
You should follow this process if you have bought a new smart phone and need to set up Google Authenticator again.
An admin user has the power to change a users password or disable a users two factor authentication, for example, if they have forgotten their mobile phone. You can do this by going to File -> Preferences -> Security -> double click on the user you want to change, then click on the button 'Reset Password'.
Once you click on the button 'Reset authentication' and the user has their two factor authentication disabled then the sheet that appears, as shown below, will only allow the admin user to reset their password.
Only the user can enable their own two factor authentication.
An admin user can see a list of all users that have this feature enabled in the Security window by looking at the User accounts listed under 'Users'. Any user with 2FA enabled will have a small icon appear next to their name.
Should you lock yourself out of your onCourse Server because you have lost or forgotten the last admin login, there is a way to recreate or reset the 'admin' user password.
You need to do the following:
Add "admin_password_reset=true" to the onCourse.cfg file on the server.
Restart the onCourse Server
Watch for the following lines in the log file and write down the password (it will be randomly generated every time)
********** Administrator password reset command found in onCourse.cfg
********** Account with name "admin" now has password "hggd74"
********** onCourse Server will now shut down. Remove the line starting "admin_password_reset" before restarting
Remove "admin_password_reset=true" from onCourse.cfg
Start up onCourse Server one more time
Log in with the user "admin" and the password as given above. TOTP will be disabled and this user will be made into an admin level account if they were not already.