Support for online Delegated Authorisers
This guide is intended to familiarise you with the key ESL Online Delegated Authoriser functions and responsibilities. It will show you how to invite staff to your organisation, and also how to maintain ESL user accounts for staff at your organisation.
Your role as an online Delegated Authoriser
As an ESL Delegated Authoriser, you will use ESL Online to view and maintain the ESL user accounts for your organisation and their access to Education Sector applications.
ESL Online provides a delegated authoriser with the ability to:
- send invites to your staff so they can access applications on behalf of your organisation
- maintain user details and access for your staff
- unlock accounts for your staff that have 'Locked' their account
- reset ESL passwords for your staff
- generate a report with access details for your staff.
There are two ways to access ESL Online as a Delegated Authoriser:
- Log on via Self Service and use the Delegated Authoriser option on the black footer.
  To log on via Self Service, refer to How to use ESL: Self Service.
- Log on via ESL Online for Delegated Authorisers:
  a. Go to ESL Online for Delegated Authorisers. We recommend you save this URL as a favourite on any web browsers you use.
  b. Enter your ESL username and password and select ‘Login’. You will be taken to the Delegated Authoriser Landing page.
Please note: You must have the ESL Delegated Authoriser access role on your ESL user account to be able to log in successfully.
How to get an Education Sector Login
The Delegated Authorisers Landing page should display your name next to the 'Logout' button on the top right of the screen. (If someone else's name is displayed please advise the Education Service Desk straight away.)
A list of your staff that have an ESL user account is displayed to the right of "Search user". By default, up to 20 users can be shown on the screen at one time. Use ‘Previous’/‘Next’ for more users. User details displayed are name, email address, username, and preferred name.
Please note: This section to the right will be empty if your organisation has no ESL users.
This landing page's main function is to search for users within your organisation.
You can search for one or more users by using the various searchable fields. You can choose a user by selecting their name (shown as hyperlinked in blue) to view their account details. See details below about how to search User accounts.
The left-hand menu allows a Delegated Authoriser to carry out additional user management functions such as invite user, search invites and run a report.
You can also switch between Delegated Authoriser access and Self-Service access. Self Service access allows you to view and manage some of your own ESL user account details. See instructions below about these options.
Please note: if you are a Delegated Authoriser for more than one organisation, you must select the organisation you want to administer from the Organisation field on the Search Users screen.
You can find a user at your organisation by performing a search on the ‘search users’ page.
Note: This is the same page as the Delegated Authoriser landing page (above).
Select the ‘Search users’ function from the left-hand navigation menu.
Enter search criteria and then press the ‘Search’ button.
Search user criteria available are:
- Given name
- Preferred Name
- Email address, or
- Date of Birth
Wildcards may be used.
You need to enter a search criterion and then press the ‘Search’ button.
In the search results, the Name field contains a link for each user. Click on the link for the user and the details screen will be displayed for that user.
Common ways to search for users are via an Exact search or a Wildcard search. Examples of these search types are provided below.
The search will return user details that are an exact match on the criteria that you enter.
For example: if your search criteria is Roberts (Surname field), then all users with a last name of Roberts will be returned.
Wildcards take the place of one or more characters in a search term. A question mark (?) is used for single character searching. An asterisk (*) is used for multiple character searching. You can perform a wildcard search to return a larger group of users.
For example: if your search criteria is Roberts* (surname field), then all users with a last name that contains Roberts will be returned (i.e. Robertson will be returned as well as Roberts).
New staff that require ESL user access to Education Sector Applications at your organisation must be invited. This applies even if the Staff Member has an existing ESL account, as the invite allows them to connect their account with your organisation.
An invitation is not an ESL account. It is the mechanism for connecting an ESL account to the DA’s organisation. The person then has the opportunity to either create a new ESL account or connect their existing ESL account. It is recommended to use an existing account because it is easier for someone to manage and remember one account. Most ESL applications work using a single account.
Select the ‘Invite user’ option from the left-hand menu and you will see the below screen.
Enter the user's personal details to exactly match their Evidence of Identity documents. Use the preferred name field to add a name someone generally uses if it is different from their given name in the EOI documentation. The fields with a red asterisk are mandatory (shown above with a green star).
E-mail address requirements
ESL does not allow ‘Generic’ e-mail addresses. A generic e-mail is an address which multiple people have access to, such as ‘office@...’ or ‘admin@...’. If the user has supplied an e-mail like this, you need to request another e-mail address that only they can access.
If the e-mail address you enter is already in use in ESL, the user will be prompted to enter a different e-mail address while accepting the invite. The user may already have an ESL account with this address, which they should link to this invite.
There are application access roles available for a DA to allocate. There may also be roles that a user might need that are not showing to a DA. These roles are unavailable for a DA to give because the access provisioning must be carried out by the technical support teams for the application. There will be access request forms available for these application roles.
This screen shows your Organisation Name and a list of available applications.
Here is where you will select the user’s Standard roles for the organisation that are necessary for them to carry out their responsibilities.
Clicking on the name of an application will expand it to show the user roles available. By giving the user a role, you are enabling access to that application.
Note: The Education Sector Applications available to your organisation will vary, depending on your organisation type. Select at least one user role when inviting a new user.
A ‘No role selected’ warning message will appear if you attempt to send an invite without selecting any role(s).
You may proceed with the invite if you are certain that the user doesn’t require any roles (i.e., access to any applications).
Generally, you should select the ‘Cancel’ button to go back to the invite user screen to select the relevant role/s for the staff member before choosing the invite button to proceed.
To send the user their e-mail invitation, select ‘Invite’.
An email invitation will be sent to the user to complete the process, and the below message will display in the top right corner of your page.
Note: The invite will expire after 14 days if the user does not complete the invite process. If this happens, you can resend the invite.
Refer to the 'Accept invitation' section on the How to use ESL: User invitation - create a new account page.
Before you send staff an email invite, you need to confirm that you have sighted their Evidence of Identity documents. You can read more about EOI requirements at:
If you cannot see the ESL user’s EOI (Evidence of Identity) documents in person, then the process is as follows, depending on who you are:
|For the person requiring the ESL||
|For the Delegated Authoriser||
On receipt of the four photos:
Please note that:
|For a new Delegated Authoriser||
|For an MOE Internal staff member||
|For an Education Sector Organisation||
Some application roles are set to Education Service Desk provisioned only, and their checkbox is disabled. For Education Service Desk to add this role to the user, please download and complete an appropriate form (details below). You can find the forms here: How to get an Education Sector Logon | Applications & Online Systems, or use the link in ESL (see example below).
Education Service Desk Provisioned only - ESL forms
|User cohort||Application||ESL Form|
|Early Childhood Users||Early Learning information (ELI)||ESL 21 Form|
|Early Childhood Users||Secure Data Portal||ESL 39 Form|
|School Users||Attendance Service Application (ASA)||Contact Education Service Desk|
|Tertiary Users||Attendance Service Application (ASA)||Contact Education Service Desk|
|Tertiary Users||NZQA Extranet||ESL 120 Form|
You can provision and de-provision application roles for your users by using the ‘edit roles and organisations’ function. Do this by finding the user in the ‘Search users’ screen and clicking on their Name to view their account details.
From the user’s account details screen, select one of the ‘edit roles and organisations’ options below.
From the edit roles and organisations page, make the required adjustments by selecting or de-selecting application roles.
- The user’s EOI date must be valid for you to add any roles/access to their ESL account. (An invalid EOI is null/blank or a default, 01/01/1900.)
- Some access roles need approval and require Education Service Desk intervention (including Helios, ENROL and Ngā Kete). All other role changes you make in ESL Online are available to your users immediately.
- The Education Sector Applications available to your organisation will vary, depending on your organisation type.
It is the Delegated Authoriser's responsibility to ensure that staff at their organisation only have the access they need to do their job.
Use the ‘Reset login details’ function if a user has forgotten their username or password, or they are locked out of their ESL user account. Once you have searched for and selected a user account, this function will appear in the menu on the left; select the ‘Reset login details’ option.
As the Delegated Authoriser, you must confirm the identity of the user requesting any of the following three account recovery actions:
Using this function will email a one-time password to the user. This one-time password will expire after 4 hours.
- Once you have confirmed the identity of the staff member who requires one of the three account recovery actions, please select the radio box confirming that ‘As the delegated authoriser, I confirm the identity of the user requesting the account recovery action’.
- The user needs to log in to ESL Self Service and use this one-time password with their username to complete the password reset process. This must be done before the one-time password expires; the email advises the user of the expiry date and time.
Using this function will send the username to the user's email address from the user details section.
This option can only be used to unlock an account that has an account status of Locked. This is useful when the user has been locked out of their account (by an incorrect password being used too many times), but they can remember what their password is.
- When a user has entered their security questions incorrectly, ESL will lock out this feature. The user will need to request a password reset. If they tell you that they are unsure of the answers to their Security Questions, please advise them that, once they have reset their password, the Self-Service page will display. On this page there will be an option for them to view the questions and change them.
- Check that a user’s account is unlocked before resetting their password. They will not be able to update their password if the account is locked.
- Check that the user is not using an expired reset password login link (this only lasts 4 hours).
- Allow enough time for e-mail delivery before resending a reset password link. The user must use the last password reset link sent, as this is the only valid one.
If a user’s invite has 'timed out' (invites expire after 14 days) before the user completed the invite process, or the invite was sent to an incorrect email address, then you can resend the invite.
- Select the ‘Search invites’ function from the left-hand navigation menu.
Search for the user’s invite by entering relevant search information, then select ‘Search’. In the search results the Name field contains a link for each user. Select the link for the user you want, then the invite details screen for that user will show.
Note: the search invite function has a default setting to find pending and timed out invites (see checkboxes). You may change these to suit your search.
In the search results, the Name field contains a link for each user; clicking the link for the user you want takes you to the invite details screen for that user.
- From the invite details screen, click on ‘resend invite’.
Check and – if required – update the email address before you resend the invite.
You can ‘Cancel invite…’ to delete the invitation. Use this if details have been entered incorrectly, multiple invites have been sent, or the invite is no longer needed for any other reason.
The invite will stay in the system for 30 days.
A user can edit their own contact details (Preferred name, email address or phone number) by using ESL Self Service.
Any changes to a user’s personal details (Given names, Surname, Date of Birth or Gender) must be done by a DA or the Education Service Desk.
Any changes to identity details require a new Evidence of Identity check to be completed before the user can be updated. Enter the user's personal details to exactly match their Evidence of Identity documents. Use the preferred name field to add a name someone generally uses if it is different from their given name in the EOI documentation.
Following the ‘Search Users’ instructions, find and select the user account for update.
You can select ‘Edit user details’ from either of the places indicated above. This will display the below screen where you can update the user’s details.
Change any information you deem necessary and select ‘Update’. This message will show in the top right corner of your page. The user will receive an automated email from ESL confirming that their details have been updated; the email will only confirm that there has been an update, not the specifics of what has been updated.
To log in to ESL as a Delegated Authoriser, you must first complete the following training:
- ESL Delegated Authoriser Training Module
- ESL Security Awareness and Privacy Best Practice Guide
You will be contacted by our Training Services team to book this training. Within 3 working days of completing the module you will be given the Delegated Authoriser Access.
To access and complete this training, log in to the Education Learning Management System - training.education.govt.nz
A ‘Delegated Authoriser functionality is pending’ status means your application has been processed; however, you may not have completed the two training modules in our Learning Management System - https://training.education.govt.nz/.
There are two training modules:
- ESL Delegated Authoriser training and
- ESL Security Awareness and Privacy Best Practice Guide.
Once you have completed both training modules it can take up to 3 working days before you will be given Online Delegated Authoriser access. If after this time, you have not received an email stating you are now an Online Delegated Authoriser, please contact Education Service Desk on 0800 422 599 (NZ) or email Service.Desk@education.govt.nz
The User Status field on the User Details screen indicates whether a user is Enabled or Disabled:
If a user’s status is disabled, they will not be able to log in to any application with their ESL account.
There are two ways a user status could have been set as disabled:
- A Service Desk Analyst has disabled the user.
- If the user has not logged in for 18 months or more, they will be automatically disabled by ESL.
Re-enabling a disabled user
Delegated Authorisers cannot currently edit the user status field, i.e. they cannot re-enable a user.
To re-enable a disabled account, the Delegated Authoriser should contact the Education Service Desk, who will be able to re-enable the account after verifying that the user requires continued access.
The ‘Review users’ access’ feature facilitates the review of all users and their roles in your organisation. It enables you to periodically confirm or reject their ongoing access in this screen. As a Delegated Authoriser you will be reminded to review each of your users’ roles after they have been assigned for 18 months, and subsequently again whenever 18 months pass since the last review.
Navigating to review users’ access
There are two ways to navigate to Review users’ access:
- By clicking the link under User Management.
- If you have roles ready for review, you will see a pop-up message when you log in. The message contains a link to Review users’ access:
The total number of reviews pending will also be displayed on the menu link:
What you need to do
If you are a Delegated Authoriser at more than one organisation, select the organisation you want to review from the drop-down menu.
On the screen, there will be a line representing each user-role relationship. E.g. if a user has 5 different roles, you will see 5 entries for them on the screen which require review:
Each line on the screen has two decision buttons: ‘Confirm’ and ‘Reject’. By clicking ‘Confirm’ you are verifying that the user still requires that role. If you click ‘Reject’, the role will be removed from that user as it is no longer required.
Once you ‘Confirm’ the role for a user, it will disappear from the list. You will see a confirmation message on top of the screen:
If you reject a role, you will be presented with a message informing you the role will be removed:
You can sort on any of the rows by clicking on the top of the row.
You can search within any of the rows by typing in the search boxes at the bottom of the list.
If a user is leaving your organisation, then you will need to remove your organisation from the user’s ESL account so they cannot access applications on behalf of your organisation.
Please note: this action removes the user’s connection to your organisation; it does not remove their ESL account.
Removing your organisation and access from a user
Search for the user’s account and select ‘Edit roles and organisations’.
In the bottom right corner, select the red option ‘Remove user from organisation’; when the pop-up appears, select ‘Confirm’.
You can use the Reports functionality to get a list of all ESL user accounts at your organisation and their associated applications and access. Select the ‘Create’ link under Reporting in the left-hand side menu and the below will be displayed.
A report can be created to:
- generate a list of all of your ESL users and their access for all Education Sector applications (you can do this by leaving the application field blank)
- generate a list of your ESL users for a specific Education Sector application (you can do this by selecting an application from the application field)
Once you ‘Create report’, it may take a few moments, or even up to a few minutes, to generate the report. The below message will be displayed in the top right corner when you generate the report.
Once the report is generated, the page will refresh and the status will show as COMPLETED. You can download the report by selecting the hyperlinked Report name (see below).
An open or save message will show at the foot of the screen.
The report will be generated as a Microsoft Excel download in CSV format.
Once you have finished using ESL Online, always use the logout link in the top right corner to terminate your session. This is a security requirement as an ESL user.