Support for online Delegated Authorisers

Education Sector Logon (ESL)

Support for online Delegated Authorisers

This guide is intended to familiarise yourself with the key ESL Online Delegated Authoriser functions and responsibilities. It will show you how to invite staff to your organisation, and also how to maintain ESL user accounts for staff at your organisation.

Situation where no contact/remote
Process for getting an ESL account when in-person is not possible, eg during Covid-19
Process for getting an ESL account when in-person is not possible, eg during Covid-19

Your role as an online Delegated Authoriser

As an ESL Delegated Authoriser, you will use ESL Online to view and maintain the ESL user accounts for your organisation and their access to Education Sector applications.

ESL Online provides a delegated authoriser with the ability to:

  • send invites to your staff so they can access applications on behalf of your organisation
  • maintain user details and access for your staff
  • unlock accounts for your staff that have 'Locked' their account
  • reset ESL passwords for your staff
  • generate a report with access details for your staff.

There are two ways to access ESL Online as a Delegated Authoriser:

  • logon to ESL Self Service and use the Delegated Authoriser option on the black footer
  • logon to ESL Online.

ESL on-line Delegated Authoriser training

To log in to ESL as a Delegated Authoriser, you must first complete the following training:

  • ESL Delegated Authoriser Training Module
  • ESL Security Awareness and Privacy Best Practice Guide

You will be contacted by our Training Services team to book this training. Within 3 working days of completing the module you will be given the Delegated Authoriser Access.
To access and complete this training login to the Education Learning Management System (

Logon via Self Service

To logon via Self Service, refer to How to use ESL: Self Service.

ESL Online Logon


Go to ESL Online for Delegated Authorisers:

ESL Online for Delegated Authorisers

We recommend you save this URL as a favourite on any web browsers you use.


Enter your ESL username and password and select ‘Login’.

You will be taken to the Delegated Authoriser Landing page.

Please Note: You must have the ESL Delegated Authoriser access role on your ESL user account to be able to login successfully.

How to get an Education Sector Login

Delegated Authoriser Landing page

The Delegated Authorisers Landing page should display your name next to the 'Logout' button on the top right of the screen. (If someone else's name is displayed please advise the Education Service Desk straight away.)

Support for ESL

A list of your staff that have an ESL user account is displayed to the right of "Search user". By default, up to 20 users can be shown on the screen at one time. Use ‘Previous’/’Next’ for more users. User details displayed are name, email address, username, and preferred name.

Please note: This section to the right will be empty if your organisation has no ESL users.

This landing page's main function is to search for users within your organisation.

You can search for one or more users by using the various searchable fields. You can choose a user by selecting their name (shown as hyperlinked in blue) to view their account details. See details below about how to search User accounts. 

The left hand menu allows a Delegated Authoriser to carry out to additional user management functions such as invite user, search invites and run a report.

You can also switch between Delegated Authoriser access and Self-Service access. Self Service access allows you to view and manage some of your own ESL user account details. See instructions below about these options.

Please note: if you are a Delegated Authoriser for more than one organisation you must select the organisation you are wanting to administer from the Organisation field on the Search Users screen. 

Evidence of Identity (EOI) requirements

Before you send staff an email invite, you need to confirm that you have sighted their Evidence of Identity documents. You can read more about EOI requirements at:

How to use ESL: Evidence of Identity

Inviting a user

New staff that require ESL user access to Education Sector Applications at your organisation must be invited. This applies even if the Staff Member has an existing ESL account, as the invite allows them to connect their account with your organisation. 

An invitation is not an ESL account.  It is the mechanism for connecting an ESL account to the DA’s organisation.  The person then has the opportunity to either create a new ESL account or connect their existing ESL account.  It is recommended to use an existing account because it is easier for someone to manage and remember one account.  Most ESL applications work using a single account.

Select the ‘Invite user’ option from the left-hand menu and you will see the below screen.

Enter the user's personal details to exactly match their Evidence of Identity documents. Use the preferred name field to add a name someone generally uses if it is different from their given name in the EOI documentation. The fields with a red asterisk are mandatory (shown above with a green star).

E-mail address requirements

ESL does not allow ‘Generic’ e-mail addresses. A generic e-mail is an address which multiple people have access to, such as ‘office@...’ or ‘admin@...’. If the user has supplied an e-mail like this, you need to request another e-mail address that only they can access.

If the e-mail address you enter is already in use in ESL, the user will be prompted to enter a different e-mail address while accepting the invite. The user may already have an ESL account with this address, which they should link to this invite.

Giving access to applications

There are application access roles available for a DA to allocate.  There may also be roles that a user might need that are not showing to a DA.   The reason these roles are unavailable for a DA to give is the access provisioning must be carried out by the technical support teams for the application.  There will be access request forms available for these application roles. 

This screen shows your Organisation Name and a list of available applications. 

list of available applications

Here is where you will select the user’s Standard roles for the organisation that are necessary for them to carry out their responsibilities. 

Clicking on the name of the applications will expand to show the user roles available.  By giving them a role, you are enabling access to that application.

Note:  The Education Sector Applications available to your organisation will vary, depending on your organisation type. 

Select at least one user role when inviting a new user. 

No role selected warning message will appear if you attempt to send an invite without selecting any role(s).

You may proceed with the invite if you are certain that the user doesn’t require any roles (i.e., access to any applications).

Generally, you should select the ‘Cancel’ button to go back to the invite user screen to select the relevant role/s for the staff member before choosing the invite button to proceed.

To send the user their e-mail invitation select ‘Invite’.

An email invitation will be sent to the user to complete the process, the below message will display in the top right corner of your page. 

Note: The invite will expire after 14 days if the user does not complete the invite process. If this happens, you can resend the invite.


Refer to 'Accept invitation' section on How to use ESL: User invitation - create a new account page.

Resend a user invite

If a user’s invite has 'timed out' (invites expire after 14 days) before the user completed the invite process, or the invite was sent to an incorrect email address, then you can resend the invite.


Select the "Search invites' function from the left hand navigation menu.

Search for the user’s invite by entering relevant search information, then select ‘Search’. In the search results the Name field contains a link for each user.  Select the link for the user you want, then the invite details screen for that user will show.

Image removed.

Note: the search invite function has a default setting to find pending and timed out invites (see checkboxes). You may change these to suit your search.

When you have the search results the Name field contains a link for each user, when clicking the link for the user you want it will take you to the invite details screen for that user.


From the invite details screen, click on ‘resend invite’.

Check and – if required – update the email address before you resend the invite. 

Image removed.

You can ‘Cancel invite…’ to delete the invitation.  Use this if details have been entered incorrectly, multiple invites have been sent or for any other reason the invite is no longer needed.

Image removed.

The invite will stay in the system for 30 days.


Search for a user

You can find a user at your organisation by performing a search on the ‘search users’ page.

Note: This is the same page as the Delegated Authoriser landing page (above).

Select the "Search users' function from the left hand navigation menu.
Enter search criteria and then press the ‘Search’ button.  

Search user criteria available are:

  • Username
  • Given name
  • Surname
  • Preferred Name
  • Organisation
  • Application
  • Email address or,
  • Date of Birth
  • Wildcards may be used

You need to enter a search criteria and then press the ‘search’ button.

In the search results, the Name field contains a link for each user. Click on the link for the user and the details screen will be displayed for that user.

Common ways to search for users are via an Exact search or a Wildcard search. Examples of these search types are provided below.

Exact search

The search will return user details that are an exact match on the criteria that you enter.

For example: if your search criteria is Roberts (Surname field), then all users with a last name of Roberts will be returned.

Screenshot of exact search

Wildcard search

Wildcards take the place of one or more characters in a search term. A question mark (?) is used for single character searching. An asterisk (*) is used for multiple character searching. You can perform a wildcard search to return a larger group of users.

For example: if your search criteria is Roberts* (surname field), then all users with a last name that contains Roberts will be returned (i.e. Robertson will be returned as well as Roberts).

Screenshot of wildcard search

Update user details

A user can edit their own contact details (Preferred name, email address or phone number) by using ESL Self Service.

Any changes to a users personal details (Given names, Surname, Date of Birth or Gender) must be done by a DA or the Education Service Desk.

Any changes to identity details requires a new Evidence of Identity check be completed before the user can be updated. Enter the user's personal details to exactly match their Evidence of Identity documents. Use the preferred name field to add a name someone generally uses if it is different from their given name in the EOI documentation.
Following the ‘Search Users’ instructions, find and select the user account for update.

You can select ‘Edit user details’ from either of the places indicated above. This will display the below screen where you can update the user’s details.

Change any information you deem necessary and select ‘Update’.  This message will show in the top right corner of your page. The user will receive an automated email from ESL confirming that their details have been updated, the email will only confirm that there has been an update not the specifics of what has been updated.

User Status

The User Status field on the User Details screen indicates whether a user is Enabled or Disabled:


Disabled users

If a user’s status disabled, they will not be able to log in to any application with their ESL account.

There are two ways a user status could have been set as disabled:

  1. A Service Desk Analyst has disabled the user.
  2. If the user has not logged in for 18 months or more, they will be automatically disabled by the ESL.

Re-enabling a disabled user

Delegated Authorisers cannot currently edit the user status field i.e., they cannot re-enable a user.

To re-enable a disabled account, the Delegated Authoriser should contact the Education Service Desk who will be able to re-enable the account after verifying that the user requires continued access.

Update user access to roles for applications

You can provision and de-provision application roles for your users by using the ‘edit roles and organisations’ function. Do this by finding the user in the ‘Search users’ screen and click on their Name to view their account details.

From the user’s account details screen, select the one of ‘edit roles and organisations’ options below.

Update user access to roles for applications screenshot

From the edit roles and organisations page, make the required adjustments by selecting or de-selecting application roles.



Please Note:

  • The user’s EOI date must be valid for you to add any roles/access to their ESL account. (An invalid EOI is null/blank or a default, 01/01/1900)
  • Some access roles need approval requiring Education Service Desk intervention (including Helios, ENROL and Ngā Kete). All other role changes you make in ESL online are available to your users immediately.
  • The Education Sector Applications available to your organisation will vary, depending on your organisation type.

It is the Delegated Authoriser's responsibility that staff at their organisation only have the access they need to do their job.

Screenshot of edit roles and organisations page

Review users’ access

Review users’ access feature facilitates the review of all users and their roles in your organisation. It enables you to periodically confirm or reject their ongoing access in this screen. As a Delegated Authoriser you will be reminded to review each of your users’ roles after they have been assigned for 18 months, and subsequently again whenever 18 months pass since the last review.

Review Users' Access screenshot

Navigating to review users’ access

There are two ways to navigate to Review users’ access:

  1. By clicking the link under User Management.
  2. If you have roles ready for review, you will see a pop-up message when you log in. The message contains a link to Review users’ access:

Screenshot of roles ready for review pop-up message

The total number of reviews pending will also be displayed on the menu link:

Screenshot of total number of reviews pending

What you need to do

If you are a Delegated Authoriser at more than one organisation, select the organisation you want to review from the drop-down menu.

On the screen, there will be a line representing each user-role relationship. Eg if a user has 5 different roles, you will see 5 entries for them on the screen which require review:

User-role relationship screenshot

Each line on the screen has two decision buttons: ‘Confirm’ and ‘Reject’. By clicking ‘Confirm’ you are verifying that the user still requires that role. If you click ‘Reject’, the role will be removed from that user as it is no longer required.

Once you ‘Confirm’ the role for a user, it will disappear from the list. You will see a confirmation message on top of the screen:

Screenshot of confirmation message

If you reject a role, you will be presented with a message informing you the role will be removed:

Screenshot of confirmation message

You can sort on any of the rows by clicking on the top of the row.

You can search within any of the rows by typing in the search boxes at the bottom of the list.

Staff Member leaving?

If a user is leaving your organisation then you will need to remove your organisation from the user’s ESL account to they cannot access applications on behalf of your organisation.

Please note: this action removes the user’s connection to your organisation, it does not remove their ESL account

Removing your organisation and access from a user

Search for the Users account and select ‘Edit roles and organisations’.

In the bottom right corner select the red option ‘Remove user from organisation’, when the pop-up appears select ‘Confirm’.


Reset user login details

Use ‘Reset login details’ function, if a user has forgotten their username or password, or they are locked out of their ESL user account. Once you have searched and selected a user account this function will appear in the menu on the left, select the ‘Reset login details’ option.

As the Delegated Authoriser, you must confirm the identity of the user requesting any of the following three account recovery actions;

Reset password 

Using this function will email a one-time password to the user. This one-time password will expire after 4 hours.


  • Once you have confirmed the identity of the staff member who requires one of the three account recovery actions please select the radio box confirming that As the delegated authoriser, I confirm the identity of the user requesting the account recovery action.
  • The user needs to login to ESL Self Service and use this one-time password with their username to complete the password reset process. This must be done before the one-time password expires, the email advises the user of the expiry date and time.

Reset password screenshot

Reset password second screen screenshot

Send username 

Using this function will send the username to the user's email address from the user details section. 

Send username screenshot

Unlock account 

This option can only be used to unlock an account that has an account status of Locked. This is useful to use when the user has been locked out of their account (by an incorrect password being used too many times), but they can remember what their password is.

Unlock account first screenshot

Unlock account second screenshot

Unlock account confirmation screenshot


  • When a user has entered their security questions incorrectly, ESL will lock out this feature. The user will need to request a password reset.  If they tell you that they are unsure of the answers to their Security Questions please advise them that once they have reset their password the Self-Service page will display. On this page there will be an option for them to view the questions and change them.
  • Check that a user’s account is unlocked before resetting their password.  They will not be able to update their password if the account is locked.
  • Check that the user is not using an expired reset password login link (this only lasts 4 hours).
  • Allow enough time for e-mail delivery before resending a reset password link.  The user must use the last password reset link sent, as this is the only valid one.

Organisation Reports from ESL

You can use the Reports functionality to get a list of all ESL user accounts at your organisation and their associated applications and access. Select the ‘Create’ link under Reporting in the left-hand side menu, the below will be displayed.

School reports from ESL screenshot

A report can be created to:

  • generate a list of all of your ESL users and their access for all Education Sector applications (you can do this by leaving the application field blank) 
  • generate a list of your ESL users for a specific Education Sector application (you can do this by selecting an application from the application field)

School reports from ESL second screenshot

Once you ‘Create report’ it may take a few moments, or even up to a few minutes to generate the report. The below message will be displayed in the top right corner when you generate the report.

School reports from ESL third screenshot

Once the report is generated the page will refresh and the status will show as COMPLETED you can download the report by selecting the hyperlinked Report name, see below.

A open or save message will show at the foot of the screen.

School reports from ESL fourth screenshot

The report will be generated as a Microsoft Excel download in CSV format.

School reports from ESL fifth screenshot


Once you have finished using ESL Online always use the logout link in the top right corner to terminate your session. This is a security requirement as an ESL user.

Logout screenshot