The vendor is required to provide a centralized rostering and user access management solution: a middleware and aggregator platform that serves as a central data hub, securely connecting the district's authoritative student information system (SIS) data to all downstream educational technology (EdTech) applications.
- Outcomes include enhanced data security through automated provisioning and deprovisioning, significant operational cost and time savings by eliminating manual tasks, and the ability to maintain a verifiable compliance posture.
- The digital ecosystem and learning space:
• The district developed a digital ecosystem designed to facilitate teaching and learning, enhance communication, and strengthen the link between school and home.
• This system was envisioned to encompass various functions, including digital content, learning, assessment, and professional development resources.
• To ensure that the different parts of the ecosystem would work together seamlessly, the district joined the 1EdTech Consortium (formerly IMS Global Learning Consortium).
• This partnership led to the district adopting open interoperability standards such as Learning Tools Interoperability (LTI) to create a "plug-and-play architecture" and the OneRoster standard to manage class roster data.
• A key component of this digital strategy is the learning space student portal.
• This portal serves as a central hub for students to access digital tools, including Google Classroom, digital textbooks, and the city online research library.
• The learning space is part of an integrated enterprise solution that supports student engagement and learning.
- Core functional requirements
a. User lifecycle management (joiner-mover-leaver model)
1. Provisioning (joiner):
• The system must automatically create user accounts in all connected applications when a new user record (student, teacher, or staff) appears in the authoritative SIS data.
• Accounts must be provisioned with the appropriate attributes, entitlements, and group memberships based on the user's role, school, and grade level.
• This automation is critical to ensure that new students and hires have secure, personalized access on their first day.
2. Updates (mover):
• The platform must automatically detect and propagate changes from the SIS data to all downstream applications.
• This includes, but is not limited to, changes in a user's name, email, or other attributes.
• The system must also manage changes related to organizational and academic shifts, such as a teacher moving to a new school or the annual student matriculation to a new grade level.
• All user access must be adjusted in real time or on a defined schedule to ensure alignment with their current roles and responsibilities.
3. Deprovisioning (leaver):
• The solution must automatically disable or suspend user accounts when a user leaves the district or is no longer active in the authoritative SIS data.
• This is a crucial security function, as it prevents "dormant accounts" from becoming a gateway for data breaches or other cybersecurity threats.
• The system should allow for configurable deactivation policies, such as immediate deprovisioning for staff and a grace period for student accounts.
b. Rostering and data aggregation
1. Authoritative source integration:
• The middleware must connect to the district's student information system (SIS) or its centralized equivalent such as an operational data store (ODS), which is designated as the single, authoritative source of truth for all identity and rostering information.
2. Data aggregation and schema mapping:
• Users: students, teachers, and staff, with fields for unique id, name, email, human-readable id numbers, and contact information.
• Orgs: the organizational hierarchy of the district, including district, school, and grade levels.
• Courses and classes: academic courses and the specific classes associated with them.
• Enrollments: the records that link specific users to a class with a defined role (e.g., student or teacher).
3. Data distribution and provisioning:
• The platform must securely provision this aggregated and standardized data to all downstream EdTech applications.
• The system must support both automated, scheduled synchronization and manual, on-demand syncs to handle urgent changes.
• It should also provide granular control over which specific data elements are shared with each application to meet privacy requirements.
4. Support for multiple data exchange methods:
• The solution must be capable of consuming and producing rostering data both through a RESTful API (using JSON) and as OneRoster-formatted CSV files within a zip archive.
c. Role-based access control (RBAC) and entitlement management
• The system must define and manage roles for students, teachers, administrators, and staff, automatically assigning entitlements based on these roles.
• The solution must understand and support a multi-level organizational structure (e.g., a teacher is a user, has a role, teaches at a specific school, for a specific course or class) to correctly manage access permissions.
• The platform must support fine-grained access profiles to enforce the principle of least privilege, ensuring that users only receive the specific access required for their job function.
- Questions/Inquiries Deadline: November 7, 2025