NCID Frequently Asked Questions

Login to NCID

These FAQs cover various NCID topics. The questions and answers were compiled from previously conducted webinars and training sessions. Click on the links from the list below to move to the topic  you are interested in, or you can scroll through the list.

Please note that the NCID Training and Documentation page provides the most current NCID product documentation and should be consulted for detailed information. These FAQs are intended to help clarify frequent areas of confusion.

General NCID Questions
Self-Registration
General DA Questions
Searching for an Account
Creating Employee Accounts
Resetting Passwords
Unlocking Accounts
Deactivating/Archiving/Reactivating Accounts
Promoting/Demoting DA
Transferring Accounts
Passwords
Challenge Questions
Application Access
Password Synchronization
Reporting
Miscellaneous

General NCID Questions


1. What is NCID?

The North Carolina Identity Management Service (NCID) is the standard identity and access management platform provided by the Department of Information Technology. NCID is a web-based application that provides a secure environment for state agency, local government, business and individual users to log in and gain access to real-time resources, such as customer-based applications and information retrieval.

2. What are the benefits of using NCID?

NCID provides identity management and access control to North Carolina state-owned resources. With an NCID account, users have access to many resources with one account. NCID customers can leverage the service to:

  • Verify the identity of users
  • Manage user accounts
  • Assign appropriate access to online resources
  • Delegate authority or distribute administrative tasks
  • Automate certain key functions

For detailed information regarding NCID features and functionality, please refer to NCID Training and Documentation to access product documentation and training videos.

3. When should NCID be used?

If the application uses NCID for access control, the user will need an NCID account to use that application.

4. How do I get my NCID?

You can enter the NCID site address https://ncid.nc.gov and select “Register!” in the lower right-hand corner.  You can follow the instructions for the type of account you want. 

5. What if my NCID password needs to be reset, how do I do that?

NCID password resets may be requested by going to https://ncid.nc.gov and clicking the "forgot your Password/unlock Account?" link.

6. What is the password policy in NCID?

All registered users of the NCID system must adhere to the policy of using strong passwords. Strong passwords must contain a minimum of 8 characters and no more than 35 characters. A user cannot reuse a password that he or she had previously used in the NCID system. Once a password has been entered in the system, it is kept in a history file and cannot be reused. State and local government employee accounts must change their passwords at least every 90 days.

Additional password rules:

  • Password is case sensitive.
  • Must be at least 8 characters long.
  • Must not include part of your name or username.
  • Must be used for at least three (3) days before a user can reset their own password.
  • Must have at least 4 types of the following characters:
    • Uppercase (A-Z)
    • Lowercase (a-z)
    • Number (0-9)
    • Symbol (!, #, $, etc.)
    • Other language characters not listed above
  • New password may not have been used previously

7. I have a new employee. How do they get their NCID?

Delegated Administrators (DAs) are responsible for creating new user accounts for any state and local government employee who is a member of the organization, division(s) and/or section(s) that the DAs manage. Upon creating the account, the DA will notify the employee that the account was created and provide the employee with a temporary password. The user must log in within fourteen (14) days of the account being created to change the temporary password and set up their challenge questions. For more information on creating employee accounts, please refer to the NCID Administration Guide.

8. What should I do if I am not sure whether I have an NCID problem or a problem with my application?

You can determine whether your NCID account is functioning by attempting to log in to the NCID website: https://ncid.nc.gov. If you are able to log in successfully and receive a "Welcome to NCID System" page, your NCID account is functioning properly. After that, if you are unable to access a certain application with your NCID account, please contact the DIT Service Desk at 919-754-6000 or 1-800-722-3946 and tell them you are having problems accessing the application. Be sure to tell them you were able to log in successfully to the NCID website with your NCID account.

Back to top

Self-Registration

 


9. What is the session timeout period when self-registering for a user account?

Business and individual users are allotted 15 minutes to self-register for an account.

10. Upon registering for a new account, why do some users not receive the activation email to complete the registration process?

The user's email account is most likely treating the message from NCID as spam. To ensure that NCID messages will always be delivered to the user's Inbox, please ask the user to verify that their email client and email provider are set up to accept messages from ncid.notifications@nc.gov prior to completing self-registration.

If the user does not receive the email in their Inbox within a few minutes after registering for the new account, please ask the user to verify that the message was not marked as spam and sent to the Junk Email folder. If this happens, instruct the user to move the message to their Inbox so they can validate the new account.

11. What is the length of time an individual account will remain in the system, and who can create this type of account? Who can delete?

Anyone can create a non-employee account (i.e., Business or Individual). Non-employee accounts will not be vetted or approved, and will not be managed by an administrator. These accounts will be automatically archived after 18 months of inactivity. Individuals can archive their own account.

Back to top

General DA Questions


12. Can there be more than 2 DAs per facility?

Yes, and we recommend that at least two DAs exist for each facility.

13. How are DA areas of administrative authority identified?

A DA's area of administrative authority is identified by the system, their agency, personnel status, organizational unit, etc. NCID uses a 3-tiered administrative model: Organization, Division and Section. An Organization DA is the highest-level administrator and has authority over all divisions and sections within the organization. A Division DA is the second highest-level administrator and has authority to manage the division and any section(s) within the division. The Section DA is the third-level administrator and has authority to manage the section.

14. When should an agency apply for DA designation?

An agency should apply for a DA as soon as one is needed.

15. In a government agency, who usually assumes the role of DA?

This is a business decision of the agency. The role could be delegated to Human Resources, Security or Network Administrators, for example.

16. If a DA transfers or separates, is the backup DA the only one who can delegate a existing DA?

Yes. In this case, the remaining DA might want to consider promoting another user account to DA so the agency always has a backup DA.

17. Is this agency specific?

No, this is a business process. Every agency should have more than one DA.

18. Will DAs create temporary employee accounts or will they go to the register link?

All employee accounts will be created by DAs.

19. Will only DAs be allowed to assign roles?

No, application owners (role managers) will assign roles.

20. Other than making other DAs, can we give someone ability to just unlock accounts, change passwords, etc. (like Tier 1 support)?

Yes, there is a role for Service Desk accounts. This role permits the user to unlock accounts and reset passwords for any users within their organization. Note that DA accounts must be reset or unlocked by another DA.

21. What is the correct way to change a user's name?

Click on the "Update Employee Account" link on the "Identity Self-Service" tab, and search for the user account you wish to update. The user's profile will be displayed and you can update the information in the First Name, Middle Initial and/or Last Name field(s).

22. How can an administrator review employee information without performing an action on the account?

The administrator should click on the "Update Employee Account" link on the "Identity Self-Service" tab, and search for the user account that you wish to view.

23. Is there any kind of automated warning that alerts an administrator that an employee is no longer working?

No, the system does not issue any warnings.

24. Can administrators manage contract/temporary accounts?

Yes, these account types can be managed if they are under the administrator's control.

25. A list of NCID Administrators per group would be useful. Would this be available under a Help Menu?

Please refer to the NCID home page, and use the NCID Administrator links to view administrators by County or State Agency or LEA.

26. Can the DA create and link service accounts to email addresses?

No, if this is in reference to NCID service (application) accounts.

Back to top

Searching for an Account


27. When searching for a user, can you search by first or last name instead of User ID?

Yes, you may search by first and/or last name. The search feature provides five (5) user attribute fields to help you retrieve an account: Last Name, First Name, User ID, Email and BEACON Number. Additionally, if you are an administrator of more than 5 divisions or sections, two additional search fields will be available: Divisions and Sections.

28. Can DAs use wildcards on a name search?

Wildcards are not necessary when searching for a user in NCID. The search utility provides a comparison operation feature, which lets you specify a value to perform against your chosen search field(s). Each search field has a dropdown menu to let you select one of the following values: Equals, Contains, Ends With or Starts With. To perform a 'wildcard-like' search, you can select "Contains," "Ends With" or "Starts With" from the dropdown menu and enter your search criteria in the search field. For example, if you wanted to search for all users whose last name begins with 'Smit', you can enter 'smit' in the "Last Name" field and select "Starts With" from the dropdown menu. The search results would then list all users whose last name begins with 'smit'.

Back to top

Creating Employee Accounts


29. Will DAs receive notification if an employee does not log in within 14 days of the account being created?

The DA will not receive notification if the user fails to log in.

30. After an employee account is created, does the DA need to approve it on the Work Dashboard?

No, new accounts are automatically approved when the account is created.

31. Will NCID use BEACON for provisioning new state employee accounts?

No, at this time NCID will not use BEACON for provisioning new state employee accounts.

32. Will there be an official 'New User' form/template that we can use to aid in creating a user's account?

No, this type of form/template does not exist.

33. What are the required fields for creating a user?

Required fields are marked by an asterisk (*) on the screen. Required fields include: First name, last name, business email, business telephone, employee type (for state government employees only), organization, division, section (where appropriate), password and confirm password. Note that date of birth is no longer required.

34. Is the BEACON number automatically assigned when creating an account?

No, it is generated when the employee is entered into BEACON by Human Resources.

35. If the DA assigns a User ID that matches an existing User ID, will a flow be set to avoid duplication?

Yes, the system will append a number to the User ID. The numbers will increment by 1 for each subsequent User ID (e.g.: jsmith, jsmith1, jsmith2, jsmith3).

36. What is the expiration rule for new accounts?

There is a three-day expiration rule for business and individual account types. During the registration process, these users are informed of this rule. Government employee accounts do not have a 3-day rule; however, the system will remove these accounts if they have not been claimed (set up) within 14 days of being created.

37. Can two NCID accounts point to the same email address?

The Exchange team controls this. When entering an email address, NCID displays a message if an existing account(s) is using the same email address, but you will be able to continue to create the account.

38. Can you create an association between the organization and the user other than employee relationship – for example, associate a physician with a state hospital?

No, currently this is a request for enhancement and will be reexamined at a later date.

39. We are considered local government employees. Should we consider our new users as local or state employees?

If you are a local government employee and are designated as an administrator for your group, then any new employee will have a local government account.

40. Are agencies billed for NCID accounts? If so, how much and when would billing stop – when the account is deactivated or when it is archived?

State agencies are billed for every active NCID account. Billing stops when an account is disabled. The DIT billing group requests a list of current active NCID state agency accounts early in the calendar year and uses that number for the next 12 months to bill for NCID accounts.

Back to top

Resetting Passwords


41. Does a user receive notification if a DA or a Service Desk agent takes action on their account (e.g., reset password)?

Yes, a user receives notification whenever his/her account is managed or password is reset.

42. When resetting a user password, will NCID generate the temporary password as it is now?

No, the DA will create a temporary password that complies with the password requirements. The DA will convey the password to the user, and the user will be forced to change it upon logging in.

Back to top

Unlocking Accounts


43. Will administrators be responsible for unlocking accounts?

Yes, administrators have the ability to unlock accounts for users within their agency/division. Uses that have completed the setup process can also use there security questions/answers to unlock their account. The user's Service Desk may also unlock the account.

44. In the 30 minutes that a user waits for the account lockout period to expire, can his or her administrator unlock the account?

Yes, the user's administrator has the ability to unlock it.

45. If a staff member gets locked out of NCIR (North Carolina Immunization Registry application), can they still get into HIS?

No. Any application that locks an account in NCID locks it in all connected applications. To release the 30 minute lockout, they will need to authenticate to NCID. In addition, DHHS’s HIS site is no longer active. It was replaced by a Microsoft SharePoint sign-in web service as of July 1, 2016.

46. What happens if an administrator gets locked out?

The administrator can wait 30 minutes from the time it was locked and try to log in to NCID again, the asministrator can use their security questions.answers, or ask another administrator (at the same level or higher) or the DIT Service Desk to unlock the account.

47. Will an employee be notified that their locked account will be unlocked within an 30 minutes or will they be prompted to contact their administrator?

Yes, upon locking the account NCID will alert the user to wait for 30 minutes, or to contact their administrator or Service Desk if he/she needs immediate assistance.

Back to top

Deactivating/Archiving/Reactivating Accounts


48. Is archiving a one-click process like now, or will it have multiple-click verification like deactivation/reactivation does now?

An account has to be deactivated before it can be archived. Deactivation is a one-click process, after searching for the user.

49. What is the process to archive an account to release the employee number?

You will first need to deactivate the account, and then archive it. Once archived, all account information is removed from NCID. BEACON is the authority for the employee number, which is unique to each person, so in the case of an employee who leaves and has their NCID account archived, if they return later, they would follow the same "linking" process in BEACON as they did previously to get their employee number associated with their new NCID account.

50. When an account is deactivated, will it automatically be archived?

Employee accounts must be manually archived after deactivation. Non-employee accounts are deactivated and archived automaticly by the system after 18 months of inactivity.

51. Can a DA deactivate and archive an individual account? Currently it takes a 18 months for it to release.

No. Individual and Business accounts are not managed by DAs. The account holder is the only one who can archive their account.

52. How long will a user account stay in the deactivated state?

It will stay deactivated until the DA takes action on it (reactivates or archives it).

53. Is there a way to reactivate multiple accounts at one time?

No.

54. When should an account be archived?

User accounts should be archived when you are sure that the user has left state employment. Once the account is archived, it cannot be reinstated. If the person rejoins state employment, a new NCID user account must be created for him or her. Please note that the user's previous User ID may no longer be available, so a new one might need to be used. Additionally, the user will need to be given access to their applications again.

55. Can we reactivate an account that has been archived (e.g., if a person returns to state employment)?

No, once the account is archived, it cannot be reinstated. If the person rejoins state employment, a new NCID user account must be created for him or her. Note that the user's previous User ID may no longer be available, so a new one might need to be used. Additionally, the user will need to be given access to their applications again.

Back to top

Promoting/Demoting DA


56. When promoting a user to DA, will deactivated accounts be displayed in the Search Results window?

No, deactivated accounts cannot be promoted to DA. The Search Results window will only display active accounts.

Transferring Accounts


57. Please explain how employee transfers between state agencies work in NCID.

Transferring a state user account to a different agency is a multi-step process performed by the user's current administrator and the administrator of the receiving agency. The current administrator initiates the transfer request, and the receiving administrator can then either approve or deny the request. If it is approved, the transferred account maintains the user's name, user ID, password and BEACON number; however, the address and email fields are cleared and the user's previous permissions and roles are removed. The new administrator or employee will need to enter the new email and business addresses, and must request access to the appropriate NCID resources. If a transfer request is denied, the user account remains in the current agency, and the agency's administrator will be notified of the rejection. To learn more about the transfer functionality, please refer to the NCID Administration Guide or the Transferring State Employee Accounts training video on the NCID Training and Documentation web page.

58. Can a deactivated user be transferred?

Yes, a deactivated user can be transferred. The account remains deactivated until the receiving (new) administrator reactivates the transferred account.

59. When staff is transferred between agencies, is the data stripped from the account?

Yes, the name, user ID, password and BEACON number stay, but all rights, roles, address, and email information are removed.

60. When a user transfers, what happens if the receiving agency does not approve the transfer within 7 days?

One of the following three things can happen: (1) the receiving agency can approve the request, (2) the receiving agency can reject the request and the user account stays in the current agency, or (3) after 7 days, the workflow expires and the account stays with the current agency. The account will remain in the same state it was before the transfer. Account expiration can also be set for a future date.

61. When transferring a user, will the receiving DA be notified by email?

Yes. All DAs associated with the Division/Section will receive an email. The receiving DA can also look at the work dashboard for pending requests.

62. How will the DA know to transfer an employee account?

This is a business process, not a technical process. It is assumed that someone in the agency will notify the DA (same notification process as when an account needs to be deactivated or archived).

63. What happens to the linked email account on an intra-agency transfer?

Nothing happens to the linked email account, because the move is within the same agency. An intra-agency transfer is not really considered a transfer – it’s considered a "move.” Only an agency-to-agency "transfer" breaks the email link.

64. Does the Agency-to-Agency transfer avoid the Deactivate/Archive process from the former agency?

Yes. It simplifies the process.

65. When an agency's users migrate, do the administrators need to change passwords for the user accounts and create accounts for every user?

Administrators will not need to update account passwords. Existing accounts will be migrated along with the user's password. Once an agency has migrated, any new employee account will need to be created by the administrator.

66. Can local government agencies, such as LEAs, transfer accounts from LEA to LEA?

No, the "Agency-to-Agency Transfer" feature is available to state agencies only.

67. We can transfer NCID accounts from agency to agency, but does this affect the agency's email address for that employee?

The answer depends on which email system(s) the source and destination agencies use. Any accounts transferring between agencies that both use Exchange will have to select what they want to happen to the account, and then Exchange will generate a new account for the new agency.

Back to top

Passwords


68. What is the expiration date on passwords?

The password expiration policy is 90 days for state and local government employees.

69. When a password is reset by a DA or the Service Desk, how many days does a user have to change the temporary password before it expires?

A user can change the temporary password from the time it was created up to 90 days. If a user does not log in, the account will deactivate after 90 days of non-use.

70. Will users be permitted to log in to other applications (e.g., BEACON, Exchange) using a temporary password?

No, the temporary password is a "one time use password"; therefore, users must first log in to NCID and reset their password before proceeding to other applications.

71. Will users be able to see the number of days remaining before they need to change their password, or will they be able to see the date the password needs to be changed?

A user can see their password expiration date on their profile. The user's DA will be able to see when the password was last changed and when it's due to expire on the "Update Employee Account" screen.

72. Although temporary passwords should follow password policies, does anything prevent DAs from using the same temporary password for every account?

No, the system allows the administrator to reuse the password each time he/she performs a password reset. From a security point of view, it is good practice to use different passwords each time a reset is performed.

73. Is one-time password considered a security risk if the DA is consistently using the same password?

Yes, but it needs to be addressed by agency policies.

74. Have password strength rules been considered?

Yes,

75. Are passwords case-sensitive?

Yes, NCID enforces case sensitivity.

76. Once a user resets the password, if they forget it, is there a time period when they can use the "Forgot Password" link again?

Yes, federal regulations require a 3-day period for a user to change their password; however, they can contact a DA to reset it before the minimum age requirement expires.

77. Will passwords reset after 1 hour?

No, an account will be unlocked after 30 minutes, and the user will need to log in to NCID.

78. Will there be a way to verify if a user with an expired account was sent an email requesting them to change their password? A majority of users don't seem to get the 10-day warning message.

The password expiration warning email message is a convenience feature, not a guarantee. There is no way for NCID to check if emails are received, and the email may go to spam or junk folders, for example. Most connected applications do not display warning messages about upcoming password expiration, but a warning message is displayed for users who log in to NCID directly and proxied applications. Note that password expiration dates are included in the DA report, so DAs could extract this information to implement their own warning process.

79. Can users change their password before it expires?

Yes, a user can change their password via the "Change Password" link displayed on the "Identity Self-Service" tab. Please be advised that the minimum password expiration policy requires state and local government employees to use their password for 3 days until it can be changed.

80. If a staff member is on medical leave for more than 15 days, will the user's password expire because the user has not logged into NCID?

The password expiration policy is 90 days, so the user will be able to log into NCID if it's within 90 days.

81. Is it correct that a temporary password is no longer auto-generated upon resetting a password in NCID?

Yes, that is correct. The administrator will need to enter a temporary password.

 

Back to top

 

Challenge Questions


82. Can Challenge Questions be reset before the next password expiration?

Yes,a user can log in to NCID and reset their questions before the password expires.

83. How will users be required to pick and answer challenge questions? Is it possible for users to skip this step?

A user must select their challenge questions the first time their password expires or they login to NCID. If they do not perform this step, they will receive a grace login error later which can only be fixed by a password reset.

Application Access


84. How are employees associated with applications?

Users are assigned to an application by the Application Administrator. To learn more about this topic, please refer to the NCID Administration Guide or the Granting Application Access training video on the NCID Training and Documentation web page.

85. If I need to give someone from another agency access to my application, do they need another NCID account?

No assuming the application is setup to allow cross agency access.

86. Will DHHS employees need a separate account to access a DOT application?

No, the DOT role manager will need to grant access to the application. However, if access is automatically granted based on your division, then you would need an account within that division.

Back to top

Password Synchronization


87. How long does it take for an account to synchronize between NCID and BEACON?

Approximately 5 minutes.

Reporting


88. How does reporting work in NCID?

Delegated Administrators can access data for all users in their division/section via a CSV file. Using this file, they will be able to quickly sort and extract specific user information. The CSV files are genereated every 24 hours and are available in the NCID service to DAs.

89. Are ad-hoc reports exportable to Excel?

You won't create your own report; however, you will have access to a CSV file containing data for all the users you manage.

90. Is there be a report for deactivated accounts?

Yes, using the CSV file, the DA can sort by account status to see a list of deactivated users.

91. Are any reports available in NCID such as Immunization schedules, etc.?

No, reports are specific to NCID only.

Back to top

Miscellaneous


92. Sometimes when a user accesses the NCID Login screen, some of the text or buttons are hidden. What can the user do to remedy this?

The user's font setting may be too large. The user will need to reduce the font size so all of the text and graphics will fit on the screen. To reduce the size in Internet Explorer, click on the View menu, and select the Text Size option. Click on the desired size (e.g., Medium). Note that if the user has a scroll wheel on their mouse, they can hold the Ctrl key while turning the wheel toward them.

93. It would be nice if, when users log into email, it would alarm them that the account is about to expire and give them an opportunity to redirect to NCID and change it.

This feature is a component of Microsoft Office 365 and is not an NCID element.

94. Since DIT is now under a charge model for NCID accounts, at what state does the charge for an account end (Deactivated/Archived/Other)?

Billing stops when the account is deactivated. But, billing numbers for an agecy are established once a year for the entire year.

95. Will NCID replace RACF or NCAS authentication in the near future?

No.

96. Do we have to use Internet Explorer or will NCID work with other browsers?

Recommended browsers for NCID are Internet Explorer. Note: In order for NCID to work correctly with IE, you will need to enable the "Compatibility View" feature found in IE. In most cases it will work with Firefox and other browsers.

97. What steps can a user perform if they are using Internet Explorer and cannot register or log in to NCID?

The user should add NCID to the Trusted Site list. For more information, the user should refer to the Adding NCID to Your Trusted Site List on the NCID website.

98. What should a user do when the following error message is displayed: Internet Explorer cannot display the web page?

The user should try one of the following methods, depending on which version of Internet Explorer is being used. Method 1: should use the "Delete Browsing History" feature to remove their Temporary Internet Files and Cookies. Method 2: should enable the "Compatibility View" setting.

Back to top