IAM in Service Catalog
February 6, 2019 – This new set of reference groups is being finalized for production release in February.
This document describes support for UW employee location groups including naming, data integration, data quality, life-cycle and access controls.
Employee location groups represent groups of UW employees by job location.
These institutional groups are based on data integration between the HRPWS and the groups service.
Employee location groups are provisioned automatically for all current job locations. They are updated nightly.
Employee location groups are intended to support effective and efficient day-to-day operations of UW departments, units, programs, teams, and applications by providing timely, accurate group memberships representing UW employees by job location.
Employee location groups are identified by UW Group IDs that conform to the UW Group Naming Plan.
The following affiliation/organization stem is reserved for them:
Each group is identified by this pattern of naming components:
The "workday-location" component is substituted with the name of employee's position's location id.
The following table illustrates a couple of employee location code groups:
Current employees with a Seattle Campus position
Current employees who hold a position that has location ID "Seattle Campus"
Current employees with a Seattle Other Buildings position
Current employees who hold a position that has location ID "Seattle Other Buildings"
The following table summarizes how data is integrated into the groups service, related to identifiers, display names, descriptions, memberships, contacts, classification, and access controls.
Data Integration Notes
Group IDs include a lower case version the location id, e.g.
Group Display Name
Display names include the location id, e.g.
Group descriptions include location id, e.g.
"Current employees who hold a position that has location ID "Seattle Other Buildings". This group is updated nightly from the HRPWS. It is available for appropriate business purposes in support of the UW mission. Access to the membership is controlled. Authorized clients are responsible for enforcing the defined access control policy and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. Please contact firstname.lastname@example.org for questions about using this group."
Employee location groups have no owner or contact specified.
Employee location groups are classified as Restricted. See UW Groups Data Classification Guideline.
Group Access Controls
Employee location groups have a membership viewer control that enforces the defined access control policy (below). Only members of the u_groups_org_location-read are authorized to view these memberships.
UW G Suite
Employee location groups cannot be enabled for use in UW G Suite. Contact email@example.com to inquire more.
UW Exchange Status
Employee location groups cannot be enabled for use in UW Exchange. This business rule is in place to ensure the privacy restriction on the group memberships, which the current design of the UW Exchange service cannot enforce by itself. Contact firstname.lastname@example.org to inquire more.
Group Membership List
Memberships are reconciled nightly to accurately represent current operational data rather than historical data. Members are identified by UW NetID.
This section summarizes the data quality standards for employee location groups represented in the groups service.
Data Validation Rules: Validation rules are applied only to ensure that HRPWS data conforms to the constraints of the groups data model. Therefore, the accuracy of employee location groups, including names and memberships, is primarily determined by the quality and validity of the source HR/Payroll data provisioned from the HRPWS. To be included employee position start and end dates must be fall within the current date or the employee has a "Leave of Absence". Position status must be "Active" or "Leave of Absence", not "Inactive".
Defined Error Rates: Overall, the groups service relies on the HRPWS, as its data source, to define the frequency of errors in employee location group data. However, some discrepancies are expected between HRPWS and employee location groups, if for example, loading of the HRPWS is delayed.
Integrity Monitoring: The integrity of source data is ensured during secure transport between HRPWS and the groups service. Physical, system, and administrative controls are used on the groups service to maintain integrity.
Reliability: Employee location groups are provisioned from HRPWS using a nightly process monitored to ensure reliability and availability of the groups. When abnormalities such as potentially corrupt or incomplete data feeds are detected during the provisioning process, updates are not applied until the abnormalities are reviewed. The reliability of employee location groups, once provisioned, is that of the groups service itself: 24 hours a day, 7 days a week, with rare exceptions.
Timeliness of Updates: Under normal operating conditions, once data is updated in the HRPWS, updates will propagate to the groups service nightly.
The following lifecycle policy provides advanced notification of employee location group availability to help customers make informed information technology decisions, anticipate deprovisioning, identify other business needs, and provide feedback.
Lifecycle Policy: Employee location groups are created automatically and won't be deleted without 90 days prior notification to customers.
The data custodians for employee data classify employee location groups as restricted. This classification forms the basis of the following access control policy and appropriate use guidelines. It is also the basis of the required membership viewer control and group description text (described above).
Access Control Policy: Having considered the privacy, security, and compliance concerns and acknowledging the business needs and widespread operational efficiencies enabled via UW employee location groups, the data custodians for HR data have established an access control policy that grants permission to view employee location group memberships to authorized users and processes based on business need. Access for third parties may be authorized on a case-by-case basis, based on establishing a business need and/or an appropriate data sharing agreement.
Appropriate Use Guidelines: Use of employee location groups is subject to the following appropriate use guidelines. Permission to view employee location group memberships is granted on the condition that authorized clients use the memberships for appropriate business purposes in support of the UW mission. Authorized clients are responsible for enforcing the defined access control policy (above) and may not share group memberships with unauthorized parties without first obtaining authorization to do so. Copying and posting the membership of a employee location group in a public location, or sending the membership via email, is unadvised and may violate the access control policy. Employee location groups may be used in limited ways to contact employees in support of the UW mission. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. These rules include guidelines on email use that apply to the use of employee location groups with email.