Document status: undergoing stakeholder review
This material supports the Person Directory Access Control Policy.
The Risk Factors help the directory-support team and application owners assess applications for suitability for access to the UW Person Directory.
Risk Factors for Exposure of Protected Student Data in Current Directory
Factors leading to low risk:
- Application doesn't access name attributes, eg only does identifier mapping.
- Application deals only with employee entries.
- Application has small user population.
- Application is only used in scenarios appropriate for access to protected student data.
Factors leading to high risk (in addition to inverse of above factors):
- Application is used by students.
- Application has people-picker that permits browsing directory entries.
- Application doesn't have well-defined usage or administration policies.
- Application maintains internal per-person records with copies of directory data.