Changes Coming Soon
We've transitioned employee groups previously sourced from HEPPS data to newly modeled Workday sourced groups.
New HR groups will be provisioned for current employee group customers using data sourced from Workday. See the UW Human Resource Groups page for more information.
The existing 2015 biennium groups will remain, but once we transition to the updated ODS those groups will no longer be updated and will quickly become stale and outdated.
This document describes support in the UW groups service for employee groups comprising current UW academic personnel, faculty, staff, and student employees by department or unit. This document covers group naming, data integration, data quality, lifecycle, classification, and access control. UW employee groups are created by customer request for departments and other units with a business need for them.
UW employee groups are intended to support effective and efficient day-to-day operations of UW departments, units, programs, teams, and applications by providing timely, accurate group memberships representing UW academic personnel, faculty, staff, and student employees by department or unit.
Employee groups are identified by UW Group IDs that conform to the UW Group Naming Plan. The following affiliation/organization stem is reserved for them:
Each employee group is identified by a series of naming components, i.e.:
Here 'orgcode' is the three-digit organization code associated with the budget number, 'source' is either 'apptdeptbdgt' or 'distbdgt', 'yyyy' is the 4-digit biennium year, and 'affiliation' is 'faculty', 'staff', or 'studemp'. (Please note that the 'faculty' stem is used to house both groups consisting of academic personnel and groups consisting of only faculty. The group display names and descriptions clearly distinguish between these.)
By way of example, the following table illustrates the classes of employee groups that have been provisioned into the UW groups service:
Academic personnel holding appointments in budget 060600 for the 2015-2017 biennium
Current UW academic personnel with UW NetIDs, whose appointments have an Appointing Department Budget Number 06-0600 (FOSTER BUSINESS SCHOOL: DEAN BUSINESS: DEAN BUSINESS ADMIN) during the 2015 biennium.
NOTE: The stem name of 'faculty' is used to house both groups consisting of academic personnel and groups consisting of only faculty. The group display names and descriptions clearly distinguish between these.
Staff appointments in budget 075700 for the 2015-2017 biennium
Current UW staff with UW NetIDs, whose appointments have an Appointing Department Budget Number 07-5700 (SCH OF PUBLIC HEALTH: DEAN OF PUBLIC HEALTH: DEAN OF PUBLIC HEALTH) during the 2015 biennium.
Student employee appointments in budget 061630 for the 2015-2017 biennium
Current UW student employees with UW NetIDs, whose appointments have an Appointing Department Budget Number 06-1630 (THE INFORMATION SCHOOL: THE INFORMATION SCHOOL: INFORMATION SCHOOL) during the 2015 biennium.
Staff assigned to Home Dept Budget 043550 for the 2015-2017 biennium
Current UW staff with UW NetIDs, who have a Home Department Budget Number 04-3550 (UW FINANCE&FACILITIES: CAMPUS OPERATIONS: POWER PLANT) during the 2015-2017 biennium.
Employee groups are based on data integration of HR/Payroll data available in the Operational Data Store (ODS) into the groups service, such that a hierarchy of groups exists for each requesting unit or organization, identified by its organization code and budgets. The groups are updated nightly.
The following table summarizes the most relevant aspects of data integration between the ODS and the groups service, related to identifiers, display names, descriptions, memberships, contacts, classification, and access controls.
Data Integration Notes
Group IDs for employee groups include organization code, source, biennium year, budget numbers, and affiliation as derived from HR/Payroll data in the ODS.
Group Display Name
Display names include the budget number and biennium on which they are based:
Employee group descriptions begin with the budget description followed by appropriate use guidelines, e.g.
Employee groups have no owner or contact specified.
Group Access Controls
The membership viewer control permits interactive browser access for all UW employees (i.e. members of the group uw_employee).
UW Google Apps
Employee groups can or cannot be enabled for use in UW Google Apps. Groups in UW Google Apps will not allow anyone to view the membership.
Employee groups can or cannot be enabled for use in UW Exchange. This business rule is in place to ensure the privacy restriction on the group memberships, which the current design of the UW Exchange service may or may not be able to enforce by itself.
Group Membership List
Employee group memberships are reconciled nightly to accurately represent current operational data rather than historical data. Members are identified by UW NetID.
This section summarizes the data quality standards for employee groups represented in the groups service.
Data Validation Rules: Validation rules are applied only to ensure that employment data conforms to the constraints of the groups data model. Therefore, the accuracy of employee groups, including names and memberships, is primarily determined by the quality and validity of the source HR/Payroll data provisioned from the ODS.
Timeliness of Updates: Under normal operating conditions, once employee group data is updated in the ODS, updates will propagate to the groups service nightly.
Defined Error Rates: Overall, the groups service relies on the ODS, as the system of record for employment data, to define the frequency of errors in employee group data. However, some discrepancies are expected between the ODS and employee groups if, for example, loading of the ODS is delayed.
Integrity Monitoring: The integrity of employment data is ensured during secure transport between ODS and the groups service. Physical, system, and administrative controls are used on the groups service to maintain integrity.
Reliability: Employee groups are provisioned from ODS using a nightly process monitored to ensure reliability and availability of the groups. When abnormalities such as potentially corrupt or incomplete data feeds are detected during the provisioning process, updates are not applied until the abnormalities are reviewed. The reliability of employee groups, once provisioned, is that of the groups service itself: 24 hours a day, 7 days a week, with rare exceptions.
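The hold-for-review behavior described under Reliability can be sketched as follows. This is an added example, not the groups service's own code: the NetID pattern, the 25% removal threshold, the function names, and the group names and members are all assumptions made for illustration.

```python
import re

# Assumptions for this sketch (not UW's actual rules): the NetID shape, and the
# share of a group's members one nightly run may remove without review.
NETID_RE = re.compile(r"^[a-z][a-z0-9]{0,7}$")
MAX_REMOVAL_FRACTION = 0.25


def check_feed(current, feed):
    """Return a list of abnormalities; an empty list means the feed may be applied."""
    problems = []
    for group, members in sorted(feed.items()):
        bad = sorted(m for m in members if not NETID_RE.match(m))
        if bad:
            problems.append(f"{group}: malformed member ids {bad}")
    for group, members in sorted(current.items()):
        if not members:
            continue
        if group not in feed:
            problems.append(f"{group}: missing from feed")
            continue
        removed = members - feed[group]
        if len(removed) / len(members) > MAX_REMOVAL_FRACTION:
            problems.append(
                f"{group}: would remove {len(removed)} of {len(members)} members")
    return problems


def nightly_reconcile(current, feed):
    """Apply the feed only if it passes every check; otherwise keep current state."""
    problems = check_feed(current, feed)
    if problems:
        return current, {}, problems  # held for review, nothing applied
    changes = {}
    for group, members in feed.items():
        before = current.get(group, set())
        add, remove = members - before, before - members
        if add or remove:
            changes[group] = {"add": sorted(add), "remove": sorted(remove)}
    return {g: set(m) for g, m in feed.items()}, changes, []


# Constructed sample data: group names and member ids are placeholders.
CURRENT = {"example_staff": {"alice", "bob", "carol", "dave"},
           "example_faculty": {"erin", "frank"}}
GOOD_FEED = {"example_staff": {"alice", "bob", "carol", "grace"},
             "example_faculty": {"erin", "frank"}}
TRUNCATED_FEED = {"example_staff": {"alice"},
                  "example_faculty": {"erin", "frank"}}
```

With `GOOD_FEED` the run applies one add and one remove; with `TRUNCATED_FEED` the run is held and the existing memberships are returned unchanged.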
The following lifecycle policy provides advanced notification of employee group availability to help customers make informed information technology decisions, anticipate deprovisioning, identify other business needs, and provide feedback.
Lifecycle Policy: The lifecycle policy for employee groups retains group data for the previous biennium. That is, at any given point in time, the groups service will include employee groups for the current biennium and one previous biennium, plus the future biennium (when available). Employee groups that are two or more biennia old will be deleted.
The method for determining the current biennium is to transition from one to the next on the first day of each new biennium. This schedule also determines when the older groups will be deleted.
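The retention window and the first-day transition can be worked through in code. This is an added example, not the groups service's implementation. It assumes a biennium begins on July 1 of an odd year and is named by that year (so 2015 means 2015-2017); the page does not state the start date, and the function names and inventory entries are hypothetical.

```python
from datetime import date

# Assumption: a biennium starts on July 1 of an odd year and is named by that
# year (2015 = the 2015-2017 biennium). The page does not give the start date.
START_MONTH, START_DAY = 7, 1


def current_biennium(today):
    """Return the start year of the biennium that contains `today`."""
    started = (today.month, today.day) >= (START_MONTH, START_DAY)
    if today.year % 2 == 1:
        return today.year if started else today.year - 2
    return today.year - 1


def lifecycle_status(group_biennium, today):
    """Classify a group's biennium year under the retention policy."""
    if group_biennium % 2 != 1:
        raise ValueError(f"not a biennium start year: {group_biennium}")
    age = (current_biennium(today) - group_biennium) // 2  # in biennia
    if age >= 2:
        return "delete"      # two or more biennia old
    if age == 1:
        return "previous"    # retained
    if age == 0:
        return "current"
    return "future"          # provisioned ahead of the transition


def deletion_plan(inventory, today):
    """inventory maps a group name to its biennium year; return names to delete."""
    return sorted(name for name, year in inventory.items()
                  if lifecycle_status(year, today) == "delete")


# Constructed inventory: placeholder names, not real group IDs.
INVENTORY = {"example_2013": 2013, "example_2015": 2015, "example_2017": 2017}

if __name__ == "__main__":
    for day in (date(2017, 6, 30), date(2017, 7, 1)):
        print(day, current_biennium(day), deletion_plan(INVENTORY, day))
```

On the last day of the 2015 biennium nothing in the sample inventory is deleted; one day later the 2013 groups fall out of the window.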
The data custodians for employee data classify faculty and staff employee groups as public and student employee groups as restricted. These classifications form the basis of the following access control policy and appropriate use guidelines, and they are the basis of the membership viewer control and group descriptions.
Access Control Policy: Having considered the privacy, security, and compliance concerns and acknowledging the business needs and widespread operational efficiencies enabled via UW employee groups, the data custodians have established an access control policy that grants permission to view employee group memberships to all UW employees (i.e. current faculty, staff, and student employees) as well as processes acting on behalf of UW employees. Non-employee access (including students, affiliates, and other third parties) and other exceptions to this policy may be authorized by the custodians on a case-by-case basis, based on establishing a business need and/or an appropriate data sharing agreement.
Appropriate Use Guidelines: Use of employee groups is subject to the following appropriate use guidelines. Permission to view employee group memberships is granted on the condition that authorized clients use the memberships for appropriate business purposes in support of the UW mission. Authorized clients are responsible for enforcing the defined access control policy (above) and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. Copying and posting the membership of an employee group in a public location, or sending the membership via email, is inadvisable and may violate the access control policy. Employee groups may be used in limited ways to contact employees in support of the UW mission. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. These rules include guidelines on email use that apply to the use of employee groups with email.