Summary
This document describes support in the UW groups service for employee groups comprising current UW academic personnel, faculty, staff, and student employees by department or unit. This document covers group naming, data integration, data quality, lifecycle, classification, and access control. UW employee groups are created by customer request for departments and other units with a business need for them.
Purpose
UW employee groups are intended to support effective and efficient day-to-day operations of UW departments, units, programs, teams, and applications by providing timely, accurate group memberships representing UW academic personnel, faculty, staff, and student employees by department or unit.
UW Employee Group IDs
Employee groups are identified by UW Group IDs that conform to the UW Group Naming Plan. The following affiliation/organization stem is reserved for them:
uw_org
Each employee group is identified by a series of naming components, i.e.:
uw_org_<orgcode>_<source>_<yyyy>_<budget>_<affiliation>
Here 'orgcode' is the three-digit organization code associated with the budget number, 'source' is either 'apptdeptbdgt' or 'distbdgt', 'yyyy' is the 4-digit biennium year, and 'affiliation' is 'faculty', 'staff', or 'studemp'. (Please note that the 'faculty' stem is used to house both groups consisting of academic personnel and groups consisting of only faculty. The group display names and descriptions clearly distinguish between these.)
Employee Group Classes
By way of example, the following table illustrates the classes of employee groups that have been provisioned into the UW groups service:
Group ID | Display Name | Effective Membership |
---|---|---|
uw_org_256_apptdeptbdgt_2015_060600_faculty | Academic personnel holding appointments in budget 060600 for the 2015-2017 biennium | Current UW academic personnel with UW NetIDs, whose appointments have an Appointing Department Budget Number 06-0600 (FOSTER BUSINESS SCHOOL: DEAN BUSINESS: DEAN BUSINESS ADMIN) during the 2015 biennium. The uw_org_NNN_apptdeptbdgt_YYYY_NNNNNN_faculty class of groups contains all those UW employees who hold at least one appointment which has:
- a begin date which is earlier than or equal to today
- an end date which is later than or equal to today
- an appointing department budget number which is equal to the NNNNNN in the group ID (060600, in this example), in the biennium indicated by YYYY (2015 in this example)
- an ECSCode of 'F'
- an Appointment Status of 'A', 'N' or 'L'
NOTE: The stem name of 'faculty' is used to house both groups consisting of academic personnel and groups consisting of only faculty. The group display names and descriptions clearly distinguish between these. |
uw_org_310_apptdeptbdgt_2015_075700_staff | Staff appointments in budget 075700 for the 2015-2017 biennium | Current UW staff with UW NetIDs, whose appointments have an Appointing Department Budget Number 07-5700 (SCH OF PUBLIC HEALTH: DEAN OF PUBLIC HEALTH: DEAN OF PUBLIC HEALTH) during the 2015 biennium. The uw_org_NNN_apptdeptbdgt_YYYY_NNNNNN_staff class of groups contains all those UW employees who hold at least one appointment which has:
- a begin date which is earlier than or equal to today
- an end date which is later than or equal to today
- an appointing department budget number which is equal to the NNNNNN in the group ID (075700, in this example), in the biennium indicated by YYYY (2015 in this example)
- an ECSCode which is one of ('B','C','E','D','I','T','P')
- an Appointment Status of 'A', 'N' or 'L'
|
uw_org_267_apptdeptbdgt_2015_061630_studemp | Student employee appointments in budget 061630 for the 2015-2017 biennium | Current UW student employees with UW NetIDs, whose appointments have an Appointing Department Budget Number 06-1630 (THE INFORMATION SCHOOL: THE INFORMATION SCHOOL: INFORMATION SCHOOL) during the 2015 biennium. The uw_org_NNN_apptdeptbdgt_YYYY_NNNNNN_studemp class of groups contains all those UW employees who hold at least one appointment which has:
- a begin date which is earlier than or equal to today
- an end date which is later than or equal to today
- an appointing department budget number which is equal to the NNNNNN in the group ID (061630, in this example), in the biennium indicated by YYYY (2015 in this example)
- an ECSCode which is one of ('U','G')
- an Appointment Status of 'A', 'N' or 'L'
|
uw_org_208_homedeptbdgt_2015_043550_staff | Staff assigned to Home Dept Budget 043550 for the 2015-2017 biennium | Current UW staff with UW NetIDs, who have a Home Department Budget Number 04-3550 (UW FINANCE&FACILITIES: CAMPUS OPERATIONS: POWER PLANT) during the 2015-2017 biennium. The uw_org_NNN_homedeptbdgt_YYYY_NNNNNN_staff class of groups contains all those UW employees who are assigned to a Home Department Budget:
- has a BudgetNbr which is equal to the NNNNNN in the group ID (043550, in this example), in the biennium indicated by YYYY (2015 in this example)
- has an ECSCode which is one of ('B','C','E','D','I','T','P')
|
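The apptdeptbdgt membership rules in the table above, worked through as an added example (not code from the UW groups service). The record field names, the `appt` helper and the sample appointments are constructed for illustration; the homedeptbdgt class, which follows different rules, is rejected rather than evaluated.

```python
import re
from datetime import date

# ECS codes per affiliation and accepted appointment statuses, from the table above.
ECS_CODES = {"faculty": {"F"}, "staff": set("BCEDITP"), "studemp": {"U", "G"}}
STATUSES = {"A", "N", "L"}
GROUP_ID = re.compile(
    r"uw_org_(?P<org>\d{3})_apptdeptbdgt_(?P<year>\d{4})"
    r"_(?P<budget>\d{6})_(?P<aff>faculty|staff|studemp)"
)

def appt(netid, begin, end, budget, ecs_code, status, biennium=2015):
    """Build one appointment record (hypothetical field names, not the ODS schema)."""
    return {"netid": netid, "begin": begin, "end": end, "budget": budget,
            "ecs_code": ecs_code, "status": status, "biennium": biennium}

def effective_members(group_id, appointments, today):
    """Return sorted NetIDs holding at least one appointment that meets every rule."""
    m = GROUP_ID.fullmatch(group_id)
    if m is None:
        raise ValueError(f"not an apptdeptbdgt employee group ID: {group_id!r}")
    members = set()
    for a in appointments:
        if (a["begin"] <= today <= a["end"]            # both date bounds are inclusive
                and a["budget"] == m["budget"]
                and a["biennium"] == int(m["year"])
                and a["ecs_code"] in ECS_CODES[m["aff"]]
                and a["status"] in STATUSES):
            members.add(a["netid"])                     # set: one entry per person
    return sorted(members)

# Constructed sample data for illustration only.
TODAY = date(2016, 3, 1)
SAMPLE = [
    appt("alice", date(2015, 7, 1), date(2017, 6, 30), "075700", "E", "A"),
    appt("alice", date(2015, 7, 1), date(2017, 6, 30), "075700", "P", "L"),  # second appointment
    appt("bob",   date(2015, 7, 1), date(2016, 3, 1),  "075700", "C", "N"),  # ends today
    appt("carol", date(2015, 7, 1), date(2016, 2, 29), "075700", "B", "A"),  # ended yesterday
    appt("dave",  date(2016, 3, 2), date(2017, 6, 30), "075700", "T", "A"),  # starts tomorrow
    appt("erin",  date(2015, 7, 1), date(2017, 6, 30), "075700", "G", "A"),  # student employee
    appt("frank", date(2015, 7, 1), date(2017, 6, 30), "075700", "E", "X"),  # status not A/N/L
    appt("grace", date(2015, 7, 1), date(2017, 6, 30), "061630", "E", "A"),  # other budget
]

if __name__ == "__main__":
    print(effective_members("uw_org_310_apptdeptbdgt_2015_075700_staff", SAMPLE, TODAY))
```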
Data Integration
Employee groups are based on data integration of HR/Payroll data available in the Operational Data Store (ODS) into the groups service, such that a hierarchy of groups exists for each requesting unit or organization, identified by its organization code and budgets. The groups are updated nightly.
The following table summarizes the most relevant aspects of data integration between the ODS and the groups service, related to identifiers, display names, descriptions, memberships, contacts, classification, and access controls.
Group Attribute | Data Integration Notes |
---|---|
Group ID | Group IDs for employee groups include organization code, source, biennium year, budget numbers, and affiliation as derived from HR/Payroll data in the ODS. Since the source data is uppercase and contains spaces and occasional ampersands, the following transformations are applied to conform to naming conventions:
- Initial and trailing spaces are removed
- All letters are converted to lower case
- All internal spaces are replaced with dashes
- All ampersand characters are replaced with a dash followed by 'and' followed by a dash
- Any remaining characters not in [-], [a-z], [0-9] are replaced with the period '.' character
|
Group Display Name | Display names include the budget number and biennium on which they are based, e.g. "Staff appointments in budget 105776 for the 2015-2017 biennium". No translation is done to the incoming data when provisioning display name values. (Some older groups may contain more verbose group display names; these will disappear as old groups are purged.) |
Group Description | Employee group descriptions begin with the budget description followed by appropriate use guidelines, e.g. "Staff appointments in budget 105776 (SCH OF PUBLIC HEALTH: ENVIRO & OCCUP HEALTH: ENVIR HEALTH MA). This group is updated nightly from the ODS. It is available for appropriate business purposes in support of the UW mission. All users are responsible for enforcing the defined access control policy and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. Please contact help@uw.edu for questions about using this group." |
Contact Person | Employee groups have no owner or contact specified. |
Group Classification | The faculty and staff groups are classified as Public. The student employee groups are classified as Restricted. |
Group Access Controls | The membership viewer control permits interactive browser access for all UW employees (i.e. members of the group uw_employee). The membership viewer control also permits access for applications whose UW CA certificate has been placed in the appropriate reader group (u_groups_org_faculty-read, u_groups_org_staff-read, or u_groups_org_studemp-read). |
UW Google Apps | Employee groups can or cannot be enabled for use in UW Google Apps. Groups in UW Google Apps will not allow anyone to view the membership. |
Exchange Status | Employee groups can or cannot be enabled for use in UW Exchange. This business rule is in place to ensure the privacy restriction on the group memberships, which the current design of the UW Exchange service may or may not be able to enforce by itself. |
Group Membership List | Employee group memberships are reconciled nightly to accurately represent current operational data rather than historical data. Members are identified by UW NetID. |
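The Group ID transformations listed in the table above, applied literally as an added example (not the groups service's own code). It assumes the five rules run in the order listed; the source strings are constructed, and the collision check is an addition showing that this normalization is lossy, so distinct source values can yield the same ID component.

```python
import re
from collections import defaultdict

def normalize_component(raw):
    """Apply the five listed transformations, in the order listed (assumed order)."""
    s = raw.strip(" ")                    # 1. remove initial and trailing spaces
    s = s.lower()                         # 2. convert all letters to lower case
    s = s.replace(" ", "-")               # 3. each internal space becomes a dash
    s = s.replace("&", "-and-")           # 4. ampersand becomes "-and-"
    return re.sub(r"[^-a-z0-9]", ".", s)  # 5. anything else becomes "."

def find_collisions(raw_values):
    """Return {normalized: [sources]} for values produced by 2+ distinct sources."""
    seen = defaultdict(set)
    for raw in raw_values:
        seen[normalize_component(raw)].add(raw)
    return {norm: sorted(srcs) for norm, srcs in seen.items() if len(srcs) > 1}

# Constructed source strings for illustration only.
SAMPLE = [
    "  UW FINANCE&FACILITIES ",   # padding is stripped, "&" is spelled out
    "ENVIRO & OCCUP HEALTH",      # spaces around "&" leave doubled dashes
    "R&D",
    "R AND D",                    # same result as "R&D"
    "DEAN/BUSINESS",
    "DEAN_BUSINESS",              # "/" and "_" both become "."
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(repr(raw), "->", normalize_component(raw))
    print("collisions:", find_collisions(SAMPLE))
```

Running the collision check over the full set of source values before provisioning shows whether two distinct sources would land on the same group ID.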
Data Quality Standards
This section summarizes the data quality standards for employee groups represented in the groups service.
Data Validation Rules: Validation rules are applied only to ensure that employment data conforms to the constraints of the groups data model. Therefore, the accuracy of employee groups, including names and memberships, is primarily determined by the quality and validity of the source HR/Payroll data provisioned from the ODS.
Timeliness of Updates: Under normal operating conditions, once employee group data is updated in the ODS, updates will propagate to the groups service nightly.
Defined Error Rates: Overall, the groups service relies on the ODS, as the system of record for employment data, to define the frequency of errors in employee group data. However, some discrepancies are expected between the ODS and employee groups if, for example, loading of the ODS is delayed.
Integrity Monitoring: The integrity of employment data is ensured during secure transport between ODS and the groups service. Physical, system, and administrative controls are used on the groups service to maintain integrity.
Reliability: Employee groups are provisioned from ODS using a nightly process monitored to ensure reliability and availability of the groups. When abnormalities such as potentially corrupt or incomplete data feeds are detected during the provisioning process, updates are not applied until the abnormalities are reviewed. The reliability of employee groups, once provisioned, is that of the groups service itself: 24 hours a day, 7 days a week, with rare exceptions.
Employee Group Lifecycle Policy
The following lifecycle policy provides advance notification of employee group availability to help customers make informed information technology decisions, anticipate deprovisioning, identify other business needs, and provide feedback.
Lifecycle Policy: The lifecycle policy for employee groups retains group data for the previous biennium. That is, at any given point in time, the groups service will include employee groups for the current biennium and one previous biennium, plus the future biennium (when available). Employee groups that are two or more biennia old will be deleted.
The method for determining the current biennium is to transition from one to the next on the first day of each new biennium. This schedule also determines when the older groups will be deleted.
Access Control Policy
The data custodians for employee data classify faculty and staff employee groups as public and student employee groups as restricted. These classifications form the basis of the following access control policy and appropriate use guidelines, and they are the basis of the membership viewer control and group descriptions.
Access Control Policy: Having considered the privacy, security, and compliance concerns and acknowledging the business needs and widespread operational efficiencies enabled via UW employee groups, the data custodians have established an access control policy that grants permission to view employee group memberships to all UW employees (i.e. current faculty, staff, and student employees) as well as processes acting on behalf of UW employees. Non-employee access (including students, affiliates, and other third parties) and other exceptions to this policy may be authorized by the custodians on a case-by-case basis, based on establishing a business need and/or an appropriate data sharing agreement.
Appropriate Use Guidelines: Use of employee groups is subject to the following appropriate use guidelines. Permission to view employee group memberships is granted on the condition that authorized clients use the memberships for appropriate business purposes in support of the UW mission. Authorized clients are responsible for enforcing the defined access control policy (above) and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. Copying and posting the membership of an employee group in a public location, or sending the membership via email, is inadvisable and may violate the access control policy. Employee groups may be used in limited ways to contact employees in support of the UW mission. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. These rules include guidelines on email use that apply to the use of employee groups with email.