IAM in Service Catalog
September 27, 2017 – The design for UW job class groups hasn't been reviewed and updated for the new canonical data model for HR data mastered in Workday. Please contact us at email@example.com if you are interested in this type of institutional group. We are assessing customer demand.
This document describes support for job class groups in the UW groups service including naming, data integration, data quality, lifecycle and access controls.
Job class groups represent groups of UW employees by job class code.
These institutional groups are based on data integration between the operational data store (ODS) and the groups service. They are updated nightly.
Job class groups are created by request. To request a new job class group, email the job class code to firstname.lastname@example.org.
UW job class groups are intended to support effective and efficient day-to-day operations of UW departments, units, programs, teams, and applications by providing timely, accurate group memberships representing UW employees by job class code.
Job class groups are identified by UW Group IDs that conform to the UW Group Naming Plan.
The following affiliation/organization stem is reserved for them:
Each group is identified by this pattern of naming components:
The "jobclasscode" component is substituted with the four-digit job class code.
The following table illustrates a couple of job class code groups:
Current employees with appointment in jobclass 1560 - SOFTWARE ENGINEER
Current employees with job class code 1560.
Current employees with appointment in jobclass 1740 - TECHNOLOGY MANAGER
Current employees with job class code 1740.
The following table summarizes how data is integrated into the groups service, related to identifiers, display names, descriptions, memberships, contacts, classification, and access controls.
Data Integration Notes
Group IDs include a job class code, e.g.
Group Display Name
Display names include the job class code and job class description, e.g.
Group descriptions include job class code, job class description, and appropriate use guidelines, e.g.
"UW employees assigned to Job Class Code: 1560 Job Class Description: SOFTWARE ENGINEER. This group is updated nightly from the ODS. It is available for appropriate business purposes in support of the UW mission. Access to the membership is controlled. Authorized clients are responsible for enforcing the defined access control policy and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. Please contact email@example.com for questions about using this group."
Job class groups have no owner or contact specified.
Job class groups are classified as Public.
Group Access Controls
Job class groups have a membership viewer control that enforces the defined access control policy (below). Only members of the uw_employee group and u_groups_jobclass_read-access group are authorized to view these memberships.
UW Google Apps
Job class groups can be enabled for use in UW Google Apps by request. In UW Google Apps, the sender control is set to "UW" and the viewer control to "members only".
Job class groups cannot be enabled for use in UW Exchange. This business rule is in place to ensure the privacy restriction on the group memberships, which the current design of the UW Exchange service cannot enforce by itself.
Group Membership List
Memberships are reconciled nightly to accurately represent current operational data rather than historical data. Members are identified by UW NetID.
This section summarizes the data quality standards for job class groups represented in the groups service.
Data Validation Rules: Validation rules are applied only to ensure that ODS data conforms to the constraints of the groups data model. Therefore, the accuracy of job class groups, including names and memberships, is primarily determined by the quality and validity of the source HR/Payroll data provisioned from the ODS. To be included, an employee's appointment start and end dates must fall within the current date, or the employee must have a "Leave of Absence". Appointment status must be "Active" or "Leave of Absence", not "Inactive".
Defined Error Rates: Overall, the groups service relies on the ODS, as its data source, to define the frequency of errors in job class group data. However, some discrepancies are expected between the ODS and job class groups if, for example, loading of the ODS is delayed.
Integrity Monitoring: The integrity of source data is ensured during secure transport between ODS and the groups service. Physical, system, and administrative controls are used on the groups service to maintain integrity.
Reliability: Job class groups are provisioned from ODS using a nightly process monitored to ensure reliability and availability of the groups. When abnormalities such as potentially corrupt or incomplete data feeds are detected during the provisioning process, updates are not applied until the abnormalities are reviewed. The reliability of job class groups, once provisioned, is that of the groups service itself: 24 hours a day, 7 days a week, with rare exceptions.
Timeliness of Updates: Under normal operating conditions, once data is updated in the ODS, updates will propagate to the groups service nightly.
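The validation rule and the "updates are not applied until the abnormalities are reviewed" behaviour described above can be sketched as follows. This is an added example, not code from the groups service: the record field names, the sample NetIDs, the reading of "Leave of Absence" as qualifying regardless of dates, and the `max_change_ratio` threshold are all assumptions made for illustration.

```python
from datetime import date

def eligible_members(appointments, job_class, today):
    """NetIDs whose appointment qualifies for the job class group today."""
    members = set()
    for appt in appointments:
        if appt["job_class"] != job_class:
            continue
        # Assumed reading of the rule: leave qualifies regardless of dates.
        on_leave = appt["status"] == "Leave of Absence"
        active_now = (appt["status"] == "Active"
                      and appt["start"] <= today <= appt["end"])
        if on_leave or active_now:
            members.add(appt["netid"])
    return members

def plan_update(current, desired, max_change_ratio=0.5):
    """Diff current vs desired membership; hold the update for review when
    the feed would empty the group or change too much of it at once.
    The threshold is a hypothetical abnormality check, not the service's."""
    adds, removes = desired - current, current - desired
    hold = bool(current) and (
        not desired
        or (len(adds) + len(removes)) / len(current) > max_change_ratio)
    return {"add": sorted(adds), "remove": sorted(removes), "hold": hold}

# Constructed sample feed (NetIDs and dates are invented for illustration).
TODAY = date(2024, 6, 1)
FEED = [
    {"netid": "alice", "job_class": "1560", "status": "Active",
     "start": date(2020, 1, 1), "end": date(2030, 1, 1)},
    {"netid": "bob", "job_class": "1560", "status": "Leave of Absence",
     "start": date(2019, 1, 1), "end": date(2021, 1, 1)},
    {"netid": "carol", "job_class": "1560", "status": "Inactive",
     "start": date(2020, 1, 1), "end": date(2030, 1, 1)},
    {"netid": "dave", "job_class": "1560", "status": "Active",
     "start": date(2018, 1, 1), "end": date(2022, 1, 1)},
    {"netid": "erin", "job_class": "1740", "status": "Active",
     "start": date(2021, 1, 1), "end": date(2030, 1, 1)},
]

if __name__ == "__main__":
    current = {"alice", "bob", "carol"}
    print(plan_update(current, eligible_members(FEED, "1560", TODAY)))
    # An empty (truncated) feed would remove everyone, so it is held.
    print(plan_update(current, eligible_members([], "1560", TODAY)))
```

Holding a suspicious update matters here because group membership drives access decisions downstream: a truncated feed applied blindly would silently remove every member.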
The following lifecycle policy provides advance notification of job class group availability to help customers make informed information technology decisions, anticipate deprovisioning, identify other business needs, and provide feedback.
Lifecycle Policy: Job class groups are created by request and won't be deleted without 30 days' prior notification to customers who have registered their dependency on them by emailing firstname.lastname@example.org.
To be included in a job class group, the employee's appointment status must be Active and fall within the current date, or be on Leave. Inactive appointments are not included.
The data custodians for employee data classify job class groups as public. This classification forms the basis of the following access control policy and appropriate use guidelines. It is also the basis of the required membership viewer control and group description text (described above).
Access Control Policy: Having considered the privacy, security, and compliance concerns and acknowledging the business needs and widespread operational efficiencies enabled via UW job class groups, the data custodians for HR data have established an access control policy that grants permission to view job class group memberships to all UW employees (i.e. current faculty, staff, and student employees) as well as processes acting on behalf of UW employees. Non-employee access (including students, affiliates, and other third parties) may be authorized on a case-by-case basis, based on establishing a business need and/or an appropriate data sharing agreement.
Appropriate Use Guidelines: Use of job class groups is subject to the following appropriate use guidelines. Permission to view job class group memberships is granted on the condition that authorized clients use the memberships for appropriate business purposes in support of the UW mission. Authorized clients are responsible for enforcing the defined access control policy (above) and may not share group memberships with unauthorized parties without first obtaining authorization to do so. Copying and posting the membership of a job class group in a public location, or sending the membership via email, is unadvised and may violate the access control policy. Job class groups may be used in limited ways to contact employees in support of the UW mission. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. These rules include guidelines on email use that apply to the use of employee groups with email.