IAM in Service Catalog
This document describes support for UW employee location groups including naming, data integration, data quality, life-cycle and access controls.
Each group is identified by this pattern of naming components:
The "workday-location" component is substituted with the name of employee's position's location id.
The following table illustrates a couple of employee location code groups:
Current employees with a Seattle Campus position
Current employees who hold a position that has location ID "Seattle Campus"
Current employees with a Seattle Other Buildings position
Current employees who hold a position that has location ID "Seattle Other Buildings"
The following table summarizes how data is integrated into the groups service, related to identifiers, display names, descriptions, memberships, contacts, classification, and access controls.
Data Integration Notes
Group IDs include a lower case version the location id, e.g.
Group Display Name
Display names include the location id, e.g.
Group descriptions include location id, e.g.
"Current employees who hold a position that has location ID "Seattle Other Buildings". This group is updated nightly from the HRPWS. It is available for appropriate business purposes in support of the UW mission. Access to the membership is controlled. Authorized clients are responsible for enforcing the defined access control policy and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. Please contact firstname.lastname@example.org for questions about using this group."
Employee location groups have no owner or contact specified.
Employee location groups are classified as
Restricted. See UW Groups Data Classification Guideline.
Group Access Controls
Employee location groups have a membership viewer control that enforces the defined access control policy (below). Only members of the u_groups_org_location-read are authorized to view these memberships.
UW G Suite
Employee location groups cannot be enabled for use in UW G Suite. Contact email@example.com to inquire more.
UW Exchange Status
Employee location groups cannot be enabled for use in UW Exchange. This business rule is in place to ensure the privacy restriction on the group memberships, which the current design of the UW Exchange service cannot enforce by itself. Contact firstname.lastname@example.org to inquire more.
Group Membership List
Memberships are reconciled nightly to accurately represent current operational data rather than historical data. Members are identified by UW NetID.
This section summarizes the data quality standards for employee location groups represented in the groups service.
Lifecycle Policy: Employee location groups are created automatically and won't be deleted without 90 days prior notification to customers who have registered their dependency on them by emailing email@example.com.
The data custodians for employee data classify employee location groups as restricted. This classification forms the basis of the following access control policy and appropriate use guidelines. It is also the basis of the required membership viewer control and group description text (described above).
Access Control Policy: Having considered the privacy, security, and compliance concerns and acknowledging the business needs and widespread operational efficiencies enabled via UW employee location groups, the data custodians for HR data have established an access control policy that grants permission to view employee location group memberships to UW authorized users and processes acting based on behalf of core UW business needsneed. Access for third parties may be authorized on a case-by-case basis, based on establishing a business need and/or an appropriate data sharing agreement.