
DRAFT

ANALYSIS
Customers

Alin Hunter, Snezana Popovic, UW-IT – The customers of the groups described in this design template represent the owners of Legacy HR/P Archive reports. Possibly also for email notices about the reports.

Application Use

BI Portal – The groups will be used for controlling access to the Legacy HR/P Archive reports hosted in the BI Portal (https://biportal.uw.edu).
TBD. Email – The groups will be used for emailing notices about the Legacy HR/P Archive reports using UW Mailman or Marketo.

Membership (Business Definition)

The business definition of the group memberships is individuals with the assignable security roles in Workday.

For example, someone with the "Academic_Partner" role will be a member of the related group.

See https://isc.uw.edu/admin-corner/security-roles/assignable-roles/

See https://isc.uw.edu/support-resources/how-to-get-workday-help/named-support-contacts/

Business Process

Workday security role management

System of Record

Workday

Subject Area

Master Data

Business Domain

Master Data – Services & Resources – HR/P – Access permissions and restrictions

DESIGN
Type

Group/Role

Home Group

uw_isc

Group IDs

The following table describes mappings from Workday security group attributes to UW group attributes.

TBD Option A. Each Group ID will be of the format "uw_isc_security-group_<identifier>" where the identifier is replaced with the Workday security group reference ID. This option supports minor changes to Workday security role names without impact to the UW groups. But it results in more opaque UW group IDs.

TBD Option B. Each Group ID will be of the format "uw_isc_security-group_<identifier>" where the identifier is replaced with the Workday security group name (lowercase, underscores converted to hyphens). This option is less resilient to changes to Workday security role names, which would impact the UW groups. But the UW group IDs are friendlier.

| TBD - Workday Security Group Reference ID | TBD - Workday Security Group Name | UW Group Display Name | UW Group ID |
|---|---|---|---|
| TBD – 1234567890 | Academic_Partner | Workday Security Group - Academic_Partner | TBD Option A: uw_isc_security-group_1234567890; TBD Option B: uw_isc_security-group_academic-partner |
| etc. | Costing_Allocations_Coordinator | Workday Security Group - Costing_Allocations_Coordinator | uw_isc_security-group_costing-allocations-coordinator |
| etc. | HCM_Initiate_2 | Workday Security Group - HCM_Initiate_2 | uw_isc_security-group_hcm_initiate_2 |
| | HR_Partner | Workday Security Group - HR_Partner | uw_isc_security-group_hr-partner |
| | VO_STAFF_COMP_COST | Workday Security Group - VO_STAFF_COMP_COST | uw_isc_security-group_vo-staff-comp-cost |
| | Academic_Personnel_Office_Partner | Workday Security Group - Academic_Personnel_Office_Partner | uw_isc_security-group_academic-personnel-office-partner |
| | HR_Office_Partner | Workday Security Group - HR_Office_Partner | uw_isc_security-group_hr-office-partner |
| | CBU_Benefits_Office_Partner | Workday Security Group - CBU_Benefits_Office_Partner | uw_isc_security-group_cbu-benefits-office-partner |
| | Absence_Office_Partner | Workday Security Group - Absence_Office_Partner | uw_isc_security-group_absence_office_partner |
| | Labor_Relations_Union_Office_Partner | Workday Security Group - Labor_Relations_Union_Office_Partner | uw_isc_security-group_labor-relations-union-office-partner |
| | ISC_Retiree_Office_Partner | Workday Security Group - ISC_Retiree_Office_Partner | uw_isc_security-group_isc-retiree-office-partner |
| | HR_Auditor | Workday Security Group - Workday Security Group - HR_Auditor | uw_isc_security-group_hr-auditor |
| | Payroll_Auditor | Workday Security Group - Payroll_Auditor | uw_isc_security-group_payroll-auditor |
| | ISC_Payroll_Office_Partner | Workday Security Group - ISC_Payroll_Office_Partner | uw_isc_security-group_isc-payroll-office-partner |
| | ISC_Compensation_Office_Partner | Workday Security Group - ISC_Compensation_Office_Partner | uw_isc_security-group_isc-compensation-office-partner |
| | VO_Medical_Centers_Payroll_Partner | Workday Security Group - VO_Medical_Centers_Payroll_Partner | uw_isc_security-group_vo-medical-centers-payroll-partner |
| | VO_Medical_Centers_Absence_for_Leave_Specialist | Workday Security Group - VO_Medical_Centers_Absence_for_Leave_Specialist | uw_isc_security-group_vo-medical-centers-absence-for-leave-specialist |

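
An added example, not part of the original design and not the provisioning code: it derives Group IDs under Option A and Option B and audits listed IDs against the Option B rule, reporting rows that do not follow it and names that would collapse into one group (and so merge two memberships). The function names and the allowed-character pattern are assumptions; the sample rows are copied from the table above.

```python
import re

PREFIX = "uw_isc_security-group_"
# Assumption: the identifier may only hold lowercase letters, digits and hyphens.
ALLOWED = re.compile(r"[a-z0-9-]+")


def option_a_id(reference_id):
    """Option A: prefix + Workday security group reference ID."""
    return PREFIX + reference_id


def option_b_id(name):
    """Option B: prefix + name, lowercased, underscores converted to hyphens."""
    ident = name.lower().replace("_", "-")
    if not ALLOWED.fullmatch(ident):
        raise ValueError(f"unexpected characters in security group name: {name!r}")
    return PREFIX + ident


def audit(rows):
    """rows: (workday_name, listed_group_id) pairs.

    Returns (mismatches, collisions): rows whose listed ID differs from the
    Option B rule, and derived IDs shared by more than one Workday name.
    """
    mismatches = [(name, listed, option_b_id(name))
                  for name, listed in rows if option_b_id(name) != listed]
    by_id = {}
    for name, _ in rows:
        by_id.setdefault(option_b_id(name), set()).add(name)
    collisions = {gid: sorted(names) for gid, names in by_id.items() if len(names) > 1}
    return mismatches, collisions


# Sample rows copied from the table above.
TABLE_ROWS = [
    ("Academic_Partner", "uw_isc_security-group_academic-partner"),
    ("HCM_Initiate_2", "uw_isc_security-group_hcm_initiate_2"),
    ("HR_Partner", "uw_isc_security-group_hr-partner"),
    ("VO_STAFF_COMP_COST", "uw_isc_security-group_vo-staff-comp-cost"),
    ("Absence_Office_Partner", "uw_isc_security-group_absence_office_partner"),
]

if __name__ == "__main__":
    mismatches, collisions = audit(TABLE_ROWS)
    for name, listed, derived in mismatches:
        print(f"{name}: listed {listed}, Option B rule gives {derived}")
    print("collisions:", collisions)
```
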
Display Name

TBD. Group display names will be populated with data from Workday. See table above.

Lifecycle Policy (Creation)

Groups will be created only for approved uses related to Legacy HR/P Archive reports.

Lifecycle Policy (Deletion)

Groups will be deleted when data custodians request and plan for their deletion.

Membership (Direct)

Direct membership of each group includes the UW NetIDs of individuals assigned to the specific Workday security group.

Membership (Exceptions)

No exceptions for additions or deletions to memberships. All updates to the memberships must be made in Workday.

Membership (Grace Period)

None

Membership (Opt-in)

N/A

Membership (Opt-out)

N/A

Contact Person

TBD. A contact appropriate for Workday security role support, e.g. "ischelp".

Description

TBD. Define descriptions that help potential customers understand fit for purpose and use, including lifecycle policy, membership policy, data quality standards, appropriate use guidelines, access control policy, ownership, and contact information. Some business processes have master data that can be used for descriptions.

Staff in Supervisory Org ISCHL_000001 (Information School) This group is updated nightly from the ODS. It is available for appropriate business purposes in support of the UW mission. All users are responsible for enforcing the defined access control policy and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. Please contact help@uw.edu for questions about using this group.

"Current employees who hold a position that has location ID "Seattle Other Buildings". This group is updated nightly from the HRPWS. It is available for appropriate business purposes in support of the UW mission. Access to the membership is controlled. Authorized clients are responsible for enforcing the defined access control policy and may not share employee group memberships with unauthorized parties without first obtaining authorization to do so. All users are expected to know and follow the rules related to ethical and appropriate use of UW computing and networking resources. Please contact help@uw.edu for questions about using this group."

More Information

N/A

Application Settings (Exchange)

Inactive; changes to settings will require custodian approval.

Application Settings (Google)

Inactive; changes to settings will require custodian approval.

ACCESS CONTROL
Data Custodian

Nancy Jagger, Rachel Gatlin, Margaret Stuart, Cindy Gregovich

Classification

Confidential. See UW Groups Data Classification Guideline.

Access Control Policy

The data custodians have classified these UW group memberships as Confidential. This classification forms the basis of the following access control policy and appropriate use guidelines. It is also the basis of the Membership Viewer Control (below) and Description (above).

Access Control Policy: Having considered privacy, security, and compliance concerns and acknowledging the business needs for Workday security group memberships, the data custodians have established an access control policy that grants permission to view Workday security group memberships only to authorized users and processes based on business need.

Appropriate Use Guidelines: Use of Workday security group memberships is subject to the following appropriate use guidelines. Permission to view Workday security group memberships is granted on the condition that authorized clients use the memberships for appropriate business purposes in support of access to Legacy HR data. Authorized clients are responsible for enforcing the defined access control policy (above) and may not share group memberships with unauthorized parties without first obtaining authorization to do so. Copying and sharing the membership data with unauthorized users violates the access control policy and is forbidden.

Membership Viewer Control

TBD. uw_isc_security-group-viewer. This group is used to enforce the defined access control policy (above). 

Sender Control

N/A

IMPLEMENTATION
Data Source

HRPWS

Membership (Technical)

TBD. Ann Testroet

Define the technical definition of the memberships in terms used by the data source (HRPWS) and its data elements, as well as any additional filtering.

Provisioning

TBD. Ann Testroet Similar to uwhrlocationgroupmaker

Define a provisioning model for data integration and reconciliation that ensures the groups are created in accordance with their lifecycle policy and managed in accordance with their data quality standards.

De-Provisioning

TBD. Ann Testroet Similar to uwhrlocationgroupmaker

Define a de-provisioning model that ensures the groups are deleted in accordance with their lifecycle policy.

Monitoring

TBD. Ann Testroet Similar to uwhrlocationgroupmaker

Define a monitoring solution that helps identify incidents and problems, particularly those that impact availability and reliability.

Data Quality Standards

TBD. Ann Testroet Similar to uwhrlocationgroupmaker

Define data quality standards under normal operations, including data validation rules, timeliness of updates, defined error rates, integrity monitoring, and reliability. The standards will depend on the business process, system of record, data source, provisioning and de-provisioning models, monitoring, and operations.

Internal Documentation

TBD. Ann Testroet Similar to uwhrlocationgroupmaker

Define what internal documentation will be developed and where it will be maintained.

Customer Documentation

TBD.

Communication Plan

Alin and Snezana will coordinate communications as part of the "Legacy HRP System Shutdown and Data Archiving - Implementation" project (PRJ0234400).

OPERATIONS
Request Fulfillment

TBD. All requests that cannot be handled self-service by the Customer Documentation will be directed to the email address defined by the Contact Person (above). Examples of requests include standard requests for information and access to memberships.

Incident Management

Incidents with the group memberships, with a root cause attributed to UW-IT's systems and processes, will be handled via the UW-IT Incident Management practice.