UW groups for access to Legacy HR data

Alin Hunter, Snezana Popovic, UW-IT – The customers of the groups described in this design template represent the owners of Legacy HR/P Archive reports.

TBD. BI Portal – The groups will be used for controlling access to the Legacy HR/P Archive reports available in the BI Portal (https://biportal.uw.edu) and/or EDW (https://edw.washington.edu).
TBD. Email – The groups will be used for emailing notices about the Legacy HR/P Archive reports using UW Mailman or Marketo.

The business definition of the group memberships is individuals assigned to each Workday security role or group.

For example, someone with the "Academic_Partner" role will be a member of the related UW group.

See https://isc.uw.edu/admin-corner/security-roles/assignable-roles/

See https://isc.uw.edu/support-resources/how-to-get-workday-help/named-support-contacts/

Group display names will be populated with data from Workday. See table above.

Groups will be created only for approved uses related to Legacy HR/P Archive reports.

Groups will be deleted when data custodians request and plan for their deletion.

Direct membership of each group include the UW NetIDs of individuals assigned to the specific Workday security role or group.

No exceptions for additions or deletions to memberships. All updates to the memberships must be made in Workday.

None

TBD. A contact appropriate for Workday security support, e.g. "ischelp".

Group descriptions will contain the following information (substituting the specific display name for each group):

"Workday Security - Academic_Partner. This group is updated nightly with data sourced from Workday. It is available only for approved business purposes. Authorized users are responsible for enforcing the defined access control policy and may not share the group membership with unauthorized parties without first obtaining authorization to do so. Please contact TBD@uw.edu for questions about using this group."

Inactive; change to settings will require custodian approval.

Inactive; change to settings will require custodian approval.

Nancy Jagger, Rachel Gatlin, Margaret Stuart, Cindy Gregovich

Confidential. See UW Groups Data Classification Guideline.

The data custodians have classified these UW group memberships as Confidential. This classification forms the basis of the following access control policy and appropriate use guidelines. It is also the basis of the Membership Viewer Control (below) and Description (above).

Access Control Policy: Having considered privacy, security, and compliance concerns and acknowledging the business needs for Workday security group memberships, the data custodians have established an access control policy that grants permission to view Workday security group memberships only to authorized users and processes based on business need.

Appropriate Use Guidelines: Use of Workday security group memberships is subject to the following appropriate use guidelines. Permission to view Workday security group memberships is granted on the condition that authorized clients use the memberships only for approved business purposes in support of access to Legacy HR data. Authorized users are responsible for enforcing the defined access control policy (above) and may not share group memberships with unauthorized parties without first obtaining authorization to do so. Copying and sharing the membership data with unauthorized users violates the access control policy and is forbidden.

TBD. uw_isc_security-group-viewer. This group is used to enforce the defined access control policy (above).
TBD. In order to fulfill requests to view the memberships of the Workday groups, appropriate admins and/or member managers should be defined for uw_isc_security-group-viewer.

HRPWS

TBD. Ann Testroet Similar to uwhrlocationgroupmaker

Define a provisioning model for data integration and reconciliation that ensures the groups are created in accordance with their lifecycle policy and managed in accordance with their data quality standards.