ANALYSIS
Customers

Alin Hunter, Snezana Popovic, UW-IT – The customers of the groups described in this design template represent the owners of Legacy HR/P Archive reports.

Application Use

BI Portal – The groups will be used for controlling access to the Legacy HR/P Archive reports available in the BI Portal (https://biportal.uw.edu).

Membership (Business Definition)

The business definition of the group memberships is individuals assigned to each Workday security role or group.

For example, someone with the "Academic_Partner" role will be a member of the related UW group.

See https://isc.uw.edu/admin-corner/security-roles/assignable-roles/

See https://isc.uw.edu/support-resources/how-to-get-workday-help/named-support-contacts/

Business Process

Workday security role or group management

System of Record

Workday

Subject Area

Master Data

Business Domain

Master Data – Services & Resources – HR/P – Access permissions and restrictions

DESIGN
Type

Group/Role

Home Group

uw_isc_wdsg

Group IDs

The following table describes mappings from Workday security groups and roles to UW group attributes.

Each UW Group ID will be of the format "uw_isc_wdsg_<identifier>" where the <identifier> is replaced with the reference ID of the Workday security role or group. In order to conform to the UW group syntax, the reference ID will be lowercased and underscores converted to hyphens.

Each UW Group Display Name will be of the format "WDSG - <name>" where the <name> is replaced with the Workday security role or group name, without any changes to the data.


| # | Workday Security Role/Group Reference ID | Workday Security Role/Group Name | UW Group Display Name | UW Group ID |
| --- | --- | --- | --- | --- |
| 1 | Absence_Office_Partner | Absence Office Partner | WDSG - Absence_Office_Partner | uw_isc_wdsg_absence-office-partner |
| 2 | Academic_Partner | Academic Partner | WDSG - Academic_Partner | uw_isc_wdsg_academic-partner |
| 3 | Academic_Personnel_Office_Partner | Academic Personnel Office Partner | WDSG - Academic_Personnel_Office_Partner | uw_isc_wdsg_academic-personnel-office-partner |
| 4 | CBU_Benefits_Office_Partner | CBU - Benefits Office Partner | WDSG - CBU_Benefits_Office_Partner | uw_isc_wdsg_cbu-benefits-office-partner |
| 5 | Costing_Allocations_Coordinator | Costing Allocations Coordinator | WDSG - Costing_Allocations_Coordinator | uw_isc_wdsg_costing-allocations-coordinator |
| 6 | Compensation_Office_Partner | Compensation_Office_Partner | WDSG - Compensation_Office_Partner | uw_isc_wdsg_compensation-office-partner |
| 7 | HCM_Initiate_2 | HCM Initiate 2 | WDSG - HCM_Initiate_2 | uw_isc_wdsg_hcm-initiate-2 |
| 8 | HR_Auditor | HR Auditor | WDSG - HR_Auditor | uw_isc_wdsg_hr-auditor |
| 9 | HR_Office_Partner | HR Office Partner | WDSG - HR_Office_Partner | uw_isc_wdsg_hr-office-partner |
| 10 | HR_Partner | HR Partner | WDSG - HR_Partner | uw_isc_wdsg_hr-partner |
| 11 | ISC_Absence_Office_Partner | ISC - Absence Office Partner | WDSG - ISC_Absence_Office_Partner | uw_isc_wdsg_isc-absence-office-partner |
| 12 | ISC_Compensation_Office_Partner | ISC - Compensation Office Partner | WDSG - ISC_Compensation_Office_Partner | uw_isc_wdsg_isc-compensation-office-partner |
| 13 | ISC_Payroll_Office_Partner | ISC - Payroll Office Partner | WDSG - ISC_Payroll_Office_Partner | uw_isc_wdsg_isc-payroll-office-partner |
| 14 | ISC_Retiree_Office_Partner | ISC - Retiree Office Partner | WDSG - ISC_Retiree_Office_Partner | uw_isc_wdsg_isc-retiree-office-partner |
| 15 | Labor_Relations_Union_Office_Partner | Labor Relations / Union Office Partner | WDSG - Labor_Relations_Union_Office_Partner | uw_isc_wdsg_labor-relations-union-office-partner |
| 16 | Payroll_Administrator | Payroll Administrator | WDSG - Payroll_Administrator | uw_isc_wdsg_payroll-administrator |
| 17 | Payroll_Auditor | Payroll Auditor | WDSG - Payroll_Auditor | uw_isc_wdsg_payroll-auditor |
| 18 | Recruiting_Office_Partner | Recruiting Office Partner | WDSG - Recruiting_Office_Partner | uw_isc_wdsg_recruiting-office-partner |
| 19 | VO_Medical_Centers_Payroll_Partner | VO-Medical Centers Payroll Partner (RBC) | WDSG - VO_Medical_Centers_Payroll_Partner | uw_isc_wdsg_vo-medical-centers-payroll-partner |
| 20 | VO_Medical_Centers_Absence_for_Leave_Specialist | VO-Medical Centers Absence for Leave Specialist | WDSG - VO_Medical_Centers_Absence_for_Leave_Specialist | uw_isc_wdsg_vo-medical-centers-absence-for-leave-specialist |
| 21 | VO_STAFF_COMP_COST | VO-STAFF-COMP-COST | WDSG - VO_STAFF_COMP_COST | uw_isc_wdsg_vo-staff-comp-cost |
| 22 | VO_Academic_Personnel_Office_Partner | VO-Academic Personnel Office Partner | WDSG - VO_Academic_Personnel_Office_Partner | uw_isc_wdsg_vo-academic-personnel-office-partner |
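
The Group ID rule above is lossy: lowercasing and converting underscores to hyphens can map two distinct Workday reference IDs to the same UW group, which would merge their memberships under one access-control group. The following is an added example, not code from this design or from the groups service; it applies the stated rule and refuses such collisions. The allowed-character pattern and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

STEM = "uw_isc_wdsg"  # Home Group from this design

# Assumption for this example: after normalization an identifier holds only
# lowercase letters, digits and single hyphens, so it cannot introduce a new
# underscore-separated stem level.
IDENT_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")

# A few reference IDs copied from the table above.
PAGE_REFERENCE_IDS = [
    "Academic_Partner",
    "HCM_Initiate_2",
    "HR_Partner",
    "VO_STAFF_COMP_COST",
]


def uw_group_id(reference_id: str) -> str:
    """Apply the page's rule: lowercase, underscores to hyphens, add the stem."""
    ident = reference_id.lower().replace("_", "-")
    if not IDENT_RE.fullmatch(ident):
        raise ValueError(f"reference ID {reference_id!r} does not normalize cleanly")
    return f"{STEM}_{ident}"


def build_mapping(reference_ids):
    """Return {group_id: reference_id}, refusing lossy collisions."""
    by_group = defaultdict(set)
    for ref in reference_ids:
        by_group[uw_group_id(ref)].add(ref)
    collisions = {g: sorted(refs) for g, refs in by_group.items() if len(refs) > 1}
    if collisions:
        # Two roles sharing one group would silently widen report access.
        raise ValueError(f"distinct reference IDs map to one group: {collisions}")
    return {g: next(iter(refs)) for g, refs in by_group.items()}


if __name__ == "__main__":
    for group_id, ref in build_mapping(PAGE_REFERENCE_IDS).items():
        print(f"{ref} -> {group_id}")
```
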


Display Name

Group display names will be populated with data from Workday. See table above.

Lifecycle Policy (Creation)

Groups will be created only for approved uses related to Legacy HR/P Archive reports.

Lifecycle Policy (Deletion)

Groups will be deleted when data custodians request and plan for their deletion.

Membership (Direct)

Direct membership of each group includes the UW NetIDs of individuals assigned to the specific Workday security role or group.

Membership (Exceptions)

No exceptions for additions or deletions to memberships. All updates to the memberships must be made in Workday.

Membership (Grace Period)

None

Membership (Opt-in)

N/A

Membership (Opt-out)

N/A

Contact Person

ischelp

Description

Group descriptions will contain the following information (substituting the specific display name for each group):

"WDSG - Academic_Partner. This group is updated nightly with data sourced from Workday. It is available only for approved business purposes. Authorized users are responsible for enforcing the defined access control policy and may not share the group membership with unauthorized parties without first obtaining authorization to do so. Please contact ischelp@uw.edu for questions about using this group."

More Information

FYI: For access to HR Legacy reports that needs an additional Workday Security role/group and a resulting new UW Group, here are the steps in a simplified list:
1. Submit an email to astra@uw.edu (which will create a UW Connect record for tracking & accountability) requesting that the additional Workday Security role/group be added and the resulting UW Groups be created for access to HR Legacy Reports; specify which Workday role(s)/group(s).
   a. Note: Workday Security roles should all be available in HRPWS. Workday Security groups could possibly be new; if so, additional work may be needed by the HRPWS team (Paul Prestin) and the ASTRA engineer to update/add the new Workday role or group.
2. The authorizations as Authorizer, ProcessAuthorizer, Delegator & ProcessDelegator, which are assigned to Cindy Gregovich in the ASTRA Production and Eval environments, are updated to include the new Workday Security Role limit(s). Authorizations are marked as ‘owned’ by Paul Prestin, application owner of HRPWS. The ASTRA team (Heidi B) makes the update to Cindy’s authorizations.
3. Cindy is then able to authorize the UWCA certificate (app-orggroupmaker.cac.washington.edu) used by the ‘groupmakerprocess’ to create & manage the membership based on individuals who have the specified Workday Security role/group and add them as members of the associated UW Group (in the uw_isc_wdsg_* group stem). Snezana or Alin would communicate to Cindy, requesting she create the authorization(s) for the Process certificate.
   a. Note: the ‘groupmakerprocess’ uses a template which sets the Membership viewer (uw_isc_wdsg_viewers), and only the authorized UWCA certificate can manage the UW Group. The uw_isc_wdsg_viewers group (5 members currently: armurray, blancato, huntera, jhoven, spopovic) can be managed/updated by the uw_isc_wdsg_admins group (6 members currently: armurray, blancato, huntera, jaggern, jhoven, swinneyd).
4. Update the wiki tracking page to reflect the new role(s)/group(s): https://wiki.cac.washington.edu/display/infra/UW+groups+for+access+to+Legacy+HR+reports (ASTRA team, Snezana or Alin can/should make the update to the wiki page.)
5. The UW Connect REQ will be updated & marked resolved when prior steps have been completed & UW Groups have members.
6. Snezana/Alin confirm membership is as expected & communicate as appropriate.

Application Settings (Exchange)

Inactive; change to settings will require custodian approval.

Application Settings (Google)

Inactive; change to settings will require custodian approval.

ACCESS CONTROL
Data Custodian

Nancy Jagger, Rachel Gatlin, Margaret Stuart, Cindy Gregovich

Classification

Confidential. See UW Groups Data Classification Guideline.

Access Control Policy

The data custodians have classified these UW group memberships as Confidential. This classification forms the basis of the following access control policy and appropriate use guidelines. It is also the basis of the Membership Viewer Control (below) and Description (above).

Access Control Policy: Having considered privacy, security, and compliance concerns and acknowledging the business needs for Workday security group memberships, the data custodians have established an access control policy that grants permission to view Workday security group memberships only to authorized users and processes based on business need.

Appropriate Use Guidelines: Use of Workday security group memberships is subject to the following appropriate use guidelines. Permission to view Workday security group memberships is granted on the condition that authorized clients use the memberships only for approved business purposes in support of access to Legacy HR data. Authorized users are responsible for enforcing the defined access control policy (above) and may not share group memberships with unauthorized parties without first obtaining authorization to do so. Copying and sharing the membership data with unauthorized users violates the access control policy and is forbidden.

Membership Viewer Control

uw_isc_wdsg_viewers. This group is used to enforce the defined access control policy (above).
In order to fulfill requests to view the memberships of the Workday groups, appropriate admins and/or member managers should be defined for uw_isc_wdsg_viewers.

Sender Control

N/A

IMPLEMENTATION
Data Source

HRPWS

Membership (Technical)

Membership is pulled from the HRP Web Service (HRPWS), and is based on the Security Role or Group.  The resource that returns membership of a Security Role from HRPWS is: ~/hrp/v2/security/SECURITY_ROLE/worker.json

Provisioning

Workday security groups are provisioned from HRPWS using a nightly process monitored to ensure reliability and availability of the groups.  When abnormalities such as potentially corrupt or incomplete data feeds are detected during the provisioning process, updates are not applied until the abnormalities are reviewed. The reliability of Workday security groups, once provisioned, is that of the groups service itself: 24 hours a day, 7 days a week, with rare exceptions.

De-Provisioning

Groups will be deleted when data custodians request and plan for their deletion.

Monitoring

The integrity of source data is ensured during secure transport between HRPWS and the groups service. Physical, system, and administrative controls are used on the groups service to maintain integrity.  When abnormalities such as potentially corrupt or incomplete data feeds are detected during the provisioning process, updates are not applied until the abnormalities are reviewed.  All errors or abnormalities in the daily provisioning process are reported in UW Connect, and are promptly reviewed and corrected.

Data Quality Standards

Data Validation Rules: Validation rules are applied only to ensure that HRPWS data conforms to the constraints of the groups data model. Therefore, the accuracy of Workday Security groups, including memberships, is primarily determined by the quality and validity of the source HR/Payroll data provisioned from the HRPWS.

Integrity Monitoring: The integrity of source data is ensured during secure transport between HRPWS and the groups service. Physical, system, and administrative controls are used on the groups service to maintain integrity.

Reliability: Workday Security groups are provisioned from HRPWS using a nightly process monitored to ensure reliability and availability of the groups. When abnormalities such as potentially corrupt or incomplete data feeds are detected during the provisioning process, updates are not applied until the abnormalities are reviewed. The reliability of Workday Security groups, once provisioned, is that of the groups service itself: 24 hours a day, 7 days a week, with rare exceptions.

Defined Error Rates: Overall, the groups service relies on the HRPWS, as its data source, to define the frequency of errors in Workday Security Role data. However, some discrepancies are expected between HRPWS and Workday Security groups if, for example, loading of the HRPWS is delayed.

Timeliness of Updates: Under normal operating conditions, once data is updated in the HRPWS, updates will propagate to the groups service nightly.
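
The hold-on-abnormality behaviour described under Provisioning, Monitoring and Reliability above can be sketched as a fail-closed check that runs before any membership change is written. This is an added example, not the groups service's own code; the NetID pattern, the 20% removal threshold, the sample NetIDs and all names are assumptions made for the example, since the page does not define what counts as an abnormality.

```python
import re
from dataclasses import dataclass, field

# Assumptions for this example (not stated on the page).
NETID_RE = re.compile(r"[a-z][a-z0-9]{0,7}")
MAX_REMOVAL_FRACTION = 0.20


@dataclass
class SyncPlan:
    apply: bool                                   # False means hold for review
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)
    reasons: list = field(default_factory=list)   # why the update is held


def plan_sync(current: set, feed: list) -> SyncPlan:
    """Compare tonight's feed for one role with the group's current members.

    Nothing is written here: the caller applies add/remove only when
    plan.apply is True and otherwise reports plan.reasons for review.
    """
    reasons = []
    bad = [m for m in feed if not isinstance(m, str) or not NETID_RE.fullmatch(m)]
    if bad:
        reasons.append(f"malformed member ids in feed: {bad[:5]}")
    members = {m for m in feed if isinstance(m, str) and NETID_RE.fullmatch(m)}

    if not feed and current:
        reasons.append("feed is empty but the group has members")

    removes = current - members
    if current and len(removes) / len(current) > MAX_REMOVAL_FRACTION:
        reasons.append(
            f"feed would remove {len(removes)} of {len(current)} members"
        )

    if reasons:
        return SyncPlan(apply=False, reasons=reasons)
    return SyncPlan(apply=True, add=members - current, remove=removes)


# Constructed sample data: current membership and a truncated nightly feed.
CURRENT = {"alice1", "bobk", "carolz", "dmitri", "evelynq"}
TRUNCATED_FEED = ["alice1", "bobk"]

if __name__ == "__main__":
    print(plan_sync(CURRENT, TRUNCATED_FEED))
```
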

Internal Documentation
Customer Documentation

TBD. @huntera, @spopovic, @pprestin

Define customer documentation.

Communication Plan

Alin and Snezana will coordinate communications as part of the "Legacy HRP System Shutdown and Data Archiving - Implementation" project (PRJ0234400).

OPERATIONS
Request Fulfillment

TBD. All requests that cannot be handled self-service through the Customer Documentation will be directed to the email address defined by the Contact Person (above). Examples of requests include standard requests for information and access to memberships.

Change Management

TBD. The data custodians and/or ISC and/or Arlene will be responsible for changes to Workday security group reference IDs. Changing an existing reference ID impacts customers of the corresponding UW group, and appropriate change management can reduce the impact to business operations.

Incident Management

Incidents with the group memberships, with a root cause attributed to UW-IT's systems and processes, will be handled via the UW-IT Incident Management practice.