ATP (Workday) Integrations Governance Process and Approval Proposal

EDGC Decision Date: February 12, 2024

Decision: Workday Integrations

Decision

In close collaboration with ATP functional teams (Finance, HR, Research Administration), the ATP Integrations team is designing, building, and testing direct inbound and outbound integrations between Workday and key partner agencies, vendors, and ancillary systems. The request is for the EDGC to approve the proposed interim approach for determining what data may be included in Workday integrations while Workday is being implemented. This proposed approach is intended to allow ATP to continue with the timely development of required integrations for Workday go-live.

Background

In order to support a successful transition from PeopleSoft HCM (HRS) and FSCM (SFS) to Workday, a number of integrations to external partner agencies, vendors, and ancillary systems are necessary. The number of ancillary systems with which we directly integrate to/from Workday is intentionally being limited in order to ensure that we do not negatively affect tenant performance (Reference: Integrations and Web Service Limits on Workday Community). The ATP Integrations team has a current backlog of 160 integrations that have been determined necessary for a successful go-live. The requirements for these integrations, along with their prioritization, are driven by the ATP functional teams. In this relationship, ATP Integrations is a consultant, partner, and implementer.

The integrations currently being developed include connections between Workday and the following entities/systems:

  • AssetWorks
  • BenefitFocus
  • CashNet
  • Concur
  • GSA/Conus
  • Clearsight
  • dormakaba
  • Enterprise Analytics Platform (EAP)
  • Employee Trust Fund (ETF)
  • Equifax
  • Employee Compensation Compliance (ECC)
  • Fidelity
  • Glacier
  • HireRight
  • Internal Revenue Service (IRS)
  • LinkedIn Learning
  • Legislative Audit Bureau (LAB)
  • OCSE
  • Optum
  • Perceptive Content
  • Per Diem Calculator
  • Person Hub*
  • RAMP (Huron Research Suite)
  • Salesforce
  • Student Information Systems (SIS) for campuses*
  • ShopUW+ (Jaggaer)*
  • TIAA
  • Travel Inc / Fox World Travel
  • TMA
  • US Bank
  • UW Med Foundation
  • WI Dept. of Administration
  • WI Dept. of Revenue
  • WI Dept. of Workforce Development
  • Wisconsin Retirement System (WRS)
  • Workiva

Of the 160 integrations that are in-scope for go-live, 76 are for Finance, 69 are for HCM, and 15 are for Research Administration. As of Friday, February 9th, 98 of these integrations have been completed and moved to the end-to-end testing tenant (Wisconsin 8).

Interim Approach

Workday integration development has been proceeding for the past year, with requirements driven by the ATP functional teams. Integration development follows these steps:

  1. Current State Design Documentation – ATP Integrations in collaboration with SMEs
  2. Future State Design Documentation – ATP Integrations in collaboration with ATP Functional Team
  3. Design Review (Internal) – System Implementation Partner (Huron)
  4. Future State Design Signoff – ATP Functional Team
  5. Coding – ATP Integrations
  6. Unit Testing – ATP Integrations, sometimes in collaboration with ATP Functional Team
  7. Build Review (Internal) – System Implementation Partner (Huron)
  8. E2E Readiness – Functional Signoff – ATP Functional Team

The proposed interim approach is to continue with the current state where the ATP Functional Teams are responsible for determining the data necessary and appropriate to be included in the Workday integrations.

Person Hub

To support the transition from PeopleSoft to Workday for the current master identity management solution (Person Hub) that is leveraged by all campuses within the Universities of Wisconsin, a dedicated Person Hub Tiger Team was established in June 2023 consisting of representation from the Person Hub development team (UW–Madison DoIT AIS IAM), the ATP Cross-Functional team, and the ATP Integrations team. Together, and in consultation with ATP HR and ATP Finance when relevant, this Tiger Team has worked closely to identify requirements, create a design, and implement a solution. The steps outlined in the Interim Approach section above have also been followed for this body of work. Issue escalation and resolution has been handled through a leadership team consisting of:

  • Steven Hopper, Associate Vice President for Learning and Information Technology Services and Chief Information Officer, Universities of Wisconsin
  • Lois Brooks, Vice Provost for Information Technology and Chief Information Officer, UW–Madison
  • Kevin Donahoe, ATP Program Director
  • Allison Niles, ATP HR Strategy Lead
  • Susie Maloney, ATP Finance Strategy Lead
  • Adam Paulick, Executive Director, UW–Madison DoIT Enterprise Business Systems
  • Joe Tarter, Director, UW–Madison DoIT Application Infrastructure Services

ShopUW+ (Jaggaer)

To support the transition from PeopleSoft to Workday for the current eProcurement platform (Jaggaer, a.k.a. ShopUW+) that is leveraged by all campuses within the Universities of Wisconsin, and to align with the Workday-first model that was agreed upon as the path forward in October 2023, a Supply Chain Management working group was established in November 2023. This group includes representation from ATP Finance’s Supply Chain Management team, Accounts Payable, Procurement, ShopUW+ Administration, ATP Integrations, and Huron (in the Jaggaer, Workday SCM, and Integrations spaces). Together, this working group has worked closely to identify requirements and create a design, and is currently working through configuration and solution implementation. The steps outlined in the Interim Approach section are being followed for this body of work, with the exception that additional functional team unit testing is happening as integrations are developed in the Integration Development tenant (Wisconsin 11), before migrating those integrations to the End-to-End Testing tenant (Wisconsin 8). This is because the Jaggaer development instance can only be connected to a single Workday tenant at any one time, and it is only expected to be a consideration during implementation. Issue escalation and resolution has been handled through the standard path for ATP:

  1. ATP Leadership Team
  2. ATP Finance Governance (if needed)
  3. Executive Sponsors (if needed)

Student Information Systems (SIS) for Campuses

To support the transition from PeopleSoft to Workday for the current Student Information Systems (PeopleSoft Campus Solutions), a number of SIS work groups and a broad SIS Connections group were formed in the spring of 2023. The work groups include:

  • Employee Data to SIS
  • Student Data to Workday
  • UDDS Replacement for Academic
  • General Ledger
  • Student Refunds

A dedicated ATP SIS Architect joined the Administrative Transformation Program in May 2023 and has been leading the coordination of work in this space. All campuses have had the opportunity to identify key staff for participation in the SIS work groups, and the SIS Connections group meets on a bi-weekly basis to provide updates to a larger audience and solicit feedback and input from campus teams. The SIS Architect works closely with the SIS work groups, UW Shared Services, ATP functional teams, and ATP Integrations to identify requirements, create a design, and implement a solution. The steps outlined in the Interim Approach section above have also been followed for this body of work. Issue escalation and resolution has been handled through the following path:

  1. SIS work groups, Registrar’s Offices, and others as needed
  2. ATP Leadership Team
  3. ATP Functional Governance (if needed)
  4. Executive Sponsors (if needed)

Who Developed the Recommendation?

This recommendation was developed by:

  • Morgan Andersen, ATP Integrations Strategy Lead

Who Was Consulted in the Development of the Recommendation?

The following stakeholders were consulted about the proposal:

  • Susie Maloney, ATP Finance Strategy Lead
  • Kurt McMillen, ATP Research Administration Strategy Lead
  • Allison Niles, ATP HR Strategy Lead
  • Sowmya Shankar, ATP Integration Dev Team Lead
  • Amanda Smith, ATP SIS Architect

[1] This includes the UW–Madison Cross-DEM/SIS Workgroup

Data Approval Process for Enterprise APIs

EDGC Decision Date: July 31, 2023

Decision: Data Approval Process for Enterprise APIs

Decision

UW System is building out data integration and analytics capabilities in support of administrative transformation, most notably in the form of institutional APIs and data assets which are themselves supported by an enterprise data lake. To effectively manage access to these data assets, UW System needs to develop an approval process that maintains campus control over data but can also be responsive to needs for cross-institutional data access.

Background

Requests for data that span institutions, or that represent a System-wide dataset, should be routed to UW System Administration (UWSA) for review. UWSA will work with the EDGC to establish a register of pre-approved use cases for systemwide datasets, and UWSA will review requests against that register. If a request cannot be satisfied by a pre-approved use case, the EDGC will determine if it represents a new use case, should be amended, or should be approved as an isolated case.

In support of this process, the Enterprise Data Governance Council (EDGC) will document existing institutional data governance processes and develop supporting documents to support those decision-making processes.

A more detailed procedure is defined in Appendix 1.

Who Developed the Recommendation?

This recommendation was developed jointly by:

  • Tom Jordan, UW-Madison’s Ancillary Systems Program
  • Stacy Scholtka, UW System’s Enterprise Analytics Program

Who Was Consulted in the Development of the Recommendation?

The following stakeholders were consulted about the proposed POC:

  • Members of UW-Madison’s API development teams and UW System’s Enterprise Analytics program reviewed and contributed to the principles identified in Appendix 1
  • Additionally, ATP functional and integration teams consulted on issues related to data access and approval for integrations.

Appendix 1: Recommended Procedure for Data Approval for APIs and Data Lake Assets

Principles

  • Campuses retain the ability to make decisions about their own data, through their data stewards, even when that data resides in enterprise-wide information systems.
  • Access to data assets should be based on a legitimate university interest, and should involve consideration of risk, impact, and business need.
  • The EDGC will determine appropriate uses of enterprise-wide data sets or integration services, including institutional APIs that provide access to data for all campuses.
  • UWSA will manage the request and approval process, including evaluating requests against a set of pre-approved use cases. UWSA will not judge the merit of a request beyond its technical feasibility.
  • EDGC will consider new use cases for system-wide datasets and services as the need arises.

ATP Conversion POC – Data ingestion from Oracle HRS/SFS to AWS S3

EDGC Decision Date: July 16, 2023

Decision: ATP Conversion POC – Data ingestion from Oracle HRS/SFS to AWS S3

Decision

This ATP conversion request is for actual data from our current HRS and SFS systems (including PII such as full SSNs, bank accounts, etc.) to be moved from the source system to Amazon S3, then to Workday for the conversion. The data will be converted into Workday and will follow the security policies of the ATP Workday team. Once the data is in Workday, it will be secured using role-based security that is being designed by the ATP Functional teams. The data loaded to stage tables in AWS S3 is not going to persist past go-live; all security is then passed to the Workday teams.

Background

The success of ATP Conversion depends, in part, on quickly and safely ingesting data from Oracle Exadata sources (including HRS and SFS), transforming that data to meet business requirements for Workday, and ultimately loading the data to Workday via Excel files.

The ATP Conversion Team has identified roughly 220 source tables needed to create the Workday files and present to our implementation partner to load to Workday. Some of these data sources contain highly restricted data such as social security numbers and bank accounts. This data will ultimately reside in the Workday cloud environment.

The team has been using a combination of Exadata, SQL, IICS and Python to build out the tenants for the project to date. The team requested permission to use AWS and AWS tools to ingest the data from SFS and HRS to an S3 raw layer.

The Conversion Team will utilize the following serverless services within AWS: S3, Glue, Athena, KMS (for encryption), IAM (for permissions), and CloudWatch Logs (for logging). For ingestion, the team will use on-prem servers running Hadoop/Spark, which won’t need any firewalls to be opened.

The goal for this POC is to evaluate the efficiency of using AWS. As we approach the go-live date, it is critical to continue to shrink the timelines for pulling and transforming the data to limit disruption to daily operations.

The team has anticipated this transition for 6 months and has been developing current code in a manner that will require little rework to test the POC. The team has been working with the DoIT Cloud Team to stand up the environment for ingestion. The team has met with Cyber Security, completed the assessment, and is taking all necessary mitigation measures as it relates to this data.

This POC request is extremely limited to a small team of ATP Conversion developers and a key subset of HRS & SFS data. The team has tested the process of pulling public data to an S3 bucket in the AWS environment and the final step is to connect to Exadata to pull true data. The team has an expert AWS Engineer on the team who has been working to set up the environment and will manage the ingestion POC.

Who Developed the Recommendation?

  • Michelle Weber, ATP Conversion Strategy Lead
  • Brian Zehren, Associate Director, ERP App Support
  • Shiva Prakash, Conversion Cloud Engineer
  • Mike Vavrus, DoIT Cloud Engineer

Who Was Consulted in the Development of the Recommendation?

The following stakeholders were consulted about the proposed POC:

  • Pam Snyder, Cloud Security Risk Analyst
  • Steve Tanner, Cloud & Security Eng Associate Director
  • Steffanie Johnson, Info Security Analyst IV
  • Kristy Rogers, ATP IT Security Lead and HRS Security Lead
  • Al Kantor, Cloud Data Architect

Data classification of enterprise data according to risk

EDGC Decision Date: April 24, 2023

Decision: Data classification of enterprise data according to risk

Background

The success of ATP/EAP/ASP projects depends, in part, on classifying enterprise data elements across enterprise systems in a standard way.

UW System Administrative Policy 1031 calls for data to be categorized as high, moderate, or low risk. It provides standards for classification and minimum protections for each level of risk. Data classification “determines the extent to which technical, administrative, and physical controls should be applied to protect the data from theft, alteration, loss of integrity, and/or misuse.” SYS 1031 is currently under revision.

UW-Madison employs a classification system with four categories: public, internal, sensitive, and restricted (per UW Madison IT policy UW-504) spanning the spectrum of low to high risk. Many developers working with enterprise data across the ATP/EAP/ASP portfolio are from UW-Madison and are accustomed to UW-Madison’s classification system. Data in UW-Madison’s ancillary systems use UW-Madison’s classification system.

Lack of agreement on a single risk classification may result in developers applying different classifications in Workday vs. the data lake vs. ancillary systems. This reduces the opportunity to apply a common set of security roles across enterprise systems, and where possible, ancillary systems. And it could lead to inconsistent access and security of enterprise data.

Decision

ATP/EAP/ASP apply the draft data classification schema (below) that brings together existing Madison and UW System policy in anticipation of the pending revision, noting that this MAY change by the time the policy revision is fully vetted.

Draft Data Classification Schema

Public (Low Risk)

Data is classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Public data requires no confidentiality, integrity, or security protections.

Examples: Data approved for display on websites and/or made available to the public.

Sensitive (Moderate Risk)

Data is classified as Sensitive when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the university or its affiliates. A reasonable level of security safeguards must be applied to sensitive data.

Examples: By default, all institutional data that is not explicitly classified as Public or Restricted must be treated as Sensitive data.

Restricted (High Risk)

Data is classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a high level of risk to the university or its affiliates. Strong security controls must be applied to restricted data and access will frequently be limited to a small number of individuals.

Examples: Information protected by state or federal privacy regulations (e.g., FERPA, HIPAA), or by standard confidentiality agreements.

Sub-category: Highly Restricted
Examples include data that may pose a threat to health and safety (e.g., biotoxins), Controlled Unclassified Information (CUI), export-controlled research information (e.g., ITAR and EAR), or research data associated with some Department of Defense contracts.

Who Developed the Recommendation?

  • Joe Johnson, UWSA Director of Governance, Risk, and Compliance
  • Lisa Johnston, UW-Madison Director of Data Governance

Who Was Consulted in the Development of the Recommendation?

The following stakeholders were consulted about the proposed data classifications, in the context of the forthcoming revision of SYS 1031. These stakeholders have supported the general direction being proposed and have not raised any initial concerns. However, the proposed data classification may change during the SYS 1031 revision over the coming months.

  • Ed Murphy (UW System, AVP Information Security)
  • Jim Treu (UW System, Director of Security Awareness and Outreach)
  • Mike Bubolz (UW Green Bay, Interim CIO)
  • Patti Havlicek (UW-Madison, RMC Asst. Director)
  • Other various Technology and Information Security Council (TISC) representatives
  • UW Madison Data Stewards
  • UW Madison IT Policy Advisory Team (subcommittee of Information Technology Council)