DECISION: Data Approval Process for Redshift Data
EDGC Original Decision Date: May 2, 2024
Updated Decision Date: August 12, 2024
Decision
The Universities of Wisconsin is building data views in Redshift in support of administrative transformation to replace current HR and Finance data warehouses, modernize the CDR data capabilities, and support other general analytics capabilities. To effectively manage access to these data assets, the Universities of Wisconsin needs to develop an approval process that maintains campus control over data but can also be responsive to needs for cross-institutional and enterprise-wide data access.
Background
In the current state, much of our enterprise data is only available in an “all or nothing” level of access to a view. In the future, data domains, data classification and row level security will allow more granular access to datasets available within a schema, allowing for more granular data access decisions. As established in the API approval process recommendation that was approved by the EDGC, requests for data at a University will be routed to the University data governance contact to follow the University process for approval; requests for data that span Universities, or that represent an enterprise-wide dataset, should be routed to UW System for review. Requests for CDR data access at a university will route to the UWS CDR Data Steward following campus approval. The CDR is a custom-built set of objects containing many derived data elements requiring specific knowledge to use effectively. The UWS CDR Data Steward’s review and approval mitigates this additional layer of risk and is similar to how a University’s approval process may include additional approvers beyond the University data governance contact. UWS will work with the EDGC to establish a register of pre-approved use cases for enterprise-wide datasets, and UWS will review requests against that register. If a request cannot be satisfied by a pre-approved use case, the EDGC will determine if it represents a new use case, should be amended, or should be approved as an isolated case. One example of a recently approved use case is that people with access to data in Workday will automatically be granted access to the same data in Tableau for analytic and reporting purposes.
The Redshift data access does not follow the same pattern as the Tableau dataset access. Redshift data can be used for integration to existing data warehouses and data stores, and it can be used by individuals who query, combine, transform and add data to create new datasets. Because the uses vary and the individuals may or may not have access to the data in Workday, an ad hoc access process is needed to request and review the requests to grant access to Redshift data. Conversely, because many people who use Workday will not use the Redshift data, there is no requirement to automatically grant Redshift data access based on Workday roles.
In support of this process, the Enterprise Data Governance Council (EDGC) will maintain a documented list of university data governance contacts and develop documents to support decision-making processes related to this recommendation.
Recommendation
Develop a request and approval process in Ivanti like the process designed for Integration Hub API access to data. There are 2 types of access requests that are known right now: (1) individual access requests to allow queries and use of the datasets available in Redshift, and (2) service account access to extract data that could be used by data warehouses/data stores or joined to other data warehouse data. Additional use cases may be developed in the future.
In both cases above, the request is initiated by the requester with relevant information about the use of the data. Information needed in the request will include the use of the data, the data domain (HR, FIN, Canvas, CDR, etc.) and whether high-risk data views are requested. High risk data is defined in the updated data classification policy that will be used for all Universities effective December 1, 2024 (https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification/). The request is routed to the University data steward contact for review using the University’s data governance processes. Once the University’s process approves or rejects the request, the University data governance contact updates the request in Ivanti and access will be granted for approved requests. Requests for CDR data access at a University will route to the UWS CDR Data Steward following campus approval. The CDR is a custom-built set of objects containing many derived data elements requiring specific knowledge to use effectively. The UWS CDR Data Steward’s review and approval mitigates this additional layer of risk and is similar to how a University’s approval process may include additional approvers beyond the University data governance contact.
Any request for service account access will be reviewed every 6 months to ensure access is appropriate, secure and follows data privacy rules. Individual access will be terminated when employment is terminated and reviewed every 6 months with an attestation process to confirm the individual is still in a position that requires the access granted.
Who Developed the Recommendation?
This recommendation was developed by:
- Stacy Scholtka, Enterprise Analytics Platform
- Dale Johnson, Enterprise Analytics Platform
- HelioCampus, Enterprise Analytics Platform Redshift vendor
- Sue Buth, CDR Data Custodian
Who Was Consulted in the Development of the Recommendation?
The following stakeholders were consulted about the proposed POC:
- Members of the Student Lifecycle product deployments
- ATP project team members
- Tom Jordan, Enterprise Architect Madison
- Diann Sypula, Data Steward for current enterprise warehouses
- Stacey Rolston, Data Privacy Officer UW-Shared Services
- CDR Liaisons, UW Campuses