1601 PR.07 Identity Data Access Requests

Revision Date: 
June 21, 2017

Contents

1.       Overview

2.       Understanding Data Access Request Terminology

3.       Attribute Release Request Requirements

4.       Reporting Changes

The Identity Data Attribute Release Procedure governs how Yale employees request Yale Identity Data, on a one-time or ongoing basis, from the People Hub/Identity Data Repository for use in a University application or third-party application supporting Yale’s mission.

People Data Information

The People Hub is a repository of data about people delivered with the Workday Financials Release 4 functionality for Go-Live in July, 2017.

Yale People/Identity Data

  • Makes available identity and affiliation information of enterprise interest to a wide variety of systems and platforms,
  • Allows departments to authenticate NetID holders when logging into departmental systems,
    and
  • Permits departments to authorize access to systems or applications based on user attributes stored within People Hub/Identity Data Repository (e.g. department, affiliation, job category).
  • Please note, your Identity Data attribute request will be agnostic as to data source (People Hub or IDR). The IAM Tech team will determine the optimal data source based on information you provide in the request form. 

The Yale People Hub and Identity Data Repository (Identity Data Repository) are secured, private, and managed directory services that contain identity information about students, faculty, staff, and university affiliates.  It contains comprehensive and confidential information and is not equivalent to the public “white pages” directory which is sourced from the Identity Data Repository.  The People Hub and Identity Data Repository is a repository of information consolidated for the internal use of University departments and systems.  Authorization to access confidential or restricted information contained in these data repositories is governed by the following Identity Attribute Access Control Process and the owners of the systems from which that information is derived.

Please note that the People Hub/Identity Data Repository are not the systems of record for any student or employee Identity information but do reflect that information in a timely manner.

The Identity Data Repository is the system of record for Yale Identity Correlation Data and provides a view of its authoritative source systems’ data and from time to time as it aggregates and correlates Identity data.  The Identity Data Repository may not exactly reflect the current, official status of a student or employee, but rather refreshes once a day.  The Identity Data Repository is a read-only repository, and no updates outside its own aggregation processes are permitted. 

The Identity Data Repository drives the University’s identity authentication and provisioning processes.

  • Yale Identity Data: One or more Yale Identity Attributes, e.g., Name, affiliation, or job title.
  • Attribute Release Request: A request identifying the need to programmatically access People Hub/Yale Identity Data. 
  • Source System: An authoritative source of the People Hub/Yale Identity Data.
  • Data Owner (of People Hub/Yale Identity Data): An individual who has been officially designated as accountable for specific identity data that is transmitted, used, and stored on a system within a department, college, school, or administrative unit of the University.
  • Requestor: An individual requesting access to Yale Identity Data on behalf of an organizational unit, department or project.
  • Yale Identity Correlation Data: Process by which Yale identifiers, e.g. NetID, UPI, PIDM, are recognized as being related and represent one identity.
  • Aggregation Process: The process of collecting identity data from different source systems and presenting it as a unified data source.

A.  Information Security Office Approval is Required

All Attribute Release Requests require the approval of the Chief Information Security Officer or that individual’s designee before any data transfer may occur.

B.  Data Owner Approval is Required

All Attribute Release Requests require the approval of the Data Owner of the Source System or that individual’s designee before any data transfer may occur.

The Data Owner should review the following University policies before approving an Attribute Release request:

  • Policy 1611 Program for the Security of Customer Financial and Related Data
  • Policy 1610 Systems and Network Security
  • Policy 1607 Information Technology Appropriate Use Policy (ITAUP), and
  • Policy 1601 Information Access and Security.

C.  Data Owner Rights and Responsibilities

Access to Yale Data found on a Source System is entirely at the discretion of the Data Owner of the Source System. The Data Owner shall be held accountable for Attribute Release Requests the Data Owner approves.

The Data Owner shall promptly contact Identity and Access Management (IAM) in the Information Security Office (ISO) by contacting the ITS Help Desk when one of the following events occurs:

  • Access to a previously approved Attribute Release Request needs to be terminated,
  • A Source System is to be decommissioned within 90 days.
  • A Source System is to be replaced within 90 days.
  • A Data Owner for a Source System has changed.

D.  Requestor Responsibilities

The Requestor shall provide truthful and accurate information in making an Attribute Release Request.

The Requestor shall promptly notify Identity and Access Management in the following circumstances:

  • When the Application/Contact pair changes (when the contact changes or an application is replaced).
  • When access to the Yale Data on a Source System is no longer required (when data needs change or a system is decommissioned).

Using the contact information, be sure to report changes to a Data Source, and report changes to a System or Application Receiving Data from the Enterprise Directory.