Manifest - Data Driven Groups

Manifest has the ability to consume some pre-populated groups.

UDDS Groups

Manifest users can consume UDDS groups by entering a group location with the following naming convention:

uw:ref:hr_system:udds:[UDDS]

[UDDS] can be any valid UDDS number. Employment data can be complicated (especially when using a unit's UDDS), so it may be best to consult HR if you're unsure which UDDS you need. A UDDS search can also be found here: Madison UDDS.

  • For all employees, use A: uw:ref:hr_system:udds:A
  • For a division, add the two-digit identifier: uw:ref:hr_system:udds:A06
  • For a department, add the next two-digit identifier onto that: uw:ref:hr_system:udds:A0671
  • For a unit, add the additional two-digit identifier: uw:ref:hr_system:udds:A067140

An important thing to note is that when people leave a job, HR may not actually end their job in HRS right away. Because of this, they will still be an employee of the UDDS after they are gone and will remain part of the group membership.

Level of Assurance Groups

Level of Assurance groups allow application owners to limit access to users based on their level of identity proofing. See "Application of NIST 800-63 to UW-Madison" at https://www.cio.wisc.edu/security-initiatives-levels.aspx for the official source on level of access (please note that Level 0 is now part of Level 1). Manifest merely provides the groups for applications to consume; it does not define them.

The above link is the definitive source on Level of Assurance, but the following is general information:

  • Level 1: No identity proofing. Spec Pop identities (NetIDs created in Manifest) fall in this category.
  • Level 2: Identities have some proofing done. HR System and Student System identities fall in this category.
  • There are times when people from Level 2 would move to Level 1, such as when they have too many failed password attempts.

Manifest users can consume LoA groups by entering a group location with the following naming convention:

uw:ref:loa:[LOA]

[LOA] can be replaced with "loa_1" or "loa_2":

  • uw:ref:loa:loa_1
  • uw:ref:loa:loa_2
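
The two naming conventions above, as an added example (not Manifest's own code): it builds a group location from a UDDS code or LoA level, rejects malformed input before it reaches an access rule, and reports how broad a UDDS group is. The function names and the single-letter prefix rule are assumptions taken from the "A" examples on this page; the check covers shape only, not whether the UDDS exists in the HR system.

```python
import re

# Shape shown on this page: one letter, then up to three two-digit
# identifiers (division, department, unit). The single uppercase letter
# is an assumption based on the page's "A" examples.
_UDDS_RE = re.compile(r"[A-Z](?:[0-9]{2}){0,3}")
_UDDS_PREFIX = "uw:ref:hr_system:udds:"
_LOA_PREFIX = "uw:ref:loa:"
_SCOPES = ("all employees", "division", "department", "unit")


def udds_group(udds: str) -> str:
    """Return the group location for a UDDS code, rejecting malformed input."""
    if not _UDDS_RE.fullmatch(udds):
        raise ValueError(f"not a UDDS-shaped value: {udds!r}")
    return _UDDS_PREFIX + udds


def udds_scope(udds: str) -> str:
    """Name how broad the group is, so a wide grant is visible in review."""
    udds_group(udds)  # validates the shape
    return _SCOPES[(len(udds) - 1) // 2]


def udds_enclosing_groups(udds: str) -> list[str]:
    """Group locations from 'all employees' down to the given code."""
    udds_group(udds)  # validates the shape
    return [_UDDS_PREFIX + udds[:n] for n in range(1, len(udds) + 1, 2)]


def loa_group(level: int) -> str:
    """Return the LoA group location; only loa_1 and loa_2 are listed."""
    if level not in (1, 2):
        raise ValueError(f"unsupported level of assurance: {level!r}")
    return f"{_LOA_PREFIX}loa_{level}"


if __name__ == "__main__":
    for code in ("A", "A06", "A0671", "A067140"):
        print(f"{udds_group(code):32} scope: {udds_scope(code)}")
    print(udds_enclosing_groups("A067140"))
    print(loa_group(2))
```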



Keywords: UDDS groups membership data driven database prepopulated
Doc ID: 30150
Owner: Drew F.
Group: Middleware
Created: 2013-05-14 12:13 CDT
Updated: 2016-05-24 11:11 CDT
Sites: Access Management Services, DoIT Help Desk, Middleware