Badge swipes, Workday, and Wi?Fi logs conflicted; identity crosswalk and rules yielded a consistent attendance view

Overview

A telecom company’s return?to?office analysis conflicted across badge data, HRIS rosters, and Wi?Fi presence logs. Leaders debated which source to trust, site plans stalled, and HRBPs fielded questions they couldn’t settle. Intelligex built a reliability layer that reconciled identities across the badge system, Workday, and Wi?Fi/network logs with clear rules for contractors, visitors, and shared spaces. A governed crosswalk aligned people to signals, privacy gates protected sensitive data, and dashboards showed a consistent attendance picture. Decision makers stopped arguing about data and focused on staffing models, space usage, and team schedules—while Workday, physical access control, visitor management, and network tools remained unchanged.

Client Profile

• Industry: Telecommunications (network operations, corporate, and field services)
• Company size (range): Multi?campus and regional offices with hybrid policies and badge?controlled sites
• Stage: Workday as HRIS; badge system and visitor management at each site; Wi?Fi and 802.1X authentication for employee devices; reports produced ad hoc from each source
• Department owner: Human Resources & People Ops (People Analytics and HRIS)
• Other stakeholders: Corporate Real Estate/Workplace, Security/Physical Access, IT/Network, Legal/Privacy, Finance, HR Business Partners, Internal Audit

The Challenge

Three “truths” emerged for the same question. Badge swipes suggested one pattern, HRIS rosters showed another based on assigned locations, and Wi?Fi logs indicated different daily presence. Contractors and visitors blended into badge counts, shared badges at some doors obscured individual patterns, and device logs included personal phones and tablets. Weekly decks became reconciliation exercises rather than decision points for space planning and hybrid scheduling.

Ownership and definitions diverged. Security owned badge data scoped to site boundaries, IT owned network telemetry and authentication logs, and HR owned rosters and policy. Each team used its own identifiers and filters. Contractors and vendors appeared in counts for some reports and not others. Travel days, training events, and visitors distorted totals when not clearly labeled. Leaders questioned whether to rely on badge entries, Wi?Fi associations, or manager reports, and site plans paused until teams could “agree on the number.”

Privacy concerns slowed analysis. Network logs carried device identifiers, badge data included raw card IDs and door locations, and visitor systems held contact details. To answer simple questions, analysts passed spreadsheets with sensitive fields, then redacted later. Legal and Privacy flagged exposure risk and asked for role?based views and clear definitions before expanding distribution.

Why It Was Happening

Identities were not reconciled. Badge systems identified cards, Wi?Fi logs identified devices, and HRIS identified people; there was no governed crosswalk that linked these identifiers with effective dates and roles. Contractors, guests, and shared credentials were treated inconsistently across sites, so counts varied depending on which source and filter an analyst chose.

Signals were used outside a policy framework. Definitions of “on?site,” “partial day,” “contractor,” and “guest” lived in emails and slide notes. There was no rule set that excluded short dwell times, filtered non?corporate devices, or normalized multi?entry badge patterns. Without those checks, each report embedded subjective choices that others could not reproduce.

The Solution

Intelligex delivered a reliability layer that unified signals from Workday, the badge system, and network authentication/Wi?Fi logs into a policy?aligned model. A governed identity crosswalk linked person, badge card, device, and contractor IDs with effective dates. Rules separated employees, contractors, and visitors; filtered non?corporate devices; and normalized edge cases like shared badges and multi?entry doors. Privacy controls masked sensitive fields, and dashboards exposed consistent attendance patterns by site, org, and day. The design used Workday integration patterns (Workday Integration Cloud), role?based access controls informed by NIST RBAC, and privacy principles aligned to the NIST Privacy Framework. Row?level access in the analytics platform enforced regional scope and need?to?know boundaries (BigQuery Row?Level Security).

• Integrations: Workday for people, manager, location, employment type, and contractor records; Physical Access Control System for badge events and card mappings; visitor management for guest logs; network authentication/Wi?Fi for device presence; identity directory and MDM for managed device lists; collaboration tools for alerts and shares.
• Identity crosswalk: Canonical table linking Worker ID, badge card IDs, device identifiers (hashed), contractor/vendor IDs, and effective dates; site?specific overrides for shared doors and legacy card ranges.
• Normalization rules: Presence inference that counted a person as on?site when a policy?defined combination of signals occurred (for example, badge + managed device association within a window); dwell thresholds to exclude transient entries; filters to exclude guest badges and unmanaged devices; contractor and visitor cohorts separated from employee counts.
• Data protections: Hashing of device identifiers; masking of raw card IDs and precise door locations in end?user views; suppression for very small teams; access tiers for HR, Security, Workplace, and leaders.
• Dashboards and outputs: Consistent attendance patterns by site, org, and day; trend views by org and policy cohort (employee, contractor, visitor); anomaly flags for sites with unusual discrepancies between sources; exports that retained masking and suppression rules.
• Governance and lineage: Versioned rules and crosswalk updates with owners; change logs and release notes; lineage documentation from source to dashboard using analytics engineering practices (dbt).
• Exception handling: Review queues for ambiguous matches, shared badge hotspots, and unmanaged device spikes; reason codes and approvals; feedback loop to refine rules by site.

Implementation

• Discovery: Mapped badge, Wi?Fi, and HRIS data structures; inventoried visitor and contractor systems; documented site differences (shared doors, legacy badge ranges); sampled conflicting reports; gathered Legal/Privacy expectations for masking, suppression, and distribution.
• Design: Authored identity crosswalk schema and ownership; defined presence rules and dwell thresholds; specified contractor and visitor handling; designed masking, hashing, and access tiers; planned dashboards and anomaly flags; established change control and release notes.
• Build: Landed Workday, badge, visitor, and network feeds into the analytics platform; implemented crosswalk generation and reconciliation; coded presence inference and filtering rules; enabled row? and column?level security; built dashboards and export routines; instrumented logging and lineage.
• Testing/QA: Ran in shadow mode against prior weeks; compared inferred presence to site headcounts and spot checks; validated masking and suppression; exercised ambiguous cases (shared badges, unmanaged devices, visitors at training events); tuned thresholds with HR, Security, Workplace, and IT.
• Rollout: Published read?only dashboards to HR, Security, and Workplace; expanded to leaders after validation; kept legacy site reports as a fallback initially; tightened rules and access as adoption stabilized; issued release notes for rule changes.
• Training/hand?off: Delivered guides on definitions, filters, and privacy controls; briefed leaders on interpreting patterns vs precise counts; trained HRBPs to answer common questions; updated SOPs for crosswalk updates and exception reviews; transferred rule ownership to HRIS (identity crosswalk) and Security/IT (site overrides) under change control.
• Human?in?the?loop review: Established a weekly triage for ambiguous matches, anomaly flags, and site?specific quirks; recorded decisions with rationale and effective dates; iteratively refined crosswalks, thresholds, and masks.

Results

Attendance patterns became consistent across the enterprise. Dashboards reflected the same definitions of employee, contractor, and visitor, filtered unmanaged devices, and normalized shared?door entries. Leaders and Workplace teams used a single view to plan seating, shuttle schedules, and hybrid norms without debating whether badge or Wi?Fi was “more accurate.”

Privacy and governance improved. Sensitive fields were masked, device identifiers were hashed, and small teams were protected by suppression. Rule changes and crosswalk updates carried ownership and release notes, so downstream consumers knew when and why patterns shifted. Existing systems stayed in place; the reliability layer stitched them together with identity reconciliation, policy?driven rules, and controlled access.

What Changed for the Team

• Before: Badge, Wi?Fi, and roster reports conflicted. After: A reliability layer reconciled signals with one policy?aligned view.
• Before: Contractors and visitors inflated counts inconsistently. After: Cohorts were separated with clear rules and filters.
• Before: Shared badges and unmanaged devices skewed results. After: Thresholds, device management checks, and site overrides normalized edge cases.
• Before: Analysts passed sensitive spreadsheets. After: Dashboards applied masking, hashing, and suppression with row?level access.
• Before: Every site debated which source to trust. After: Leaders planned with the same definitions and lineage.
• Before: Exceptions lingered in email. After: Review queues and reason codes resolved ambiguous cases and improved the rules.

Key Takeaways

• Reconcile identities first; link people, cards, and devices with effective?dated crosswalks before analyzing presence.
• Encode policy into rules; define “on?site,” dwell thresholds, and contractor/visitor handling, then apply consistently.
• Normalize edge cases; account for shared doors, unmanaged devices, and events to avoid false signals.
• Protect privacy by design; mask sensitive fields, hash device identifiers, and enforce row?level access.
• Publish lineage and release notes; explain rule changes so stakeholders understand why patterns shift.
• Integrate, don’t replace; keep Workday, badge, visitor, and network systems—add a reliability layer with governance.

FAQ

What tools did this integrate with? The reliability layer ingested people and location data from Workday using Workday Integration Cloud patterns; badge events and card mappings from the Physical Access Control System; visitor logs from the visitor management tool; and network presence from authentication/Wi?Fi controllers and RADIUS accounting. Managed device status came from identity/MDM. Dashboards ran on the company’s analytics platform with row?level policies (BigQuery Row?Level Security).

How did you handle quality control and governance? Identity crosswalks, presence rules, and site overrides were versioned with named owners in HRIS, Security, and IT. Each change carried release notes and effective dates. Lineage and tests verified joins and filters (dbt), and anomaly flags highlighted sites where sources diverged so rules could be tuned. Reason?coded exception handling documented ambiguous matches and shared?badge areas.

How did you roll this out without disruption? The model ran in shadow mode first, comparing inferred presence to prior reports and spot checks. Read?only dashboards launched to HR, Security, and Workplace while legacy reports remained. After validation and tuning, access expanded to leaders, and legacy decks were retired with clear guidance on definitions.

How did you address contractors, visitors, and guests? Contractor IDs linked through HRIS or vendor systems enabled separate cohorts and filters. Visitor management logs excluded guests from employee counts while remaining available for site capacity views. Policies defined how temporary badges and event days were handled, and those rules were encoded in the reliability layer.

What privacy practices guided this? Device identifiers were hashed, raw card IDs and door?level details were masked in dashboards, and small?team suppression protected re?identification risk. Role?based access followed NIST RBAC principles, and overall handling aligned to the NIST Privacy Framework. Distribution lists and exports preserved masks and suppression.

How were anomalies and edge cases handled? The system flagged unusual divergences between sources at a site or door. HR, Security, and IT reviewed those cases weekly, adjusted crosswalks or thresholds, and documented the change. Shared?door hotspots were annotated with overrides so future counts reflected reality.

Can this support future policy changes? Yes. Presence definitions, dwell thresholds, and cohort rules were parameterized and governed. When policies evolved, updates flowed through change control with release notes, and dashboards reflected the new rules without rework.