Workday® Configurable Security Overview
Maybe you have heard something like this before if you are involved with Workday® - “I can’t logon” or “I can’t see John Doe, VP” or “I can’t do a Change Job”. These are among the many issues that can arise, and they are all connected to Workday’s® Configurable Security. From the time you logon, or intend to logon, until the time you exit the system, Workday® Security plays a part, including:
1.) How a user can logon
2.) Who and What a user can view
3.) What a user can do
Access is controlled by what is called Authentication. How a user logs onto the system can come in many forms and the setup and maintenance of this access is a critical aspect of Security. Both Financial and HCM systems house PPI data as well as private corporate data. It is vital to keep access to this information tightly controlled.
Configuring Authentication can be intimidating although it employs security standards customarily found in other SaaS. Workday’s® Community Authentication setup is here.
Security groups are sets of users. They are employed to give access to objects and steps in business processes. Aside from delivered groups, custom security groups can be created. Adding users to groups is done by either assigning users directly or originating association based on users’ system traits, like a worker’s job or the role they fill in an organization. Here is a link for Workday® delivered groups.
The three common Security Group Types are Role-Based, User-Based, and Process Maintained.
A Role-Based security group is manually assigned to a Job or Position based on responsibility in an organization, such as Benefits Partner or Manager. These groups are associated with an organization. If the role is vacated, it is inherited from the superior organization. This type groups users based on Roles.
A User-Based security group is assigned to a Person based on administrative responsibility, such as Security Administrator or Report Writer. These groups are typically associated with configuration and maintenance. They are independent of organizations and there is no inheritance.
A Process Maintained security group is assigned to a Person automatically and is a result of a process in Workday® such as Hire or Terminate. These groups are delivered and include Employee as Self for example.
A modifier often seen when discussing Role-Based and User-Based groups is Constrained versus Unconstrained. A simple way to think about this modifier is a Role-Based is constrained by or attached to an organization e.g., Grants access only to certain “rows” (for whom or what). An example: Role of Manager, but only for direct reports. Conversely, a User-Based is unconstrained or unattached, e.g., Compensation Administrator. A person assigned this role has Administrative duties for a functional area across the enterprise.
Here is a Workday® Community overview for setting up Security Groups.
What you can see whilst in Workday® is controlled by the makeup of a worker’s Security Profile. Most users are familiar with Supervisory Organizations and other Organization objects and their hierarchies. The related actions on any organization can show which security roles are applied, how they were installed, and who is in those roles.
Users’ Security Profiles contain Assignable Roles which governs which data is accessible. An HR Director may be assigned to the entire company while a Payroll Partner or HR Analyst may be assigned to specific Locations or Supervisory Organizations. As an example, a company has 5 different locations (A-E), and each location has a distinct worker assigned to the HR Analyst role. The HR Analyst assigned to Location A only sees data within Location A and cannot see data in Location B.
Alternatively, a Security Administrator may have duties across all organization types and can assign roles to workers within those organizations.
Use the Maintain Permissions for Security Group task for servicing Security Groups.
Another aspect controlling what you can do and see within Workday® is within Security Policies. The policies are Domain Security and Business Process Security. Domain policies are groups of related objects such as reports, integrations, or tasks. These allow clients to permit access across areas instead of going object by object. Use the search with the prefix dom: to view domains. This report - Domain Security Policies for Functional Area - is useful for changing Domain policies. Configuring these policies is straight-forward with a few caveats. Domain Security Polices are logically grouped by Functional Area. Within each Domain are Sub-Domains forming a roll-up for security permissions. Of course, a user needs the security permissions to edit Domain Security Policies, which is the Security Configuration domain in the System functional area. These policies are structured by View, Modify, Get, and Put permissions. A group might be assigned only View, meaning data is available to see but cannot be altered.
Business Process policies are used to decide which user gets to do what in processing actions in Workday®. For example, an HR Analyst may start (Initiate) a promotion (Change Job) for a worker. That process then gets the OK (Approval) by the Compensation Administrator. You can use the Business Process Security Policies for Functional Area report to edit permissions or go from the Actions button in an open Business Process.
Managing Security Changes
Once the policies have been edited an alert will display with an additional step to complete. The next task is Activate Pending Security Policy Changes. When this is completed, the changes are in place. User assignments or new groups do not require activation. And if they contain errors, there is a remedy. Use the Activate Previous Security Timestamp procedure to correct anything that is misconfigured. This is not an automatic fix. It activates the prior timestamp. Clients can use the related actions of View Latest Version and View Pending Changes for managing the policies.
These are just a few of many topics included in Workday® Security. Other aspects and configuration tips will follow in future blogs.
Contact us for more information, support for Security, and anything we can do to make Workday work for You!: info@teamUpHR.com.