Configurable Security Fundamentals Flashcards
Security Landscape: Functional Area
Highest level of application delivery is in Functional Areas.
Includes areas such as Staffing, Benefits, Core Compensation, Financial Accounting, etc.
FA’s are further broken down into Domains and Business Process Types
Security Landscape: Domains
Collections of items that share the same security.
Can include tasks, delivered reports, report data sources, web service operations and task
- WD determines the secured items within each domain
- You can’t change what delivered items are in what domains
Security Landscape: Business Process Types
Represents the events or transactions in WD that can be automated using WD’s business process framework
Each BP Type has its own security policy.
Security Landscape: Domain Security Policies
The security policy for a domain.
In the DSP you can configure which security groups have access to the items in the domain
- Access is configured at the domain level, not item-by-item. Users with access to a domain will have access to all items secured in that domain.
Security Landscape: Business Process Security Policies
The security policy for a BP that determines which security groups can do what within a BP, e.g. initiate, do action steps, approve, rescind, cancel, correct, etc.
Security Groups: Delivered and Workday Assigned Security Group Types
WD determines the allowed security group types and provides a set of default security groups of these types.
You can also create new security groups of these delivered types (e.g. Aggregation Security Group, Job-Based Security Group (c), Role-Based Security Group (u))
Security Groups: Constrained vs. Unconstrained
CONSTRAINED: Users have contextual access to a subset of data to which the security group has access. Target constraints in WD are typically by org, but can also be for levels and segments.
UNCONSTRAINED: Users have access to all target instances secured by the security group
MIXED: Applies to intersection and aggregation security groups where it depends on the security groups constraints being combined.
EXAMPLE: Jack (U) and Jill (C). Jack can run the report and for any worker. Jill can run the report, but, only for the organizations she supports within the context of her role (e.g. Compensation Partner for APAC).
Security Groups: User-Based (U)
- MEMBERSHIP: Manually assigned. Follows user.
- CONTEXT: Unconstrained
- EXAMPLE: HR Administrator, Finance Administrator
Security Groups: Role-Based (C/U)
- MEMBERSHIP: Based on Role Assignment. Roles are assigned to positions.
- CONTEXT: (C/U). Constrained by Organization(s) supported in role
- EXAMPLE: HR Partner, Benefits Partner, Accountant
Security Groups: Job-Based (C/U)
- MEMBERSHIP: Based on job details (e.g. job profile, management level)
- CONTEXT: Organization
- EXAMPLE: CFO, IT Workers, VP’s
Security Groups: Segment-Based (C)
- MEMBERSHIP: Based on included security groups
- CONTEXT: Segments
- EXAMPLE: Documents - Benefits Categories, Manager - Integrations
Security Groups: Location Membership (U)
- MEMBERSHIP: Based on location
- CONTEXT: Unconstrained
- EXAMPLE: All USA Workers
Security Groups: Organization Membership (C/U)
- MEMBERSHIP: Based on Organization Membership (e.g. Cost Center, Location Hierarchy)
- CONTEXT: Organization
- EXAMPLE: EMEA Workers, IT Cost Center Workers
Security Groups: Intersection (Mixed)
The “AND” grouping
- MEMBERSHIP: Members are those in ALL of included security groups
- CONTEXT: Mixed - depends on included security groups. Constraints intersected.
- EXAMPLE: Those that are HR Partners (Role) AND located in France (Location)
Security Groups: Aggregation (Mixed)
The “OR” grouping
- MEMBERSHIP: Members are those in ANY of the included security groups
- CONTEXT: Mixed - depends on included security groups.
- EXAMPLE: Those that are HR Partners (Role) OR located in France (location)
Security Groups: Service Center (C/U)
- MEMBERSHIP: Based on Service Center. Service center representatives in service center will be members.
- CONTEXT: Organization
- EXAMPLE: 3rd Party Help Desk
Security Groups: Integration System (C/U)
- MEMBERSHIP: Manually assigned to Integration System Users
- CONTEXT: Organization
- EXAMPLE: Credit Card System
Security Groups: Level-Based (C)
- MEMBERSHIP: Based on included levels. Requires leveling hierarchy defined, either Compensation Grade or Management Level
- CONTEXT: Lower Levels, regardless of organization
- EXAMPLE: Those in Manager Management Level, can access talent card data for all those in lower management levels.
Security Tips: Security methodology
Workday’s security framework allows you to configure which users have access to the delivered content via security policy configurations.
Security groups are the bridge between system users and security policies.
You can configure security groups in needed domain or business process security policies to grant access to security group members to delivered areas of Workday.
Security Tips: The steps for configuring security
1) Determine users and required access
2) Create Security Groups
3) Attach security groups to Security Policies
4) Activate pending security policy changes
5) Test changes
Security Tips: Recommendations
KEEP IT SIMPLE
DESIGN TOP DOWN
- Start w/user-based groups.
- Layer in role-based (constrained) groups.
- Think of your business partners first.
KEEP EFFICIENCY IN MIND
- Assign permissions at the highest node in the hierarchy to take advantage of inheritance, using the option for current and unassigned subordinates.
- Only assign at the lower levels when necessary.
TEST!
Security Tips: Managing Workforce Security Assignments
As part of staffing transactions where workers are terminating or changing jobs, it is important to ensure security group membership, specifically revisiting role-assignments and removing user-based security groups assignments.
- Use the Assign Roles sub-process in staffing transaction BP definitions
- Use delivered services, add service steps to staffing transaction BP definitions
- Service step to Remove User-Based Security Groups
- Service step to Terminate User Account
- In addition, leverage delivered reports and shared solutions to audit changes
Security Tips: Security Configuration Restrictions
Some domain and BP security policies can be restricted to certain security group types.
WD explicitly disallows you from allowing some security group types to BP or security domain policies to prevent applying security groups to policies for secured content.
Security Tips: Reports and Other Tools
LOTS of REPORTS, and you can create custom reports too!
- Domain Security Policies for Functional Area
- Business Process Security Policies for Functional Area
- View Security for Securable Item
- View Security Reports
- Security Analysis Reports
- Role Assignments reports
WHICH REPORT: How can I tell what security groups a user has?
View Security Groups for User
WHICH REPORT: What can a security group do? What does it have access to?
View Security Group
Security Analysis for Security Group
Action Summary for Security Group
WHICH REPORT: Who are the members of a security group?
If user based, you can see it when you View Security Group.
Else, write a custom report on security groups and show members.
WHICH REPORT: How can I find out if a user is a member of a given security group?
Test Security Group Membership
WHICH REPORT: How can I tell if a user has access to a given target using a given security group?
Test Security Group Membership
WHICH REPORT: How did this user get to this task or item? What security group allowed it?
Security Analysis for Action
