Workday Student core Flashcards
Campus Engagement
How to communicate across the campus
You _____ Reports.
View reports
You_____ tasks.
You run tasks
Workday business process is a type of _______.
Task
A worker is hired into a ________ and a position is assigned _________.
Position and Roles
____ is how we define security.
Roles
Security Landscape: Domains
Collections of items that share the same security.
Can include tasks, delivered reports, report data sources, web service operations and task
- WD determines the secured items within each domain
- You can’t change what delivered items are in what domains
Security Landscape: Business Process Types
Represents the events or transactions in WD that can be automated using WD’s business process framework
Each BP Type has its own security policy.
Security Landscape: Domain Security Policies
In the DSP you can configure which security groups have access to the items in the domain
- Access is configured at the domain level, not item-by-item. Users with access to a domain will have access to all items secured in that domain.
Security Landscape: Business Process Security Policies
The security policy for a BP that determines which security groups can do what within a BP, e.g. initiate, do action steps, approve, rescind, cancel, correct, etc.
Security Groups: Delivered and Workday Assigned Security Group Types
WD determines the allowed security group types and provides a set of default security groups of these types.
You can also create new security groups of these delivered types (e.g. Aggregation Security Group, Job-Based Security Group (c), Role-Based Security Group (u))
Constrained Security Groups
CONSTRAINED: Users have contextual access to a subset of data to which the security group has access. Target constraints in WD are typically by org, but can also be for levels and segments.
Unconstrained Security Groups
UNCONSTRAINED: Users have access to all target instances secured by the security group
Jack and Jill have Workday Student access. Jack can run the report and for any worker. Jill can run the report, but, only for the organizations she supports within the context of her role (e.g. Faculty). Who has constrained security and who is unconstrained?
Jack is unconstrained and Jill is constrained.
Security Groups: User-Based (U)
- MEMBERSHIP: Manually assigned. Follows user.
- CONTEXT: Unconstrained
- EXAMPLE: HR Administrator, Finance Administrator
Security Groups: Role-Based (C/U)
- MEMBERSHIP: Based on Role Assignment. Roles are assigned to positions.
- CONTEXT: (C/U). Constrained by Organization(s) supported in role
- EXAMPLE: Faculty, Registrar, Academic Advisor
Security Groups: Job-Based (C/U)
- MEMBERSHIP: Based on job details (e.g. job profile, management level)
- CONTEXT: Organization
- EXAMPLE: CFO, IT Workers, VP’s
Security Groups: Segment-Based (C)
- MEMBERSHIP: Based on included security groups
- CONTEXT: Segments
- EXAMPLE: Documents - Student Record, Manager - Integrations
Security Groups: Location Membership (U)
- MEMBERSHIP: Based on location
- CONTEXT: Unconstrained
- EXAMPLE: All USA Workers
Security Groups: Organization Membership (C/U)
- MEMBERSHIP: Based on Organization Membership (e.g. Cost Center, Location Hierarchy)
- CONTEXT: Organization
- EXAMPLE: IT Cost Center Workers
Security Groups: Intersection (Mixed)
The “AND” grouping
- MEMBERSHIP: Members are those in ALL of included security groups
- CONTEXT: Mixed - depends on included security groups. Constraints intersected.
- EXAMPLE: Those that are Faculty (Role) AND located in California (Location)
Security Groups: Aggregation (Mixed)
The “OR” grouping
- MEMBERSHIP: Members are those in ANY of the included security groups
- CONTEXT: Mixed - depends on included security groups.
- EXAMPLE: Those that are Faculty (Role) OR located in California (location)
Security Groups: Service Center (C/U)
- MEMBERSHIP: Based on Service Center. Service center representatives in service center will be members.
- CONTEXT: Organization
- EXAMPLE: 3rd Party Help Desk
Security Groups: Integration System (C/U)
- MEMBERSHIP: Manually assigned to Integration System Users
- CONTEXT: Organization
- EXAMPLE: Credit Card System
Security Groups: Level-Based (C)
- MEMBERSHIP: Based on included levels. Requires leveling hierarchy defined, either Compensation Grade or Management Level
- CONTEXT: Lower Levels, regardless of organization
- EXAMPLE: Those in Manager Management Level, can access talent card data for all those in lower management levels.
Security Tips: Security methodology
Workday’s security framework allows you to configure which users have access to the delivered content via security policy configurations.
Security groups are the bridge between system users and security policies.
You can configure security groups in needed domain or business process security policies to grant access to security group members to delivered areas of Workday.
Security Tips: The steps for configuring security
1) Determine users and required access
2) Create Security Groups
3) Attach security groups to Security Policies
4) Activate pending security policy changes
5) Test changes
Security Tips: Recommendations
KEEP IT SIMPLE
DESIGN TOP DOWN
- Start w/user-based groups.
- Layer in role-based (constrained) groups.
- Think of your business partners first.
KEEP EFFICIENCY IN MIND
- Assign permissions at the highest node in the hierarchy to take advantage of inheritance, using the option for current and unassigned subordinates.
- Only assign at the lower levels when necessary.
TEST!
Security Tips: Managing Workforce Security Assignments
As part of staffing transactions where workers are terminating or changing jobs, it is important to ensure security group membership, specifically revisiting role-assignments and removing user-based security groups assignments.
- Use the Assign Roles sub-process in staffing transaction BP definitions
- Use delivered services, add service steps to staffing transaction BP definitions
- Service step to Remove User-Based Security Groups
- Service step to Terminate User Account
- In addition, leverage delivered reports and shared solutions to audit changes
Security Tips: Security Configuration Restrictions
Some domain and BP security policies can be restricted to certain security group types.
WD explicitly disallows you from allowing some security group types to BP or security domain policies to prevent applying security groups to policies for secured content.
Security Tips: Reports and Other Tools
LOTS of REPORTS, and you can create custom reports too!
- Domain Security Policies for Functional Area
- Business Process Security Policies for Functional Area
- View Security for Securable Item
- View Security Reports
- Security Analysis Reports
- Role Assignments reports
WHICH REPORT: How can I tell what security groups a user has?
View Security Groups for User
WHICH REPORT: What can a security group do? What does it have access to?
View Security Group
Security Analysis for Security Group
Action Summary for Security Group
WHICH REPORT: Who are the members of a security group?
If user based, you can see it when you View Security Group.
Else, write a custom report on security groups and show members.
WHICH REPORT: How can I find out if a user is a member of a given security group?
Test Security Group Membership
WHICH REPORT: How can I tell if a user has access to a given target using a given security group?
Test Security Group Membership
WHICH REPORT: How did this user get to this task or item? What security group allowed it?
Security Analysis for Action
WHICH REPORT: Given all a user’s security groups, what is their cumulative access in tenant?
Security Analysis for Workday Account
BP Term: Task
A task is a business process step that a user must complete. For example, task alert notifications are triggered by steps in a business process.
BP Term: Event
An event is a transaction that occurs within your company such as hiring or terminating an employee. Workday Business Processes represent how Workday should respond to one of these events.
BP Term: Target
The target is the object that the business process operates on. E.g. the employee, the general ledger, etc.
The target determines the org, and therefore controls which BP custom definition Workday uses.
BP Term: Initiator
The user that initiates the business process instance.
Business Process Configuration Options Report
Enables you to determine how a business process type can be configured by detailing the options available and any restrictions.
Lists all available actions, approval options, what sub-processes can be used in the BP, options on saving, restrictions, prerequisite actions, whether the BP is a sub-process only, what BP’s it is allowed as a sub-process, org types for which it is valid, approval options, whether it allows mass approval steps, the allowed actions, and more!
BP Column: Step
This leftmost column holds the related action icon which contains available actions for the particular step of the business process.
BP Column: Order
This determines the order of execution for the steps within a business process. Use letters. Numbers are sorted alphabetically, not numerically, so 10 sorts before 2.
The initiation step is always a. Use characters b through z for the remaining steps.
If you use the exact same string. For example: three steps are d, they run in parallel and all must be completed in order for the next step to proceed. You can also skip letters.
BP Column: If
A condition is part of a business process step and consists of one or more rules an “if” statement. The step will not occur, if the condition is not satisfied.
BP Column: Type
This is where you identify the type of step. For example: Action, Service, or To Do.
BP Column: Specify
This is where you specify the type of step. For example: Type = Action; Specify = Propose Compensation
BP Column: Optional
Yes = Step is Optional No = Step is Required
An optional step does not have to be completed. The notification message contains a link that the recipient can click to skip the step. The next step does not begin until the recipient either chooses to skip it or completes it.
BP Column: Group
Specify one ore more security groups responsible for this step. The available security groups are limited to those allowed by the security policy. This step appears in everyone’s inbox automatically and is removed when someone in the group completes the step.
BP Column: Routing Restrictions
You can optionally define routing restrictions and alternate routing for certain business process step types (Initiation and Checklist step types cannot be rerouted)
BP Column: All
If the All column is NOT checked, as soon as one person in the assigned group approves the request, the notification disappears from everyone else’s inbox and the business process continues.
BP Column: Run as User
Used to identify the User for a Batch or Integration step type.
BP Column: Due Date
This is the elapsed time from when the process is initiated until the process should be complete.
BP Column: Due Date is Based on Effective Date
Refers to the effective date that the initiator specifies when starting an instance of the BP
BP Column: Complete
When a completion step finishes, the business process is listed as complete, even if there are more steps to do. For example, a person can be listed as “hired,” even if the steps for having the new employee enter their personal information and W-4 form are not done, yet.
Completion makes the data for this business process available to other systems like Payroll or General Ledger. Make sure all approval steps and Review action steps come before the completion step. If there is no completion step, the business process is considered complete when the last step finishes.
BP Step Type: Initiation
Always the first step in a BP
BP Step Type: Action
An action or event that occurs within WD. E.g. An action step of “Review Employee Hire” within the Hire (Default Definition).
BP Step Type: Approval
Gives the designated approver the opportunity to approve or deny the entire business process.
BP Step Type: Approval Chain
Also approves the entire business process.
A sequence of approvals that starts with an individual, then goes to that person’s manager, and on up the mgmt chain until it gets to the top, or until some exit condition is met.
Use the Group column to set the security group that starts the chain.
BP Step Type: Batch / Job
Allows you to specify that a batch process be run as a BP step.
BP Step Type: Checklist
A collection of To Dos. You can select one of the checklists available to the particular Org.
BP Step Type: Complete Questionnaire
By specifying a questionnaire as part of a BP, allows you to gather relevant info for making data-driven decisions.
BP Step Type: Consolidated Approval
Enables you to combine multiple approvals for the same person into a single approval task notification.
Approvers see a simplified info for each step, but with a link to more info, if needed.
As with other approvals, this will either approve or deny/terminate the entire BP.
BP Step Type: Consolidated Approval Chain
Combines the properties of an Approval Chain with a Consolidated Approval
BP Step Type: Edit Additional Data
Can be used to edit custom fields within the context of a BP. NOTE: BP validation rules do not apply to this step.
BP Step Type: Integration
A WD system operation that transfers data to or from an external application. An integration step would also kick off a separate processing thread.
BP Step Type: Report
Allows you to have a report run as a BP step. The report output is sent automatically to the W: drive, rather than displayed.
Optionally, you can create a To Do step within the BP that consolidates the link(s) to one or more reports within a single To Do step.
BP Step Type: Report Group
Sames as Report step, but allows multiple financial reports to run as a single unit.
BP Step Type: Review Documents
Enables you to use a BP to distribute documents to workers.
BP Step Type: Service
Kicks off a separate processing thread (example: creation of a Workday user account).
BP Step Type: To Do
An activity that the responsible person must do outside of WD, such as a new hire filling in and submitting a W-4 form.
BP Step Type: Mass Approval
Provides a dashboard for multiple approvals from a single process. Only available for processes that deal with multiple orgs, like bonus, merit, and salary actions.
Editing a BP: Add / Remove Steps from a BP
Search for the BP > BP Definition > Edit Definition
Add steps using the (+) sign.
Remove steps using the (-) sign.
Editing a BP: Impact to “in flight” BP transactions
Edits to BP definitions are effective dated.
BP transactions or events already “in flight” will not pick up the edits while “in flight”. Only newly initiated transactions (post edit) will pick up the new definition.
BP Config: Configurable validation message text
Related Actions > Validation > Configure Validation Text
BP Config: 3 areas where validation messages are used
1) Absence types
2) Business process validations
3) Custom validations (used in Financials)
BP Config: Maintain Validation Rule
In View Mode, off the related actions for a step > Business Process > Maintain Step Conditions > Create Condition Rule
BP Config: Create, Maintain, and Troubleshoot Step Conditions
In View Mode, off the related actions for a step > Business Process > Maintain Step Conditions
BP Config: Maintain Action Label Override
In View Mode, off the related actions for a step > Business Process > Maintain Step Label Override
BP Config: Maintain Step Help-Text
In View Mode, off the related actions for a step > Business Process > Maintain Step Help-Text
BP Config: Maintain Related Links
Off the related actions for BP > Business Process > Maintain Related Links By Definition
Find BP Events
1) Search “event: “
2) Worker History
3) Find Events - faceted report
4) From the Inbox, Archive tab
5) From the Worklet - My Business Processes
BPs and Orgs: Copy / Link Definitions
Best practice is to use the default definition.
However, you can create a copy of a definition for different orgs where execution steps vary greatly.
BPs and Orgs: How to tell which BP an object uses?
Navigate to the business object, off the related actions menu select Business Process > Business Process Definitions for Business Object
