Whether you are an experienced HR professional or IT admin seeking to enhance your security configuration or are new to Workday, this guide aims to provide you with the knowledge and tools needed to secure your Workday environment effectively. Let's get started on this crucial aspect of your HR and finance operations.
Workday's security framework is highly configurable, providing comprehensive access control for various securable items like tasks, reports, user interface pages, and integrations. It accommodates diverse organizational structures and locations through group-based security. Administrators can customize default security groups and policies using the Workday Object Management System (OMS).
Workday is like a fortress protecting your organization's sensitive HR and financial data. The keys to this fortress are security groups, domain security policies, and business process security policies.
1. Security Groups: These can be seen as different keycards granting access to various parts of your fortress. There are several types:
2. Domain Security Policies: These are the rules for accessing specific domains (areas) within Workday, such as tasks and reports related to employee data or financial records.
3. Business Process Security Policies: These policies control who can initiate, view, correct, rescind, approve, and cancel various business processes, such as hiring or termination.
Let’s learn about the steps for creating and managing these security groups and the security policies.
Pro tip: Before you create role-based security groups, review the following:
To access Workday, users must belong to a security group with assigned permissions. Use the 'Create Security Group' task to create or configure security groups and control their access to domain or business process policies.
a. To grant users access to securable items within domains and business processes, you need to associate security groups with the relevant security policies. Domain security can be set for report/task permissions or for integration permissions. For report/task permissions, you give security groups the ability to view or modify tasks within the policy. For integration permissions, you grant permission to get data, or to get and put data.
b. Each business process type has its own dedicated security policy. Within these policies, you can specify which security groups are permitted to initiate the process, perform authorized actions, or approve, rescind, or cancel an event. Users can edit the policy by taking action related to the business process.
Note: Workday logs the date and time of any modifications made to security policies, including adding or removing security groups and enabling or disabling policies and functional areas. To implement these changes, use the "Activate Pending Security Policy Changes" task.
Each type of Workday security group has its own value, but if one type stands out as the hero of the story, it is the role-based security group. Role-based security groups are a cornerstone of Workday, offering a potent means of granting necessary access within the system. These groups typically represent users in pivotal support or leadership positions across various organizations. Let's delve deeper into their essence:
Assignable roles link workers to their designated positions, determining their membership in role-based security groups. These roles simplify access management by aligning privileges with job assignments. Administrators can create new roles with the Maintain Assignable Roles task, which lets them do so at any organizational level.
Assigning roles involves designating support and leadership staff on an organization-by-organization basis, linking a worker's position or job with a specific assignable role for a particular organization. Roles can be assigned through various methods:
At the organization (or role-enabled instance) level
To assign roles to an organization (role-enabled instance), navigate to the relevant instance (e.g., an organization) and select "Roles > Assign Roles" from the Related Actions menu.
At the worker position (or job) level
Roles are assigned using tasks on the worker profile. From a worker’s Related Actions, select Security Profile > Assign Roles – Add/Remove or Assign Roles – Change Assignments.
To an unfilled position
From the position’s related actions, select Security Profile > Assign Roles – Add/Remove or Assign Roles – Change Assignments.
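The chain described above (position, assignable role, role-based security group, domain security policy) can be walked in an access review. The following is an added conceptual model, not Workday code or a Workday API. All names and data are constructed, and it assumes that access through a role applies only to the organization the role was assigned for and that a role on an unfilled position takes effect once the position is filled.

```python
from dataclasses import dataclass, field

@dataclass
class DomainPolicy:
    """Conceptual model only: policy edits stay pending until activated."""
    name: str
    active: dict = field(default_factory=dict)   # group -> {"view", "modify"}
    pending: dict = field(default_factory=dict)  # edited, not yet in effect

    def grant(self, group, *perms):
        self.pending.setdefault(group, set()).update(perms)

    def remove_group(self, group):
        self.pending.pop(group, None)

    def activate(self):
        # Stand-in for the "Activate Pending Security Policy Changes" task.
        self.active = {g: set(p) for g, p in self.pending.items()}

# Constructed sample data (hypothetical names throughout).
GROUP_ROLES = {"HR Partner Group": {"HR Partner"}, "Manager Group": {"Manager"}}
POSITIONS = {"P-100": "alice", "P-200": "bob", "P-300": None}  # None = unfilled
ASSIGNMENTS = [  # (position, assignable role, organization)
    ("P-100", "HR Partner", "Sales"),
    ("P-200", "Manager", "Sales"),
    ("P-300", "HR Partner", "Finance"),
]

def groups_for(role):
    """Role-based security groups that include the given assignable role."""
    return [g for g, roles in GROUP_ROLES.items() if role in roles]

def effective_access(worker, org, policy):
    """Permissions the worker holds on this policy's domain for one organization."""
    perms = set()
    for position, role, assigned_org in ASSIGNMENTS:
        holder = POSITIONS.get(position)
        if holder is None or holder != worker or assigned_org != org:
            continue
        for group in groups_for(role):
            perms |= policy.active.get(group, set())
    return perms

def dormant_grants(policy):
    """Roles on unfilled positions that will confer access once the position is filled."""
    return [(p, r, o) for p, r, o in ASSIGNMENTS
            if POSITIONS.get(p) is None
            and any(policy.active.get(g) for g in groups_for(r))]
```

Running `dormant_grants` as part of a periodic review surfaces access that nobody holds today but that the next hire into the position will receive.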
In summary, Workday's security framework, along with role-based permissions, acts as a reliable guardian for organizations, ensuring that access to sensitive data is controlled and tailored to each individual's role. It empowers teams by providing personalized access to the information they need, fostering efficiency and productivity. With its flexibility and adaptability, Workday's security features seamlessly evolve with organizational changes, maintaining data integrity while enabling growth. Ultimately, Workday's emphasis on security and role-based permissions not only protects data but also empowers organizations to thrive in a dynamic environment.