Home
IT Hub
Unlocking the Secrets of Workday Integration Security

Unlocking the Secrets of Workday Integration Security

Workday
Reco Security Experts
Updated
October 16, 2024
October 16, 2024

Workday integrations are vital for organizations to streamline their processes and enhance productivity. However, these integrations can introduce significant security risks if not managed properly. As an IT manager, it’s crucial to understand how to secure these integrations to protect sensitive data and maintain compliance with industry standards. In this blog, we'll delve into the intricacies of Workday's integration security model and provide practical tips to configure your Workday Integration Security.

Workday's Built-in Security Framework

At the core of Workday's integration security lies a sophisticated system of controls and permissions. Let's break it down:

Security Domains

Workday offers different security areas to control how users access integration templates and systems. These areas help separate the permissions needed to set up an integration from those needed to run it and see the output. You can also divide integration templates and systems into parts and give access to each part individually. 

The table below shows the security areas related to integrations and the permissions granted for each domain.

Domains Grant Permissions to
Integration Build • Create or edit an Integration System
• Create or edit an EIB
• Deploy a Workday Studio Integration
Integration Configure • Configure Integration Services
• Configure an EIB
Integration Debug • Debug a Workday Studio Integration
Integration Event • Launch an Integration Event
• View resulting events, including integration output documents
Integration Reports • View integration reports, including reports for integration events, exception audits, messages, and integration IDs.
Integration Subscriptions • View an integration’s Subscriptions
• Edit an integration’s Subscriptions

Workday employs distinct security domains to separate the powers of configuring, executing, and viewing integrations. This ensures that only authorized personnel can perform specific actions. For instance, you can configure an integration without having the authority to run it or view its output.

Access to Workday Data

Access to Workday data is done through web services and Reports-as-a-Service. These services, along with report data sources, fields, and custom reports, are secured by different security areas. Integration systems and external systems accessing Workday need the correct (Get/Put) access to the areas that include the web services. They also need the right (View) access to the areas that cover the report data sources and fields. Outbound EIBs need access to the custom reports they use as data sources. 

Cloud Connect and Studio integrations need an Integration System User account for authentication and access to web service tasks. Each integration system must have its own unique Integration System User account. These users are always part of Integration System Security Groups and can't be part of any other security group type. For the integration to function properly, the security group of the Integration System User must have Put and Get access to the areas that contain the web service operations that work with the required data.

Before diving into the creation process, let's recap:

  • Integration System User (ISU) is a dedicated user account used by an integration system to interact with Workday.

  • Integration System Security Group (ISSG) is a security container defining permissions for an integration system. It controls access to data and functionalities within Workday.

Creating an Integration System User

  1. Access the Create Integration System User task: Locate the relevant section in your Workday instance to create a new ISU.
  2. Provide User Details: Enter the required information for the ISU, such as the Username and password, and verify the password.

The process is explained for setting up a new ISU by entering user details, such as username, password, and session timeout settings to ensure successful integration execution in Workday.

Note: Keep the Session Timeout Minutes default value of 0 to prevent session expiration. An expired session can cause the integration to time out before it completes.

Creating an Integration System Security Group

1. Access the Create Security Group task: Navigate to the appropriate section in your Workday instance to initiate the creation of a new security group.

2. Provide Essential Information: Enter a descriptive Name for the ISSG and select the appropriate type (constrained or unconstrained based on your requirements, we will use the Integration System Security group (unconstrained) here and click OK

Here, it explains the process of creating an integration system security group in Workday using the Create Security Group task.

3. Assign ISSG and associate the newly created ISSG with the ISU to grant it the necessary permissions.

4. Once the Integration System Security group is created, you may add integration System users. Multiple Integration System Users can be associated with a single Integration System Security Group, each receiving the same permissions.

Illustrating how to associate a newly created Integration System Security Group (ISSG) with an Integration System User (ISU) in Workday.

Providing Domain Permissions to Security Group

Grant the ISSG access to the necessary domains by editing domain security policy permissions. This involves specifying Get and Put access for relevant data elements. There are multiple ways to grant domain permission.

To grant the security group access to the domains required by your integration, perform the following steps for each domain:

  • Access the View Domain report and find the domain.

The above screenshot shows how to view the Domain report in Workday and select a specific domain for editing. 

  • Select Domain > Edit Security Policy Permissions.

The above image highlights the steps to modify permissions for specific domains and how to edit the domain security policy in Workday. 

  • Add the security group that you created to the Integration Permissions and select Get and Put.

This screenshot shows how to maintain domain permissions for a security group in Workday and shows the steps to add domains to the security group and grant "Get" and "Put" access for integration-related tasks.

We can also grant domain permissions in the following way:

  • From the related action of the security group we created, select Security Group > Maintain Domain Permissions for Security Group, where we can add those domains to the integration permission and give permissions to get and put access.

Here, the image illustrates the Maintain Domain Permissions feature for a Security Group in Workday.

Note: Workday secures data access through web service operations, Reports-as-a-Service, and Data Initialization Service (DIS). Utilizing security domains controls access to data elements, ensuring that integrations only have the necessary permissions.

  • When all the necessary Permission required for integration is added, then, Access the Activate Pending Security Policy Changes task and activate the changes that you made in the previous step.

Displaying the activated pending security policy changes in Workday. It highlights the confirmation of recent updates to security permissions. 

Beyond the Basics: Strengthening Your Security Posture

While Workday provides a solid foundation, additional measures are crucial for comprehensive protection:

  • Regular Security Audits: Conduct routine assessments to identify vulnerabilities and implement corrective actions.
  • Robust Password Management: Enforce strong, unique passwords for integration system accounts and consider multi-factor authentication (MFA) for added security.
  • Network Segmentation: Isolate your integration environment from the broader network to reduce potential attack vectors.
  • Advanced Threat Protection: Deploy intrusion detection and prevention systems (IDPS) to monitor network traffic and safeguard against threats.
  • Data Loss Prevention (DLP): Implement DLP policies to protect sensitive information from unauthorized access and exfiltration.
  • Employee Awareness: Educate employees about security best practices to minimize human error.

Practical Tips for ISSG Management

Integration System Security Groups (ISSGs) are a cornerstone of Workday integration security. Here are some practical tips for effective ISSG management:

  • Adhere to the Principle of Least Privilege: Grant only the necessary permissions to integration systems.
  • Regular ISSG Reviews: Conduct periodic reviews to ensure that permissions align with current business requirements.
  • Centralized ISSG Management: Establish a centralized process for managing ISSGs to maintain consistency.
  • Detailed Documentation: Maintain clear documentation of ISSG configurations, including rationale for permissions.

Conclusion

Workday’s robust security framework is essential for safeguarding sensitive data within integrations. Organizations can significantly enhance their security posture by leveraging security domains, ensuring proper access controls, and adhering to best practices such as regular audits, strong password management, and employee education. Proper management of Integration System Security Groups (ISSGs) further reinforces the integrity of your integrations, ensuring that only authorized users can access critical data and functionality. By understanding Workday's security model and implementing these best practices, you can significantly enhance the protection of your sensitive data and ensure the integrity of your integrations.

Login and Session Lockout Strategies in SharePoint
In the current business environment, managing access to collaboration platforms like SharePoint is essential. SharePoint offers advanced features for setting up and maintaining permissions for document libraries, sites, and lists.
Configuring Microsoft Defender for API Security
APIs (Application Programming Interfaces) have become integral components of modern software applications, facilitating seamless communication and integration between different systems.
Secure API Usage in Microsoft Power BI
In today's data-driven world, the ability to access and analyze data from various sources securely is critical for any organization. Microsoft Power BI offers robust features for data visualization and reporting.
Get the Latest SaaS Security Insights
Subscribe to receive weekly updates, the latest attacks, and new trends in SaaS Security
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Explore More
Login and Session Lockout Strategies in SharePoint
In the current business environment, managing access to collaboration platforms like SharePoint is essential. SharePoint offers advanced features for setting up and maintaining permissions for document libraries, sites, and lists.
Configuring Microsoft Defender for API Security
APIs (Application Programming Interfaces) have become integral components of modern software applications, facilitating seamless communication and integration between different systems.
Secure API Usage in Microsoft Power BI
In today's data-driven world, the ability to access and analyze data from various sources securely is critical for any organization. Microsoft Power BI offers robust features for data visualization and reporting.
See more articles from our Hub

Start Securing Your Entire SaaS Lifecycle

Request a demo