Session 10 - Configurable Security Part 1

Uploaded by

vijay.mukala

Roles and Security

Agenda

• Security Groups and types of groups
• Security Policies
• Review Security Data
• Change Control

Copyright © 2013 Deloitte Development LLC. All rights reserved. 2


DEFINE – SECURITY GROUPS



Workday Security Overview – Security Groups

• A security group is a group of users who need to perform actions or access data in Workday
• Workday provides several types of security groups that enable an organization to set up configurable security
• These security group types include:
  - User Based
  - Role Based
  - Integration System
  - Job Based
  - Workday Assigned
  - Business Site Based
  - Organization Based
  - Segment
  - Intersection

[Slide callout: Most Commonly used]

Introduction to Security Groups

How are security groups used?

In security
• Tasks
• Reports (delivered and custom)
• Related actions

In business processes
• Initiation
• Enrichment
• Routing
• To-do’s and checklists
• Approve, cancel, rescind..
• View process details

[Diagram labels: Users; Roles; Administrative; Organization; Job; Process-maintained; Access; Reports & Tasks; Business Processes]


*Workday created content*
Workday Security Group Types

Workday offers four main types of Security Groups:

Role-based (by organization) – e.g. Benefits Partner, Recruiter


• Based on responsibility within an organization
• Assigned to a position by organization administrator
• Can be inherited from the superior organization if not filled

User-based (Administrative) - e.g. Security Administrator, Compensation Admin


• Based on administrative responsibility
• Assigned to a user by security administrator

Job-based – e.g. CEO, Vice President


• Customer defined
• Assigned to a job profile or management level

Process-Maintained – e.g. All Employees, All Users, Employee as Self


• Based on a person’s status as being hired or terminated
• Assigned by Workday system
Role-Based Security Groups

What are they?


• Organization Roles reside in each organization (e.g. Supervisory, Location Hierarchy, etc.), and each is equivalent to a responsibility in that organization
• Role assignments can be inherited from the superior organization or specifically assigned for the organization

Examples of Workday Default Organizational Roles:


• Absence Partner
• Benefits Partner
• Compensation Partner
• Facilities
• HR Analyst
• HR Partner
• Manager
• Payroll Interface Partner
• Recruiter
• Security Partner



Role-Based Security Groups

Organization B Roles (partial list): Assigned
• Benefits Partner - Kimora Lee
• Compensation Partner - Kazuo Kawasaki
• HR Business Partner - Michelle Kim
• HR Partner - Nancy Yeoh
• Manager - Steve Morgan
• Security Partner - Parag Ved

Organization C Roles (partial list): Assigned/Inherited
• Benefits Partner - Kimora Lee
• Compensation Partner - Kazuo Kawasaki
• HR Business Partner - Janet Murphy
• HR Partner - David Cameron
• Manager - Logan McNeil
• Security Partner - Parag Ved

Blue = Role-Based Security Groups that are not inherited from the superior organization. These roles were assigned at Organization C.

[Diagram labels: Org A; Org B; Org C]


User-Based Security Groups

What are they?


• User-Based Security groups grant global administrative access for setup and maintenance for a specific functional area
• Admin assignments are manually assigned to workers by the security administrator
• A single admin group can be assigned to one or more workers

Examples of Workday Default User-Based Security Groups:


• Absence Administrator
• Benefits Administrator
• Business Process Admin
• Compensation Administrator
• Integration Administrator
• Job and Position Administrator
• Organization Administrator
• Report Writer
• Security Administrator


Way 1: Adding a User-Based Security Group by Related Action of Employee

Way 2: Search for Assign User-Based Security Groups for Person


User-Based vs. Role-Based Security Groups

User-based security groups can access the whole organization for a functional area



User-Based vs. Role-Based Security Groups

Role-based security groups can access one or more organizational units for a functional area



Job-Based Security Groups

What are they?


• Job-Based security groups are optional, defined by the customer and are only used by
workflow within business processes
• Role assignments are made based on job profile, management level, or organizational
role
• These roles are not specific to an organization

Examples of Job-Based Security Groups:


• Chief Financial Officer
• Senior Vice President
• Manager
• Manager’s Manager



Process-Maintained Security Groups

What are they?


• Process- (System-) maintained security groups are Workday-owned, defined by the
customer and are used by workflow within business processes.
• Role assignments are made based on the person’s status or a process that changes
status such as hire or terminate
• These security groups are assigned to a person from the Workday system and require
no manual maintenance by the customer

Examples of Process-Maintained Security Groups:
• All Employees
• All Users
• All Contingent Workers
• Self Service Groups


Intersection Security – Role-based Example

The challenge
• HR function is split
  - Headcount and job parity is managed by function (supervisory organization)
  - Personal information, regulatory reporting, compensation is managed by geographic region (location hierarchy)
• Staffing transactions that result in job changes impact both
• The HR Partner for such transactions has to have expertise in both the business unit and the geographic location

[Diagram: Intersection Security. Role: Employee; Supervisory Organization: Pharma; Location: Thailand]
[Diagram: Supervisory Orgs: Pharma, Consumer, MD&D. Location Hierarchy: Philippines, Thailand, Taiwan]

HR Functional Partners: Adrianne, Kathy, Ralf
HR Geographic Partners: Adrianne, Carlos, Juanita

Security Groups – Delivered Groups

They are…
• Assigned by the Workday system
• Based on a process such as hire or terminate
• Assigned to a user (could be system, worker, non-worker)
• There is a version for self-service (..as Self) and, where needed, a version that provides access to all instances of that delivered group’s type (All…) – used to allow an Employee to see all other Employees, for example

Examples:
• Employee
• Contingent Worker
• System User
• Supplier Contact

[Diagram labels: User-based Group; Role-based Group (Un)Constrained; Job-based Group; Integration System (Un)Constrained; Aggregation Group; Intersection Group; Business Site Membership Group; Organization Membership Group; Segment; Delivered Group]


Security Group Review
| Group Type | How Assigned | Where Assigned | Context |
|---|---|---|---|
| … as Self | Task (e.g., BP) | Worker | Self |
| All … | Task (e.g., BP) | Worker | None |
| Aggregation | Groups used | See groups used | “OR” |
| Integration System (Constrained) | Manual | Integration system user and Organization combination | Organization/Role |
| Integration System (Unconstrained) | Manual | Integration System User | None |
| Intersection | Groups used | See groups used | “AND” |
| Job-Based (job prof, family, grp, mgmt) | Dynamic | Position attribute | Organization/Role |
| Job-Based (direct, work shift) | Dynamic | Position attribute | None |
| Location Membership | Dynamic | Position attribute | None |
| Organization Membership | Dynamic | Position attribute | None |
| Role-Based (Constrained) | Manual | Position occupies role | Organization/Role |
| Role-Based (Unconstrained) | Manual | Position occupies role | None |
| Segment | Manual | Segment and security group combination | Segment |
| User-Based | Manual | Worker | None |
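
The role inheritance rule from the Role-Based slides and the “AND”/“OR” context rules in the table above, as a simplified Python model. This is an added example, not Workday code or part of the original deck; the hierarchy order (Org C under Org B under Org A), the mapping of the partner lists to Pharma and Thailand, and all function names are assumptions.

```python
# Simplified model of the slides' rules; not Workday code.
# Assumption: Org C is subordinate to Org B, which is subordinate to Org A.
SUPERIOR = {"Org C": "Org B", "Org B": "Org A", "Org A": None}

# Roles filled directly at each organization (names taken from the slide).
ASSIGNED = {
    "Org B": {"Benefits Partner": "Kimora Lee", "Compensation Partner": "Kazuo Kawasaki",
              "HR Business Partner": "Michelle Kim", "HR Partner": "Nancy Yeoh",
              "Manager": "Steve Morgan", "Security Partner": "Parag Ved"},
    "Org C": {"HR Business Partner": "Janet Murphy", "HR Partner": "David Cameron",
              "Manager": "Logan McNeil"},
}

def resolve_role(org, role):
    """Return (holder, org_where_assigned), walking up while the role is unfilled."""
    while org is not None:
        holder = ASSIGNED.get(org, {}).get(role)
        if holder is not None:
            return holder, org
        org = SUPERIOR[org]
    return None, None

# Constrained role-based groups: membership depends on the target's organization.
# Assumption: the slide's partner lists belong to Pharma and Thailand respectively.
HR_FUNCTIONAL = {"Pharma": {"Adrianne", "Kathy", "Ralf"}}        # by supervisory org
HR_GEOGRAPHIC = {"Thailand": {"Adrianne", "Carlos", "Juanita"}}  # by location

def members(role_map, context):
    """Holders of a constrained role for one organization context."""
    return role_map.get(context, set())

def intersection_members(target):
    """Intersection group: in BOTH constrained groups for this target ("AND")."""
    return members(HR_FUNCTIONAL, target["sup_org"]) & members(HR_GEOGRAPHIC, target["location"])

def aggregation_members(target):
    """Aggregation group: in EITHER constrained group for this target ("OR")."""
    return members(HR_FUNCTIONAL, target["sup_org"]) | members(HR_GEOGRAPHIC, target["location"])

if __name__ == "__main__":
    print(resolve_role("Org C", "Benefits Partner"))   # inherited from Org B
    print(resolve_role("Org C", "Manager"))            # assigned at Org C
    worker = {"sup_org": "Pharma", "location": "Thailand"}  # constructed target worker
    print(sorted(intersection_members(worker)), sorted(aggregation_members(worker)))
```

For an access review, the useful output is the second element of `resolve_role`: it shows whether a role holder's access to an organization was assigned there or arrived by inheritance.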



DEFINE – SECURITY POLICIES



Securing information in Workday
The Workday System is organized by Functional Areas. Each Functional Area can contain
several Domains and Business Processes.
• Domains and SubDomains represent functionally cohesive parts of the system. All
Domains contain securable items such as tasks, worklets, and reports.
• Business Processes represent typical processes completed in Workday. All Business
Process Security can be segmented based on desired actions and visibility for users.

[Diagram: Functional Area “Payroll” broken down into Domain, Sub Domain and Business Processes. Labels shown: Worker Data: Payroll; Worker Data: Payroll Input; Payroll Payee Tax Data; Assign Pay Group; Payment Election Enrollment; Pay Cycle Event]
*Workday created content*
Defining Security Policies for Domains

This is an example of the Domain Security Policy for the Functional Area of Compensation.
Security Groups can be granted View or Modify access to each Domain and Sub Domain.

Screenshot callouts:
• Functional Area
• Domains and Subdomains
• Actions and Report fields secured in this Domain
• Security Groups with View or Modify Permissions


Defining Security Policies for Business Processes
This is an example of the Business Process Security Policy for the Functional Area of
Compensation. Security Groups can be granted permissions for viewing or taking action on
various parts of each Business Process.

Screenshot callouts:
• Functional Area
• Business Processes
• Securable Permission (Initiate)
• Security Groups with Permission


REVIEW RESULTS



Review Security Data

• What can a member of this group see and do?


– Action Summary for Security Group



Review Security Data

How did someone get access to a data element?


• Security for Securable Item



Review Security Data
How is a task/report secured? Why can a specific user see it?
• Security Analysis for Action
• Test Security Group Membership (access to an instance)



ACTIVATE SECURITY POLICY CHANGES



Change Control of Security Data

Why Change Control?


• A broad set of security changes should be activated at a single, precise point in time
• If things go wrong, you need to be able to quickly revert to the “last good version” of your security setup
• This process needs to be manageable and robust



Change Control of Security Data

Example:

• 02/15/2009: Initial Activation
• 06/22/2009: Activate “MSS Rollout”
• 06/23/2009: Find problem; revert back to last known “good” timestamp

[Timeline label: (upgrade to 7.0)]

Active Security Timestamp: 2/15/2009, 6/22/2009
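
The timeline above replayed against a simplified Python model of pending changes, activation and revert. This is an added example, not Workday code or part of the original deck; the `SecurityConfig` class, its methods and the two policy entries are constructed for illustration.

```python
from datetime import date

class SecurityConfig:
    """Toy model: edits stay pending until activated; checks use the active timestamp."""

    def __init__(self):
        self.pending = {}     # (group, domain) -> access, saved but not in effect
        self.snapshots = {}   # activation timestamp -> (comment, full policy copy)
        self.active_ts = None

    def _active_policy(self):
        return self.snapshots[self.active_ts][1] if self.active_ts else {}

    def edit(self, group, domain, access):
        self.pending[(group, domain)] = access

    def activate(self, ts, comment):
        """Put every pending change into effect together, at one point in time."""
        policy = {**self._active_policy(), **self.pending}
        self.snapshots[ts] = (comment, policy)
        self.pending = {}
        self.active_ts = ts

    def revert_to(self, ts):
        """Make an earlier activation the active one again (later ones are kept)."""
        if ts not in self.snapshots:
            raise KeyError(f"no activation recorded at {ts}")
        self.active_ts = ts

    def access(self, group, domain):
        return self._active_policy().get((group, domain))

def replay_slide_timeline():
    """Replay the slide's dates; the policy entries themselves are constructed."""
    domain = "Worker Data: Compensation"           # constructed domain name
    cfg = SecurityConfig()
    cfg.edit("HR Partner", domain, "Modify")
    cfg.activate(date(2009, 2, 15), "Initial Activation")
    cfg.edit("Manager", domain, "View")
    before = cfg.access("Manager", domain)         # edit saved, not yet activated
    cfg.activate(date(2009, 6, 22), "MSS Rollout")
    during = cfg.access("Manager", domain)
    cfg.revert_to(date(2009, 2, 15))               # problem found on 06/23/2009
    after = cfg.access("Manager", domain)
    return before, during, after, cfg.access("HR Partner", domain), cfg.active_ts

if __name__ == "__main__":
    print(replay_slide_timeline())
```

The revert only moves the active timestamp; the “MSS Rollout” snapshot stays recorded, so it can be corrected and activated again later.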



Questions
