Comprehensive Workday Security Guide
Agenda
We will take a look at all of my Workday Security posts over time, the updates
since then, and tools that will help you be a successful security admin.
Security Hierarchy
To start, look at Security this way:
Functional Areas sit on top. Once enabled, these allow you to access Domain
Security Policies & Business Process Security Policies. Security Groups then
reside within both.
This is accessed through the Maintain Functional Areas task. If you do not see
a functional area listed, then you need to create one through the Create
Functional Area task.
Now, domain security policies basically sit on a peer level with business
process security policies. Think of the two as being “coworkers” in an
organization setup. You need both enabled with security groups assigned in
order to accomplish your goals.
Security Tools
Create Security Request Framework
I have a separate post on Request Framework. Once you have that set up, this
is how we tailored the security request framework BP.
Copied our default definition for the request framework
Linked the security request type via rule base BP configuration
Segmented security around the questionnaire & allowed it on the initiation step of the Request BP
Put security groups on the necessary steps on the request type
Leveraged a custom report to call upon all "requests" linked to this request type
Framework Setup Continued
With this configuration and the way we set up our questionnaire, end users
can easily identify who needs access and what levels of access they need.
One of our questions is a multiple choice drop down list of security roles and a
brief description of the access that it gives.
We also accounted for anything outside of these questions to be listed on a
free text question box as additional comments.
Security Request Reporting
Our request framework report enables us to call upon who initiated
the request, who the worker given access is, the request event itself, and
much other pertinent information all in one report.
Adding the request event to the report with an actionable link has been
important for the team to be able to drill into the event.
Additionally, we created two security reports that are based off of the
"Business Process Transactions" data source that enables us to see the
transaction status of an Assign Roles Event or User-Based Group Event, the
Assignee or worker given access, and the comments inputted on this.
Again - these reports help to audit security changes and allow the team to drill
into why something was issued and provide support when needed for
auditing purposes.
Security Change Requests Report
Report Definition
BO & Fields
Filters
Prompts
Calc Fields
Secura Reports
Let’s start with the infamous “Secura” reports. These are given this nickname
because that’s all you have to type in to see the reports.
View Security For Securable Item
Security Analysis for Securable Item and Account
View Security For Securable Item
View Security for Securable Item will likely be your “go to” for 90% of all
security troubleshooting needs. It allows you to back into how that item is
secured within Workday via permitted security groups on domains, and the
associated functional area.
Security Analysis for Securable Item and Account
This report complements the other “secura” report and allows you to dig a
little deeper and fine tune your search if you want to see how a certain user is
able to access something in Workday.
Secured Items in Multiple Domains
Incredibly useful tool if you are trying to lock down an item. You will need to
see which domain(s) give access to that item and assign security accordingly.
View Security Group & Maintain Permissions for Security Group
View Security Group allows you to drill into that one specific security group.
You will get to see all of the usages such as Domains, BP Policies, Notifications,
Dashboards, etc.
Maintain Permissions For Security Group allows you to mass update domain
policies assigned to a security group or to copy that security to leverage it for a
new security group requirement.
View All Security Timestamps
You can see all past timestamps, when they were made, and the comment. If
you drill further into it with the magnifying glass, you can see who activated
that specific timestamp.
Just select the magnifying glass you want, and click the related action to run an
audit trail on it.
If you click the related actions on a previous timestamp, you can revert back
to that point in time if you need to do so.
Test Security Reports
Two great reports to test security membership, either via rule or security
group.
Custom Security Reports
Security Business Process Definitions
This is a custom report based on the Business Process Definitions data source that
lists all of the security-related BPs (that I wanted to target).
Report Definition
BO & Field
Filter
RPT Fan Favorite - Security Administration
Do yourself a favor and thoroughly explore Customer Central! The reports
from this specific package can all be useful. Explore these reports in a test
tenant, and see what you want to migrate over.
This is searchable once migrated over by typing in “CP: Security”.
RPT Fan Favorite - Report Administration
Explore these reports in a test tenant, and see what you want to migrate over.
This is searchable once migrated over by typing in “CP: Report”.
Security Reports on Worker Profile
Two very useful reports to leverage on the Worker Profile as living “tabs”
would be the following:
Worker Security Roles
Worker User-Based Security Groups
This can be turned on by the following report definitions, filters, prompts, and
sharing access rights. Then to enable it, go to the Configure Profile Group task.
Then
Report Definition
BO & Field
Filter
Share Access
Report Definition
BO & Fields
Filter
Share Access
Calc Fields
Workday Security Routing Reports
This is a very simplistic report, but extremely helpful in aiding your security
assignment endeavors.
It allows you to quickly review security groups that are potentially assigned to
business process steps.
We use it to isolate security groups that are assigned as Approval, Action,
Review, or other actionable steps in a business process. So when assigning a
user access, we can see what security group they should be in based on what
the end result should be.
Do they just need view access to certain areas via domains and not to be
approving inbox items? Or do they need both?
Report Definition
BO & Fields
Filter
Sub-Filter
Security Analysis Reports & More
Security Analysis for Hub Definition
Security Analysis for Security Groups
Security Analysis for Landing Page Worklet
Security Analysis for Workday Account
Other Useful Reports/Tasks
Manage Data Sensitivity
Manage Authentication Policies
Manage Authentication Selectors
Compare Permissions of Two Security Groups
Security Exemption Audit
Security History For User
Security Groups Not Referenced In Any Security Policy
Action Summary for Security Group
Security Dashboard
Security Group Administrative Overview
Migrated over from the RPT Fan Favorite - Security Administration package,
this report is incredibly useful for a high-level view of security groups. We use
it as the front-facing worklet in the HRIS Security Dashboard.
Security Dashboard
This dashboard was set up in an effort to make security administration easier
for the team and serve as a one-stop shop for security needs.
There are three unique tabs here for utilizing various security items. The one I
want to highlight here is the Security Reports tab, which has three additional
worklets on it for the following:
Security Reports
Weekly Audits
Quarterly Audits
Security Dashboard: Menu
This section of the dashboard comprises individual reports and tasks based on
the area we want to group them under.
Security Business Processes & Associated Reports
Assign Roles BP
The Assign Roles business process has a step named Role Maintainer that is
often all too confusing for customers. This is a required step in the
business process.
I’ve found that it serves as a “catch” of sorts. Role Maintainer is a dynamic
security group that looks at who has access to assign that specific security role
that is designated through the Maintain Assignable Roles Task.
If a user assigning security does not have access rights to a particular role
through the Maintain Assignable Roles task, then upon submitting security it
will route to the Role Maintainer.
This happens even if you have designed an approval step for all security roles
that are designated as requiring approval.
To have this skip the role maintainer, I configured a condition rule that skips
this step to better streamline how we want our routing to look and is cleaner
from an audit perspective.
Assign Roles BP - Condition Rules
Condition Rule that skips Role Maintainer was configured with the following
calculated fields.
Assign Roles BP - Condition Rules
The above calculated fields are what comprised the logic for the Condition
rule of “Initiator Was Not Security Admin”. The last piece for this condition
rule was the selection list, which is in the below screenshot.
I targeted the only other security groups that were given permission from the
Maintain Assignable Roles task.
Assign Roles BP - Condition Rules
The last two condition rules just determine the security roles list that require
approval and logic that makes it go to the Corporate Security Approver
unless they initiated the task.
Security Roles Audit Report
Start by creating your Global calculated field in the Workday search bar with
“create calculated field”. This will make your calc field available on your
report and is a Workday trick.
Report Definition
Report BOs & Fields
Filter
Prompt
Calc Fields
User Based BP: Setup
Type in “create business process” and search for User-Based Security Group
Event.
Once your BP is created, go to the related actions and enable the necessary
security groups on the BP Security Policy.
Activating Security
Assign Security Admin to the typical areas such as:
Initiating Action
Action Step
View All
Cancel
Reassign Tasks
Then add your approver security group to the following:
Approve
Deny
Cancel
View All
Lastly, type in “view domain” and type in Process: User-Based Security Group
Event.
Enable Security Admin to have modify access. Now activate your pending
security policy changes.
Administering Security
You can now issue user-based security and have it route for approval.
You can access this through the Update User-Based Security Group
Assignments.
*IMPORTANT NOTE* If you assign these the old way through Security Profile
and Assign User-Based Security, then it WILL NOT follow the BP routing.
The report will also only pull results if they are initiated via the new task
mentioned above.
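One way to catch assignments made outside the business process, as an added example that is not part of the original guide: reconcile two membership snapshots of user-based security groups against the events your audit report returns. The CSV column names, status values and sample rows are constructed assumptions about how you export the data, not Workday field names.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not Workday fields.
SNAPSHOT_BEFORE = """worker,security_group
alice,Security Administrator
bob,HR Administrator
"""
SNAPSHOT_AFTER = """worker,security_group
alice,Security Administrator
bob,HR Administrator
bob,Security Configuration
carol,Report Writer
"""
# Rows from the user-based audit report (only BP-routed changes appear in it).
BP_EVENTS = """assignee,security_group,action,status
carol,Report Writer,added,Successfully Completed
bob,Security Configuration,added,In Progress
"""

def load_pairs(text, worker_col):
    """Return the set of (worker, group) pairs found in a CSV export."""
    return {(r[worker_col].strip().lower(), r["security_group"].strip())
            for r in csv.DictReader(io.StringIO(text))}

def completed_events(text, action):
    """Return (worker, group) pairs backed by a completed BP event."""
    return {(r["assignee"].strip().lower(), r["security_group"].strip())
            for r in csv.DictReader(io.StringIO(text))
            if r["action"] == action and r["status"] == "Successfully Completed"}

def unrouted_changes(before, after, events):
    """Membership changes between snapshots with no completed BP event."""
    old = load_pairs(before, "worker")
    new = load_pairs(after, "worker")
    added = (new - old) - completed_events(events, "added")
    removed = (old - new) - completed_events(events, "removed")
    return {"added": sorted(added), "removed": sorted(removed)}

if __name__ == "__main__":
    result = unrouted_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, BP_EVENTS)
    for kind, pairs in result.items():
        for worker, group in pairs:
            print(f"{kind} without completed BP event: {worker} -> {group}")
```

Any pair it returns is a membership change that either bypassed the routing or is still awaiting approval, and is worth drilling into.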
Administering Security
You can also toggle this functionality on and off as needed through Maintain
Feature Opt-Ins.
Final Touches Part 1
Create a condition rule to go to your designated approver.
For test purposes, I added in only two of our user-based security groups to
require approval.
Final Touches Part 2 (Optional)
Create a notification template from notification designer.
Assign that to a custom notification and create some calculated fields in your
message. (See other featured carousel post on this)
Calc Fields
Access Granted
Access Revoked
User-Based Security Audit Report
Start by creating your Global calculated field in the Workday search bar with
“create calculated field”. This will make your calc field available on your
report and is a Workday trick.
Prompt
Calc Fields
Security & Notification Designer
Notification Designer Setup
Setup Effort
What Do I Need To Do?
Opt in to the Notification Designer Innovation Service and enable the
Drive and Notification Designer security domains.
Access Drive and create or edit a notification designer template. Select
the template as a template override when you configure a custom
notification for a business process.
This is where the fun begins. Find the BPs you want to enhance in the system.
I chose to instantly attack the Assign Roles Business Process. By default, the
email and Workday notifications were ugly and not intuitive on what was
happening “at a glance”. You always had to log into Workday to see exactly
what was happening or when approving security.
Notification Designer Setup - Continued
Since we designed our Assign Roles BP to have routing conditions on what
needs to be approved, we then put in notifications on when it was approved.
This informs the security admin that the request is complete, and they can
then inform the user that their access has been updated.
This default notification was not the most user friendly. So with the release of
Notification Designer, we decided to take the time to enhance this
notification design, as well as the calculated fields that populate the message
and body of the emails and notifications in Workday.
Notification Designer Templates
Once you access your Drive, click “New” at the top left and create a
Notification Template.
Design the notification as you see fit then go to “Maintain Notification
Templates” to enable the template for Custom Business Process Notifications.
Once you are satisfied with the look, go to the Assign Roles BP by searching
“BP: AR” or “BP: Assign Roles”.
Notification Template
Slap in that new template and let’s build the notification body. In the
following screenshots I’ll show you the calculated fields we used to design our
body & message of the notification.
Then the old email vs the new look.
Notification Body & Subject
The Line Break field is what breaks apart the different fields onto separate lines.
When two of these are added together, the result appears as a new paragraph in the
body of the email.
Out with the Old
In with the New