Mahesh Konakalla’s Post

Building upon some previous posts where I touched on the subject on governance in Workday in regards to Workday Security. We configured routing for Security Roles on our Assign Roles Business Process of what is deemed to require additional approval. Not all security roles are listed here because that is too much governance and it hinders productivity. An example, is the manager role on a supervisory organization. If you have a large volume internal movement like us, this is not feasible to add to your list. On this Business Process, I enhanced our BP to account for the "Role Maintainer". I detailed on the attached carousel the configuration around this, and how to streamline all required routing to the appropriate approving security group, which houses our HRIS Manager. Holler with questions or comment to add to the discussion! Customer Sharing Movement Notification Designer for Security https://lnkd.in/gmWyCiwR User-Based Security https://lnkd.in/gpbNpkwE General Group Post https://lnkd.in/gGxDVUwU Role & User-Based Security Reports https://lnkd.in/gNbU9yfm Workday Security Routing Report https://lnkd.in/gMdVpKvQ Comprehensive Security Guide https://lnkd.in/grym-eYs User-Based Business Processes https://lnkd.in/d-xySH8i #hris #security #workday

Mastering Advanced Security Groups in Workday A global organization wants to restrict access to employee bonus data for HR Partners, allowing them to view bonuses only for employees in their region and edit bonus details for employees they directly manage. How can this be implemented using Advanced Security Groups in Workday? Step-by-Step Solution: 1️⃣ Analyze and Define Requirements -Access Scope: HR Partners can only view bonus data for employees in their region (e.g., North America, EMEA). HR Partners can edit bonus data only for their direct reports. Key Security Policies to Modify: Compensation Domains: Focus on "Bonus Data" access. Related Action Security: Ensure action rights align with access levels. 2️⃣ Configure Custom Workday Security Groups -Create Two Advanced Security Groups (ASGs): ASG for Regional View Access: Navigate to Workday Home > Security Administration > Create Security Group. Select Advanced Security Group. Define Rule: Add Criteria: Employee’s Region = HR Partner’s Region (derived from Location or Cost Center). Action Permission: View Only for bonus-related data domains. ASG for Direct Report Edit Access: Repeat the above steps, but define the rule as: Add Criteria: Employee’s Manager = HR Partner. Action Permission: Modify for bonus-related data domains. 3️⃣ Update Domain Security Policies -Navigate to Domain Security for Bonus Data Go to Security Administration > Domain Policies > Bonus Data. Update Access Permissions: Add ASG (Regional View Access): View rights. Add ASG (Direct Report Edit Access): Modify rights. -Configure Related Action Security Navigate to Related Action Security Policies > Search for "Bonus." Grant actions (e.g., Edit, Update) to ASG (Direct Report Edit Access). 4️⃣ Test the Configuration -Validate Access for Regional View: Impersonate an HR Partner in a specific region. Check if they can view bonus data for employees within their region. -Validate Edit Access for Direct Reports: Ensure the HR Partner can edit bonus data only for employees they directly manage. -Verify Data Restrictions: Attempt accessing bonus data outside the assigned region or unrelated employees. Ensure no unauthorized access. 5️⃣ Audit and Document -Run a Security Audit Report: Generate a security report to verify ASG assignments and ensure compliance with requirements. -Document Configuration: Maintain a record of ASG rules, domain policies, and related actions for future updates or troubleshooting. Love this workday bite? My Batch-76 40 hours Live Workday HCM course enrollment closing within 24 hours. Last date and time to enrol : 10th January 2025 midnight(IST) GMT+0530 DM me or comment "Enrol" below to join. Batch orientation session:- 12th January 2025 Classes Start:- 13th January 2025 onwards Monday-Friday Two batches: 8-10 am, 8-10 pm IST GMT(+0530) #workdaysecurity #advancedsecuritygroups #workdaytips #workdayhcm #workdaytraining #hrtech #datasecurity #workdaylearning #workday #learnworkdayhcm

Mastering Advanced Security Groups in Workday A global organization wants to restrict access to employee bonus data for HR Partners, allowing them to view bonuses only for employees in their region and edit bonus details for employees they directly manage. How can this be implemented using Advanced Security Groups in Workday? Step-by-Step Solution: 1️⃣ Analyze and Define Requirements -Access Scope: HR Partners can only view bonus data for employees in their region (e.g., North America, EMEA). HR Partners can edit bonus data only for their direct reports. Key Security Policies to Modify: Compensation Domains: Focus on "Bonus Data" access. Related Action Security: Ensure action rights align with access levels. 2️⃣ Configure Custom Workday Security Groups -Create Two Advanced Security Groups (ASGs): ASG for Regional View Access: Navigate to Workday Home > Security Administration > Create Security Group. Select Advanced Security Group. Define Rule: Add Criteria: Employee’s Region = HR Partner’s Region (derived from Location or Cost Center). Action Permission: View Only for bonus-related data domains. ASG for Direct Report Edit Access: Repeat the above steps, but define the rule as: Add Criteria: Employee’s Manager = HR Partner. Action Permission: Modify for bonus-related data domains. 3️⃣ Update Domain Security Policies -Navigate to Domain Security for Bonus Data Go to Security Administration > Domain Policies > Bonus Data. Update Access Permissions: Add ASG (Regional View Access): View rights. Add ASG (Direct Report Edit Access): Modify rights. -Configure Related Action Security Navigate to Related Action Security Policies > Search for "Bonus." Grant actions (e.g., Edit, Update) to ASG (Direct Report Edit Access). 4️⃣ Test the Configuration -Validate Access for Regional View: Impersonate an HR Partner in a specific region. Check if they can view bonus data for employees within their region. -Validate Edit Access for Direct Reports: Ensure the HR Partner can edit bonus data only for employees they directly manage. -Verify Data Restrictions: Attempt accessing bonus data outside the assigned region or unrelated employees. Ensure no unauthorized access. 5️⃣ Audit and Document -Run a Security Audit Report: Generate a security report to verify ASG assignments and ensure compliance with requirements. -Document Configuration: Maintain a record of ASG rules, domain policies, and related actions for future updates or troubleshooting. Love this workday bite? My Batch-76 40 hours Live Workday HCM course enrollment closing within 24 hours. Last date and time to enrol : 10th January 2025 midnight(IST) GMT+0530 DM me or comment "Enrol" below to join. Batch orientation session:- 12th January 2025 Classes Start:- 13th January 2025 onwards Monday-Friday Two batches: 8-10 am, 8-10 pm IST GMT(+0530) #workdaysecurity #advancedsecuritygroups #workdaytips #workdayhcm #workdaytraining #hrtech #datasecurity #workdaylearning #workday #learnworkdayhcm

What are security groups in Workday? >> In Workday, security groups are used to control access to data and functionality within the system. They are a way to define and manage who can view or perform certain actions within Workday based on their role, department, or other criteria. Security groups help to ensure that users have access only to the information and tasks that are relevant to their job responsibilities. Key Points About Workday Security Groups: 1. Access Control: Security groups are primarily used to restrict or grant access to specific parts of the Workday system. This can include reports, business processes, and data objects (e.g., employee records). 2. Types of Security Groups: * Domain Security Groups: Control access to specific business processes, reports, or data. * Custom Security Groups: Created to fit an organization’s specific access needs, such as giving a user access to a custom report or functionality. * Standard Security Groups: These come pre-configured with Workday and are generally used for common access control needs, like security for human resources, finance, etc. 3. Hierarchical and Role-Based: Users can be assigned to different security groups based on their role, location, or any other organizational structure. For example, a payroll administrator might have access to payroll data security groups, while a manager might only have access to the data of their direct reports. 4. Security Group Assignment: Users are assigned to security groups either manually by Workday administrators or automatically based on certain rules. These assignments control what users can do and see within Workday. 5. Security Policies: Security groups also define security policies in Workday, specifying who can perform certain actions (e.g., approve a time-off request, run financial reports, or modify employee data). In summary, security groups are a fundamental way to manage access and ensure that users in Workday have the appropriate permissions based on their roles and responsibilities. 👍🏻 For More Info Register Now For Demo :- wa.me/919392944457 👉🏻 Please Follow This Page :- https://lnkd.in/gE4JSEJq 👉🏻 New Batch Starting Tomorrow at 8 AM IST hashtag #workdayhcm hashtag #workdaytraining hashtag #workdayintegration hashtag #workdaycommunity hashtag #workday hashtag #hr hashtag #peoplesoft hashtag #tenantaccess hashtag #onlinetraining hashtag #india hashtag #usa hashtag #uk hashtag #canada hashtag #germany hashtag #newyork hashtag #mexico hashtag #california hashtag #toronto hashtag #mexico

Hey #workday network! 👋 Without hesitation, every single Workday customer should implement this major security upgrade, ASAP... 📣 The new business processes for managing user-based security group assignments! Managing user-based security group assignments has been a major pain point for Workday customers for years on end 😵💫 The Assign User-Based Security Groups for Person and Assign Users to User-Based Security Group tasks left much to be desired. Think... 👎 No approvals, no process visibility 👎 Compliance risks / SOC concerns 👎 Lack of delivered reporting (lackluster custom reporting too) With 2024R1 and 2024R2, Workday delivered two new business processes that will replace the old, non-workflow-enabled tasks. Here's what changed with 2024R1 and 2024R2, respectively... Assign User-Based Security Groups for Person (Task) --> User-Based Security Group Event for User (Business Process) Assign Users to User-Based Security Group (Task) --> User-Based Security Group Event for Group (Business Process) This is a HUGE upgrade for Workday security. But here's the caveat... It requires setup. If you're not sure where to start, or you're nervous about crossing your t's and dotting your i's on this one, I've got a helpful freebie for you! In tomorrow morning's Well Built Solutions newsletter, we're sending out a comprehensive setup guide to help you implement this new functionality. Get the guide in your inbox tomorrow by signing up for our (always free!) newsletter. You can find the signup link on my profile - Mia Eisenhandler Hope to see you tomorrow over your morning coffee or tea! 🤗 ☕️ #hr #hris #hrit #hrtechnology #wellbuiltworkday #security #audit #businessprocesses

Imagine you’re a Security Administrator at a multinational corporation using Workday HCM. You need to manage access for the Finance department, ensuring that only authorized personnel can perform specific tasks such as creating and editing cost centers. Step 1: Creating Role-Based Security Groups ->First, you set up a role-based security group named "Cost Center Administrators." ->This group includes members from the Finance team who are responsible for managing cost centers. ->By defining this role-based security, you ensure that only designated users have the permissions needed to add, edit, or deactivate cost centers. Step 2: Intersection Security Groups ->To further refine access, you create an intersection security group combining the "Cost Center Administrators" with a location-based security group. ->For example, this intersection could be for users in the European office, ensuring that only those in specific locations have access to cost center data relevant to their region. Step 3: Aggregation Security Groups ->You also utilize aggregation security groups, which combine multiple security groups. ->This allows members of any included security groups to access shared resources without modifying individual permissions frequently. ->This setup provides flexibility and scalability as organizational needs evolve. Step 4: Implementing Changes and Managing Access ->When a new Finance employee joins the team or an existing member transitions to a different role, updating their security group membership ensures they have appropriate access levels. ->For instance, when a Sales Ops employee moves to Marketing, their access to sensitive sales compensation data is automatically revoked once they leave the "Sales Ops" security group. Important: Change Management and Security Effective change management requires maintaining a balance between securing sensitive data and ensuring usability. Here are a few best practices to keep in mind: ->Regular Reviews: Periodically review user-based security groups to ensure that employees only have access to data necessary for their roles. ->Simplified Security Structure: Avoid overly complicated security groups with numerous intersections and exclusions. Simplify wherever possible to reduce administrative overhead and potential errors. ->Compliance Monitoring: Keep track of changes in security configurations to stay compliant with regulations like GDPR. Ensure all modifications are documented and approved by management. By strategically utilizing Workday’s security groups, you can safeguard your data while enabling seamless transitions and maintaining productivity during periods of change. For more detailed insights on managing Workday security effectively, check out some resources in the comments Stay secure and keep evolving! Be a workday Rockstar!! #workday #workdayhcm #workdaytraining #learnworkday #Trainonworkdayhcm

Hey #workday network! 👋 Here’s how I build one of my FAVORITE calculated fields that every Workday tenant should have… It's a Lookup Related Value (LRV) field that returns all security groups (of all types) that the initiator of a business process (BP) is in… You can use this calc field to build BP condition rules that reference the initiator’s security groups… e.g. --> a BP condition rule on the Hire BP that *skips* an approval if the initiator of the process is in the HR Admin or HR Partner security group. This is a powerful calc field—I've created it in almost every Workday tenant I’ve ever worked in! The key to building it WELL? 💡 Pull the security groups from the Workday Account, rather than the Worker… There’s an awesome multi-instance field on the Workday Account business object (that is NOT on the Worker BO) called, “Security Groups”… This particular field pulls security groups of ALL types (e.g. user-based, role-based, etc.), allowing you to reference security groups of any type in just one line of logic. 💡 Build the field on the Action Event business object so you can use it in ANY BP condition rule on ANY BP type. Are you using this field (or a variation of it) in your tenant!? Follow #wellbuiltworkday for more Workday knowledge nuggets 🏗🌞 P.S. If you enjoyed this post, you’d love the Well Built Solutions newsletter. Find the signup link on my profile - Mia Eisenhandler 😊 In our weekly newsletter, we include a Workday brainteaser to help you apply and grow your configuration skills! #hr #hris #hrit #hrtechnology #businessprocess

Week 1 Security for New Hires in Workday! During the critical first week, when a pre-employee becomes an employee, the security groups change magically on Day 1. Yet, your workers may not be fully prepared with SSO on their new devices, causing them to be cut off from important onboarding information. To ensure my new hires have access to everything they need (shuttle schedules were once a great example), I like to employ a user-based security group to bridge the gap for the first week of employment. I use the security group in my authentication policy to ensure that new hires continue to have username sign-on access in addition to SSO. To limit the security group membership, a boomerang integration is used to remove all prior members and refresh the security group with the accounts of the new hires for the current week. Report and XSLT files: https://lnkd.in/gKF_8xZS 1. The zip file above contains the report configuration for the boomerang input. There is a calc field that I've named "Workday Account WID." This is a Lookup Related Value calc field off of Worker to pull the WID from the Workday Account. Please note the all-important namespace on the web service is "urn:com.workday/bsvc" -- this matches the namespace in the XSLT. 2. Next, I use an outbound EIB to get the report data. 3. The attached XSLT file can be used in the EIB to transform the data into a SOAP API request. Update the XSLT file with your new hire security group WID. 4. Finally, I add a business process to the EIB and add a step for the boomerang Integration. (Select Human_Resources when asked to select the corresponding web service.) For more information on the boomerang configuration, see the README on the Boomerang GitHub project. This solution can be configured without writing a Studio integration. https://lnkd.in/gpTu4GpY I checked in during Rising and I am not aware of any new rule-based security group options for hire date. Until that time comes, I hope this approach is useful for other customers.

Understanding Workday Security Groups is Key to Effective Change Management In today’s dynamic business environment, ensuring the security and integrity of your HR data is paramount. Workday's security groups play a critical role in managing access and maintaining compliance, especially during periods of organizational change. Let's dive into a practical use case to illustrate the importance of security groups and their role in change management. #workday #workdayhcm #workdaytraining

What are security groups in Workday? >> In Workday, security groups are used to control access to data and functionality within the system. They are a way to define and manage who can view or perform certain actions within Workday based on their role, department, or other criteria. Security groups help to ensure that users have access only to the information and tasks that are relevant to their job responsibilities. Key Points About Workday Security Groups: 1. Access Control: Security groups are primarily used to restrict or grant access to specific parts of the Workday system. This can include reports, business processes, and data objects (e.g., employee records). 2. Types of Security Groups: * Domain Security Groups: Control access to specific business processes, reports, or data. * Custom Security Groups: Created to fit an organization’s specific access needs, such as giving a user access to a custom report or functionality. * Standard Security Groups: These come pre-configured with Workday and are generally used for common access control needs, like security for human resources, finance, etc. 3. Hierarchical and Role-Based: Users can be assigned to different security groups based on their role, location, or any other organizational structure. For example, a payroll administrator might have access to payroll data security groups, while a manager might only have access to the data of their direct reports. 4. Security Group Assignment: Users are assigned to security groups either manually by Workday administrators or automatically based on certain rules. These assignments control what users can do and see within Workday. 5. Security Policies: Security groups also define security policies in Workday, specifying who can perform certain actions (e.g., approve a time-off request, run financial reports, or modify employee data). In summary, security groups are a fundamental way to manage access and ensure that users in Workday have the appropriate permissions based on their roles and responsibilities. 👍🏻 For More Info Register Now For Demo :- wa.me/919392944457 👉🏻 Please Follow This Page :- https://lnkd.in/gE4JSEJq 👉🏻 New Batch Starting Tomorrow at 8 AM IST #workdayhcm #workdaytraining #workdayintegration #workdaycommunity #workday #hr #peoplesoft #tenantaccess #onlinetraining #india #usa #uk #canada #germany #newyork #mexico #california #toronto #mexico