Security in Workday is extensive and can seem daunting. Organizations will often have a Security Administrator role but no process in place to regularly audit their security setup. Common questions we receive are:
- How do we ensure our tenant is secure?
- What audits should we be performing?
- How do we carry out these audits?
- How do we see who has access to sensitive data?
Below are some steps we've helped customers like you take to configure and maintain their setup in a secure and sustainable way. Let's take your Security Administrators from reactive to strategic!
# 1 | Outline your design
Define these key elements:
- Who should be able to take which actions?
- Who should be able to view what content?
- Your process to gather and approve security change requests
Define your key stakeholders:
- Who should the members of your Workday Security team be that will handle configuration?
- Who are your Workstream Super Users that will provide insights into business needs?
As your company evolves so will your definitions and stakeholders. We recommend maintaining a master file to house this information that you can revisit every 6 months. This would be a good use case for Worksheets. You can also use this to verify that any new additions or updates are following your specified requirements.
# 2 | Complete these important activities to set you up for success
Secure your tenant:
- Have you defined authentication policies for worker types with varying levels of restriction?
- Are you using Multi-Factor Authentication?
- Are you using SSO?
- Are you using strong passwords?
- Are you regularly monitoring user signons via:
- Signons and Attempted Signons
- Workday Accounts Currently Locked Out by Excessive Failed Signon Attempts
Familiarize yourself with the current Setup:
Look at your:
- Admin/Modify security groups.
- These users have a lot of access. Should they in fact be able to configure in these areas? The members should be limited.
- Partner security groups.
- Can these groups view the data and perform the processes they need daily? Do they have any additional/unnecessary access.
- View security groups.
- Should these users be able to view these processes and/or data points?
- Business Process Policies/step recipient groups to ensure consistency across processes.
- Limit initiators
- Analyze approvers
- Analyze Cancel, Rescind, Correct access
- Members of your riskiest security group types (e.g. user based, and role based unconstrained).
- Sensitive business process types (e.g. compensation, personal data).
It is easiest to view security by Functional Area to ensure, for each grouping, the right people have the right access.
# 3 | Utilize WD Delivered Reports for Initial Audits
Example audits:
- Audit workers User Based security groups and Assignable Roles. Look at the user’s location, job profile, job category, job family. Are there any outlier assignments? Via:
- Role Assignments for Worker Position
- Roles for Organization and Subordinates
- View Security Groups
- Find non-admin security groups with modify/view access. Paying special attention to Set Up domains. Find any security groups with access to incorrect domains for a functional area. Via:
- Domain Security Policies for Functional Area
- Find and inactivate any security groups without permissions/that are no longer in use or that have no members. Via:
- Security Groups Not Referenced in any Security Policy
- View Security Group
- Verify members of extremely sensitive groups: Setup Admin, Security Configurator, Business Process Admin. Via:
- View Security Group
- Review recent Domain/Business Process Policy changes. Via:
- Business Process Security Policies Changed within Time Range
- Domain Security Policies Change within Time Range
- Review Organizations missing role assignments. Via:
- Unassigned Organization Roles Audit
- Find sensitive business processes and ensure approval steps and accurate policy access via:
- Business Process Policies for Functional Area
- Business Process Types and Initiating Security Groups
- Business Process Booklet or Extract Business Process Definition
- Find any non-admin/non-partner groups that can correct processes. Via:
- Action Summary for Security Group
- Security Analysis for Security Groups
# 4 | Build out your Custom Reports to fill in Gaps
Delivered reports can get you started but there are many custom reports Invisors can build to get you even further. Below are a few of our favorites.
Security Overview:
Security Group access to functional areas and the number of domains granted permissions in that area. This report helps you quickly determine security groups with access to domains in a functional area that they shouldn't have (eg. compensation or personal data). Or incorrect permissions assigned e.g. Modify vs View access. And the specific domains you need to update to remove incorrect access.
Business Process Access by Functional Area:
This report allows you to dig into your security groups ability to initiate, correct, rescind, or cancel a business process by functional area.
Business Process Policy Details:
Policy details for the business process definition. This report helps you quickly find security groups and/or workers that have access to perform actions on a business process that they shouldn’t.
- Including groups and workers for:
- Initiating
- Approving
- Contributing
- Cancelling
- Rescinding
- Correcting
- Reassigning
- Viewing
Custom View Security Groups:
Upgrade the delivered View Security Groups report to include all data pertaining to a security group. Including but not limited to assignable roles and assignees, BP access, and member details.
Organization Roles by Assignment Type:
View all assigned, inherited, defaulted role assignments for the organization (including subordinate organizations) selected in the prompt.
Role Assignments Changed within Time Range:
Recent role assignment changes. Helpful when a user is wondering why visibility to a population has changed.
Let us help you curate your Security Audit Dashboard today and have this analysis at your fingertips!