Wednesday, June 24

Security: Constrained vs Unconstrained Security Groups

Difference between Constrained and Unconstrained Security Groups in Workday


I see many people seeking to know the difference between the two types of security groups - Constrained and Unconstrained. Here is the briefing in Workday's words:

Constrained Security Groups evaluate security using the target object being acted upon. 

For example, a Manager Role-Based Security Group (Constrained) evaluates "is User A a Manager of User B", where User B is the constraining target object. 

Unconstrained Security Groups do not use a target object for security evaluation. 

For example, a Manager Role-Based Security Group (Unconstrained) evaluates "is User A a Manager"; the target object is NOT considered when evaluating security.

Further definitions:


Unconstrained security groups do not enforce a context. If you add an unconstrained security group to a domain or business process security policy, members will be able to get to secured items in those policies with no context or constraint applied to the target data they see once there. They will see all tenant data available for that item.

Summary: Users in this group have access to all the data the policy allows, without any restrictions or conditions.

Constrained security group types enforce a context on members' target access ("row-level security") in Workday. If you add a constrained security group to a domain or business process security policy, members will be able to get to secured items in those policies, and once there will have a context applied to the target data they see. Constraints are typically by organization.

Summary: Users in this group have access to the allowed data based on a condition; a user can access a given piece of data only if they satisfy that restriction or condition.

Target access involves what tenant data (e.g., for whom, or for what instances “rows” of data) the user can see when accessing an item such as a report or task. When using a constrained security group, you can limit access rights to certain target instances, i.e., enforce row-level security.
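
The two evaluations described above, as an added example that is not part of the original post and is not Workday code: a small Python model of a role-based group deciding which worker rows a user sees on a secured item. The names `RoleBasedGroup`, `visible_rows` and `unconstrained_groups` and all sample data are hypothetical, and the model assumes that access granted by several groups on one policy is additive.

```python
from dataclasses import dataclass

# Constructed sample tenant data: worker -> organization.
WORKER_ORG = {"alice": "Sales", "bob": "Sales", "carol": "Finance", "dave": "Finance"}
# Constructed role assignments: (user, role) -> organizations the role is held on.
ROLE_ASSIGNMENTS = {("mona", "Manager"): {"Sales"}, ("fred", "Manager"): {"Finance"}}


@dataclass(frozen=True)
class RoleBasedGroup:
    name: str
    role: str
    constrained: bool

    def is_member(self, user):
        # Membership question shared by both kinds: "is User A a Manager?"
        return bool(ROLE_ASSIGNMENTS.get((user, self.role)))

    def permits(self, user, target_worker):
        if not self.is_member(user):
            return False
        if not self.constrained:
            # Unconstrained: the target object is not considered.
            return True
        # Constrained: "is User A a Manager of User B?" (here, of User B's organization)
        return WORKER_ORG[target_worker] in ROLE_ASSIGNMENTS[(user, self.role)]


def visible_rows(user, policy_groups):
    """Worker rows a user sees on an item whose policy lists these groups.

    Assumption of this model: access from several groups is additive (a union).
    """
    return sorted(w for w in WORKER_ORG
                  if any(g.permits(user, w) for g in policy_groups))


def unconstrained_groups(policy_groups):
    """Access-review helper: groups on a policy that grant tenant-wide target access."""
    return [g.name for g in policy_groups if not g.constrained]


if __name__ == "__main__":
    constrained = RoleBasedGroup("Manager (Constrained)", "Manager", True)
    unconstrained = RoleBasedGroup("Manager (Unconstrained)", "Manager", False)
    print(visible_rows("mona", [constrained]))    # rows limited to mona's organization
    print(visible_rows("mona", [unconstrained]))  # every worker row in the tenant
    print(unconstrained_groups([constrained, unconstrained]))
```

In this model, listing an unconstrained group on a policy next to a constrained one removes the row-level limit for anyone who is a member of both, which is why an access review should enumerate the unconstrained groups on each policy.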

Below are the types of security groups that can be created as either constrained or unconstrained:

Service Center Security Group
Role-Based Security Group
Organization Membership Security Group
Job-Based Security Group
Integration System Security Group
