Showing posts with label Workday Security. Show all posts

Tuesday, September 8

Secured Items in Multiple Domains

Use this report if you need to identify whether any item, such as a report, task, or report field, is associated with multiple domains.

Unfortunately, it doesn't have any parameters that you can set before running the report, so it will take a while to run and fetch the results.

You can also make use of another delivered report, View Security for Securable Item. Not many will have access to this.


Friday, September 4

Custom Domains

How to Enable Custom Domains and Use Them for Custom Objects

You cannot create new domains or move delivered items between delivered domains.

Workday offers you 200 custom domains (as of 2020R2) that allow you to configure security permissions for custom items such as custom dashboards and custom objects. You can find these in the System functional area.

All the custom domains from 1 to 200 are available in the parent domain Custom Domains.

1. Choose the custom domain that you want from the list of subdomains.

2. Enable the domain that you identified.

3. Add the security groups and permissions by going to the navigation
        Domain Security Policy >> Edit Permissions

4. Activate Pending Security Policy Changes.
        With this, your domain is available to use.

5. Custom Object: Go to your custom object and, in the Permissions tab, add the newly enabled custom domain.

Custom Dashboard: In the Edit custom dashboard settings, add the newly enabled custom domain. Here you will notice all the domains that weren't enabled. If you are making use of one that you haven't enabled, make sure to enable it at a later stage.


Thursday, September 3

Security Related Tasks and Reports

Security Tasks and Reports

View Security Groups for User 

Lists all the security groups on a given Workday account. The user’s access is a union across all the security group permissions.

Security Analysis for Workday Account

Provides a comprehensive view of a user’s access given all their security group permissions. 

View Security Group 

Shows details of a security group, including the description, type, and the domain and/or business process security policies that the security group has permissions to.

Action Summary for Security Group

Lists the domain and business process security policies the security group has permission to and details about each security policy. 

View Security for Securable Item 

Shows which domain or business process security policy provides access to a given securable item.

My Leadership Roles 

Displays any leadership roles to which your position is assigned. (You are also displayed on the organization chart as the leader of any organization(s) to which your position has a leadership role.)

My Supporting Roles

Displays any supporting roles to which your position is assigned. 

Role Assignments for Worker Position 

Displays an overview of assignable roles, security group membership, and access rights for the specified worker. The role information includes whether the role is inherited or directly assigned, and whether the role is active or inactive. You can limit results to specific roles as well as filter out inactive organizations and inherited role assignments.

Role Assignment Permissions

Displays the security group whose members can administer each role. Enables you to view or edit what security groups are allowed to assign workers to each assignable role. 

Roles for Organization and Subordinates 

Displays the organization hierarchy of subordinate organizations. Enables you to click on an organization in the hierarchy to see all the assignable roles, the worker in each, and whether they fill that role by assignment.

Unassigned Roles Audit

Displays roles for which no positions are assigned. Details include the organization type, unassigned roles, and the minimum roles to assign to each role. 

Unfilled Assigned Roles Audit 

Displays roles assigned to unfilled position(s). Enables you to include or exclude inactive roles in the results.

View Assignable Roles

Displays an overview of all assignable roles, including: the types of organizations for which each role is enabled; the default role, if any; and whether it is restricted to single assignment, hidden if not assigned, or a leadership role. You can also see which security groups are allowed to assign specific roles. This report also includes security group and access right information associated with each role. 

Worker Roles Audits 

Displays the workers in a specified organization and any assignable roles, user- or job-based security groups, or process-maintained roles to which they belong.

Wednesday, September 2

Security Related Question and Answers

The Q&A below helps you understand which task or report to use for a given scenario.

What can a security group do? What does it have access to? 
View Security Group 
Security Analysis for Security Group 
Action Summary for Security Group

How can I tell what security policy to update for a given item?
View Security for Securable Item 

How can I tell what security groups a user has? 
View Security Groups for User

How can I compare access between users?
Compare Security of Workday Accounts 

How can I compare security groups? 
Security Analysis for Security Groups

Who are the members of a security group?
If user-based, use View Security Group.
If not, write a custom report (PBO: Security Group, Report Field: Members).

How can I find out if a user is a member of a given security group? 
Test Security Group Membership

How can I tell if a user has access to a given target using a given security group?
Test Security Group Membership 

How did this user get to this task or item? What security group allowed it? 
Security Analysis for Action

Given a user’s security groups, what is their cumulative access in tenant?
Security Analysis for Workday Account 

How do I add or remove a security group from multiple domain security policies at once?
Maintain Permissions for Security Group

How can I tell who has access to a given task or item?
View Security for Securable Item

How can I see all the roles that are defined in tenant? 
View Assignable Roles

What if I need to add new roles?
Maintain Assignable Roles

How can I tell what roles are unassigned? 
Unassigned Organization Roles Audit 
Unassigned Roles Audit 
Unfilled Assigned Roles Audit

How can I tell what role assignments exist for a given worker?
Role Assignments for Worker Position 

How can I tell what role assignments exist for a given organization? 
Roles for Organization and Subordinates 
Worker Roles Audit

How can I tell which security groups are allowed to assign workers to each role?
Role Assignment Permissions

How can I see all the domains and business processes available for a given functional area? 
Functional Areas

How can I see the current security configuration for a given functional area?
Domain Security Policies for Functional Area
Business Process Security Policies for Functional Area 

How can I see all the security groups in the tenant? 
View Security Group

How can I see a full list of reports around security?
Run Workday Standard Reports for security-related categories. You can also write custom reports using security-related data sources.

How can I see an audit trail of changes to security policies? Who did what, and when? 
Domain Security Policy History 
Business Process Security Policy History 
Domain Security Policies Changed within Time Range 
Business Process Security Policies Changed within Time Range 
Audit Trail - Security

How can I audit a given Workday Account?
View User or Task or Object Audit Trail

How can I audit what a user viewed or changed? 
View User Activity

How can I see a history of security changes for either an organization (e.g., role assignments) or for a worker?
Security History
Security History for User

How can I activate changes to security policies? 
Activate Pending Security Policy Changes

Can I select which pending security policies to activate?
No – The Activate Security Policy Changes task will activate all pending security policy changes in the tenant since the last activation. 

If there is more than one person making security policy changes in the tenant, when one person activates pending security policy changes will it only activate that person’s changes? 
No – the Activate Security Policy Changes task will activate all pending security policy changes in the tenant since the last activation, regardless of who made the change.

How can I see what security policy edits are pending activation?
Domain Security Policies with Pending Changes
Business Process Security Policies with Pending Changes 

How can I revert back to a previous security configuration in the tenant? 
Activate Previous Security Timestamp

When I activate a previous timestamp, do my changes since that timestamp get removed or deleted?
No – your changes will still be there, but in a pending state instead. You must edit the security policy manually to correct or remove the changes.

How can I see how many times security has been activated in tenant? 
View All Security Timestamps

How can I see if there are issues with the security configuration?
Security Exception Audit

Monday, July 27

Security: View User or task or Object Audit Trail - Report

View User (or) Task (or) Object - Audit Trail


This is a great report that comes to the rescue when you want to view the changes made to a specific object, by a task, or by a particular user within a given time frame.

Sometimes you may not be able to see the changes captured in the audit trail of your business object.

If the time range in the parameters is long, the report may return an error message.

Rely on Create Audit Log if you have bulk transactions or a lot of transactions to view.

Wednesday, June 24

Security: Constrained vs Un-Constrained Security Groups

Difference between Constrained and Unconstrained Security Groups in Workday


I see many people seeking to know the difference between the two types of security groups, Constrained and Unconstrained. Here is a brief explanation in Workday's words:

Constrained Security Groups evaluate security using the target object being acted upon. 

For example, a Manager Role-Based Security Group (Constrained) evaluates "is User A a Manager of User B", where User B is the constraining target object. 

Unconstrained Security Groups do not use a target object for security evaluation. 

For example, a Manager Role-Based Security Group (Unconstrained) evaluates "is User A a Manager"; the target object is NOT considered when evaluating security.

Further definitions:

Unconstrained security groups do not enforce a context. If you add an unconstrained security group to a domain or business process security policy, members will be able to get to secured items in those policies with no context or constraint applied on what target data they see once there. They will see all tenant data available for that item.

Summary: Users in this group have access to all the data that is allowed, without any restrictions or conditions.

Constrained security group types enforce a context on members' target access ("row-level security") in Workday. If you add a constrained security group to a domain or business process security policy, members will be able to get to secured items in those policies and once there will have a context applied on what target data they see. Constraints are typically by organization.

Summary: Users in this group have access to the allowed data based on a condition; if the person satisfies that restriction or condition, they will be able to access it.

Target access involves what tenant data (e.g., for whom, or for what instances “rows” of data) the user can see when accessing an item such as a report or task. When using a constrained security group, you can limit access rights to certain target instances, i.e., enforce row-level security.
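The difference in target access can be seen in a small model. This is an added example, not Workday code or part of the original post: a simplified Python model in which the class names, the `allows` logic, and the sample workers and organizations are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Worker:
    name: str
    org: str  # organization the worker sits in (the usual constraint)


@dataclass
class SecurityGroup:
    name: str
    constrained: bool
    # user -> organizations in which that user holds the role
    role_assignments: dict = field(default_factory=dict)

    def allows(self, user: str, target: Worker) -> bool:
        orgs = self.role_assignments.get(user)
        if orgs is None:
            return False  # user is not a member of this group
        if not self.constrained:
            return True  # "is User A a Manager": target is ignored
        return target.org in orgs  # "is User A a Manager of User B"


def visible_targets(user, policy_groups, workers):
    """Target rows a user reaches through one policy (union across its groups)."""
    return {w.name for w in workers
            if any(g.allows(user, w) for g in policy_groups)}


def unconstrained_groups(policy_groups):
    """Review helper: groups on a policy that apply no row-level context."""
    return [g.name for g in policy_groups if not g.constrained]


# Constructed sample data (not from a real tenant)
WORKERS = [Worker("bob", "Sales"), Worker("carol", "Sales"),
           Worker("dave", "Finance"), Worker("erin", "HR")]
ASSIGNMENTS = {"alice": {"Sales"}}
MANAGER = SecurityGroup("Manager", True, ASSIGNMENTS)
MANAGER_UNC = SecurityGroup("Manager (Unconstrained)", False, ASSIGNMENTS)

if __name__ == "__main__":
    for groups in ([MANAGER], [MANAGER, MANAGER_UNC]):
        names = [g.name for g in groups]
        print(names, "->", sorted(visible_targets("alice", groups, WORKERS)),
              "| unconstrained:", unconstrained_groups(groups))
```

With only the constrained group on the policy, the manager sees the two Sales rows; adding the unconstrained variant to the same policy widens that to every row, which is why a policy review should list the unconstrained groups first.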

Below are the types of security groups that can be created as either constrained or unconstrained:

Service Center Security Group
Role-Based Security Group
Organization Membership Security Group
Job-Based Security Group
Integration System Security Group

Monday, June 1

Security: View Security for Securable Item

View Security for Securable Item

Often, we rely on functional areas and domains to see how a task or report is secured. Consider this task instead if you have access to it.

This is a great task to identify the security of any delivered item, such as a task, report, or data source. Let us take a sample task - Create Position. (This is just like your Workday wild search.)

The next screen shows the list of tasks and reports whose security you can check.


Click on View Security to view the list of Security Groups allowed and the Functional area the task or report belongs to. Additionally you can see the Menu / Navigation.


Wednesday, May 27

Security: Session Time out minutes


The Edit Workday Account task allows you to set the Session Timeout Minutes Enforced for an individual user.

However, sometimes even though you enforced a value, it takes a default of 15 min or asks you to key in a value between 5 min and 20 min. One possible reason for this is that, as a Security Administrator, you might have added all the user-based security groups to your ID [Assign User-Based Security Groups for Person]. The security group that most often restricts this is Credit Card Administrator.

Workday Account session time out
Any security group that has access to the domain Manage: Credit Card Data cannot have a session timeout of more than 15 min; you cannot override beyond this limit.

Remove this security group if you are not really using it; you should then be able to override the timeout.

Friday, July 26

Related Terms and Glossary - Security

Security Terms


Security Groups -
A collection of system users used to grant access to Workday. Security Groups are added to security policies to give members permissions to secured items in Workday. Group of users who need to perform actions or access data

Domain Security Policy-
Rules that dictate which security group can view or modify data within the domains

Components of Configurable Security:

  • Security Groups
  • Domains
  • Domain Security Policies
  • Business Processes
  • Business Process Security Policies

What are the 3 types of security constraints?

  • Unconstrained: members have access to available data instances
  • Constrained: members will only have access to data for assigned constraints
  • Mixed: Members have a mix of constrained and unconstrained

User-based security groups-
These groups are assigned manually to individual users to grant tenant-wide access in Workday. Usually intended for administrators that need system-wide access.

Two types of Security Policies-
Domain security policies and Business process security policies.

Domain-
Domains are a collection of items that share the same security, including:
- Tasks
- Reports and report fields
- Web service operations

Domain Security Policies control which security groups have access to data in the domain
- View Security for Securable Item Report

Functional Area-
Represent the main grouping of delivered domains and BP types. These groupings are typically for a specific module or area of Workday, such as Procurement, Integrations, or Personal Data. Functional areas can be enabled or disabled.

Functional Area Report-
Functional Areas report is a "top-down" report which allows you to see a top-down view of Workday functional areas and the domains and business process types in each

Business Process Security Policies-
Business Process Security Policies control which security groups can participate in the business process (initiate, perform actions, approve, cancel, delegate, etc.)
Have to give permission for multiple policies (ex. Approve, review, etc.)
Each business process type has a single security policy that secures all business process definitions of its type

Steps for Configuring Security:
1. Identify users- who needs access to what?
2. Create security groups- identify an existing security group or create a new one for your employees
3. Edit Security Policies- grant view/modify permissions to domains or grant business process permissions (sometimes domain OR business process or sometimes combo of both)
4. Activate Pending Changes to take effect
5. Test Changes to verify changes made provide the expected access (for both those who got access and those who don't need access)

Workday-Assigned Security Groups
These Security Groups grant GENERAL access and are AUTOMATICALLY assigned by the Workday system
- Assigned to a person
- Based on process such as hiring/ terminating
Ex. Employee as self, worker, all employees, all users, manager's manager

User-Based Security Groups-
These Security Groups grant ADMINISTRATIVE access tenant wide- typically for maintenance/admin groups
- Responsibility applies throughout the system (not just supervisory orgs but for entire tenant)
- User-based security groups are manually assigned to a worker
- Multiple people can be members of the same user-based security group
○ Ex. Benefits admin, compensation admin, payroll admin, report writer, HR admin, etc.

Steps for Creating a User-Based Security Group:
1. Create user-based security group
2. Configure security group on security policies
3. Activate pending security policies
4. Assign users to security group
5. Test (user can create an exit interview, testing it on who should be able vs who should not)
*Don't forget to add group for "administered for security groups" like Security Administrator, otherwise they won't be able to access anything

Role-Based Security Groups:
These Security Groups help identify your support or leadership staff
- Membership is derived based on being assigned an organizational role
- Roles are assigned to organizations (or location hierarchies)
- Roles are assigned to positions, NOT workers
- Roles inherit from superior org if not filled (if configured to do so)
- Access can be defined as constrained and unconstrained

Steps for Creating a Role-Based Security Group:
1. Use "maintain assignable roles" to create or modify assignable roles (supplemental book page 34-35)
2. Create role-based security group
3. Configure security group on security policies
4. Activate security policy changes
5. Assign roles to jobs/ positions to organizations
6. Test

Job-Based Security Group:
Identify members based on a job criterion

  • Job profile
  • Job category
  • Job family
  • Management level
  • Work shift
  • Include exempt jobs
  • Include non-exempt jobs

Automatic membership, Can be constrained or unconstrained

Membership-Based Security Groups:
    1. Location (meant for more specific location, not US as a whole)
            Grants access to a task based on the location for a worker
            Once created, automatically assigned based on user's location
            Example: for initial deployment of time tracking, only London workers enter time on Workday

    2. Organization
            Grants access to a task based on the user's membership in org
            Once created, automatically assigned based on organization assignments
            Example: business unit, company, cost center, pay group, USA as a whole, etc.

Combination Security Groups:
    1. Intersection -
            Grants access based on membership in ALL of the included security groups
            Includes only users who meet all of the specifications
    2. Aggregation Security Group -
            Includes users who are in ANY of the selected security groups
            User does not have to be in every included group

Security Domain
A predefined set of related securable items that include reports, tasks, report fields, data sources, and data source filters
- The securable items that make up a domain cannot be changed
- Each domain has its own security policy that controls access to the securable items

Which security group is assigned directly to a worker?
User based security-Tenant wide

Role based security group permissions are given to a worker when their position is linked to what?
Support Role

Editing a security policy takes effect immediately
False- Need to activate

Business Process Policies-
Defines which security groups can participate in the business process

Security group that allows self service access?
Employee as self

Groups of users who need to perform actions or access data?
Security Groups

Tuesday, June 18

Tasks & Reports - Security

Tasks and Reports in Workday Security


List of frequently used Security Tasks and Reports in Workday

Start Proxy
Stop Proxy

Create Proxy access Policy
View Proxy access Policy

Maintain Functional Areas (T)
Functional Areas (R)

Compare Security of Two Workers
Compare Permissions of Two Security Groups
Maintain Permissions for Security Groups
Activate Pending Security Policy Changes

Create Security Group
Assign User based Security groups for a person
Edit Business Process Security Policy
View Security for Securable Items

Maintain Assignable Roles
View Assignable Roles
My Self Assign Roles
Unfilled Assigned Roles Audit

Role Assignment
Role Assignments for Worker Position
Roles for Organization and Subordinates
Duplicate Role Assignments

Domain Security Policy Summary
Domain Security Policy History