Security: Constrained vs Un-Constrained Security Groups

Difference between Constrained and Unconstrained Security Groups in Workday

I see many people seeking to know the difference between two types of security groups - Constrained and Unconstrained. Here is the briefing in Workday's Words:

Constrained Security Groups evaluate security using the target object being acted upon. 

For example, a Manager Role-Based Security Group (Constrained) evaluates "is User A a Manager of User B", where User B is the constraining target object. 

Unconstrained Security Groups do not use a target object for security evaluation. 

For Example, a Manager Role-Based Security Group (Unconstrained) evaluates "is User A a Manager"; the target object is NOT considered when evaluating security.

Further more Definitions:

Unconstrained security groups do not enforce a context. If you add an unconstrained security group to a domain or business process security policy, members will be able to get to secured items in those policies with no context or constraint applied on what target data they see once there. They will see all tenant data available for that item.

Summary: Users based out of this group will have access to all the data that is allowed with out any restrictions or conditions.

Constrained security group types enforce a context on members target access (“row level security”) in Workday. If you add a constrained security group to a domain or business process security policy, members will be able to get to secured items in those policies and once there will have a context applied on what target data they see. Constraints are typically by organization.

Summary: Users based out of this group will have access to the data that is allowed base on the condition, if the person satisfies that restriction / condition then they will be able to access.

Target access involves what tenant data (e.g., for whom, or for what instances “rows” of data) the user can see when accessing an item such as a report or task. When using a constrained security group, you can limit access rights to certain target instances, i.e., enforce row-level security.

Below are the types Security Groups which allow you to create above Constrained and Unconstrained.

Service Center Security Group

Role-Based Security Group

Organization Membership Security Group

Job-Based Security Group

Integration System Security Group

Business Processes: Mass Cancel To Dos

To Do's

To Do's are typically used in the Business Processes. Also used in Checklist, again with in Business Processes.

To Do's won't have much priority when you compare with other BP Step types, so users comfortably skip them if they were optional.

The task Mass Cancel To Dos helps in canceling the To Dos which you don't want to visit anymore and complete them and which have been long pending.

Select the To Do events and cancel.

Other Tasks and Reports related to To Dos that you can check out:

To Dos

Maintain To Dos

Create To Do is the task that you see in the Business Process Step Type - To Do.

Workday 2020 R1: Highlights

Highlights of Workday 2020 R1 (Released in March 2020)

Workday Assistant (Chat Bot) - Innovation Services

Natural Workspaces - 

• Workday for Microsoft Teams
• Workday for Slack

Voice on Mobile For Workday Assistant

REST API Update

Integration Enhancements 

Security and Data Privacy Updates

Active Dashboards

 Data-as-a-Service Bench-marking

• Compensation
• Absence and Time
• U.S. Veteran Benchmark

Prism Analytics

Worker Hiring Enhancements etc.,

Tasks & Reports: Compensation

Compensation Tasks and Reports

Here are some of the commonly used Compensation related Tasks and Reports:

Compensation Eligibility Rules

View Compensation Eligibility Rule (also Create, Edit)

Create Compensation Grade (Edit)

Edit Compensation Grade Profile (View)

Compensation Package

Compensation Packages

Create Compensation Package (Edit)

Create Hourly Plan

Create One-Time Payment Plan

Create Salary Plan

Create Allowance Plan

Create Commission Plan

Compensation Steps

Compensation Rule Assignment

Employee Compensation Audit

Compensation Spreadsheet

Compensation Changes Report

Maintain Compensation Elements

Compensation Elements

Maintain Compensation Element Groups

Compensation Element Groups

Total Compensation

Total Compensation Template Audit

Compensation Summary

Employee Compensation Details by Job Profile

In Progress Compensation Changes

Out of Order Compensation Changes

General: How to maintain URLs within Workday

QuickLinks / URLs in Workday

Workday offers you to store urls and use it else where for references of some websites, documentation or help books for your organization. These urls could be internal or external.

Use the task Maintain Quicklinks to edit existing delivered URL's or add a new URL on need basis. Here you can see a  (-) on the first column which represents it was added by someone like you, and if it is blank it represents Workday delivered. You can still change or edit the url's delivered by Workday.

URL is Often called as Quicklink in Workday.

You have an option to restrict based on a Condition Rule. For example you wanted the URLs to be visible only for certain group of Employees in your organization you can set it up here using Condition Rule.

You can group your URL's like Benefit Related, Payroll Related, Workday Related etc.. And those groups will automatically show up in the Maintain Quicklinks task (Last Column).

Use the below Tasks to maintain the Quicklink Groups.

Create Quicklink Group

Delete Quicklink Group

Edit Quicklink Group

Use the below Reports related to Quicklinks

View Quicklinks 

View Quicklink Group

To report URL's use Quicklink Assignment as Primary Business Object with Quicklinks as Datasource. Other related BO's are Quicklink Group, Quicklink Item.