Workday offers several ways to restrict who can see what and who can perform actions on data. Workday’s configurable security model allows you to configure role-based and user-based security that can be both constrained and unconstrained.

One of Workday’s powerful configurable security group types is the Segment-based Security Group. Using Segment-based Security Groups, you can grant users access to selected components (segments) of a secured item. You can therefore use a Segment-based Security Group in a security policy to control access to the secured items contained in that segment.

Use Case for Segmented Security
While there are several applications within Workday for segmented security, this use case focuses on one of the most common requests from functional users/business owners post go-live.

Your Workday deployment could have hundreds of integrations, some of which are mission critical for end users. Functional users may want to see the integration output files to troubleshoot, or want the ability to run a specific integration ad hoc. You do not want to grant every user the ability to see all integrations, as this would be a breach of security. For example, an HRIS analyst might not have the ability to view compensation or payroll data, and you would not want them to see an output file from an integration with payroll data.

Steps for Setting Up Segmented Security
Follow these steps to use Segmented Security to allow business users to run specific integrations or view their outputs.

  1. Create: Create an Integration System Security Segment. The best practice is to use a naming convention starting with ISSS_<Segment name>. The segment name usually refers to the broader integration set that the user will view or run.
  2. Select: Select the Specific Integration System option and select the integration(s) that the user should have access to.
  3. Group: Create System-based Security Groups. Usually this will be constrained by segment access, so you won’t see an unconstrained option. The best-practice naming convention is to use a prefix of SBSG_<integration name>.
  4. Assign: Assign domain security policy permissions. If you want the end user to only view integration events, you would grant view-only access to the Integration Event Domain Security Policy under Integration Functional Areas. Based on your requirements, you can choose the Domain Security Policies.
  5. Rights: Under Access Rights, assign the ISSS_<Segment> created in step 1.
  6. Run: Create a User-based Security Group and assign the members who will need access to view/run specific integrations. The best-practice naming convention is to use a name prefix of UBSG_<Integration name>.
  7. Connect: Assign the User-based Security Group created in step 6 to the System-based Security Group created in step 3.
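
The chain built in steps 1 through 7 can be checked for least privilege by resolving which integrations each user ends up reaching. The following is an added example, not part of the original post and not a Workday API or export format: all segment, group, integration and user names are constructed, and only the View permission on the Integration Event domain from step 4 is modelled.

```python
# Constructed model of the seven-step setup; every name below is illustrative.
SEGMENTS = {  # steps 1-2: segment -> integrations placed in it
    "ISSS_Benefits": {"INT_Benefits_Enrollment", "INT_Benefits_Carrier"},
    "ISSS_Payroll": {"INT_Payroll_Results"},
}
SEGMENT_GROUPS = {  # steps 3, 5, 7: SBSG_ group -> access rights and member groups
    "SBSG_Benefits": {"segments": {"ISSS_Benefits"}, "members": {"UBSG_Benefits"}},
    "SBSG_Payroll": {"segments": {"ISSS_Payroll"}, "members": {"UBSG_Payroll"}},
}
USER_GROUPS = {  # step 6: UBSG_ group -> users
    "UBSG_Benefits": {"hris_analyst"},
    "UBSG_Payroll": {"payroll_admin"},
}
POLICY = {  # step 4: domain -> SBSG_ group -> granted permissions
    "Integration Event": {"SBSG_Benefits": {"View"}, "SBSG_Payroll": {"View"}},
}


def effective_access(user, domain="Integration Event", permission="View"):
    """Return the integrations whose events `user` reaches with `permission`."""
    reachable = set()
    for group, perms in POLICY.get(domain, {}).items():
        if permission not in perms:
            continue
        cfg = SEGMENT_GROUPS[group]
        # The user must belong to a UBSG_ group connected to this SBSG_ group.
        if any(user in USER_GROUPS.get(ubsg, ()) for ubsg in cfg["members"]):
            for segment in cfg["segments"]:
                reachable |= SEGMENTS[segment]
    return reachable


def audit(sensitive, allowed_users):
    """List (user, integration) pairs where a user outside `allowed_users`
    reaches a sensitive integration."""
    users = set().union(*USER_GROUPS.values())
    return sorted((u, i) for u in users - allowed_users
                  for i in effective_access(u) & sensitive)


if __name__ == "__main__":
    print(effective_access("hris_analyst"))
    print(audit({"INT_Payroll_Results"}, {"payroll_admin"}))
```

An empty audit result means no user outside the allowed set reaches the payroll integration; connecting the wrong UBSG_ group in step 7 shows up as a finding.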

RapidIT-Cloudbera is a Workday Consultancy focused on delivering quick returns on its customers’ major technology investment. We do this through our strong understanding of Workday, backed by years of experience on the platform. Genie, our automated testing solution for Workday, can test your security configurations and compare your overall configurations from tenant to tenant.