Scribd Logo
Carica

Benvenuto in Scribd!

  • Docx

    Caricato da

    Swathi Bindu
    37 visualizzazioni4 pagine

    Titolo originale

    docx.docx

    Copyright

    © © All Rights Reserved

    Formati disponibili

    DOCX, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento

    Copyright:

    © All Rights Reserved
    Scarica in formato DOCX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    37 visualizzazioni4 pagine

    Docx

    Caricato da

    Swathi Bindu

    Copyright:

    © All Rights Reserved
    Scarica in formato DOCX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 4

    WORKDAY SECURITY

    It enables customers to modify or accept delivered default security groups and security policies
    that control view and modify access to workday. It helps to answer questions like:
    Can you run a task? For Whom? For Yourself? For What items?
    Security Group represents one or more workers with similar access and modification needs, such
    as HR partner. A Security Policy details the report fields, tasks, and views that the group can
    access and or modify. A Domain or a Business Process is a collection of securable items (Domain)
    or a specific Business Process type. Business Processes are separately secured from Domains and
    Sub-Domains.
    Security acts as a bridge between Workday-owned metadata and customer-owned tenanted
    access to functionality, Security Groups and Security Policies are in the customer / tenanted
    realm, with little developer involvement. Domains reside in the metadata realm, and are off-
    limits to customers.

    SECURITY LANDSCAPE
    Workday has grouped parts of the Workday system into Functional Areas. These functional areas
    contain Domains and Business Processes.
    A functional area is a collection of related securable items. These items include actions, reports,
    report data source or custom report fields. The Functional Areas report will display all functional
    areas and included domains and business processes. Functional Areas can be enabled and
    disabled for each tenant with the Maintain Functional Areas task.
    Domains are pre-defined by Workday and cannot be modified by customers. Workday provides
    customers the ability to specify security policies that govern permissions for the content of a
    domain. A domain security policy grants a group of users access to the securable items contained
    in the domain.
    Business Process types are delivered by Workday. You cannot create new business process types;
    however you can copy and modify definitions. A business process security policy controls
    permissions to tasks and view capabilities for business process types.

    BUSINESS PROCESS SECURITY POLICY


    Business process security policies are collections of securable items related to business
    processes, including initiation steps and step actions. They also are where you specify
    permissions for actions on processes: view, approve, rescind, cancel, and correct.
    Business process security policies contain such securable items as initiation steps, step actions,
    and actions on the process as a whole: view, approve, rescind, cancel, and correct. A business
    process security policy also allows you to specify whether the business process can be delegated
    to others.
    All definitions copied or linked are controlled by the Business Process security policy for the type.

    DOMAIN SECURITY POLICIES


    Security Policies are the bridge between Domains and Security Groups. Security Policies are
    assigned to Domains by the customer, and are therefore tenanted data. When creating a Security
    Policy one of two types of access is granted. View access allows only View type activities to be
    performed. Modify access allows both View and Update types of activities to be performed. For
    each Domain, the Security Policy specifies which Security Groups may execute View or Modify
    (which includes View) the Domain's Tasks. If a Security Group has no permissions listed in the
    Security policy, by definition that Security Group has no access rights to any of that Domain's
    content.
    Sub-domains automatically inherit their super-domain's security policy; changing the policy on
    the sub-domain automatically overrides the super-domain's policy, and cascades to any sub-
    domains of the sub-domain.

    The following graphic outlines the steps for configuring security. Users are added to or removed
    from security groups. In many instances, new security groups will be created to meet your needs.
    There are several types of security groups. You cannot create new types. Security groups are
    added to or removed from security policies. When changes are made to a security policy, those
    changes are saved, but are pending until the Activate Pending Security Policy Changes task is run.
    Once you activate those changes, Test, Test, and Test!
    HOW CHANGE CONTROL WORKS
    Four elements make Workday security policy change control possible:
    Workday records the time of every security change.
    Workday evaluates security as of a timestamp, ignoring later changes, which are "pending."
    You can activate pending changes by time-stamping your current security configuration.
    You can tell Workday Security to activate a previous timestamp.

    When you tell Workday Security to use a timestamp as the security evaluation moment, changes
    made after that timestamp don't take effect until you activate them. Use the Activate Pending
    Security Policy Changes task to create a new, current timestamp.
    For example, if you activate security policy changes in March, June, and September and then
    discover a serious error in the September security configuration, you can activate the March
    timestamp using the Activate Previous Security Timestamp task. The changes from June and
    September are considered pending changes along with whatever new changes you make to fix
    the problems with the September security configuration. When you run the Activate Pending
    Security Policy Changes task, it creates a new timestamp and activates all of the changes made
    since March.
    Workday no longer allows you to activate the September timestamp, which it deems a bad
    configuration. It appears in the View All Security Timestamps report, but no longer appears on
    the list for activating previous timestamps. We recommend that you edit the timestamp
    comment to indicate that it is not a valid security configuration.
    Security timestamps look at domain and business process security policies and functional areas.
    They include changes made by adding or removing security groups from policies, enabling or
    disabling domains or functional areas, and whether business processes can be delegated.

    USER-BASED SECURITY GROUPS


    A user-based security group is a group to which you directly add workers as members. When the
    security group is used to grant workers permission to access items in a security policy, all the
    users in the group have that permission. You can edit and create user-based security groups.
    This is the least restrictive group. It is not context sensitive, in that it makes no attempt to match
    the context of the workers in the group (organization or ownership) with the context of the
    secured item. Use user-based security groups for administrators who you want to have global
    (enterprise-wide) access.
    ROLE-BASED SECURITY GROUPS
    Role-based security has two types of role-based context, constrained and unconstrained.
    Constrained indicates that your access is limited by your relationship to the objects. For example,
    access for the HR Partner is limited to the Supervisory Org or Locations that they support.
    Role-Based Security Group (Unconstrained) has no constraint based on organizations you
    support. A manager in an unconstrained role-based security group would have security access to
    all workers and not just workers in the organizations that they manage. This role is similar to the
    user-based security group administrator roles but is dynamic.

    JOB-BASED SECURITY GROUPS


    Job-based security groups can be defined as either constrained or unconstrained. Membership is
    based on criteria related to the job performed. System users in this group can only be workers
    since they require job-relevant criteria. The selection will be made from currently active workers.

    CONSTRAINED VS. UNCONSTRAINED INTEGRATION SECURITY GROUPS


    An Integration System Security Group (Constrained) serves the same general purpose as an
    Integration System Security Group (Unconstrained). The only difference is that the constrained
    group type enables you to filter data results contextually based on Organization. For example,
    you can set up an integration that exports data only for workers who are members of a specific
    supervisory Organization. Filtering varies depending on how the data is accessed.

    SEGMENT-BASED SECURITY GROUPS


    A segment-based security group grants access to members of other security groups. It grants
    access to selected components (a segment) of the secured item. The security group definition
    specifies the segment to which it grants access. That is, you use this security group to control
    access to policies whose secured items include components in the segment.

    ----------------------- X -----------------------

    Potrebbero piacerti anche