Given the size and complexity of most organizations, effectively managing user access to Workday can be challenging. Defining adequate security policies and requirements will enable a clean security role design with few or no unmitigated risks of which the organization is not aware. It is important to have a well-designed and strong security architecture within Workday to ensure smooth business operations, minimize risks, meet regulatory requirements, and improve an organization’s governance, risk and compliance (GRC) processes.
Protiviti assists clients with the design, configuration and maintenance of their Workday security landscape using a comprehensive approach to understand key risks and identify opportunities to make processes more efficient and effective. We evaluate Workday configuration and architecture and help tailor role- and user-based security groups to maximize efficiency while minimizing excessive access. In this blog, we share four key concepts we recommend clients use to secure their Workday environment.
Four Ways to Effectively Design and Configure Workday Security
1. Adopt Best Practices | Tailor Workday Delivered Security Groups
Out-of-the-box Workday security groups can often provide excessive access to one or many functional areas, depending on the organization structure. Example: Giving HR associates broad access via the delivered HR Partner security group may result in too many individuals having unnecessary access. To achieve best practice security architecture, custom security groups should be developed to minimize various risks including excessive access and lack of segregation of duties. Developing custom security roles will allow for those roles to be better tailored to exactly what is best for the organization.
2. Establish Standardized Naming Conventions | Enhance Delivered Concepts
Workday security groups follow a specific naming convention across modules. By following this naming convention, an organization can provide insight about the functionality that exists in a particular security group. Generally, conventions help system administrators and support partners classify and intuitively understand the general function of the security group. The table below contains the naming conventions of Workday delivered security groups in order of most to least privileged:
|Administrator||Finance Administrator, HR Administrator||Provides administrative setup to one or more areas. Includes system configuration that should be reserved for a small group of users.|
|Partner||Expense Partner, Payroll Partner||Provides review/approval access to business processes in a specific area. Often includes access to enter/initiate more sensitive transactions.|
|Specialist||Accounts Payable Settlement Specialist, Inventory Specialist||Provides transactional entry access. Generally, have access to enter/ initiate transactions that will be routed for approval by other users.|
|Analyst||Accounts Receivable Analyst, Cash Analyst||Provides view-only reporting access to specific areas. Includes access to detailed data required for analysis and other reporting|
|Auditor||Finance Auditor, System Auditor||Provides limited view-only access to specific areas. These security groups are often granted to those who require view access to system configuration for specific areas|
Note that these naming conventions serve as guidance and are not always prescriptive when used in both custom created security groups as well as Workday Delivered security groups. For example, the out-of-the-box Workday HR Partner security group has both entry and approval access within HR, based upon the actual business process.
3. Restrict Sensitive Access | Monitor Access to Critical Functions
Sensitive access refers to the capability of a user to perform high-risk tasks or critical business functions that are significant to the organization. Depending on the organization, these range from the modification of system configuration to creating or editing master data. Sensitive access should be limited to select individuals to ensure that only appropriate personnel have access to these functions. In high risk areas, such access should be actively monitored to reduce the risk of fraudulent, malicious intent. Implementer and Correct action access are two particularly important types of sensitive access that should be restricted.
- Implementer is a security group that has very powerful access, typically granted to the system implementer personnel who set up the system. This security group can configure and modify system behavior in ways that are not available to users with other administrator access. Implementer access should be closely monitored to ensure that users who do not require this access do not have it.
- The Correct business process action is a highly privileged function that allows users to alter an instance of a business process. Users with this access can modify the transaction at any point in the workflow, even a completed transaction, without requiring further approval. Best practice is to disallow the Correct action in a business process or to only assign it as an administrative privilege.
4. Eliminate Intra-Security Group Conflicts| Minimize Segregation of Duties Risks
Access provided by Workday delivered security groups can result in Segregation of Duties (SoD) conflicts within the security group itself, if not properly addressed. This can create an issue as an SoD conflict may be introduced to the environment every time the security group is assigned to a new user. No organization is able to entirely restrict sensitive access and eliminate SoD risks. They must strike a balance between securing the system and identifying controls that will mitigate the risk to an acceptable level. Custom security groups should be developed with the goal of having each security group be inherently free of SoD conflicts. This will create an environment where SoD risks are created only by the combination of security groups. With this structure, security groups can easily be removed and reassigned to reduce or eliminate SoD risks.
Workday Security is not a “One Size Fits All” Approach
Securing the Workday environment is an endeavor that will require each organization to balance the principle of ‘least privileged access’ with optimal usability, administrative burden and agility to respond to business changes. Regardless of the school of thought adopted for Workday security architecture, applying the principles discussed in this post will help to design and rollout Workday security effectively. This can go a long way to mitigate risks and reduce the ongoing effort required to maintain a stable and secure Workday environment.