As businesses grow and adopt complex software systems for managing their finances, sales and marketing, human resources, and business operations, they become more exposed to the potential risks associated with segregation of duties (SoD) conflicts or critical access (CA) violations. These risks often result from a failure to establish and maintain processes to ensure users are assigned the minimum access privileges to a business system and that user access reviews are conducted on a regular basis.
Users with inappropriate access to sensitive company data can cause significant damage to a company. These risks can range from exposing a client’s personally identifiable information (a GDPR violation) to an employee having the ability to create a vendor and then fraudulently paying that vendor (an SoD violation).
Workday provides mechanisms for managing critical access. However, the task of understanding the Workday security model and effectively implementing a secure user provisioning process within an organization is still challenging for many IT and security teams.
This blog outlines primary elements of the Workday security model and the need for developing a risk strategy for your organization, followed by a discussion of how Fastpath can help businesses implement a risk management process for Workday and other business applications which share information with Workday.
This blog is also available as a downloadable PDF, Workday Access Security Using Fastpath Assure.
Security in Workday
In Workday, users are granted access to domains and business processes via direct or indirect assignment of security groups. User access can also be restricted via the configuration of business processes for organizations and organization types. Organizations are groups of resources, workers, costs, and other organizations for business process routing, security, analysis, and reporting. Along with roles and hierarchies, organizations are part of the foundation that provides configurable and contextual security within Workday. The following list summarizes key Workday Security elements:
- A Functional Area is a collection of categories for business processes and domains. Defined by Workday.
- A Domain is a collection of reports, tasks, data sources, and web service operations. The securable objects within a standard domain are not editable. The access level to a given domain (View or Modify, Get or Put) is determined by the domain security policy, which grants a specific access level to security groups.
- A Business Process is a collection of steps that processes data through Workday in a controlled manner. Business processes refer to the governance of the business and define the processes and controls put in place to perform business activity, such as how approvals are handled, who has sign-off authority, and what restrictions are placed on approval limits. Different steps or actions within a business process are accessible by users based on security groups defined in a business process security policy.
- A Business Process Action is any action that can be taken within a business process. Actions are divided into three categories:
  - Instance – actions taken on the entire business process instance (e.g., Approve, Rescind).
  - Action – individual steps that take place in a specific order within a business process (e.g., View Customer, Review Customer).
  - Initiating – actions that allow a specific security group to start an instance of a business process via the user interface or web services.
Understanding how Workday manages security is critical to creating the appropriate risk management strategy for your company.
Developing a Risk Strategy for Workday
Too often, organizations are under the mistaken belief that their system integrator will understand how to properly configure the ERP security settings and role definitions for their business.
In reality, it is the business and not the system integrator who is responsible for ownership of application security and truly understands how roles should be designed and implemented to match their business requirements. The management team and business process owners should take an active role in defining the security of their Workday system before, during, and after the implementation.
Implementing a companywide risk strategy affects how business is conducted in your organization. You can prepare for these changes by establishing secure business processes for transaction processing, security controls, and governance. Businesses should take advantage of Workday’s capabilities when designing business processes and establishing governance policy regarding system data security.
Some key security design considerations to help define your risk strategy include:
- Identify the business process owners, accountability, and reports necessary to manage risk.
- Document the procedures for ensuring secure workflows.
- Make sure that your Workday implementation is designed and configured to support your security and compliance processes.
- Perform Workday internal controls end-to-end testing to ensure the system operates in accordance with your intended security and risk management program.
Don’t leave system security for the end of an implementation. Governance, Risk Management, and Compliance (GRC) should be baked into the Workday system design, not left as an afterthought.
Using Fastpath to Manage Risk in Workday
Fastpath Assure® is a comprehensive suite of security applications that helps organizations identify security risks within Workday and other business applications. Using Fastpath, businesses can understand their overall application security risk posture, monitor organizational security, and provide necessary documentation to internal and external auditors.
Fastpath Assure helps organizations using Workday in the following areas:
- Manage Segregation of Duties (SoD) risk – Fastpath will help businesses understand their risk exposure within Workday by analyzing SoD conflicts and sensitive access down to the most granular functional levels of access by user or by role. Companies can leverage Fastpath’s extensive out-of-the-box SoD and sensitive access rulesets specifically designed for Workday.
- Automate User Access Reviews and Access Certifications – Fastpath lets business process owners automate the collection and distribution of user access data for review, allowing them to focus on key risk items and not on all roles that have minimal or no risk associated with them (like read-only or inquiry-only roles).
- Monitor SoD risk across all your business applications, not just Workday – View user access and SoD risk across multiple ERP/CRM systems (e.g., Workday and Salesforce). Fastpath comes with out-of-the-box connectors for over 15 systems (including Oracle, NetSuite, SAP, Microsoft Dynamics, Workday, Salesforce, and more), plus, you can use Fastpath’s Universal Product Integration to connect to even more applications, including legacy or homegrown business systems.
Fastpath’s out-of-the-box (OOB) ruleset, designed specifically for Workday, comes pre-mapped to the domains and business process actions that enable key business and IT activities, such as creating journal entries, maintaining supplier master data, or administering user access. For example, Fastpath’s User Business Process Detailed report analyzes and displays which users in the connected Workday environment can “Approve Payables Invoices” (an OOB business activity from the Workday Default Ruleset), based on the domains, specific business processes (e.g., Supplier Invoice Event), and associated actions (e.g., Approve) that Fastpath has mapped to that business activity. The report shows not only the Workday users but also the accompanying detail: the security group(s), domains, and business processes through which the access could occur.
Fastpath users can take this pre-mapped ruleset, clone it to create custom rulesets, then tailor these custom rulesets to meet the requirements of their organization.
By running Fastpath’s User Conflicts report, administrators can see where SoD conflicts exist along with the users involved. The report lets administrators drill down into each conflict, including the specific domain and business process actions within the assigned security groups that cause it. Fastpath’s SoD engine for Workday also automatically filters on domain securable actions and integrations granted at the “Modify” and “Put” permission levels, excluding the read-only “View” and “Get” permission levels, respectively.
Administrators can identify conflicts at the security group or user level for users with multiple security groups assigned to them.
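The following Python script is an added illustration, not Fastpath’s code or Workday’s API: it models the security elements described in the Security in Workday section (users assigned to security groups, groups granting domains at the View/Modify/Get/Put levels and actions on business processes) and the analysis described above (a ruleset mapping business activities to domains and actions, SoD rules pairing activities, Modify/Put counted and View/Get filtered out, conflicts reported at both user and security-group level, and read-only groups dropped from the review scope). All group, user, domain, business process and activity names are constructed for the example.

```python
"""Constructed model of Workday-style access with a small SoD engine (example, not product code).

Users get access only through security groups; a group grants domains at a permission level
(View/Modify for UI tasks, Get/Put for web services) and grants actions on business processes.
A ruleset maps "business activities" to those domains and actions, and SoD rules pair activities
that one person must not hold together. All names below are made up for illustration.
"""
from dataclasses import dataclass

WRITE_LEVELS = {"Modify", "Put"}   # only write-capable levels count toward risk
READ_LEVELS = {"View", "Get"}      # read-only levels are filtered out of the analysis


@dataclass(frozen=True)
class DomainGrant:
    domain: str
    level: str          # one of View | Modify | Get | Put


@dataclass(frozen=True)
class BPGrant:
    business_process: str
    action: str         # e.g. Initiate | Approve | Rescind


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    domains: frozenset = frozenset()
    bp_actions: frozenset = frozenset()


# Ruleset (constructed): activity -> the domains and business-process actions that enable it.
BUSINESS_ACTIVITIES = {
    "Maintain Supplier Master": {"domains": {"Supplier Setup"},
                                 "bp_actions": {("Supplier Change Event", "Initiate")}},
    "Approve Payables Invoices": {"domains": set(),
                                  "bp_actions": {("Supplier Invoice Event", "Approve")}},
    "Create Journal Entries": {"domains": {"Journal Entry"},
                               "bp_actions": {("Accounting Journal Event", "Initiate")}},
    "Administer User Access": {"domains": {"Security Configuration"}, "bp_actions": set()},
}

# SoD rules: pairs of activities that no single user (or single group) should hold.
SOD_RULES = [
    ("Maintain Supplier Master", "Approve Payables Invoices"),
    ("Create Journal Entries", "Administer User Access"),
]


def activity_evidence(groups, activity):
    """(group, path) pairs through which `groups` can perform `activity`; View/Get are ignored."""
    rule = BUSINESS_ACTIVITIES[activity]
    evidence = []
    for g in groups:
        for d in g.domains:
            if d.domain in rule["domains"] and d.level in WRITE_LEVELS:
                evidence.append((g.name, f"domain {d.domain} ({d.level})"))
        for b in g.bp_actions:
            if (b.business_process, b.action) in rule["bp_actions"]:
                evidence.append((g.name, f"{b.business_process} / {b.action}"))
    return sorted(evidence)


def conflicts_for(groups):
    """Violated SoD rules, with the evidence on each side, for one set of groups."""
    hits = []
    for a, b in SOD_RULES:
        ea, eb = activity_evidence(groups, a), activity_evidence(groups, b)
        if ea and eb:
            hits.append({"rule": (a, b), a: ea, b: eb})
    return hits


def user_conflicts(user_groups, catalog):
    """User-level check: conflicts arising from the combination of a user's groups."""
    out = {}
    for user, names in user_groups.items():
        hits = conflicts_for([catalog[n] for n in names])
        if hits:
            out[user] = hits
    return out


def group_conflicts(catalog):
    """Group-level check: a single security group that by itself violates a rule."""
    out = {}
    for name, g in catalog.items():
        hits = conflicts_for([g])
        if hits:
            out[name] = hits
    return out


def assignments_needing_review(user_groups, catalog):
    """Review scope per user: groups granting any Modify/Put domain or any BP action.
    Groups that are read-only (View/Get only) are dropped so reviewers focus on real risk."""
    def is_risky(g):
        return any(d.level in WRITE_LEVELS for d in g.domains) or bool(g.bp_actions)
    return {u: sorted(n for n in names if is_risky(catalog[n])) for u, names in user_groups.items()}


def _group(name, domains=(), bp=()):
    return SecurityGroup(name, frozenset(DomainGrant(*d) for d in domains),
                         frozenset(BPGrant(*b) for b in bp))


# Constructed catalog of security groups and user assignments.
GROUPS = {g.name: g for g in [
    _group("Supplier Administrator", [("Supplier Setup", "Modify")], [("Supplier Change Event", "Initiate")]),
    _group("Accounts Payable Approver", [], [("Supplier Invoice Event", "Approve")]),
    _group("Finance Viewer", [("Supplier Setup", "View"), ("Journal Entry", "Get")]),
    _group("Accountant", [("Journal Entry", "Modify")], [("Accounting Journal Event", "Initiate")]),
    _group("Security Administrator", [("Security Configuration", "Modify")]),
    _group("Procure-to-Pay Superuser", [("Supplier Setup", "Put")], [("Supplier Invoice Event", "Approve")]),
]}
USER_GROUPS = {
    "alice": ["Supplier Administrator", "Accounts Payable Approver"],  # user-level conflict
    "bob":   ["Finance Viewer", "Accounts Payable Approver"],          # View-only side: no conflict
    "carol": ["Accountant", "Security Administrator"],                 # user-level conflict
    "dave":  ["Finance Viewer"],                                       # read-only: nothing to certify
}

if __name__ == "__main__":
    for user, hits in user_conflicts(USER_GROUPS, GROUPS).items():
        for h in hits:
            print(user, h["rule"], h[h["rule"][0]], h[h["rule"][1]])
    print("group-level conflicts:", list(group_conflicts(GROUPS)))
    print("review scope:", assignments_needing_review(USER_GROUPS, GROUPS))
```

Running it flags alice (supplier maintenance plus invoice approval) and carol (journal entry plus user administration) at the user level, flags the Procure-to-Pay Superuser group on its own, and leaves bob clean because his Supplier Setup access is View only. The review scope drops the read-only Finance Viewer group entirely, which is the “focus on key risk items” behaviour the access-review discussion describes.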
Instead of analyzing combinations of access, Fastpath’s Access Reviews can monitor critical sensitive access as well as Workday access independent of the configured SoD Conflict Rulesets.
Fastpath’s Access Certification module will notify supervisors and Business Process Owners by email to certify a user’s access rights. The Access Certification module tracks the users who have been reviewed along with any outstanding actions that need to be completed.
Managing user access to critical areas of your Workday environment is vital to protecting your company from fraud and intentional or unintentional manipulation of company data. Developing a repeatable and auditable risk management strategy will help secure your business applications and prepare for internal or external audits.
Fastpath provides the tools to help administrators and business process owners prevent or mitigate segregation of duties risks, automate user access requests, enforce periodic access reviews, and provide auditable access certifications.