Identify and Mitigate User Access Risk in Workday

Identity Management and Audit Reporting for Workday

Analyzing access and monitoring segregation of duties risks are on-going challenges for a complex, leading enterprise finance, HR, and planning solution like Workday. Our team of Certified Internal Auditors has analyzed the unique challenges presented by Workday and developed audit templates, segregation of duties rules, and key audit reports to achieve continuous compliance. Fastpath Assure^® breaks down the complex security model of Workday into easily consumable reports that help identify the following: 

• Security group membership
• Domain and business process access
• Organization restrictions
• Risk in user access

Using Fastpath, businesses can understand their overall application security risk posture, monitor organizational security, and provide necessary documentation to internal and external auditors.

Access Risk Monitor

Fastpath’s Access Risk Monitor (ARM) allows customers to identify and mitigate user access risks by both Separation of Duties (SOD) and Sensitive Access (SA). Customers can also use ARM to produce reports that monitor access risk by user, security group, domain, and/or business process in Workday.

Use Fastpath ARM to answer questions such as:

• Which users have access to a specific domain or business process action?
• What security groups are providing access?
• Which organizations is a user limited to?

ARM Separation of Duties and Sensitive Access Analysis Capabilities

ARM’s Separation of Duties (SOD) capabilities include an out-of-the box ruleset built specifically for Workday by our team of certified auditors. With over a hundred conflicts in the ruleset, you can easily add to and customize it for your specific needs. Each conflict can be assigned a risk level along with business or IT activities.

• Extensive list of SOD conflicts specifically designed for Workday, pre-mapped to domains and business process actions.
• Allows users to assess their SOD risk impact related to Business Process Definitions, including any routing restrictions associated with them.
• SOD analysis can be performed by user, security group, domain, or business process.
• Simple to review and sign-off on mitigating controls.
• View SOD and SA risk across multiple ERP/CRM systems (e.g., Workday and Salesforce).
• Fastpath comes with out-of-the-box connectors for many other business applications, such as Oracle, NetSuite, SAP, Microsoft Dynamics, and Salesforce. Use Fastpath’s Universal Product Integration to connect to even more applications, including legacy systems.
• Assists in Sarbanes-Oxley (SOX) compliance in Workday.

ARM Report Scheduling Capabilities

Use prebuilt reports to quickly analyze who has access to critical data at the lowest levels to reduce the resources and time needed to conduct these reviews regularly.

• Understand potential SOD risks before granting approval for user access requests.
• Security reporting by user, security group, domain, and business process action.
• Define custom report schedules (daily, weekly, monthly).

Access Certification

Fastpath’s Access Certification automates the User Access Review process by identifying users who have potential access risk and notifying the responsible Business Process Owners (BPOs). The BPOs then review and accept or reject the access privileges for those users and/or roles within their area of responsibility who pose significant risk to the organization.

Access Certification allows BPOs to schedule periodic full or rolling user access reviews and sign off on various types of access: Risk (SOD or SA), Security Group Assignment, Security Group Configuration, Business Activity, and Product (for certifications spanning multiple applications beyond Workday). These review types, risk criteria, and BPO Ownership Groups are easily configurable workflow options.

• Schedule certifications – Define owners of the access type for review and schedule reviews for both full access reviews and rolling access reviews.
• Document reviews – All reports can be scheduled and signed from the report window. This record can be filtered by name, date, and signing user.
• Notify Audit or Security teams upon certification
  • Audit Team – The Audit Team will receive all notifications when a review has been completed in an Excel attachment via an email.
  • Security Team – The Security Team will receive notifications when a Product review or Security Role review has been completed with any rejected items identified to help facilitate any needed remediation requests in the target application(s).
• Audit reports – Generate reports showing access review and certifications for internal and external audits.