Introduction 

Workday is a widely adopted provider of enterprise applications for finance and human resources. Although Workday comes pre-deployed with security groups that can be assigned to users, it is well known to auditors that the pre-deployed out-of-the-box access within an application may give too much access to a user.  

In this article, we will discuss the importance of securing Workday and how Fastpath Access Control can assist organizations in reducing risks. 

Custom Security Groups  

Creating custom roles (Security Groups in Workday) is crucial for preventing users from having more access than required to perform their job duties.  

Fastpath has conducted panel reviews with large enterprise customers and the findings suggest that creating custom roles is a best practice. 

Fastpath’s Separation of Duties (SOD) analysis can easily display which out-of-the-box Workday security groups have SOD risks and what can be adjusted in a custom security group to remove those risks.  

How Are Separation of Duties (SOD) Risks Defined?  

Fastpath takes a bottom-up approach when it comes to building an SOD rule. This means Fastpath defines an SOD risk by looking at the lowest level of permission (securable objects) that could be assigned to a user.   

The securable objects that Fastpath analyzes regarding Workday is the Business Processes Actions (BPA) and Domains that allow users to create, maintain, delete, or approve a master record in the system. Those Workday BPAs and/or Domains are grouped together in what is referred to as Fastpath business processes.   

Utilizing the Fastpath business processes that are built with the securable objects from Workday, Fastpath software can analyze access that can be given to a user through a single Workday Security Group or a combination of Workday Security Groups.   

Within the Fastpath pre-built ruleset for Workday, Fastpath has 130+ out-of-the box SOD risks that can be analyzed. Here are a few examples of risks that can be analyzed:  

• Approve Bank Accounts & Perform Bank Reconciliations - A user could fraudulently manipulate cash among bank accounts or set up and initiate transfers to unauthorized external accounts, resulting in fraudulent disbursements.  

• Create or Change Employee Master Data & Process Payroll - A user could update employee compensation and approve unauthorized paychecks resulting in payroll schemes. 

The pre-built Fastpath ruleset automates the time-consuming activity of defining and detecting users or security groups that have potential risk.  

Cross-Application Risk Analysis  

Fastpath Access Control also enables cross-application risk analysis, which is essential for organizations that take a best-of-breed approach and use multiple applications. An example of this could be an organization that uses Workday as their ERP solution and Salesforce as their CRM. A potential SOD risk would be that a user could possibly create/maintain fictitious customers in Salesforce and issue refunds to those same customers in Workday.  

The out-of-the-box rulesets for various applications, including Workday, allow organizations to quickly combine business processes to identify cross-application risks.  

Conclusion 

Organizations must secure their Workday system to comply with regulations, protect sensitive information, ensure business continuity, safeguard their reputation, and save costs. Fastpath Access Control provides an efficient and automated way to manage Workday security, enabling organizations to reduce risk and establish a repeatable process for the future.