šŸŒžšŸ— The major Workday security upgrade you should set up ASAP

Setting up the new user-based security group assignment business processes

Author

Mia Eisenhandler
October 08, 2024

Read time: 8 minutes

Hey there! Managing user-based security group assignments has been a major pain point for Workday customers for years on endā€¦

Until now! Those days are finally behind usā€”if you implement the new functionality šŸ˜

In todayā€™s newsletter, Iā€™m sharing a step-by-step guide to help you successfully upgrade your security setup.

With 2024R1 and 2024R2, Workday released two new business processes that replace the old, non-workflow-enabled tasks for assigning user-based security groups. With these business processes, we say goodbye toā€¦

šŸ‘Ž Lack of approvals and process visibility
šŸ‘Ž Compliance risks / SOC concerns galore
šŸ‘Ž Lousy delivered and custom reporting

The User-Based Security Group Event for User business process replaces the ā€œAssign User-Based Security Groups for Personā€ task for assigning / removing multiple user-based security groups for a user (2024R1).

And the User-Based Security Group Event for Group business process replaces the ā€œAssign Users to User-Based Security Groupā€ task for assigning / removing multiple users from a single user-based security group (2024R2).

Out with the old and in with the new! Seriously, donā€™t sleep on implementing these game-changing upgrades.

Without further ado, grab your coffee or tea, and letā€™s get this party started! šŸ’ƒšŸ»

Step 1: Plan your projectā€”the well built way!

The best way to ensure your Workday initiatives are successful, no matter how mini or massive the undertaking, is to structure your work as projects. Whether youā€™re rolling out a new module or simply deploying a new business process, a āœØ project structure āœØ inspires accountability, organization, and execution.

So before we dive into configuring your security upgrade, letā€™s set you up for success! The more thought you put into this step, the better your deployment will be.

You can think of this implementation as a mini project. Here are your phases and steps:

  • Plan:

    • Step 1: Project planning: Team, timeline, requirement gathering

  • Configure:

    • Step 2: Enable the new domain, ā€œProcess: User-Based Security Group Eventā€

    • Step 3: Create your new business processes

    • Step 4: Configure your business process security policies

    • Step 5: Configure your business process definitions

    • Step 6: Set up custom business process notifications (if you want!)

    • Step 7: Disable the old functionality

  • Test:

    • Step 8: Test!

  • Document and empower:

    • Step 9: Document your new setup and educate your team

  • Deploy:

    • Step 10: Go live in PROD šŸ

For this mini project, you can split planning into 3 stepsā€¦

  1. Build your team - who is responsible for each step of this project?

  2. Establish a project timeline - how long do you expect each project phase to take? Hereā€™s a high-level 6-week sample timeline. You can tighten or extend this to match your teamā€™s pace and bandwidthā€¦

    • Plan (2 weeks)

    • Configure (1 week)

    • Test (1 week)

    • Document and empower (1 week)

    • Deploy (1 week)

  3. Requirement gathering: What information do you need to implement this upgrade? Focus onā€¦

    1. BP definition workflows - what steps, actions, and/or approvals should kick off in Workday when a user-based security group assignment or removal is initiated for a) one user for one or more groups and b) one group for one or more user? Map these workflows in detail.

    2. BP security policies - who / which security groups will have which business process access? Consider all permissions on each BP security policy. Here are a few heavy hittersā€¦

      • Initiate, Review, View All (Needed to view the event data for reporting), Approve, Cancel, Deny

    3. Custom notifications - do you need to notify workers, security groups, and/or third parties with specific information when a user-based security group assignment or removal is completed?

    4. Change management - who needs to be trained on this upgrade? How will you inform, educate, and empower them?

Alright! šŸ’Ŗ That was no easy featā€”but getting the details right from the get-go is a winning strategy (and we want you to win!). With this preparation complete, youā€™re ready to cruise through the rest of this mini project šŸ˜Ž So letā€™s get to itā€¦

Step 2: Enable the new domain, ā€œProcess: User-Based Security Group Eventā€ 

  1. Navigate to the domain, ā€œProcess: User-Based Security Group Eventā€. Your quickest way there is to use the prefix ā€œdomain:ā€ in the search bar.

  1. Click the related action button next to ā€œDomain Security Policyā€, hover over ā€œDomain Security Policy,ā€ and click ā€œEnableā€. Check the ā€œConfirmā€ box and press OK.

  1. This domain automatically inherits its parent domainā€™s permissions (Security Administration). I recommend leaving these settings in place, but hereā€™s how to edit the permissions more granularly:

    • Click on the related action button on the domain, hover over ā€œDomain Security Policyā€, and click ā€œEdit Permissionsā€. Update the View, Modify, Get, and Put permissions as desired, then click OK.

  1. Activation time! šŸ’„ A critical step to never forget. Navigate to the task, ā€œActivate Pending Security Policy Changesā€, leave a detailed comment, and press OK.

Your domain will now have a Status of ā€œActiveā€ šŸŽ‰

Step 3: Create your new business processes

There are two new business processes youā€™ll need to create:

  1. User-Based Security Group Event for User

  2. User-Based Security Group Event for Group

In this guide, weā€™ll walk through setting up the User-Based Security Group Event for User BP. You can then follow the same steps to set up the User-Based Security Group Event for Group BP on your own.

  1. Use the task, ā€œCreate Business Process Definition (Default Definition)ā€, to create your new business process definition.

  1. On your next screen titled ā€œEdit Business Processā€, simply press OK. Before you can configure steps on the business process, youā€™ll need to set up the Business Process Security Policyā€¦

Step 4: Configure your business process security policies

  1. Click on the related actions button on the business process, hover over ā€œBusiness Process Policyā€, and click ā€œEditā€.

  1. Configure the permissions on the business process security policy at your organizationā€™s discretion (as you planned in Step 1!). To keep things simple, I recommend leveraging the Security Administrator and/or HR Administrator security groups.

  1. Activation time, once more! Navigate to the task, ā€œActivate Pending Security Policy Changesā€, leave a solid comment, and press OK.

Step 5: Configure your business process definitions

Now for the fun partā€”where the magic of this upgrade happens! šŸŖ„ Letā€™s set up the business process steps.

  1. Navigate back to the business process, click on the related actions button, hover over ā€œBusiness Processā€, and click ā€œEdit Definitionā€.

  1. Add your business process steps per your organizationā€™s defined policy. Click the ā€œ+ā€ button to add rows. The permissions you set up in Step 4 on the BP security policy determine which steps you can assign to which security groups.

  1. Donā€™t forget to set your completion step, typically the last approval in your definition.

  1. Other setup steps to consider here areā€¦

    • Advanced Routing - for example, exclude initiators from approving their own assignments.

    • Business Process Validations - are there situations in which initiation should be blocked, or slowed with a warning?

    • Business Process Conditions - should certain steps be skipped if specified conditions are or are not met?

Step 6: Set up custom business process notifications (if you want!)

This step is totally optional! To add custom notifications, click on the related actions button on the business process, hover over ā€œBusiness Processā€, and click ā€œAdd Notificationā€.

Step 7: Disable the old functionality

Now that youā€™ve got the new functionality in place, thereā€™s no reason to keep the legacy tasks in play (unless you want to make a big oleā€™ mess out of your audit trails šŸ˜µā€šŸ’«).

Hereā€™s how to disable the old tasks once and for allā€¦

Navigate to the task, ā€œMaintain Feature Opt-Insā€, find the ā€œDisable User-Based Security Group Assignment Taskā€ item (filter the column to be speedy!), and click the ā€œOpt In to Featureā€ button:

By disabling the existing tasks, all user-based security group assignment changes will go through the new business process. To confirm youā€™ve successfully disabled the tasks, check the related actions on a user-based security group. Only one initiation option should remain, ā€œUpdate Membershipā€:

Before

After

Workday hasnā€™t specified a deprecation date yet, however, the non-workflow-enabled tasks will be deprecated down the road. Since you are proactively implementing the new functionality, you wonā€™t be scrambling when that day comes šŸ˜Ž

Step 8: Test!

Use the Update User-Based Security Group Assignments initiating task to test the ā€œUser-Based Security Group Event for Userā€ BP.

And use the Update User-Based Security Group Membership initiating task to test the ā€œUser-Based Security Group Event for Groupā€ BP.

Test plentiful scenarios! Ensure every piece of configuration you set up is put to the test, including routing rules, BP validations, BP conditions, custom notifications, etc.

Step 9: Document your new setup, and educate your team

This is a crucial step that is so often forgotten or skipped. Before you go live in PROD, document your configuration and train your team on your new processes and policies. Ahead of going live, your team should feel empowered to utilize and own your upgraded setup.

At this stage, for our clients, we typically deliverā€¦

āœ… User guides with clear screenshots (kind of like what youā€™re reading right now šŸ˜œ).

āœ… Custom demo videos using our favorite recording software, Tella.

āœ… Live training sessions with key stakeholders and end users (we record these so they can be rewatched!).

Step 10: Go live in PROD šŸ

Itā€™s that time! šŸ„³ Complete the following setup steps manually in Production:

  • Step 2: Enable the new domain, ā€œProcess: User-Based Security Group Eventā€

  • Step 3: Create your new business processes

  • Step 4: Configure your business process security policies

  • Step 7: Disable the old functionality

For maximum efficiency, migrate your business process definitions (the following steps) using Object Transporter:

  • Step 5: Configure your business process definition

  • Step 6: Set up custom business process notifications (if you want!)

To migrate your BP (including any custom notifications), click the related action button on the BP, hover over ā€œInstanceā€, and click ā€œMigrate with Object Transporter (FYI - Workday dropped the 2.0 from OXā€™s name with 2024R2).

As you deploy your setup in PROD, ensure you complete your configuration steps in order.

And there you have itā€”your security upgrade mini project is COMPLETE!

šŸŽ‰šŸŽ‰šŸŽ‰

As always, thank you for reading!

Weā€™re celebrating you and your pursuit of a Well Built Workday šŸ„³ 

Until next time!

Ceci & Mia

Co-Founders of Well Built Solutions

Say hi šŸ‘‹ on LinkedIn ā€” @ceciblomberg, @miaeisenhandler

P.S. When youā€™re ready, hereā€™s how we can helpā€¦

Learn Workday calculated fields: Master calculated fields in Workday once and for all with our free 34-part ā›…ļø Calculated Fields Demystified šŸŒ¤ļø LinkedIn series.

Accomplish your phaseX projects: Crush your organizationā€™s Workday roadmap, get your projects done well, and have fun while you do it!

Get Workday guides and training: Custom documentation and training videos that upskill your team and workforce. Book a call with us to learn more.

Reply

or to participate.