Read time:ย 8 minutes

Hey there! Managing user-based security group assignments has been a major pain point for Workday customers for years on endโ€ฆ

Until now! Those days are finally behind usโ€”if you implement the new functionality ๐Ÿ˜

In todayโ€™s newsletter, Iโ€™m sharing a step-by-step guide to help you successfully upgrade your security setup.

With 2024R1 and 2024R2, Workday released two new business processes that replace the old, non-workflow-enabled tasks for assigning user-based security groups. With these business processes, we say goodbye toโ€ฆ

๐Ÿ‘Ž Lack of approvals and process visibility
๐Ÿ‘Ž Compliance risks / SOC concerns galore
๐Ÿ‘Ž Lousy delivered and custom reporting

The User-Based Security Group Event for User business process replaces the โ€œAssign User-Based Security Groups for Personโ€ task for assigning / removing multiple user-based security groups for a user (2024R1).

And the User-Based Security Group Event for Group business process replaces the โ€œAssign Users to User-Based Security Groupโ€ task for assigning / removing multiple users from a single user-based security group (2024R2).

Out with the old and in with the new! Seriously, donโ€™t sleep on implementing these game-changing upgrades.

Without further ado, grab your coffee or tea, and letโ€™s get this party started! ๐Ÿ’ƒ๐Ÿป

Step 1: Plan your projectโ€”the well built way!

The best way to ensure your Workday initiatives are successful, no matter how mini or massive the undertaking, is to structure your work as projects. Whether youโ€™re rolling out a new module or simply deploying a new business process, a โœจ project structure โœจ inspires accountability, organization, and execution.

So before we dive into configuring your security upgrade, letโ€™s set you up for success! The more thought you put into this step, the better your deployment will be.

You can think of this implementation as a mini project. Here are your phases and steps:

  • Plan:

    • Step 1: Project planning: Team, timeline, requirement gathering

  • Configure:

    • Step 2: Enable the new domain, โ€œProcess: User-Based Security Group Eventโ€

    • Step 3: Create your new business processes

    • Step 4: Configure your business process security policies

    • Step 5: Configure your business process definitions

    • Step 6: Set up custom business process notifications (if you want!)

    • Step 7: Disable the old functionality

  • Test:

    • Step 8: Test!

  • Document and empower:

    • Step 9: Document your new setup and educate your team

  • Deploy:

    • Step 10: Go live in PROD ๐Ÿ

For this mini project, you can split planning into 3 stepsโ€ฆ

  1. Build your team - who is responsible for each step of this project?

  2. Establish a project timeline - how long do you expect each project phase to take? Hereโ€™s a high-level 6-week sample timeline. You can tighten or extend this to match your teamโ€™s pace and bandwidthโ€ฆ

    • Plan (2 weeks)

    • Configure (1 week)

    • Test (1 week)

    • Document and empower (1 week)

    • Deploy (1 week)

  3. Requirement gathering: What information do you need to implement this upgrade? Focus onโ€ฆ

    1. BP definition workflows - what steps, actions, and/or approvals should kick off in Workday when a user-based security group assignment or removal is initiated for a) one user for one or more groups and b) one group for one or more user? Map these workflows in detail.

    2. BP security policies - who / which security groups will have which business process access? Consider all permissions on each BP security policy. Here are a few heavy hittersโ€ฆ

      • Initiate, Review, View All (Needed to view the event data for reporting), Approve, Cancel, Deny

    3. Custom notifications - do you need to notify workers, security groups, and/or third parties with specific information when a user-based security group assignment or removal is completed?

    4. Change management - who needs to be trained on this upgrade? How will you inform, educate, and empower them?

Alright! ๐Ÿ’ช That was no easy featโ€”but getting the details right from the get-go is a winning strategy (and we want you to win!). With this preparation complete, youโ€™re ready to cruise through the rest of this mini project ๐Ÿ˜Ž So letโ€™s get to itโ€ฆ

Step 2: Enable the new domain, โ€œProcess: User-Based Security Group Eventโ€

  1. Navigate to the domain, โ€œProcess: User-Based Security Group Eventโ€. Your quickest way there is to use the prefix โ€œdomain:โ€ in the search bar.

  1. Click the related action button next to โ€œDomain Security Policyโ€, hover over โ€œDomain Security Policy,โ€ and click โ€œEnableโ€. Check the โ€œConfirmโ€ box and press OK.

  1. This domain automatically inherits its parent domainโ€™s permissions (Security Administration). I recommend leaving these settings in place, but hereโ€™s how to edit the permissions more granularly:

    • Click on the related action button on the domain, hover over โ€œDomain Security Policyโ€, and click โ€œEdit Permissionsโ€. Update the View, Modify, Get, and Put permissions as desired, then click OK.

  1. Activation time! ๐Ÿ’ฅ A critical step to never forget. Navigate to the task, โ€œActivate Pending Security Policy Changesโ€, leave a detailed comment, and press OK.

Your domain will now have a Status of โ€œActiveโ€ ๐ŸŽ‰

Step 3: Create your new business processes

There are two new business processes youโ€™ll need to create:

  1. User-Based Security Group Event for User

  2. User-Based Security Group Event for Group

In this guide, weโ€™ll walk through setting up the User-Based Security Group Event for User BP. You can then follow the same steps to set up the User-Based Security Group Event for Group BP on your own.

  1. Use the task, โ€œCreate Business Process Definition (Default Definition)โ€, to create your new business process definition.

  1. On your next screen titled โ€œEdit Business Processโ€, simply press OK. Before you can configure steps on the business process, youโ€™ll need to set up the Business Process Security Policyโ€ฆ

Step 4: Configure your business process security policies

  1. Click on the related actions button on the business process, hover over โ€œBusiness Process Policyโ€, and click โ€œEditโ€.

  1. Configure the permissions on the business process security policy at your organizationโ€™s discretion (as you planned in Step 1!). To keep things simple, I recommend leveraging the Security Administrator and/or HR Administrator security groups.

  1. Activation time, once more! Navigate to the task, โ€œActivate Pending Security Policy Changesโ€, leave a solid comment, and press OK.

Step 5: Configure your business process definitions

Now for the fun partโ€”where the magic of this upgrade happens! ๐Ÿช„ Letโ€™s set up the business process steps.

  1. Navigate back to the business process, click on the related actions button, hover over โ€œBusiness Processโ€, and click โ€œEdit Definitionโ€.

  1. Add your business process steps per your organizationโ€™s defined policy. Click the โ€œ+โ€ button to add rows. The permissions you set up in Step 4 on the BP security policy determine which steps you can assign to which security groups.

  1. Donโ€™t forget to set your completion step, typically the last approval in your definition.

  1. Other setup steps to consider here areโ€ฆ

    • Advanced Routing - for example, exclude initiators from approving their own assignments.

    • Business Process Validations - are there situations in which initiation should be blocked, or slowed with a warning?

    • Business Process Conditions - should certain steps be skipped if specified conditions are or are not met?

Step 6: Set up custom business process notifications (if you want!)

This step is totally optional! To add custom notifications, click on the related actions button on the business process, hover over โ€œBusiness Processโ€, and click โ€œAdd Notificationโ€.

Step 7: Disable the old functionality

Now that youโ€™ve got the new functionality in place, thereโ€™s no reason to keep the legacy tasks in play (unless you want to make a big oleโ€™ mess out of your audit trails ๐Ÿ˜ตโ€๐Ÿ’ซ).

Hereโ€™s how to disable the old tasks once and for allโ€ฆ

Navigate to the task, โ€œMaintain Feature Opt-Insโ€, find the โ€œDisable User-Based Security Group Assignment Taskโ€ item (filter the column to be speedy!), and click the โ€œOpt In to Featureโ€ button:

By disabling the existing tasks, all user-based security group assignment changes will go through the new business process. To confirm youโ€™ve successfully disabled the tasks, check the related actions on a user-based security group. Only one initiation option should remain, โ€œUpdate Membershipโ€:

Before

After

Workday hasnโ€™t specified a deprecation date yet, however, the non-workflow-enabled tasks will be deprecated down the road. Since you are proactively implementing the new functionality, you wonโ€™t be scrambling when that day comes ๐Ÿ˜Ž

Step 8: Test!

Use the Update User-Based Security Group Assignments initiating task to test the โ€œUser-Based Security Group Event for Userโ€ BP.

And use the Update User-Based Security Group Membership initiating task to test the โ€œUser-Based Security Group Event for Groupโ€ BP.

Test plentiful scenarios! Ensure every piece of configuration you set up is put to the test, including routing rules, BP validations, BP conditions, custom notifications, etc.

Step 9: Document your new setup, and educate your team

This is a crucial step that is so often forgotten or skipped. Before you go live in PROD, document your configuration and train your team on your new processes and policies. Ahead of going live, your team should feel empowered to utilize and own your upgraded setup.

At this stage, for our clients, we typically deliverโ€ฆ

โœ… User guides with clear screenshots (kind of like what youโ€™re reading right now ๐Ÿ˜œ).

โœ… Custom demo videos using our favorite recording software, Tella.

โœ… Live training sessions with key stakeholders and end users (we record these so they can be rewatched!).

Step 10: Go live in PROD ๐Ÿ

Itโ€™s that time! ๐Ÿฅณ Complete the following setup steps manually in Production:

  • Step 2: Enable the new domain, โ€œProcess: User-Based Security Group Eventโ€

  • Step 3: Create your new business processes

  • Step 4: Configure your business process security policies

  • Step 7: Disable the old functionality

For maximum efficiency, migrate your business process definitions (the following steps) using Object Transporter:

  • Step 5: Configure your business process definition

  • Step 6: Set up custom business process notifications (if you want!)

To migrate your BP (including any custom notifications), click the related action button on the BP, hover over โ€œInstanceโ€, and click โ€œMigrate with Object Transporter (FYI - Workday dropped the 2.0 from OXโ€™s name with 2024R2).

As you deploy your setup in PROD, ensure you complete your configuration steps in order.

And there you have itโ€”your security upgrade mini project is COMPLETE!

๐ŸŽ‰๐ŸŽ‰๐ŸŽ‰

As always, thank you for reading!

Weโ€™re celebrating you and your pursuit of a Well Built Workday ๐Ÿฅณ

Until next time!

Ceci & Mia

Co-Founders of Well Built Solutions

Say hi ๐Ÿ‘‹ on LinkedIn โ€” @ceciblomberg, @miaeisenhandler

โ˜Ž๏ธ Book a free Well Built discovery call

๐Ÿš€ Sponsor the Well Built Solutions Newsletter

P.S. When youโ€™re ready, hereโ€™s how we can helpโ€ฆ

Learn Workday calculated fields: Master calculated fields in Workday once and for all with our free 34-part โ›…๏ธ Calculated Fields Demystified ๐ŸŒค๏ธ LinkedIn series.

Accomplish your phaseX projects: Crush your organizationโ€™s Workday roadmap, get your projects done well, and have fun while you do it!

Get Workday guides and training: Custom documentation and training videos that upskill your team and workforce. Book a call with us to learn more.

Reply

Avatar

or to participate

Keep Reading