AGGREGATION SECURITY
Aggregation security groups
Aggregation security groups allow you to combine existing security groups so that individuals in any of the specified security groups are members. Included groups retain their target access constraints. You can also, optionally, exclude workers in specified security groups from membership. Use aggregation groups to ease maintenance when several security groups have common access requirements. Aggregation security groups allow you to scale or change your support model without affecting the end security policy configuration.
Aggregation security
Aggregation security groups allow you to combine existing security groups such that individuals in any of the specified security groups become members. Included groups retain their target access constraints. This security group type reduces maintenance by serving as the common access point in your security design. This very powerful security group type can help you meet complex access requirements, as well as ease your maintenance over time.
AGGREGATION IN BUSINESS PROCESS DEFINITIONS
Consider another advantage of aggregation security groups, beyond alleviating security policy maintenance: you can use them in business process definitions. Aggregation security groups preserve the underlying constraints of each included security group. By routing a business process step to an aggregation security group, Workday routes the step based on the context of the given transaction or event. The member of the included security group that can access the target context of the event will receive the step.
True or False? After adding a security group to an aggregation security group that is already in use, you must activate pending security policy changes before testing.
False. A benefit of using aggregation security group is that you can add security groups to an existing aggregation without needing to modify the security policies.
BENEFITS OF AGGREGATION
Key benefits of aggregation include: • Ability to grow and scale with additional security groups that need common access without impacting security policies. • Stable security policies despite broader organizational and staffing changes. • Capacity to "top off" access for individually for included security groups. • The option to include intersection security without impacting security policies or business process definitions.
An aggregation security group contains constrained service center security groups for different regions. If an approval step is routed to the aggregation group, who receives the action step?
Members with target access based on the context of the event.
Workday enables you to grant third-party users access to Workday to perform allowed tasks using Service Center security groups. You can constrain third-party user access to support specific organizations using service center constrained security groups.
SERVICE CENTER CONFIGURATION 1. Create a service center. 2. Create service center representatives for the service center. There will be one service center representative for each third-party user. 3. Create a Workday account for each service center representative so that they can sign in to the tenant. 4. Create a service center security group (constrained or unconstrained) for the service center. A. Members of the security group will be all service center representatives in that service center. B. Configure access rights to target instances for defined organizations, if constrained. 5. Include the service center security group in needed domain or business process security policies. 6. Activate pending security policy changes. 7. Test.
Service center security - USE IN AGGREGATION
Service center security groups are another use case for aggregation. Using an aggregation group that includes multiple service centers makes it easy to add additional service centers. Instead of adding each new service center security group to the needed domain security policies and activating the changes, you simply add them to the aggregation security group.
ADDING OR REMOVING ACCESS
The aggregation security group represents the minimum common access required for included security groups. You can then add additional access to the included security groups separately as needed. Example: The Mexico service center requires additional access in Workday. You can add the service center security group directly to any additional domain security policies without impacting the access for the aggregation security group.
COMMON USE CASES FOR AGGREGATION SECURITY
There are three common use cases in which aggregation security can help meet security requirements with a scalable and maintainable design: 1. With segment-based security groups. 2. With service center constrained security groups. 3. With your support model.
True or False? Aggregation security groups can contain any security group type except for rule-based or other aggregation security groups.
True
True or False? Once you have configured the aggregation security group, you cannot take away partial access from an included security group. All included security groups will have the full access of the aggregation security group.
True
CREATING AN AGGREGATION SECURITY GROUP
When you create an aggregation security group, you may specify security groups to include as well as security groups to exclude. Members are in any of the included groups, as long as they are not in an excluded group.
Aggregation security summary
• Aggregation security groups allow you to include security groups that need common access in end security policies. • Common uses for aggregation security groups are segment-based access, support model access, and service-center constrained security models. • Aggregation security groups allow for scaling and ease of maintenance.
