Many real-time scenarios cannot be addressed by user-based and role-based security groups alone. In such situations we can use other security group types: intersection security groups, aggregation security groups and segment-based security groups.
Intersection Security Groups:
An intersection security group is a security group type in which we combine one or more security groups of different types to intersect their members and constraints. An important point is that an intersection security group includes only the workers who meet all the specifications for membership.
- We can exclude workers in specified security groups from membership.
- We cannot include other intersection security groups in the intersection.
Real-time utilization of Intersection security groups:
- Intersecting role-based security groups that are enabled for different organizations (e.g. constraining access to workers in a supervisory organization who belong to a certain location hierarchy, such as European workers in the Marketing department)
- Limiting certain self-service or certain functionality to a certain population. (e.g. comp-off only to support team employees)
- Hiding populations and excluding target instances that users would have otherwise seen (e.g. hide sensitive workers, hide HR from HR)
Intersecting Role-Based Groups:
The most common use of intersection security groups is to intersect constrained role-based security groups.
For example, suppose we have an HR Partner role enabled for supervisory organizations and an HR Partner by Location role enabled for the location hierarchy. These are two separate roles with separate role-based security groups.
In this instance, this HR Partner would support Canadian workers in the Sales organization.
Aggregation Security Groups:
This type of security group allows you to combine existing security groups so that individuals in any of the specified security groups are included as members. Included group members retain their target access constraints.
- We can also optionally exclude workers in specified security groups from membership.
For example, the Workbench Group aggregation security group contains several security groups. The members of any of these security groups become members of this aggregation security group and have access to the Workbench-Landing page Domain.
Benefits of Aggregation Security Group:
- This helps to grow and scale horizontally, by adding more security groups that need the given common access without impacting policies or business process definitions.
- It provides stable security policies despite broader organizational and staffing changes.
- It can include intersection security groups without impacting security policies or business process definitions.
Segment-Based Security Group:
A segment-based security group allows an additional level of security within a domain by limiting access to specified values of a given secured item. We generally use segment-based security groups in security policies to restrict access to segmented items. Workday provides a few securable items for segmentation, such as:
- Pay Components
- Expense items
- Learning categories
- Integration systems
- Documentation Categories.
Segment-based security groups provide membership based on existing security groups, such as job-based, role-based, or user-based groups. These security groups can be constrained or unconstrained.
DIFFERENCES IN SECURITY GROUP TYPES:
| Security Group Type | How is membership determined? | How is a member’s target access constrained? | Examples |
|---|---|---|---|
| User-based (U) | Manually assigned | No constraints | Security Administrator Limited, Supplier Auditor, Compensation Administrator |
| Role-based (C/U) | Based on role assignment | Organization(s) assignments. Access to subordinate organizations is determined by security group access rights | Compensation Partner, IT Support Specialist, Accounts Payable Manager |
| Intersection (Mixed) | Members are those in all the included security groups. | Access is constrained to targets in all included organizations. | Compensation Partner Intersection |
| Aggregation (Mixed) | Members are those in any of the included security groups. | Constraints for each included security group are retained. | Workbench Group, Compensation Partner Aggregation |
| Segment-based (C) | Members are those in included security groups. | Access is constrained to a segment of values | Expense Items for German workers, Worker documents for Benefits Partners |
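The membership and target-access rules for intersection and aggregation groups, worked through on the HR Partner scenario as an added example. This is a simplified model written for this page, not Workday code or a Workday API; every class, user and organization name in it is constructed.

```python
# Simplified model of the intersection/aggregation rules described above.
# Not Workday's API: all class, group, user and organization names are constructed.

class RoleGroup:
    """Constrained role-based group: user -> organizations the role is assigned for.
    Subordinate-organization inheritance is left out of this model."""
    def __init__(self, name, assignments):
        self.name = name
        self.assignments = assignments

    def members(self):
        return set(self.assignments)

    def can_access(self, user, target_orgs):
        return bool(self.assignments.get(user, set()) & target_orgs)

class CompositeGroup:
    def __init__(self, name, include, exclude=()):
        self.name, self.include, self.exclude = name, list(include), list(exclude)

    def _excluded(self):                          # workers removed from membership
        return set().union(*(g.members() for g in self.exclude))

class Intersection(CompositeGroup):
    def __init__(self, name, include, exclude=()):
        if any(isinstance(g, Intersection) for g in include):
            raise ValueError("an intersection cannot include another intersection group")
        super().__init__(name, include, exclude)

    def members(self):                            # must be in ALL included groups
        return set.intersection(*(g.members() for g in self.include)) - self._excluded()

    def can_access(self, user, target_orgs):      # every included constraint must match
        return user in self.members() and all(
            g.can_access(user, target_orgs) for g in self.include)

class Aggregation(CompositeGroup):
    def members(self):                            # in ANY included group
        return set().union(*(g.members() for g in self.include)) - self._excluded()

    def can_access(self, user, target_orgs):      # each group keeps its own constraint
        return user in self.members() and any(
            g.can_access(user, target_orgs) for g in self.include)

# Constructed sample data: amy holds both roles, bob and cho hold one each.
hr_partner = RoleGroup("HR Partner", {"amy": {"Sales"}, "bob": {"Sales"}})
hr_by_location = RoleGroup("HR Partner by Location", {"amy": {"Canada"}, "cho": {"Germany"}})
both = Intersection("HR Partner Intersection", [hr_partner, hr_by_location])
either = Aggregation("HR Partner Aggregation", [hr_partner, hr_by_location])
```

When reviewing a security policy, the difference matters: swapping an intersection for an aggregation of the same groups widens both membership and the set of reachable targets.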