Workday Data Access Strategy

EDGC Decision Date: March 11, 2024

Decision: Workday Data Access Strategy

Decision

The request is for the EDGC to approve the proposed Workday Data Access Strategy. That strategy can be summarized as the creation of 4 specific analyst (view) roles that are given access to view data within Workday. However, data elements that are deemed sensitive per UW policies will be restricted regardless of the analyst role a user is assigned.

Background

Workday’s security model gives organizations a lot of flexibility to customize what users can see in the system. However, other large universities that have implemented Workday have cautioned that such flexibility often leads to overly, and unnecessarily, complex security models. With that in mind, ATP has developed a recommendation that balances the need to protect sensitive data with the need to keep the security model simple and manageable.

Problem Statement:

  • Need to protect sensitive data when necessary.
  • Data access within Workday is complex – it’s an intersection of the security roles assigned to the position, how a report is shared, and how the data is secured.
  • Most UW users will need to see more information than they will need to act on.
  • Need to ensure that users have access to (can see) the data they need to do their jobs on day one.
  • Want to create a seamless user experience by delivering curated reports to workers based on system access.

The Recommended Solution:

  1. Protect elements that are required to be protected – Know what data we need to protect and limit access to it.
  2. Allow view to everything else – Create a limited amount of “view” roles that allow access within a domain and across domains when needed.

How ATP Plans to Implement:

ATP plans to start with the creation of 4 analyst roles (“analyst” roles allow users to view things in Workday). This list will likely grow as this concept is built out. There will be data that is not aligned with HR or Finance (audit logs, security roles, etc.) that will need to be accommodated. The 4 starting roles are:

  1. HR data for HR professionals
  2. HR data for non-HR professionals
  3. Finance data for Finance professionals
  4. Finance data for non-finance professionals

For each analyst role, ATP will review to ensure that data elements that fall within a protected classification are restricted from access, regardless of which of the 4 analyst roles a user may have. Such analysis will be conducted with current UW data classification and data protection policies as guides. After the analyst roles are created, with data restricted, ATP will test to ensure that access to data is as expected before assignment to end users.

Benefits of this approach (based on our principles)

  • Enables Access to Data – This is one of the primary principles ATP was founded on. Our current data landscape at the UW is one in which many end users have access to a lot of data (WISER, OBIEE, etc.). This approach allows us to carry this forward.
  • Just Enough Complexity – A common pitfall of Workday implementation is a complex security model that is unmanageable post-go-live. This approach keeps the analyst (view) roles simple to manage.
  • Four mores – More data, to more people, more easily, for more purposes.
  • Workday First – With this broader view access, we can keep users within Workday to view data and access reports when it makes sense.
  • Future proofing our technology – Do not back ourselves into customization corners or one-off solutions.

Implications for EAP

The EAP security model (access to data via Tableau) will be based on the Workday approach. This keeps the two consistent, so that users have access to similar data in both places. Once the roles are built within Workday, assignments can be fed to EAP to replicate. Personally Identifiable Information (e.g., SSN) will be secured within EAP with a tokenization strategy.

Who Developed the Recommendation?

  • Kurt McMillen – ATP Data & Reporting Strategy Lead
  • Susie Maloney – ATP Finance Strategy Lead
  • Allion Niles – ATP Human Resources Strategy Lead
  • Nysa Stryker – ATP Cross-Functional Strategy Lead
  • Stacy Scholtka – UWSA, Chief Technology Officer
  • Brad Roll – Workday Data & Reporting Strategy Lead

Who Was Consulted in the Development of the Recommendation?