Security Test Runs

Workday organization changes are an everyday occurrence. Workers are transferred, terminated or promoted, so it is important that the Smart Security tests are able to keep up with these changes. Smart is able to support these changes by dynamically selecting objects against which to test.

Together with our recommended approach of testing security using key workers, Smart Security is able to more thoroughly test your security configuration, while being easier to maintain and update.

If you would like to discuss moving from a legacy security template to the new Security template, please contact smartcustomersupport@kainos.com

Change Detection

Smart is able to dynamically detect organization changes when testing your security configuration. Using custom reports, Smart can detect various objects at run-time, removing the need for users to manually update templates in the event something happens to the initial object that was detected.

For example, a typical test scenario takes a subject worker and detects what available actions/field permissions they can see against their manager. In the event the subject worker's manager changes, Smart will clearly alert the user to this change and allow them to decide the correct action to take.

Populating The Security Template

The Smart Security template has a number of options available for selection, designed to make it easy to build an initial security pack. On opening the template, users will see a template similar to the image shown below (a number of fields containing worker data have been filled in for demonstrative purposes).

There are a number of fields that can be changed as per the user's requirements. The fields are as follows:

  • Prebuilt Test Scenarios - Choice between Constrained/Unconstrained. In the context of Smart Security, Constrained are Role Based security groups, Unconstrained are User Based security groups.
  • Subject Username - The username in Workday of the subject worker (the worker whose security users would like to test). The subject username must also be entered as the name of the sheet (highlighted in the image above) for each sheet in the template. Due to limitations of Excel, this field cannot exceed 30 characters.
  • Security Group - The security group the subject worker belongs to. Only available when Constrained is selected.
  • Supported Org - The organization the subject worker supports. Only available when Constrained is selected. If using a Workday ID for this Organization, please note it must be in the format '{wid:XXXXXXXXXXXXXXXXXXXXXXXXXXX}'
  • Unsupported Org - An organization the subject worker does not support. Only available when Constrained is selected. If using a Workday ID for this Organization, please note it must be in the format '{wid:XXXXXXXXXXXXXXXXXXXXXXXXXXX}'
  • Test Case ID - A unique Test Case ID for each test case. The IDs entered into this field must be unique across every separate tab in the template.
  • Permission Type - Choice between Available Action/Field Permission. Available Actions are the related actions the subject worker can see on the object (e.g. Manager). Field Permissions are the visibility of certain fields to the subject worker on the object, from a reporting perspective. Changing this field will change the generated test actions.
  • Target - The object that you would like to test the security against. These targets are predefined by the reporting used by Smart and cannot be changed; however, they can be overridden.
  • Description - The description for each test is generated automatically based on the information provided above, or it can be manually overridden.
  • Object Type - The object type to test against (e.g. Employee, Supervisory, Cost Center, Company, Custom Organization). Only available when Manual Configuration is selected in Target field.
  • Object Name - The name of the above object. Only available when Manual Configuration is selected in Target field.
  • Object ID - The Workday ID of the above object. Only available when Manual Configuration is selected in Target field. If using a Workday ID for this object, please note it must be in the format 'wid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX'.
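As an added illustration (not Smart's own code), the field rules above expressed as a pre-upload check in Python: the sheet name must equal the Subject Username and be at most 30 characters, a Constrained sheet needs Security Group, Supported Org and Unsupported Org, Test Case IDs must be unique across tabs, Manual Configuration requires all three Object fields, and the two Workday ID shapes differ. The row model, treating WID content as hex, and checking the shape only of values that contain "wid:" (organizations may also be given by name) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
# Shapes documented above: organizations use '{wid:...}', Object ID uses 'wid:...'.
# Hex content and the "only values containing wid:" trigger are assumptions.
ORG_WID = re.compile(r"^\{wid:[0-9a-fA-F]+\}$")
OBJECT_WID = re.compile(r"^wid:[0-9a-fA-F]+$")

@dataclass
class TestCase:
    test_case_id: str
    permission_type: str      # "Available Action" or "Field Permission"
    target: str               # one of the Target menu options
    object_type: str = ""     # the three Manual Configuration fields
    object_name: str = ""
    object_id: str = ""

@dataclass
class Sheet:
    name: str                 # Excel sheet name
    subject_username: str
    scenario: str             # "Constrained" or "Unconstrained"
    security_group: str = ""
    supported_org: str = ""
    unsupported_org: str = ""
    cases: list = field(default_factory=list)

def validate(sheets):
    """Return human-readable problems for a pack; an empty list means it is valid."""
    problems, seen = [], {}
    for s in sheets:
        if s.name != s.subject_username or len(s.name) > 30:
            problems.append(f"{s.name}: sheet name must equal the subject username (max 30 chars)")
        if s.scenario == "Constrained":
            for label, value in (("Security Group", s.security_group),
                                 ("Supported Org", s.supported_org),
                                 ("Unsupported Org", s.unsupported_org)):
                if not value:
                    problems.append(f"{s.name}: {label} is required when Constrained")
                elif "Org" in label and "wid:" in value and not ORG_WID.match(value):
                    problems.append(f"{s.name}: {label} WID must look like '{{wid:...}}'")
        for c in s.cases:
            if c.test_case_id in seen:   # IDs must be unique across every tab
                problems.append(f"{s.name}: Test Case ID {c.test_case_id} already used on {seen[c.test_case_id]}")
            seen.setdefault(c.test_case_id, s.name)
            if c.target == "Manual Configuration":
                if not (c.object_type and c.object_name and c.object_id):
                    problems.append(f"{s.name}/{c.test_case_id}: Manual Configuration needs Object Type, Name and ID")
                elif "wid:" in c.object_id and not OBJECT_WID.match(c.object_id):
                    problems.append(f"{s.name}/{c.test_case_id}: Object ID WID must look like 'wid:...'")
    return problems
```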

All Available Actions

The Smart Security templates are pre-populated with a number of Available Actions assertions to test against in Workday. These are in the format "Menu | Action". While Smart will test for these actions initially, it will also test on all additional Available Actions for the objects specified. In the event that Smart detects additional actions on top of those specified in the template, it will report on these when viewing the test results.

More information is available in the section on Viewing Security Results.

Targets

Depending on the user's choice of Constrained or Unconstrained, the options available under the Target menu will change. The options are as follows:

Constrained

  • Manual Configuration
  • Employee from supported org
  • Contingent worker from supported org
  • Worker from another org of the same type that is not supported by the subject
  • Self
  • Manager
  • Workers own position
  • Managers position
  • Filled position from subjects supported org
  • Position from another org of the same type that is not supported by the subject
  • Subjects supported org
  • Another org of the same type that is not supported by the subject

Unconstrained

  • Manual Configuration
  • Self
  • Manager
  • Worker from same supervisory org
  • Worker from superior supervisory org
  • Worker from subordinate supervisory org
  • Workers own position
  • Managers position
  • Other worker position in the same supervisory org
  • Worker position from superior supervisory org - not manager
  • Worker position from subordinate supervisory org
  • Supervisory orgs - member
  • Supervisory orgs - not member
  • Company - member
  • Company - not member
  • Location Hierarchy - member
  • Location Hierarchy - not member
  • Cost Center - member
  • Cost Center - not member
  • Contingent Worker from the same org

Users are free to remove any tests from the template that they do not wish to test. To do this, select the columns containing the tests and delete them from the template.

If the predefined scenarios do not cover what is required, the Manual Configuration option can be selected under Target. Selecting this will activate the remaining three fields and allow users to manually define the Object Type, Object Name and Object ID of the specific object they wish to test against.

Additional Subject Workers

To add an extra subject worker to the template, users can simply create a copy of the sheet in Excel and change the Subject Username field, as well as update the sheet name to match the new username.

Security Template Uploads

Uploading a security test template follows a similar path to that of Business Processes or Integrations. Select Security under the Test Runs heading from the CREATE menu. Users will be presented with the screen below. Select the highlighted upload button and locate the required template to upload into Smart.

The Add a test pack hyperlink can be clicked to add extra Security templates at the bottom of the list.

Provide a unique name for the Security Test Pack and select Save test run. Tags can be added at this point to help easily identify the security pack when using filters in Smart.

Viewing Security Results

Once you have executed the test run you can view it to start the investigation process. Clicking a test run name will take you to the relevant test run details page. Here you can see execution details, a summary of the test results and all the test cases included in the run.

The test cases table provides enough detail to aid decision making around investigation. Data for the 'Test Case ID', 'Description' and 'Subject' columns comes from the test script. The 'Object' column shows the data that Smart has chosen to fulfil the scenario stated in the test script.

The 'Additional Info' column provides more context, highlighting if the object:

  • has changed since the last execution
  • is not visible to the subject
  • has new assertions since the last execution

If there was a problem during the test the 'Execution Status' will show the test cases affected.

The 'Result' is automatically calculated based on what the test finds.

Smart will attempt to use the same target objects at re-execution. If there are no changes then the result is set to passed. The result will be set to failed when:

  • the expected and actual assertions are different
  • available actions are added or removed
  • the target object has changed, and this has caused a change in the assertions

In instances where Smart is unable to detect an object, the result is set to blocked.

Reviewing Security Changes

Failed Tests

In the following scenario a change has granted this worker access to view Benefits actions.

The failed result is because the actual and expected assertions are different. You should review the 'Actual' column in the 'Assertions' table to ensure they are as expected.

The 'Change Type' column tells you whether the item:

  • is new for this worker
  • has been granted
  • has been revoked

Expected differences can make use of the 'Accept and Pass' button to accept the changes. This will update the results and override 'Expected' with the 'Actual' results found. We recommend leaving a comment to provide context when reviewing tests.

If changes were not expected, you can 'Dismiss' the info message and leave the test as failed. This should prompt an investigation of your security configuration.

In the scenario where there is a change to the target object you can follow the same process. Check the assertions are as expected and 'Accept and Pass' the test case.

If the target object Smart selected is not suitable you should 'Dismiss' the info message and:

  • amend the configuration and re-execute
  • change the data in the test script

Blocked Tests

If Smart is unable to find an object that meets the scenario in the test script, it will set the test to blocked. For example, a test is 'Blocked' when there is no subordinate organization below the subject's organization.

If the scenario is valid but temporarily returns no object, you should 'Accept and Pass' the test case. Smart will continue to try to find an object matching the scenario at every re-execution. When it does find a suitable object, it will 'Fail' the test to prompt investigation.
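The result rules from Viewing Security Results (passed/failed/blocked), the 'Change Type' classification and 'Accept and Pass' from Failed Tests, and the blocked-then-found behaviour just described, as an added Python example that is not Smart's own code. Representing each "Menu | Action" assertion as a boolean visibility, and reading 'new' as an action the template never listed versus 'granted' as a listed action that became visible, are assumptions of this example.

```python
from dataclasses import dataclass, field

PASSED, FAILED, BLOCKED = "passed", "failed", "blocked"

@dataclass
class TestResult:
    result: str
    changes: dict = field(default_factory=dict)  # "Menu | Action" -> new/granted/revoked
    info: list = field(default_factory=list)     # 'Additional Info' style messages

def diff_assertions(expected, actual):
    """Classify every 'Menu | Action' whose visibility to the subject differs.

    expected/actual map an assertion to a bool. Assumed meaning of the Change
    Types: 'new' = found by Smart but never listed in the template,
    'granted'/'revoked' = a listed action that became visible / hidden."""
    changes = {}
    for key in sorted(set(expected) | set(actual)):
        before, after = expected.get(key), actual.get(key, False)
        if before is None:
            if after:
                changes[key] = "new"
        elif after and not before:
            changes[key] = "granted"
        elif before and not after:
            changes[key] = "revoked"
    return changes

def evaluate(expected, actual, object_found=True, object_changed=False, previous_result=None):
    """Blocked when no object could be detected; failed when assertions differ or a
    previously blocked scenario now yields an object; otherwise passed. A changed
    target object alone is only reported as info, not a failure."""
    if not object_found:
        return TestResult(BLOCKED, info=["no object matches the scenario"])
    info = ["target object has changed since the last execution"] if object_changed else []
    changes = diff_assertions(expected, actual)
    if previous_result == BLOCKED:
        info.append("object now found for a previously blocked scenario; review required")
        return TestResult(FAILED, changes, info)
    return TestResult(FAILED if changes else PASSED, changes, info)

def accept_and_pass(expected, actual):
    """'Accept and Pass': the 'Actual' assertions become the new 'Expected'.
    Baselining applies the same overwrite to every test in the pack."""
    return dict(actual)
```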

Re-execution

As part of the regular re-execution of security tests, the functionality provided by Smart Security will make it easier to understand when a test should be reviewed. The ability to accept or dismiss the results, as well as add comments, will greatly increase the value of Smart Security from a functional perspective, as well as an auditing perspective.

Security Baseline Process

When running Smart Security tests, a functionality known as "Baselining" is available to assist in the maintenance of the security packs. This option is available when executing a new security pack, or when re-executing an existing pack, by selecting the Retrieve latest baseline results checkbox on the test execution screen.

With this box checked, Smart will take the current list of Available Actions in the Workday tenant and overwrite the existing values in the template. There are two common scenarios in which this functionality is used:

  • Creating a new Smart Security test pack - When creating a new Smart Security test pack, the baseline functionality can be used on the initial run as a way to pull back the current security configuration of the Workday tenant.
  • Re-executing an existing Smart Security test pack - When running a Smart Security test pack without the baseline functionality enabled, Smart will report back on any changes in the pack as described in the section on Reviewing Security Changes. In these cases the tests can be verified and accepted/passed on a per-test basis; alternatively, the entire test pack can be re-run with the baseline functionality enabled to accept all of these changes in bulk.

The following image shows our recommended approach to the baseline process if you have an already existing Smart Security test pack.

For any further information on Smart Security, please contact the support team at smartcustomersupport@kainos.com.