Learn what changes when you transition from level-based access security to access rules.
Access rules define specific intersections of data that users or groups can edit or view.
When you transition to access rules:
- Some capabilities are discontinued, changed, or restricted. You may need to take some actions before Workday can enable access rules.
- Default rules are automatically created to mimic your current level-based security.
- Creating access rules is a two step process. First you secure the dimensions, then you use the secured dimensions to create the rules. Securing dimensions does not affect access until you create the rule.
New to access rules? See the Access Rules Overview.
Once Workday enables access rules for your instance, you can't turn it off.
Transition Basic Steps
- Review the Discontinued, Restricted, or Changed Capabilities. Take any necessary actions to prepare for access rules.
- Submit a Support Request.
Complete the online form with your request. You may request a sandbox to test access rules.
- View or change your default rules.
- (Optional) Migrate the access rules to your live instance from your sandbox.
Discontinued , Restricted, or Changed Capabilities
With access rules, these capabilities are discontinued:
- Discovery Classic
- Shared reporting dashboards
- Reclassification rules
- The Data Visibility option on shared reports
- Sample reports
- SOAP APIs
If applicable, take these before submitting the request:
- Transfer all the Discovery Classic charts to dashboards. See Import Perspectives to the Dashboards User Interface.
- Use Announcements to recreate shared reporting dashboards. See Create Announcements. Find all your personal reporting dashboards in your Reports personal folder.
- Delete all reclassification rules. This deletes all data associated with the rules and could change your historical data in your actuals version.
Be aware of these items:
- When you saved shared reports, you had a Data Visibility option. The options showed users all the report data regardless of level ownership. With access rules, this option disappears. Users may not be able to run previously shared reports or they may see different data.
Restricted or Changed Capabilities
These APIs will only validate against API v22 for access rule compatibility:
- You need the new permission, System Audit Access, to:
- Run audit trail reports
- Build pattern reports
- Build or edit transaction reports
- Search cell notes
- The Access Model Management > Manage Allocations permission lets you manage allocations on all levels and all accounts, even those not granted through access rules.
- The Access Transactions permission no longer lets you edit transaction reports when you drill into data from sheets. To edit transaction reports, you need the System Audit Access permission, and you must go to Reports from the nav menu.
- Modeled and Cube Sheet Setting: Edit Dimension Values on Sheets is disabled for secured custom dimensions.
- Dimension Setting: Use on Levels and Data import automatically creates dimension values is disabled for secured custom dimensions.
- Without access rules, you can view data in sheets and reports in the levels that you own.
- With access rules, ownership doesn't control your access. You no longer need to own the level to open a level-assigned sheet. Instead, your access rules must grant you access to at least one level on the sheet.
- Level ownership managerial privileges don't change.
See Assign Owners to Levels for details.
Submit a Support Request
Access rules can have major affects on your model and how you plan. Consider how you want to use access rules. Use the table to know what to expect during the implementation process:
How you plan to use it:
Secure only levels to create access rules
|Secure accounts to create access rules||Secure custom dimensions|
||Not Likely||Consider||Your Professional Services rep will advise you.|
View and Change the Default Access Rules
As soon as you enable access rules, Adaptive Insights secures levels and creates rules. The rules mimic level ownership access for each user. To keep the user experience the same, the new rules assign Edit access to the owned levels.
You can review and then change the rules.
View Default Access Rules
- From the nav menu, select Administration.
- Select Access Rules.
The table displays the level-based default rules for each user.
For example, the VP of Sales owned the Sales level. The default rule is Edit access to the Sales level and all Sale's child levels. The child levels are not listed, but are always included. VP of Sales has Edit access to all accounts and all dimensions until you define more rules.
Admin's rule states that Admin has Edit access to the entire model because Admin has Edit access to the top level, Headquarters.
Change the Default Access Rules
- Secure more dimensions by adding them to the table. Once you add dimensions, you see them as columns in the table.