In my previous post “Business Process Booklet” I talked about regression testing business processes after making security changes. Today we talk reports.
While these two exercises are similar, today we are going to answer a slightly different question: not “how do I know what reports to change when making security updates?” But rather “how can I tell what reports in Workday a certain person or group can see?”; for example, managers.
This is actually not an easy task when you really think about it. There are both Custom and Workday delivered reports. The custom reports can be shared with specific users, groups, or the dreaded “All Authorized Users”. The Workday delivered reports are all inherently shared with “all authorized users” based on the data source of that report, and come in 2 types: Standard, and XpressO.
Where do we start??!!
For this we will look to our example: managers. We will also start with the easier, and more familiar subject of custom reports first.
To get started let's build a report I call “KOG_Custom Reports Shared with Prompted Group(s)”. Click below to download:
Once you have created the report, run it, and add Manager, Management Chain, and Manager’s Manager to the prompt it gives you. This will show you all custom reports in Workday specifically shared with Manager-based security groups. Download to Excel, and let’s move to custom reports shared with “All Authorized Users”.
Build the next report called “KOG_Custom Reports for All Authorized Users (Security Group Prompt)”. Click below to download:
You will need to build one calculated field for this report as well:
This will be a Lookup Related Value off the business object "Custom Report".
Lookup Field = Data Source
Related Value = Security Groups Needed
Once you are done, run the report and add Manager, Management Chain, and Manager’s Manager to the prompt it gives you. Pull that down to Excel also. Combine this report with the first report you ran, and you know have a true list of ALL the custom reports in Workday that your managers have access to.
Now let’s move to the Workday delivered reports.
Build the third report called “KOG_Workday Delivered Report Audit (Security Group Prompt)”. Click below to download:
Since you cannot edit the delivered reports there is no way to change the sharing, and thus all reports delivered by Workday are shared using the “All Authorized Users” setting. For each report, the authorized users setting is based on the data source of the report. If you have view access to the domain where the data source is stored, you see the report - simple. Because of this we only need to use one report to analyze the Workday delivered report access as opposed to the two we have already created to analyze custom reports.
Just like the previous two reports, add Manager, Management Chain, and Manager’s Manager to the prompt it gives you when you run the report, and download to Excel. Combine all 3 of these reports and you now have a list of ALL reports in Workday managers see and can search for.
Some of you might be asking yourselves, or yelling at me, “what about when a report is hidden?!” (For those who don’t know, there is a task in Workday called “Hide Workday Delivered Report” which allows you to hide Workday Delivered Reports from users. This impacts all security groups who would have had access to the hidden report: i.e. if you hide it from one, you hide it from all.) The short answer to the question is, you need to go look at the task itself for “Hide Workday Delivered Report” to see what reports are hidden. I have not found a way to do that in my report. If anyone out there knows, please share with the group!
Lastly, let me add a fourth report that can be fun if you need to get even more specific. Let’s say you have a specific manager whose access you want to know about.
Build the optional fourth report called “KOG_Custom Reports Shared with Prompted User(s)”. Click below to download:
Run this report with the manager in question’s name in the prompt. This will give you all reports shared with this particular worker, even if other managers do not see it! If you combine this list with the list you made with the first three reports, you will now see ALL reports that this particular manager can access in Workday.
It is also important to point out the fact that just because you can search for a report, and have access to run it, does NOT necessarily mean you will actually get data, or even have access to fill in one or more of the prompts on that particular report. The way a report is created and the associated calculated fields, filters, and prompts can all effect how and what data a report returns to the end user. If you need to dig into this, it tends to be on a report by report, and even a field by field activity. I will share a report that can help show what domains are required to see EVERYTHING in any particular report, but I’ll save that for a later post : )
As always, enjoy, and please feel free to share feedback, corrections, or other fun new ways to use these reports!