Welcome to Authorization in Software, the podcast that explores everything you need to know about Authorization. I'm your host, Damian Schenkelman, and in each episode we dive deep into Authorization with industry experts, as they share their experiences and insights with you. If you're a software developer, or just someone that's interested in the world of Authorization in software in general, you are in the right place. Let's get started.

My name is Damian Schenkelman, and today I'm chatting about how Workday approaches Authorization with Jennifer Wong, Director of Product Management at Workday. Hey Jennifer, it's great to have you here.

Thank you, I'm so excited to be part of this.

To get started, could you give our listeners a brief overview of your background?

Sure, I've been with Workday for 10 years, and over the years I've been leading product management across different platform solutions across Workday: from business processes, organization hierarchies, and most recently, security. What do I mean by platform solutions? Well, as Workday continues to grow and build new products and features, all these new products and features are built upon a common platform, reusing the same organization framework, the same business process framework, the same security framework, etc. This allows customers, our Workday customers, to utilize a single org structure, the same set of security groups, etc., to customize for the new products to their needs, which reduces their time from value to value creations and realization. With that background, I lead product management for application security with reusability in mind. We do not offer point solutions for our application. Workday offers applications and technology that work together to accelerate interoperability and business agility.

That makes sense.
We've had a few folks working on this platform, reusable component teams, both from an infrastructure and a security perspective, on the podcast, talking about how they help their companies with authorization. Let's start with the business: why is authorization important at Workday? And what happens if it's not working properly?

Workday stores the most important corporate data for some of the world's largest companies. This includes sensitive personal information about the former and current employees, contractors, applicants, etc. Additionally, Workday also stores financial information related to the company's past, current and projected financial performance. Therefore, Workday operates with zero tolerance for stale security evaluation. If authentication authorization is not working properly in Workday, we are at risk of customer data being compromised.

Yeah, I guess from what you're saying, you're storing a lot of very sensitive, important data. I also know that Workday has multiple products for financial management, human capital management (HCM), Workday Adaptive Planning, and from what I've seen as a user, from what I've seen from the product, it's a very large surface area, feature- and use-case-wise. How does authorization work across these different products? Is it centralized logic? Is it per product? Is it per feature?

Yeah, as you mentioned, Workday offers a wide suite of solutions across HCM and finance, from the flagship application to many add-on SKUs. And in recent years, Workday has grown through acquisition, such as what you mentioned, Adaptive Planning, Peakon, VNDLY, etc., to provide solutions that complement Workday's application. Now, when Workday evaluates each application for acquisitions, one of our key criteria is to ensure that these applications meet Workday's security standards.
This is because Workday upholds an industry-leading standard of security that has successfully earned our customers' trust over the years, and we want to ensure that level of security governance and oversight is consistently maintained across our current and newly acquired applications. So depending on the application use cases and the authorization requirement for that, these applications then continue to utilize the original security model under the same rigorous security governance and oversight as all the Workday offerings. And we will continue to invest in our authorization capabilities across all our applications.

It seems that, as you're saying, that there are things at Workday that allow their acquisitions. I wonder how much of the evolution of these authorization capabilities was organic versus more intentional planning.

Yeah, so our intention is always the same, which is to keep customer data secure. But as the company has evolved, our product and offerings have evolved as well, and the threat to the customer data has also evolved, so that our project will also be evolving as well. And right now, we're focused on building additional security products and functionalities to facilitate security authorization between Workday's suite of products.

What are the pros and cons of that approach of having these different products and evolving them over time and also having them use different logic depending on the application use cases?

Yeah, the key advantage is that we can always ensure customer data is secure, and this is because, as I mentioned, when we evaluate these acquisitions, we're already assessing them with our standards, and we also maintain the consistent standards that Workday upholds after they join the Workday family. And in doing so, the customers continue to trust Workday and to store their most sensitive data and extend that trust they have with Workday to all our Workday applications. So that's the most key advantage.
Now, in addition to that, we also leverage the fact that Workday applications and other acquired applications are under the same company, so actually we can collaborate much closer to enhance our joint customers' security and experiences. For example, like every week I meet with several of my counterparts in Adaptive, Peakon, etc. to explore and roadmap joint opportunities. One I can share is last year we delivered a just-in-time provisioning feature to support single sign-on for our joint customers who bought both Workday Strategic Sourcing (previously known as Scout) and Workday. So there are many opportunities by leveraging what we can do together in representing Workday and the Workday acquired acquisitions. Now, on the other hand, we also understand that every application may have its unique security requirements. For example, like granular accessibility is required for Adaptive Planning reports down to role level. So we acknowledge that there is no cookie-cutter approach, and so we collaborate closely with our acquired application team to adapt and adjust.

Yeah, that makes sense. It goes back, I think, to some of what you're saying about what you do with each of these applications, and whether you end up centralizing or not depends on the use cases. So, for example, granular accessibility is required for Adaptive Planning, maybe not for these other products, and that likely requires very different technology and a different approach. Ultimately, what I heard a couple of times, it seems this is about trust, right? Authorization and trust go hand in hand.

Definitely.

I want to get a bit into how the users and their user roles and permissions work at Workday and where authorization decisions happen.

Sure. Well, first and foremost, Workday follows core zero trust principles in all our authorization decisions, but explicitly verifies the users for every single transaction and action and therefore enforcing the least-privilege access.
Now, the system checks to see what data elements the user is attempting to access and for whom, and then checks to see if the user has a security permission to access the requested data. So, the basis of the evaluation relies upon three key things: the security domain, the security group, and the security policy. Now, let me dive into each of them a little bit. The security domain is a grouping of data elements and tasks, collectively known as security items. If you know Workday well, like it's more about the reports and tasks you see, like request PTO or view my payroll check, et cetera. Security groups are the groupings of the users based on their roles, jobs, or attributes. We provide both standard out-of-the-box security groups and customer-configurable security groups, and both of them can be applied with contextual security. And finally, security policy. For each security domain, where we group all those data elements and tasks, each domain has its own policy, and the policy dictates which security group can perform what actions, view or modify.

Yeah, that makes sense. You mentioned zero trust, which is, I think, becoming a hot topic every year. I'm hearing that term more and more in the podcast as we talk to folks. I'd like to dig a bit deeper into some of these things, and maybe again, as you mentioned, if you know Workday, but what about if I don't know Workday? Who manages these security domains and groups, and what does their expertise need to be? How do they maintain it? Are these policies or rules code? Are they UI based? How does this work?

Sure, so Workday customers have security administrators who configure and maintain Workday authorization settings for all their tenants, including the security groups and the security policies. And one thing I'm really proud of is that Workday provides this easy-to-use UI interface for these security administrators to set things up, and we do not need them to write code.
And it's a very intuitive UI experience for them. We also provide rigorous approvals and auditing capabilities to ensure the security setup is meeting expectations.

And we talked about this a bit earlier when we gave that example of granular low-level access, but more generally, how coarse-grained are these roles and permissions? More importantly, how do you folks make decisions around this granularity? For example, is it because customers require more or less of it? Is it a trade-off between simplicity and clarity, or maybe less granular approaches versus the flexibility of finer-grained authorization?

Yeah, we actually work to offer a range of options, from out-of-the-box customer-configurable groups to Workday-delivered groups, and I can touch upon each of them. So out of the box we offer roles via the customer-configurable security groups, which can be based on the users, the roles, the jobs, organization, many other things. They can be combined into new security groups that logically include or exclude other groups as well. And so combined with the predefined policies, they can grant or restrict user access. Customers can tailor these groups and policies to meet their needs, providing as fine-grained access as they require to support any complex configurations they have. Now, over time, customers are requesting more and more granular security controls, and they need more constrained access to search and task. And so to address that, in the past years we have enhanced our security groups to provide a rule-based security concept. And this security group, we allow customers to further constrain the members based on the baseline security group using condition rules. So first, let me illustrate it with an example so it's easier to understand. So we've heard use cases where customers want to only enable part-time workers to track their work hours in Workday. So Workday already has a Workday-delivered security group. We call it All Users.
And this security group can be used as a baseline for this rule-based security group. Now, the next thing customers do is to define a security rule to say, how do you define what's a part-time worker? Well, in Workday we have these fields like time type, et cetera, to help you identify these part-time workers. So you can create a security rule that narrows down to just a bunch of, only to the part-time workers. Then you can apply this security rule to the inclusion criteria of the rule-based security groups with the All Users security group as the basis. So this means that we grab all the users and then apply this rule, so it only returns the part-time workers there. And then, by adding this new rule-based security group we just created to the time-tracking domain, which secures the work hours, you can then enable only part-time workers to track their work hours. Now, Workday also provides a security group that is automatically updated based on the business process, such as hire and end contract. And we have these Workday-delivered groups to be used alone or in combination with other Workday-delivered or custom-created security groups to determine access via security policies. So you can see that we offer an array of choices based on how fine-grained the customers need. There's something out of the box. There's something where you can apply finer rules to narrow down the scope and access.

Yeah, let me see if I understood. So again, you have the previous groups like All Users, where you have a few other things that, you know, customers use a lot. But you can essentially create a new group and say, for example, who is a member of this new security group? So you take all of the users and then you say, for each of these users, check their, in this case, time-type attribute.
And if the time-type attribute is something like part-time, then they would essentially become a member of that security group, and from that point onwards, that customer can start using the part-time security group in their authorization logic. Is that how it works?

Yes, that's our rule-based security group.

Okay, and how are these kind of like security groups handled?

Yeah, so at Workday, we have a lot of different kinds of security groups, and they all are based on core things like the users, the roles, the job, and as you point, we talked about in the previous example, like even attributes like time-type, right? Now, the most common one that we used is a role-based security group. Now, a role-based security group is tied to roles that you create and assign to members of your organization. For example, a manager security group will be tied to the manager role for supervisory organizations. Now, why is the role-based security group so popular? Because it maintains rigorous security automatically when people change roles in the organization, which happens very constantly, and it's a major pain point for security admins. For any movers, joiners, leavers, like, you have to edit all the security; it's a pain. So the distinct design for the Workday assignable role concept is that the role is tied to a position, not the user. This means that when the user leaves the manager role for the organization, the user immediately loses the manager security group membership. And when a new person takes over the position, he or she automatically inherits the manager role and subsequently the manager's security role membership. And so this removes the need for manually assigning roles and security groups for joiners, movers, leavers.

Okay, there it goes.
You mentioned that there are lots of ways in which people can become members of security groups, and now we're in the notion of role, but it seems kind of like, I'm going to use a word, maybe it's not the word that you folks use, but dynamism is a big part of it. So rather than saying a user is assigned to a role, in reality a role exists, in this case the manager role, and then all users that happen to have an attribute that in this case might be, they are a manager, are assigned to it. And that dynamism simplifies a lot of the management for folks that essentially have to manage the Workday account.

Exactly, and so this is why the role-based security group is so commonly used within our Workday customers.

Okay, yeah, that makes sense. And it seems intentional considering the complexity of the domain and how roles changing and people moving and changing teams would make things simpler for an admin. I want to kind of like switch topics a bit and maybe kind of like deep into a concrete example. We use Workday at Okta, so let's say we pick a feature, like employee compensation, right? How does Workday handle authorization for that case? For example, how does Workday figure out who can view my information in the system?

Yeah, so in Workday, security evaluation is done at the time the transaction is executed. So say your HR partner logs into Workday and searches for you and clicks onto your worker profile page. Now, if you remember that profile page, you see a photo up there, and on the left-hand side, the blue panel, you can see there's a lot of tabs like your job, personal information, compensation. Actually, when we load that whole page up, we are already evaluating the person's security to determine which tab you have access to and to only show the tab that you do have access for.
So in this case, going back to the HR partner, when the HR partner clicks and views your worker profile, we look for the security domain that secures the compensation tab and then look into the security policy for that domain. Within the policy, we can see which security groups have the view access, and we determine whether the HR partner is a member of any of those authorized security groups. If he or she is, we will load the compensation tab, and if not, he or she will not see the compensation tab at all. That's how it works.

Okay, so in this case again, the HR partner would need to be a member of one of the security groups that has been granted, let's say, read or view access to the compensation. And that's essentially kind of like a dynamic check that happens at runtime each time the user wants to access this information. I know it's kind of like sensitive and where the big public company, so as much as you can share, can you give us a high-level overview of the internal components and technologies that help with these authorization decisions?

Sure. A high-level Workday authorization architecture is in alignment with the Workday architecture and leverages our native programming language called XpressO and REST APIs; caching techniques where applicable, and other algorithms, are used for efficient evaluation. We also use advanced techniques such as dynamic partization caching to make the authorization process more relevant and efficient.

And mainly kind of like, can you give us an idea of the scale that the system manages, like the number of objects or documents, the number of authorization decisions a minute or a second, like what's that like?

You want a guess?

I have no idea. I don't know if I have the notion of like how big this might be. It's probably like hundreds of millions or something like that.

Well, much more. Approximately, like, just in fiscal year 2023, around 629 billion transactions were processed in Workday.
So with all these transactions, every single one of them requires multiple security evaluations on who can do what, for whom, or what. So you can imagine the scale the authorization framework supports. It's in the order of millions per hour.

That's huge. And probably as you were saying, like the system that handles this needs to be able to manage that scale every day consistently, right? That's very good. Where are these authorization decisions made? And we typically ask guests about this because of exactly what we were discussing before, right? Performance and scale characteristics typically require handling large amounts of data, and that data has to kind of like essentially be put together to make these authorization decisions in like policy or an agent or software. So what data do you folks use, and what's the performance like here?

Yeah, I think you've described very well that the performance is a concern, especially with the amount of data and the number of transactions we have. Well, the good thing with Workday is that for all the customers who use Workday, Workday is usually the source of truth for all the data that you need for authorization. So we have the five key things that we have. The user, so that we know the identity, the job, the position, everything about the user the customer uses Workday HCM. We know the organization: the organization and hierarchy structures that control the level of access. And the roles. We talked a lot about the roles earlier, that the roles are groupings of people with specific permissions and responsibilities and that they're tied to positions, which eases the maintenance for the joiners, movers, leavers, and all these roles are tied to security groups. We also have all the resources. All the Workday tasks and reports are also housed in the same place as all of these users, orgs, and roles. And finally, so is the policy: the security domain and security policies that secure the resources.
So with all of these natively maintained system of record all inside the house, our authorization decision doesn't need to go far anywhere but within Workday ourselves. And this is the core advantage why Workday can thrive on providing real-time security evaluation.

I'm kind of switching gears a bit. I know Workday integrates with lots of other apps between apps. How does a typical third-party app use Workday? How does that integration work from a formal authorization perspective?

Sure. So for customers who use Workday, Workday is usually the source of truth, as I said, for the data that you need for authorization, like the user information, the overnight. So this provides the API or downstream applications to timely update this data.

I see. And I understand also Workday does not do OAuth, like, I mean, tokens to grant apps kind of like permissions to access resources on behalf of users. So how do these integrations across apps work from an authorization perspective?

Sure. So Workday uses a proprietary object-oriented, role-based security access control model, or RBAC, that provides enormous customization and control for the end users on how they provision users, teams and functional organizations. Then the customers or implementers can translate from our user roles to security tokens and scopes for various B2E use cases. These are custom integrations. Any data sharing between Workday and external apps has to be explicitly implemented using these integration tools, connectors, etc.

Makes sense. So the concepts that we talked about earlier, like the policies and the rules and the security groups, you have this kind of like proprietary machinery that allows these apps to integrate and essentially talk the Workday lingo so that they can interact with the API and make requests.

Yes.

Okay, that's awesome. Thanks for explaining that. So we're at the end of the show. I really appreciate your time and sharing all of these insights. Workday is a very interesting case.
I really wanted to talk to you since we started the recording the season because of the complexity, the size, the M&A challenges. And I think hopefully you also think that we've done a good job.