In the first of our Customer Central blogs, we walked through what Customer Central is, its tools, and how Customer Central remains relevant both during and after deployment. In this blog, we’ll discuss the setup of Customer Central and the key security roles involved. While it may feel daunting at first, the good news is that once Customer Central is enabled and set up to work with your tenants, the maintenance is straightforward.
3 Key Customer Central Roles
There are 3 key roles in Customer Central:
Customer Central (CC) Security Administrator
Customer Central (CC) Administrator
Customer Central (CC) User
Note, in initial deployments, your implementation team will primarily manage their own CC Administrator and CC User accounts. Upon Go-Live, the responsibilities will shift to the customer team.
CUSTOMER CENTRAL SECURITY ADMINISTRATOR
What They Can Do: CC Security Administrators set password rules, enable multi-factor authentication, monitor login reports, and perform other security tasks such as resetting forgotten passwords. CC Security Administrators can create additional CC Security Administrators.
Who to Assign: Named Support Contacts, People assigned Security Administrator in Production.
Can They Migrate Configuration: No
Recommended Username: username-secadmin or firstinitial.lastname-secadmin
Unique Callouts:
Typically, CC Security Administrators will have two sets of account credentials to maintain: one for their CC Security Administrator rights and one for their CC Administrator rights.
CUSTOMER CENTRAL ADMINISTRATOR
What They Can Do: CC Administrators typically manage the day-to-day provisioning of CC User accounts. CC Administrators can create other CC Administrators and CC Users and provision which tenant(s) the new account will be able to access. They can also migrate configuration themselves.
Who to Assign: Named Support Contacts, People assigned Security Administrator in Production, HRIS or IT Administrators and Implementation Partner Engagement Managers.
Can They Migrate Configuration: Yes
Recommended Username: Exact match to native Workday account username.
Unique Callouts:
If you are a CC Administrator, your username should match your Workday account username in Production, Sandbox, and IMPL tenants.
The CC Administrator should also be assigned the Migration Administrator security group in the Production, Sandbox, and IMPL tenants.
As a CC Administrator, you automatically have access to migrate configurations between any tenant and access Configuration Catalog. You do not need a CC User account if you are a CC Administrator.
CUSTOMER CENTRAL USER
What They Can Do: CC Users are provisioned access to migrate configuration items either across customer tenants, or from the Configuration Catalog.
Who to Assign: Workday super users that may be responsible for regularly creating and managing configuration including HRIS, IT, and Finance resources. For example, those assigned HR Administrator, Finance Administrator, Business Process Administrator, or Report Administrator / Report Writer in the Production, Sandbox, and IMPL tenants.
Can They Migrate Configuration: Yes
Recommended Username: Exact match to native Workday account username.
Unique Callouts:
If you are a CC User, your username should match your Workday account username in Production, Sandbox, and IMPL tenants.
The CC User should also be assigned the Migration Administrator security group in the Production, Sandbox, and IMPL tenants.
CC Users will need to be granted access to migrate between tenants via the Manage Tenant Access task.
Tip: If you receive an error when trying to add a CC User to Manage Tenant Access, make sure they have the Migration Administrator security group in the Production, Sandbox, and IMPL tenants.
Migration Administrator in Production, Sandbox, and IMPL tenants
In addition to the 3 key roles in Customer Central, there is also the Migration Administrator User-Based Security Group that will need to be set up in all Production, Sandbox, and IMPL tenants.
MIGRATION ADMINISTRATOR
What They Can Do: Migrate configuration via the OX 2.0 tool in Customer Central.
Who to Assign: Every user who is assigned CC Administrator or CC User needs to be assigned this User-Based Security Group to migrate configuration.
Can They Migrate Configuration: Yes
Unique Callouts:
Make sure the Migration Administrator security group is setup with the following domain permissions in Production, Sandbox, and IMPL tenants, and all domains are enabled:
Tenant Health Dashboard
The Tenant Health Dashboard in Customer Central can help CC Administrators and CC Users to manage account access and troubleshoot their own access. From the “All Customer Central Accounts” section, CC Administrators can view and inactivate CC User accounts.
From the “My Tenant Access” section, CC Users can validate the tenants to which they have access to in order to migrate configuration and also use this section to troubleshoot missing access.
Once you have your initial set of CC Security Administrators and CC Administrators defined and assigned, the day-to-day maintenance requires provisioning access to new CC Users as needed. This may be a monthly task for some, for others as infrequent as every few months or annually.
Frequently Asked Questions
What role(s) should I provision implementation or third-party partners?
Depending on your level of post-production support or Phase X implementation activity, you may want to assign an Engagement Manager or Account Lead from your third-party service provider a CC Security Administrator and a CC Administrator role to be able to provision their team efficiently and independently. Otherwise, most of your functional consultants should be sufficient sitting in the CC User role.
How often should we audit Customer Central users and deactivate accounts?
We recommend including Customer Central in your standard operating procedure for account auditing, typically on a monthly, quarterly, or annual basis. Once a user is no longer engaged with your organization, you should disable their Customer Central Account by toggling off the related actions of their account and selecting Security Profile > Manage Workday Credentials. Any deactivation of any account should be concurrent with disabling their Workday account in your Production, Sandbox, and IMPL tenants.
How do you set up a new Customer Central User?
When provisioning access to a new CC User, there are a few steps to take:
a) First, make sure the Workday Account is assigned to the Migration Administrator User-Based Security Group in all applicable tenants (Production, Sandbox, and IMPL).
b) Next, logging in as the CC Administrator, access the Central Administration dashboard. Select Create Customer Central User and enter the individual’s name, username, temporary password, and work contact information. Be sure to check the box “YES” if they are a certified Workday implementer and have an implementer account. (see (1) below)
c) Next, you’ll use the Manage Tenant Access task to determine the specific tenants the user can migrate to/from. For example, if you have an implementation tenant specified for a certain project and don’t want someone to accidentally migrate new configuration into it, we recommend restricting them from that tenant. (see (2) below)
How can you reset a user’s password?
To reset any Customer Central account’s password, the CC Security Administrator should log in and access the Edit Workday Account task from either the Search bar or from Related Actions off the user’s account.
Note, only the CC Security Administrator has access to reset passwords, even though the CC Administrator originally set up the account.
Can Customer Central Users migrate to Production?
Yes, if granted access to the Production Tenant via Manage Tenant Access, then any user can migrate to Production. There are a few key prerequisites, however:
a) Make sure you’ve enabled the Production tenant for migration via the Manage Tenant Connection task in Workday.
b) CC Administrators and CC Users will have to first enable a session via My Tenant Session in Customer Central. This authenticates their access to Production and lasts for 30 days.
c) Lastly, one may only migrate configuration from Sandbox to Production. If migrating configurations from an implementation tenant, Sandbox Preview, or wdsetup then you must first migrate the configuration to Sandbox before moving to Production.
Conclusion
Understanding the difference between each Customer Central role’s purpose and who should be assigned (and not to forget, maintaining one’s login credentials) is most of the maintenance required for the Customer Central tenant. Designating 1-2 primary contacts in your organization to be responsible for provisioning is a key success factor in ensuring your organization understands how Customer Central works and should be maintained.
Sources:
Author: Dia from Ohio
Opmerkingen