Automatically Update User Access by Attribute

Reduce manual effort to update data security when a user's role, region, or other attribute changes in your source system.

Overview

Automated org sync (organization synchronization) is the automatic mirroring of user identities, group memberships, and permissions across different platforms or environments. Instead of an IT admin manually changing a user's access in five different apps after a role change, org sync ensures that the source of truth pushes that data everywhere else.

Org sync automates:

  • Onboarding: New hires get access to all synced apps on day 1.
  • Offboarding: When an employee leaves, disabling them in the source of truth cuts their access to all synced apps. This prevents orphan accounts that pose a major security risk.
  • Group and attribute mapping: If a user's department changes from Sales to Success in the HR system, org sync updates their permissions in all synced apps.

This guide describes the tasks to implement automated org sync in Visier and provides a step-by-step example you can follow along with.

Checklist

To implement automated org sync, complete these steps.

  • Send access-related files to Visier.
  • Set up containers to hold your access data in Visier.
  • Create permissions and rules that dynamically assign access.
  • Check your work.

This guide assumes that your organization already has a regular data load schedule with Visier that you can add your access-related files to. For more information about sending data to Visier, see Bring Data In.

Send access-related files to Visier

Each source system defines access in different ways. Visier uses permissions to set user access to data. To update Visier permissions based on your source system security:

  1. Send a population file to Visier: Sets the population access in the dynamic permission or assigns a permission to a user.
  2. Send a User Group Matrix file to Visier: Defines the user group to receive the dynamic permission. Not required if user group membership is identified in your employee data.

To learn how to format these files, see Map a population using a security file.

This data is used in Visier to define population access, ensuring that users can only see employee data for the organizations they are authorized to support. You can automate the delivery of these files by setting up exports in your source system and including the files in your data load schedule with Visier.

Tip: Each source system has different requirements to generate a compatible file to send to Visier. To generate a population file from Workday, see Recreate the Workday to Visier Security Integration.

Set up containers in Visier

After Visier receives data, the data must be contained somewhere.

  1. Create a source. Sources are containers that represent the data and its structure (columns and data types) that Visier expects to receive when you send that data again in your next data load. For more information, see Sources.
  2. Leverage an existing hierarchy or create a parent-child dimension. The hierarchy tells Visier how to represent the parent-child relationship of user access to employee data in your population file.
    1. In the parent-child dimension, create a custom property.
    2. Give the custom property a display name that ends in _List. This tells Visier that the dimension represents an access list.

  3. Create a mapping. This connects the source data to the parent-child dimension. The mapping must have the following settings:
    • Mapping type: Lookup
    • Data file type: Temporal
    • Override behavior: Event date

  4. In the lookup mapping, set the following:
    • MappingKey: Map from column. Select a key value from the source, such as Organization_ID.
    • EventDate: Map from formula. Use dateColumn("ColumnName") where ColumnName is the date column in your population file.
    • Add one intermediate property per role you're creating data access for, then click Map from formula. Add a formula to remove white space so that the data is a comma-separated list; for example:
      Copy
      Sample intermediate property formula
      stringSubstitute(column("HRBP"), " ", "")

      In additional properties, replace HRBP with the column name for each role.

Create permissions and rules that dynamically assign access

With the data in Visier and connected to objects, all that's left is to make sure your permissions are configured correctly to dynamically assign user access to data.

  1. Create a business rule. The business rule must have the following settings:
    1. In Subject, select the _List parent-child dimension.
    2. In Formula, type a formula to look up the population file and assign access through the parent-child dimension.

      Copy
      Sample business rule
      augmentingMapping(
          mappingName, 
          mappingKey, 
          mappedProperties [,ifUnmapped, filter, ifOutputExists, ignoreIfNoValue]
      )

      For more information, see Business Rules.

  2. Create data access sets. This defines the level of access that users should be able to see for different attributes, such as Tenure and Compensation. You might make several data access sets to fit the needs of multiple different access requirements. For example, a permission that should be able to see detailed data for Salary versus a permission that shouldn't see any Salary data. For more information, see Configure Data Access.

  3. Create a permission. The permission must have the following settings:
    • In Data Access, select the data access set you created.
    • In Population Access, select Custom.
    • In Dynamic Filter, select User to dimension.
    • Select the parent-child dimension, such as Organization_Hierarchy.
    • Map the _List property to Employee ID.

  4. If needed, define the user group that will receive automated org sync. For more information, see Create a User Group.

Check your work

To make sure the permission works as expected, assign it to a user and preview the data as that user to verify they can see the correct data.

  1. To assign the permission, see Assign Permissions to a User.
  2. Generate a new data version so that your project incorporates the new mappings you made. For more information, see Run a Job.
  3. When the job completes successfully, you can impersonate the user and preview the data. To preview as a user, see Preview the Solution as a User.
  4. If everything looks as expected, you can publish the project that contains your security changes. For more information, see Publish Project Changes.

Outcome

With automated org sync set up, user access to data will dynamically update every time you send the population file to Visier. Because users change frequently, we recommend a daily data load to ensure user access is correct every day.


Example: I want to synchronize roles in Workday to permissions in Visier

This section provides a step-by-step example to implement automated org sync to update user access in Visier when their role or region changes in Workday. This example shows how to set up user access for an organization that has two roles: HRBP and Leader.

Access requirements

Custom profile with these capabilities:

  • Data (Write, Detailed)

  • Model (Write, Simple)

  • Permission Management (Write, Simple)

  • Security (Read, Simple)

  • User Management (Read, Simple)

Users with this permission capability: Super Admin Permission

Reach out to your administrator for access.

Step 1: Send access-related files to Visier

Workday roles do not have one-to-one counterparts in Visier. As a result, you must set up processes to prepare Workday roles for use in Visier.

To complete this process, see Recreate the Workday to Visier Security Integration.

Step 2: Set up containers in Visier

Next, create the source to hold your population file data. You can generate a source from the data file after Visier receives a population file from your EIB's SFTP delivery for the first time.

Create a source

  1. In Visier, on the global navigation bar, click Data > Data Transfers.
  2. In the list of files, find PopulationAccess_SupvOrg.csv. This is the File Name that you set up in "Configure Deliver" of Step 3: Configure the Enterprise Interface Builder (EIB). You might need to filter the Data Transfers list to a longer time frame if the file was received more than a day ago.
  3. Hover over the row and click the Generate source button .

Create a parent-child dimension

If your organization already has a security hierarchy in Visier, use that hierarchy. In this example, you'll create a parent-child dimension (hierarchy) to represent the parent-child relationship of user access to employee data.

Parent-child dimensions are created in projects, so create a project.

  1. On the global navigation bar, click Projects > New Project.
  2. In Display name, type Set Up Workday-Visier Security.
  3. In Description, type Create security objects for automated org sync.
  4. Click Create.

In the project, create the parent-child dimension.

  1. On the navigation bar, click Model > Dimensions > Create Dimension.
  2. Select Parent-child.
  3. Enable the Make dimension shared toggle.
  4. In Display name, type Organization_Hierarchy.
  5. Select the Employee object.
  6. Click Done.
  7. In the dimension, add a custom property.
  8. Give the custom property a display name that ends in _List, such as HRBP_List.
  9. Select the Text data type for the custom property. This is because the population file must use text data to assign access.
  10. Repeat steps 7 to 9 for every role you're creating access for. In this example, there's one more role for Leaders, so you'll create a custom property named Leader_List.

Create a mapping

With a source and a _List parent-child dimension custom property, you can connect the access data to the property. In Visier, data is connected to objects through mappings. There are a few kinds of mappings, but to assign automated access you want to look up data in the population file to connect it to objects. That means you must make a lookup mapping.

  1. In your Set Up Workday-Visier Security project, navigate to Data > Mappings > Create Mapping.
  2. In Display name, type Organization Lookup.
  3. In Description, type Lookup mapping for Workday population file.
  4. In Mapping type, select Lookup.
  5. Select the source that you generated for the PopulationAccess_SupvOrg.csv file.
  6. In Data file type, select Temporal. This tells Visier that the files contain all the access data at a point in time.
  7. In Override behavior, select Event date. This tells Visier to only take the latest population file and ignore previous population files when assigning data access.
  8. Click Create.

Within the lookup mapping, configure the mandatory properties and an extraction rule to remove white space so that the list is comma-separated.

  1. Click MappingKey > Map from a column > Organization_ID. This is the key value in your population file.
  2. Click EventDate > Map from formula > dateColumn("EventDate"). This is the date column in your population file.
  3. Click Add Intermediate Property.
  4. In Display name, type temp_HRBPAccessList.
  5. In the intermediate property, click Map from formula.
  6. Type an extraction rule formula to remove white space so you are left with a comma-separated list. The following example removes white space from the HRBP column.
    Copy
    Sample intermediate property formula
    stringSubstitute(column("HRBP"), " ", "")
  7. Repeat steps 3 to 6 for every column in your population file. In this example, there is one more column for Leader, so you'll make another intermediate property called temp_LeaderAccessList with the property formula stringSubstitute(column("Leader"), " ", "").

Step 3: Create permissions and rules that dynamically assign access

To look up the population file and assign access using the previously-created dimension, create a business rule to perform those actions.

Create a business rule

  1. In a project, on the navigation bar, click Data > Rules > Business Rules > Create Rule.
  2. Select the data category that the rule belongs to.
  3. Select Business rule.
  4. In Display name, type Security - Organization Lookup.
  5. Click Subject and select the Organization_Hierarchy parent-child dimension.
  6. Enter the following formula to look up the access list and assign access to the _List custom properties for each role you're assigning access for.
    Copy
    Sample business rule
    call augmentingMapping(
        "WD_Security_Role_Lookup_Mapping",
        Organization_Hierarchy.Organization_ID,
        {
            Organization_Hierarchy.HRBP_List -> "temp_HRBPAccessList",
            Organization_Hierarchy.Leader_List -> "temp_HRBPAccessList"
        }
    )

Create a data access set

Next, define the level of access that users should be able to see for different attributes. This is set in data access sets that get assigned to permissions. In this example, you'll create two data access sets for each of the roles you're creating access for.

  1. In a project, on the navigation bar, click Security > Data Access Set > Add Data Access Set.
  2. In the New data access set pane, select Employee and then click Next.
  3. In Display name, type HRBP Data Access.
  4. Click Create.
  5. Click the Data Access column.
  6. In Data view, set the following:
    1. In Properties, select Detailed.
    2. In References, select None.
    3. In Events, select Detailed.
    4. In Related Objects, select None.

      This grants access to all Employee properties and events, but doesn't grant access to related objects like Applicants or Sales Quotas that the HRBP should not have access to.

  7. Repeat steps 1 to 6, but use the display name Leaders Data Access and set the following Data view:
    1. In Properties, select Detailed.
    2. In References, select Detailed.
    3. In Events, select Detailed.
    4. In Related Objects, select Detailed.

      This grants access to all Employee properties, events, and related objects that a Leader should be able to see for their direct reports.

Create a permission

Next, create a dynamic permission using the parent-child dimension associated with your population file. You'll create one permission per role you're creating access for.

  1. In a project, on the navigation bar, click Security > Permissions > Add Permission.
  2. In Display name, type HRBP Dynamic Permission.
  3. In Data Access, select the data access set you created.
  4. Click Create.
  5. In the Data security tab, click Set access and then select HRBP Data Access.
  6. In Population Access, select Custom.
  7. In Dynamic Filter, select User to dimension.
  8. Select Organization > Organization_Hierarchy.
  9. Select HRBP_List = EmployeeID.

  10. Click Apply.
  11. Repeat steps 1 to 10, but use the display name Leader Dynamic Permission, set the access to Leader Data Access, and select Leader_List = EmployeeID.

Step 4: Check your work

To make sure the permission works as expected, assign it to a user and preview the data as that user to verify they can see the correct data. In this example, you'll assign HRBP Dynamic Permission to User 1.

Assign the permission

  1. In a project, on the navigation bar, click Security > Users.
  2. Select a user in the Users list. In this example, the user is User 1.
  3. Click Assign in the Permissions area.
  4. In the list of permissions, select HRBP Dynamic Permission.
  5. Click Assign.

Generate a data version

  1. In a project, on the navigation bar, click Data > Data Categories.
  2. On the data category you want to create a new data version, click the More button .
  3. Click Run job.
  4. In the Run job dialog, do the following:
    1. In Generate debugging info, select None.
    2. Disable Use alerts.
    3. Turn on Enable normalizer cache.
  5. Click Run Job.

Impersonate a user

  1. On the navigation bar, click Security > Users.
  2. Select the user that you assigned the HRBP Dynamic Permission. In this example, the user is User 1.
  3. Click View As > Preview As User in the upper-right corner.

    Result: A preview version of the solution opens in a new tab.

  4. In the solution, navigate to Explore or Analyses and then change the filters, metrics, and group bys to see what data the user can see.

Publish the project

  1. In a project, on the navigation bar, click the Home button .
  2. Click Release to Production in the upper-right corner of the project. The project must contain at least one revision before Release to Production appears.
  3. In the Release to Production dialog, do the following:
    1. In Display name, type Workday Security.
    2. In Description, type Added permissions and mappings for dynamic security.
    3. In Release Version, type a release number, such as 7001137.
  4. Click Release now.

    Result: A new production version is released that contains your security updates. Every time Visier receives the population file from your Workday integration, user security will be updated.