Configuring Workday Security and Role-Based Permissions

Reco Security Experts
June 12, 2024

Whether you are an experienced HR professional or IT admin seeking to enhance your security configuration or are new to Workday, this guide aims to provide you with the knowledge and tools needed to secure your Workday environment effectively. Let's get started on this crucial aspect of your HR and finance operations.

Understanding Workday Security Framework

Workday's security framework is highly configurable, providing comprehensive access control for various securable items like tasks, reports, user interface pages, and integrations. It accommodates diverse organizational structures and locations through group-based security. Administrators can customize default security groups and policies using the Workday Object Management System (OMS).

Here's a Scenario to Help You Understand Better

Workday is like a fortress protecting your organization's sensitive HR and financial data. The keys to this fortress are security groups, domain security policies, and business process security policies.

1. Security Groups: These can be seen as different keycards granting access to various parts of your fortress. There are several types:

  • User-based security groups assign permissions to individual users.
  • Role-based security groups assign permissions based on job roles.
  • Intersection security groups combine criteria to form a more specific group.
  • Segment-based security groups define access based on segments.

2. Domain Security Policies: These are the rules for accessing specific domains (areas) within Workday, such as tasks and reports related to employee data or financial records.

3. Business Process Security Policies: These policies control who can initiate, view, correct, rescind, approve, and cancel various business processes, such as hiring or termination.

Steps for Configuring Security

Let’s learn about the steps for creating and managing these security groups and the security policies.

Pro tip: Before you create role-based security groups, review the following:

  • Data points and business process steps you want to provide access to.
  • Security policies that secure those items.
  • Types of security groups that you can associate with the security policies.

Step #1: Creating or Configuring Security Groups

To access Workday, users must belong to a security group with assigned permissions. Use the 'Create Security Group' task to create or configure security groups and control their access to domain or business process policies.

Step #2: Configuring Domain/Business Security Policies

a. To grant users access to securable items within domains and business processes, you need to associate security groups with the relevant security policies. Domain security can be set for report/task permissions or for integration permissions. For report/task permissions, you assign security groups the ability to view or modify tasks within the policy. For integration permissions, you grant either Get access or Get and Put access to data.

b. Each business process type has its own dedicated security policy. Within these policies, you can specify which security groups are permitted to initiate the process, perform authorized actions, or approve, rescind, or cancel an event. Users can edit the policy by taking action related to the business process.

Note: Workday logs the date and time of any modifications made to security policies, including adding or removing security groups and enabling or disabling policies and functional areas. To implement these changes, use the "Activate Pending Security Policy Changes" task.

Workday Role-Based Security Groups

In the realm of Workday security groups, each type brings its unique value and importance. But if there's one group that stands out as the hero of the story, it's role-based security groups. Role-based security groups stand as a cornerstone in Workday, offering a potent means of granting necessary access within the system. These groups typically represent users in pivotal support or leadership positions across various organizations. Let's delve deeper into their essence:

  • Versatility in Identification: Role-based security groups serve as a versatile tool for identifying users fulfilling crucial support or leadership roles within the organization, e.g., Manager or Absence Partner.
  • Constrained vs. Unconstrained: Within the realm of role-based security groups, there exist two primary categories: constrained and unconstrained. Constrained groups are particularly prevalent, as they enable the identification and restriction of support staff to specific target instances within the designated organization(s).
  • Targeted Support: Constrained role-based security groups facilitate targeted support by confining access to relevant instances within a given organization. For instance, a manager may be restricted to accessing information solely within their assigned supervisory organization. Similarly, a Compensation Partner may only view compensation details for workers within a specific organizational unit.

Workday Assignable Roles

Assignable roles link workers to their designated positions, determining their membership in role-based security groups. These roles simplify access management by aligning privileges with job assignments. Administrators can create new roles with the Maintain Assignable Roles task, which lets them do so at any organizational level.
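The following added example (not Workday code and not from the original article) is a simplified Python model of the behaviour described above: role assignments determine group membership, a constrained group only reaches the organization the role was assigned on, and policy edits stay pending until activated. The class names, position IDs, organizations, the "Auditor" role and the domain name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RoleAssignment:
    position: str      # worker position (or job) holding the role
    role: str          # assignable role, e.g. "Manager"
    organization: str  # organization the role is assigned on

@dataclass(frozen=True)
class RoleBasedGroup:
    name: str
    role: str
    constrained: bool  # True: access limited to the organizations of assignment

@dataclass
class DomainPolicy:
    domain: str
    active: dict = field(default_factory=dict)   # group name -> {"view", "modify"}
    pending: dict = field(default_factory=dict)  # edits not yet activated

    def grant(self, group_name, *perms):
        # Staged only: access does not change until activate_pending() runs.
        self.pending.setdefault(group_name, set(self.active.get(group_name, ()))).update(perms)

    def activate_pending(self):
        self.active.update(self.pending)
        self.pending = {}

def can_access(position, perm, target_org, policy, groups, assignments):
    """True if any role held by `position` reaches `target_org` with `perm`."""
    for group in groups:
        if perm not in policy.active.get(group.name, ()):
            continue
        for a in assignments:
            holds_role = a.position == position and a.role == group.role
            if holds_role and (not group.constrained or a.organization == target_org):
                return True
    return False

# Constructed sample data: positions, organizations and the "Auditor" role are hypothetical.
GROUPS = [RoleBasedGroup("Manager", "Manager", True), RoleBasedGroup("Auditor", "Auditor", False)]
ASSIGNMENTS = [RoleAssignment("P-100", "Manager", "Sales"),
               RoleAssignment("P-200", "Auditor", "Internal Audit")]

def sample_policy():
    policy = DomainPolicy("Compensation (constructed domain)")
    policy.grant("Manager", "view")
    policy.grant("Auditor", "view")
    return policy  # both grants are still pending at this point
```

In this model the Manager in position P-100 can view Sales data only after activation and never reaches another organization, while the unconstrained group reaches every organization, which is why unconstrained groups deserve the closest review.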

Different Ways of Role Assignment

Assigning roles involves designating support and leadership staff on an organization-by-organization basis, linking a worker's position or job with a specific assignable role for a particular organization. Roles can be assigned through various methods:

At the organization (or role-enabled instance) level

To assign roles to an organization (role-enabled instance), navigate to the relevant instance (e.g., an organization) and select "Roles > Assign Roles" from the Related Actions menu.

At the worker position (or job) level

Roles are assigned using tasks on the worker profile. From a worker’s Related Actions, select Security Profile > Assign Roles – Add/Remove or Assign Roles – Change Assignments.

To an unfilled position

From the position’s related actions, select Security Profile > Assign Roles – Add/Remove or Assign Roles – Change Assignments.


In summary, Workday's security framework, along with role-based permissions, acts as a reliable guardian for organizations, ensuring that access to sensitive data is controlled and tailored to each individual's role. It empowers teams by providing personalized access to the information they need, fostering efficiency and productivity. With its flexibility and adaptability, Workday's security features seamlessly evolve with organizational changes, maintaining data integrity while enabling growth. Ultimately, Workday's emphasis on security and role-based permissions not only protects data but also empowers organizations to thrive in a dynamic environment.
