
Implementing Effective Session Management Policies in Workday

Reco Security Experts
June 14, 2024

This article guides you in enhancing the security of your Workday system. In today's connected world, protecting sensitive data is more important than ever. Session management is crucial in preventing unauthorized access by controlling how and when users interact with the system.


What is Session Management and Why is It Important?

Session management is all about overseeing how long and in what ways a user's session lasts on a digital platform. It includes deciding the duration of a session, when it should end, and when a user needs to log in again. Good session management helps real users get their work done without unnecessary breaks while keeping unauthorized users out. It's vital because it prevents unauthorized access, mitigating risks such as data breaches and financial losses.

Here's a Scenario for Better Understanding 

Case Scenario: The Forgotten Login

Imagine Sarah, a busy marketing manager, logging in to Workday on her office computer to check campaign performance.  She gets occupied in a brainstorming session and forgets to log out before leaving for lunch.  An hour later, a colleague stumbles upon Sarah's unlocked computer. With an open Workday session, they can potentially access sensitive data or even make unauthorized changes.

Solutions for The Forgotten Login

The following conventional controls address this kind of unauthorized access:

  • Session Timeout
  • Multi-Factor Authentication (MFA)

Advanced Session Management Techniques

Beyond the foundational practices, consider these advanced techniques to strengthen your Workday security posture further:

  • IP Address Restrictions (Optional)
  • Access Restrictions
  • Monitoring Sign-Ins

Implementing Session Management in Workday                                           

Let's take a closer look at each of these components to gain a deeper understanding of how session management operates in Workday:

A. Session Timeout

In Workday, a session timeout is the period of inactivity after which your login session ends automatically. Once your session has timed out, you must re-enter your password to access Workday. This is a security measure to protect your private data.

How It Works

When you log in to Workday, the backend server initiates a session identified by a unique ID. This session retains your IP address, username, and temporary data. A timer linked to your session starts counting down based on a pre-defined timeout duration set by administrators. Each action you take within Workday resets the timer, signaling continued activity. However, if there's no activity and the timer expires, your session is deemed idle, triggering a session timeout notice and requiring re-authentication to continue.

Configure Session Timeout in Workday

For PCI user accounts, Workday automatically sets the session timeout to 15 minutes, and you cannot modify it. For Workday accounts that are not used by PCI users, you can adjust the session timeout as follows:

i. The Maintain Password Rules task modifies the tenant's default session timeout.

ii. To adjust an individual user’s session timeout, access the Edit Workday Account task.
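The idle-timer behaviour and the three timeout settings described above, modelled as an added example (not Workday code or code from the original article). The `Account`, `Session` and `SessionStore` names are hypothetical, and the precedence of a per-user value over the tenant default is an assumption.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

PCI_TIMEOUT_MIN = 15  # from the article: fixed for PCI user accounts


@dataclass
class Account:  # hypothetical model, not a Workday object
    username: str
    is_pci: bool = False
    user_timeout_min: Optional[int] = None  # per-user value (Edit Workday Account)


@dataclass
class Session:
    username: str
    ip: str
    timeout_s: int
    last_activity: float
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def effective_timeout_min(account: Account, tenant_default_min: int) -> int:
    """PCI accounts are pinned to 15; otherwise user value, then tenant default."""
    if account.is_pci:
        return PCI_TIMEOUT_MIN
    if account.user_timeout_min is not None:  # assumed to win over the default
        return account.user_timeout_min
    return tenant_default_min


class SessionStore:
    def __init__(self, tenant_default_min: int):
        self.tenant_default_min = tenant_default_min
        self.sessions = {}  # session_id -> Session, held server-side

    def login(self, account: Account, ip: str, now: float) -> str:
        timeout_s = effective_timeout_min(account, self.tenant_default_min) * 60
        s = Session(account.username, ip, timeout_s, now)
        self.sessions[s.session_id] = s
        return s.session_id

    def request(self, session_id: str, now: float) -> bool:
        """True: request served and timer reset. False: re-authenticate."""
        s = self.sessions.get(session_id)
        if s is None or now - s.last_activity >= s.timeout_s:
            self.sessions.pop(session_id, None)  # drop expired server-side state
            return False
        s.last_activity = now  # any action restarts the countdown
        return True
```

Time is passed in as `now` (seconds) so the expiry logic can be exercised without waiting; the expired session is deleted on the server rather than only hidden in the client.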

B. Multi-Factor Authentication (MFA)

MFA implements a two-step verification process. While usernames and passwords remain the initial access point, MFA introduces a secondary authentication factor, significantly strengthening the overall security posture.

Configure MFA in Workday

Before enabling MFA in a Workday tenant, there is a prerequisite: users must have the necessary security access to the relevant domains for the task and any additional actions. With that access in place, you must set up MFA providers in the tenant before you can specify them on authentication policies; challenge questions are the exception.

  1. Access the Edit Tenant Setup - Security task.
  2. On the Multi-Factor Authentication Providers grid, click Add Multi-Factor Authentication Provider and enable any of these authentication providers for the tenant, according to your requirements:
    • Authenticator App
    • Backup Code (Optional)
    • One Time Passcode - Email
    • One Time Passcode - SMS

Workday automatically prompts users when they sign in using any MFA method. Workday advises you to give your users instructions on how to capture and safely store their backup codes. For one-time email passcodes, the first time users sign in Workday automatically prompts them to verify the email address to which it will send one-time passcodes. For one-time SMS passcodes, Workday automatically prompts users at sign-in to set up an SMS one-time passcode. During setup, users pick a cell provider and choose, from a list of numbers, the cell phone number that Workday will use to text them one-time passcodes.

C. IP Address Restrictions (Optional)

IP address restrictions in Workday are a security feature that allows your organization to control which IP addresses or IP ranges can access the Workday platform.

Configure IP Address Restrictions in Workday

Before enabling IP address maintenance in a Workday tenant, there's a crucial prerequisite: ensuring users have the necessary security access to relevant domains in the system functional area. You can define a range of IP addresses as client networks and use them in authentication policies to designate blocked and allowed networks for accessing Workday.

i. Access the Maintain IP Ranges task.

ii. To define a network, add a row and input a list of IP addresses separated by commas in the IP range box.

iii. To disable an IP range, tick the inactive check box (optional).

iv. Access the Activate All Pending Authentication Policy Changes task to confirm changes.

D. Access Restrictions

Workday access restrictions are a broad set of controls that limit what users or groups can see and do within the platform. This ensures data security and compliance with regulations by granting access only to the functionalities and information required for each user's role.

Configure Access Restrictions in Workday

Before enabling access restriction in a Workday tenant, there's a crucial prerequisite: ensuring users have the necessary security access to relevant domains in the system functional area. Access restrictions and authentication policies allow you to restrict Workday access based on the kind of sign-in (internal vs. external network).

  1. Access the Manage Authentication Policies task and click the Add Authentication Policies button. In the Authentication Ruleset grid, add a row for Access Restriction and other parameters.
  2. Define Access Levels: Choose the security groups you want to grant access to for this specific sign-in method. You can use context-sensitive security groups for more granular control, but be mindful of unintended access from included security groups.
  3. Define Excluded Functionality (Optional): Further restrict access by specifying Workday functionalities users cannot access with this sign-in method (e.g., exclude "Inbox Approvals" to prevent My Tasks approvals).

From the Excludes Functionality prompt, select the Workday functionality to which you want to restrict access.

Option: Attachment Download (Limited)
Description: Restricts users' ability to download and view specific attachments they post to Workday. It does not stop users from submitting files. Workday exempts the following attachment types from this functionality exclusion:
  • Downloads of attachments on business processes
  • Downloads from My Tasks
  • Payslips

Option: Business Process Steps Sent Back for Revision
Description: Stops users from accessing the business process Sent Revise steps that are sent to My Tasks.
Workday Visuals: When you access My Tasks activities that are subject to this functionality exclusion, the action is no longer available.

Option: Check-In/Out
Description: Stops users from using the following to check in and out of Workday directly:
  • Time worklet
  • Check-In and Check-Out tasks
  • Workday mobile apps

E. Monitoring Sign-Ins

In Workday, "monitoring sign-in" refers to the procedure of keeping track of and examining user login actions. This is also important for maintaining security and keeping track of user activity within the platform.

Configure Monitoring Sign-Ins in Workday

Before enabling access restriction in a Workday tenant, there's a crucial prerequisite: ensuring users have the necessary security access to relevant domains in the System functional area. By enabling the View Signon History report, users can examine their own Workday sign-in activities for a chosen period and look for any unusual behavior related to their Workday account sign-in.

  1. For the system functional area, access the Domain Security Policies for Functional Area report.
  2. Configure the Self-Service: Signons domain security policy. Grant View access to one or both of these security groups:
    • Employee as Self
    • Contingent Worker as Self

Access the Activate Pending Security Policy Changes task to confirm changes. 

Users can access the View Signon History report and review details about their sign-in activity, such as:

  • Sign-in and sign-out times.
  • Device type.
  • Authentication type.
  • IP address
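One way to review these fields in bulk, as an added example that is not part of the original article or a Workday tool. The CSV column names, the authentication-type values, the allowed network and all sample rows are constructed assumptions standing in for an exported sign-on history.

```python
import csv
import io
import ipaddress

# Constructed sample export; column names and values are hypothetical.
SAMPLE = """signon,signoff,device_type,auth_type,ip
2024-06-10T08:58:00,2024-06-10T12:01:00,Desktop,SAML,198.51.100.23
2024-06-10T13:02:00,2024-06-10T17:30:00,Desktop,SAML,198.51.100.23
2024-06-11T02:14:00,2024-06-11T02:20:00,Desktop,User Name Password,203.0.113.77
2024-06-11T09:00:00,,Mobile,SAML,198.51.100.40
"""

# Assumed corporate client network and expected sign-in method.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_AUTH = {"SAML"}


def review_signons(csv_text, allowed_networks, expected_auth):
    """Return (sign-in time, reasons) for each record that needs a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            if not any(ip in net for net in allowed_networks):
                reasons.append("ip outside allowed networks")
        except ValueError:
            reasons.append("unparseable ip")
        if row["auth_type"] not in expected_auth:
            reasons.append("unexpected authentication type")
        if not row["signoff"]:
            # Session never explicitly closed, as in the forgotten-login scenario.
            reasons.append("no sign-out recorded")
        if reasons:
            findings.append((row["signon"], reasons))
    return findings


if __name__ == "__main__":
    for when, why in review_signons(SAMPLE, ALLOWED_NETWORKS, EXPECTED_AUTH):
        print(when, "; ".join(why))
```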


Effective session management is key to keeping Workday secure. By setting up session timeouts, requiring re-authentication for sensitive tasks, using multi-factor authentication, and constantly monitoring sessions, organizations can protect their sensitive data without sacrificing user convenience. Regularly reviewing and updating these policies ensures they stay effective against new threats, keeping both your organization and its employees safe.
