Config Security

12/27/21, 12:01 AM Workday® Administrator Guide

1 | Configurable Security
1.1 | Configurable Security Basics
1.1.1 | Setup Considerations: Configurable Security

You can use this topic to help make decisions when planning your use of configurable security. It
explains:

Why to set it up.
How it fits into the rest of Workday.
Downstream impacts and cross-product interactions.
Security requirements and business process configurations.
Questions and limitations to consider before implementation.

Refer to detailed task instructions for full configuration details.

What It Is
Workday configurable security enables you to control the items users can view and the actions they
can perform in your tenant. You can determine how you want to group users through security
groups. You can specify the items and actions that members of security groups can view and
perform through security policies.

Business Benefits
Automate permission assignments by grouping users based on similar attributes, saving
you the effort of setting up permissions individually.
Manage access to integrations, reports, mobile devices, and IT access using a single
security model, making it easier to maintain access at scale.
Make mass changes to your security configuration as your organization grows.

Use Cases
Automatically add new users to a defined security group based on their position, such as
adding financial analysts to a security group when hired.
Enable users to access only nonsensitive portions of data, such as enabling HR
administrators to access aggregated payroll results.
Provide different levels of access for different types of users in the same tenant.

Questions to Consider

https://doc.workday.com/internal/api/webapp/print/aa7ab020-8a58-4a7d-aeba-eb9f52344752 1/114

Question: How do you want to determine who can view items and perform actions in Workday?
Considerations:
Workday provides different types of security groups to enable you to address the security needs of your organization. Example: Job-based security groups enable you to control access to items and actions by grouping users based on their job details.
Workday groups similar items and actions into different security policies. While you can't change the items and actions secured to security policies, you can change the security groups associated with the security policies.
By associating security groups with security policies, you can enable members of the security groups to access the secured items and actions.

Question: What level of permission do you want to provide to tasks and reports?
Considerations:
Workday groups similar tasks and reports into security domains. To provide access to the tasks and reports, set View or Modify permission on the security policies that secure them.
View permission provides users with access to only the tasks and reports that Workday designates with View access. Reports and reporting items are typically the items that Workday designates with View access.
Modify permission provides users with access to all the tasks and reports secured to the domain.

Question: What level of permission do you want to provide to business processes?
Considerations:
You can use business process security policies to set permissions for the actions on business processes, such as initiation and action steps.
You can set different permissions for actions on business processes, such as View All, Rescind, and Deny permissions.

Question: What's your change management strategy for security?
Considerations:
The changes you make to security policies go into effect when you activate the changes. You can:
Revert to earlier versions of your security configuration.
Prepare complex changes to your security before enabling the changes.
While you can revert to earlier versions, Workday doesn't provide security policy change control to help you keep alternate valid configurations. When you revert to another configuration, the current configuration is no longer available.

Question: Do third-party resources need access to your Workday tenant?
Considerations:
You can use Service Centers to grant third-party contracted organizations access to your Workday tenant without granting them access to sensitive data.
Representatives from the third-party organizations have limited access to your Workday tenant and can support a subset of workers in your organization. The representatives aren't workers but can perform tasks in Workday within a predefined scope. Example: Helping employees enroll in benefits or unlock their locked accounts.

Recommendations
Before you create your own security groups, use Workday-provided security groups, which enable
you to:

Benefit from questions and feedback about the security groups as captured on Workday
Community.
Use Workday-verified security configurations.

Provide users with the fewest privileges to information and resources needed to accomplish their
job functions. Providing users with the fewest privileges enhances the protection of your
information and resources.

Turn off functional areas and security policies that you don't currently use to simplify your security
configuration.

Review setup considerations for security groups and security policies for additional
recommendations.

Requirements
To set permissions for domains and business processes, enable each functional area as well as its
security policies. Enabling a functional area doesn’t automatically enable all the security policies
within the functional area.

Review setup considerations for security groups and security policies for additional requirements.

Limitations
You can’t:

Change the actions available on business process security policies.
Change the items within domains.
Create your own functional areas.
Delete security policies.
Move domains or business processes from 1 functional area to another.

When you revert to another configuration using security policy change control, the original
configuration is no longer available.

Tenant Setup
No impact.

Security
These domains in the System functional area:

Domain: Security Administration
Considerations: Enables you to review and administer security. Provides the ability to view how Workday secures items.

Domain: Security Configuration
Considerations: Enables you to configure security and review your security configuration. Provides the ability to view and maintain functional areas, create security groups, and view security timestamps.

Business Processes
No impact.

Reporting

Report: Business Process Security Policies for Functional Area
Considerations: Displays all business process security policies for a functional area.

Report: Domain Security Policies for Functional Area
Considerations: Displays all domain security policies for a functional area.

Report: Functional Areas
Considerations: Displays all functional areas and the domains and business processes in them.

Report: Security Exception Audit
Considerations: Displays errors and warnings involving your security configuration.

Report: View Security for Securable Item
Considerations: Displays how Workday secures delivered items.

Report: View Security Group
Considerations: Displays the associated security policies and configuration details for a security group.

Report: View Security Groups for User
Considerations: Displays the security groups that a user is a member of.

Integrations
No impact.

Connections and Touchpoints
Configurable security provides a comprehensive model for accessing items throughout Workday
and on all devices.

Workday offers a Touchpoints Kit with resources to help you understand configuration relationships
in your tenant. Learn more about the Workday Touchpoints Kit on Workday Community.

Related Information

Concepts
Concept: Configurable Security
Concept: Security Policy Change Control
Tasks
Maintain Security Group Permissions
Reference
Setup Considerations: Security Groups
Setup Considerations: Security Policies
Reference: Security-Related Reports
Reference: Security Group Types

1.1.2 | Steps: Enable Functional Areas and Security Policies

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

Before you can configure security for workers in your tenant, enable the functional areas and
security policies for secured items you want to provide access to.

Steps

1. Access the Maintain Functional Areas task.
Select the Enabled check box for the functional areas you want to use.
If a functional area doesn't display on the Maintain Functional Areas task, access the Create
Functional Area task. You can specify the name of an existing domain group without a
functional area to create the functional area.
2. Access the Domain Security Policies for Functional Area report.
Select Domain Security Policy > Enable from the related actions menu of the domain
security policy.
Security: Security Activation domain in the System functional area.
3. Access the Business Process Security Policies for Functional Area report.
Select Business Process Policy > Edit from the related actions menu of the business
process type.
Add security groups to relevant initiating actions. You can disable the business process
security policy by removing all the security groups from relevant initiating actions.
4. Activate your changes to security policies.
See Activate Pending Security Policy Changes.

Example

By enabling functional areas and security policies for:

Activity streams, you can specify the workers who can collaborate with others.
Extended enterprise learning, you can specify the workers who can create and manage
extended enterprise learners.
Lease accounting, you can specify the workers who can manage account posting rules.

1.1.3 | Steps: Set Up Security Permissions

Prerequisites

Enable the functional areas for the items you want to use.
Security: Security Configuration domain in the System functional area.

Context

Set up security for workers in your tenant so they can access tasks, reports, and other secured
items in Workday. Workers gain access to items when you:

Add workers to security groups or identify an existing security group that contains the
workers.
Associate the security groups with the security policies that secure the items.
Activate your changes to the security policies.

You can add workers to security groups by either:

Assigning users to security groups directly. Example: Using user-based security groups.
Deriving membership based on information about users. Example: Their role assignments or
job details.

Steps

1. Identify an existing security group that contains the users for whom you want to set
permissions.
You can also access the Create Security Group task to create a new security group.
See Reference: Security Group Types and Reference: Workday-Delivered Security Groups.
2. (Optional) Access the View Security for Securable Item report.
Identify the security policies that secure specified items.
3. Add the security group to the security policies.
See Edit Domain Security Policies and Edit Business Process Security Policies.
4. Activate your changes to security policies.
See Activate Pending Security Policy Changes.
5. Verify your security configuration.
See Reference: Security-Related Reports.

Result

Workers in the specified security groups can access items that Workday secures to the associated
security policies.

Example

Set up security to determine who can:

Access specified hold reasons and whether those workers can override or update the
corresponding student holds.
Complete an electronic Form I-9.
Create and modify headcount plans and view and analyze plan data.

Related Information

Reference
The Next Level: Getting to Know Configurable Security

1.1.4 | Concept: Configurable Security

You can control the items users can view and the actions they can perform in your tenant with
configurable security.

Functional Areas
Workday groups reports, tasks, and other items into different functional areas. Each functional area
includes items that enable users to perform similar actions. Example: The Benefits functional area
includes reports, tasks, and other items for managing benefits.

Each functional area includes:

Domains, which include reports, tasks, instance sets, report fields, integration templates,
web services, and data sources.
Business process types, which include the steps for actions in business processes, such as
initiation and action steps.

To view functional areas and the domains and business processes within them, access the
Functional Areas report.

Security Groups
Security groups are collections of users that you can use to grant access to secured items and
business process steps. You can create custom security groups to serve security requirements
beyond the security groups in your tenant. You can add workers to security groups by either:

Assigning users to security groups directly.
Deriving membership based on information about users, such as their roles or job details.

Security Policies
Security policies enable you to configure access to groups of items and individual business process
actions. By associating security groups with security policies, you can enable members of the
security groups to access the secured items and actions. You can't change the items in a domain or
actions in a business process.

You can set:

Get and Put permissions for integrations.
View and Modify permissions for reports, tasks, and other items secured to domains.

You can also set various permissions for actions on business processes, such as View All, Rescind,
and Deny permissions.

Inheritance in Domain Security Policies
Workday defines parent-child relationships so that child security policies inherit permissions from a
parent security policy. Example: The Set Up: Accounting Rules domain inherits permissions from the
Set Up: Financial Accounting domain. These relationships can help you maintain and update
permissions for many items at once.

You can:

Identify whether a domain security policy inherits permissions by accessing the domain
security policy on the View Domain report.
Override inherited permissions when a child security policy needs different permissions.
Return to the parent permissions using the User Parent Permissions option on the View
Domain Security Policy report.

The items in a parent security policy include the items from the domain it secures and all the
subdomains. The domain it secures might not have securable items of its own. Overriding
permissions doesn’t affect the inheritance on any other child security policies.

Inherent Permissions
Workday provides default access to certain securable items through inherent permissions. While
you can remove security groups from some domain security policies, the security groups retain
access to the securable items that Workday secures to the security policies.

Example: The Implementers security group has inherent permissions to the User-Based Security
Group Administration domain security policy. Members of the Implementers security group have
permanent access to items secured by the domain.

The Inherent Permission field on the View Domain report lists the security groups that have
permanent access to a domain security policy.

Security Policy Change Control
Workday tracks the date and time of each change you make to your security. Workday evaluates
your security based on a timestamp of all your changes since a specified date and time. You can
activate:

Pending changes and create a new timestamp.
Previous timestamps to revert to earlier versions of your security.

Related Information

Concepts
Concept: Security Groups
Concept: Security Policies
Concept: Security Policy Change Control
Reference
The Next Level: Getting to Know Configurable Security

1.1.5 | Reference: Security-Related Reports

Workday provides reports in these areas to help you manage security in your tenant:

Security Groups
Security Policies
Domains and Business Processes
Workers
Security Audits

Security Groups

Report: Action Summary for Security Group
Description: View the security policies associated with a specified security group.
Prompts: Security Group

Report: Business Process Types and Initiating Security Groups
Description: View all business processes and the security groups that have permission to initiate them.
Prompts: None

Report: Compare Permissions of Two Security Groups
Description: Compare the security policy permissions for 2 security groups.
Prompts: Security Group 1; Security Group 2; Include Disabled Domains/Functional Areas (Optional)

Report: Security Analysis for Security Groups
Description: View the secured items associated with 1 or more specified security groups.
Prompts: Security Group (Optional); Include Disabled Domains/Functional Areas (Optional)

Report: View Security Group
Description: View 1 security group and the associated security policies and configuration details.
Prompts: Security Group

Report: View Security Groups
Description: View 1 or more security groups and the associated security policies and configuration details.
Prompts: Include Disabled Domains/Functional Areas (Optional); Include Inactive Security Groups (Optional); Security Group Type(s) (Optional)

Report: View Web Service Operations Security Groups
Description: Identify the security groups that you need to be a member of to run a specified web service.
Prompts: Web Service

Report: Web Service Security Audit
Description: View the security groups that can run web service tasks.
Prompts: Web Service Task to Select (Optional)

Security Policies

Report: Business Process Security Policies Changed within Time Range
Description: View changes to business process security policies in your tenant and view when and who changed the security policies.
Prompts: From (Optional); To (Optional); Include Changes to Security Groups (Optional)

Report: Business Process Security Policies for Functional Area
Description: View all business process security policies for a functional area.
Prompts: Functional Area; Business Process (Optional)

Report: Business Process Security Policies with Pending Changes
Description: Review pending changes to business process security policies before activating them.
Prompts: None

Report: Business Process Security Policy History
Description: Audit changes to specified business process security policies and view when and who changed the security policies.
Prompts: Business Process Type (Optional); From (Optional); To (Optional)

Report: Domain Security Policies Changed within Time Range
Description: View changes to every domain security policy in your tenant and view when and who changed the security policies.
Prompts: From (Optional); To (Optional); Include Changes to Security Groups (Optional)

Report: Domain Security Policies for Functional Area
Description: View all domain security policies for a functional area.
Prompts: Functional Area

Report: Domain Security Policies with Pending Changes
Description: Review pending changes to domain security policies before activating them.
Prompts: None

Report: Domain Security Policy History
Description: Audit changes to specified domain security policies and view when and who changed the security policies.
Prompts: Domain Security Policy; From (Optional); To (Optional)

Report: Domain Security Policy Summary
Description: View the current security configuration for every domain in 1 or more functional areas.
Prompts: Functional Areas (Optional)

Report: Functional Areas
Description: View all functional areas and the domains and business processes in them.
Prompts: None

Report: View Security for Securable Item
Description: Identify how Workday secures specified delivered items.
Prompts: Securable Item

Domains and Business Processes

Report: All Domains
Description: View the functional areas, subdomains, and super domains for each domain in Workday.
Prompts: None

Report: Inactivated Domains
Description: View all inactivated domains and the policy statuses.
Prompts: None

Report: Secured Items in Multiple Domains
Description: View the delivered items that Workday secures to more than 1 domain.
Prompts: None

Report: View Domain
Description: View the reports, tasks, and other items that Workday secures to a domain.
Prompts: Domain

Workers

Report: Compare Security of Two Worker Accounts
Description: Compare the security group assignments for 2 workers.
Prompts: Worker 1; Worker 2

Report: Security Analysis for Landing Page Worklet
Description: View whether a Workday account can access specified landing pages and the associated worklets.
Prompts: Landing Pages; Account

Report: Security Analysis for Securable Item and Account
Description: View the security policies and security groups that grant a Workday account access to a delivered item.
Prompts: Securable Item; Account; Show Details (Optional)

Report: Security Analysis for Workday Account
Description: View the access permissions for 1 or more Workday accounts.
Prompts: Workday Account (Optional); Include Disabled Domains/Functional Areas (Optional)

Report: Security History for User
Description: View a detailed history of the transactions involving a Workday user.
Prompts: User; From (Optional); To (Optional)

Report: Test Security Group Membership
Description: Evaluate whether a user is a member of a security group.
Prompts: Is User; In Security Group; for Target Instance (Optional)

Report: Test Security Rule
Description: Evaluate whether a Workday account satisfies the conditions on a security rule.
Prompts: Security Rule; Workday Account

Report: View Security Groups for User
Description: View all the security groups that a user is a member of.
Prompts: Person

Security Audits

Report: Security Exception Audit
Description: Audit the details of errors and warnings involving security groups and security policies in your tenant.
Prompts: None

Report: Security Groups Not Referenced in any Security Policy
Description: Audit the security groups that you aren't using on any security policy.
Prompts: None

Report: Security History
Description: Audit the security changes for a specified organization.
Prompts: Organization; From (Optional); To (Optional); Include Subordinate Organizations (Optional)

Report: View All Security Timestamps
Description: Audit all security timestamps, including current and previous timestamps, and the comments.
Prompts: None

Related Information

Concepts
Concept: Configurable Security
Concept: Security Policies
Concept: Security Groups
Reference
Workday Community: Security Reports

1.1.6 | FAQ: Configurable Security

What if users can access items that they shouldn't be able to access?
What if users can't access items that they should be able to access?
How does a user get access to an instance?
Which security groups have permission to view background processes?
Which security groups have permission to access My Reports and download content from
Workday?
How can I fix securable items that have exceptions?
Why does a user receive an error when attempting to access an Inbox item or email
notification link?
Where can I view the different role and security group assignments for 2 different workers?
Where can I view the different security policy assignments for 2 different security groups?
Where can I view the permissions granted to a security group?
Where can I view the security for securable items?

What if users can access items that they shouldn't be able to access?
The Security Analysis for Securable Item and Account report can help you determine if you need to
remove:

A security group from a security policy.
A user from a security group.

The report can also help you determine if a secured item displays in more than 1 domain. Users
with different levels of access in different domains have the most permissive access granted.
Example: A user has Modify permission to a secured item when the user has:

View permission to the secured item in 1 domain.
Modify permission to the secured item in another domain.

If users have permission to access a secured item that they shouldn't have permission to access:

View the Access Rights to Organizations section in the security group definition and
inheritance.
Access the Secured Items in Multiple Domains report.

All changes to security groups or security policies are effective immediately. Before you make
changes, consider how the changes affect other access for the security group and user.
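
The most-permissive rule described above, together with the parent-child inheritance described under Inheritance in Domain Security Policies, as a small Python model. This is an added example, not Workday code: the groups, users, item and Example Reporting Domain are constructed, and View-designated items, inherent permissions and business process policies are not modeled.

```python
# Added illustration: a simplified model of domain security policy evaluation.
# Not Workday code. Group, user and item names are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RANK = {"View": 1, "Modify": 2}  # Modify is the more permissive level


@dataclass
class DomainPolicy:
    name: str
    parent: Optional[str] = None
    # security group -> "View" or "Modify"; None means "inherit from the parent policy"
    grants: Optional[Dict[str, str]] = None


@dataclass
class Tenant:
    policies: Dict[str, DomainPolicy]
    item_domains: Dict[str, List[str]]  # securable item -> domains that secure it
    members: Dict[str, Set[str]]        # security group -> users

    def resolved_grants(self, domain: str) -> Tuple[Dict[str, str], str]:
        """Return (grants, policy they come from), following parent links."""
        seen: Set[str] = set()
        current: Optional[str] = domain
        while current is not None:
            if current in seen:
                raise ValueError(f"inheritance cycle at {current!r}")
            seen.add(current)
            policy = self.policies[current]
            if policy.grants is not None:  # own or overridden permissions
                return policy.grants, current
            current = policy.parent
        return {}, domain

    def access_paths(self, user: str, item: str) -> List[Tuple[str, str, str, str]]:
        """Every (domain, source policy, group, level) that gives user access to item."""
        paths = []
        for domain in self.item_domains.get(item, []):
            grants, source = self.resolved_grants(domain)
            for group, level in sorted(grants.items()):
                if user in self.members.get(group, set()):
                    paths.append((domain, source, group, level))
        return paths

    def effective_permission(self, user: str, item: str) -> Optional[str]:
        """Most permissive level across all domains that secure the item."""
        levels = [level for _, _, _, level in self.access_paths(user, item)]
        return max(levels, key=RANK.__getitem__) if levels else None


ITEM = "Example Posting Rules Task"  # constructed item secured in two domains


def build_sample() -> Tenant:
    parent, child, other = (
        "Set Up: Financial Accounting",  # parent domain named on the page
        "Set Up: Accounting Rules",      # child domain named on the page
        "Example Reporting Domain",      # constructed second domain
    )
    return Tenant(
        policies={
            parent: DomainPolicy(parent, grants={"Finance Admins": "Modify", "Auditors": "View"}),
            child: DomainPolicy(child, parent=parent),  # inherits from the parent
            other: DomainPolicy(other, grants={"Auditors": "View", "Report Writers": "Modify"}),
        },
        item_domains={ITEM: [child, other]},
        members={
            "Finance Admins": {"alice"},
            "Auditors": {"bob", "carol"},
            "Report Writers": {"carol"},
        },
    )


if __name__ == "__main__":
    tenant = build_sample()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, tenant.effective_permission(user, ITEM))
        for path in tenant.access_paths(user, ITEM):
            print("   via", path)
    # Override the child policy so it no longer inherits the Auditors grant.
    tenant.policies["Set Up: Accounting Rules"].grants = {"Finance Admins": "Modify"}
    print("bob after override:", tenant.access_paths("bob", ITEM))
```

In the sample, carol ends up with Modify because one domain grants View and another grants Modify, and bob keeps View after the child policy is overridden because the second domain still secures the item.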

What if users can't access items that they should be able to access?
These reports can help you compare the security groups for a user with the security groups on a
securable item:

View Security for Securable Item
View Security Groups for User

Using the information from these reports:

Add the user to a security group that has permission to access the item.
Grant access to a security group that the user belongs to.

Before you change your tenant, consider:

The access of the user when you associate them with a security group that has permission
to access the item.
The number of other users in the security groups that the user is in.

How does a user get access to an instance?
A user might get access to an instance through a role-based security group. Access the Security
Analysis for Securable Item and Account report to identify:

The role-based security group that provides the user with access to the instance.
The instance ID.

Use this information in the Test Security Group Membership report and:

Add 1 security group at a time to identify the security group that provides access.
Identify the security groups assigned to the user or the role assignments for the user.

Which security groups have permission to view background processes?

You can view background processes in the Background Processes for a Process report.

Any user who belongs to an Administrative security group can view all background processes in this
report.

All users can view the background processes for processes that they’ve run. For Integrations, users
can view processes if you provide them with permission to view the relevant templates.

Users can view these background process types if they have the appropriate permissions:

Integration Processes: Users must belong to an Administrative-type security group secured
to the Integration Build, Integration Debug, or Integration Event security domains.
Report Processes: Users must belong to an Administrative-type security group secured to
the Report Background Processes security domain.
Scheduled Reports: Users must belong to an Administrative-type security group secured to
the Scheduled Report Processes security domain.

Which security groups have permission to access My Reports and download content from
Workday?
Security groups that have access to the Export to PDF and Excel domain security policy can:

Access the My Reports report.
Download content from Workday to PDF or Microsoft Excel files.

By default, Workday configures the All Users security group on the Export to PDF and Excel domain
security policy.

Security groups that have access to the domain security policy can download these types of
content:

Drill-down menus.
Grids.
Items accessed using context menus.
Pages.

The domain security policy has no impact on self-service type content. Security groups that don't
have access can download items such as:

Business forms.
Pay advice.
W-2 forms.

(Workday Extend only) For Export to Excel grids, Workday doesn't support security policies
configured on the Export to PDF and Excel domain. To prevent users from exporting grid data, the
Workday Extend app developer must disable the Export to Excel feature on the grid.

How can I fix securable items that have exceptions?

Exceptions can occur when someone changes a security policy, which invalidates an access
assignment. These exceptions can happen when you activate a pending security policy change in
which a:

Business process security policy is missing a security group that the business process still
uses.
Security policy specifies a security group that you deleted from Workday.

Before you remove a security group from a business process security policy, remove the security
group from the business process definition.

Access the Security Exception Audit report to:

Identify problem areas.
Remove the invalid security group from the security policy or business process definition.

When a business process starts, you can:

Reassign the step routed to an invalid user.
Rescind the process.

In either case, change the business process definition for that organization to specify only valid
security groups.
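
The two exception causes described above, written as a check that compares a pending configuration against the active one before activation. This is an added example, not Workday code or a Workday API; the configuration shape and every policy, process and group name in it are constructed.

```python
# Added illustration: a pre-activation check for the two exception causes above.
# Not Workday code. All policy, process and group names are constructed sample data.
import copy
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (kind, where, security group)

BP = "Example Onboarding Process"     # constructed business process type
DOMAIN = "Example Worker Data Domain"  # constructed domain security policy


@dataclass
class SecurityConfig:
    groups: Set[str]                                   # security groups that exist
    domain_policies: Dict[str, Set[str]]               # domain policy -> groups on it
    bp_policies: Dict[str, Set[str]]                   # process type -> groups on its policy
    bp_definitions: Dict[str, List[Tuple[str, str]]]   # process type -> (step, group)


def audit(cfg: SecurityConfig) -> Set[Finding]:
    """Return every exception present in one configuration."""
    findings: Set[Finding] = set()
    # Cause 1: a security policy specifies a group that no longer exists.
    for policies in (cfg.domain_policies, cfg.bp_policies):
        for name, groups in policies.items():
            for group in groups - cfg.groups:
                findings.add(("deleted group on policy", name, group))
    # Cause 2: the business process definition still uses a group
    # that is missing from the business process security policy.
    for process, steps in cfg.bp_definitions.items():
        allowed = cfg.bp_policies.get(process, set())
        for step, group in steps:
            if group not in allowed:
                findings.add(
                    ("definition uses group missing from policy", f"{process} / {step}", group)
                )
    return findings


def new_exceptions(active: SecurityConfig, pending: SecurityConfig) -> List[Finding]:
    """Exceptions that activating `pending` would introduce, sorted for stable output."""
    return sorted(audit(pending) - audit(active))


def active_config() -> SecurityConfig:
    return SecurityConfig(
        groups={"HR Partner", "Manager", "Benefits Help Desk"},
        domain_policies={DOMAIN: {"HR Partner", "Benefits Help Desk"}},
        bp_policies={BP: {"HR Partner", "Manager"}},
        bp_definitions={BP: [("Initiation", "Manager"), ("Approval", "HR Partner")]},
    )


def pending_wrong_order() -> SecurityConfig:
    """Group removed from the policy and another group deleted, nothing else updated."""
    cfg = copy.deepcopy(active_config())
    cfg.bp_policies[BP].discard("HR Partner")
    cfg.groups.discard("Benefits Help Desk")
    return cfg


def pending_right_order() -> SecurityConfig:
    """Definition and policies updated first, then the group removed or deleted."""
    cfg = copy.deepcopy(active_config())
    cfg.bp_definitions[BP] = [("Initiation", "Manager"), ("Approval", "Manager")]
    cfg.bp_policies[BP].discard("HR Partner")
    cfg.domain_policies[DOMAIN].discard("Benefits Help Desk")
    cfg.groups.discard("Benefits Help Desk")
    return cfg


if __name__ == "__main__":
    for label, pending in (("wrong order", pending_wrong_order()),
                           ("right order", pending_right_order())):
        print(label, new_exceptions(active_config(), pending))
```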

Why does a user receive an error when attempting to access an Inbox item or email notification
link?

A user might receive an error when someone changes the security policy on a business process
after the process starts.

The error might occur when the security group with permission to access the step doesn't have
either:

View All access for events in progress.
View Completed Only access for completed events.

To assess the business processes, access these reports:

Business Process Policy View Audit: Identify security groups that don't have View access to
components of business process types that might involve them.
Security Exception Audit.

Where can I view the different role and security group assignments for 2 different workers?
Access the Compare Security of Two Worker Accounts report to view:

Assignment differences for roles and security groups.
Common assignments for 2 workers.

Where can I view the different security policy assignments for 2 different security groups?

Access the Compare Permissions of Two Security Groups report.

Where can I view the permissions granted to a security group?

Access the View Security Group report and view a security policy from 1 of these tabs:

Business Process Permissions tab for business process security policies.
Security Permissions tab for domain security policies.

You can also access the Action Summary for Security Group report. You can use the report to view
details about the security policy assignments for a security group.

Where can I view the security for securable items?

Access the View Security for Securable Item report.

Related Information

Reference
Workday 32 What's New Post: Configurable Security Reporting
Workday 32 What's New Post: View Security for Securable Item

1.2 | Security Groups


1.2.1 | Setup Considerations: Security Groups

You can use this topic to help make decisions when planning your configuration and use of security
groups. It explains:

Why to set them up.
How they fit into the rest of Workday.
Downstream impacts and cross-product interactions.
Security requirements and business process configurations.
Questions and limitations to consider before implementation.

Refer to detailed task instructions for full configuration details.

What They Are


Security groups are collections of users that you can use to grant access to secured items and
business process steps. You can create custom security groups to serve security requirements
beyond the security groups in your tenant. You can add workers to security groups by either:

Assigning users to security groups directly.
Deriving membership based on information about users, such as their roles or job details.

Business Benefits
Security groups save you time configuring and managing permissions for large collections of users.

Use Cases
Depending on the type of security group you use, you can:

Enable credit card companies to integrate with Workday.
Enable HR Partners to view worker data for their assigned organizations.
Enable only contingent workers to complete time tracking.
Enable third-party help desks to access target data.

Questions to Consider

Question: Do you want to set security permissions for individual users?
Considerations: You can use user-based security groups to set security permissions for individual
users, such as administrators with elevated privileges.

Setting permissions for individual users can be maintenance intensive. When you want to automate
maintenance, Workday recommends using other types of security groups, such as role-based or
job-based security groups.

Question: Do you want to enable third-party users to access secured items?
Considerations: Service Center security groups enable third-party users in a Service Center to
access secured items. You can use user-based security groups to provide certain users in the
Service Center with elevated privileges.

Question: Do you want to adjust the permissions on an existing security group without changing the
security group?
Considerations: Use these types of security groups to adjust permissions by combining members from
other security groups:

Aggregation security groups.
Intersection security groups.

Aggregation security groups include users who are members of at least 1 included security group.
Example: Provide HR Partners and HR Executives with the same permissions.

Intersection security groups include users who are common to all the included security groups.
Example: Combine these security groups so HR Partners who are members of both security groups get
access to secured content:

HR Partner security group based on supervisory organization.
HR Partner security group based on location hierarchy.

The configuration enables you to separate permissions between HR Partners in England, Germany, and
Ireland from HR Partners in the United States and Canada.

Question: Do you want to set permissions based on a worker's job?
Considerations: Job-based security groups enable you to automate security group assignments based
on the job profile details of a worker. Example: Enable hourly, nonexempt workers to access time
tracking functionality.

To change the members of a job-based security group, you can:

Change the job details that you reference in the security group definition.
Change the job details of the users you want to add or remove from the security group.

Question: Do you want to set permissions to support a worker population in a certain location?
Considerations: You can use constrained role-based security groups to provide access based on the
position you assign to a role in a location hierarchy. Example: The manager of the Berlin office
sits in the London office. You can enable the manager to access data in Germany by assigning the
position on the Manager role for Berlin.

You can use organization membership security groups to provide broad access using a location
hierarchy. Because you're using a location hierarchy, Workday automatically updates permissions as
locations change in the hierarchy.

You can use location membership security groups to provide access based on a specific location.
Example: Set permissions for workers in Austin, Texas.

Question: Do you want to enable workers to access data for only their assigned organizations?
Considerations: You can constrain certain security group types so that members can access only
data that you secure to their organizations. You can also constrain role-based security groups by:

Customer.
Job requisition.
Prospect.
Requisition.
Supplier contract.

You can use user-based security groups and other unconstrained security group types to grant
access to secured content regardless of organization. Workday recommends using unconstrained
security groups for:

Domains that enable you to modify configurations, such as Set Up domains.
Centralized teams that need tenant-wide access to all data, such as your Human Resources
Information Services and Human Resources Information Technology teams.

Recommendations
Workday recommends that you:

Avoid creating intersection security groups that contain only 1 security group.
Avoid creating user-based security groups that contain only 1 user.
Remove security groups from security policies when you intend to replace the security
groups with aggregation, intersection, or segment-based security groups.
Test each change to a security group by signing in as other users and reviewing the data
that the users can access.
Use simple constraints when creating security groups to ensure that Workday evaluates
security more quickly.

Many security policies have restrictions on the types of security groups that you can add to the
security policies. Before you create security groups, consider the:

Data points, tasks, reports, and business processes you want to provide access to.
Security policies that secure those items.
Types of security groups that you can associate with the security policies.

Use the default security groups in your tenant as a starting point for your configuration. You can
then refine the security groups as you need to so you can:

Take advantage of the questions that others ask on Workday Community by referencing the
same security language.
Use the security group configurations that Workday designs and verifies.

Consolidate similar business requirements into broad security groups. By configuring less-specific
security groups, you can:

Avoid activating many small security changes.
More easily maintain security permissions.

The security groups you use can impact how quickly you can generate reports and route steps on
business processes. When performance is an important consideration, use:

Unconstrained role-based security groups.
User-based security groups.

Copy security groups carefully to avoid providing new security groups with more access than you
intend to provide. When you copy security groups, Workday copies all the security permissions to
the new security group. When you want to change the permissions on the security group, you must
remove security policies individually.

Requirements
No impact.

Limitations
When you configure intersection security groups, you can't use:

Aggregation or other intersection security groups as exclusion criteria.
Constrained security groups as exclusion criteria.
Integration System and other intersection security groups as inclusion criteria.
Intersection security groups in access restrictions.

You can't use these Workday-delivered security groups in intersection security groups:

All Users.
Manager's Manager.
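
A lint pass over security group definitions that flags the intersection limitations and two of the
recommendations listed above, as an added example (not Workday code). The Group record, the type
labels and the sample groups are this example's own model, not a Workday format; the
access-restriction limitation is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Type labels are this example's own; they mirror the group types named on the page.
INTERSECTION, AGGREGATION = "intersection", "aggregation"
INTEGRATION_SYSTEM, USER_BASED, ROLE_BASED = "integration-system", "user-based", "role-based"
ORG_MEMBERSHIP, DELIVERED = "organization-membership", "workday-delivered"

# Workday-delivered groups the page says can't be used in intersection security groups.
BLOCKED_IN_INTERSECTION = {"All Users", "Manager's Manager"}


@dataclass
class Group:
    name: str
    type: str
    constrained: bool = False
    include: list = field(default_factory=list)  # names of included groups
    exclude: Optional[str] = None                # name of the excluded group
    users: list = field(default_factory=list)    # direct members (user-based groups)


def lint(groups):
    """Return sorted (severity, group name, message) findings."""
    by_name = {g.name: g for g in groups}
    findings = []

    def add(severity, group, message):
        findings.append((severity, group.name, message))

    for g in groups:
        # Recommendation: avoid user-based groups that contain only 1 user.
        if g.type == USER_BASED and len(g.users) == 1:
            add("warning", g, "user-based group contains only 1 user")
        if g.type != INTERSECTION:
            continue
        # Recommendation: avoid intersection groups that contain only 1 group.
        if len(g.include) == 1:
            add("warning", g, "intersection group contains only 1 security group")
        # Limitation: All Users and Manager's Manager can't be used at all.
        for name in g.include + ([g.exclude] if g.exclude else []):
            if name in BLOCKED_IN_INTERSECTION:
                add("error", g, f"{name} can't be used in an intersection group")
        # Limitation: no Integration System or intersection groups as inclusion criteria.
        for name in g.include:
            member = by_name.get(name)
            if member and member.type in (INTEGRATION_SYSTEM, INTERSECTION):
                add("error", g, f"{name} ({member.type}) can't be inclusion criteria")
        # Limitation: no aggregation, intersection or constrained groups as exclusion criteria.
        excluded = by_name.get(g.exclude) if g.exclude else None
        if excluded:
            if excluded.type in (AGGREGATION, INTERSECTION):
                add("error", g, f"{excluded.name} ({excluded.type}) can't be exclusion criteria")
            if excluded.constrained:
                add("error", g, f"{excluded.name} is constrained and can't be exclusion criteria")
    return sorted(findings)


def sample_groups():
    """Constructed sample definitions; group names not on the page are made up."""
    sup_org = "HR Partner (Supervisory Organization)"
    loc = "HR Partner (Location Membership)"
    return [
        Group(sup_org, ROLE_BASED, constrained=True),
        Group(loc, ROLE_BASED, constrained=True),
        Group("HR Partner", AGGREGATION, include=[sup_org, loc]),
        Group("Payroll ISU Group", INTEGRATION_SYSTEM),
        Group("Break Glass Admin", USER_BASED, users=["jdoe"]),
        Group("US Location Hierarchy", ORG_MEMBERSHIP),
        Group("Employee As Self", DELIVERED),
        Group("US Expense Submitters", INTERSECTION,
              include=["US Location Hierarchy", "Employee As Self"]),
        Group("Bad Intersection", INTERSECTION, include=["All Users"], exclude="HR Partner"),
        Group("ISU Intersect", INTERSECTION,
              include=["Payroll ISU Group", "US Expense Submitters"], exclude=sup_org),
    ]


if __name__ == "__main__":
    for severity, name, message in lint(sample_groups()):
        print(f"{severity:7} {name}: {message}")
```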

Tenant Setup
No impact.

Security
These domains in the System functional area:

Domains | Considerations
Security Administration | Enables you to audit and administer security groups.
Security Configuration | Enables you to create and manage security groups.

You can use these delivered security groups to enable users to set and manage security in your
tenant:

Security Groups | Considerations
Security Administrator | Can manage all security-related information regardless of organization.
Security Configurator | Can assign workers to security groups.
Security Partner | Can perform security management functions for assigned organizations.
System Auditor | Can audit security group setup.

Business Processes
No impact.

Reporting
These reports display security groups in your tenant and enable you to evaluate membership in the
security groups:

Reports | Considerations
Action Summary for Security Group | Displays the security policies that you associate with a security group.
Compare Permissions of Two Security Groups | Displays the security policy permissions for 2 security groups.
Security Analysis for Security Groups | Displays the items that you associate with 1 or more security groups.
Test Security Group Membership | Displays whether a worker is a member of a security group.
View Security Group | Displays the configuration details and associated security policies for 1 security group.
View Security Groups | Displays the configuration details and associated security policies for 1 or more security groups.

You can also use the Security Groups data source to create custom reports about the security
groups in your tenant. The data source displays 1 row for each security group and includes all
security group types.

Integrations
No impact.

Connections and Touchpoints


Workday offers a Touchpoints Kit with resources to help you understand configuration relationships
in your tenant. Learn more about the Workday Touchpoints Kit on Workday Community.

Related Information

Concepts
Concept: Security Groups
Setup Considerations: Security Policies
Reference
Reference: Security Group Types
Reference: Workday-Delivered Security Groups

1.2.2 | Setup Considerations: Role-Based Security Groups

You can use this topic to help make decisions when planning your configuration and use of role-
based security groups. It explains:

Why to set them up.
How they fit into the rest of Workday.
Downstream impacts and cross-product interactions.
Security requirements and business process configurations.
Questions and limitations to consider before implementation.

Refer to detailed task instructions for full configuration details.

What They Are


With role-based security groups, you can control access to items and actions based on roles you
create and assign to members of your organizations. You can assign roles to positions or jobs. You
can also constrain the security group type to certain areas of an organization that each position or
job supports.

Business Benefits
Using role-based security groups, you can assign and remove access rights automatically as
workers change positions or jobs, enabling you to:

Derive membership instead of explicitly defining it.
Reduce the number of security groups to maintain.

Use Cases
Role-based security groups enable you to automatically:

Add new HR representatives to an HR Partner role-based security group instead of having to
assign them to the security group manually.
Remove permissions when an engineer takes on a new position.

Questions to Consider

Question: How do you provide access to only specific instances of secured data?
Considerations: You can use:

Conditional role-based security groups to constrain access based on location hierarchies.
Example: Managers in Germany can have permission to access more levels in an organization than
managers in the United States.
Constrained role-based security groups to constrain access based on organizations and other
role-enabled objects. Example: Recruiters can only access job applications for their
organizations.

Question: How do you configure role-based security groups for optimal performance?
Considerations: The security groups you use can impact how quickly you can generate reports and
route steps on business processes. To optimize performance:

Avoid filling a role using an organization assigned through a membership rule.
Avoid layers of intersecting role-based security groups.
Use unconstrained role-based security groups.

When you configure constrained role-based security groups, you can improve performance by setting
the access rights to the current organization and all subordinate organizations.

Question: How does your staffing model affect role-based security groups?
Considerations: The staffing model you use can impact whether workers backfill vacancies and
inherit the associated permissions. With the:

Job management staffing model, Workday closes vacancies. When you hire a new worker, you must
create a new job. The new worker doesn't inherit the original role assignments.
Position management staffing model, vacant positions remain open. New workers can backfill the
vacant positions and inherit the original role assignments.

Question: How do you provide similar permissions to multiple roles?
Considerations: Workday recommends that you use aggregation security groups to set similar
permissions. When you copy security groups, you must manually update permissions on each security
group separately during security changes.

Example: Your organization has HR Partner and HR Executive roles. You can add these roles to
role-based security groups and add the security groups to an HR Management aggregation security
group. When HR Executive and HR Partner need:

Different permissions, use the HR Executive or HR Partner security group to define the unique
permissions.
Similar permissions, use the aggregation security group to define the common permissions.

Recommendations
Use:

1 role for each role-based security group to simplify your security configuration.
1 organization type for each role, except when you use hierarchical organizations that roll up
to other organizations. Example: You can use 1 role for Cost Center Hierarchy and Cost
Center because they're part of the same organization type.
Unconstrained role-based security groups carefully. Anyone with the position you associate
with the role can access the secured data for all organizations.
User-based security groups to provide specific users, such as administrators, with access to
securable items that aren't organization-specific.

Before you create role-based security groups, review the:

Data points and business process steps you want to provide access to.
Security policies that secure those items.
Types of security groups that you can associate with the security policies.

Use consistent naming conventions for roles. Examples:

HR Partner describes the HR functional area with modify access; HR Analyst describes the
area with view access for HR data.
Finance Partner describes the Financial functional area with modify access; Finance Analyst
describes the area with view access for financial data.

Requirements
No impact.

Limitations
No impact.

Tenant Setup
No impact.

Security

Domains | Considerations
Security Administration domain in the System functional area. | Enables you to manage who can assign role permissions.
Security Configuration domain in the System functional area. | Enables you to create, view, and delete role-based security groups.
Manage: Organization Roles domain in the Organizations and Roles functional area. | Enables you to run audits and reports on roles.
Set Up: Assignable Roles domain in the Organizations and Roles functional area. | Enables you to view and maintain roles.

Business Processes
No impact.

Reporting

Reports | Considerations
Role Assignment Permissions | Displays the security groups that can administer each role in your tenant.
Role Assignments for Worker Position | Displays the roles and the associated role-based security groups for a specified worker.
Roles for Organization and Subordinates | Displays the hierarchy of a specified organization.
Unassigned Roles Audit | Displays unassigned roles in your tenant.
Unfilled Assigned Roles Audit | Displays assigned roles with positions or jobs that no workers fill.
View Assignable Roles | Displays all roles in your tenant and the security groups that can assign the roles.
View Security Groups | Displays existing role-based security groups.
Worker Roles Audit | Displays the roles for each worker within a specified organization.

Integrations
No impact.

Connections and Touchpoints


Workday offers a Touchpoints Kit with resources to help you understand configuration relationships
in your tenant. Learn more about the Workday Touchpoints Kit on Workday Community.

Related Information

Concepts
Concept: Assign Roles
Concept: Assignable Roles
Concept: Security Groups
Concept: Staffing Models
Reference
Setup Considerations: Roles
Reference: Security Group Types

1.2.3 | Create Aggregation Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use aggregation security groups to combine members from other security groups. Workday
includes users who are members of at least 1 of the included security groups. You can also exclude
workers who are members of a specified security group. Consider using aggregation security
groups to ease maintenance when several security groups have common access requirements.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
   group. You can't inactivate the security group when you:
   Grant the security group permission to the Security Configuration domain.
   Include the security group as a member of another security group.
   Specify the security group as an administrator for another security group.
3. From the Security Groups to Include prompt, select 1 or more security groups whose
   members you want to include.
4. (Optional) From the Security Group to Exclude prompt, select a security group whose
   members you want to exclude.
   Workday excludes a user from an aggregation security group when the user is a member of:
   A security group that you include.
   Another security group that you exclude.

Example

You assign security permissions to the HR Partner (Supervisory Organization) and HR Partner
(Location Membership) groups separately. As a result, you need to maintain those assignments
individually. Alternatively, you can create an HR Partner aggregation security group that includes
both the HR Partner (Supervisory Organization) and HR Partner (Location Membership) security
groups. Using the aggregation security group in security policies, you can assign permissions to
both security groups simultaneously, making it easier to maintain your security configuration.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes
Examples
Example: Create a Service Center Security Group for Benefits Support

1.2.4 | Create Conditional Role-Based Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use conditional role-based security groups to apply a constrained role-based security group
based on a condition. You can also use conditional role-based security groups to limit the display of
detail-level data while still displaying aggregate values in these report types:

Advanced reports, when you also select the Summarize Detail Rows check box on the report
definition.
Composite reports.
Matrix reports.
Trending reports.

In these report types, aggregate values reflect the Security Group When Condition Not Met
evaluation. Detail-level data, such as in a drill-down menu, reflects the full security group evaluation.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
   group. You can't inactivate the security group when you:
   Grant the security group permission to the Security Configuration domain.
   Include the security group as a member of another security group.
   Specify the security group as an administrator for another security group.
3. As you complete the task, consider:

Option | Description
Condition | Location hierarchies to use as criteria for selecting which constrained role-based security group to apply.
Security Group when Condition Met | The constrained role-based security group to apply if the worker is in a specified location hierarchy.
Security Group when Condition Not Met and for Aggregate Data in Standard and Custom Reports | The constrained role-based security group to apply if the worker isn't in any specified location hierarchies.

Example

Your company headquarters are in the U.S. with branch offices in France and Germany. To comply
with Works Council regulations for organizations, managers in Germany can only view worker data
down to 2 levels in the organization chart. The regulations don't apply to offices in the U.S. and
France. You can create a conditional role-based security group so you can enforce the Works
Council regulations for team members located in Germany.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes
Examples
Example: Create a Conditional Role-Based Security Group

1.2.5 | Create Integration System Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

Integration system security groups (ISSG):

Include 1 or more integration system user (ISU) accounts.
Provide Get and Put access to web service tasks.

When you create:

Constrained ISSGs, you can filter data results contextually based on specified organizations.
Example: Export data only for workers who are members of a specific supervisory
organization.
Unconstrained ISSGs, Workday provides members with access to data for all organizations.

When you constrain the security group type, filtering depends on the data access method:

Public web services: Workday filters by element, not by row, based on the security of the
web service operation. Example: A Workday integration that returns worker data only returns
1 row for each worker, but can filter out some worker data. Workday filters out data if
different domains secure the element from the underlying web service operation and the
web service operation.
Reports as a Service: Workday filters by row based on the security of the report data source.

When an ISSG specifies organizations as inclusion or exclusion criteria, match the organization type
from the organization criteria to the security group restrictions. Example: When you specify a
Company on your ISSG, you can add the security group to only security policies that permit
Companies.

To interact with data in Workday, your integration system requires access to the web service
operations that retrieve and insert the related data.

Steps

1. Access the Create Security Group task.

2. (Optional) Select the Inactive check box to disable permissions for members of the security
   group. You can't inactivate the security group when you:
   Grant the security group permission to the Security Configuration domain.
   Include the security group as a member of another security group.
   Specify the security group as an administrator for another security group.
3. From the Integration System Users prompt, select ISUs to include in the security group.
4. (Constrained only) From the Organizations prompt, select organizations to which you want
   to constrain the security group.
5. (Constrained only) As you complete the Access Rights to Organization section, select
   organizations that the group criteria apply to:

Option | Description
Access to Current Organization Only | ISUs can access protected data for members of the specified organization.
Access to Current Organization And All Subordinates | ISUs can access protected data for members of the specified organization and all its subordinate organizations.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes
Reference
Workday Community: API Documentation

1.2.6 | Create Intersection Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use intersection security groups to combine members and constraints from other security
groups. Workday includes workers and constraints that are common to all the included security
groups. Workday excludes users and constraints in some or none of the included security groups.
You can also explicitly exclude workers and constraints from a specified security group.

You can use intersection security groups to:

Hide populations or target instances. Example: Hide data about HR employees from other
HR employees.
Intersect constrained role-based security groups that you enable for different organizations.
Example: Intersect Canadian Workers with the Sales Organization.
Limit self-service tasks or functionality to a certain population. Example: Limit time tracking
to contingent workers.

Note: Workday doesn't recommend using intersection security for Compensation because it doesn't
apply to all situations. One case where Workday can't evaluate intersection security is exclusion
criteria, which depend on organizations. Many compensation components, including plans, grades,
and pay ranges aren't associated with organizations. Managers can't have security over
compensation components through organizations and roles the way they can for employees.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
   group. You can't inactivate the security group when you:
   Grant the security group permission to the Security Configuration domain.
   Include the security group as a member of another security group.
   Specify the security group as an administrator for another security group.
3. As you complete the Intersection Criteria section, consider:

Option | Description
Security Groups to Include | Workday includes users who are members of all selected security groups.
Security Group to Exclude | (Optional) Workday excludes users who are members of the selected security group.

4. (Optional) In the Exclusion Criteria (Constrained Context) section, select 1 or more
   organizations to exclude target positions from.
   As you complete the section, consider:

Option | Description
Applies to Current Organization Only | Prevent users in the intersection security group from being able to access information about users with current positions in the selected organizations.
Applies to Current Organization And All Subordinates | Prevent users in the intersection security group from being able to access information about users with current positions in: the selected organizations; any subordinate organizations.

Example

You want to enable only U.S.-based workers to submit expense reports in Workday. You can create
an unconstrained organization membership security group for the U.S. Location Hierarchy that
includes all U.S.-based workers. You can then intersect the security group with the Employee As
Self security group. You can replace the existing self-service security groups on the Self Service:
Expense Report domain with your new intersection security group. As a result, only users in both the
U.S. Location Hierarchy and Employee As Self security groups can submit expense reports in
Workday.
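
The membership rules for aggregation security groups (section 1.2.3) and intersection security
groups (this section), evaluated over a small tenant model as an added example (not Workday code).
It then shows who loses access when the intersection group replaces Employee As Self on a policy.
The dictionary format, the user names and the HR On Leave group are assumptions of this example,
and only membership is modelled, not constraints.

```python
# Constructed sample tenant. "direct" stands in for any group whose membership
# Workday derives itself (role-based, organization membership, and so on).
GROUPS = {
    "Employee As Self": {"kind": "direct", "members": {"alice", "bob", "chen"}},
    "US Location Hierarchy": {"kind": "direct", "members": {"alice", "bob", "dana"}},
    "US Expense Submitters": {
        "kind": "intersection",
        "include": ["US Location Hierarchy", "Employee As Self"],
    },
    "HR Partner (Supervisory Organization)": {"kind": "direct", "members": {"alice", "erin"}},
    "HR Partner (Location Membership)": {"kind": "direct", "members": {"alice", "frank"}},
    "HR Partner": {
        "kind": "aggregation",
        "include": ["HR Partner (Supervisory Organization)", "HR Partner (Location Membership)"],
    },
    "HR On Leave": {"kind": "direct", "members": {"frank"}},  # hypothetical group
    "HR Partner (Active)": {
        "kind": "aggregation",
        "include": ["HR Partner"],
        "exclude": "HR On Leave",
    },
}


def resolve(name, groups, stack=()):
    """Return the set of users that are members of security group `name`."""
    if name in stack:
        raise ValueError("circular group reference: " + " -> ".join(stack + (name,)))
    group = groups[name]
    if group["kind"] == "direct":
        return set(group["members"])
    parts = [resolve(n, groups, stack + (name,)) for n in group["include"]]
    if group["kind"] == "aggregation":
        # Members of at least 1 included group.
        members = set().union(*parts)
    elif group["kind"] == "intersection":
        # Members common to all included groups.
        members = set.intersection(*parts) if parts else set()
    else:
        raise ValueError(f"unknown kind {group['kind']!r} for {name}")
    if group.get("exclude"):
        # Membership in the excluded group removes the user.
        members -= resolve(group["exclude"], groups, stack + (name,))
    return members


def policy_members(policy_groups, groups):
    """Users granted access by a policy that lists `policy_groups`."""
    out = set()
    for name in policy_groups:
        out |= resolve(name, groups)
    return out


def access_diff(before, after, groups):
    """Return (users who lose access, users who gain access) for a policy change."""
    old, new = policy_members(before, groups), policy_members(after, groups)
    return old - new, new - old


if __name__ == "__main__":
    lost, gained = access_diff(["Employee As Self"], ["US Expense Submitters"], GROUPS)
    print("lose expense report access:", sorted(lost))
    print("gain expense report access:", sorted(gained))
```

Running the diff before activating a policy change gives the list of users to sign in as when you test the change.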

Next Steps

When using intersection security groups, especially ones with exclusion criteria, Workday
recommends that you thoroughly test access, prompting, routing, and other functionality to ensure
that security works as you expect.

To provide security permissions:

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

1.2.7 | Create Job-Based Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use job-based security groups to set security permissions based on job details. You can
create:

Constrained job-based security groups so members of the security group can access
instances for select organizations.
Unconstrained job-based security groups so members of the security group can access
instances for all organizations.

When you create constrained job-based security groups, you can define membership based on
these job details:

Job category.
Job family.
Job profile.
Management level.

When you create unconstrained job-based security groups, you can also define membership based
on these job details:

Exempt jobs.
Nonexempt jobs.
Work shift.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. In the Group Criteria section, select the job details you want to associate with the security
group.
4. (Constrained only) In the Access Rights section, select access rights for the security group.
The organization type from the organization criteria must match the organization type from
the security group restrictions. Example: When you select Company, you can add the
security group to only security policies restricted to the Company organization type.
5. (Constrained only) As you complete the section, consider:

Option: Applies to Current Organization Only
Description: Workers with the specified job details can access securable items for specified
organizations.

Option: Applies to Current Organization And All Subordinates
Description: Workers with the specified job details can access securable items for specified
organizations and all subordinate organizations.
Example: You select this option when you create a job-based security group (constrained) based on
the:
Senior Vice President job profile.
Supervisory organization type.
To determine who has permission to access worker information, Workday ascends the supervisory
organization hierarchy of the worker to find someone with the Senior Vice President job profile.

Example

Security Group Type: Job-based security group (unconstrained)
Example: You want to enable the Chief Human Resources Officer (CHRO) of your company to view actual
values for benchmarking. You can configure an unconstrained job-based security group to ensure that
the person who fills this position in your organization automatically gets the correct access. When
you create the unconstrained job-based security group, you can use the job profile of CHRO as the
criteria for membership. As a result, Workday automatically updates the security assignment as
different individuals move in and out of the CHRO position.

Security Group Type: Job-based security group (constrained)
Example: You want to enable workers in a Team Lead job profile to have access to other workers in
their supervisory organization. You don't want them to have access to workers outside of their own
supervisory organization. You can create a constrained job-based security group using the Team Lead
job profile as the criteria for the group. You can then grant the access to the Supervisory
Organization type and apply that access to only the current organization.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

1.2.8 | Create Level-Based Security Groups

Prerequisites

Complete the:

Create Management Level Hierarchy task to create management hierarchies.
Maintain Compensation Grade Hierarchy task to create compensation hierarchies.

Security: Security Configuration domain in the System functional area.

Context

Level-based security groups define how workers at 1 level can access worker data at another level,
independent of organizational structures. Level-based security groups associate with these types of
leveled structures:

Compensation grade hierarchies: Workday maps workers to each level based on their
compensation grade.
Management-level hierarchies: Workday maps workers to each level based on their job
profile.

You can use level-based security groups with Workday Talent Management functionality, such as
nBox reporting and Find Workers. Workday doesn't recommend you use level-based security groups
on security policies in other application areas.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. In the Group Criteria section, specify some or all levels of workers in a hierarchy that can
access securable items.

Example

You want managers to be able to view talent and performance information about their direct
reports. You can create a compensation grade hierarchy to define the relationship between
employees. You can then use the compensation grade hierarchy to create a compensation level-
based security group. By adding the security group to the Worker Data: Talent and Worker Data:
Performance Reviews domains, managers can view talent and performance information about their
direct reports.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

1.2.9 | Create Location Membership Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

Location membership security groups enable you to group workers who are in any of the specified
locations. Example: All workers in Amsterdam and Tokyo. The security group type isn't context-
sensitive. That is, Workday doesn't match worker location to the location of the secured item.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. From the Locations prompt, select the locations of the workers you want to include in the
security group.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

1.2.10 | Create Organization Membership Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use organization membership security groups to set security permissions for workers in
specified organizations. You can include organizations of any type, such as Company or Cost
Center. You can also include workers in subordinate organizations. When you create:

Constrained organization membership security groups, Workday matches the organization
for a worker to the organization for secured items.
Unconstrained organization membership security groups, Workday provides a subset of
workers with access to securable items when they belong to any included organization.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. Select organizations with workers you want to include in the security group. When you
create:
Constrained security groups, select 1 organization.
Unconstrained security groups, select 1 or more organizations.
4. (Constrained only) As you complete the task, consider:

Option: Applies to Current Organization Only
Description: Workers can access securable items for specified organizations.

Option: Applies to Current Organization And All Subordinates
Description: Workers can access securable items for specified organizations and all subordinate
organizations.

Example

Security Group Type: Organization membership security group (unconstrained)
Example: You want any worker in a Legal supervisory organization to be able to view all worker
data in the tenant. You can create an unconstrained organization membership security group that
references the Legal supervisory organization. You can then apply the security group to the
necessary security policies.

Security Group Type: Organization membership security group (constrained)
Example: You want any worker in a cost center hierarchy to be able to view other workers in their
cost center hierarchy. You don't want them to be able to view workers outside of the cost center
hierarchy. You can create a constrained organization membership security group that references the
cost center hierarchy. You can then apply the security group to the necessary security policies.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

1.2.11 | Create Prism Access Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use Prism access security groups to combine members from other Prism access security
groups. Workday includes users who are members of at least 1 of the included security groups. Use
Prism access security groups to assign permissions to users in an unconstrained security group in
Prism-related domain security policies. Some Prism-related domains allow Prism access security
groups instead of unconstrained security groups.

Steps

1. Access the Create Security Group task.
2. From the Unconstrained Security Groups prompt, select 1 or more unconstrained security
groups whose members you want to include.

Example

You want to give unconstrained access to a group of workers who can create and edit Prism
Analytics tables. You can create a user-based security group that includes the workers. You can
then create a Prism access security group that includes the user-based security group. You can
then edit the security policy for the Prism Tables: Create domain, and assign permissions to the
Prism access security group.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

Steps: Set Up Tenant for Prism Analytics

1.2.12 | Create Role-Based Security Groups

Prerequisites

Create assignable roles to use on the security group.
Security: Security Configuration domain in the System functional area.

Context

You can use role-based security groups to derive security permissions based on roles. Role
assignments involve assigning a role to a given worker position or job for a specified organization
or role-enabled instance. When you create:

Constrained role-based security groups, you can constrain access based on organizations
or other role-enabled objects. Example: Recruiters can only access job applications for their
organizations rather than for all organizations in your tenant.
Unconstrained role-based security groups, you can provide access to all instance data in all
organizations. Example: Recruiters can access job applications for all organizations in your
tenant.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. (Constrained only) In the Access Rights to Organizations section, select the access rights
for the security group. The section relates solely to the security access associated with the
role assignment.
As you complete the section, consider:

Option: Applies to Current Organization Only
Description: Workers with the specified role can access securable items for the current
organization.
Example: Caitlin has the Compensation Partner role in the Operations organization. When you select
this option, Caitlin can access data for workers in the specified organization only.

Option: Applies To Current Organization And Unassigned Subordinates
Description: Workers with the specified role can access securable items for the current
organization and all subordinate organizations that don't have the specified assignable role.
Example: Caitlin has the Compensation Partner role in the Operations organization. Robert has the
role in the Facilities Group subordinate organization. Caitlin can access data for workers in all
subordinate organizations, except data for workers in the Facilities Group subordinate
organization.

Option: Applies to Current Organization And All Subordinates
Description: Workers with the specified role can access securable items for the current
organization and all subordinate organizations.
Example: Caitlin has the Compensation Partner role in the Operations organization. Robert has the
role in the Facilities Group subordinate organization. Caitlin can access data for workers in all
subordinate organizations, including data for workers in the Facilities Group subordinate
organization.

Option: Applies to Current Organization and Subordinates to Level
Description: Workers with the specified role can access securable items for the current
organization and all subordinate organizations. The subordinate organizations are up to a specified
number of levels under the specified organization. You can use the Subordinate Levels field to
specify the number of levels under the organization in the hierarchy.
Example: Caitlin has the Compensation Partner role in the Operations organization. Robert has the
role in the Facilities Group subordinate organization, which is 1 level below the Operations
organization. Caitlin can access data for workers in subordinate organizations that are 1 level
below the specified organization when you:
Select this option.
Specify 1 on the Subordinate Levels field.

Note: When you view the organization, Workday displays security access on the Security
Groups tab, not on the Roles tab. Workers automatically inherit roles from the top-level
organization down through the hierarchy. When Inherited displays in the Role From column
on the Roles tab, the worker has access to the organization only when you also assign the
worker to the security group displayed on the Security Groups tab.
4. (Constrained only) In the Access Rights to Multiple Job Workers section, select
permissions to position or job data, and person data, for workers with multiple jobs:

Option: Role has access to the positions they support
Description: Grants access only for the job or position that you assign to the role in the
specified organization.
Example: Sarah has a primary position at Company 1 that Mark manages and a secondary position at
Company 2 that Susan manages. When you select this option:
Mark can access Sarah’s person data and primary position data for Company 1.
Susan can access Sarah’s person data and secondary position data for Company 2.

Option: Role for primary job has access to all positions
Description: Grants access to assignees who have a role in the organization associated with the
primary job or position. Denies access to assignees who have a role in the organization associated
with an additional job or position.
Example: Sarah has a primary position at Company 1 that Mark manages and a secondary position at
Company 2 that Susan manages. When you select this option, only Mark can access Sarah’s:
Person data.
Primary position data for Company 1.
Secondary position data for Company 2.

Option: Role has access to all positions
Description: Grants access to assignees who have a role in the organization associated with the
primary or additional job or position.
Example: Sarah has a primary position at Company 1 that Mark manages and a secondary position at
Company 2 that Susan manages. When you select this option, both Mark and Susan can access Sarah’s:
Person data.
Primary position data for Company 1.
Secondary position data for Company 2.
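
The four Access Rights to Organizations options in step 3 differ only in which subordinate organizations a role holder reaches, which is easy to misjudge when the same role is also assigned lower in the hierarchy. The following Python sketch is an added example, not Workday code and not part of the guide: it models the options on a constructed hierarchy (Operations, Facilities Group, Caitlin and Robert come from the guide's examples; Logistics, Warehouse and all function names are invented), and it assumes each subordinate is tested only on its own role assignment.

```python
"""Simplified model of the four "Access Rights to Organizations" options.

Not Workday code. Operations, Facilities Group, Caitlin and Robert come from the
guide's examples; Logistics, Warehouse and every function name are constructed.
"""
from enum import Enum


class Scope(Enum):
    CURRENT_ONLY = "Applies to Current Organization Only"
    UNASSIGNED_SUBORDINATES = "Applies To Current Organization And Unassigned Subordinates"
    ALL_SUBORDINATES = "Applies to Current Organization And All Subordinates"
    SUBORDINATES_TO_LEVEL = "Applies to Current Organization and Subordinates to Level"


# Constructed hierarchy: organization -> direct subordinate organizations.
ORG_TREE = {
    "Operations": ["Facilities Group", "Logistics"],
    "Facilities Group": [],
    "Logistics": ["Warehouse"],
    "Warehouse": [],
}

# Organization -> worker assigned the Compensation Partner role on it.
ROLE_ASSIGNMENTS = {"Operations": "Caitlin", "Facilities Group": "Robert"}


def subordinates(org, tree):
    """Yield (name, depth) for every organization below `org`; depth 1 is a direct child."""
    seen = {org}
    stack = [(child, 1) for child in tree.get(org, [])]
    while stack:
        name, depth = stack.pop()
        if name in seen:  # guard against a malformed (cyclic) hierarchy
            continue
        seen.add(name)
        yield name, depth
        stack.extend((child, depth + 1) for child in tree.get(name, []))


def accessible_orgs(assigned_org, scope, tree, assignments, levels=None):
    """Return the organizations whose workers the role holder on `assigned_org` can reach."""
    reach = {assigned_org}
    if scope is Scope.CURRENT_ONLY:
        return reach
    if scope is Scope.SUBORDINATES_TO_LEVEL and (levels is None or levels < 1):
        raise ValueError("Subordinate Levels must be 1 or more for this option")
    for name, depth in subordinates(assigned_org, tree):
        # Assumption: each subordinate is tested on its own assignment only. The guide
        # does not describe organizations nested below an assigned subordinate.
        if scope is Scope.UNASSIGNED_SUBORDINATES and name in assignments:
            continue
        if scope is Scope.SUBORDINATES_TO_LEVEL and depth > levels:
            continue
        reach.add(name)
    return reach


def role_holders_for(org, scope, tree, assignments, levels=None):
    """Return every role holder who can reach workers in `org` under `scope`."""
    return sorted(
        holder
        for assigned_org, holder in assignments.items()
        if org in accessible_orgs(assigned_org, scope, tree, assignments, levels)
    )


if __name__ == "__main__":
    for scope in Scope:
        levels = 1 if scope is Scope.SUBORDINATES_TO_LEVEL else None
        reach = accessible_orgs("Operations", scope, ORG_TREE, ROLE_ASSIGNMENTS, levels)
        print(f"{scope.value}: Caitlin reaches {sorted(reach)}")
        holders = role_holders_for("Facilities Group", scope, ORG_TREE, ROLE_ASSIGNMENTS, levels)
        print(f"  Facilities Group workers are visible to {holders}")
```

Running `role_holders_for` over each organization before and after a change of option shows which role holders gain or lose visibility of its workers.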

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes
Reference
Setup Considerations: Role-Based Security Groups
Examples
Example: Set Up Domain Security for Workers with Multiple Positions
Example: Set Up Business Process Security for Workers with Multiple Positions

1.2.13 | Create Rule-Based Security Groups

Prerequisites

Create a security rule.
Security: Security Configuration domain in the System functional area.

Context

You can use rule-based security groups to constrain the members on a baseline security group
using conditional rules. Examples: You can enable:

Employees on leave to have self-service access.
Employees from separate countries to be able to use self-service expense reporting
functionality.
Managers who have active contingent workers in their departments to share reports on
contingent workers.
Only nonexempt US employees to clock in and out.

With rule-based security groups, you can:

Modify rule criteria without needing to activate individual security policy changes.
Reuse rule criteria in multiple rule-based security groups.
Use conditional rules that aren’t maintenance intensive.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. Select a security group with members you want to modify from the Baseline Security Group
prompt.
4. As you complete the Membership section, consider:

Option: Include Members by Rule
Description: Include members from the baseline security group who match the criteria on the
security rule.

Option: Exclude Members by Rule
Description: Exclude members from the baseline security group who match the criteria on the
security rule.

Example

You want to enable only part-time workers to track their work hours in Workday. You can define a
security rule using the Time Type security field to identify part-time workers. You can then apply the
security rule on the inclusion criteria of a rule-based security group. As the baseline security group,
you can use the All Users security group. By adding the new security group to the Worker Data: Time
Tracking domain, you can enable only part-time workers to track their work hours.

Next Steps

After configuring the security group:

Add the security group to security policies.
Activate pending security policy changes.
When you associate a security group with security policies, replace the existing security
group with your new security group.
When you want to enable the permissions on an inactive security group, activate the security
group.

Use the Test Security Group Membership report to evaluate whether a Workday account is a
member of a rule-based security group. An account isn’t a member when the account either:

Doesn’t match the business object on the security rule.
Doesn’t satisfy at least 1 condition in a security rule on the inclusion criteria.
Satisfies all the conditions in a security rule on the exclusion criteria.
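
The three non-membership cases above imply that an inclusion rule admits an account only when every condition holds, and an exclusion rule removes an account only when every condition holds. The following Python sketch is an added example, not Workday code and not part of the guide: it models that evaluation with constructed accounts, field names and rule names, treats each condition as a plain equality check, and assumes a group may carry both inclusion and exclusion criteria.

```python
"""Simplified model of rule-based security group membership.

Not Workday code. Field names, account data, rule names and function names are
constructed; conditions are modelled as plain equality checks.
"""
from dataclasses import dataclass

MAX_CONDITIONS = 5  # the guide allows up to 5 rule conditions on each security rule


@dataclass(frozen=True)
class Condition:
    field_name: str
    expected: str

    def satisfied_by(self, account):
        return account.get(self.field_name) == self.expected


@dataclass(frozen=True)
class SecurityRule:
    name: str
    conditions: tuple
    business_object: str = "Worker"  # step 2 of Create Security Rules selects Worker

    def __post_init__(self):
        if len(self.conditions) > MAX_CONDITIONS:
            raise ValueError(f"{self.name}: more than {MAX_CONDITIONS} rule conditions")

    def matches_object(self, account):
        return account.get("business_object") == self.business_object

    def satisfied_by(self, account):
        return all(c.satisfied_by(account) for c in self.conditions)


def evaluate_membership(account, baseline, include_rule=None, exclude_rule=None):
    """Return (is_member, reason): a baseline check, then the guide's three cases."""
    if account["id"] not in baseline:
        return False, "not a member of the baseline security group"
    for rule in (include_rule, exclude_rule):
        if rule is not None and not rule.matches_object(account):
            return False, "doesn't match the business object on the security rule"
    if include_rule is not None and not include_rule.satisfied_by(account):
        return False, "doesn't satisfy at least 1 condition on the inclusion criteria"
    if exclude_rule is not None and exclude_rule.satisfied_by(account):
        return False, "satisfies all the conditions on the exclusion criteria"
    return True, "member"


# Constructed accounts; the last one is not a Worker at all.
ACCOUNTS = {
    "lmcneil": {"id": "lmcneil", "business_object": "Worker", "Time Type": "Part time",
                "On Leave": "No", "Country": "US", "Exempt": "No"},
    "jsmith": {"id": "jsmith", "business_object": "Worker", "Time Type": "Full time",
               "On Leave": "No", "Country": "NL", "Exempt": "No"},
    "rpatel": {"id": "rpatel", "business_object": "Worker", "Time Type": "Part time",
               "On Leave": "Yes", "Country": "US", "Exempt": "Yes"},
    "ISU_Benefits": {"id": "ISU_Benefits", "business_object": "Integration System User"},
}
ALL_USERS = set(ACCOUNTS)  # baseline security group from the guide's example

PART_TIME = SecurityRule("Part-Time Workers", (Condition("Time Type", "Part time"),))
ON_LEAVE = SecurityRule("Workers On Leave", (Condition("On Leave", "Yes"),))
NONEXEMPT_US = SecurityRule(
    "Nonexempt US Employees", (Condition("Country", "US"), Condition("Exempt", "No"))
)

if __name__ == "__main__":
    for account in ACCOUNTS.values():
        print(account["id"], evaluate_membership(account, ALL_USERS, PART_TIME, ON_LEAVE))
```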

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes
Reference
2020R1 What’s New Post: Rule-Based Security Groups
FAQ: Rule-Based Security Groups
Examples
Example: Set Up Rule-Based Security Groups

1.2.14 | Create Security Rules

Prerequisites

Security: Set Up: Security Rules domain in the System functional area.

Context

You can configure security rules to define criteria for determining membership on rule-based
security groups. You can only use security rules on rule-based security groups.

Steps

1. Access the Create Security Rule task.
2. Select Worker from the Business Object prompt.
3. (Optional) Specify a security rule that includes conditions you want to copy from the Copy
Condition from Rule prompt.
4. Specify the rule criteria from the Rule Conditions grid.
You can include up to 5 rule conditions on each security rule.

Next Steps

Add the security rule to rule-based security groups.

Use the Test Security Rule report to evaluate whether a Workday account satisfies the conditions
on a security rule. You can’t specify a security rule on the report when the security rule contains
report fields secured to self-service domains.

Related Information

Reference
FAQ: Rule-Based Security Groups
Examples
Example: Set Up Rule-Based Security Groups

1.2.15 | Create Segment-Based Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use segment-based security groups to enable members of other security groups to access
select components of a securable item. Members can be part of multiple security groups and have
permission to access multiple security segments. Workday enables you to define security segments
when you belong to a security group with Modify permissions on the Segmented Setup domain.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. From the Security Groups prompt, select security groups to identify who has permission to
access the securable items.
4. From the Access to Segments prompt, select security segments that you want members of
the specified security groups to be able to access. Workday-owned security segments
include:
Job Application - Contingent Worker
Job Application - Employee
Job Application - External
You can't combine security segments of different types in a segment-based security group.

Example

You want a Benefits Administrator to be able to manage only benefits-related documents. You don't
want them to be able to manage payroll-related documents. Workday secures access to manage all
worker documents to the Worker Data: Add Worker Documents and Worker Data: Edit and Delete
Worker Documents domains. You can create a Document Categories - Benefits segment to identify
benefits-related documents. You can then use the security segment to create a segment-based
security group so Benefits Administrators can access only the benefits-related documents.

Next Steps

Users with access to a domain through both a segment-based and a non-segment-based security
group have permission to access all segments. Make sure you associate non-segment-based
security groups with users who have permission to access all segments by:

Reviewing all security groups on the policy before adding segment-based security groups.
Reviewing the included security groups in an aggregation security group.
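
The two reviews above can be run as a check over an export of the policy's security groups. The following Python sketch is an added example, not Workday code and not part of the guide: it flags users who hold a segment-based grant on a domain and also reach the same domain through a non-segment-based group, including one nested inside an aggregation security group. The domain and segment names come from the guide; the group names, user names and data layout are constructed.

```python
"""Audit sketch: find users whose segment restriction on a domain is cancelled by a
second, non-segment-based grant on the same policy.

Not Workday code. The domain and segment names come from the guide; group names,
user names and the data layout are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    kind: str                                     # "segment-based", "aggregation", "user-based", ...
    members: set = field(default_factory=set)     # users assigned directly
    includes: list = field(default_factory=list)  # names of included security groups
    segments: set = field(default_factory=set)    # only used by segment-based groups


def users_of(name, groups, seen=None):
    """Return every user in `name`, following included groups to any depth."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users = set(groups[name].members)
    for included in groups[name].includes:
        users |= users_of(included, groups, seen)
    return users


def grants(name, groups, path=()):
    """Yield (user, segments, path); segments is None when the grant is not segmented."""
    if name in path:  # guard against groups that include each other
        return
    group, path = groups[name], path + (name,)
    if group.kind == "segment-based":
        for user in users_of(name, groups):
            yield user, frozenset(group.segments), path
    elif group.kind == "aggregation":
        for included in group.includes:
            yield from grants(included, groups, path)
    else:
        for user in users_of(name, groups):
            yield user, None, path


def audit_policy(domain, policy_groups, groups):
    """Return one finding per user who holds both a segmented and an unsegmented grant."""
    segmented, unsegmented = {}, {}
    for name in policy_groups:
        for user, segments, path in grants(name, groups):
            if segments is None:
                unsegmented.setdefault(user, set()).add(" > ".join(path))
            else:
                segmented.setdefault(user, set()).update(segments)
    return [
        {"domain": domain, "user": user,
         "intended_segments": sorted(segmented[user]),
         "all_segments_via": sorted(unsegmented[user])}
        for user in sorted(segmented.keys() & unsegmented.keys())
    ]


# Constructed configuration: tkwan is a Benefits Administrator and also sits in a
# group that the aggregation group brings onto the same policy without segments.
GROUPS = {
    "Benefits Administrator": Group("user-based", members={"bhaynes", "tkwan"}),
    "HR Partner": Group("user-based", members={"mlopez"}),
    "HR Shared Services": Group("user-based", members={"tkwan"}),
    "Benefits Documents": Group("segment-based", includes=["Benefits Administrator"],
                                segments={"Document Categories - Benefits"}),
    "HR Support": Group("aggregation", includes=["HR Partner", "HR Shared Services"]),
}
DOMAIN = "Worker Data: Edit and Delete Worker Documents"
POLICY = ["Benefits Documents", "HR Support"]

if __name__ == "__main__":
    for finding in audit_policy(DOMAIN, POLICY, GROUPS):
        print(finding)
```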

To provide security permissions:

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

1.2.16 | Create Service Center Security Groups

Prerequisites

Create a Service Center and Service Center representatives.
Security: Security Configuration domain in the System functional area.

Context

You can use service center security groups to grant third-party users access to Workday. You can
create:

Constrained service center security groups so third-party users can support select
organizations.
Unconstrained service center security groups so third-party users can support all
organizations.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. In the Group Criteria section, select the Service Centers that you authorize to provide
services for organizations.
4. (Constrained only) As you complete the task, consider:

Option: Applies to Current Organization Only
Description: Service Center representatives in the specified Service Centers can access securable
items for the select organizations.

Option: Applies to Current Organization And All Subordinates
Description: Service Center representatives in the specified Service Centers can access securable
items for the select organizations and all subordinate organizations.

The organization type from the organization criteria must match the organization type from
the security group restrictions. Example: When you select Company, you can add the
security group to only security policies restricted to the Company organization type.

Example

You want to hire temporary workers to assist with the benefits enrollment process. Instead of hiring
the workers through the typical staffing process, you can provide the workers with temporary
access by creating a service center. You can use the service center to create a service center
security group. You can then assign the security group to the same domains assigned to the
Benefits Administrator security group. As a result, temporary workers can assist with the enrollment
process without going through the typical staffing process.

Next Steps

Add the security group to security policies.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes
Examples
Example: Create a Service Center Security Group for Benefits Support

1.2.17 | Create User-Based Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use user-based security groups to:

Give administrators enterprise-wide access to the tenant.
Grant specific workers permission to access items secured to a security policy.
Administer another user-based security group. Workday enables you to add more than 1
administering security group.

You can't:

Add user-based security groups to intersection security groups.
Restrict user-based security groups to regions.

Steps

1. Access the Create Security Group task.
2. (Optional) Select the Inactive check box to disable permissions for members of the security
group. You can't inactivate the security group when you:
Grant the security group permission to the Security Configuration domain.
Include the security group as a member of another security group.
Specify the security group as an administrator for another security group.
3. (Optional) From the Administered by Security Groups prompt, select 1 or more user-based
security groups. Members of the specified security groups can assign users to the new user-
based security group.
Administrators with permission to the User-Based Security Group Administration domain can
assign users to any user-based security group.

Example

You want to enable certain employees to create and maintain all bank setup data regardless of their
organization. You can create a Bank Administrator user-based security group by directly assigning
users to the security group. You can then add the security group to the View: Bank Entity and Set Up:
Cash Forecasting domains to enable the assigned users to administer bank setup data. As you hire
new employees to administer bank setup data, you can assign the employees to the security group
directly.

Next Steps

Add users to the user-based security group. To add a user to:

1 user-based security group, access the Assign User to User-Based Security Group task.
More than 1 user-based security group, access the Assign User-Based Security Groups for
Person task.

After you add users to the security group:

Add the security group to security policies.


Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Tasks
Edit Domain Security Policies
Edit Business Process Security Policies
Activate Pending Security Policy Changes

Examples
Example: Create a User-Based Security Group for Administrators

1.2.18 | Copy Security Group Permissions

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use the Maintain Permissions for Security Group task to:

Easily migrate permissions across security groups of different types.


Transition to new security models as your organization grows.

Using the task, you can copy permissions from an existing security group to:

A new security group of the same type.


An existing security group of the same or different type.

Steps

1. Access the Maintain Permissions for Security Group task.
2. Select Copy on the Operation field.
3. In the Source Security Group prompt, select an existing security group with permissions you
   want to copy.
4. (Optional) Select the Copy User Assignments check box to copy users from 1 user-based
   security group to another.
5. On the Domain Security Policy Permissions tab, review the permissions on the source
   security group.
   You can select the check box on the Selected column to copy permissions to the target
   security group.
   To exclude permissions from the source security group:
      Clear the check box on the Selected column, deleting the permission while
      displaying the row.
      Select the Remove Row option, deleting the permission and row.
   Workday displays a selected box on the From Source column when permissions derive from
   the source security group.
6. Review business process security policy permissions from the source security group in the
   Business Process Security Policy Permissions tab. The tab displays when you copy
   permissions to a security group of the same type.

Result

Workday:

Copies permissions to the target security group.


Doesn't delete excluded permissions from the source security group.

Example

To prevent HR representatives from accessing compensation information about other HR
representatives, you create an HR Partner intersection security group and assign relevant
permissions. You later decide you want to use a rule-based security group instead. You can migrate
the permissions from the intersection security group to the rule-based security group.

Next Steps

Verify the changes to the target security group using the View Security Group task.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Concepts
Concept: Security Groups
Tasks
Activate Pending Security Policy Changes
Reference
2020R1 What's New Post: Mass Maintain Security Permissions

1.2.19 | Maintain Security Group Permissions

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can use the Maintain Permissions for Security Group task to:

Add and delete domain security policy permissions on an existing security group.
Review business process security policy permissions on an existing security group.

Steps

1. Access the Maintain Permissions for Security Group task.
2. Select Maintain on the Operation field.
3. In the Source Security Group prompt, select an existing security group with permissions you
   want to change.
4. On the Domain Security Policy Permissions tab, review or delete domain security policy
   permissions.
   To delete permissions:
      Clear the check box on the Selected column, deleting the permission while still
      displaying the row.
      Select the Remove Row option, deleting the permission and row.
5. On the Business Process Security Policy Permissions tab, view business process security
   policy permissions on the source security group.

Next Steps

Verify the changes to the target security group using the View Security Group task.
Activate pending security policy changes.
Activate the security group when you want to enable the permissions on an inactive security
group.

Related Information

Concepts
Concept: Security Groups
Tasks
Activate Pending Security Policy Changes
Reference
2020R1 What's New Post: Mass Maintain Security Permissions

1.2.20 | Delete Security Groups

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can delete security groups that:

You haven't activated, whether or not the security groups have members.
You add to security policies, as long as you haven't activated the security policy changes.

You can't delete a security group once you add it to security policies and activate the changes.

You can't restore deleted security groups.

Steps

1. Access the Delete Security Group task.


2. From the Tenanted Security Group to Delete prompt, select the security group you want to
delete.
3. Select the Confirm check box.

1.2.21 | Concept: Security Groups

Security groups are collections of users that you can use to grant access to securable items in your
Workday tenant. You can add users to security groups by either:

Assigning users to security groups directly. Example: Using user-based security groups.
Deriving membership based on information about users. Example: Their role assignments or
job details.

Your tenant includes:

Configurable security groups: Your implementation partner loads these commonly used
security groups into your tenant during implementation. You can create, change, and delete
these security groups.
Workday-delivered security groups: Workday defines these security groups and determines
their members. You can’t create, change, or delete these security groups.

You can create your own security groups when your tenant doesn't include the ones you need.

Context Types
Workday enables you to restrict the access that members of a security group have using these
context types:

Unconstrained: Members can access all secured data instances.


Constrained: Members can access a subset of secured data instances.
Mixed: Members don’t have uniform access to secured data instances.

Mixed applies to these types of security groups:

Aggregation
Intersection

The name of a security group type can help you determine the access to secured data instances.
Example: Members of role-based security groups (constrained) have contextual access.

Context Sensitivity
Constrained security groups provide members with access to a subset of secured data instances
based on context. Example: Members have access to data in the context of their own organizations
only. These types of security groups are context-sensitive by organization:

Integration system (constrained).


Job-based (constrained).
Organization membership (constrained).
Role-based (constrained).
Service Center (constrained).

Role-based security groups (constrained) can also be context-sensitive by:

Customer.
Job requisition.
Prospect.
Requisition.
Supplier contract.

These types of security groups are context-sensitive when at least 1 security group contained in
these security group types is context-sensitive:

Aggregation
Intersection
Segment-based

The organization type on the organization criteria must match the organization type on the security
group restrictions on these security group types:

Integration system (constrained).


Intersection.
Service Center (constrained).

Example: You can't add a security group to a security policy that you restrict to organization types
other than Company when you:

Include a role-based security group that is valid for security group restrictions of Roles –
Company in the Intersection Criteria.
Specify a Company in the Exclusion Criteria (Constrained Context) of an intersection
security group.
Specify a Company in the Organizations prompt of an integration system security group
(constrained).

Workday grants securable item access to targets associated with a context-sensitive security group
only when the targets and the item instance share the characteristic that makes the security group
context-sensitive.
Example: A constrained integration system security group is context-sensitive by an organization. A
segment-based security group with access to an integration system security segment is context-
sensitive by an integration system. You can’t use the segment-based security group to grant
integration systems to the constrained integration system security group. Instead, Workday
recommends that you:

Use an unconstrained security group with the segment-based security group.


Don’t grant the unconstrained security group access to any other domains.

Public Domains
Domain names that include the keyword Public provide access to public information, such as
contact addresses. Access to these domains depends on the security group that you assign to the
domains.

Job-based security groups provide greater access to worker data profiles.


Role-based security groups display the workers that a user supports.
User-based security groups don't apply filters; administrators who require broad access
typically use this type of security group.

Workday delivers job-based security groups that group members independently of the configuration
of an organization. You can assign delivered job-based security groups to Worker Profile domains,
such as:

All Contingent Workers


All Employees
All Users

You can define your own security groups to meet your business needs. Examples: These security
groups provide more open access to worker data:

Job-based security groups, such as All Managers, with access to All Organizations enable
any manager to access any worker.
Job-based security groups for other groups, such as Any HR Partner. The security groups
enable all HR Partners to access the information for any worker who you secure through a
security policy.
User-based security groups, when job-based security groups can't group users based on
management levels or job profiles.

To secure the Job Details tab for workers with:

Full data, place the security group you create on the Worker Data: Public Worker Reports
domain in place of the Manager or HR Partner security groups.
Limited data, place the security group you create on the Worker Data: Current Staffing
Information and Worker Data: General Staffing Information domains.

Support Groups
Each worker is a member of 1 or more organizations. The other role assignees on those
organizations make up the support groups for a worker. You can expose support groups for a
worker on the Support Groups worklet using the Configure Support Groups task (secured to the Set
Up: Assignable Roles domain).

Workers can use the worklet to view important contacts in their support groups, such as their HR
Partner. The worklet displays specified security groups and the role assignees on those security
groups.

Valid for Security Group Restrictions


The Valid for Security Group Restrictions field on the View Security Groups for User report identifies
the security group types for a selected security group. You can use the field, along with the restrictions
on a security policy, to determine whether you can assign a security group to a security policy.
Example: Workday uses the Intersection Groups Containing Multiple Contextual Groups type to
indicate that an intersection security group contains more than 1 contextual security group.

Workday-Delivered Security Groups


You can't manually add or remove users or change the criteria that determines who is a member of
a Workday-delivered security group. However, you can remove users from Workday-delivered
security groups by changing the attributes of the users. Example: You can remove a manager from
a Workday-delivered security group by moving them to an individual contributor role.

Related Information

Concepts
Concept: Configurable Security
Reference
Reference: Security-Related Reports
The Next Level: Getting to Know Configurable Security
The Next Level: Advanced Security: If You’re Doing It Right, No One Will Know

1.2.22 | Concept: Intersection Security Groups

An intersection security group comprises 1 or more security groups. It includes users who are in all
of the security groups.

Security Groups You Can Include


You can include these security group types in intersection security groups:

Job-Based.
Location Membership.
Organization Membership.
Role-Based.
Workday-Delivered, except for All Users and Manager's Manager.

Organization Types You Can't Exclude


You can't select these organization types as an Exclusion Criteria (Constrained Context):

Academic Unit or Academic Unit Hierarchy.


Business Unit or Business Unit Hierarchy.
Fund or Fund Hierarchy.
Gift or Gift Hierarchy.
Grant or Grant Hierarchy.
Program or Program Hierarchy.
Project or Project Hierarchy.
Union.

You can access the Security Exception Audit report to find intersection security groups that include
any of the organization types.

Recommendations
Workday recommends against using:

Intersection security groups that use excluded organizations in business process security
policies.
Organization membership security groups that use custom organizations with dynamic
membership rules in intersection security groups.

When working with such intersection security groups, test your configuration to make sure it works
as intended.

Using Intersection Security Groups to Restrict Access


You can use intersection security groups to restrict access for:

Students protected by the Family Educational Rights and Privacy Act (FERPA).
Workers in sensitive positions.

You can restrict access by selecting a custom organization containing the workers or students from
the Exclude Target Position in Organization prompt. If a worker or student held prior positions in
other organizations, you can exclude the positions by adding them to the exclusion criteria.
You can’t create an intersection security group that:

Includes a constrained role-based security group.


Excludes another constrained role-based security group.

To configure a role-based security group without access to a given population:

Select the role-based security group from the Security Groups to Include prompt.
Select the population they can't access from the Exclude Target Position in Organization
prompt.

Example: To prevent HR Partners from viewing other HR Partners, create a custom organization of
HR Partners and:

Select the HR Partner role-based security group from the Security Groups to Include
prompt.
Select the HR Partner custom organization from the Exclude Target Position in
Organization prompt.

Additional Considerations
You can’t apply intersection security groups that intersect 2 or more context-sensitive security
groups to:

Processing actions on business processes.


Security domains.

The restriction prevents you from applying security groups to policies for items that run with 1
contextual filter.
You can't add an intersection security group to a security policy that Workday restricts to
organization types other than Company when you:

Include a role-based security group that’s valid for security group restrictions of Roles -
Company from the Intersection Criteria prompt.
Select a Company from the Exclusion Criteria (Constrained Context) prompt of an
intersection security group.
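
The rules in this section can be checked mechanically when you review a planned configuration. The following Python model is an added illustration, not Workday code, and it calls no Workday API. The class names, the `supported` map, and all sample users, groups and organizations are constructed, and a group's `constrained` flag stands in for context sensitivity.

```python
from dataclasses import dataclass

# Rules taken from this section; the data model itself is a simplification.
ALLOWED_INCLUDE_KINDS = {"job-based", "location membership",
                         "organization membership", "role-based",
                         "workday-delivered"}
BLOCKED_DELIVERED = {"All Users", "Manager's Manager"}
BLOCKED_EXCLUSION_ORG_TYPES = {"Academic Unit", "Business Unit", "Fund", "Gift",
                               "Grant", "Program", "Project", "Union"}
SINGLE_CONTEXT_POLICIES = {"domain", "business process processing action"}


@dataclass(frozen=True)
class Group:
    name: str
    kind: str
    constrained: bool = False          # assumption: constrained == context-sensitive
    members: frozenset = frozenset()


@dataclass(frozen=True)
class Org:
    name: str
    org_type: str
    workers: frozenset = frozenset()


@dataclass(frozen=True)
class Intersection:
    name: str
    include: tuple                     # Security Groups to Include
    exclude_orgs: tuple = ()           # Exclude Target Position in Organization


def members(ix):
    """Users who are in all of the included security groups."""
    sets = [g.members for g in ix.include]
    return frozenset.intersection(*sets) if sets else frozenset()


def can_view(ix, user, target, supported):
    """True if `user` reaches `target` through `ix`. `supported` maps a user
    to the workers their included constrained groups already cover."""
    excluded = frozenset().union(*(o.workers for o in ix.exclude_orgs))
    return (user in members(ix)
            and target in supported.get(user, frozenset())
            and target not in excluded)


def definition_findings(ix):
    """Flag included groups and excluded organizations the page disallows."""
    findings = []
    for g in ix.include:
        if g.kind not in ALLOWED_INCLUDE_KINDS:
            findings.append(f"{g.name}: {g.kind} groups can't be included")
        elif g.kind == "workday-delivered" and g.name in BLOCKED_DELIVERED:
            findings.append(f"{g.name}: this delivered group can't be included")
    for o in ix.exclude_orgs:
        suffix = " Hierarchy"
        base = o.org_type[:-len(suffix)] if o.org_type.endswith(suffix) else o.org_type
        if base in BLOCKED_EXCLUSION_ORG_TYPES:
            findings.append(f"{o.name}: {o.org_type} can't be an exclusion criterion")
    return findings


def policy_findings(ix, policy_kind):
    """Flag an intersection of 2+ context-sensitive groups on a policy for an
    item that runs with 1 contextual filter."""
    contextual = [g.name for g in ix.include if g.constrained]
    if len(contextual) >= 2 and policy_kind in SINGLE_CONTEXT_POLICIES:
        return [f"{ix.name}: intersects {len(contextual)} context-sensitive "
                f"groups ({', '.join(contextual)}); not valid on a {policy_kind}"]
    return []


# --- Constructed sample data ---
HR_PARTNER = Group("HR Partner", "role-based", True, frozenset({"ana", "ben", "cho"}))
HR_ORG = Org("HR Partners", "Custom", frozenset({"ana", "ben", "cho"}))
HR_NO_PEERS = Intersection("HR Partner (no peers)", (HR_PARTNER,), (HR_ORG,))
SUPPORTED = {"ana": frozenset({"ben", "dee"})}   # workers ana supports as HR Partner

BAD = Intersection(
    "Misconfigured",
    (Group("Bank Administrator", "user-based"),
     Group("All Users", "workday-delivered"),
     HR_PARTNER,
     Group("Payroll Analysts", "job-based", True)),
    (Org("Local 12", "Union"),),
)

if __name__ == "__main__":
    print(can_view(HR_NO_PEERS, "ana", "ben", SUPPORTED))   # peer HR Partner
    print(can_view(HR_NO_PEERS, "ana", "dee", SUPPORTED))   # ordinary worker
    for line in definition_findings(BAD) + policy_findings(BAD, "domain"):
        print(line)
```

Running the checks before you activate pending security policy changes surfaces these conflicts while the configuration can still be changed.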

Related Information

Tasks
Create Intersection Security Groups

1.2.23 | Concept: Role-Based Security Groups (Constrained)

With role-based security groups, you can control access to items and actions based on roles you
create and assign to members of your organizations. For workers, you assign roles to positions. For
nonworkers, you assign roles directly to the:

Academic Affiliate.
Service Center Representative.
Student Recruiter.

Constrained role-based security groups are context-sensitive because Workday matches security
group members to the role-enabled object of an item. Only members with a role on the role-enabled
object can access securable items in a domain.

Organization Assignments

Workday determines the organization to which a particular instance of a secured item belongs.
Workday only grants access to workers in positions or roles that support that organization.
Example: You can use a constrained role-based security group to ensure that only a worker with the
HR Partner role can review or approve a step in the Hire business process.

Access to Subordinate Organizations


You can restrict access to subordinate organizations that are a specified number of levels below
the current organization in a hierarchy. Access rights to organization data that you grant to a
constrained role-based security group dictate whether workers can access subordinate
organizations. If you don't assign anyone to a role in an organization, Workday searches up the
hierarchy until it finds a role with access rights.

Reorganizations
When you create constrained role-based security groups, you can decide whether you want
subordinate organizations to inherit the permissions from a role-enabled object. Workday
recommends that you re-evaluate your configuration during reorganizations if you configure a
constrained role-based security group so that unassigned subordinate organizations inherit
permissions from a parent organization. Otherwise, subordinate organizations might not have the
appropriate role assignments after the reorganization goes into effect.

Example: Logan manages Adam in Payroll. Logan hires Betty to manage Adam and has Betty
report to Logan. When Betty begins to manage Adam, Logan loses access to data about Adam.
Logan loses access because Adam is in a subordinate organization that inherits permissions from
a parent organization. Because Betty is in the parent organization to Adam, Betty gains access to
data about Adam.
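
The inheritance behavior described under Access to Subordinate Organizations and Reorganizations can be modeled as a walk up the hierarchy. The following Python sketch is an added illustration, not Workday code: it assumes the search stops at the first organization that has an assignee, and the organization names, the worker Nia, and the `max_levels` parameter are constructed for the example.

```python
"""Role resolution with inheritance up an organization hierarchy (simplified model)."""


def resolve_role(org, role, snapshot, max_levels=None):
    """Return the assignee of `role` for `org`, searching up the hierarchy.

    The search stops at the first organization that has an assignee. With
    max_levels set, that assignee only counts if the organization is at most
    max_levels above `org`; otherwise nobody holds the role for `org`.
    """
    parent, assigned = snapshot["parent"], snapshot["assignments"]
    distance, seen = 0, set()
    while org is not None and org not in seen:   # `seen` guards against cycles
        holder = assigned.get((org, role))
        if holder is not None:
            within = max_levels is None or distance <= max_levels
            return holder if within else None
        seen.add(org)
        org = parent.get(org)
        distance += 1
    return None


def reorg_impact(role, before, after, max_levels=None):
    """Map each worker whose role holder changes to (old_holder, new_holder)."""
    changes = {}
    workers = set(before["worker_org"]) | set(after["worker_org"])
    for worker in sorted(workers):
        old = resolve_role(before["worker_org"].get(worker), role, before, max_levels)
        new = resolve_role(after["worker_org"].get(worker), role, after, max_levels)
        if old != new:
            changes[worker] = (old, new)
    return changes


# --- Constructed snapshots of the Logan / Betty / Adam example ---
BEFORE = {
    "parent": {"Payroll": None, "Payroll Ops": "Payroll"},
    "assignments": {("Payroll", "Manager"): "Logan"},
    "worker_org": {"Adam": "Payroll Ops", "Nia": "Payroll Ops"},
}
AFTER = {
    "parent": {"Payroll": None, "Payroll Team B": "Payroll",
               "Payroll Ops": "Payroll Team B", "Night Shift": "Payroll Ops"},
    "assignments": {("Payroll", "Manager"): "Logan",
                    ("Payroll Team B", "Manager"): "Betty"},
    "worker_org": {"Adam": "Payroll Ops", "Nia": "Night Shift"},
}

if __name__ == "__main__":
    # Unlimited inheritance: Betty replaces Logan for both workers.
    print(reorg_impact("Manager", BEFORE, AFTER))
    # Inheritance limited to 1 level: Nia's new organization has no manager.
    print(reorg_impact("Manager", BEFORE, AFTER, max_levels=1))
```

A `None` in the second position marks a worker whose organization has no role assignee after the reorganization.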

Related Information

Concepts
Concept: Assignable Roles
Tasks
Set Up Assignable Roles
Reference
Setup Considerations: Role-Based Security Groups

1.2.24 | Reference: Security Group Types

| Security Group Type | Description | Use Cases |
| --- | --- | --- |
| Aggregation | Collection of users who are members of other security groups. Workday includes users who are members of any of the security groups used in the inclusion criteria. Workday excludes users who are members of a security group used in the exclusion criteria. Workday also excludes users who are members of a security group used in both the inclusion and exclusion criteria. | You can assign permissions to HR Partner (Supervisory Organization) and HR Partner (Location Membership) security groups through an HR Partner aggregation security group. You can use the HR Partner security group to assign permissions to both security groups simultaneously, making it easier to maintain your security configuration. |
| Conditional role-based | Collection of users from constrained role-based security groups who satisfy a specified condition. You can constrain access based on a specified organization. | You can create a conditional role-based security group so you can enforce the Works Council regulations for team members located in Germany. |
| Integration system | Collection of 1 or more integration system users (ISUs) with access to web service tasks. You can constrain access based on a specified organization. | You can enable a credit card company to integrate with Workday. |
| Intersection | Collection of users who are members of other security groups. Workday includes users who are members of all of the security groups used in the inclusion criteria. Workday excludes users who are in some or none of the security groups used in the inclusion criteria. | You can intersect a security group for U.S.-based workers with the Employee As Self security group. You can use the security group so only users in both the U.S. and the Employee As Self security groups can submit expense reports. |
| Job-based | Collection of users based on job details, such as: job category; job family; job profile; management level. You can constrain access based on a specified organization. | You can use the job profile of Chief Human Resources Officer (CHRO) to ensure that the person who fills the position automatically gets the correct access. |
| Level-based | Collection of users at 1 level in a hierarchy who can access data at another level in the hierarchy, independent of organization structures. You can group users based on these levels: compensation grade; management. | You can create a level-based security group so managers can view talent and performance information about their direct reports. |
| Location membership | Collection of users who are in any of the included locations. | You can enable all workers in Tokyo to access target data. |
| Organization membership | Collection of users who are members of a specified organization type, such as: cost center; location hierarchy; pay group. You can constrain access to target data in the specified organization. | You can enable any worker in a Legal supervisory organization to be able to view all worker data in the tenant. |
| Prism access | Collection of users who are members of other unconstrained security groups. Workday includes users who are members of any of the security groups used in the inclusion criteria. | You can assign permissions to the Prism Data Administrator (User-based) security group through a Prism Data Admin - PASG prism access security group. You can use the Prism Data Admin - PASG security group to assign permissions to Prism-related domain security policies that don't allow permissions directly on unconstrained security groups. |
| Role-based | Collection of users associated with a specified assignable role. You can constrain access to the organizations that users support or lead. | You want to enable your support and leadership staff to access target data. |
| Rule-based | Collection of users who are members of a baseline security group and who satisfy a specified condition on the baseline security group. | You can enable only part-time workers to track their work hours by defining a security rule using the Time Type security field to identify part-time workers. |
| Segment-based | Collection of users who are members of other security groups and provide them with permission to access components of a secured item. Members can be part of multiple groups and can have permission to access multiple security segments. | You can enable Benefits Administrators to be able to manage only benefits-related documents, without granting them the ability to manage payroll-related documents. |
| Service center | Collection of third-party users. Third-party users are users who aren’t workers in your organization charts and headcounts. You can constrain access based on a specified organization. | You can enable temporary workers to assist with the benefits enrollment process without hiring them through the typical staffing process. |
| User-based | Collection of users by direct assignment. Users retain assignment regardless of job changes. | You can create a Bank Administrator user-based security group by directly assigning users to the security group. As you hire new employees to administer bank setup data, you can assign the employees to the security group directly. |

Related Information

Concepts
Concept: Security Groups
Reference
Setup Considerations: Security Groups

1.2.25 | Reference: Workday-Delivered Security Groups

Workday automatically populates these security groups. You can't create, edit, or delete them.

https://doc.workday.com/internal/api/webapp/print/aa7ab020-8a58-4a7d-aeba-eb9f52344752 68/114
12/27/21, 12:01 AM Workday® Administrator Guide

Security Group Description

Academic Affiliate as Self Includes users with an active academic


appointment, which gives them access to
self-service tasks.

Admissions Counselor as Self Includes active student recruiters as


determined by the status of these business
processes:

Activate Student Recruiter

Deactivate Student Recruiter

All Academic Affiliates Includes users with an active academic


appointment as determined by the status of
these business processes:

Add Academic Appointment

End Academic Appointment

All Candidates Includes users with a verified recruiting


system account.

All Contingent Workers Includes users with a completed Contract


Contingent Worker event, where the contract
start date is on or before today.

All Employees Includes users with a completed Hire event,


where the hire date is on or before today.

All External Committee Members Includes users with:

A current committee membership as


determined by the dates of the
Manage Committee Membership
business processes.

No other role in the tenant.

All Extended Enterprise Learners Includes all users from outside your
company who can access your learning
catalog.

https://doc.workday.com/internal/api/webapp/print/aa7ab020-8a58-4a7d-aeba-eb9f52344752 69/114
12/27/21, 12:01 AM Workday® Administrator Guide

Security Group Description

All External Learning Instructors Includes all external, third-party instructors.


External instructors can't:

Be extended enterprise learners.

Enroll in courses.

View worker profiles or details about


a worker that aren't relevant to the
courses they teach.

All External Learning Users Includes all users from outside your
company who can access your learning
catalog.

All Internal Learning Instructors Includes all instructors that you created from
workers already in your tenant who:

Give lessons.

Grade learners' course work.

Manage waitlists.

All Learning Assessors Includes users who grade work, and record
attendance in individual lessons or courses.

All Managers' Managers Includes users with a manager role for a


manager. Uses position-based evaluation
logic to enhance security when a worker's
direct manager:

Is on an international assignment.

Has multiple jobs in the enterprise.

All Non-VCR Restricted Implementers Includes implementers who aren't subject to


virtual clean room (VCR) sign-in restrictions
as part of the implementer creation flow by
the Engagement Manager.

https://doc.workday.com/internal/api/webapp/print/aa7ab020-8a58-4a7d-aeba-eb9f52344752 70/114
12/27/21, 12:01 AM Workday® Administrator Guide

Security Group Description

All Pre-Contingent Workers Includes users with a completed Contract


Contingent Worker event, where the contract
start date is before today.

All Pre-Employees Includes users with a completed Hire event,


where the hire date is before today.

All Project Members Includes users assigned to a project:

Directly.

Indirectly through a resource or talent


pool.

All Prospective Suppliers Includes users with a prospective supplier


account to an external supplier site.

All Recruiting Agency Users Includes users with a Recruiting Agency User
account.

All Retirees Includes users with a completed Termination


event with the termination reason of
Retirement.

All Service Center Representatives Includes users with a Service Center


Representative account.

All Students Includes matriculated students as


determined by the Student Application Pre-
Matriculation Event business process.

All Student Prospects Includes users with a Student Prospect


account.

All Student Recruiters Includes users with a Student Recruiting


account.

All Terminees Includes users with a completed Termination


event, where the termination date is before
today.

All Users Includes users who can sign in to Workday,


including Implementers and integration
system users (ISUs).

https://doc.workday.com/internal/api/webapp/print/aa7ab020-8a58-4a7d-aeba-eb9f52344752 71/114
12/27/21, 12:01 AM Workday® Administrator Guide

Security Group Description

All VCR Restricted Implementers Includes implementers who are subject to


virtual clean room (VCR) sign-in restrictions
as part of the implementer creation flow by
the Engagement Manager.

Any Organization Role (Leadership or Includes users with a role on an organization


Supporting) where the effective date is before today.

Candidate as Self Includes users with a verified Recruiting


System account, which gives them access to
self-service tasks.

Commenter Includes users with the Comment


permission level for Drive items.

Contingent Worker as Self Includes users with a completed Contract


Contingent Worker event, where the contract
start date is on or before today. The security
group provides users with self-service
access to their own information.

Customer Contact As Self Includes customer contacts with a Workday


account, which gives them access to self-
service tasks.

Editor Includes users with the Editor permission


level for Drive items.

Employee as Self Includes users with a completed Hire event,


where the hire date is on or before today. The
security group provides users with self-
service access to their own information.

Extended Enterprise Learner as Self Includes all users from outside your
company who can access your learning
catalog. These users have a Workday
account and can access self-service tasks.

https://doc.workday.com/internal/api/webapp/print/aa7ab020-8a58-4a7d-aeba-eb9f52344752 72/114
12/27/21, 12:01 AM Workday® Administrator Guide

Security Group Description

External Learning Instructor as Self | Includes all external, third-party instructors with a Workday account who can access self-service tasks. External instructors can't: be extended enterprise learners; enroll in courses; view worker profiles or details about a worker that aren't relevant to the courses they teach.
External Learning User as Self | Includes all external, third-party learners with a Workday account who can access self-service tasks.
External Committee Member as Self | Includes users with: a current committee membership as determined by the dates of the Manage Committee Membership business processes; no other role in the tenant. The security group provides users with self-service access to their own information.
External Supplier Site System | Includes anonymous users with access to information that's common for any prospective supplier accessing the external supplier registration site.
Implementers | Includes users created by Engagement Managers that implement customer tenants.
Inactive External Committee Members as Self | Includes users with a previous (not current) committee membership as determined by the dates of the Manage Committee Membership business processes. The security group provides self-service access to invitees for new committee memberships.


Initiator | Includes users who are members of a security group that's secured to at least 1 initiating action on a business process security policy. Example: All users who are part of the Employee As Self security group are included in the Initiator security group when Employee As Self is secured to at least 1 initiating action on any business process security policy. To view the members of the Initiator security group, view the security groups that can perform at least 1 initiating action on a business process security policy. Use the Initiator security group for routing and notifications. A specific user is determined in context of an event (initiation of a business process). Workday doesn't recommend that you add the Initiator security group to a domain security policy because doing so grants access to all users to view all data.
Internal Learning Instructor As Self | Includes all instructors that you created from workers already in your tenant who: give lessons; grade learners' course work; manage waitlists. This security group provides users with self-service access to their own information.
Learning Assessor as Self | Includes users who grade work, and record attendance in individual lessons or courses. The security group provides users with self-service access to their own information.


Manager for Majority of Event | Used only in employee reviews. Membership is derived by comparing a worker's manager at the start, midpoint, and end of an event. For employee reviews, the event time-span is the time-span of the review period. If the manager at the midpoint and the end of the event is the same, that manager is the Manager for Majority of Event. Otherwise, the manager at the start of the event is the Manager for Majority of Event. Workday also derives the Manager for Majority of Event for workers with multiple managers.
Manager's Manager | Includes users with a manager role for a manager. Uses position-based evaluation logic to enhance security when a worker's direct manager: is on an international assignment; has multiple jobs in the enterprise.
Mentor | Includes users with a proposed mentor for a mentorship event. When a mentorship event is approved, the user is the approved mentor for the mentorship.
Owner | Includes users with the Owner permission level for Drive items. After a user or administrator transfers ownership of an item, Drive removes the original owner from the Owner security group.
Pre-Contingent Worker as Self | Includes users with a completed Contract Contingent Worker event, where the contract start date is before today. The security group provides users with self-service access to their own information.
Pre-Employee as Self | Includes users with a completed Hire event, where the hire date is before today. The security group provides users with self-service access to their own information.


Primary Manager's Manager | Uses position-based evaluation logic to enhance security when a worker's direct manager: is on an international assignment; has multiple jobs in the enterprise.
Project Member as Self | Includes users assigned to a project, which gives them access to self-service tasks.
Prospective Supplier as Self | Includes users with a verified prospective supplier account, which gives them access to their supplier business entries.
Recruiting Agency User as Self | Includes recruiting agency users who can access the Workday security domains available for recruiting agency self-service.
Requisition Requester | Includes users who have created requisitions.
Retiree as Self | Includes terminated users with a termination reason of retirement, which gives them access to self-service tasks.
Role Maintainer | Includes users who can assign roles to organizations.
Seer | Includes users with the Seer permission level for Drive templates. The Seer permission level indicates that a template was distributed to the user but not shared with them.
Service Center Representative as Self | Includes users who have a Service Center Representative account, which gives them access to self-service tasks.
Student as Self | Includes matriculated students as determined by the Student Application Pre-Matriculation Event business process.
Student Prospect as Self | Includes users with a student prospect account, which gives them access to self-service tasks.


Supplier Contact as Self | Includes suppliers with a Workday account, which gives them access to self-service tasks.
Supplier Contract Specialist for Supplier Contract | Includes users whose names you specify as the contract specialist on a supplier contract. You can remove a member from the security group by replacing the name on all supplier contracts.
Terminee as Self | Includes terminated users who can still sign in to Workday, which gives them access to self-service tasks.
Viewer | Includes users with the View permission level for Drive items.
Worker Start Date Correction Assignee Group | Includes users who are set up to receive notifications for events that require manual action on the Correct Worker Start Date business process. The users also receive notifications when Workday encounters an issue for automatic actions on the business process.

Related Information

Concepts
Concept: Security Groups

1.2.26 | FAQ: Rule-Based Security Groups

How many membership security rules can I select on a rule-based security group?
Should I rerun the Activate Pending Security Policy Changes task when I change a security
rule?
Why can't I access certain report fields on the Worker business object when I configure a
security rule?
Why can’t I access the security rules that display on my rule-based security group?
How do I migrate rule-based security groups and security rules between tenants?
What time zone does Workday use to evaluate whether a user is a member of a rule-based
security group?

How many membership security rules can I select on a rule-based security group?


You can select 1 membership security rule for each rule-based security group. You can also:

Add or change the rule conditions on a security rule.
Combine the rule conditions from other security rules.

To combine existing conditions, add security rules to the Copy Condition from Rule prompt on the
Create Security Rule task.

Should I rerun the Activate Pending Security Policy Changes task when I change a security rule?

You don't need to rerun the task when you change a security rule.

Why can't I access certain report fields on the Worker business object when I configure a security rule?

Workday enables you to access a subset of the report fields on the Worker business object.
Workday provides these report fields:

Assigned Staffing Organizations
Compensation Grade
Contingent Worker Type
Direct Reports Include Contingent Workers
Employee Types
Exempt
Is International Assignee
Job Category
Job Family
Job Family Group
Job Profile (Primary)
Location
Location Address - Country
Management Level
On Leave
Organization and Superior Organizations
Pay Rate Type
Region
Supervisory Organization
Time Type
Work Shift
Worker
Worker Type

Workday currently provides the subset of report fields based on these prioritized use cases:

Enable managers who have active contingent workers in their departments to share reports
on contingent workers.
Enable only nonexempt US employees to clock in and out.
Enable only US employees to access benefits information.
Provide access based on worker type or compensation grade.
Provide restricted self-service access to temporary employees and employees on leave.

Why can’t I access the security rules that display on my rule-based security group?


You can access security rules on rule-based security groups only when you can access the:

Report fields on the security rules.
Set Up: Security Rules domain or Security Administration parent domain in the System
functional area.

How do I migrate rule-based security groups and security rules between tenants?

Implementers can use web services to migrate security rules and rule-based security groups. The
web service used to migrate rule-based security groups only migrates the rule-based security group,
its baseline security group, and any associated security rules. The web service doesn't include data
that supports the baseline security group.

What time zone does Workday use to evaluate whether a user is a member of a rule-based security group?

Workday uses the preferred time zone for a user to evaluate membership on rule-based security
groups. When a user doesn't have a preferred time zone, Workday defaults to this order to
determine the time zone to use:

1. The time zone on the location of the user’s primary position.
2. The tenant default time zone.
3. The Pacific Standard Time (PST) time zone.

When a user changes their time zone, Workday uses the new time zone once the user signs out and
then signs in.

Related Information

Tasks
Create Rule-Based Security Groups
Examples
Example: Set Up Rule-Based Security Groups

1.2.27 | Security Group Examples

1.2.27.1 | Example: Create a Conditional Role-Based Security Group

This example illustrates how to use a conditional role-based security group to apply a constrained
role-based security group based on a specified condition.

Scenario

Your company headquarters are in the USA with branch offices in France and Germany. To comply
with Works Council regulations for organizations, managers in Germany can only view worker data
down to 2 levels in the organization chart. The regulations don't apply to offices in France and the
USA.

You want to ensure that Workday:

Enforces the Works Council regulations for team members in Germany.
Includes workers who transfer to Germany from France or the USA.


Prerequisites

Security: Security Configuration domain in the System functional area.

Steps

1. Access the Create Security Group task.
2. Enter these values:

Field | Enter
Type of Tenanted Security Group | Role-Based Security Group (Constrained)
Name | Manager 2-Level

3. Click OK.
4. In the Assignable Role prompt, select Manager.
5. In the Access Rights to Organizations section, specify:

Field | Enter
Access Rights to Organizations | Applies to Current Organization and Subordinates to Level
Subordinate Levels | 2

6. In the Access Rights to Multiple Job Workers section, select Role has access to the
positions they support.
7. Click OK.
8. Click Done.
9. Access the Create Security Group task.
10. Enter these values:

Field | Enter
Type of Tenanted Security Group | Conditional Role-Based Security Group
Name | Conditional Management Chain - Germany

11. Click OK.
12. In the Location Hierarchy prompt, select 2.2 Germany.
13. In the Role-Based Security Group (Constrained) prompt of the Security Group when
Condition Met section, select Manager 2-Level.
14. In the Role-Based Security Group (Constrained) prompt of the Security Group when
Condition Not Met and for Aggregate Data in Standard and Custom Reports section, select
Management Chain.
15. Click OK.
16. Click Done.

Result


Managers in the France office can view data for workers in France up to 3 levels down the
organization chart. If a worker relocates to the Germany office, the managers won't be able to view
data for the worker.

Next Steps

Add the conditional role-based security group to a domain security policy that controls access to
worker data. Ensure that the constrained role-based security group isn’t on that domain security
policy.

Related Information

Tasks
Create Conditional Role-Based Security Groups

1.2.27.2 | Example: Set Up Business Process Security for Workers with Multiple Positions

This example illustrates how to enable an HR partner to approve job changes for workers who have
multiple positions.

Scenario

Sarah is a worker with these positions:

A primary position for Company 1.
A secondary position for Company 2.

You want to give the HR Partner for Company 1 the ability to approve Change Job business process
events for Sarah.

Prerequisites

Security: Security Configuration domain in the System functional area.

Steps

1. Access the Create Security Group task and enter:

Option | Description
Type of Tenanted Security Group | Role-Based Security Group (Constrained)
Name | Primary HR Partner

2. Click OK.
3. Specify these values:

Option | Description
Assignable Role | HR Partner
Access Rights to Organizations | Applies To Current Organization And Unassigned Subordinates
Access Rights to Multiple Job Workers | Role has access to all positions

4. Click OK.
5. Access the Edit Business Process Security Policy task and enter Change Job.
6. Click OK.
7. Add the new Primary HR Partner security group to the Approve action.
8. Click OK.
9. To activate your changes, access the Activate Pending Security Policy Changes task.
10. In the Comment field, enter Enable the HR partner to approve job changes for Sarah.
11. Select the Confirm check box.

Result

The security group enables the HR partner to approve job changes for Sarah.

Related Information

Tasks
Create Role-Based Security Groups

1.2.27.3 | Example: Set Up Domain Security for Workers with Multiple Positions

This example illustrates how to expand domain security policies for workers who have multiple
positions.

Scenario

Sarah is a worker with these positions:

A primary position for Company 1 managed by Mark.
A secondary position for Company 2 managed by Susan.

Jane is the global mobility partner for Company 2.

You want to give the managers and global mobility partner access to Sarah's compensation
information.

Prerequisites

Security: Security Configuration domain in the System functional area.

Steps

1. To create a Global Mobility Partner security group, access the Create Security Group task
and enter:

Option | Description
Type of Tenanted Security Group | Role-Based Security Group (Constrained)
Name | Global Mobility Partner

2. Click OK.
3. Specify these values:

Option | Description
Assignable Role | Manager
Access Rights to Organizations | Applies To Current Organization And Unassigned Subordinates
Access Rights to Multiple Job Workers | Role has access to all positions

4. Click OK.
5. To create a Primary Manager security group, access the Create Security Group task and
enter:

Option | Description
Type of Tenanted Security Group | Role-Based Security Group (Constrained)
Name | Primary Manager

6. Click OK.
7. Specify these values:

Option | Description
Assignable Role | Manager
Access Rights to Organizations | Applies To Current Organization And Unassigned Subordinates
Access Rights to Multiple Job Workers | Role for primary job has access to all positions

8. Click OK.
9. To change the Manager security group, access the Edit Security Group task.
10. Enter Manager from the Tenanted Security Group prompt and click OK.
11. Select Role has access to the positions they support in the Access Rights to Multiple Job
Workers section.
12. Click OK.
13. To grant access to the new security groups, access the Worker Data: Compensation by
Organization domain security policy.


14. Select Domain > Edit Security Policy Permissions from the related actions menu of the
domain security policy.
15. In the Report/Task Permissions section, add Global Mobility Partner and Primary Manager
with View access.
16. Click OK.
17. To activate your changes, access the Activate Pending Security Policy Changes task.
18. In the Comment field, enter Enable the managers and global mobility partner to access the
compensation information for Sarah.
19. Select the Confirm check box.

Result

The security groups enable the managers and global mobility partner to access the compensation
information for Sarah.

Jane can access compensation information for both of Sarah's positions through the Global
Mobility Partner security group.
Mark can access compensation information for both of Sarah's positions through the
Primary Manager security group.
Susan can access compensation information for Sarah's secondary position through the
changes to the Manager security group.
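
The effect of the three Access Rights to Multiple Job Workers options on this scenario can be checked with a small model before the policy is activated. This is an added example, not Workday code or part of the original guide; the semantics of each option are inferred from the Result above, and the data shapes are constructed. It assumes Jane's membership comes from a Global Mobility Partner role on Company 2 and that Mark and Susan hold the Manager role on their respective positions.

```python
from dataclasses import dataclass
from enum import Enum


class MultiJobAccess(Enum):
    # Option labels as they appear in the Access Rights to Multiple Job Workers section.
    ALL_POSITIONS = "Role has access to all positions"
    PRIMARY_JOB_ALL = "Role for primary job has access to all positions"
    SUPPORTED_ONLY = "Role has access to the positions they support"


@dataclass
class Position:
    label: str
    is_primary: bool
    role_holders: dict  # assignable role -> user holding it for this position (assumed shape)


@dataclass
class Group:
    name: str
    assignable_role: str
    multi_job_access: MultiJobAccess


def visible_positions(user, group, positions):
    """Positions of one worker that `user` can reach through `group`."""
    supported = [p for p in positions
                 if p.role_holders.get(group.assignable_role) == user]
    if not supported:
        return set()
    everything = {p.label for p in positions}
    if group.multi_job_access is MultiJobAccess.ALL_POSITIONS:
        return everything
    if group.multi_job_access is MultiJobAccess.PRIMARY_JOB_ALL:
        # Only the role holder on the primary position is widened to all positions.
        return everything if any(p.is_primary for p in supported) else set()
    return {p.label for p in supported}


def policy_view(user, groups_on_policy, positions):
    """Union of what every group on the domain security policy grants the user."""
    seen = set()
    for group in groups_on_policy:
        seen |= visible_positions(user, group, positions)
    return seen


def widened_access(user, groups_on_policy, positions):
    """Positions the user can view without holding any role on them (review these)."""
    held = {p.label for p in positions if user in p.role_holders.values()}
    return policy_view(user, groups_on_policy, positions) - held


# Constructed data for the scenario: Sarah's two positions and who supports them.
SARAH = [
    Position("primary (Company 1)", True, {"Manager": "Mark"}),
    Position("secondary (Company 2)", False,
             {"Manager": "Susan", "Global Mobility Partner": "Jane"}),
]

# Groups on the compensation domain security policy after the steps above.
POLICY_GROUPS = [
    Group("Global Mobility Partner", "Global Mobility Partner",
          MultiJobAccess.ALL_POSITIONS),
    Group("Primary Manager", "Manager", MultiJobAccess.PRIMARY_JOB_ALL),
    Group("Manager", "Manager", MultiJobAccess.SUPPORTED_ONLY),
]

if __name__ == "__main__":
    for user in ("Jane", "Mark", "Susan"):
        print(user,
              sorted(policy_view(user, POLICY_GROUPS, SARAH)),
              "widened:", sorted(widened_access(user, POLICY_GROUPS, SARAH)))
```

The widened set is the part worth reviewing: it lists compensation data a user reaches only because of the multiple-job option, not because of a role on that position.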

Related Information

Tasks
Create Role-Based Security Groups

1.2.27.4 | Example: Set Up Rule-Based Security Groups

This example illustrates how to build a rule-based security group using a membership security rule.

Scenario

Currently, you enable all employees to enter their work time on Workday. You want to change your
security configuration to ensure that only nonexempt U.S. employees can enter their work time on
Workday.

Prerequisites

Security: These domains in the System functional area:

Security Activation
Security Configuration
Set Up: Security Rules

Steps

1. Access the Create Security Rule task.
2. Specify these values:

Option | Description
Security Rule Type | Membership Rule
Business Object | Worker

3. Click OK.
4. Enter Exempt U.S. Security Rule in the Description field.
5. Select these values in the Rule Conditions grid:

And/Or | Security Field | Relational Operator | Comparison Type | Comparison Value
And | Location Address - Country | in the selection list | Value specified in this filter | United States of America
And | Exempt | equal to | Value specified in this filter | Clear the check box.

6. Click OK.
7. Access the Create Security Group task.
8. Specify these values:

Option Description

Type of Tenanted Security Group Rule-Based Security Group

Name Non-Exempt U.S. Employees

9. Click OK.
10. Select Employee As Self from the Baseline Security Group prompt.
11. Select Include Members by Rule in the Membership section.
12. Select Exempt U.S. Security Rule from the prompt.
13. Click OK.
14. Select Domain > Edit Security Policy Permissions from the related actions menu of the
Self-Service: Time Tracking High Volume domain.
15. Replace Employee As Self with Non-Exempt U.S. Employees on the Report/Task
Permissions grid.
16. Click OK.
17. Access the Activate Pending Security Policy Changes task.
18. Enter Enabling only nonexempt U.S. employees to enter their work time in the Comment field.
19. Click OK.
20. Click Confirm.
21. Click OK.

Result


Nonexempt U.S. employees can access the Enter My Time task. Non-U.S. employees and U.S.
exempt employees are among the workers who can no longer access the task.
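
A pre-activation check for this change, as an added example that is not Workday code or part of the original guide: it models the Non-Exempt U.S. Employees group as baseline membership (Employee As Self: completed Hire event, hire date on or before today) plus the two rule conditions, and resolves "today" with the time zone fallback order from the rule-based security group FAQ. The worker records, field names, fixed UTC offsets, and the use of the local date for the hire-date comparison are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Fixed UTC offsets keep the example offline (constructed; real tenants use named zones).
PST = timezone(timedelta(hours=-8), "PST")
EST = timezone(timedelta(hours=-5), "EST")
CET = timezone(timedelta(hours=1), "CET")
US = "United States of America"


@dataclass
class Worker:
    name: str
    hire_date: date
    hire_completed: bool
    country: str   # report field: Location Address - Country
    exempt: bool   # report field: Exempt
    preferred_tz: Optional[timezone] = None
    primary_location_tz: Optional[timezone] = None


def evaluation_timezone(worker, tenant_default_tz=None):
    """FAQ order: preferred, primary position location, tenant default, then PST."""
    for tz in (worker.preferred_tz, worker.primary_location_tz, tenant_default_tz):
        if tz is not None:
            return tz
    return PST


def local_today(worker, now_utc, tenant_default_tz=None):
    """The calendar date used for this worker's membership evaluation."""
    return now_utc.astimezone(evaluation_timezone(worker, tenant_default_tz)).date()


def in_baseline(worker, today):
    """Employee As Self: completed Hire event with hire date on or before today."""
    return worker.hire_completed and worker.hire_date <= today


def matches_rule(worker):
    """Both rule conditions, joined with And as in the Rule Conditions grid."""
    return worker.country in {US} and worker.exempt is False


def access_diff(workers, now_utc, tenant_default_tz=None):
    """Split current Employee As Self members into those who keep and lose the task."""
    keeps, loses = [], []
    for w in workers:
        if not in_baseline(w, local_today(w, now_utc, tenant_default_tz)):
            continue  # had no access before the change either
        (keeps if matches_rule(w) else loses).append(w.name)
    return keeps, loses


# Constructed evaluation instant: 05:00 UTC is still Feb 29 in PST but Mar 1 in EST.
NOW_UTC = datetime(2024, 3, 1, 5, 0, tzinfo=timezone.utc)

# Constructed sample workers.
WORKERS = [
    Worker("Ana", date(2020, 1, 6), True, US, exempt=False, preferred_tz=EST),
    Worker("Ben", date(2019, 5, 13), True, US, exempt=True, preferred_tz=PST),
    Worker("Chloe", date(2021, 9, 1), True, "France", exempt=False,
           primary_location_tz=CET),
    Worker("Dev", date(2024, 3, 1), True, US, exempt=False),  # no time zone set anywhere
    Worker("Eli", date(2024, 3, 1), True, US, exempt=False, preferred_tz=EST),
]

if __name__ == "__main__":
    keeps, loses = access_diff(WORKERS, NOW_UTC)
    print("keeps Enter My Time:", keeps)
    print("loses Enter My Time:", loses)
```

Dev and Eli share a hire date, yet only Eli is a member at this instant because Dev falls through to the PST default; setting a tenant default time zone changes that outcome.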

Related Information

Tasks
Create Rule-Based Security Groups

1.2.27.5 | Example: Create a Service Center Security Group for Benefits Support

This example illustrates 1 way to create an aggregation security group that includes the service
center security group for each supported location.

Scenario

Your organization hires third-party users to provide benefits support to workers in the U.S. and
Canada. You want to create separate service centers to support workers in different locations, but
you don’t want to assign permissions to each service center individually. You can create an
aggregation security group that includes the individual security groups so you can more easily
assign permissions to the security groups.

Prerequisites

Create U.S. and Canada service centers for third-party auditors.

Security: Security Configuration domain in the System functional area.

Steps

1. Create a security group for the U.S. service center.
   a. Access the Create Security Group task.
   b. Select Service Center Security Group (Constrained) from the Type of Tenanted
      Security Group prompt.
   c. Enter U.S. Benefits in the Name field.
   d. Click OK.
   e. Select United States from the Organizations prompt.
   f. Select Applies to Current Organization And All Subordinates.
   g. Click OK.
2. Create a security group for the Canada service center.
   a. Access the Create Security Group task.
   b. Select Service Center Security Group (Constrained) from the Type of Tenanted
      Security Group prompt.
   c. Enter Canada Benefits in the Name field.
   d. Click OK.
   e. Select Canada from the Organizations prompt.
   f. Select Applies to Current Organization And All Subordinates.
   g. Click OK.
3. Create an aggregation security group for all service centers.
   a. Access the Create Security Group task.
   b. Select Aggregation Security Group from the Type of Tenanted Security Group
      prompt.
   c. Enter All Benefits Support in the Name field.
   d. Click OK.
   e. Select U.S. Benefits and Canada Benefits from the Security Groups to Include
      prompt.
   f. Click OK.
4. Set security access to some of the benefits-related secured items.
   a. Access the Maintain Permissions for Security Group task.
   b. Select Maintain from the Operation field.
   c. Select All Benefits Support from the Source Security Group prompt.
   d. Click OK.
   e. Add a row on the Domain Security Policy Permissions grid.
   f. Select View Only from the View/Modify Access prompt.
   g. Select these domains from the Domain Security Policy prompt:
      Job Information
      Worker Data: Compensation
      Worker Data: Job Details
      Worker Data: Public Worker Reports
      Worklet General
   h. Continue to add security domains for all service center representatives.
   i. Click OK.
5. Activate pending security policy changes.
   a. Access the Activate Pending Security Policy Changes task.
   b. Enter Enabling third-party users to access tasks and reports to support employee
      benefits in Workday in the Comment field.
   c. Click OK.
   d. Select the Confirm check box.
   e. Click OK.

Result

You can assign permissions to service center representatives in all locations using the All Benefits
Support security group.

Related Information

Tasks
Create Aggregation Security Groups
Create Service Center Security Groups
Maintain Security Group Permissions

1.2.27.6 | Example: Create a User-Based Security Group for Administrators

This example illustrates 1 way to set security permissions for administrators using a user-based
security group.

Scenario

You recently hired a new Compensation Administrator who needs unconstrained access to worker
compensation data. You can create a user-based security group and assign the new Compensation
Administrator to the security group. As you hire additional Compensation Administrators, you can
assign them to the security group without needing to reassign the security permissions.

Steps

1. Create a Compensation Administrator user-based security group.
   a. Access the Create Security Group task.
   b. Select User-Based Security Group from the Type of Tenanted Security Group prompt.
   c. Enter Compensation Administrator in the Name field.
   d. Click OK.
   e. Select Security Administrator from the Administered by Security Groups prompt.
   f. Click OK.
2. Assign users to the user-based security group.
   a. Access the Assign Users to User-Based Security Group task.
   b. Select Compensation Administrator from the Assign Users to User-Based Security
      Group prompt.
   c. Click OK.
   d. Select 1 or more users to provide compensation administrator privileges from the
      System Users prompt.
   e. Click OK.
3. Assign security permissions to the user-based security group.
   a. Access the Maintain Permissions for Security Group task.
   b. Select Maintain from the Operation field.
   c. Select Compensation Administrator from the Source Security Group prompt.
   d. Click OK.
   e. Add a row on the Domain Security Policy Permissions grid.
   f. Select View and Modify from the View/Modify Access prompt.
   g. Select these domains from the Domain Security Policy prompt:
      Compensation Change: Salary
      Set Up: Compensation
      Worker Data: Compensation
      Worker Data: Compensation Management
   h. Continue to add security domains for Compensation Administrators.
   i. Click OK.
4. Activate your pending security policy changes.
   a. Access the Activate Pending Security Policy Changes task.
   b. Enter Enabling compensation administrators to set up compensation components in
      the Comment field.
   c. Click OK.
   d. Click Confirm.
   e. Click OK.

Related Information

Tasks
Create User-Based Security Groups
Maintain Security Group Permissions

1.3 | Security Policies


1.3.1 | Setup Considerations: Security Policies

You can use this topic to help make decisions when planning your configuration and use of security
policies. It explains:

Why to set them up.
How they fit into the rest of Workday.
Downstream impacts and cross-product interactions.
Security requirements and business process configurations.
Questions and limitations to consider before implementation.

Refer to detailed task instructions for full configuration details.

What They Are


Security policies enable you to configure access to groups of items and individual business process
actions. By associating security groups with security policies, you can enable members of the
security groups to access the secured items and actions.

Workday delivers these types of security policies:

Domain security policies, which secure reports, tasks, and integrations.
Business process security policies, which secure business processes.

Workday enables you to configure permissions for reports and tasks separately from permissions
for integrations. You can set:

Get and Put permissions for integrations.
View and Modify permissions for reports and tasks.

You can also set various permissions for actions on business processes, such as View All, Rescind,
and Deny permissions.

Business Benefits
Security policies enable you to deliver the right information and actions to the right users. By
configuring:

Domain security policies, you can efficiently set permissions for groups of items rather than
for individual items.
Business process security policies, you can decide who can take actions on a business
process.

Use Cases
Add security groups to the Initiate permission on the Change Job business process security
policy to enable members of the security groups to initiate job changes.
Add security groups to the Report Prompt Set Management domain security policy to enable
members of the security groups to create report prompt sets.
Remove security groups from the Photo Change business process security policy to prevent
members of the security groups from changing their photos.

Questions to Consider


Questions | Considerations
Do you want to provide users with access to certain information in a business process? | When you enable users to access business processes, Workday doesn't automatically enable the users to access all the information they need access to in the business processes. Use the domains associated with the business processes to determine what the users can access in the business processes. Example: Managers who run the Change Job business process can’t view job profile information until you add them to the Staffing Actions: Job Profile domain.
Do you want to provide users with access to certain actions on a business process? | Providing access to certain actions on a business process can also provide access to other actions on the business process. Example: Providing security groups with Correct permissions also provides the security groups with View All permissions for transactions that are cancelable. Review each business process security policy to understand the permissions that Workday inherently provides.
What security group types can you add to a domain security policy? | You can access the Allowed Security Group Types field on a domain to view the types of security groups you can add to a domain security policy. Make sure that the security group types you want to add match the security group types on the Allowed Security Group Types field.


Do you want to override permissions from a parent security policy? | Workday defines parent-child relationships among domains so child security policies inherit permissions from a parent security policy. These relationships can help you maintain and update permissions for many items at once. You can override inherited permissions when a child security policy needs different permissions. When you override permissions on a child security policy, the other child security policies still inherit permissions from the parent policy. Example: You want managers to have access to all employee contact information except employee phone numbers. You can override the permissions on the security policy for employee phone numbers. To reduce security policy maintenance, limit the number of child security policies you override.
When do you need to activate changes to security policies? | Changes to security policies only go into effect when you activate the changes. You only need to activate pending changes when you change a security policy. You don’t need to activate these types of changes: assign roles; assign users to security groups; change a security group; create a security group.


Question: Do you want to undo activated changes to security policies?

Considerations: Workday enables you to revert to previous timestamps, undoing changes to security
policies that you’ve activated.

When you activate a previous timestamp, Workday retains the security configuration from the
original timestamp as pending changes. If you don’t want to reactivate those pending changes,
cancel the changes and then activate pending security policy changes.

Example: You revert to a timestamp from September so you can eliminate the changes from October.
After you revert to the previous timestamp, cancel the pending changes and activate pending
security policy changes.

Recommendations
Consider all the items you’re providing access to when you assign a security group to a domain
security policy.

Find the domains that secure the content you're looking to secure using the View Security for
Securable Items report.

Requirements
Workday groups functionally similar domains and business processes into functional areas. To set
permissions for domains and business processes, enable each functional area as well as its
security policies. Enabling a functional area doesn’t automatically enable all the security policies
within the functional area.

When you remove a security group from a business process security policy, also remove it from the
steps in the business process definition that reference the security group. Otherwise, Workday
might not assign the steps in the business process to users, causing the business process to stall
and requiring you to intervene.

Limitations
You can’t:

Change the actions available on business process security policies.
Change the items within domains.
Create your own functional areas.
Delete security policies.
Move domains or business processes from 1 functional area to another.

Tenant Setup
No impact.


Security
These domains in the System functional area:

Domains: Considerations

Security Administration: Enables you to access security administration tasks and reports.
Includes tasks for activating changes to security policies and reports for security audits.

Security Configuration: Enables you to access security configuration tasks and reports. Includes
reports for analyzing and reviewing the configuration of security policies.

Business Processes
No impact.

Reporting
These reports enable you to audit security policies for business processes:

Reports: Considerations

Business Process Security Policies Changed within Time Range: Displays the changes to a business
process security policy, who made the change, and when they made the change within a time frame.

Business Process Security Policies for Functional Area: Displays the security configuration for
each business process security policy in a functional area.

Business Process Security Policies with Pending Changes: Displays each business process security
policy with a pending change, who made the change, and when they made the change.

Business Process Security Policy History: Displays the changes to a business process security
policy, who made the change, and when they made the change.

These reports enable you to audit security policies for domains:


Reports: Considerations

Domain Security Policies Changed within Time Range: Displays the changes to a domain security
policy, who made the changes, and when they made the changes.

Domain Security Policies for Functional Area: Displays the security configuration for each domain
security policy in a functional area.

Domain Security Policies with Pending Changes: Displays each domain security policy with a
pending change, who made the change, and when they made the change.

Domain Security Policy History: Displays the changes to a domain security policy, who made the
change, and when they made the change.

Domain Security Policy Summary: Displays the current security configuration for each domain.

Secured Items in Multiple Domains: Displays every secured item that Workday secures to more than
1 domain.

These reports provide more general support for security policies and functional areas:

Reports: Considerations

Audit Trail - Security: Displays the changes to security policies and permissions within a time
frame.

Functional Areas: Displays all functional areas and the domains and business processes within
them.

View All Security Timestamps: Displays all security timestamps and identifies the current active
timestamp.

View Security for Securable Item: Displays how Workday secures delivered items, such as reports,
tasks, integrations, business processes, and data sources.

Integrations
Integrations and other applications that access Workday must have an Integration System User
(ISU) with:

Get and Put access to the domains that secure web service operations.
View access to the domains that secure report data sources and report fields.

Outbound EIBs also require access to the custom report used as a data source.

Workday secures each REST method to a domain or business process security policy. Each REST
method can access only the domains and business processes that the current user can access.


Example: The GET /supervisoryOrganizations REST API returns only the organizations that the user
has permission to access.

Connections and Touchpoints


Workday offers a Touchpoints Kit with resources to help you understand configuration relationships
in your tenant. Learn more about the Workday Touchpoints Kit on Workday Community.

Other Impacts
In addition to using segmented security, you can limit access to items in a domain through View
permissions. When you set View permissions, members of the associated security groups can
access only the items that users can view. Example: A domain includes 6 reports and 4 tasks. By
setting View permissions, members of the associated security groups can only access the 6
reports.

You can use the Maintain Permissions for Security Group task to add 1 security group to many
security policies at once.

Related Information

Concepts
Setup Considerations: Security Groups
Concept: Business Processes
Concept: Configurable Security
Concept: Security Policies
Concept: Security Policy Change Control
Tasks
Steps: Enable Functional Areas and Security Policies

1.3.2 | Edit Domain Security Policies

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can configure which security groups have permission to access the secured items in a domain.

Steps

1. Access the Domain Security Policies for Functional Area report.
2. Select a security policy.
3. Click Edit Permissions.
4. Select the View or Modify check box to grant the security groups access to the report or
task securable items.
5. Select the Get or Put check box to grant the security groups access to integration and report
or task securable actions.

Next Steps

Activate pending security policy changes.


Related Information

Concepts
Concept: Security Policies
Tasks
Activate Pending Security Policy Changes

1.3.3 | Edit Business Process Security Policies

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

You can specify which security groups have permission to access each of the securable items in a
business process security policy.

Hierarchical relationships in business process security policies logically group similar policies, but
there's no inheritance.

Steps

1. Access the Business Process Security Policies for Functional Area report.
2. Click Edit Permissions.
3. Add or remove security groups for each relevant action on the business process.
Note: If you remove a security group from a business process security policy, you must also
remove the group from the corresponding business process definition.

Next Steps

Activate pending security policy changes.

Related Information

Tasks
Activate Pending Security Policy Changes
Edit Business Processes
Edit Domain Security Policies

1.3.4 | Concept: Security Policies

A security policy secures the items in a domain or business process. Each functional area can
contain security policies for:

Actions, such as action steps, approvals, and initiation steps on business processes.
Reporting and task items, such as data sources, delivered worklets, report fields, reports,
and tasks.
Integration items, such as integration templates and web services.

For each functional area, you can view the security policies for:


Domains by accessing the Domain Security Policies for Functional Area report.
Business processes by accessing the Business Process Security Policies for Functional
Area report.

By selecting Edit Permissions on a security policy, you can assign or remove security groups from
the security policy to modify permissions to secured items. However, you can't:

Change the securable items in a security policy.
Define more than 1 security policy for a domain or business process.
Delete a security policy.
Move a domain or business process from 1 functional area to another.

When you configure the security policy for a business process, Workday:

Displays an Initiation step for each way to start the business process.
Enables you to specify whether you can delegate the business process to others.
Includes separate securable items for each Action step in the business process.

For each update, Workday creates empty domain security policies that you can configure. You can
use the Create Security Policy for Domain task to create the security policy for a domain between
updates. As you complete the task, the For Domain prompt displays only domains that don't already
have associated security policies in your tenant.

Security Policy Assignments


You can assign users to security policies by:

Assigning users to security groups.
Deriving security group membership.

You can assign:

Users to Workday-delivered or custom user-based security groups.
Integration system users to integration system security groups.

You can derive security group membership based on relevant information about users. Examples:
You can assign:

The appropriate job profile during the hire or job change process.
Users to the appropriate locations when you configure location-based security groups.
Users to the appropriate organizations when you configure organization-based security
groups.
Worker positions to organization roles. When you need organization-specific security
access, you can create organization roles and role-based security groups.

After you assign users to security groups or derive security group membership, assign the security
groups to security policies using these tasks:

Edit Domain Security Policies
Edit Business Process Security Policies

Business Process Security Policies and Event Targets


An event is a business process transaction that occurs within your organization, such as hiring an
employee. An event target is the instance that a business process event is about. Examples:


For a Hire business process event, the event target is the person you're hiring.
For an Expense business process event, the event target is the person responsible for the
expense report.

To access an event target, you must have permission to access both the:

Business process. Examples: Hire, Expense Report Event.
Specific instances. Examples: Pre-hire, Employee.

When you lose access to an event target, you also lose access to an event involving the target,
unless you are in a security group with access to the event.

To hide the details of a business process event from an event target, use the Hide Details from
Worker check box on the Edit Business Process Security Policy task.

Related Information

Concepts
Concept: Configurable Security
Concept: Security Groups
Reference
Reference: Security-Related Reports

1.4 | Security Change Control


1.4.1 | Activate Pending Security Policy Changes

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

Create an active timestamp using the Activate Pending Security Policy Changes task. Security
policy changes made since the previous active timestamp take effect immediately. The active
timestamp now reflects the current time, whether or not changes are pending.

You can run these reports to view a detailed list of the security policy changes you're activating:

Domain Security Policies with Pending Changes
Business Process Security Policies with Pending Changes

Steps

1. Access the Activate Pending Security Policy Changes task.
2. Describe your changes in the Comment field.
3. Select the Confirm check box to activate your changes.

Next Steps

You can use the View All Security Timestamps report to roll back to a previous timestamp.


1.4.2 | Activate Previous Security Timestamp

Prerequisites

Security: Security Configuration domain in the System functional area.

Context

Workday enables you to revert to a previous security timestamp for troubleshooting purposes.
When you activate a previous timestamp, Workday prevents you from using the current timestamp
again.

If you're recovering from a faulty configuration, activating a previous timestamp doesn't fix errors; it
only evaluates your security configuration at an earlier point in time. The errors still exist and you
must correct them before you run the Activate Pending Security Policy Changes task to create a
new timestamp.

When you activate a previous timestamp, check for changes not governed by the security policy but
that affect it. Example: A security group isn't part of the security policy that references it. You can
delete a security group and change security policies to no longer reference that security group.
However, the security group doesn't display if you activate a previous security timestamp
referencing that security group. Changes made to a business process could mean that it’s no longer
secured or routed correctly when you revert to a previous timestamp.

When you change the name of a security group, run the Activate Pending Security Policy Changes
task to update security policies with the new name.

Steps

1. Access the Activate Previous Security Timestamp task.
2. From the Previous Security Timestamps prompt, select a previous timestamp.
3. (Optional) Describe your changes in the Comment field.
4. Select the Confirm check box. Workday timestamps the current moment, which includes
these changes.

Result

Any security policy changes made after this timestamp are no longer in effect, but Workday
preserves the changes as pending changes. Use the Activate Pending Security Policy Changes
task to implement these changes.

Next Steps

You can edit your comments at any time. To edit your comments, select Security Timestamp > Edit
from the related actions menu of the View All Security Timestamps report.

Related Information

Tasks
Activate Pending Security Policy Changes

1.4.3 | Concept: Security Policy Change Control

Security policy change control enables you to:


Revert to previous versions of your security configuration so you can correct critical security
errors.
Prepare complex security changes and activate the changes when you're ready to deploy
them.

Security policy change control doesn’t enable you to retain alternate valid security configurations.
When you revert from a security configuration, the security configuration is no longer available.

How It Works
With security policy change control:

Workday records the time of every security change.
Workday evaluates security as of a timestamp, ignoring pending changes until you activate
your current security configuration.
You can activate a previous timestamp.

Security timestamps take into account these changes:

Adding or removing security groups from security policies.
Enabling or disabling the delegation of business processes.
Enabling or disabling security domains or functional areas.

These changes take effect immediately and don't require activation:

Security group definitions.
User assignments.

Example
You activate security policy changes in March, June, and September. In September, you discover a
serious error in the security configuration from March. You decide to activate the timestamp from
March by running the Activate Previous Security Timestamp task.

After you activate the timestamp, the June and September changes are pending. The changes you
make to fix the error from September are also pending. When you run the Activate Pending Security
Policy Changes task:

Workday creates a new timestamp and activates all changes made since March.
You can no longer activate the timestamp from September because Workday considers it an
invalid configuration.
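
The timestamp behavior described in How It Works and in the March, June, and September example can be traced with a small Python model. This is an added illustration, not Workday code or a Workday API: the class, method, domain, and group names are hypothetical placeholders, and the model assumes that only the timestamp you revert away from becomes unusable.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Change:
    when: date
    policy: str
    group: str
    op: str  # "add" or "remove" a security group on a security policy


@dataclass
class Timestamp:
    when: date
    comment: str
    usable: bool = True


class ChangeControlModel:
    """Conceptual model of security policy change control (hypothetical names)."""

    def __init__(self):
        self.changes = []     # every recorded policy change, in time order
        self.timestamps = []  # every timestamp created by an activation
        self.active = None    # the timestamp security is evaluated as of

    def _cutoff(self):
        return self.active.when if self.active else date.min

    def record(self, when, policy, group, op):
        """Record a policy change. It stays pending until activated."""
        if op not in ("add", "remove"):
            raise ValueError(f"unknown operation: {op}")
        if self.changes and when < self.changes[-1].when:
            raise ValueError("changes must be recorded in time order")
        self.changes.append(Change(when, policy, group, op))

    def pending(self):
        """Changes made after the active timestamp: recorded but not in effect."""
        return [c for c in self.changes if c.when > self._cutoff()]

    def effective(self):
        """Replay changes up to the active timestamp, ignoring pending ones."""
        policies = {}
        for c in self.changes:
            if c.when > self._cutoff():
                break
            groups = policies.setdefault(c.policy, set())
            if c.op == "add":
                groups.add(c.group)
            else:
                groups.discard(c.group)
        return policies

    def activate_pending(self, when, comment):
        """Create a new active timestamp so that all pending changes take effect."""
        if when <= self._cutoff() or (self.changes and when < self.changes[-1].when):
            raise ValueError("new timestamp must follow all recorded activity")
        self.active = Timestamp(when, comment)
        self.timestamps.append(self.active)
        return self.active

    def activate_previous(self, when):
        """Evaluate security as of an earlier timestamp; later changes go pending."""
        target = next((t for t in self.timestamps if t.when == when), None)
        if target is None or when >= self._cutoff():
            raise LookupError("no previous timestamp at that time")
        if not target.usable:
            raise ValueError("that timestamp can no longer be activated")
        # Assumption: only the timestamp being reverted away from becomes unusable.
        self.active.usable = False
        self.active = target
        return target


def run_example():
    """Constructed scenario: three activations, a revert to March, then a fix."""
    dom = "example-domain"  # placeholder name for a domain security policy
    m = ChangeControlModel()
    m.record(date(2021, 2, 10), dom, "group-managers", "add")
    m.activate_pending(date(2021, 3, 1), "March")
    m.record(date(2021, 5, 20), dom, "group-hr", "add")
    m.activate_pending(date(2021, 6, 1), "June")
    m.record(date(2021, 8, 15), dom, "group-everyone", "add")  # the mistaken grant
    m.activate_pending(date(2021, 9, 1), "September")
    m.activate_previous(date(2021, 3, 1))
    result = {"after_revert": m.effective(), "pending_after_revert": len(m.pending())}
    m.record(date(2021, 9, 20), dom, "group-everyone", "remove")  # the fix, also pending
    result["pending_after_fix"] = len(m.pending())
    m.activate_pending(date(2021, 10, 1), "Fix and reactivate")
    result["after_reactivation"] = m.effective()
    september = next(t for t in m.timestamps if t.comment == "September")
    result["september_usable"] = september.usable
    return result


if __name__ == "__main__":
    print(run_example())
```

In the constructed run, the mistaken grant stays pending after the revert and is reactivated together with its fix, which is why the fix has to be recorded before the pending changes are activated.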

Exporting Security Changes


When you export security changes to a test tenant for validation, you can activate all changes at
once.

Reporting
You can view an activated security policy and the pending changes by accessing:

Domain Security Policy > View Latest Version from the related actions menu of a domain
security policy.
Business Process Policy > View Latest Version from the related actions menu of a business
process security policy.


You can compare security policy versions, before and after changes, by accessing:

Domain Security Policy > View Pending Changes from the related actions menu of a
domain security policy.
Business Process Policy > View Pending Changes from the related actions menu of a
business process security policy.

Related Information

Reference
Reference: Security-Related Reports

1.5 | Service Centers


1.5.1 | Steps: Set Up Service Centers

Context

You can configure service centers to grant third-party organizations access to your Workday tenant,
without granting them access to sensitive data. Service centers consist of representatives who
work only for that service center and aren't part of your headcount.

Service center representatives can have limited access to your Workday tenant and support only a
subset of workers in your organization. They aren't workers but can perform tasks in Workday within
a predefined scope. Example: They can help employees enroll in benefits or unlock their locked
accounts.

Steps

1. Access the Create Service Center task.
(Optional) Enter contact information for the service center, not for individual representatives.
Security: Set Up: Service Center domain in the System functional area.
2. Access the Create Service Center Representative task.
(Optional) Enter contact information for the new representative, not for the service center.
Security: Manage: Service Center domain in the System functional area.
3. (Optional) Create a business process definition for the service center using the Create
Workday Account business process.
See Create Workday Accounts for Service Center Representatives.
4. From the related actions menu of a representative, select Security Profile > Create Workday
Account.
Create a Workday account to enable the representative to sign in to your Workday tenant.
5. Set security permissions for the service center.
See Assign Roles to Service Centers.
6. Set security permissions for representatives in the service center.
See Create Service Center Security Groups.

Result

Service center representatives can perform tasks in your Workday tenant on specified items.

Example


Global Modern Services outsources its IT support to Global Technologies. Kevin, an employee of
Global Modern Services, locks himself out of his account. You can configure a service center so a
representative from Global Technologies can unlock his account.

Next Steps

Run the View Service Center report to view information about the service center and the service
center representatives, including:

Activation or inactivation dates.
Changes in service center assignments.
Contact information.

Related Information

Examples
Example: Create a Service Center for Third-Party Auditors

1.5.2 | Assign Roles to Service Centers

Prerequisites

Configure the Assign Roles business process and security policy in the Organizations and Roles
functional area.

Context

When you assign the Service Center Manager role to a Service Center, Service Center Managers can
authorize representatives to perform tasks and access other secured items.

Steps

1. From the related actions menu of a service center, select Roles > Assign Roles.
2. Select a role from the Assign Roles grid.
Make sure you can assign the role to users. You must be in a security group in the Assigned
by Security Group field on the Maintain Assignable Roles task.
Workday indicates whether you can assign a role to multiple users on the Restricted to
Single Assignment field. You can modify the field on the Maintain Assignable Roles task.
3. Assign the role to one or more users.

Related Information

Tasks
Set Up Assignable Roles
Create Role-Based Security Groups
Create Service Center Security Groups

1.5.3 | Create Workday Accounts for Service Center Representatives

Prerequisites


Create role-based security groups for Service Center Managers and add them to the Manage:
Service Center security domain with View and Modify permissions.

Context

You can create different business process definitions for the Create Workday Account business
process for each Service Center, enabling Service Center Managers to:

Create or change a Workday account and notify the Security Administrator.
Send email messages to the email address specified in their contact information.

Steps

1. View the definition of the Create Workday Account (Default Definition) business process.
2. From the related actions menu of the business process definition, select Business Process
> Copy or Link Business Process Definition.
3. Select Copy Workflow Definition to Business Object.
4. From the prompt, specify the Service Center.
5. From the related actions menu of the business process definition for the Service Center,
select Business Process > Add Notification.
6. Create notifications for the appropriate security groups, such as:
Security Administrator.
Service Center Representative as Self.

Result

Workday notifies members of the selected security groups when you create a Workday account for
a Service Center representative.

Related Information

Tasks
Assign Roles to Service Centers
Create Custom Notifications
Edit Business Processes
Edit Workday Accounts

1.5.4 | Manage Passwords for Workday Accounts

Prerequisites

Configure Service Center and Service Center representatives.

Security: These domains in the System functional area:

Workday Account Passwords
Workday Accounts

Context

Service Center representatives can reset and change passwords for workers in your Workday
tenant. These steps only apply to Workday accounts, which are accounts that Workday manages.


Steps

1. From the related actions menu of a worker profile, select Security Profile > Manage
Workday Account Credentials.
2. As you complete the task, consider:

Option: Description

Generate Random Password: Workday emails the worker a randomly generated password. When the
worker signs in with the randomly generated password, Workday prompts them to create a new
password.

New Password, Verify New Password: Service Center representatives can configure a new password
for the worker.

Require New Password at Next Sign In: Workday ignores this setting when users sign in using
Delegated Authentication or SAML.

Reset Challenge Questions: Enables users who specified challenge questions to reset their
challenge questions. When users don't specify challenge questions, you can't successfully clear
the check box; Workday doesn't save changes to the check box.

Related Information

Tasks
Configure Password Reset
Edit Workday Accounts

1.5.5 | Inactivate Service Center Representatives

Prerequisites

Configure the Inactivate Service Center Representative business process in the System functional
area.

Security: These domains in the System functional area:

Manage: Service Center
Self-Service: Service Center Representative

Context


As a Service Center Administrator, you can inactivate any Service Center representative. When you
inactivate a Service Center representative, Workday:

Disables their Workday account.
Dissociates them from Service Centers.
Removes their associated roles.

Workday also removes the representative from:

All role-based security groups associated with the Service Centers.
All Service Center security groups.
Delegation.

Steps

1. Access the View Service Center Representative report.
2. From the related actions menu of the Service Center representative, select Service Center
Representative > Inactivate.
3. Select the Confirm check box.

1.5.6 | Example: Create a Service Center for Third-Party Auditors

This example illustrates how to provide third-party auditors with read-only access to securable
items using service centers.

Scenario

Your organization decides to engage temporary third-party auditors to complete audits of your
tenant. Because the auditors are temporary engagements, you don’t want to onboard them through
the typical staffing process. You only want to provide the auditors with temporary read-only access
to reports for auditing. You can create a service center for the auditors to provide them with the
right permissions quickly.

Prerequisites

Security: These domains in the System functional area:

Manage: Service Center
Set Up: Service Center

Steps

1. Create a service center to group together all third-party auditors.
a. Access the Create Service Center task.
b. Enter Third-Party Auditors in the Name field.
c. Click OK.
2. Add each third-party auditor as a representative to the service center.
a. Access the Create Service Center Representative task.
b. Select Third-Party Auditors from the Service Center prompt.
c. Enter James in the First Name field.
d. Enter Morgan in the Last Name field.
e. Click OK.
3. Create a Workday account for each auditor so they can sign in to your Workday tenant.


a. From the related actions menu of the representative, select Security Profile > Create
Workday Account.
b. Enter James.Morgan in the User Name field.
c. Enter a password for the new representative.
d. Clear the Require New Password at Next Sign In check box.
e. Click Submit.
4. Associate the representative with the System Auditor user-based security group. Workday
associates the delivered security group with all the necessary items for auditing.
a. Access the View Security Group report.
b. Select System Auditor from the Security Group prompt.
c. Click OK.
d. From the related actions menu of the System Auditor security group, select
User-Based Security Group > Assign Users.
e. Specify James Morgan in the System Users field.
f. Click OK.
5. Activate pending security policy changes.
a. Access the Activate Pending Security Policy Changes task.
b. Enter Enabling third-party auditors to access tasks and reports for auditing in Workday
in the Comment field.
c. Click OK.
d. Select the Confirm check box.
e. Click OK.

Result

Workday associates the domain that secures the items for auditing with the System Auditor
security group. You can grant access to the items by assigning representatives to the security
group.

Related Information

Tasks
Steps: Set Up Service Centers
Examples
Example: Create a Service Center Security Group for Benefits Support

1.6 | Constrained Proxy


1.6.1 | Steps: Set Up Constrained Proxy Access

Context

Workday enables you to configure constrained proxy access so that users can delegate tasks and
reports to other users in any Workday environment. This eliminates the need to share passwords,
enables you to audit user actions, and helps you comply with security best practices.

Steps

1. Set Up the My Proxy Worklet.
2. Set Up the Security Policy for the Proxy Approval Process.
3. Set Up the Proxy Approval Process.
4. Create Proxy Access Restriction Sets.
5. (Optional) Set up instructional text on the Constrained User Proxy business process.
See Configure Step Help.

Result

Users can request proxy access on behalf of a worker using the Request Proxy Access task.
Workday notifies the worker so the worker can approve or deny the request.

Users with proxy access can:

Start proxy sessions using the Start User Proxy task.


Stop proxy sessions using the Stop User Proxy task.

During proxy sessions, Workday displays On Behalf of and the name of the user on whose behalf a
proxy user acts.

Example

As chief financial officer (CFO), Teresa wants to include important financial metrics in an upcoming
presentation. Teresa delegates certain reports to Olivia, an executive assistant, so Olivia can export
the financial metrics for the presentation. Teresa enables Olivia to access only the relevant reports
that she needs in order to export the financial metrics.

Related Information

Concepts
Concept: Constrained Proxy
Reference
2021R1 What's New Post: Constrained Proxy
Examples
Example: Set Up Constrained Proxy Access

1.6.2 | Set Up the My Proxy Worklet

Prerequisites

Security: Set Up: Tenant Setup - Worklets domain in the System functional area.

Context

You can configure the My Proxy Dashboard worklet to display on the Home page for any Workday
user. The worklet enables users to access their delegated tasks and reports quickly, making it
easier for them to:

Manage their proxy policies.
Request proxy access on behalf of other users.
Start and stop proxy sessions.

You can also access tasks and reports for configuring constrained proxy.

Steps

1. Access the Maintain Dashboards report.
2. Edit the Home dashboard.
3. Add a row for the worklet.
4. Select My Proxy Dashboard from the Worklet prompt.
5. Select security groups from the Required for Groups prompt if Workday doesn’t autofill
them.
Workday recommends that you select the Constrained User Proxy security group.
6. Select the Required? check box to display the worklet on the Home page.

Related Information

Concepts
Concept: Constrained Proxy

1.6.3 | Set Up the Security Policy for the Proxy Approval Process

Prerequisites

Set up the My Proxy Dashboard worklet.
Security: Security Configuration domain in the System functional area.

Context

You can configure the Constrained User Proxy business process to route proxy requests for
approval. This business process enables you to specify who can:

Approve or deny proxy access requests.
Request proxy access.
View notifications about policy changes.

Only security groups based on employee or contingent workers can approve proxy requests.
Workday delivers these worker-based security groups:

All Employees
All Contingent Workers

Note: The first time you configure the Constrained User Proxy business process security policy, you
can’t add the All Employees and All Contingent Workers security groups to the Who Can Start the
Business Process section. Complete the initial business process security policy setup, and then
edit the policy again to select the All Employees and All Contingent Workers security groups.

Security groups not based on employee or contingent workers can't approve proxy requests.
Examples of ineligible Workday-delivered security groups include:

All Pre-Contingent Workers
All Pre-Employees
All Service Center Representatives

Steps

1. Access the My Proxy Dashboard worklet.
2. Select the Edit Business Process Security Policy task.
3. Select Constrained User Proxy from the Business Process Type prompt.

4. From the Security Group prompt in the Who Can Start the Business Process section, do 1 of
these procedures:
Select a security group other than All Employees or All Contingent Workers and click
OK to complete the task. Access the Edit Business Process Security Policy task
again to select the All Employees and All Contingent Workers security groups.
Select Create and create a security group based on workers. Only employees or
contingent workers can start the business process to approve proxy requests.
5. In the Who Can Do Actions on Entire Business Process section, add these security groups
to the View action:
Initiator
Employee As Self
Contingent Worker
Members of the security groups can access the View Event button on proxy access
notifications and view their archived approvals.
6. In the Who Can Do Actions on Entire Business Process section, add these security groups
to the Approve and Deny actions:
Employee As Self
Contingent Worker As Self
Employees and contingent workers can approve or deny requests to access items on their
behalf when you add the security groups.
7. Activate Pending Security Policy Changes.

Next Steps

Set up the proxy approval process.

1.6.4 | Set Up the Proxy Approval Process

Prerequisites

Set up the My Proxy Dashboard worklet.
Set up the security policy for the proxy approval process.
Security: These domains in the System functional area:
Business Process Administration
Manage: Business Process Definitions

Context

You can configure the Constrained User Proxy business process so users must approve requests to
access securable items on their behalf. You only need to configure the proxy approval process
once.

Steps

1. Access the My Proxy Dashboard worklet.
2. Select the Create Business Process Definition (Default Definition) task.
3. Select Constrained User Proxy from the Business Process Type prompt.
4. Add an Approval step to the business process definition:

Option      Description
Order       Enter the letter b.
Type        Select Approval.
Group       Select Employee As Self and Contingent Worker As Self.
Due Date    (Optional) Specify by when users must approve a request.

Result

Employees and contingent workers can request proxy access using the Request Proxy Access task.
The Constrained User Proxy business process initiates when employees and contingent workers
complete the task.

Next Steps

Create proxy access restriction sets.

1.6.5 | Create Proxy Access Restriction Sets

Prerequisites

Set up the My Proxy Dashboard worklet.
Security: Security Configuration domain in the System functional area.

Context

Restriction sets are custom collections of tasks and reports. Users can request access to
restriction sets so they can access tasks and reports on behalf of other users. Once users request
access to restriction sets, you can't delete the restriction sets.

Steps

1. Access the My Proxy Dashboard worklet.
2. Select the Maintain Proxy Access Restriction Sets task.
3. Select tasks and reports to add to a restriction set from the Secured Item prompt. When
Workday displays more than 1 securable item with the same name, you can refer to the:
Type of the securable item in parentheses.
Path to access the securable item in brackets.
You can’t add integrations and web services to restriction sets.
If you add a composite report to a restriction set, you must also add its subreports.
Workday displays a warning when you select a self-service securable item.

1.6.6 | Concept: Constrained Proxy

You can configure constrained proxy access so Workday users can delegate tasks and reports to
other users in any Workday environment. Constrained proxy access exclusively enables proxy users
to:

Access only specified securable items for a specified duration.
Perform delegated tasks on behalf of other users.
Request access to items. You don't need to define rules for who can start proxy sessions.

Constrained proxy access also enables you to configure proxy access for any Workday
environment.

Delegation
Constrained proxy and delegation enable users to share responsibility for secured items without
permanently reassigning the items. The types of items you can delegate differ between constrained
proxy and delegation. With:

Constrained proxy, you can share responsibility for tasks and reports.
Delegation, you can share responsibility for initiating tasks and Inbox items associated with
1 or more business processes.

Excluded Functionality
Proxy users can’t:

Access business processes or business process attachments during proxy sessions.
Access items from prompts secured to reports that aren’t in approved restriction sets.
Download custom reports by printing the reports during proxy sessions.
Start proxy sessions or perform actions as a delegate once they're in a constrained proxy
session.
Start proxy sessions using Workday on Android, iPad, or iPhone.

Workday doesn’t support business process delegation for the Constrained User Proxy business
process.

Auditing Proxy Access
You can run the:

All Constrained User Proxy Requests report (secured to the Security Configuration domain)
to view all approved constrained proxy requests for any user. The report is available from the
My Proxy Dashboard worklet.
View User Activity report to view the actions users perform in proxy sessions.

Users can run the Manage My Constrained Proxy report from the My Proxy Dashboard to:

View and revoke access by others to items on their behalf.
View the items that users can access on behalf of others.

You can configure the Revoke Constrained Proxy Policies service on a Termination business process
definition to revoke proxy access for a terminated worker automatically.

Workday prevents a proxy user from performing actions in a proxy session when the user that
they’re acting on behalf of revokes their proxy access.
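
One way to reconcile the two audit reports described above, as an added example that is not Workday code: it checks each recorded proxy action against the approved requests (restriction set, approved duration, revocation). The field names, the revoked_at value, the user sam, and all sample rows are constructed assumptions, not a Workday export format.

```python
from datetime import datetime

ts = datetime.fromisoformat
REPORT = "Budget vs. Actual by Revenue Category"

# Constructed sample data. Field names and the revoked_at value are
# assumptions; map them to the columns of your own report exports.
POLICIES = [  # approved requests (All Constrained User Proxy Requests)
    {"proxy": "olivia", "on_behalf_of": "teresa", "items": {REPORT},
     "start": "2021-12-01T00:00", "end": "2021-12-08T00:00",
     "revoked_at": "2021-12-05T12:00"},
]
ACTIVITY = [  # (time, proxy, on_behalf_of, item) from View User Activity
    ("2021-12-02T09:00", "olivia", "teresa", REPORT),
    ("2021-12-03T10:00", "olivia", "teresa", "Some Other Report"),
    ("2021-12-06T08:00", "olivia", "teresa", REPORT),
    ("2021-12-09T08:00", "olivia", "teresa", REPORT),
    ("2021-12-02T11:00", "sam", "teresa", REPORT),
]

def gap(policy, when, item):
    """Return None if the policy covers the action, else the reason it does not."""
    if item not in policy["items"]:
        return "item not in restriction set"
    if not ts(policy["start"]) <= when < ts(policy["end"]):
        return "outside approved window"
    revoked = policy.get("revoked_at")
    if revoked and when >= ts(revoked):
        return "after revocation"
    return None

def audit(policies, activity):
    """List (time, reason) for every proxy action that no approved policy covers."""
    findings = []
    for time, proxy, owner, item in activity:
        gaps = [gap(p, ts(time), item) for p in policies
                if (p["proxy"], p["on_behalf_of"]) == (proxy, owner)]
        if not gaps:
            findings.append((time, "no approved policy for this pair"))
        elif all(gaps):  # every candidate policy fails to cover the action
            findings.append((time, "; ".join(sorted(set(gaps)))))
    return findings

if __name__ == "__main__":
    for time, reason in audit(POLICIES, ACTIVITY):
        print(time, reason)
```

An empty result means every recorded proxy action falls inside an approved, unrevoked policy; any finding is a row to investigate against the original request.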

Updating Proxy Access Restriction Sets

Proxy users don’t need to restart proxy sessions when you make changes to restriction sets.

Proxy users and the users they're acting on behalf of receive a notification when someone modifies
a restriction set that's in use.

Migrating Proxy Access Restriction Sets
Implementers can use Workday-delivered web services to migrate restriction sets.

Related Information

Tasks
Steps: Set Up Constrained Proxy Access
Reference
Setup Considerations: Delegation

1.6.7 | Example: Set Up Constrained Proxy Access

This example illustrates how to enable users to delegate securable items to other users by
providing them with constrained proxy access.

Scenario

The chief financial officer (CFO) of your organization wants to review organization performance
against budget in each revenue category. The CFO decides to delegate the relevant report to an
assistant for 1 week so the assistant can generate the results. After that time, the CFO wants
Workday to remove their access to the item.

Prerequisites

Security: These domains in the System functional area:

Business Process Administration
Manage: Business Process Definitions
Security Configuration

Steps

1. Configure the My Proxy Dashboard worklet to display on the Home page.
a. Access the Maintain Dashboards report.
b. Edit the Home dashboard.
c. Add a row for the worklet.
d. Select My Proxy Dashboard from the Worklet prompt.
e. Select Constrained Proxy Users from the Required for Groups prompt.
f. Select the Required? check box to display the worklet on the Home page in proxy
sessions.
g. Click OK.
2. Create a restriction set.
a. Select the My Proxy Dashboard worklet on the Home page.
b. Access the Maintain Proxy Access Restriction Sets task.
c. Enter Report for Budget and Actual by Revenue Category in the Name field.
d. Enter Generate results for organization performance compared to budget in each
revenue category in the Description field.
e. Select the Budget vs. Actual by Revenue Category report from the Securable Item
prompt.
f. Click OK.
3. Specify who can approve or deny proxy access requests.
a. Select the My Proxy Dashboard worklet on the Home page.
b. Access the Edit Business Process Security Policy task.
c. Select Constrained User Proxy from the Business Process Type prompt.
d. Click OK.
e. Select Initiator, Employee As Self, and Contingent Worker As Self for the View All
action in the Who Can Do Actions on Entire Business Process section.
f. Select Employee As Self and Contingent Worker As Self for the Approve and Deny
actions in the Who Can Do Actions on Entire Business Process section.
g. Click OK.
4. Activate your security policy changes.
a. Access the Activate Pending Security Policy Changes task.
b. Enter Enabling users to request proxy access, approve or deny proxy access requests,
and view notifications about policy changes in the Comment field.
c. Click OK.
d. Select the Confirm check box.
e. Click OK.
5. Configure the Constrained User Proxy business process to route to users for their approval.
a. Select the My Proxy Dashboard worklet on the Home page.
b. Access the Create Business Process Definition (Default Definition) task.
c. Select Constrained User Proxy from the Business Process Type prompt.
d. Click OK.
e. Add an Approval step to the business process definition.
f. Enter the letter b in the Order field.
g. Select Approval in the Type field.
h. Select Employee As Self and Contingent Worker As Self in the Group field.
i. Click OK.
6. Configure the Termination business process to revoke proxy policies from terminated
workers.
a. From the related actions menu of the Termination business process definition, select
Business Process > Edit Definition.
b. Click OK.
c. Add a Service step to the business process definition.
d. Enter the letters bb in the Order field.
e. Select Service in the Type field.
f. Select Revoke Constrained Proxy Policies from the Specify prompt.
g. Click OK.

Next Steps

The assistant can request proxy access using the Request Proxy Access task and select the:

CFO as the user to act on behalf of.
Report for Budget and Actual by Revenue Category restriction set.
End of their access as a week from the current date.

When the assistant completes the task, Workday notifies the CFO to approve or deny the request. If
the CFO approves the request, the assistant can access the Budget vs. Actual by Revenue Category
report using the Start User Proxy task on the My Proxy Dashboard worklet.

Related Information

Tasks
Steps: Set Up Constrained Proxy Access
