As your business grows and evolves, your security needs do too. With so many Workday security group types, choosing the right one can be daunting, especially in a tenant that has been live for some time. To help you make these difficult decisions, our Workday security experts have prepared an overview of some frequently used security group types and key considerations you can take into account to guide your choice.

# 1 | User-based security

User-based security is one of Workday’s most common and most easily maintained security group types. 

How it works:

  • Individual workers are assigned directly to a security group and are given all domain and business process permissions associated with that group on an unconstrained basis. 
  • They will be able to view those items for every worker and every organization in the tenant without restriction.  
  • Security group assignments are not inherited by position, so when a user is terminated, their access to the group is terminated with no automatic replacement.  

Questions to ask:

  • Should these users be able to see the secured data for all workers in the tenant, including high-level executives and their peers?  
  • If a worker in this group is terminated, what is the procedure for evaluating if other workers should receive this access in their absence? 

 

# 2 | Role-based security

Role-based security, another frequently used security group type, assigns role-based access to associated domains and business process policies. Because roles are assigned by position, role-based assignments are transferred between users whenever a new user takes over a position. 

Types of access:

  • With constrained access, the role assigned to the user provides them with access to the associated data only as it pertains to workers who are members of the organization to which they are assigned. This configuration is useful if you intend to limit the workers for whom a specific user can view specific data; for instance, if an HR Partner should be able to view feedback for members of other departments but not their own peers. 
  • With unconstrained access, workers can access data for all workers in the tenant.  
  • Frequently, constrained and unconstrained role access are used in conjunction, with a single role assigned to both a constrained and an unconstrained security group. Typically, the constrained group provides more in-depth access to information, whereas the unconstrained counterpart provides access to more generalized information, giving the user enough information to view and perform cross-organizational transactions, such as a worker transfer.

Questions to ask:

  • Should access be restricted based on organization membership? Which organization type should be used to define access (supervisory org, location, etc.)?  
  • Is there a use case to create custom organizations to maintain proper access rights? 
  • Should the role assignees be able to view data just for the members of organizations where they are assigned directly, or for members of subordinate organizations as well? 
  • How will we maintain role assignments when a position is vacant, especially for single-assignment roles such as a manager?  
  • If we are creating a constrained role-based group, is there a need for an unconstrained counterpart to provide access to any organization-wide information? 

 

# 3 | Aggregation security

Aggregation security combines the membership of two or more security groups to create another broader group.

Use case:

  • Combines complementary role-based groups from different organization types; for instance, Workday’s HR Partner group is an aggregation group that typically combines HR Partner (Local) with HR Partner (Supervisory).  
  • This setup allows for more granular security access for sub-groups while still maintaining a common level of access in the larger aggregation.  

Questions to ask:

  • Do the groups overlap enough to justify aggregation?
  • Are the two groups considered for the aggregation different enough to warrant maintaining a multi-tiered access structure rather than simply combining them? 
  • What will be your process for maintaining access for aggregate or individual groups?

 

# 4 | Intersection security

Intersection security offers two types of criteria to designate membership: inclusion and exclusion.

Inclusion:

  • Like a Venn diagram, membership in the intersection group will only apply to workers who are members of both groups specified in the inclusion criteria.  
  • When constrained security groups are assigned in the inclusion criteria, members will only have access to information for workers for whom they have constrained access rights from both component groups.  
  • For example, providing a user with access to data only for workers in a certain department and location. Intersection security can combine roles from each of those organization types to define that access. 

Exclusion:

  • Typically used in conjunction with inclusion criteria to exclude certain members of the included population. 
  • For example, you may need to create a more specific "Employee as Self" group, such as an "Employee as Self" group only for workers in the US. To achieve this goal, you could specify "Employee as Self" in the inclusion criteria and create a location membership security group to use in the exclusion criteria, taking advantage of the additional level of customizability offered by this functionality.

Questions to ask:

  • If using two or more groups in the inclusion criteria, does the overlap in assignments provide adequate access?  
  • Are there any gaps in which some workers may end up with nobody assigned to the security group to support them? 
  • What other security group types might we need to create to define the intersection? For instance, do we need to define membership using a specific location, job profile or organization? 
  • What access are we assigning to the intersection that should not be accessible to the component groups themselves? 
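
The aggregation and intersection rules described above can be checked with a small set-based model before any configuration is changed. This is an added example, not Workday code or its API: the worker, organization and assignee names are constructed, and treating aggregation as a union of each member's visible workers is a simplifying assumption.

```python
# Toy model of the group semantics described above; not Workday code or its API.
# All worker, organization and assignee names are constructed sample data.

WORKERS = {  # worker -> (department, location)
    "ana": ("Finance", "Austin"),
    "ben": ("Finance", "Berlin"),
    "cy": ("Sales", "Austin"),
    "dee": ("Sales", "Berlin"),
}

def constrained(assignments, axis):
    """Constrained role-based group: assignee -> workers they can see.
    assignments maps assignee -> orgs; axis 0 = department, 1 = location."""
    return {who: {w for w, orgs in WORKERS.items() if orgs[axis] in assigned}
            for who, assigned in assignments.items()}

def aggregate(*groups):
    """Aggregation: union of membership (assumption: targets are unioned too)."""
    out = {}
    for group in groups:
        for who, targets in group.items():
            out.setdefault(who, set()).update(targets)
    return out

def intersect(include, exclude_members=frozenset()):
    """Intersection: members of every included group, minus excluded members;
    each member sees only workers visible through every included group."""
    members = set.intersection(*(set(g) for g in include)) - set(exclude_members)
    return {who: set.intersection(*(g[who] for g in include)) for who in members}

def coverage_gaps(group):
    """Workers that no member of the group can support."""
    return set(WORKERS) - set().union(*group.values())

hr_by_dept = constrained({"pat": {"Finance"}, "quinn": {"Sales"}}, axis=0)
hr_by_loc = constrained(
    {"pat": {"Austin"}, "quinn": {"Austin"}, "rae": {"Berlin"}}, axis=1)

hr_partner = aggregate(hr_by_dept, hr_by_loc)      # broad, combined group
dept_and_loc = intersect([hr_by_dept, hr_by_loc])  # narrow, both roles required

if __name__ == "__main__":
    print("aggregation gaps: ", sorted(coverage_gaps(hr_partner)))
    print("intersection gaps:", sorted(coverage_gaps(dept_and_loc)))
```

In this sample the Berlin workers have no supporter in the intersection group, because the only Berlin assignee holds no department role; that is the kind of gap the questions above are meant to surface.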

Workday security setup can be intimidating, but by asking the right questions, you can begin to identify your organization's needs and discern which security group types may be best for your growing business.

This guide covers the most frequently used group types, but Workday offers additional options. You can get started evaluating your organization's access needs and then choose the group type(s) that best fit. And if you find yourself looking for a little more hands-on support, contact our Workday experts.
