Whether you’ve been using Workday for a month or a few years, there’s always a lot to learn when it comes to making the most of any kind of software. One area of Workday functionality that will require your particular attention? Security permissions.

This article will discuss the key components and capabilities of the Workday Security solution, as well as where our team of Workday consultants can come in to help.

Understanding Role-Based Security in Workday

The data in your Workday platform is doubly critical to your company—not only in terms of your business itself but also the people that keep that business running.

That’s why protecting your data and ensuring that it’s in compliance with regulations is a priority for every smart business out there. Of course, dealing with data privacy and sensitive data protection is sometimes easier said than done, especially when evolving security risks and ever-changing guidelines are taken into account.

Trying to balance the tasks of your data processor and data controller while keeping track of certain data that requires a unique encryption key can be challenging, especially while also trying to implement or integrate Workday modules into your system. Not sure how to navigate having so many aspects of data organization and security at once? That’s where you need a trusted Workday security administrator.

To better explain how security works in Workday, here’s a library analogy.

How Does Security in Workday Work?

For this example, think of employees as having a login that lets them borrow a book from any library branch in the network so long as Workday security grants the employee access to that book. The library network is set up to have different kinds of data (or “books”) in each region, as demonstrated in the map below.

US Library Network EPA gov

Here’s how some of your data may be stored and separated. (Note: This is a simplified example. Workday has hundreds of data domains.)

  • Region 1 – Payroll Data
  • Region 3 – Personal Contact Information and Demographics
  • Region 4 – Compensation
  • Region 9 – Job history records
  • Region 10 – Benefits data and history

If we’re talking about the average employee, one with no additional designated HR or payroll security access, they can access books about themselves but wouldn’t be able to “sign out a book” about a coworker. Some data on other workers in the company, on the other hand (such as name, job title, department, location, work phone, work email, and photo), are treated as “generally available” and don’t require special security. 

A Real-Life Example

Let’s consider a manager. A manager could access Job and Compensation (Regions 9 and 4) information on their direct or indirect reports, but NOT Payroll Data in Region 1. Why? Because this data includes information on benefits (the deductions, which are indicative of benefit elections) and payroll-specific information (such as wage garnishments).

It’s not the manager’s business to know how much employees are contributing to retirement or whether they have a child-support order garnishing their wages. A manager may have access to more data than non-managerial employees, but they don’t have unlimited access, especially when it comes to their employees’ most sensitive data.

Understanding Workday Security Roles

Whether you’re new to Workday or have been live for awhile now, customer data, compliance requirements, and processing activities are ever-changing, and your team needs to be able to keep up with them.

One critical piece of the puzzle for your organization is ensuring that all employees have access to the data and functionality they need to do their jobs. Not only do they need the ability to access certain data in the system, but it’s also important to make sure that data doesn’t end up in the wrong hands.

This is where a role-based security group in Workday can come into play.

What Exactly Are They?

Security roles in Workday help your organization and its administrators stay on top of the continuous monitoring of data that comes in and out of the system. They control an employee’s ability to update data, approve cross-border data transfers, initiate processing activities, and their security permissions in general.

Viewing assignable user roles in Workday

Although they are similar to your organization’s general data protection regulation processes, security roles in Workday outline the specific ability each employee has to access data, reports, and other insights and functions within your organization.

How Are They Different?

Security roles in Workday are determined and separated by an employee’s position, rather than by each person specifically. This way, if employees leave your organization or move positions, it’s a little easier for you to navigate the security challenges that come with those changes.

Let’s say, for example, your current HR Manager gets promoted to CHRO. Rather than having to go into the Workday system and update all kinds of security preferences for that one person, they will simply inherit the Workday security roles that are associated with their new position, and the new HR Manager will do the same.

Cutting out unnecessary steps required for employee changes, security updates, or data transfers and protecting your data every step of the way. That’s the goal of role-based security in Workday.

Outlining user roles to maintain security in Workday

Making Changes to Workday Security

Let’s think a little more about the security implications of when you need to change data in your Workday system. That’s when you need to pay special attention to the intersection of Workday Security and Business Processes.

In addition to defining what actually happens in your Workday organization, (such as validation, approvals, and notifications), your business processes also define who can initiate a transaction, see a change in-flight (before it’s fully approved and committed to the database), undo the changes and restore values to their previous state, and do approvals.  

However, certain kinds of data must be changed through a Task instead of a Business Process. Tasks—such as adding a new cost center—are administrative, so if someone is a member of a security group that can perform that task, the user can take that action. For example, imagine a “Cost Center Administrator.” A Cost Center Admin is usually someone in Finance who coordinates these kinds of changes with the General Ledger reference tables. As such, it’s appropriate for them to be able to securely add or edit or deactivate a cost center.

NOTE: Approvals and notifications are not configurable for tasks.

Remember that redefining how Workday-delivered security operates in your organization is fine, so long as A) Management signs off on those changes, and B) your audit team can find a trail of the request, management approval of said request, testing, approval/acceptance of testing, release to production, and verification of release to production.  

Creating Security Groups in Workday

Another way to optimize your Workday security features is to create layers of security that work in tandem with each other. For example, let’s say you have an employee working in Sales Ops who has no direct reports, but you’d like that person to be able to see compensation, including commissions, but only for salespeople.

One way to set that up would be to create a new custom security group, add the Sales Ops people to that group, and apply to that group a set of security rules that allows access to compensation data for employees who have a compensation plan assigned to them that allows payments of commissions. That way, you’re defining security not by domain or by management hierarchy, but by compensation plan assignment. Why is that useful?

Let’s pretend that our example employee moved from Sales to Marketing. Their former Sales coworkers no longer need access to their compensation information, and as soon as they leave the Sales Ops group in Workday—boom! That data is no longer accessible to their former peers, just like in our library analogy.

Workday Security Best Practices to Keep in Mind

Now that you have a better understanding of Workday security basics, here are a few best practices to keep in mind to help you use it effectively.

Below are a few of our recommended Workday security best practices:

  • Review user-based security groups on an ongoing basis to ensure folks don’t have access to sectors that they shouldn’t.
  • With the growing importance of GDPR compliance and legislation, keep an eye on your baseline security posture and make sure to routinely track any changes you notice.
  • There are more critical times to test your security environment than just your standard monthly tests. During implementation and testing, after adding new functionality, whenever a worker gets assigned to multiple groups (and thus, has access to multiple different security areas) or you make changes to security groups, you should always test to make sure those changes haven’t granted anyone inappropriate security access.

A Few Common Mistakes to Avoid

Let’s take a closer look at a few common security mistakes to avoid to save your team time (and money) in the long run…

Complicated Security Groups

The best piece of advice we can share (and share again) is to keep Workday Security simple. We’ve seen so many organizations get into the mode of making changes to fix every single issue only to realize that they’ve added so many new features that the system has more problems than when they started.

Keep your security solutions simple. When you do create privacy and security restrictions, do your best to avoid a lot of intersections in Security with too many exclusions. Especially as you try to navigate your own change management plan as your company expands and employees come and go, simplifying who has access to what is important.

Being able to manage change and troubleshoot issues with your data is a key piece in your company’s general data protection regulation plan. Data protection is at the heart of your company’s success, so, simplifying this process can help save your employees, administrators, and the whole organization time, resources, and quite a few headaches.

Improper Setup for Integrations

When it comes to integrations within your Workday system, keeping it simple is your key to success. As soon as you complicate the process with an overload of information or limited access from improper account types, you introduce a new set of problems that could be easily avoided.

Too Much Information

A common mistake we’ve seen implementers make is to throw everything short of the kitchen sink into making an integration run, as opposed to taking the time to narrow things down to only the information it needs to run.

In other words, if you’re building an integration that requires Security for the integration to run, make sure the integration only has the access it needs to run its process and nothing more. Otherwise, you’re basically throwing broken glass in the road ahead of your car and hoping you don’t run over it later.

Not only will including too much information into one step of the process confuse you later on, but it could also make your implementation or integration process in Workday run more slowly. We all know that time is money, so being able to control the timeline of your business processes and keep track of integrations on a regular basis is an important piece of your success, especially given the ever-changing data and security industry.

Issues with Personal User Accounts

Another way we’ve seen clients fumble their integrations is by allowing them to run under personal user accounts. We’ve seen situations in the past where an integration was set up to run under an individual user account. That worked…until the person left the company. As was the standard practice, the company disabled their account…which also caused the integration to fail.

Lessons like these can be time consuming and frustrating for companies to learn, so understanding the proper ways to handle your integrations early is key.

Lack of Documentation

When it comes to security, documentation is critical. Not only do you need to develop a plan on how requests will come in, what will be reviewed and prioritized, and how work will get done, but you also have to document this plan. An undocumented plan is like trying to put a jigsaw puzzle together after throwing away the box—you might have a clear picture of what you’re trying to accomplish right now, but what about a month from now? What ten months from now?

A well-documented plan will save you headaches in the future, not to mention ensure that everyone involved in the project has something they can reference as things progress. This way, each employee is held accountable for their responsibilities, and nothing slips through the cracks for someone else to have to fix later.

Forgetting a Comprehensive Testing Plan

Before you even start implementing Workday security, develop a comprehensive testing plan. Working proactively and setting up your testing plan beforehand will save you time (and maybe even some money) once you get to that point in the project. With a set testing plan, everyone involved knows 1) what to expect and 2) what is expected of them at that point in the project.

Unfortunately, setting up proper testing plans isn’t always at the top of the priority list. We’ve had clients in the past that failed to test every single change they’ve made, and somehow it’s always the ones that seem fine at the beginning that end up having an enormous impact on every other aspect of security.

A comprehensive testing regimen will help you discover issues before they end up breaking the rest of your system.

Administrator Approval for Every Security Request

Finally, it’s important for your Workday Security administrator to have the ability to push back on security requests. If someone in the company makes a security change or request, review it and challenge it, if needed. Far too often, we’ve seen admins get in the habit of automatically approving every request that comes in.

If a security request isn’t valid, necessary, and tested, it shouldn’t be approved. This helps maintain your data privacy and protect even the most sensitive data in your systems. Using stricter approval criteria for Workday data security risks an important factor in keeping your data secure and ensuring it stays in the right hands.


Properly optimizing your Workday Security configuration is critical when it comes to ensuring your data isn’t compromised or misused. And, when it comes to rule breakers, our experienced team of Workday consultants can help you avoid risk and ensure top-notch protection through security groups, domain security, and implementing business process best practices.

How Can We Help?

If you need help with security permissions, optimization, or testing, our team of Workday experts can help. And, to help you gain some insight on who you could be working with, here’s an example profile of one of our best Workday Security consultants.

Surety Senior Workday Security Consultant

  • 8+ years of overall Workday experience, all 8 years engrossed in Security as well
  • Has successfully led two Security implementations and also served other clients as the security expert giving best practices, advice, knowledge transfer, etc.
  • Has designed and implemented Security configuration for Eastern Europe and APAC regions
    Experience configuring, reconfiguring and teaching Security
  • Technical and functional oversight for global Workday HCM system, including Security, Payroll, Benefits, Expenses, HR, and Finance

Contact us today to get started.