Explain Workday security components?

All your Workday tenants are supported by your security groups configuration. Role-based, user-based, and standard workers are the three types of workers.

The position is given particular security permissions and is confined to a Workday Organization in role-based groups (for example, Supervisory Organization, Company, etc). Any worker allocated to that function has access to key data and can take actions against workers and objects within the Organization (for example, positions) according to the security group’s specifications.

Tenant-wide user-based security access is common, and these security groups typically encompass important tenant management functions (for example, Business Process Administrator, Security).

Configurable Security’s Components:

Groups of users who need to conduct activities or access data are referred to as security groups.

Domains are functionally comparable tasks and reports that have been defined.

Domain Security Policies:

These are the rules that determine which security groups have permission. This is to view or update data within domains.

Workday-delivered processes

These are referred to as business processes. You can’t develop new business processes, but you can customize existing ones to match your Workflow needs.

Business Process Policies:

These are the guidelines that determine which security groups are permitted. This is to participate in the business process and in what capacities.


If we’re talking about the average employee, who doesn’t have any additional HR or payroll security access, they can access books about themselves but not books about their co-workers. On the other hand, some information about other employees (such as name, job title, department, location, work phone, work email, and photo) is considered “generally available” and does not require additional security.

Let’s look at a manager now. On their direct or indirect reports, a manager could see Job and Compensation (Regions 9 and 4) information, but not Payroll Data in Region 1. Why? Because this data includes information on benefits (deductions that indicate benefit elections) as well as payroll-specific data (such as wage garnishments). It is not the manager’s responsibility to know how much employees contribute to their retirement accounts or whether they have a child-support order garnishing their earnings. A manager may have more data access than non-managerial staff, but this access is limited.


Making Workplace Security Changes

Let’s get away from the library analogy and consider the security consequences of changing data in your Workday organization. That’s when the interaction between Workday Security and Business Processes needs extra attention. Your business processes define who can initiate a transaction, see a change in-flight (before it’s fully approved and committed to the database), undo the changes, and restore values to their previous state, and do approvals, in addition to defining what happens in your Workday org (such as validation, approvals, and notifications).

Certain types of data, on the other hand, must be modified using a Task rather than a Business Process. Administrative tasks, such as introducing a new cost centre, can be performed by anyone who is a member of a security group that can conduct that operation. Consider the position of “Cost Centre Administrator.” A Cost Centre Admin is typically a Finance employee that coordinates these adjustments with the General Ledger reference tables. As a result, they should be able to safely add, amend, or deactivate a cost centre.

Task approvals and alerts are not customizable.

Remember that changing the way Workday-delivered security works in your organization is fine if A) management approves the changes and B) your audit team can track the request, management approval.

Creating Security Based on Segments

Another option to improve the security features in Workday is to build levels of protection that function together. Let’s imagine you have a Sales Ops employee that doesn’t have any direct reports, but you want him or her to be able to access compensation, including commissions, but only for salespeople.

One method to do this is to create a new custom security group, add the Sales Ops folks to it, and apply a set of security rules to that group that permits access to compensation data for employees with a compensation plan that supports commission payments. You’re not defining security by domain this way.

Assume that our hypothetical employee transitioned from Sales to Marketing. Their former Sales colleagues no longer require access to their salary data, and as soon as they leave the Sales Ops group in Workday, bam! Like our library analogy, the info is no longer available to their old peers.

Creating Role-based Security Groups:

Step 1:

To create a role, go for the Maintain Assignable Roles Task.

Step 2:

Fill in the names of the role and the security groups that administer them.

Creating Security Groups Based on Roles

Step 3:

When you’re finished, click Ok.

Step 4:

Look for the task ‘Create Security Group.’

Step 5:

Select the security group type you want to create. Enter ‘Role-Based Security Group’ in this case.

Step 6:

Give the Security Group a name. Then you can fill the name.

Step 7:

Fill in the Group Criteria with the previously defined Role.

Step 8:

Leave ‘Access Rights to Organizations’ and ‘Access Rights to Multiple Job Workers’ at their default settings.

Organizational Access Rights

Step 9:

When you’re finished, click Ok.

Creating User-based Security Groups

Step 1:

In this step create a security group.

Step 2:

Select User-based Security Group from the Type of Security Group drop-down menu.

User-based Security Groups are now available.

Step 3:

When you’re finished, click Ok.

Done by clicking Ok.

Step 4:

Look for the job titled “Assign user-based security groups for Person.” Click on Ok after entering the name of the person to whom you want to allocate the newly created User-based security group.

The person should be assigned to user-based security groups.

Step 5:

Type the name of the security group to which the user should be assigned, then click Ok and Done.

You must be a member of the Report-writer user-based security group and have access to the Custom report creation Security Domain to build a custom report. You’ll also need access to the following resources. This is for the Data source, you intend to use, create a Security Domain.

  • You’ll need to create security domains for the report fields you want to include.
  • Report Owners and users must have permission to update and delete custom reports.
  • Manage the security domain for all custom reports.

Keep These Security Best Practices in Mind During the Workday

Now that you know the basics of Workday security, here are some recommended practises. This is to remember to get the most out of it. Here is a handful of the Workday security best practices we recommend.

  • Review user-based security groups regularly to ensure that no one has access to areas they shouldn’t.
  • Keep an eye on your baseline security, and be sure to log any changes you detect regularly, given the growing importance of GDPR.


There are situations when you should test your security environment more frequently than once a month. Whenever a worker is assigned to numerous groups (and so has access to many distinct security areas) or you make changes to security groups during implementation and testing. You should always test to ensure that those changes haven’t allowed anyone incorrect security access. You can learn more about security through Workday online training.


Comments are closed