Policy Number: WD-200
Effective Date: 10/10/2025
Last Reviewed: 9/17/2025
Role-based security assignments are those assigned to positions in Workday. These roles are attached not to users but to the positions they are hired into within Workday. Role-based assignments are constrained and limit access based on the organization(s) assigned. They are made primarily on the basis of Supervisory Organization but may also be based on other organization types, such as Pay Group or Academic Unit.
Approval and Assignment of Role-Based Roles
- Role-based security assignments are requested using the “Security Request” process within Workday.
- All requests for role-based assignments must be approved in Workday by the Security Partner.
- Role-based security for employees of third-party service providers must be approved by the owner of the vendor relationship, and those employees or the vendor must agree to our confidentiality, privacy, and security terms.
- Requests for role-based security that is constrained to an organization type other than Supervisory Organization or Academic Unit shall require the approval of the security executives.
- Requests for role-based security that is constrained to Supervisory Organizations above the School/Center level (President, EVP, Provost) shall require the approval of the senior executives.
- Requests will be reviewed and processed in Workday by the Workday Security Administrator(s).
Position Management
- Once a role-based assignment is assigned to a position, it will remain with that position until removed. Future hires for that position will receive the security automatically.
- Assignments can be removed from positions upon request from the School/Center’s HR Partner(s) and/or Security Administrator.
Separation of Duties
- Individuals may not hold combinations of roles that circumvent business process transaction approvals by allowing one person to initiate and approve the entire transaction.
- This includes but may not be limited to:
  - The roles of HR Partner and Budget Partner may not be held by the same person in the same Supervisory Organization.
Monitoring of Role-Based Role Assignments
- Workday Operations will be responsible for working with School/Center security partners to review and audit security role assignments on a regular basis. This review will ensure that the list of users in each group is appropriate and expected.
- This review of role-based assignments shall be done no less frequently than annually and may be done manually using Workday reporting, or in an automated manner using testing/auditing tools.
- Role-based assignments of employees of third-party service providers will be verified with the owner of the vendor relationship.
Deactivation of Role-Based Role Assignments
- Workday Operations will deactivate the security roles of individuals in positions who have used their assigned Workday security roles to initiate/review/approve 10 or fewer Workday transactions in the past six months, or who have not logged into Workday in the past six months. The deactivation process begins in 2026.
- Workday Operations may remove security role assignments at any time without warning if any malicious activity or a violation of University policy is detected or suspected. Security may be removed upon request from appropriate offices, including but not limited to: ISC Security, the Office of Audit, Compliance, and Privacy, Division of Human Resources, Office of General Counsel, and the Division of Finance.
Provision for System/Module Implementation
At certain times it may be necessary to assign role-based security to a larger-than-normal number of users. This may occur at system implementation, during the implementation of new functionality or modules, or because of a Workday release. In these cases, a list of the users being assigned to each security role can be provided to the security executives for bulk approval, by School/Center. The list of users and the approval shall then be maintained in the same manner as the request forms.