Policy Number: WD-201
Effective Date: 10/10/2025
Last Reviewed: 9/17/2025
User-based roles are those roles that are assigned to specific users in Workday. These roles are not attached to positions and must be assigned to the individual occupying the position. User-based roles are unconstrained and do not limit access to any subset of workers in Workday. User-based roles include (but are not limited to) auditor-type roles that provide access to subsets of Workday data and system administration roles.
Approval and Assignment of User-Based Roles
- User-based roles are requested using the approved Workday Security process.
- All requests for User-based roles must be approved by security executives.
- Requests for user-based roles for users outside of the central administrative offices must also be approved by the school or center security partners.
- User-based roles assigned to employees of third-party service providers must also be approved by the owner of the vendor relationship, and those employees or the vendor must agree to our confidentiality, privacy, and security terms.
- >Requests will be entered into Workday.
- The Workday Security Administrator will maintain the approval documentation in Workday.
Monitoring of User-Based Role Assignments
- Workday Operations will be responsible for reviewing and auditing user-based role assignments on a regular basis. This review will ensure that the list of users in each group is appropriate and expected.
- This review of user-based roles shall be done no less frequently than quarterly and may be done manually using Workday reporting, or in an automated manner using testing/auditing tools.
- User-based role assignments of employees of third-party service providers will be verified with the owner of the vendor relationship.
Removal of User-Based Role Assignments
- Users who have user-based role assigned will be monitored for changes to their position in Workday on a weekly basis.
- The Workday Security Administrator will remove user-based role assignments from any user who has moved positions and is no longer in the position that would have warranted the role. The approvers of the original request will be consulted as necessary.
- The Workday Security Administrator may remove user based role assignments at any time without warning if any malicious activity or University policy violation is detected or suspected. A user-based role assignment may be removed upon request from appropriate offices, including but not limited to: ISC Security, the Office of Audit, Compliance, and Privacy, Division of Human Resources, Office of General Counsel, and the Division of Finance.
- Terminated workers will automatically have their user-based role assignments removed during the termination business process in Workday.
- User-based role assignments for employees of third-party service providers will be removed upon request from the owner of the vendor relationship. It is the responsibility of the owner to inform the Workday Security Administrator of any changes.
- Workday Operations will deactivate security roles from individuals in positions who use their assigned Workday security roles to initiate /review/approve 10 or fewer Workday transactions in the past six months, or who have not logged into Workday in the past six months. The deactivation process begins in 2026.
Provision for System/Module Implementation
- There may be certain times when it may be necessary to assign user-based security to a larger-than-normal number of users. This may occur at system implementation, during the implementation of new functionality or modules, or because of a Workday release.
- In these cases, a list of users being assigned to each security role can be provided to the approvers listed above for bulk approval. In this case, the list of users and the approval shall be maintained in the same manner as the request forms.