Role-Based Security Role Assignments

Policy Number: WD-200
Effective Date: 7/14/2020
Last Reviewed: 6/24/2020

Role-based security assignments are those that are assigned to positions in Workday. These roles are not attached to users, but to the positions they are hired into within Workday. Role-based assignments are constrained, and limit access based on the organization(s) assigned. These assignments are primarily assigned based on Supervisory Organization but may also be assigned based on other organization types, such as Pay Group or Academic Unit.

Approval and Assignment of Role-Based Roles

  • Role-based security assignments are requested using the “Security Request” process within Workday.
  • All requests for role-based assignments must be approved in Workday by the Security Partner.
  • Role-based security for employees of third-party service providers must be approved by the owner of the vendor relationship, and those employees or the vendor must agree to our confidentiality, privacy, and security terms.
  • Requests for role-based security that is constrained to an organization type other than Supervisory Organization or Academic Unit shall require the approval of the Vice President for Human Resources, the Vice President for Finance and Treasurer, Vice President of Information Systems and Computing and Chief Information Officer, and the Director of Workday Operations.
  • Requests for role-based security that is constrained to Supervisory Organizations above the School/Center level (President, EVP, Provost) shall require the approval of the Vice President for Human Resources, the Vice President for Finance and Treasurer, Vice President of Information Systems and Computing and Chief Information Officer, and the Director of Workday  Operations.
  • Requests will be reviewed processed in Workday by the Workday Security Administrator(s).

Position Management

  • Once a role-based assignment is assigned to a position, it will remain with that position until removed. Individuals hired into that position in the future will automatically receive the security.
  • Assignments can be removed from positions upon request from the School/Center’s HR Partner(s) and/or Security Administrator.

Separation of Duties

  • Individuals may not hold combinations of roles that circumvent business process transaction approvals by allowing one person to initiate and approve the entire transaction.
  • This includes but may not be limited to:
    • The roles of HR Partner and Budget Partner may not be held by the same person in the same Supervisory Organization.

Monitoring of User-Based Role Assignments

  • The Workday Security Administrator and Director of Workday Operations will be responsible for working with School/Center HR Partners and Security Administrators to review and audit security role assignments on a regular basis.  This review will ensure that the list of users on each group are appropriate and expected.
  • This review of role-based assignments shall be done no less frequently than annually and may be done manually using Workday reporting, or in an automated manner using testing/auditing tools.
  • Role-based assignments of employees of third-party service providers will be verified with the owner of the vendor relationship.

Removal of User-Based Role Assignments

The Workday Security Administrator or Director of Workday Operations may remove security role assignments at any time without warning if any malicious activity or a violation of University policy is detected or suspected.  Security may be removed upon request from appropriate offices, including but not limited to: ISC Security, the Office of Audit, Compliance, and Privacy, Division of Human Resources, Office of General Counsel, and the Division of Finance.

Provision for System/Module Implementation

There may be certain times when it may be necessary to assign role-based security to a larger than normal number of users. This may occur at system implementation, during the implementation of new functionality or modules, or as a result of a Workday release. In these cases, a list of users being assigned to each security role can be provided to the approvers listed above for bulk approval, by School/Center. In this case, the list of users and the approval shall be maintained in the same manner as the request forms.

Contact Us

Penn Employee Solution Center
solutioncenter@upenn.edu or (215) 898-7372