User-Based Security Role Assignments

Policy Number: WD-201
Effective Date: 7/1/2019
Last Reviewed: 6/21/2019

User-Based roles are those roles that are assigned to specific users in Workday. These roles are not attached to positions and must be assigned to the individual occupying the position. User-based roles are unconstrained and do not limit access to any particular subset of workers in Workday.  User-based roles include (but are not be limited to) auditor-type roles that provide access to subsets of Workday data and system administration roles.

Approval and Assignment of User-Based Roles

  • User-based roles are requested using the “Workday@Penn Role Assignment Request Form”.
  • The request form must be signed by the individual requesting access and be accompanied by a signed Workday@Penn Confidentiality Statement.
  • All requests for User-based roles must be approved by the Vice President for Human Resources, the Vice President for Finance and Treasurer, and the Directory of Workday Operations.
  • Requests for user-based roles for users outside of the central administrative offices must also be approved by the School or Center’s HR Partner and Security Administrator.
  • User-based roles assigned to employees of third-party service providers must also be approved by the owner of the vendor relationship, and those employees or the vendor must agree to our confidentiality, privacy, and security terms.
  • Requests will be reviewed and entered into Workday by the Workday Security Administrator(s).
    The request form will be signed by the Workday Security Administrator and maintained.

Monitoring of User-Based Role Assignments

  • The Workday Security Administrator and Director of Workday Operations will be responsible for reviewing and auditing user-based role assignments on a regular basis.  This review will ensure that the list of users on each group are appropriate and expected.
  • This review of user-based roles shall be done no less frequently than quarterly and may be done manually using Workday reporting, or in an automated manner using testing/auditing tools.
  • User-based role assignments of employees of third-party service providers will be verified with owner of the vendor relationship.

Removal of User-Based Role Assignments

  • Users that have user-based role assigned will be monitored for changes to their position in Workday on a weekly basis. 
  • The Workday Security Administrator will remove user-based role assignments from any user that has moved positions and is no longer in the position that would have warranted the role.  The approvers of the original request will be consulted as necessary.
  • The Workday Security Administrator or Director of Workday Operations may remove user based role assignments at any time without warning if any malicious activity or University policy violation is detected or suspected.  User based role assignment may be removed upon request from appropriate offices, including but not limited to: ISC Security, the Office of Audit, Compliance, and Privacy, Division of Human Resources, Office of General Counsel, and the Division of Finance.  
  • Terminated workers will automatically have their user-based role assignments removed during the termination business process in Workday.
  • User-based role assignments for employees of third-party service providers will be removed upon request from the owner of the vendor relationship.  It is the responsibility of the owner to inform the Workday Security Administrator of any changes.

Provision for System/Module Implementation

  • There may be certain times when it may be necessary to assign user-based security to a larger than normal number of users.  This may occur at system implementation, during the implementation of new functionality or modules, or as a result of a Workday release.
  • In these cases, a list of users being assigned to each security role can be provided to the approvers listed above for bulk approval.  In this case, the list of users and the approval shall be maintained in the same manner as the request forms.

Contact Us

Penn Employee Solution Center
solutioncenter@upenn.edu or (215) 898-7372