Hey, there! Mia and Ceci here.
Spooky season is upon us! 👻 So today, we're gonna take the spook out of something that gives many of us the heebie-jeebies: segmented security.
Did you just groan? 😅
We get it. Workday security is tough enough on its own. But, once you master this part of the Workday trifecta (reporting & calc fields, business processes, and security), you’ll become the WD generalist the ghouls themselves fear 😜
Let’s set the stage with a quick recap of Workday security...
Workday Security Rewind ⏪
Workday security is governed by three core considerations:
Who needs access (e.g., all employees, a specific group like HR Partner or Benefits Partner, a cherry-picked handful of users)?
What do they need access to (e.g., benefits, pay results, learning courses)?
For whom should they see that data (e.g., should the user see comp data for all employees or just a subset)?
Most days that formula works, but some days, it’s not enough! Because sometimes users only need access to… certain slices of the what. Not all documents. Not all pay results. Not all integrations.
This is where well-meaning admins become accidental chaos goblins 👹
You know the scene…

We’ve all been there—a teammate needs access just this once. The security policy is right there. You think, “What’s the harm?” and click Edit → Activate.
File that under #seemedlikeagoodideaatthetime 😬 These are the HR security horrors that can’t be unseen 😱
The good news is that Workday's security capabilities are robust! With the right segmented setup, you can lock down your data just right.
What is Segmented Security?
You don’t need garlic or holy water to keep the security scaries away—just segmented security.
Segmented security is Workday’s configuration solution to partition—or segment out—certain types of data so you can secure access to those pieces without giving away the whole castle… it’s your way around the “all or nothing” domain access dilemma.
Here’s an analogy…
Imagine a records room of locked file cabinets. Each cabinet houses a category of documents (who remembers when this was just reality? 👵🏻).
You could hand HR a master key that opens every cabinet. Or, you could hand them a key ring with keys that unlock only what they’re responsible for.
That curated key ring is your segment. And, each key on that ring represents data included in the segment. This is what segmented security allows you to achieve!
When would you use segments?
Here are just a few scenarios where you’d need a segmented security setup (and the segment type you’d configure)…
🔐 You don't want to expose all uploaded documents—only certain categories (create a Document Category Security Segment).
🔐 You don't want to open up all payroll data—only certain earnings or deductions (create a Pay Component Security Segment).
🔐 You don’t want to provide access to all integrations—only certain INT systems or EIBs (create an Integration System Security Segment).
It’s important to know, you can’t “segment” just any type of WD data. WD has predefined what kinds of data you can segment. There are a number of options…
Below, first you’ll see all the types of segments that you, as a Workday customer, can create from scratch.
And second, you’ll see the types of Workday-owned segments that come prebuilt with your tenant at go-live:

At first glance, that’s as overwhelming as trying to choose something off the Cheesecake Factory menu! 🍰

We called out the segment types where WD provides some prebuilt options AND you can also create custom ones!
As your security needs arise (e.g., “hey, only admins should see these new leave types as an option”), you can peruse Workday’s segment types to see ✨ what’s possible ✨ and what’s already built.

Monica would have loved the orderliness that segmented security can bring to a careless WD security setup 😆
Here are a few of our favorite segment types and how you can use them…

✏ Note: While all segment types use the segmented security framework, different types of segments involve their own setup requirements with varying degrees of complexity.
☑️ Pro Tip: First-time segmenter? Run the delivered View Security Groups report, and input “Segment-Based Security Group” in the Security Group Type(s) prompt.

This report can help you see and understand what kind of segmentation is already set up in your tenant…

Understanding new topics in your own real-life context? Always a hot demystification hack 🔥
The nuts and bolts of segmented security setup 🔩
Okay! So now that you get the gist, let’s talk setup. Segments alone don’t lock down anything. They have to be connected to a security group.
That’s where a segment-based security group comes in. This is the type of security group you’ll create to segment access in Workday.
Here’s the core setup…
To create your segmented security group, navigate to the task Create Security Group. Select “Segment-Based Security Group” for Type, and name your security group.

Configure your security group. A segmented security group has two required setup inputs:
The base security group(s): What security group(s) are you narrowing access for? Who should be included? Add an existing security group(s), or create one.
The security segment: How are you narrowing access? You can create a new segment from within this input. You can also create segments ad hoc using the task Create [XYZ] Security Segment, where XYZ is the type of segment (e.g., Leave Type Security Segment).


Can you guess what this security group would help achieve? 👀
Add your new segment-based security group to the appropriate domain and/or BP security policies. This is the most nuanced and context-specific setup step—it requires specific knowledge of security policies for your use case.
For example, for the Leave Type segmented security setup above, here are the specific domain and BP policies you’d add your Manager-based segmented security group to. You’d also need to remove the base Manager security group from these policies:

✏️ Note: Only the aspects of the data that need segmenting should be tied to the segmented security group! All other access can remain with the base security group.
☑️ Pro Tip: If you place the segmented security group and its base security group on the same domain or BP policy, the regular (non-segmented) version overrides the segmented setup 👎
Run the task Activate Pending Security Policy Changes (in a test tenant first, of course, but you knew that 😉), and you’re off to the races! Ensure you test, test, test to validate your setup is working as expected.
🎬 Segmented security in action…
Let's get into an example that further illustrates how this works! ⚙️
Use Case: Document Categories 🗂️
In this example, let’s say you have four document categories you need to lock down: Onboarding, I-9 Documentation, Leave of Absence, and Termination.
👉 Employees need access to two categories, with two different sets of access:
View only for Onboarding.
View and Add for I-9 Documentation.
Note…
Employees should NOT have access to Edit / Delete either document type.
Employees should NOT have access to Leave of Absence and Termination documents. HR Partners will manage these confidential documents entirely.
👉 HR Reps need access to View, Add, and Edit / Delete Onboarding and I-9 docs.
👉 HR Partners need access to View, Add, and Edit / Delete across all four document categories.
Okay! Your requirements are laid out. Time to think through the setup…
You’ll want to ask yourself, “what sets of access do I need to set up?”
Based on your requirements above, you’ve got four different sets of access to set up:
View Only access to Onboarding docs for Employees
View and Add access to I-9 docs for Employees
View, Add, and Edit / Delete access to Onboarding and I-9 docs for HR Reps
View, Add, and Edit / Delete access to all 4 doc categories for HR Partners
Here’s how these sets of access translate to the 4 segment-based security groups you’ll set up (it’s helpful to map out your requirements like this before configuring!)…

✏️ Note: WD has different domain security policies for Viewing and Adding documents VS. Editing and Deleting documents. And, there are separate Worker Data and Self-Service domains for Generated Documents as well!
Here’s what your setup looks like in Workday…

1. View Only access to Onboarding docs for Employees

2. View and Add access to I-9 docs for Employees

3. View, Add, and Edit / Delete access to Onboarding and I-9 docs for HR Reps

4. View, Add, and Edit / Delete access to all 4 doc categories for HR Partners
And you can see that the base security groups themselves are removed from the domain security policies, so they don’t override your segmented setup…



And here are the outcomes from the setup in action…
✅ Well Built employee, Shaun White, can view his worker docs only for the Onboarding and I-9 categories:

✅ He can add docs, but only for the I-9 category:

✅ HR Rep, Bob Hope, can view, add and edit / delete all Onboarding and I-9 docs:

✅ And HR Partner, Ernie Sesame, can view, add, and edit / delete all four document categories:
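To sanity-check a setup like this before you activate it, here is a small Python model of the four segment-based groups and the override Pro Tip. It's an added example, not Workday functionality or our tenant's actual configuration: the group, segment, and policy labels are constructed placeholders, and the grant list is assumed to be typed in by hand from your own policies.

```python
# Simplified model (not Workday's API): a policy grant gives a security group
# a set of actions; a segment-based group narrows its base group to a segment.
ALL = frozenset({"Onboarding", "I-9 Documentation", "Leave of Absence", "Termination"})

SEGMENTS = {  # constructed segment names -> document categories
    "Onboarding Docs": {"Onboarding"},
    "I-9 Docs": {"I-9 Documentation"},
    "Onboarding + I-9 Docs": {"Onboarding", "I-9 Documentation"},
    "All HR Docs": set(ALL),
}
SEG_GROUPS = {  # constructed segment-based group -> (base group, segment)
    "Emp - Onboarding": ("Employee", "Onboarding Docs"),
    "Emp - I-9": ("Employee", "I-9 Docs"),
    "HR Rep - Docs": ("HR Rep", "Onboarding + I-9 Docs"),
    "HR Partner - Docs": ("HR Partner", "All HR Docs"),
}
GRANTS = [  # (placeholder policy label, group on the policy, actions granted)
    ("view/add documents", "Emp - Onboarding", {"view"}),
    ("view/add documents", "Emp - I-9", {"view", "add"}),
    ("view/add documents", "HR Rep - Docs", {"view", "add"}),
    ("view/add documents", "HR Partner - Docs", {"view", "add"}),
    ("edit/delete documents", "HR Rep - Docs", {"edit/delete"}),
    ("edit/delete documents", "HR Partner - Docs", {"edit/delete"}),
]

def find_overrides(grants):
    """Return (policy, base, segmented) where both groups sit on one policy."""
    on_policy = {}
    for policy, group, _ in grants:
        on_policy.setdefault(policy, set()).add(group)
    return sorted(
        (policy, base, seg_group)
        for policy, groups in on_policy.items()
        for seg_group, (base, _) in SEG_GROUPS.items()
        if seg_group in groups and base in groups
    )

def effective_access(base_group, grants):
    """Map action -> document categories reachable by members of base_group."""
    access = {}
    for _, group, actions in grants:
        if group == base_group:  # unsegmented grant: every category is open
            cats = ALL
        elif SEG_GROUPS.get(group, (None,))[0] == base_group:
            cats = SEGMENTS[SEG_GROUPS[group][1]]
        else:
            continue
        for action in actions:
            access[action] = access.get(action, set()) | cats
    return access
```

An empty result from `find_overrides(GRANTS)` means no base group shares a policy with its segmented version; add the base Employee group back onto the view/add policy and `effective_access` shows view access widening to all four categories.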

A bonus use case: Learning 📚
Your Workday Learning module holds hundreds of courses. How do you make sure they’re administered and viewed by the right people? You guessed it 😉 Segmented security!
Here’s a peek at how we were going to use segmented security to lock down access to Well Built Library content in your tenant…

That’s a wrap (for now!)
Master segmented security to turn HR horror 💀 into HR hurray 😎🎉
As always, thank you for being a reader!
We’re celebrating you and your pursuit of a Well Built Workday 🥳
Until next time!
Mia & Ceci
Co-Founders of Well Built Solutions
