Segregation of Duties and Workday
Updated: Aug 31, 2022
Segregation by itself has a somewhat negative connotation. But Segregation of Duties is enforcing reasonable restrictions on security assignments to mitigate risk. It is vitally important to have a Segregation of Duties policy and to be able to audit the daily changes in Workday that may violate that policy.
What does Segregation of Duties mean? It means that one worker should not have so many security roles and assignments that they can, for instance, enter time, approve time, and process payroll! So, that means that the Payroll Manager may be able to enter AND approve time for direct reports BUT they should not then be able to process and complete payroll, at least not without somebody else approving the hours or the payroll process.
Segregation of Duties might mean that your Benefits Partner cannot also be a Benefits Administrator. So, while the Benefits Partner can add or remove workers from plans, they cannot create new plans and add workers or remove workers from plans AND delete those plans.
If you want to assign security so that Segregation of Duties is enforced, you may also need to look at your proxy access policy. If a worker can proxy in as another worker who, for instance, can add security groups, then they could proxy in and add additional security to themselves, which might violate your Segregation of Duties policy. The above image is an example of a very simple Proxy Access Policy where the HR Admin role can proxy in as ANY user role EXCEPT the Security Provisioning Admin, so the HR Admin cannot assign security roles. This 'carve out' helps enforce your Segregation of Duties policy.
In Workday, for a complete Segregation of Duties policy, you will also need to look at Maintain Assignable Roles and ensure that security assignments are restricted. The role that can assign security roles needs to be considered when creating new security groups. If someone can assign themselves security that would conceivably violate your Segregation of Duties policy, then you will need to correct that. Who can assign security and who can proxy in as whom are two important considerations in your Segregation of Duties policy. You also need to be able to constantly audit security changes that are made daily in Workday.
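To make the two checks above concrete, here is an added example (not Workday or Genie code) that audits a constructed set of role assignments for conflicting role combinations and for workers who can reach a security-assigning role through proxy access. The worker names, the "Payroll Processor" role, and the one-hop proxy model are assumptions made for illustration.

```python
# Constructed sample data: role names follow the article; "Payroll Processor"
# and the worker names are hypothetical. This is not a Workday export or API.
ASSIGNMENTS = {
    "bo": {"Benefits Partner"},
    "hana": {"HR Admin"},
    "pat": {"Payroll Manager", "Payroll Processor"},
    "sam": {"Security Provisioning Admin"},
}
# Role combinations one worker must not hold together.
CONFLICTS = [
    {"Payroll Manager", "Payroll Processor"},
    {"Benefits Partner", "Benefits Administrator"},
]
# Roles allowed to assign security roles (cf. Maintain Assignable Roles).
ASSIGNER_ROLES = {"Security Provisioning Admin"}
# Proxy policy: role -> roles whose holders it may NOT proxy in as.
NO_CARVE_OUT = {"HR Admin": set()}
CARVE_OUT = {"HR Admin": {"Security Provisioning Admin"}}


def proxy_targets(worker, assignments, proxy_policy):
    """Workers that `worker` may proxy in as (one hop, an assumption)."""
    targets = set()
    for role in assignments[worker] & set(proxy_policy):
        excluded = proxy_policy[role]
        targets |= {w for w, roles in assignments.items()
                    if w != worker and not roles & excluded}
    return targets


def audit(assignments, proxy_policy, conflicts=CONFLICTS, assigners=ASSIGNER_ROLES):
    """Return sorted (worker, kind, roles) findings."""
    findings = []
    for worker, roles in assignments.items():
        for rule in conflicts:
            if rule <= roles:  # worker holds every role in a forbidden combination
                findings.append((worker, "direct-conflict", tuple(sorted(rule))))
        if roles & assigners:
            continue  # already an assigner; proxy adds no new assignment power
        reachable = set()
        for target in proxy_targets(worker, assignments, proxy_policy):
            reachable |= assignments[target] & assigners
        if reachable:  # could proxy in and assign security to themselves
            findings.append((worker, "proxy-to-assigner", tuple(sorted(reachable))))
    return sorted(findings)


if __name__ == "__main__":
    for name, policy in [("no carve-out", NO_CARVE_OUT), ("carve-out", CARVE_OUT)]:
        print(name, audit(ASSIGNMENTS, policy))
```

Running the same audit under both proxy policies shows the effect of the carve-out: the HR Admin finding disappears while the directly assigned payroll conflict remains.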
An automated audit tool such as Genie can help you maintain and validate your Segregation of Duties policy. You can run scheduled daily audits that immediately call your attention to any combination of security groups that runs afoul of your organization's Segregation of Duties policy. Genie will provide a template of industry-standard Segregation of Duties policy which you can tailor to meet your organization's specific needs. You may decide to use a combination of the supplied policy and your own configured modifications.
Let us show you how Genie can resolve your Segregation of Duties issues before they become real issues. If your organization is regularly audited by third parties, they will appreciate the rigor and the archived results of the audits run with Genie. Contact us at email@example.com to arrange a Genie demo!