Workday Security Group Best Practices: 15 Misconfigurations We See Every Time
The 15 most common Workday security group misconfigurations we find in nearly every tenant we scan — ranked by frequency and risk, with the exact remediation steps for each.
Why security groups are the #1 audit finding
Workday's security model is uniquely powerful — and uniquely easy to misconfigure. After scanning hundreds of tenants, the same 15 issues appear in nearly every one. Here's the list, ranked by how often we see them. For full automated coverage see our security group audit.
1. Unconstrained Integration System Users (ISUs)
The single most common finding. Integration accounts that can read or modify the entire tenant. Almost always created during initial implementation and never tightened. Constrain to the minimum supervisory org and domain scope each integration actually needs.
2. Terminated workers with active group membership
Stale members in security groups months after their leave date. Implement an automated termination workflow that removes group membership the day of separation.
3. Privilege creep through internal moves
Long-tenured employees accumulating groups across role changes without revocation. Implement a quarterly privilege review for anyone in privileged groups.
4. Segregation of duties violations
The same user is able to both initiate and approve sensitive transactions such as a pay change or a supervisory organization change. SOX auditors find these immediately.
5. Shadow admins via inherited group membership
Users with effective administrator rights through inherited memberships, who don't appear in any explicit "admin group" list.
6. Orphaned group definitions
Groups with zero members. Often re-used months later and accidentally re-populated with the wrong members.
7. Conflicting domain security policies
Multiple policies granting overlapping access through different group paths. Effective permission is rarely what the security team intended.
8. Long-lived service account credentials
ISUs with passwords or tokens that haven't rotated in years.
9. Test groups in production
A "TEMP_TEST_GROUP_DELETE_ME" group that never got deleted, assigned to two users, and now grants production access.
10. Over-broad role-based security groups
Roles assigned at organization level when functional area would suffice. Audit role assignment scope quarterly.
11. Missing group documentation
Groups with no documented owner or business purpose. When the original creator leaves, no one knows whether the group should be removed or kept.
12. Inactive ISU service accounts still enabled
Old integrations decommissioned without disabling the underlying ISU.
13. Mixed user-based and role-based grants
Same domain access granted via both group types — effective permission becomes hard to reason about.
14. Self-service routing exposing data
Business process (BP) self-service steps that reveal data the user should not see for the in-flight transaction.
15. Workday admin permissions over-distributed
"Workday Admin" group with more members than the org needs. Often grew during implementation and never tightened.
The continuous discipline
Run an automated audit monthly. The 15 items above don't fix themselves. Workday administrators who automate hygiene catch them as line items in a Monday morning report rather than as production incidents at quarter-end.
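As an added example (not the page's own tool, Workday's API, or a vendor script), the checks below run findings 2, 4, 5 and 8 over a constructed membership export; the worker IDs, group names, inclusion map, SoD pairs and rotation dates are all assumptions.

```python
from datetime import date

# Constructed sample data standing in for a tenant export; not real Workday records.
WORKERS = {"W001": "Active", "W002": "Terminated", "W003": "Active", "ISU_PAYROLL": "Active"}
# Explicit security group membership, keyed by group name.
MEMBERS = {
    "Payroll Initiator": {"W001", "W002"},
    "Payroll Approver": {"W001", "W003"},
    "Security Admin": {"W003"},
    "Workday Admin": {"W001"},
}
# Group inclusion (hypothetical): members of each child group inherit the parent's access.
INCLUDES = {"Workday Admin": {"Security Admin"}}
# Initiate/approve pairs that one person must never hold together.
SOD_PAIRS = [("Payroll Initiator", "Payroll Approver")]
# Last credential rotation per ISU (constructed dates).
ISU_ROTATED = {"ISU_PAYROLL": date(2021, 3, 1)}

def effective_members(group, members=MEMBERS, includes=INCLUDES, seen=None):
    """Explicit members plus everyone inherited through nested (included) groups."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against inclusion cycles
        return set()
    seen.add(group)
    result = set(members.get(group, set()))
    for child in includes.get(group, set()):
        result |= effective_members(child, members, includes, seen)
    return result

def terminated_members(workers=WORKERS, members=MEMBERS):
    """Finding 2: terminated workers still holding membership -> [(group, worker)]."""
    return sorted((g, w) for g, ms in members.items() for w in ms if workers.get(w) == "Terminated")

def sod_violations(members=MEMBERS, includes=INCLUDES, pairs=SOD_PAIRS):
    """Finding 4: a worker effectively in both halves of an initiate/approve pair."""
    return sorted((w, a, b) for a, b in pairs
                  for w in effective_members(a, members, includes) & effective_members(b, members, includes))

def shadow_admins(admin_group="Workday Admin", members=MEMBERS, includes=INCLUDES):
    """Finding 5: effective admins missing from the admin group's explicit member list."""
    return sorted(effective_members(admin_group, members, includes) - members.get(admin_group, set()))

def stale_isu_credentials(as_of, rotated=ISU_ROTATED, max_age_days=365):
    """Finding 8: ISUs whose credential is older than the rotation window on the given ISO date."""
    today = date.fromisoformat(as_of)
    return sorted(isu for isu, last in rotated.items() if (today - last).days > max_age_days)
```

Each function returns a sorted list so the output diffs cleanly from one monthly run to the next.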