Workday Security Group Misconfigurations: The Complete Audit Guide
Workday security group misconfigurations are among the most common SOX audit findings in enterprise HR environments. They almost always trace back to one of three patterns: an Integration System User (ISU) that kept its go-live over-access, user-based group sprawl, or unconstrained groups on payroll and compensation domains. This guide covers all three, with the Workday navigation paths to find and fix each one.
1. The three security group types and how each one fails
Workday has more security group types than this, but three of them account for nearly every audit finding, and each fails in a different way.
Role-Based Security Groups are dynamic: membership is derived from organization role assignments (HR Partner, Payroll Partner, Benefits Partner) and updates automatically when a worker's role assignment changes. Used in their constrained form, so that a member only sees workers in the organizations the role is assigned on, they are the lowest-risk type.
User-Based Security Groups are static and admin-managed: every member is an explicitly named user, and nothing removes a member automatically. This is where 'the Sarah problem' lives: a worker moves into a new role, the admin adds her to the new group but forgets to remove her from the old one; repeat that 200 times over three years, and nobody knows who has access to what.
Integration System Security Groups (ISSGs) are the groups for the robot accounts. Each Integration System User (ISU) is a member of an ISSG, and it is the ISSG, not the ISU, that is granted domain-level permissions for the data the integration reads or writes. ISSGs exist in constrained and unconstrained forms as well.
2. The ISU misconfiguration pattern
During go-live, the integration consultant grants the payroll ISU access to the 'Workday Account' domain, the 'All HCM Data' report group, and 'Worker Data: All Positions', because that was faster than scoping minimal permissions under deadline pressure. Five years later, the integration only needs to read basic worker demographics for a headcount report, but the ISU still has access to every compensation record, every bank detail, and every disciplinary action in the tenant. This is a SOX §404 finding whenever an auditor samples it: each domain granted to the ISSG has to be justified against what the integration actually calls, and nobody can justify bank details for a headcount report.
3. The 'Do Not Allow UI Sessions' flag
ISUs should interact with Workday through web service calls only, never the UI. ISUs authenticate with a Workday password rather than through the tenant's SSO, so if 'Do Not Allow UI Sessions' is not checked on the ISU account, anyone holding the ISU credentials can sign into the Workday UI directly: no MFA, no SSO, and full access to everything the ISU's ISSG permits.
Navigation: ISU account → Edit Workday Account → check 'Do Not Allow UI Sessions' → Save. This is an account setting and takes effect on save; 'Activate Pending Security Policy Changes' is only needed after you edit the domain security policies granted to the ISSG itself.
4. What auditors actually look for
- 'Compare Security Permissions of Two Security Groups' — finds overlapping groups granting unintended cumulative access.
- 'View Security Groups' filtered to User-Based — identifies every static group that requires manual membership management.
- Unconstrained groups: a security group with no organization constraint on a compensation or payroll domain returns data for every worker in the tenant, not just the workers in the member's own organizations. That is a SOX finding and a GDPR Art. 5(1)(c) data minimisation finding at the same time.
5. The PwC data point
PwC's 2025 Workday security analysis found that companies can reduce Workday security administration cost by 25% with a simplified security model. Security group proliferation — the practice of creating a new group with minor tweaks for a small population rather than reusing existing groups — is the primary driver of audit fee inflation in Workday environments.
6. Remediation steps with exact Workday navigation
- Step 1 — 'View All Security Groups' → filter Type = User-Based → export.
- Step 2 — For each group, 'View Members of Security Group' → identify anyone whose current role no longer justifies membership.
- Step 3 — 'Compare Security Permissions of Two Security Groups' → find overlapping groups and consolidate.
- Step 4 — For ISUs, 'View Integration System User' → confirm 'Do Not Allow UI Sessions' is checked → review the ISSG's domain list against what the integration actually reads/writes and remove everything else; the domain security policy edits only take effect after 'Activate Pending Security Policy Changes'.
- Step 5 — Document the before/after in the Risk Control Matrix for SOX evidence.
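The checks in Steps 1 to 4 can be run offline against exported report data. The Python script below is an added example, not Workday tooling and not part of this guide's original material: it loads constructed CSV text standing in for exports of the reports named above (the column names, domain names, group names, the 'required domains' per integration and the roles that justify each group's membership are all assumptions you would replace with your tenant's real export and integration documentation) and produces the stale-member, unconstrained-group, ISU and overlap findings that feed the Risk Control Matrix in Step 5.

```python
"""Offline audit of Workday security-group exports.

Added example, not Workday code or the guide author's tooling. It runs over
constructed CSV text that mimics exports of 'View Security Groups',
'View Members of Security Group' and 'View Integration System User'; the
column and domain names are assumptions and must be mapped to a real tenant.
"""
from __future__ import annotations

import csv
import io
from itertools import combinations

# --- Constructed sample exports (not real tenant data) -------------------
GROUPS_CSV = """\
group,type,constrained,domains
HR Partner,Role-Based,yes,Worker Data: Public Worker Reports;Worker Data: Compensation
Comp Admin Legacy,User-Based,no,Worker Data: Compensation;Payroll Input
Payroll Partner,Role-Based,yes,Payroll Input;Worker Data: Payroll
INT_Headcount_ISSG,Integration System,no,Worker Data: Public Worker Reports;Worker Data: Compensation;Worker Data: Payment Elections
"""
MEMBERS_CSV = """\
group,user,current_role
Comp Admin Legacy,sarah.k,Benefits Partner
Comp Admin Legacy,dave.m,Compensation Partner
"""
ISU_CSV = """\
user,group,ui_sessions_allowed
ISU_HEADCOUNT,INT_Headcount_ISSG,yes
"""

# Domains treated as SOX/GDPR scope for this audit (hypothetical names).
SENSITIVE_DOMAINS = {
    "Worker Data: Compensation", "Worker Data: Payroll",
    "Worker Data: Payment Elections", "Payroll Input",
}
# What each integration is documented to read or write (assumption).
ISU_REQUIRED = {"ISU_HEADCOUNT": {"Worker Data: Public Worker Reports"}}
# Roles that still justify membership in each user-based group (assumption).
JUSTIFYING_ROLES = {"Comp Admin Legacy": {"Compensation Partner"}}


def load(csv_text: str) -> list[dict[str, str]]:
    """Parse one exported report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def domains_by_group(groups: list[dict[str, str]]) -> dict[str, set[str]]:
    """Map group name -> set of domains granted to it."""
    return {g["group"]: set(g["domains"].split(";")) for g in groups}


def stale_members(members, justifying) -> list[tuple[str, str, str]]:
    """Step 2: user-based members whose current role no longer fits the group."""
    return [(m["group"], m["user"], m["current_role"]) for m in members
            if m["current_role"] not in justifying.get(m["group"], set())]


def unconstrained_sensitive(groups) -> list[str]:
    """Auditor check: groups with no org constraint that touch comp/payroll domains."""
    return [g["group"] for g in groups
            if g["constrained"].lower() == "no"
            and set(g["domains"].split(";")) & SENSITIVE_DOMAINS]


def isu_findings(isus, domains, required) -> dict[str, dict]:
    """Step 4: UI sessions still allowed, and ISSG domains beyond what the integration needs."""
    out: dict[str, dict] = {}
    for isu in isus:
        excess = domains[isu["group"]] - required.get(isu["user"], set())
        ui = isu["ui_sessions_allowed"].lower() == "yes"
        if ui or excess:
            out[isu["user"]] = {"ui_sessions_allowed": ui, "excess_domains": excess}
    return out


def overlapping_groups(domains) -> list[tuple[str, str, set[str]]]:
    """Step 3: pairs of groups whose sensitive-domain grants overlap (consolidation candidates)."""
    return [(a, b, shared) for a, b in combinations(sorted(domains), 2)
            if (shared := domains[a] & domains[b] & SENSITIVE_DOMAINS)]


def run_audit() -> dict:
    """Run every check over the sample exports and return the findings by section."""
    groups, members, isus = load(GROUPS_CSV), load(MEMBERS_CSV), load(ISU_CSV)
    domains = domains_by_group(groups)
    return {
        "stale_members": stale_members(members, JUSTIFYING_ROLES),
        "unconstrained_sensitive": unconstrained_sensitive(groups),
        "isu": isu_findings(isus, domains, ISU_REQUIRED),
        "overlaps": overlapping_groups(domains),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section, findings)
```

Run it directly to print each finding set. The `JUSTIFYING_ROLES` and `ISU_REQUIRED` maps are the control evidence an auditor will ask for (why does this group exist, what does this integration actually call), so keep them versioned next to the script output rather than reconstructing them at audit time.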