Separation of Duties: Roles and Security in Workday Financials
Modified on: Wed, May 21 2025 4:08 PMAs a Workday user, you interact with the system to complete tasks like placing requisition orders, submitting time off requests, or managing approvals.
Behind the scenes, Workday controls who can do what through a combination of roles and security, a design that supports the principle of Separation of Duties (SoD).
What Is Separation of Duties (SoD)?
Separation of Duties (SoD) is a fundamental internal control used by organizations to reduce the risk of errors, fraud, or misuse of resources.
The fundamental goal is that critical tasks are divided so no single person has full control from start to finish on a given business process.
Common Examples of SoD
|
Process Area |
Roles That Should Be Separated |
|
Procurement |
One person creates a purchase order, another approves it |
|
Payroll |
HR sets up pay; Finance runs the payroll and reviews results |
|
Journal Entries |
One person creates the journal entry; another person approves it |
|
Asset Management |
One person purchases the asset; another tracks or disposes of it |
How Security Works in Workday
In Workday, your role defines your general responsibilities (e.g., Manager, Reviewer, Initiator), while your security group determines the specific tasks, actions, and data you can access.
Security governs:
What fields and data you can view
What actions you are allowed to take (edit, submit, approve, etc.)
What tasks appear in your inbox or dashboard
For example, you might be able to submit a requisition but not approve it. This is intentional—not a system error—and reflects appropriate access controls in support of SoD.
How Workday Enforces SoD
Workday automates Separation of Duties through several built-in mechanisms:
Restricted Role Combinations: Workday can prevent users from holding conflicting roles—such as being both the initiator and approver for the same process.
Automated Approval Routing: Tasks like expense reports or purchase orders are routed based on defined business process rules, ensuring the correct individuals review and approve them.
Audit Trails: All actions in Workday are logged, providing transparency and accountability for compliance and audits.
Security Groups: Role-Based vs. User-Based
Workday manages access by grouping users into security groups, each of which carries a set of permissions. There are two primary types:
Role-Based Security Groups
Assigned based on job function or organizational role (e.g., "Cost Center Manager," as seen below)
Automatically updated as roles change
Scalable and consistent across the organization
User-Based Security Groups
Assigned directly to individuals for special access needs outside of standard roles.
Manually assigned
Best for exceptions or unique cases
Why This Matters for You
As a standard user, you are not expected to manage roles or configure security settings. However, understanding how access is structured can help clarify why:
Certain options or tasks may not be visible or available to you
Specific steps in a process must be completed or approved by someone else
Access may vary between individuals, even within the same department
If you encounter a situation where you are unable to perform an expected action or access particular information, it is likely related to your assigned role or security group. In such cases, your manager can assist with reviewing your access and reaching out to the proper contacts within Stevens if role and security updates are needed.
Experiencing an issue or need additional support? Contact our OneIT Team by
- Opening a support ticket or
- Call us at 201-216-5500
If you need assistance with Workday Financials-specific issues, contact Finance Support.
