Security is heavily scrutinized during any Workday implementation or maintenance, but often overlooked during testing. The main reason for this is that only a handful of users are engaged in testing and they don’t have the time to perform thorough testing as different employee groups or security roles. Of course, that’s no reason to take security protocols lightly. Here are the most common dos and don’ts on Workday Security that you should follow.


  • Do take a complete inventory of all your Business Processes and review security groups that approve and review transactions.
  • Do create segregation of duties by not giving too much power to few groups.
  • Do utilize the power of Intersection and Aggregation security groups and avoid creating too many role-based security groups.
  • Do plan for “Unassigned” transactions during your design and implementation. Otherwise, post-go-live you will end up having too many unassigned tasks causing several orphaned transactions.
  • Do plan for end-to-end testing strategy to check your domain and business process security policies.


  • Don’t create too many user-based security groups as this will grant unconstrained access.
  • Don’t create too many aggregation security groups as this will cause a lot of overhead to maintain in the long run.
  • Don’t isolate testing to only few users. Include as many diverse population as possible for end-to-end testing.
  • Don’t grant too many security groups to few users as this will force you to use aggregations.
  • Don’t forget to detail your security changes in a change management tool or in comments of ‘Security Policy Changes’.

While the above is only the tip of the security iceberg, it’s a good start. The best practice is to always keep a baseline security and then track changes to the baseline. With legislations like GDPR, companies need to ensure data breach does not occur at any cost and worker data is protected from the wrong hands.

Running end-to-end regression testing on a weekly basis is a great way to be proactive than being reactive. While you could run all security testing manually, an automated tool like Genie can help with your end-to-end testing needs and audit your testing results.