kog-service-partner-150

Demystifying Document Segmented Security

Blog
Demystifying Document Segmented Security

Implementing Document Security Segments in Workday

Managing document security in Workday might seem daunting, but with a clear plan, you can ensure the right people have access to the right information—without the headaches. This guide walks you through a simple, organized approach to configuring document access using Functional Groups and Workday domains. Following these steps will help you maintain control, avoid accidental over-sharing, and keep your tenant tidy.

Filling Out the Document Access Worksheet

First things first—start by completing this worksheet to map Document Categories to Functional Groups. Think of this worksheet as your master plan for who should see what.

How to Structure the Worksheet:

  • Document Categories go down the left side (rows).
  • Functional Groups go across the top (columns).
  • Mark an “X” wherever a Functional Group should have access to a Document Category.

Why This Step Matters:

This worksheet is your foundation. It gives you a clear picture of which groups need access to which documents. Plus, once you’ve set this up, adding new documents later is a breeze—just update the worksheet and adjust access as needed.

👉 Pro Tip: Treat this worksheet as a living document. Anytime a new document type is added, update the worksheet to reflect which Functional Groups need access.

Creating Security Segments

With your worksheet ready, it’s time to translate those Functional Groups into Workday Security Segments. These segments act as the “buckets” that hold permissions for document access.

Naming Security Segments:

Use the names from your worksheet to keep things clear and consistent. For example:

  • Document Segment HR View
  • Document Segment HR Add
  • Document Segment HR Edit/Delete
  • Document Segment Payroll View
  • Document Segment Payroll Add
  • Document Segment Payroll Edit/Delete

Why Consistency Matters:

When your Security Segment names match your Functional Groups, it’s easier to track who has access. This also makes future updates and audits a lot simpler.

And here’s the bonus: by setting access at the function level, you don’t need to create a new segment for every single document category. You can manage access in bulk, which saves time and keeps your Workday tenant clean.

Understanding Access Levels

It’s important to understand the distinction between the three primary access levels in Workday:

  • View Access: Allows users to see documents without making changes. This can be granted on either the Add or Edit/Delete domains.
  • Add Access: Allows users to upload new documents.
  • Edit/Delete Access: Allows users to modify or remove existing documents.

By maintaining these clear access levels, you prevent confusion and ensure users only have the permissions they need.

Creating Security Groups

Now that you’ve set up your Security Segments, it’s time to create the corresponding Security Groups in Workday. Think of Security Groups as the actual gates that control who can see and modify documents.

Bridging the Gap: Functional Groups to Security Groups

Security Groups act as the practical application of your Functional Groups and Security Segments. Each Security Group represents a specific level of access, directly connecting your planning to Workday’s security framework. For example, the HR Functional Group will likely be attached to roles like HR Partner, HR Analyst, and HR Generalist. If you distinguish between HR and Benefits, the Benefits Functional Group would use the Benefits Partner role. Compensation would map to Compensation Partner, and so on. Feel free to expand and right-size for your company’s needs—after all, a methodology only works if it makes sense for your functional structure.

Setting Up Security Groups:

  1. Create a Security Group for each Functional Group from your worksheet.
  2. Name your Security Groups carefully. Make sure they match the Functional Group and the Document Segment from the previous section as closely as possible.

For example, if you have a Functional Group called “HR View,” your Security Group should be named “Document Segment HR View.”

👉 Why does this alignment matter? Keeping these names in sync ensures that the right permissions are applied and makes troubleshooting much easier.

Attaching Security Groups to Workday Domains

With your Security Groups ready, the next step is to attach them to the appropriate Workday domains. These domains define where the access rules actually apply.

Which Domains to Modify:

Attach your Security Groups to these four key domains:

  • Worker Data: Add Worker Documents
  • Worker Data: Edit and Delete Worker Documents
  • Self-Service: Add Worker Documents
  • Self-Service: Edit and Delete Worker Documents

Keeping Access in Check:

  • View Access: Link view-only Security Groups to “Add” OR “Edit/Delete” domains with view access only. It doesn’t matter which.
  • Add Access: Ensure Security Groups with upload permissions are linked to “Add” domains.
  • Edit/Delete Access: Ensure Security Groups with modification permissions are linked to “Edit and Delete” domains.

By following this mapping, you ensure that each Security Group only controls the access it’s meant to—no more, no less.

Securing Attachments in Business Processes

When it comes to Business Processes (BPs) like hiring, there’s an extra step to ensure documents are correctly secured.

Why Business Process Security Matters:

In Workday, the Attachment Settings section at the bottom of a Business Process Security Policy governs document visibility. If no specific security is applied here, Workday defaults to using the View permissions from the BP Security Policy itself.

This can lead to unintended document access, so here’s how to avoid it.

How to Secure BP Attachments:

  1. For each Business Process, create View, Add, and Edit/Delete Security Segments.
  2. Assign these new segments to the corresponding Business Process Attachment Settings.

This ensures that documents uploaded during a Business Process (like a hire event) are protected by your Security Segments, not the broader BP Security Policy.

👉 Pro Tip: Always double-check attachment settings when updating Business Processes to prevent unintended document exposure.

Cleaning Up and Removing Unintended Access

Here’s a crucial step that often gets overlooked: Remove any other Security Groups from these domains to prevent accidental access.

Why This Step Is Essential:

If unrelated groups are still attached to these domains, documents could become visible to people who shouldn’t see them. For example, if the “HR Partner” group has modify access and shouldn’t see payroll documents, you need to remove it and let your new “Document Segment Payroll” groups handle the permissions.

👉 Bottom line: Remove anything that doesn’t belong to your new, function-specific Security Groups.

Applying This Approach Beyond Worker Documents

Good news—this method isn’t just for worker documents. You can apply the same principles to other Workday objects like questionnaires, surveys, or any other sensitive information.

Why This Works Across the Board:

By sticking to this worksheet-driven, function-first approach, you’ll:

  • Keep your tenant clean and organized.
  • Avoid duplicating work when adding new document categories.
  • Make audits and future updates quick and painless.

Wrapping Up

By following these steps, you’ll build a Workday document security structure that’s both secure and manageable. The key is to stay consistent—align your Security Segments with your Functional Groups, map them to the right domains, and regularly update your worksheet as your organization grows.

And the best part? This method avoids the need to create Security Segments and Groups for each document category. Once your document visibility is tied to a function, adding new documents is as easy as updating your worksheet and adjusting the relevant segments.

Contact us today to get support in setting up your Worker Documents Framework!

Author

  • A man with short brown hair wearing a plaid shirt, smiling outdoors with a tree in the background.

    Nate Borsella has been with the Workday Ecosystem since 2015 as a day-to-day Manager and HRIS Analyst for everything from a university to a global corporation. Nate has successfully stabilized several implementations, servicing most functional areas in Workday. This includes recruiting, benefits, talent and performance, configurable security, advanced compensation, and his personal favorite, reporting. Nate currently works as a consultant from his home office in rural Idaho.

    View all posts
Tags:
, ,
Share:

Interested in a specific Workday® topic?

We’re always looking for new ideas to help our readers optimize their Workday®. 
Learn More
Click here to share your suggestions.

Talk to a Workday® expert to learn more

Contact Us

Follow Us

Search

Tags

2025R2 Absence Adaptive Planning Advisory Banking Benefits Budgets Capital Projects Clone and Purge Compensation Compliance Customer Experience Data Conversion Documents Feature Release Filament Financial Accounting HCM Implementation Integrations Mergers/ Acquisitions/ Divestitures Payments Payroll performance Press Test Tag 1 Press Test Tag 2 Prism Analytics project management recruiting Release Management Reporting Security Staff Augmentation Student Suppliers talent Talent Optimization Technology Time Tracking Workday Adaptive Planning Workday HCM Workday Learning Workday Recruiting Workday Release Workforce Planning
service-partner-workdayxkog
soc-2 (2)
gdpr-compliant

Workday is a registered trademark of Workday, Inc. Kognitiv is not affiliated with Workday, Inc., nor does Workday, Inc. sponsor or endorse Kognitiv, its products, or its website.

©Copyright 2026 Kognitiv. All Rights Reserved.