Managing document security in Workday might seem daunting, but with a clear plan, you can ensure the right people have access to the right information—without the headaches. This guide walks you through a simple, organized approach to configuring document access using Functional Groups and Workday domains. Following these steps will help you maintain control, avoid accidental over-sharing, and keep your tenant tidy.
First things first—start by completing this worksheet to map Document Categories to Functional Groups. Think of this worksheet as your master plan for who should see what.
This worksheet is your foundation. It gives you a clear picture of which groups need access to which documents. Plus, once you've set this up, adding new documents later is a breeze—just update the worksheet and adjust access as needed.
Pro Tip: Treat this worksheet as a living document. Anytime a new document type is added, update the worksheet to reflect which Functional Groups need access.
With your worksheet ready, it’s time to translate those Functional Groups into Workday Security Segments. These segments act as the "buckets" that hold permissions for document access.
Use the names from your worksheet to keep things clear and consistent. For example:
When your Security Segment names match your Functional Groups, it’s easier to track who has access. This also makes future updates and audits a lot simpler.
And here’s the bonus: by setting access at the function level, you don’t need to create a new segment for every single document category. You can manage access in bulk, which saves time and keeps your Workday tenant clean.
It’s important to understand the distinction between the three primary access levels in Workday:
By maintaining these clear access levels, you prevent confusion and ensure users only have the permissions they need.
Now that you've set up your Security Segments, it's time to create the corresponding Security Groups in Workday. Think of Security Groups as the actual gates that control who can see and modify documents.
Security Groups act as the practical application of your Functional Groups and Security Segments. Each Security Group represents a specific level of access, directly connecting your planning to Workday’s security framework. For example, the HR Functional Group will likely be attached to roles like HR Partner, HR Analyst, and HR Generalist. If you distinguish between HR and Benefits, the Benefits Functional Group would use the Benefits Partner role. Compensation would map to Compensation Partner, and so on. Feel free to expand and right-size for your company’s needs—after all, a methodology only works if it makes sense for your functional structure.
For example, if you have a Functional Group called "HR View," your Security Group should be named "Document Segment HR View."
Why does this alignment matter? Keeping these names in sync ensures that the right permissions are applied and makes troubleshooting much easier.
With your Security Groups ready, the next step is to attach them to the appropriate Workday domains. These domains define where the access rules actually apply.
Attach your Security Groups to these four key domains:
By following this mapping, you ensure that each Security Group only controls the access it’s meant to—no more, no less.
When it comes to Business Processes (BPs) like hiring, there’s an extra step to ensure documents are correctly secured.
In Workday, the Attachment Settings section at the bottom of a Business Process Security Policy governs document visibility. If no specific security is applied here, Workday defaults to using the View permissions from the BP Security Policy itself.
This can lead to unintended document access, so here’s how to avoid it.
This ensures that documents uploaded during a Business Process (like a hire event) are protected by your Security Segments, not the broader BP Security Policy.
Pro Tip: Always double-check attachment settings when updating Business Processes to prevent unintended document exposure.
Here’s a crucial step that often gets overlooked: Remove any other Security Groups from these domains to prevent accidental access.
If unrelated groups are still attached to these domains, documents could become visible to people who shouldn’t see them. For example, if the "HR Partner" group has modify access and shouldn’t see payroll documents, you need to remove it and let your new "Document Segment Payroll" groups handle the permissions.
Bottom line: Remove anything that doesn’t belong to your new, function-specific Security Groups.
Good news—this method isn’t just for worker documents. You can apply the same principles to other Workday objects like questionnaires, surveys, or any other sensitive information.
By sticking to this worksheet-driven, function-first approach, you’ll:
By following these steps, you’ll build a Workday document security structure that’s both secure and manageable. The key is to stay consistent—align your Security Segments with your Functional Groups, map them to the right domains, and regularly update your worksheet as your organization grows.
And the best part? This method avoids the need to create Security Segments and Groups for each document category. Once your document visibility is tied to a function, adding new documents is as easy as updating your worksheet and adjusting the relevant segments.
Contact us today to get support in setting up your Worker Documents Framework!