Separation of Duties: Roles and Security in Workday Financials
As a Workday user, you interact with the system to complete tasks like placing requisition orders, submitting time off requests, or managing approvals.
Behind the scenes, Workday controls who can do what through a combination of roles and security, a design that supports the principle of Separation of Duties (SoD).
What Is Separation of Duties (SoD)?
Separation of Duties (SoD) is a fundamental internal control used by organizations to reduce the risk of errors, fraud, or misuse of resources.
The goal is to divide critical tasks so that no single person has full control of a given business process from start to finish.
Common Examples of SoD
Roles That Should Be Separated
One person creates a purchase order, another approves it
HR sets up pay; Finance runs the payroll and reviews results
One person creates the journal entry; another person approves it
One person purchases the asset; another tracks or disposes of it
How Security Works in Workday
In Workday, your role defines your general responsibilities (e.g., Manager, Reviewer, Initiator), while your security group determines the specific tasks, actions, and data you can access, including:
What fields and data you can view
What actions you are allowed to take (edit, submit, approve, etc.)
What tasks appear in your inbox or dashboard
For example, you might be able to submit a requisition but not approve it. This is intentional—not a system error—and reflects appropriate access controls in support of SoD.
How Workday Enforces SoD
Workday automates Separation of Duties through several built-in mechanisms:
Restricted Role Combinations: Workday can prevent users from holding conflicting roles—such as being both the initiator and approver for the same process.
Automated Approval Routing: Tasks like expense reports or purchase orders are routed based on defined business process rules, ensuring the correct individuals review and approve them.
Audit Trails: All actions in Workday are logged, providing transparency and accountability for compliance and audits.
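The sketch below is an added example, not Workday code or configuration. It shows how a reviewer could check for the conflicts described above in two ways: users who hold both duties of a conflicting pair, and logged transactions where the same person both initiated and approved. The duty names, user names, transaction IDs, and record layout are hypothetical and the sample data is constructed.

```python
from collections import defaultdict

# Conflicting duty pairs, taken from the separation examples on this page.
# Duty names are hypothetical labels, not Workday identifiers.
CONFLICTS = [
    ("create_purchase_order", "approve_purchase_order"),
    ("set_up_pay", "run_payroll"),
    ("create_journal_entry", "approve_journal_entry"),
    ("purchase_asset", "track_or_dispose_asset"),
]

def role_conflicts(assignments):
    """Return {user: [pairs]} for users who hold both duties of a conflicting pair."""
    found = {}
    for user, duties in assignments.items():
        held = [pair for pair in CONFLICTS if set(pair) <= set(duties)]
        if held:
            found[user] = held
    return found

def self_approvals(audit_log):
    """Return transaction ids where one user performed both sides of a pair."""
    actors = defaultdict(lambda: defaultdict(set))  # txn -> duty -> users
    for event in audit_log:
        actors[event["txn"]][event["duty"]].add(event["user"])
    flagged = []
    for txn, by_duty in actors.items():
        for first, second in CONFLICTS:
            if by_duty[first] & by_duty[second]:
                flagged.append(txn)
                break
    return sorted(flagged)

# Constructed sample data (assumed layout, for illustration only).
ASSIGNMENTS = {
    "avery": ["create_purchase_order"],
    "blake": ["create_journal_entry", "approve_journal_entry"],
    "casey": ["approve_purchase_order", "purchase_asset"],
}
AUDIT_LOG = [
    {"txn": "PO-1001", "duty": "create_purchase_order", "user": "avery"},
    {"txn": "PO-1001", "duty": "approve_purchase_order", "user": "casey"},
    {"txn": "JE-2001", "duty": "create_journal_entry", "user": "blake"},
    {"txn": "JE-2001", "duty": "approve_journal_entry", "user": "blake"},
]

if __name__ == "__main__":
    print(role_conflicts(ASSIGNMENTS))
    print(self_approvals(AUDIT_LOG))
```

The first check is preventive (it finds risky access before it is used); the second is detective (it finds cases in the audit trail where the separation was not observed in practice).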
Security Groups: Role-Based vs. User-Based
Workday manages access by grouping users into security groups, each of which carries a set of permissions. There are two primary types:
Role-Based Security Groups
Assigned based on job function or organizational role (e.g., "Cost Center Manager," as seen below)

User-Based Security Groups
Assigned directly to individuals for special access needs outside of standard roles.

Why This Matters for You
As a standard user, you are not expected to manage roles or configure security settings. However, understanding how access is structured can help clarify why:
Certain options or tasks may not be visible or available to you
Specific steps in a process must be completed or approved by someone else
Access may vary between individuals, even within the same department
If you encounter a situation where you are unable to perform an expected action or access particular information, it is likely related to your assigned role or security group. In such cases, your manager can assist with reviewing your access and reaching out to the proper contacts within Stevens if role and security updates are needed.
Experiencing an issue or need additional support? Contact our OneIT Team by
If you need assistance with Workday Financials-specific issues, contact Finance Support.