Request A demo

Workday is a widely used cloud-based enterprise software platform designed to manage various aspects of an organization’s workforce, including HR, payroll, and finance. Given the sensitive nature of the data that is accessed and transactions that are performed within Workday, it has become the focus of security and compliance initiatives for many organizations, especially when it comes to identifying and mitigating separation of duties (SoD) risks to prevent financial fraud.

This article looks at how Pathlock’s Access Risk Analysis module helps you identify and mitigate risks in your Workday applications.

Understanding Workday Security Groups

First, let’s look at what these risks are and how they emerge. Like most ERP applications, Workday offers out-of-the-box combinations of permissions known as security groups. These include user-based, job-based, role-based, segment-based security groups, and more.

Though these security groups are meant to make provisioning easier, they could provide broad access to a range of processes and transactions. There may not be risks within each security group, but a single user may be assigned multiple security groups that have conflicting combinations of roles. Also, many of the groups and processes within Workday can be customized to suit the customer’s business needs. These customizations can also introduce new risks into the system.

A simple example would be a user who can approve vendor payments and add new vendors. It is possible that the permission to add vendors was granted due to an urgent requirement for a single instance. However, if that access was not revoked, risk has now been introduced into the system.

While this is just one example, users in a large organization regularly change roles, raise new access requests, and request exceptions, making it almost impossible to keep track of who has access to what.

Implementing Separation of Duties for Workday

One of the most important features to look for in a separation of duties for Workday solution is its ability to analyze Workday-specific role entitlements and identify where the conflicts occur. Pathlock’s Access Risk Analysis module automates SoD and sensitive access risk analysis and reporting for Workday by automatically detecting compliance-related risks.

Upon deployment, the module scans Workday’s security groups – both out-of-the-box and customized groups – and correlates them against a comprehensive library of globally recognized compliant rulesets to identify and highlight specific conflicts within and across security groups.

Pathlock also expedites SoD for Workday conflict resolution by suggesting best-fit alternative roles that will maintain a user’s necessary access without creating SoD violations. This ability to quickly resolve and mitigate risks would otherwise take weeks to identify using spreadsheets.

Usage Logs: Going Beyond Identifying Role Conflicts

It is one thing to identify current risks, but what about compliance violations that have already occurred in the past due to excessive permissions that shouldn’t have been granted? By analyzing historical usage logs, Pathlock offers Workday customers data and insights on violations that have been committed, whether intentionally or inadvertently. This information is critical to better understand risk, quantify the risk, and prioritize remediation measures.

Cross-Application Risks

Businesses today operate in a multi-application environment, and processes are distributed between two or more applications. It is common for employees to have separate identities (access credentials) in multiple applications. The entitlements they possess within an individual application could be in complete compliance. Still, conflicts can arise between roles a user possesses across multiple applications.

Pathlock provides a comprehensive library of rulesets that allows our customers to identify SoD conflicts down to the entitlements level for both users and roles, regardless of whether they span a single app or touch multiple applications. Pathlock’s Access Risk Analysis module provides a single pane of glass to monitor SoD and critical access risks across your application landscape, including risk scores and mitigation statuses.


Compliance in the current age has become a key strategic initiative for most businesses, with many regulations holding the board of directors directly liable for financial inconsistencies. Whether enforced by government regulations or driven by internal security needs, ensuring that applications, processes, and users meet compliance requirements leads to better security, less fraud, and greater accountability. Pathlock ensures quick time-to-value for Workday customers by reducing risk and costs using an automated, cross-application approach to SoD risk analysis.

Get in touch with us today for a demo.

Table of contents