Key Idea
Workday Student security is designed to provide people with an appropriate level of access to information and tasks inside the system based on their university roles and responsibilities.
Security overview
Security in Workday Student provides people appropriate access to academic and student-related information and tasks based on their university roles and responsibilities.
Within Workday Student, security drives:
- What you can see in Workday (data, reports)
- What you can do in Workday (creating or editing data; performing tasks, including those within a business process like reviews or approvals)
- What training and support materials you may need
When securing data in Workday Student, WashU’s goal is to provide faculty and staff with the flexibility to support as many students as possible, while acknowledging that student information is only to be seen and modified by people who are authorized to do so.
In our current state, there are challenges supporting students who study across schools or are in 3-2 programs because data visibility may be limited by the way SIS is organized: by “prime division.” In Workday Student, security will be configured to better support students with multiple programs of study (majors, minors, etc.) in different schools.
Role-based security
Workday Student security is primarily role-based, which means security is associated with a specific position, or job, in Workday HCM (human resources) rather than an individual.
This means that when someone changes positions (jobs) at WashU, their security also changes to reflect their new roles and responsibilities; additionally, the person hired into someone’s previous position will automatically receive the security associated with that position. This role-based security setup minimizes the risk of permissions incorrectly following someone when they move into a new position and provides greater efficiency in managing security.
It’s important to note that someone’s position, as tracked in Workday HCM, is separate from their title. So, two individuals with the same title won’t necessarily have the same security. For example, two “department administrators” may have very different positions with different roles and responsibilities. One may have duties related to course management while the other is focused on financials. That means their security assignments would also differ.
Layered security (multiple roles)
People and positions can be assigned a combination of security roles to achieve the desired level of access and permissions in Workday Student; this is called layered security.
A faculty member who is both an instructor and advisor, for example, would have one set of security permissions related to the students in their courses and another set of security permissions related to their advisees. As an instructor, they may be able to view basic information about the students in their courses and perform tasks like viewing rosters. As an advisor, they would be able to view their advisees’ academic records and create notes. [As of Spring 2023, instructor and advisor security permissions are still under development.]
If someone has multiple role assignments, the role with the broader level of access supersedes the role with narrower access. For example, someone may have view-only access to all student records but higher access to edit student records for one academic unit.
Constrained & unconstrained security
In Workday Student, security can be set up so someone can only view information or perform tasks within their assigned academic unit (school, department) or for all academic units.
Constrained security refers to security that limits a role’s permissions to the academic unit (AU) where it is assigned. For example, a course section management role assigned to the Chemistry AU would be limited to creating and maintaining course sections offered by Chemistry.
Additionally, any security tied to a specific academic unit also grants equal permission to any subordinate academic units, following the concept of inheritance. For example, someone with security to create course sections at the Arts & Sciences AU could also do so for any of its subordinate AUs, like Chemistry, History, Music, etc.
Unconstrained security grants permission to the relevant data and actions for any academic unit, regardless of where it’s assigned. For example, an unconstrained role assigned to someone in the Chemistry AU may enable them to view the records of all students, not just the students in Chemistry.
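The layered, constrained and unconstrained rules described above can be checked against a small model. This is an added example, not Workday configuration or WashU's own code: it treats layered roles as the union of their permissions, and the role names, permission labels and the "School B" academic unit are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed hierarchy: child AU -> parent AU. Arts & Sciences and its
# subordinates come from the page; "School B" is a made-up second school.
PARENT = {
    "Chemistry": "Arts & Sciences",
    "History": "Arts & Sciences",
    "Music": "Arts & Sciences",
    "Arts & Sciences": None,
    "School B": None,
}

@dataclass(frozen=True)
class RoleAssignment:
    role: str                 # hypothetical role name
    permissions: frozenset    # hypothetical permission labels
    assigned_au: str
    constrained: bool = True

def is_within(target_au, assigned_au):
    """True if target_au is assigned_au or one of its subordinate AUs."""
    seen = set()
    au = target_au
    while au is not None and au not in seen:
        if au == assigned_au:
            return True
        seen.add(au)
        au = PARENT.get(au)
    return False

def effective_permissions(assignments, target_au):
    """Union of permissions from every assignment that reaches target_au."""
    if target_au not in PARENT:
        return frozenset()    # unknown AU: deny by default
    granted = set()
    for a in assignments:
        if not a.constrained or is_within(target_au, a.assigned_au):
            granted |= a.permissions
    return frozenset(granted)

# Constructed layered assignment: view-only everywhere, edit in one AU.
LAYERED = [
    RoleAssignment("record_viewer", frozenset({"view_record"}), "Chemistry", constrained=False),
    RoleAssignment("record_editor", frozenset({"edit_record"}), "Chemistry"),
]
# Constructed constrained role assigned at a parent AU.
SECTIONS = [RoleAssignment("section_manager", frozenset({"create_section"}), "Arts & Sciences")]
```

Running an access review this way makes the reach of an unconstrained role, or of a role assigned high in the AU hierarchy, visible before it is granted.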
Business process security
The actions someone has permission to perform in Workday Student may be part of a business process. In Workday, a business process, or “BP,” is an automated workflow that can route tasks to specific people based on the security roles assigned to that person in their position.
Depending on someone’s security, they may be able to kick off a process, like creating a new course section. Or they may be able to complete steps within a process, like reviewing or approving a student’s leave of absence request.