Case Study — Identity & Access Management
RBAC Security Audit & Remediation
Comprehensive audit of role-based access controls in Workday HCM, identifying over-provisioned security groups, enforcing least-privilege principles, and redesigning the security architecture to protect sensitive employee data.
Scenario
During an enterprise-wide ERP migration from UKG Pro to Workday HCM for a consumer products company (~500 employees, US-based), the security group configuration inherited from the implementation partner granted overly broad access to sensitive data domains. As the lead analyst owning security design, I conducted a full RBAC audit, documented findings, and redesigned the security architecture to enforce least-privilege access before go-live. All data below is fictional and created for demonstration purposes only.
01 Audit Scope & Methodology
Systematic review of all Workday security groups, domain access policies, and functional role assignments to assess compliance with the principle of least privilege.
42 Security Groups Reviewed
186 Domain Access Policies
12 Functional Roles Mapped
| Audit Phase | Method | Deliverable | Status |
| --- | --- | --- | --- |
| Security Group Inventory | Export all groups, map to functional roles, identify orphan assignments | Security Group Matrix (42 groups x 12 roles) | Complete |
| Domain Access Review | Map each security group to data domains (Get/Put/View), flag excessive permissions | Domain Access Heat Map | Complete |
| Sensitive Data Classification | Classify domains by data sensitivity (Restricted, Confidential, Internal, Standard) | Data Classification Register | Complete |
| Access vs. Need Analysis | Interview business process owners, compare actual access to documented job requirements | Gap Analysis Report (per role) | Complete |
| Segregation of Duties Check | Identify conflicting permissions (e.g., approve + process payroll) | SoD Violation Report | Complete |
02 Audit Findings
Six findings identified across access control, segregation of duties, and monitoring gaps.
F-01 HRBP Over-Provisioned Comp Access (Critical)
The "HRBP" security group has Get access to the "Compensation — All" domain, which includes base salary, bonus targets, equity grants, and severance packages for every employee company-wide. HRBPs should only see compensation data for employees within their assigned business unit. Three of the five HRBPs confirmed they can view executive compensation data they do not need for their role.
F-02 Payroll SoD Violation (Critical)
The payroll specialist role holds both "Process Payroll" and "Approve Payroll Run" permissions through overlapping security group memberships. This is a segregation of duties violation — a single individual could process a fraudulent payment and approve the run without any secondary oversight.
F-03 Terminated Contractor Access (High)
One terminated contractor (end date more than 90 days prior) still has an active assignment to the "IT Admin" security group, with Get/Put access to the Worker Data domain. The deprovisioning process does not automatically revoke security group memberships on termination; it relies on a manual checklist, which in this case was never completed.
F-04 Orphaned Security Groups (Medium)
Eight security groups inherited from the implementation partner have active domain access policies but zero assigned members. They are an unnecessary attack surface — if a user were accidentally added to one, they would inherit its pre-configured permissions, including access to benefits and time tracking data.
F-05 Manager SSN Visibility (High)
The "Manager" security group includes Get access to the "Worker Personal Data" domain, which contains SSN, date of birth, and national ID. Managers have no business need for this data. This appears to be an implementation default that was never scoped down during configuration.
F-06 No Access Certification (Medium)
No formal process exists for periodic review and re-certification of security group assignments. Current assignments were configured during implementation and have never been reviewed. Without a certification cadence, privilege creep is inevitable as roles evolve.
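The audit phases above (inventory, domain review, classification, access-vs-need, SoD check) and the six findings reduce to a handful of mechanical checks that can be scripted over a tenant export instead of eyeballing a matrix. The following is an added example, not part of the case study and not Workday's own export schema: the dict layout for security groups, domains, workers and role requirements is a hypothetical stand-in, and every value in it is constructed to mirror the findings (an over-broad HRBP group, overlapping payroll memberships, a terminated worker still assigned, an orphan group, and no certification history).

```python
# Audit checks over a constructed, Workday-style security export.
# The data model below is a hypothetical stand-in for a real export.
from datetime import date

TODAY = date(2024, 6, 1)  # constructed audit date

# Security group -> documented functional role and domain grants (Get/Put).
SECURITY_GROUPS = {
    "HRBP - All": {"role": "HRBP", "domains": {"Compensation - All": {"Get"}, "Worker Personal Data": {"Get"}}},
    "Manager": {"role": "Manager", "domains": {"Worker Personal Data": {"Get"}, "Performance - Direct Reports": {"Get"}}},
    "Payroll Processing": {"role": "Payroll Specialist", "domains": {"Process Payroll": {"Put"}}},
    "Payroll Approval": {"role": "Payroll Manager", "domains": {"Approve Payroll Run": {"Put"}}},
    "IT Admin": {"role": "IT Admin", "domains": {"Worker Data": {"Get", "Put"}}},
    "Benefits Partner (unused)": {"role": "Benefits Partner", "domains": {"Benefits - All Plans": {"Get"}}},
}

# Data classification register (Restricted > Confidential > Internal > Standard).
DOMAIN_CLASS = {
    "Compensation - All": "Restricted",
    "Worker Personal Data": "Restricted",  # SSN, date of birth, national ID
    "Worker Data": "Confidential",
    "Benefits - All Plans": "Confidential",
    "Process Payroll": "Confidential",
    "Approve Payroll Run": "Confidential",
    "Performance - Direct Reports": "Internal",
}
SENSITIVE = {"Restricted", "Confidential"}

# Domains each role needs, per the business-process-owner interviews (constructed).
ROLE_NEEDS = {
    "HRBP": {"Compensation - BU Only", "Worker Data - BU Only"},
    "Manager": {"Performance - Direct Reports", "Compensation - Direct Reports"},
    "Payroll Specialist": {"Process Payroll"},
    "Payroll Manager": {"Approve Payroll Run"},
    "IT Admin": {"Worker Data"},
    "Benefits Partner": {"Benefits - BU Enrollment Only"},
}

# Permission pairs that one person must never hold together.
SOD_CONFLICTS = [("Process Payroll", "Approve Payroll Run")]

# Worker ID -> (assigned groups, termination date or None). Constructed.
WORKERS = {
    "W001": ({"HRBP - All"}, None),
    "W002": ({"Manager"}, None),
    "W003": ({"Payroll Processing", "Payroll Approval"}, None),  # overlapping memberships
    "W004": ({"IT Admin"}, date(2024, 2, 1)),  # terminated 121 days ago, still assigned
}

# Last certification date per group; empty because assignments were never reviewed.
LAST_CERTIFIED = {}


def excessive_sensitive_access():
    """Sensitive domains a group grants that its role has no documented need for."""
    hits = []
    for group, info in SECURITY_GROUPS.items():
        need = ROLE_NEEDS.get(info["role"], set())
        for domain in info["domains"]:
            if DOMAIN_CLASS.get(domain) in SENSITIVE and domain not in need:
                hits.append((group, domain, DOMAIN_CLASS[domain]))
    return sorted(hits)


def held_domains(worker):
    """Union of domains a worker reaches through all of their group memberships."""
    groups, _ = WORKERS[worker]
    return set().union(*(SECURITY_GROUPS[g]["domains"] for g in groups))


def sod_violations():
    """Workers holding both halves of a conflicting pair, across any combination of groups."""
    return sorted((w, a, b) for w in WORKERS for a, b in SOD_CONFLICTS if {a, b} <= held_domains(w))


def stale_memberships(today=TODAY):
    """Terminated workers still assigned to any group, with days elapsed since their end date."""
    return sorted((w, (today - end).days) for w, (groups, end) in WORKERS.items()
                  if end is not None and end < today and groups)


def orphan_groups():
    """Groups with live domain grants but no assigned members."""
    assigned = set().union(*(groups for groups, _ in WORKERS.values()))
    return sorted(g for g, info in SECURITY_GROUPS.items() if info["domains"] and g not in assigned)


def uncertified_groups(today=TODAY, max_age_days=90):
    """Groups never certified, or not re-certified within the cadence."""
    return sorted(g for g in SECURITY_GROUPS
                  if g not in LAST_CERTIFIED or (today - LAST_CERTIFIED[g]).days > max_age_days)


if __name__ == "__main__":
    for check in (excessive_sensitive_access, sod_violations, stale_memberships,
                  orphan_groups, uncertified_groups):
        print(f"{check.__name__}: {check()}")
```

The SoD check deliberately works on the union of a worker's memberships rather than on individual groups, because that is exactly how F-02 arose: neither payroll group was wrong on its own, the conflict only appeared once one person held both. The same pattern applies to any other conflicting pair you add to SOD_CONFLICTS.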
03 Security Architecture Redesign
Before and after comparison of the RBAC structure, showing how security groups were restructured to enforce least-privilege and organizational scoping.
Before — Flat, Over-Provisioned
  HRBP (1 group, all access)
    Compensation — All Employees
    Worker Personal Data (incl. SSN)
    Benefits — All Plans
    Payroll — View All
  Manager (broad defaults)
    Worker Personal Data (incl. SSN)
    Compensation — Direct Reports
    Performance — Direct Reports
  Payroll Specialist (conflicting)
    Process Payroll
    Approve Payroll Run
    Compensation — View All
  8 orphaned groups (no members)
    Various domain access still active

After — Segmented, Least-Privilege
  HRBP — [Business Unit] (scoped)
    Compensation — BU Employees Only
    Worker Data — BU Only (SSN excluded)
    Benefits — BU Enrollment Only
  Manager (scoped, restricted)
    Worker Data — Direct Reports (SSN excluded)
    Compensation — Direct Reports (base only)
    Performance — Direct Reports
  Payroll Processor (separated)
    Process Payroll
    Cannot approve
  Payroll Approver (separated)
    Approve Payroll Run
    Cannot process
  Orphaned groups deactivated ✓

Chart: Domain Access Reduction by Role. 42 security groups before cleanup, 34 after cleanup (8 deactivated).
04 Remediation Timeline
Phased remediation plan executed over 4 weeks, prioritized by risk severity, and validated through testing before go-live.
Week 1 — Critical Findings
Segregation of Duties & SSN Access Remediation
Split payroll security groups into Processor and Approver roles (F-02). Removed SSN/national ID from Manager security group domain access (F-05). Both changes validated through unit testing with test employee records.
Week 2 — HRBP Scoping & Deprovisioning
Business Unit Segmentation & Access Lifecycle Fix
Created business-unit-scoped HRBP security groups, migrated all 5 HRBPs to new assignments, and deactivated the flat "HRBP — All" group (F-01). Revoked terminated contractor access and implemented automated deprovisioning via business process trigger on termination events (F-03).
Week 3 — Cleanup & Governance
Orphan Group Deactivation & Certification Process
Deactivated 8 orphaned security groups after confirming zero active dependencies (F-04). Designed and documented a quarterly access certification process with HRIS and IT Security co-ownership (F-06). Created certification template and scheduled first review cycle for 90 days post-go-live.
Week 4 — Validation & Sign-Off
Regression Testing & Stakeholder Approval
Executed full regression test across all 34 active security groups, verifying domain access matches documented design. Conducted walkthrough with CISO and HR leadership. All 6 findings confirmed remediated. Security architecture approved for production go-live.
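The Week 4 regression test is a comparison of two artifacts: the documented target design and what the tenant actually exports after the changes. Doing that comparison by script means every group and every permission is checked, not a sample, and the output is a drift list that can go straight into the sign-off pack. The block below is an added example, not the case study's own tooling: DESIGN and EXPORT use a hypothetical dict layout standing in for a domain-security-policy export, and the three differences planted in EXPORT (a default that crept back, an extra permission, an orphan group still active) are invented to show what the report looks like when validation fails.

```python
# Regression check: does the exported post-remediation configuration match the
# documented security design? Constructed example; dict layout is a stand-in.

# Documented target design (the "After" architecture), constructed.
DESIGN = {
    "HRBP - Consumer Products": {
        "Compensation - BU Only": {"Get"},
        "Worker Data - BU Only": {"Get"},
        "Benefits - BU Enrollment Only": {"Get"},
    },
    "Manager": {
        "Worker Data - Direct Reports": {"Get"},
        "Compensation - Direct Reports (Base)": {"Get"},
        "Performance - Direct Reports": {"Get"},
    },
    "Payroll Processor": {"Process Payroll": {"Put"}},
    "Payroll Approver": {"Approve Payroll Run": {"Put"}},
}

# What the tenant export shows, with three planted drift cases (constructed).
EXPORT = {
    "HRBP - Consumer Products": DESIGN["HRBP - Consumer Products"],
    "Manager": {**DESIGN["Manager"], "Worker Personal Data": {"Get"}},  # default crept back
    "Payroll Processor": {"Process Payroll": {"Get", "Put"}},           # extra permission
    "Payroll Approver": {"Approve Payroll Run": {"Put"}},
    "Benefits Partner (unused)": {"Benefits - All Plans": {"Get"}},     # should be deactivated
}


def compare_access(design, export):
    """Return every difference between the documented design and the export.

    Each drift item is a tuple whose first element names the kind:
    missing_group, unexpected_group, missing_domain, extra_domain, perm_mismatch.
    An empty list means the export is exactly the design.
    """
    drift = []
    for group in sorted(set(design) - set(export)):
        drift.append(("missing_group", group))
    for group in sorted(set(export) - set(design)):
        drift.append(("unexpected_group", group))
    for group in sorted(set(design) & set(export)):
        want, have = design[group], export[group]
        for domain in sorted(set(want) - set(have)):
            drift.append(("missing_domain", group, domain))
        for domain in sorted(set(have) - set(want)):
            drift.append(("extra_domain", group, domain))
        for domain in sorted(set(want) & set(have)):
            if want[domain] != have[domain]:
                drift.append(("perm_mismatch", group, domain,
                              tuple(sorted(want[domain])), tuple(sorted(have[domain]))))
    return drift


def design_matches(design=DESIGN, export=EXPORT):
    """True only when the export reproduces the documented design exactly."""
    return not compare_access(design, export)


if __name__ == "__main__":
    for item in compare_access(DESIGN, EXPORT):
        print(*item)
    print("ready for sign-off:", design_matches())
```

Treating any non-empty drift list as a failed gate (rather than only flagging "extra" access) matters: a missing domain is a functional break that will surface as a go-live incident, and an unexpected group is exactly the orphan-group finding reappearing.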
05 Audit Results Summary
Aggregate outcomes from the RBAC audit and remediation effort.
78% Avg. Access Reduction
0 SoD Violations Remaining
| Finding | Severity | Remediation | Validated | Status |
| --- | --- | --- | --- | --- |
| F-01 HRBP Over-Provisioned Comp Access | Critical | BU-scoped security groups | Regression + walkthrough | Closed |
| F-02 Payroll SoD Violation | Critical | Processor / Approver split | Unit test + parallel payroll | Closed |
| F-03 Terminated Contractor Access | High | Revoked + automated deprovision | BP trigger validated | Closed |
| F-04 Orphaned Security Groups | Medium | 8 groups deactivated | Zero dependency confirmed | Closed |
| F-05 Manager SSN Visibility | High | SSN removed from domain access | 48 managers re-tested | Closed |
| F-06 No Access Certification | Medium | Quarterly certification process | Template + schedule approved | Closed |
Impact
Reduced unnecessary access to sensitive data by an average of 78% across all security groups. Eliminated all segregation of duties violations in the payroll workflow. Closed a systemic access lifecycle gap that left terminated users with active permissions. Established the organization's first formal access certification program with quarterly cadence and dual HRIS/IT Security ownership. Security architecture was approved for production go-live with zero open findings, and the certification framework positions the organization for ongoing compliance as the workforce and system evolve.