We’re designing RBAC for our Workday expense management implementation across five business units with different approval hierarchies and spending policies. Each unit needs isolation but we also have corporate-level auditors who need cross-unit visibility.
I’m debating between a hierarchical RBAC design with inherited permissions versus flat role assignments with explicit grants. The challenge is balancing security posture with operational efficiency - we don’t want managers waiting on approval routing because permissions are too restrictive, but we need proper audit logging and cross-business-unit isolation.
Curious what approaches others have taken for dynamic role assignment in multi-BU scenarios. Do you assign roles based on organizational hierarchy, or use custom security groups? How do you handle approval routing rules when someone needs to approve expenses across multiple cost centers?
Based on implementing this across multiple Workday clients, here’s the comprehensive approach that addresses all the key considerations:
Hierarchical RBAC Design:
Use a three-tier role structure: Base Permissions → Business Unit Extensions → Special Access. Base roles (Expense Submitter, Expense Approver, Expense Auditor) provide foundational access. BU-specific security groups layer on approval limits and data visibility. Special access roles handle edge cases like cross-BU auditors or temporary project approvers. This hierarchy prevents permission sprawl while maintaining flexibility.
Dynamic Role Assignment:
Leverage Workday’s assignment rules tied to job profiles and organizational membership. When someone is hired into a manager position, they automatically receive the Expense Approver role for their BU. Use organizational rules to dynamically grant approval authority based on supervisory relationships - no manual role assignments needed. For temporary needs, use additional job assignments with expiration dates.
Approval Routing Rules:
Implement matrix-based routing that checks multiple conditions: expense amount, cost center, business unit, and organizational relationship. Configure rules like: expenses under $1K route to direct supervisor, $1K-$5K to department head, over $5K to BU finance director. For cross-BU expenses, route to the primary BU approver first, then to corporate finance for secondary approval. Use conditional routing that recognizes when an approver has multi-segment access versus single-segment.
Audit Logging:
Enable comprehensive audit logging that captures: who approved, which role they used, what organizational relationship justified the approval, timestamp, and any delegation chains. Configure reports that flag unusual patterns like approvals outside normal org relationships or cross-segment approvals. Set up automated alerts for high-value approvals or when approval limits are approached.
Cross-Business-Unit Isolation:
Implement security segments at the BU level that restrict data visibility regardless of role permissions. Use segment-based security to ensure that even senior managers only see expense data for their assigned segments unless they have explicit corporate-level access. For auditors needing cross-BU visibility, create a dedicated “Corporate Auditor” role with read-only access across all segments but no approval authority.
Key Implementation Tips:
- Start with minimal permissions and add as needed rather than restricting after granting broad access
- Use security group membership for BU-specific rules rather than hardcoding in role definitions
- Test approval routing thoroughly with edge cases (matrixed employees, temporary assignments, delegated approvers)
- Document the security model clearly so future changes don’t inadvertently create access gaps or overlaps
- Review role assignments quarterly to catch orphaned permissions from organizational changes
This approach balances security with operational efficiency - approvals route quickly within normal hierarchies while maintaining strict isolation between business units and comprehensive audit trails for compliance.
The hybrid approach sounds promising. How do you handle the cross-business-unit isolation though? If a director has approval authority based on supervisory org, doesn’t that potentially give them visibility into expenses from other BUs if someone in their org works on cross-BU projects?
That’s where security segments come in. You need to implement segment-based security that restricts data visibility by BU regardless of approval authority. So a director might have the role permission to approve up to $10K, and the org relationship to approve for their team, but the security segment ensures they only see expense reports tagged to their BU. For cross-BU projects, you’d use a special approval routing rule that escalates to a corporate-level approver who has multi-segment access. The audit logging then clearly shows when cross-segment approvals occur, which is important for compliance reviews.
Don’t forget about dynamic role assignment based on temporary assignments. We had a case where project managers needed temporary approval authority for project-specific expenses across multiple BUs. Rather than creating permanent role assignments, we used Workday’s contingent worker / additional job functionality to grant time-limited approval roles. This automatically expires and requires no manual cleanup. The approval routing rules recognize these temporary assignments and route accordingly. Just make sure your audit logging captures both permanent and temporary role usage.
We went with hierarchical RBAC and it’s worked well. The key is using Workday’s security group inheritance properly. Create a base “Expense Manager” role with minimal permissions, then layer on business-unit-specific groups that add approval authority. For cross-unit auditors, we created a separate “Expense Auditor” role with read-only access constrained by security segments. Dynamic assignment happens through organizational rules - when someone becomes a manager, they automatically get the appropriate expense approval rights.
I’d caution against pure hierarchy because it gets complex fast with matrix organizations. We use a hybrid approach: base roles assigned by job profile, then dynamic security groups for approval authority based on supervisory org and cost center ownership. The approval routing rules are configured to check both role membership AND organizational relationship. This way, a director can approve expenses for anyone in their org tree regardless of which BU they’re in, but they can’t approve outside their tree even if expense amounts are within their limit. Audit logging captures both the role used and the org relationship for each approval.