In Workday HCM, access to worklets, including delivered worklets such as the Pay App, is governed by domain security, not business process security. Worklets display data and provide navigation to reports, tasks, and applications, all of which rely on domain-level permissions to control visibility and access.
To prevent Contingent Workers from seeing or accessing the Pay App on their Home landing page, you must remove their associated security group from the domain security policy that grants access to pay-related data. Once domain access is removed, the Pay App will no longer appear for those users because Workday dynamically displays worklets based on the user’s domain permissions.
Business process security policies control who can participate in transactional processes—such as initiating or approving a Hire, Change Job, or Termination—and do not influence whether a worklet appears on the Home page. Therefore, options B and D are incorrect because modifying business process security would not affect worklet visibility.
Option C is also incorrect because adding a security group to a domain security policy would grant access, not restrict it.
From a Workday Pro HCM best-practice perspective, restricting access to delivered worklets is always achieved through domain security policy configuration. This ensures consistent behavior across dashboards, reports, and applications tied to sensitive data such as compensation and payroll.
Therefore, the correct and Workday-verified way to prevent Contingent Workers from accessing the Pay App is to remove the security group from the domain security policy.
