In Workday HCM, selecting the correct security group type is critical to ensuring users have appropriate access while maintaining strong governance and data security. When HR representatives need access to workers within a specific supervisory organization, such as Sales, the most appropriate solution is a role-based constrained security group.
A role-based constrained security group limits access based on organizational assignment, such as a supervisory organization and its subordinate organizations. This means HR representatives assigned to this role will only have access to workers who belong to the Sales supervisory organization hierarchy. This targeted access aligns with the principle of least privilege and is a core Workday Pro HCM security best practice.
Organization-based (Unconstrained) and role-based (Unconstrained) security groups grant access across all organizations in the tenant. These options would provide broader access than required and could expose sensitive worker data outside the Sales organization. Therefore, they are not appropriate when access should be limited to a specific supervisory organization.
User-based security groups assign access to individual users, not organizational roles. While useful for exceptions or administrators, user-based groups do not scale well and require ongoing maintenance when users change roles or responsibilities.
By using a role-based constrained security group, access automatically follows the role assignment on the Sales supervisory organization. If HR representatives change or new HR staff are assigned, access is updated without reconfiguring security for individual users.
From a Workday Pro HCM perspective, role-based constrained security groups provide the optimal balance of flexibility, control, and scalability. Therefore, the correct and Workday-verified answer is Role-based (Constrained).
