Security group assignment fails for new hires in core-hr module during onboarding

ianplanner · April 22, 2025, 1:15pm

We’re experiencing a critical issue where new hires aren’t being assigned to the correct security groups during the onboarding process. The business process completes successfully, but when the new employee tries to log in, they have no access to their required modules.

Our security group mapping is configured to automatically assign groups based on job profile and location. The role assignment rules look correct in the configuration, but they’re simply not executing. When I manually assign the security groups after hire, everything works fine.


Security Group: Employee_Self_Service
Assignment Rule: Job_Profile = 'Sales_Representative'
Condition: Hire_Date is not null

The business process configuration shows the ‘Assign Security Groups’ step is included and not skipped. We’ve had three new hires this week all experience the same problem. This is blocking their first-day access and creating a poor onboarding experience. Has anyone dealt with security group assignment failures during the hire process?

patricia_singh · May 15, 2025, 7:21pm

That’s exactly what’s happening. The issue is that security group assignments based on job profile require the position and job profile relationships to be fully established in the data model before the assignment rules can evaluate. Even though the hire step completes, there’s a brief window where those relationships aren’t queryable yet. You need to add an intermediate step or use a different assignment trigger.

fr_hcm · April 25, 2025, 12:18am

I’ve seen this when the security group assignment is conditional on fields that aren’t populated yet during the hire process. Your rule checks for Hire_Date not null, but depending on your BP configuration, that field might not be set until a later step. Try adding some debug logging to see what field values are available when the assignment rule evaluates. You might need to adjust the condition to check for a different field that’s guaranteed to be populated earlier, like Worker_Type or Employment_Status.

ianplanner · May 28, 2025, 6:37am

You’re encountering a classic timing and data propagation issue with security group assignments during business process execution. Here’s the comprehensive solution:

For security group mapping, the root cause is that your assignment rule is evaluating before the worker’s job profile relationship is fully committed and indexed in Workday’s security framework. Even though the hire step completes, the security subsystem hasn’t updated its cache with the new worker’s attributes yet.

The role assignment logic needs to be restructured. Instead of using an inline step in your Hire business process, implement this approach:

Remove the current ‘Assign Security Groups’ step from your Hire Employee business process
Create a new business process event subscription:


Event: Worker_Created
Subscriber: Assign_Security_Groups_Process
Trigger Condition: Worker.Primary_Job is not null

Build a dedicated ‘Assign Security Groups’ business process that:
- Accepts Worker reference as input
- Includes a 5-second delay step (use ‘Wait for Condition’ with timeout)
- Queries worker’s current job profile and location
- Applies security group assignment rules based on those attributes
- Includes error handling to retry if job profile is still null

For the business process configuration, this event-driven approach ensures the assignment happens after all worker data is fully propagated. The delay step is critical - it gives Workday’s security framework time to update its internal indexes.

Alternatively, if you must keep it inline, modify your assignment rule to be more defensive:


Security Group: Employee_Self_Service
Assignment Rule: Worker.Primary_Position is not null
             AND Worker.Primary_Job.Job_Profile = 'Sales_Representative'
             AND Worker.Status = 'Active'

This checks for the position relationship first, which is a better indicator that the worker record is fully established.

Also verify in your Hire business process that you have ‘Commit Transaction’ checked on the hire step. Without this, subsequent steps in the same process may not see the committed worker data.

Finally, check your security group’s ‘Assignment Rules’ configuration. Navigate to Security > Security Groups > [Your Group] > Assignment Rules tab. Make sure the rule priority is set correctly if you have multiple rules, and that ‘Automatically Assign’ is enabled.

This solution addresses all three focus areas: proper security group mapping through event-driven assignment, correct role assignment timing with defensive conditions, and robust business process configuration with transaction management. Your new hires should receive proper access on day one.

Topic		Views
Security group misconfiguration blocks access to employee data in HR module Workday question , database-mgt , hr-core , wd-r1-2023 , access-denied , user-permissions , security-groups , hr-operations , domain-security	3	February 1, 2025
Benefits enrollment eligibility rules not triggering for new hires during open enrollment window Workday question , onboarding , cloud-deploy , benefits-admin , wd-r1-2024 , eligibility-rule , eligibility-mismatch , enrollment-delay	5	May 17, 2025
Talent management integration user role sync fails due to SAML attribute mapping Workday HCM question , talent-mgmt , security-auth , saml , sso , wd-r1-2023 , oauth2 , integration-failure , role-sync	5	April 11, 2025
Security group access lost for real estate management after tenant migration in cloud deploy Workday question , cloud-deploy , real-estate-mgmt , wd-r2-2023 , user-access , security-groups , security-admin , security-access , tenant-migration	3	October 17, 2025
Core HR migration fails with missing employee data in wd-r1-2024 Workday question , core-hr , data-migration , xml , employee-data , wd-r1-2024 , data-validation , migration-template , workday-studio	6	June 21, 2025
Access denied in workforce planning when using conditional security policies with delegated roles Workday HCM question , security-auth , permissions , audit-log , security-policy , wd-r2-2023 , access-denied , workforce-planning , delegated-roles	6	May 3, 2025
Multi-tenant data isolation in core HR workflows - security architecture Workday HCM discussion , core-hr , workflow-process , wd-r1-2023 , multi-tenancy , data-privacy , compliance-risk , security-config , data-isolation	4	April 11, 2025
Onboarding integration fails to send new hire data to external HRIS platform Workday HCM question , integration , onboarding , rest-api , wd-r2-2023 , data-mapping , connection-failure , hris-integration , new-hire-data	4	April 22, 2025
Case management task assignment fails due to user role mismatch Appian question , aml , user-management , low-code-dev , role-mapping , task-assignment , case-management , sla-breach , appian-22-2	3	October 28, 2025

Security group assignment fails for new hires in core-hr module during onboarding

Related topics