Review and Approve Role-Based Access Requests

The following article is a guide for employees who review and approve/deny role-based access requests in Workday.

After a Role-Based Access Requester requests a new security role assignment, the request is first routed to the assignee's manager. If the manager approves the role assignment, the request proceeds to the person(s) with the Access Approver (Division) role for the assignee's supervisory organization. If approved again, the process will route to an Access Approver (Campus) in the Office of Human Resources (OHR), which is the final review step in most cases.

Roles at a level of operations above Campus Transactions (Shared Services, Central Processing, and ERP Administration) require an additional approval step. To view the level of operations associated with each security role, see the Simplified HR Security Role Catalog or the UW Security Catalog: Assignable Roles and User Based Groups report in Workday.

Routing order:

• Step 1: Initiation - A role-based access requester initiates the process
• Step 2: Approval of assignee's manager (always required)
• Step 3: Approval of HR Access Approver - Division (always required)
• Step 4: Approval of HR Access Approver - Campus (always required)
• Step 5: Approval of Shared Services, Central Processing, or ERP Administration (required for some security roles)

Approvers at all levels should take these actions to review role-based access requests:

1. From the Workday home page, go to My Tasks.
   1. This can be accessed by selecting Go to My Tasks under Awaiting Your Action, or by selecting the inbox icon in the upper right corner.
2. Select the task for review. Security assignment tasks will start with "Assign Roles".
   1. Note: If there is a warning message included with the task, it is because the requested role assignment would create a Separation of Duties (SOD) conflict, where the assignee could perform multiple related functions in violation of best practices. To ensure checks and balances, role assignments that create SOD conflicts should not be requested or approved. The Simplified HR Security Role Catalog and the UW Security Catalog: Assignable Roles and User Based Groups report in Workday display the SOD conflicts for each role.
3. Review the fields in the task for accuracy and appropriateness:
   1. Effective Date is the first date that the user will have the specified security.
   2. Role Enabled For is the organization that the user will be assigned security for.
   3. Role is the name of the security role being assigned to the user.
   4. Assignees Added is the position that the role will be assigned to, and includes the current incumbent's title and name.
4. Make a decision whether to approve the request or send it back. In the Comments text box, enter a comment explaining why you are taking this action.
   
   
   1. Approve means that you agree with the request. Depending on your role, it will send the request to the next approver, or act as the completion step in the process.
   2. Send Back will return the process to the previous approver, and should be selected if there is a problem with one or more fields in the request (e.g., wrong role or organization).
   3. Less common options can be found by selecting the ellipses button. They include:
      1. Deny will terminate the request, and should be selected if the request was unauthorized or a mistake.
      2. Add Approvers will allow you to choose one or more WEST Security Administrators to forward the request to.
      3. Cancel will discard any changes you've made. The task will remain in My Tasks for you to return to when ready.
5. Note: If multiple people share the same Access Approver security role assignment, the request will route to both people. If one of them takes action on the request, it will disappear from the other person's My Tasks section.