Workday divestiture security: Turning complexity into control

  • Blog
  • June 10, 2026
Nick Stone

Partner, PwC US

Nicole Pledger

Principal, PwC US

Key takeaways 

  • Workday divestiture security is critical and often underestimated, especially when separating entities within a shared tenant, leading to significant operational and compliance risks.

  • Effective security goes beyond basic role assignments; it requires a deep dive into dynamic, rule-based, segment-based security, and proxy configurations to prevent unintended access.

  • A structured, end-to-end review approach is crucial, encompassing full security model analysis, authentication alignment, administrative access review, and thoughtful access control redesign.

  • Implement robust governance and Sensitive Access and Segregation of Duties (SA/SOD) assessments throughout the process to ensure a clean, auditable, and secure transition, minimizing disruption and protecting against malicious activity.

In today’s market, acquisitions and divestitures are accelerating as organizations reshape portfolios, respond to economic pressure, and pursue strategic focus. As deal volume increases, so does the need to separate or integrate operations quickly—often without the luxury of rebuilding core systems from the ground up. For organizations running Workday, this reality places security at the center of successful execution.

In many Workday divestitures that involve separating a single Workday environment into separate organizations, the key security activity is separating two companies that should continue operating within the same environment, so that securable access, transactions, and administrative responsibilities stay within the necessary boundaries. The challenge is knowing where those overlaps exist, how to prioritize them, and how to move from broad analysis to targeted action without losing control.

A divestiture creates an immediate challenge: the organizations should logically operate separately, even when their systems are built to function as one. As leaders work to meet legal requirements and preserve continuity across payroll, recruiting, finance, and other core processes, Workday security can fall behind.

This becomes even more important when the separation is being managed within a shared tenant rather than through a full tenant separation. In those scenarios, security should be updated to support the new operating model by aligning visibility, transactions, administrative responsibilities, proxy capabilities, and authentication with the boundaries established for each company. 

Why divestiture security is often underestimated

At first glance, separating two companies in a shared Workday tenant appears straightforward: update organization assignments, adjust a few security groups, and access often follows. In practice, access is influenced by far more than role assignments alone. Self-service and dynamic access, rule-based security, segment-based security, proxy design, administrative governance, and authentication policies play a role in whether securable access and transactions remain within the intended boundaries.

Where organizations often fall short: 

  • Complex security design. Organizations focus on the visible parts of the model while overlooking the supporting layers that shape access behind the scenes. Self-service access should be revisited to confirm users can still complete their own tasks and view relevant (e.g., organizational) information without seeing information about workers outside of their company. Rule-based groups need to be reevaluated so that reorganized populations are still grouped correctly. Segment-based security should be replicated for newly created groups so that day-to-day access is preserved but not overextended. Proxy policies often need to be refreshed because the populations users can act on behalf of can change significantly in a separation.
  • Unconstrained access. Some domains and business processes do not support constrained access. When that happens, organizations may need a redesigned security model, not a workaround. Sometimes the right answer is to remove functionality; in other cases, layered security such as intersections is needed to preserve business continuity while still enforcing separation.
  • Unintended opening for malicious activity. Cybersecurity teams increasingly observe that attackers do not need to break into systems when they can simply log in, taking advantage of misconfigured access, weak controls, or credentials that were never properly retired. Divestitures can create exactly these conditions at scale, which is why getting access boundaries right is not only an operational concern but a meaningful part of an organization's defense against malicious activity.

If these issues are not identified early, users may still be able to report or transact outside their defined organizational boundaries, administrators may retain broader visibility than intended, and authentication misalignment can create lapses in tenant access that disrupt critical business processes. This is why divestiture security should be approached as a holistic review, not a narrow configuration exercise.

A more effective approach: structured, holistic review

The more effective divestiture projects bring structure to the security requirements from the start.

1. Start with an overall analysis of the security model

A targeted security analysis begins with a broad review of the active security groups and related access settings. That means identifying where no change is required, where assignments need to be updated, and where a deeper access review may be necessary across both core security groups and Workday-delivered dynamic groups, such as Seer or Viewer. 

Re-test rule-based groups to confirm that reorganized populations are still grouped correctly. Review segment-based security and proxy policies to confirm that access remains aligned to the new operating boundaries.

Divestitures operate on tight timelines, so teams should quickly identify the level of security impact and focus effort on higher-risk or more complex areas so updates can move into testing and deployment without delay.

2. Align authentication and network access

The security analysis should also account for how users access the system, not just what they can access.

For organizations leveraging Single Sign-On, changes to identity providers or user populations require updates to authentication and network configurations within the tenant. 

This may include updating authentication policies and tenant setup to route users through a new identity provider, confirming login and redirect flows, and reviewing network-based controls such as IP restrictions.

The goal is to confirm that access is controlled at the point of entry while helping prevent lapses in tenant access that could disrupt critical business transactions.

3. Review administrative and unconstrained access

After a divestiture, administrative access often requires the most deliberate review. Support roles that needed broad visibility in the past may now need to be narrowed to a specific population. Further, you may need to shift from unconstrained to constrained access wherever possible, redesign role-based security to align with new organizational boundaries, or potentially share custom report outputs with various users if the necessary constrained access cannot be granted.

The goal is to preserve the administrative access needed to support the business while keeping that access appropriately scoped and maintainable.

4. Redesign access controls thoughtfully

A divestiture can quickly increase sensitive access and segregation of duties risk. The volume of assignment changes, combined with the creation of net-new security groups, can introduce high-risk or conflicting access if those updates are not reviewed in context. For example, an employee who takes on a new administrative role may gain the ability to edit workflows, approval routing, or security settings while still retaining transactional access from their prior role. That combination can create a path for the same person to alter a control and then execute the transaction it was designed to govern. A focused SA/SOD assessment helps identify where redesign, monitoring, or compensating controls may be needed.  
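The check described above can be run over an export of post-separation assignments. The following is an added example, not PwC's or Workday's code: the group names, capability tags, company labels, and record layout are all constructed for illustration. It flags users who can both alter a control and transact, assignments that still reach across the company boundary, and net-new groups that have not yet been classified.

```python
from collections import defaultdict

# Hypothetical capability tags per security group (constructed names, not Workday-delivered).
GROUP_CAPS = {
    "BP_Administrator": {"alter_control"},       # edits workflows / approval routing
    "Security_Configurator": {"alter_control"},  # edits security settings
    "AP_Specialist": {"transact"},               # executes the governed transactions
    "HR_Partner": {"view"},
}

# Constructed export rows: (user, user_company, group, target_company)
ASSIGNMENTS = [
    ("adavis", "RemainCo", "AP_Specialist", "RemainCo"),
    ("adavis", "RemainCo", "BP_Administrator", "RemainCo"),  # new admin role, prior access kept
    ("bkhan", "SpinCo", "HR_Partner", "RemainCo"),           # still scoped to the other company
    ("cliu", "SpinCo", "SpinCo_Payroll_Admin", "SpinCo"),    # net-new group, not yet tagged
]

def sod_conflicts(assignments, caps=GROUP_CAPS):
    """Users who can alter a control and also execute the transaction it governs."""
    held = defaultdict(lambda: defaultdict(set))
    for user, _, group, _ in assignments:
        for cap in caps.get(group, ()):
            held[user][cap].add(group)
    return {
        user: (sorted(c["alter_control"]), sorted(c["transact"]))
        for user, c in held.items()
        if c.get("alter_control") and c.get("transact")
    }

def boundary_violations(assignments):
    """Assignments whose target organization belongs to the other company."""
    return [(u, g, tgt) for u, co, g, tgt in assignments if co != tgt]

def unmapped_groups(assignments, caps=GROUP_CAPS):
    """Groups with no capability tag cannot be assessed, so surface them for review."""
    return sorted({g for _, _, g, _ in assignments if g not in caps})

if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS))
    print("Cross-boundary:", boundary_violations(ASSIGNMENTS))
    print("Unclassified groups:", unmapped_groups(ASSIGNMENTS))
```

Treating unclassified groups as findings rather than silently skipping them matters here, because net-new groups are where untested conflicts are most likely to appear.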

5. Govern the change as tightly as the design 

One of the biggest differentiators in a successful divestiture is not just the quality of the solution, but the discipline of execution.

At volume, security changes can become difficult to track, especially when testing spans an extended period and production continues to move. A stronger governance process that includes a central change tracker helps create a single source of truth for every update, the business reason behind it, and the final action taken. That traceability is imperative for stakeholder alignment and equally important for audit readiness.

A defined freeze period can also reduce rework by limiting production changes during the testing cycle. And when it is time to migrate updates back into production, organizations should use the more controlled method available, whether that is change packaging or a disciplined manual migration supported by tenant comparison and post-deployment assessment.

From separation to stability

When this work is done well, security helps support the broader divestiture by reducing access risk and limiting disruption during the transition.

The organization can gain a cleaner security model, better alignment between access and accountability, clearer audit traceability through documented changes and business rationale, and lower reliance on broad permissions. Just as important, users retain the access they need to keep the business moving, without introducing avoidable exposure across newly separated entities.  

That is what leaders should expect from a mature approach to Workday divestiture security: clear boundaries, fewer disruptions, and a model that can stand up to both operational demands and audit scrutiny. The organizations that navigate these transitions more effectively are not necessarily the ones with the simplest environments, but the ones with an approach that is targeted, disciplined, and grounded in experience.

Contributors: Tristan Johnson, Sydney Sernick and Jeremy Rhoads

Workday Security and Controls team
