Skip to main content


Workday Adaptive Planning Knowledge Center

Set Up Access Rule Security

Explains how to set up basic view and edit access for users using the rule-based security structure.

Contains preview content for the 2020R2 release.

With the access rule security structure, user profiles and groups, permissions, and rules work with various settings to protect data. Manage these settings in the sheets, accounts, levels and versions.

Access rules define specific intersections of data that users or groups can edit or view.

If your instance uses level-based security, go to Set Up Level-Based Security

Before You Begin

See the Users, Permissions, and Access Overview

Required permissions: 

  • Admin Access > Users
  • Admin Access > Roles
  • Model Management Access > Model
  • Model Management Access > Organization Structure
  • Model Management Access > Versions

How You Get There

Navigation Icon5.png  Go to various areas of your instance, explained in each step.

Basic Steps



  • Create user IDs and passwords, create groups, and assign users to groups if possible. See Create and Edit Users and User Groups.
  • Create and assign access rules to groups based on common security levels or tasks.  Create and assign access rules to users who don't fit in groups. Or create dynamic access rules based on level-ownership. See Create Access Rules.
  • Assign permissions to roles and roles to users. See Create, Edit, or Delete Roles.
Version Access.png

Version Settings


Level Settings


Sheet and Account Settings

Set Up Basic View Access

Follow these steps to allow users to view data:

  1. Create user profile and password. Go to Administration > Users
  2. (Optional best practice) Create a view only group and add the new user to the view only group. Go to Administration > Global User Groups
  3. Create access rules. Go to Administration > Access Rules and use the template to create and upload Full View access rules for the user or the view only group. 
  4. Give the user permission to view data. Go to Administration > Roles.  Assign the user a role with at least Access Sheets, Access Reports, or Access Discovery permissions. 
  5. Make the levels assigned in the access rules visible in the accessible versions. Go to Modeling > Levels and select at least one of the levels assigned to the user or group. Choose the accessible version from the Version selector drop-down and select the checkbox. See Change Level Availability in Versions.
  6. For users to view data on sheets: Add the level to a level assigned sheet. Go to Modeling > Levels and select the owned level. From the Sheets section, select the checkboxes next to the sheets to add the level. This adds all child levels of the level to the sheet automatically.

With these steps completed, any version that isn't hidden is visible to the new user. To check, go to Modeling > Versions and look at the drop-down selection for Users. If you added the user to a group, select the group from the Group drop-down to see the Access Level below it.

Set Up Edit Access to Plan Versions

To allow users to also edit plan versions, add the following:

  1. Give the user permission to edit data. Go to Administration > Roles.  Edit the role and select Editable Sheet Access.
  2. Give the user an Edit rule. Go to Administration > Access Rules to update or add Edit rules to the user or group. 
  3. Give the user edit access to the versions. Go to Modeling > Versions. From the Access Controls section for Editable Sheet Access, choose Full Access.

Or, assign them a user-assigned sheet without the Salary Detail sheet setting. 

Restrict Edit Access to Actuals

If you want only certain users to edit actuals, create a specific role for it and refine the version access. This blocks others without the role from being able to edit actuals versions. 

To create a privileged role for actuals access:

  1. Create a new role. Go to Administration > Roles > New Role. For Role Name, enter a name such as Actuals Access, or Privileged Access.  Select Editable Sheet Access and  Privileged Actuals Access. Then assign the new role to the users who can edit actuals.
  2. Give only privileged users access to the actuals versions. Go to Modeling > Versions. In the Access Control section of the settings for the actuals versions:
    1. From the Privileged Actuals Access drop-down, select Full Access.
    2. For all other user type drop-downs, select any other options besides Full Access. 
    3. Repeat for all actuals, or at least the leaf-level actuals. Only leaf-level actuals are editable. Leaf level actuals are actuals without sub-versions that roll up to it.
  3. Make the actuals versions available. Go to Modeling > Levels. For levels assigned to the users, choose any leaf-level actuals version from the Version Selector drop-down. Select the checkbox.

Now only users with this new role can edit the actuals versions available in the levels they can access. 

To make an existing administration role the only role that can edit actuals:

  1. Go to Administration > Roles and select Edit next to the administrator role.  Select Model > Version and Editable Sheet Access and save. 
  2. Go to Modeling > Versions. For only the Admin user type, select Full Access in each leaf level actuals version.

Now only users with the administration role can edit the actuals versions. 

Refine View and Edit Access

  • Create Limited View access rules: The user or group can't view splits. 
  • Use Salary Detail settings: Make an account's details or modeled sheet viewable and editable to only users who have the Access Salary Detail permission. 
  • Hide or lock accounts on standard sheets: To hide, go to Modeling > Level Assigned Sheets. Select a standard sheet and select Customization for Sub-Levels. To lock, select the sheet and select Account Groups. Select an account from the left box. Select the Read Only checkbox on the right. See Build Standard Sheets.
  • Use cube restrictions: Hide intersections of data in a cube sheet for all users. See Build Cube Sheets.
  • Was this article helpful?