Workday, Inc.

Hierarchies and Access Rules

Describes terms used to explain how access rules use hierarchies to create intersections of data access for users and groups.


Access rules define specific intersections of data that users or groups can edit or view.

Access rules use a hierarchy logic to define intersections of access. You must understand the hierarchies of the levels, accounts, and dimensions you are securing. The hierarchies affect the access rules you create.

Hierarchy Terminology

Color-Schemed Hierarchy

General Hierarchy Terms

Blue
  • Parent of the grays.
  • Ancestor of the grays, greens, and yellows.
Grays
  • Children, or descendants, of the blue.
  • Siblings of other grays.
  • Parent, or ancestor, of the greens or yellows.
Greens and Yellows
  • Greens are children, or descendants, of the first gray.
  • Yellows are children, or descendants, of the second gray.
  • Siblings of others of the same color.
  • Descendants of the blue.
Leaf Levels

The yellows, greens, and the last gray are leaf levels in the hierarchy, because they have no children.


More on Account Hierarchies

There are separate account hierarchies for general ledger, custom, metric, and assumptions accounts. Also, each cube and modeled sheet has its own account hierarchy. For the accounts, the blue is either the type of account, or the name of the cube or modeled sheet.

If a gray account has children, it's either an account group or an account rollup. Account groups don't hold totals. Account rollups hold the total of descendant accounts. If an account doesn't have descendants, it's a leaf level account.

More on the Level Hierarchy

Every model has one level hierarchy, also called the organization structure. Some instances use level dimensions (custom dimensions with a level setting) to create alternate level hierarchies. Because you can't secure level dimensions, the only way to give access to levels is through the main level hierarchy. 

The blue is always the top level, named whatever your admin named it. Every parent level has an (Only) level, which rolls up to the parent level. The last gray is the Top Level (Only) level. The last green and the last yellow are the (Only) levels for the respective gray parents.

More on Custom Dimension Hierarchies

There are hierarchical dimensions and list dimensions. A hierarchical dimension has values that roll up to other values. A list has one level of values. 

List Dimension Example

Product (All)

  • T-shirts
  • Sweaters
  • Jackets
  • Product Uncategorized

Hierarchical Dimension Example

Product (All)

  • T-shirts (All)
    • Graphic T-shirts
    • Solid T-shirts
    • T-shirts Uncategorized
  • Sweaters
  • Jackets
  • Product Uncategorized

The blue is the name of the dimension, and the dimension rollup, or the All value. The grays are the dimension values. The last gray, for both lists and hierarchical dimensions, is the root uncategorized value. The root uncategorized value tags data points that weren't tagged explicitly with a dimension value. In the examples, Product Uncategorized is the root.

A list dimension only has grays. For hierarchical custom dimensions, like T-shirts in the example, every value with descendants has an uncategorized value and an All value.

Hierarchies and Access Rules 

General hierarchy rules for access:

  • Access to a parent includes all descendants. You can't use other rules to remove access to descendants once you grant access to parents. 
  • Access to children doesn't include ancestors. So you can restrict a user from seeing any rollups by only giving access to children accounts and levels.
  • All rules include access to the root uncategorized value of secured dimensions.
  • The only way to give access to (Only) levels is to give access to the parent. 

Using the below example hierarchy for levels, the tables show you the result of each rule or series of rules in the template.


  • G&A  
    • HR 
    • Legal 
  • Product Development
    • Operations
    • Engineering

When you use the Grant column:

Rule with Granted Levels | Resulting Level Hierarchy for User

Grant one level.png

Explanation: When you grant G&A, you grant all descendants, no ancestors.


  • HR
  • Legal
  • G&A (Only)

two levels granted.png

Explanation: When you also grant Operations, you don't grant its siblings or ancestor.




  • HR
  • Legal
  • G&A (Only)


conflicting rule.png

Explanation: The new rule is invalid. You cannot add a rule that restricts the descendant of a granted parent. 

No change

When you use the Grant All Except column:

Rule with Grant All Except Levels | Resulting Level Hierarchy for User

Grant all except one level.png

Explanation: When you grant all except G&A, you also exclude G&A's ancestors and descendants.

Product Development

  • Operations
  • Engineering
  • Product Development (Only)

Grant a level and grant all except level.png

Explanation: You can add a rule that grants a child of a restricted parent. 


Product Development

  • Operations
  • Engineering
  • Product Development (Only)
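
The grant and exception semantics in the tables above, as an added example that is not Workday's code: a small Python model of the sample level hierarchy that resolves Grant and Grant All Except entries into the levels a user can see, and rejects the conflicting rule. The top-level name Top, the function names, and the assumption that multiple rules combine by union are illustrative.

```python
# Added example. Level names are the page's sample hierarchy; "Top" is a
# constructed name for the top level. Union-combining rules is an assumption.
TREE = {
    "Top": ["G&A", "Product Development"],
    "G&A": ["HR", "Legal"],
    "Product Development": ["Operations", "Engineering"],
}
PARENT = {child: parent for parent, kids in TREE.items() for child in kids}
ALL_LEVELS = set(TREE) | set(PARENT)


def descendants(level):
    """Every level below `level` (not `level` itself)."""
    found = set()
    for child in TREE.get(level, []):
        found |= {child} | descendants(child)
    return found


def ancestors(level):
    """Every level above `level` (not `level` itself)."""
    found = set()
    while level in PARENT:
        level = PARENT[level]
        found.add(level)
    return found


def effective_access(grants=(), grant_all_except=()):
    """Resolve Grant and Grant All Except entries into visible levels."""
    visible = set()
    for level in grants:
        # Access to a parent includes all descendants, never ancestors.
        visible |= {level} | descendants(level)
    for level in grant_all_except:
        # A rule may not restrict a descendant of a granted parent.
        if ancestors(level) & set(grants):
            raise ValueError(f"invalid rule: {level} is under a granted parent")
        # The exception removes the level, its ancestors and its descendants.
        visible |= ALL_LEVELS - ({level} | ancestors(level) | descendants(level))
    # An (Only) level is reachable only through access to its parent.
    return visible | {f"{p} (Only)" for p in visible if p in TREE}


if __name__ == "__main__":
    print(sorted(effective_access(grants=["G&A", "Operations"])))
    print(sorted(effective_access(grants=["HR"], grant_all_except=["G&A"])))
```

Reviewing a rule set this way before applying it shows which rollups and (Only) levels a user ends up with, which is where over-broad parent grants are easiest to miss.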

Secured Custom Dimensions and Intersections

All data points intersect at a specific level, account, time period, and version. All data also intersects at every custom dimension in your model. For custom dimensions:

  • Data intersects at the root uncategorized value when you don't tag data with a custom dimension value. 
  • Data intersects at the All value of all the custom dimensions at all level, account, and custom dimension rollups.

To see any rollup value on sheets or reports, you need access to all descendants of all rollups. In sheets, you may not see accounts or levels at all if you don't have access to the rollup. In reports and charts, the rollups display partial rollup values. Partial rollup values include only the contributing values that you can access.

For more information, see Access Rules and Your Model