In Workday HCM, changes made to security policies , including business process security policies , follow a two-step lifecycle: save and activate . When you edit a business process security policy—such as granting a security group permission to initiate a business process event—those changes are initially saved only . At this stage, the changes exist in the tenant but are not yet active or enforced .
Workday requires administrators to explicitly run the Activate Pending Security Policy Changes task to make any saved security updates effective. This design ensures controlled deployment of security changes and allows administrators to review, bundle, and activate multiple security updates at once. Until activation occurs, users will not experience any change in access or behavior.
Option B is incorrect because Workday does not automatically activate security policy changes. Option A is incorrect because saving a security policy does not generate an error; it simply leaves the changes inactive. Option D is incorrect because Security Evaluation Moments are system-defined events used by Workday to re-evaluate security, but they are not created automatically as a result of editing a policy.
From a Workday Pro HCM best-practice standpoint, administrators should always validate security updates by confirming that pending changes are activated and tested. Failing to activate pending changes is a common reason why expected access updates do not take effect.
Therefore, without further action, the correct and Workday-verified status is that your changes are saved, but not in effect until they are activated.
