A few key points:
1. Workday-delivered groups
Workday comes with some groups that get automatically assigned, based on WD's rules. You cannot change/modify/delete etc. these groups.
Examples: All workers, All contingent workers, All terminated people, All users, Employee as Self, Manager's Manager, etc.
2. Workday security groups get assigned a 'context'.
This context is not changeable and it dictates what we'd consider to be 'row-level' security. There are 3 types of context possible:
- Unconstrained - in such a group, the users have access to ALL data that the group allows.
- Constrained - imagine a more limited group, a subset that is contrained--such as by organization.
- Mixed - a combination of the above two context. A mixed group can be an 'intersection' or a subset of the two where they overlap, or an 'aggregation', so the two parts together, regardless of overlap.