If a user is a member of both constrained and unconstrained security groups, what will be the user's resulting access for the domain items?

When a user is a member of both constrained and unconstrained security groups, the user's access is ultimately constrained. This is because constrained security groups are expressly designed to limit access to certain domain items to maintain tighter control over permissions. In scenarios where a user has membership in both types of groups, the restrictions of the constrained group take precedence, leading to reduced access rights, even in the presence of broader rights provided by the unconstrained group.

This hierarchical decision-making ensures that sensitive data remains protected, and it emphasizes Workday's focus on security and data governance. Therefore, the resultant access for the user aligns with the limitations established by the constrained security group, effectively overriding potential broader access permissions that could arise from the unconstrained group.