Which statement is true regarding rule-based security?

Rule-based security in Workday utilizes criteria to determine access levels for users based on specific conditions. The correct statement regarding this system is that you do not need to activate pending security policy changes when modifying rule criteria. This means that modifications to rule criteria can be made without necessitating immediate activation, allowing for flexibility in adjusting rules without affecting existing security policies until you decide to activate those changes.

This flexibility is crucial for maintaining operational efficiency; it allows administrators to develop and refine security rules without interrupting current access levels. The ability to make changes without activation ensures that modifications can be tested against existing setups before they go live.

In the context of the other statements, activating changes when modifying rule criteria is indeed necessary to enforce those updates, while rules can often be reused across multiple groups, and there is no requirement for each security group to have completely unique criteria, which could lead to inefficient administration of those rules.