Setup Workday

The Workday connector lets you connect to a Workday instance and access Workday resources using the published APIs.

Following details are required to establish the workday connection

  1. Workday API URL: This URL forms the base URI for every API request. Here are the steps to find out the URL:

    1. In Workday tenant, in the search bar, type: Public web services. Select the Public Web Services report.

    2. Hover over Human Resources and click the three dots to access the menu. Select Web Services. Select View WSDL.

    3. Navigate to the bottom of the page that opens and you'll find the host. Copy the URL. It should look something like: https://wd5-services1.myworkday.com/ccx/service.

image-20240410-192928.png
  1. Workday API version: API Version to use e.g “v40.1” - ensure you prefix the version with the letter “v”

  2. Workday Tenant Name: The tenant for the account. Tenant name is found in the URL when you are logged into Workday. For example, if the URL of your Workday tenant is https://impl.workday.com/sample_company/d/home.html, tenant name is sample_company

  3. Workday Username: The username to connect to the tenant. Workday recommends using an Integration System User (ISU) for integration using third party services like OnLink. This ensures all operations performed by the integration will be logged under this user, and can be audited. Furthermore, it avoids issues of workers getting terminated and their account no longer working.

  4. Workday Password: The password associated with the user.

Creating a Workday Integration System User

For Workday provisioning, Onward’s apps require an Integration System User in Workday with relevant set of permissions. This user account is used to consume data from Workday through the Workday APIs.

You might already have a suitable Integration System User. If not, use the following procedure to add one.

The Integration System User must be part of an Unconstrained Integration System Security Group with a series of Domain Security Policies granted to it to access the appropriate data.

  1. Go to your Workday tenant and enter “create integration system user” in the search field.

  2. Under Tasks & Reports, click Create Integration System User.

  3. Enter a username and password for the new user.

  4. Leave the Require New Password at Next Sign In option clear.

  5. For Session Timeout Minutes, enter 0. This option helps avoid any issues related to timeouts.

  6. Select Do Not Allow UI Sessions to prevent this user from signing into Workday.

  7. Click OK.

Adding the Integration System User to a Security Group

To ensure that the Integration System User can access the appropriate worker data, add it to an Unconstrained Integration System Security Group.

You might already have a suitable Security Group. If not, use the following procedure to add one.

  1. Go to your Workday tenant and enter “create security group” in the search field.

  2. Under Tasks & Reports, click Create Security Group.

  3. For Type of Tenanted Security Group, select Integration System Security Group (Unconstrained).

  4. Enter a name for the security group.

  5. Click OK.

  6. On the Edit Integration Security Group (Unconstrained) screen, add the appropriate user to the group under Integration System Users. You can search or browse for the appropriate user.

  7. Click OK.

Configuring the Domain Security Policy Permissions for the Security Group

Edit the security group to ensure that it has the appropriate permissions.

  1. Go to your Workday tenant and enter “maintain permissions for the security group” in the search field.

  2. Under Tasks & Reports, click Maintain Permissions for Security Group.

  3. For Operation, click Maintain.

  4. For Source Security Group, enter the name of the security group you created earlier.

  5. Click OK.

  6. On the next screen, under Domain Security Policy Permissions, add a separate row for each required Domain Security Policy. To add a new row click the + icon, enter the correct access level and the Domain Security Policy. 

  7. Below are the web services we call. Depending on your use case, add the relevant security policies to the group.

    1. Get Workers 

    2. Put Applicant 

    3. Terminate Employee

    4. Change Worker Contact Information

Activating the Security Policy Changes

After you have reviewed the permissions for the group, activate the security policy changes. If you don’t activate the security policy changes, the Integration System User will not have the necessary permissions.

  1. Go to your Workday tenant and enter “activate pending security policy changes” in the search field.

  2. Under Tasks & Reports, click Activate Pending Security Policy Changes.

  3. Add a comment to describe the security changes and then click OK.

  4. Review the pending security policy changes, then select the Confirm checkbox.

  5. Click OK.

Tip: Use the “Security Analysis for Securable Item and Account” report to figure out if your user has access to the relevant data.