Contents
- Requirements
- Create an Integration System User (ISU)
- Create a Security Group and assign an Integration System User
- Configure domain security policy permissions
- Permissions for HRIS data
- Activate security policy changes
- Validate the authentication policy is sufficient
- Activate all pending authentication policy changes
- Obtain the web services endpoint URL
- Learn more
Note: The written instructions below are updated more frequently than our video guide, which may not always reflect the latest changes to Workday's interface.
Requirements
- To authenticate your Workday account, you will need to provide the following information:
- WSDL
- ISU Username
- ISU Password
- Workday Tenant Name
- You have Administrator permissions in your company's Workday instance
Important:
- Implementation/sandbox tenant Workday accounts will result in slower syncs, as fewer resources are dedicated to the tenant
- In order to increase resourcing for API limits for your Workday tenant, please reach out to Workday Support or your Workday Customer Account Manager.
- You can submit a request to Workday Support through the Workday Community support portal
Create an Integration System User (ISU)
- In your Workday portal, log into the Workday tenant
- In the Search field, type Create Integration System User
- Select the Create Integration System User task
- On the Create Integration System User page, in the Account Information section, enter a user name, and enter and confirm a password. Important: "&", "", or ">" characters cannot be included in the password
- Click OK
- To ensure the password doesn't expire, you'll want to add this new user to the list of System Users. To do this, search for the Maintain Password Rules task.
- Add the ISU to the System Users exempt from password expiration field
- Enter the Integration System Username and Password in the linking flow
Create a Security Group and assign an Integration System User
-
In the Search field, type Create Security Group. Select the Create Security Group task.
- On the Create Security Group page, select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group pull-down menu.
- In the Name field, enter a name
- Click OK
-
On the Edit Integration System Security Group (Unconstrained) page, in the Integration System Users field, enter the same name you entered when creating the ISU in the first section
- Click OK
Configure domain security policy permissions
-
In the Search field, type Maintain Permissions for Security Group
-
Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2
- On the next screen, add the corresponding Domain Security Policies depending on your use case:
Permissions for HRIS data
You will need to configure different permission domains in your Workday ISU for HRIS. This guide will walk you through the permissions you need for HRIS data.
Please note that the permissions listed below are the required permissions for the full standard HRIS integration. Required permissions can differ based on the use case. If your use case does not require certain data (e.g., Employee's Dependent data or Timesheet Entries), you can exclude the permissions.
For a more detailed breakdown, see the Breakdown of domains section below.
| Operation | Domain Security Policy |
|---|---|
| Get Only |
Worker Data: Public Worker Reports This is the minimum required permission |
| Get Only |
Person Data: Private Work Email Integration This is required to surface work email of Employees |
| Get Only |
Person Data: Public Work Email Address Integration This is required to surface work email of Employees |
| Get Only | Worker Data: Time Off |
Breakdown of domains
| Parent Domain | Subdomain |
|---|---|
| Person Data: Work Contact Information |
Person Data: Work Email Person Data: Public Work Email Address |
| Worker Data: Time Off |
Worker Data: Time Off (Time Off) Worker Data: Time Off (Time Off Balances) Worker Data: Time Off (Time Off Balances Manager View) Worker Data: Time Off (Time Off Manager View) |
Activate security policy changes
-
In the search bar, type "Activate Pending Security Policy Changes" to view a summary of the changes in the security policy that needs to be approved
- Add any relevant comments on the window that pops up
-
Confirm the changes in order to accept the changes that are being made and hit OK
Validate the authentication policy is sufficient
-
Search for Manage Authentication Policies
-
Click Edit on the authentication policy row
-
Create an Authentication Rule
-
Enter a name, add the Security Group, and ensure Allowed Authentication Types is set to Specific User Name Password or Any
Note: You don't have to create a new Authentication Rule if you already have an existing one set to User Name Password or Any. You can add the ISU you created to that rule instead. You will need to create a new rule if SAML is the only Authentication Rule you see for "Allowed Authentication Types."
Activate all pending authentication policy changes
-
In the search bar type, activate all pending authentication policy changes
- Proceed to the next screen and confirm the changes. This will save the Authentication Policy that was just created or edited
Obtain the web services endpoint URL
-
Search in Workday for Public Web Services
-
Find Human Resources (Public) to connect Workday HRIS. Click the three dots to access the menu. Click Web Services > View WSDL
- Navigate to the bottom of the page that opens (it may take a few seconds to load)
-
Copy the full URL provided under Human_ResourcesService (Workday HRIS). The URL will have a format similar to
https://wd2-impl-services1.workday.com/ccx/service/acme/Human_Resources/v43.0
-
Enter the Web Services Endpoint URL into the linking flow
- Click Submit