Linking your Workday account
Prerequisites
- Ensure you are an admin of your Workday account before starting.
- After logging into Workday, search for “View API Clients”
- If you can not see this menu item, you are not an admin of the Workday account.
- If you do not see this menu item, figure out who your Workday Admin is and ask them to give your account sufficient permissions or to take over the integration process.
Overview
Estimated, overall setup time: 30 minutes.
Fundamentally, there are 3 main steps you have to complete to set up the integration:
1. You have to create a new integration system user and security group for that user,
2. You have to assign the required permissions to the security group and activate the changes,
3. (Optional, rarely needed: You have to generate a new API client.)
That’s it! The rest of this document is a step-by-step walkthrough of everything you need to know and do to set up the integration.
Find your Workday Service URL
- Click on the “Search” field at the top and enter “View API Clients”
- Click on the task “View API Clients” that just appeared
- At the top of the page that just appeared find and copy the “Workday REST API Endpoint”
Add an integration system user (ISU)
- Click on the “Search” field at the top and enter “Create Integration System User”
- Click on the task “Create Integration System User” that just appeared
- In the dialog that just opened, enter a username and generate a secure password.
You can leave the other fields untouched - At the bottom of the dialog, click “OK”
Add the ISU to your list of system users
While the newly created ISU will work for linking your Workday account, its password will expire after some time unless you add it to your list of system users.
Create a security group and assign the ISU to it
- Click on the “Search” field at the top and enter “Create Security Group”
- Click the task “Create Security Group” that just appeared
- On the page that just appeared locate the dropdown “Type of Tenanted Security Group” and select “Integration System Security Group (Unconstrained)“
- For the “Name” enter the value of the “User Name” when creating the ISU earlier (in this case it would be test_isu, but yours will be different)
- At the bottom of the page, click “OK”
- On the next page, the only thing you have to do is go to the field “Integration System Users” and add the user you created earlier. You can do this by clicking on the field and typing in the name of the ISU (in this case “test_isu”)
- After that, go ahead and click “OK”
Add the required permissions to the security group
- Click on the “Search” field at the top and enter “Maintain Permission for Security Group”
- Click on the task “Maintain Permission for Security Group” that just appeared
- In the window that just appeared, make sure you have the option “Maintain” selected
- Click the field “Source Security Group”, enter the name of the group (in this case test_isu) and hit enter. Then click on the security group to select it.
- Click “OK”
- In the window that just appeared, you can add the permissions you want for the ISU. You can find the list of permissions needed in the connection flow.
_
The list of permissions here is only an example. Please check your own permissions in the connection flow.
For each permission, repeat the following process:
1. Make sure the tab “Domain Security Policy Permissions” is selected
2. Click on the icon with the ”+” on it
3. Click on the cell in the column “View/Modify Access”
If the permission says “Get:”, select “Get Only”. Otherwise select “Get and Put”
4. Click on the cell in the column “Domain Security Policy”,
type in the name of the policy (i.e. “Integration: Build”), hit enter and click on the item that just appeared in a list
Activate your changes
After making any changes to your Workday security policy settings, make sure to apply those changes by executing the “Activate Pending Security Policy Changes” task. Without that, none of your changes with take effect.
- Click on the “Search” field at the top and enter “Activate Pending Security Policy Changes”
- Click on the task “Activate Pending Security Policy Changes” that just appeared
- In the window that just appeared, add any comment for applying the changes (i.e. “Grant ISU test_isu necesssary permissions for integratons”
- Click “OK”
- In the new window, check the box “Confirm”
- Click “OK”
Create an API client
If you want to read/write absence (time off) data from your Workday instance (most of the time this isn’t the case), you will need also to follow these additional setup steps. In case this is necessary, the connection flow will explicitly prompt you for absences data (“Absence Management via REST API”), and you will also get an appropriate error message if you need to set it up but haven’t.
In all other cases you can skip the steps below.
-
Click on the “Search” field at the top and enter “Register API Client for Integrations”
-
Click on the task “Register API Client for Integrations” that just appeared
-
In the window that just appeared, enter a “Client Name”, i.e. “test_isu API client”
-
Make sure the option “Non-Expiring Refresh Tokens” is turned on
-
For the field “Scope (Functional Areas)”, enter the values
Tenant Non-ConfigurableStaffing
Time Off and Leave
System
-
Click “OK”
-
In the new window, copy the Client ID and Client Secret for later use, then do not click “Done”
-
Still on the same page, click the three dots at the top, then “API Client” > “Manage Refresh Tokens for Integrations”
-
In the new window, enter the name of the ISU that you created earlier
-
Click “OK”
-
In the new window, check the box for “Generate New Refresh Token”
-
Click “OK”
-
In the new window, copy the refresh token and store it for later use
Troubleshooting “Invalid username or password!” issues
If you are experiencing trouble logging in due to an error “Invalid username or password!”, try the following:
- Search for “Manage Authentication Policies” in the top bar.
- Click on “Edit” next to the policy
- Create a new “Authentication Rule” by clicking on the + in the top left
- Assign the Security Group that was made earlier to this new rule, and name the rule something relevant.
- Click the + next to “Authentication Condition Name”, name it something relevant.
- Ensure that the “Allowed Authentication Types” is either set to “Specific: User Name Password”, or “Any”.
- Finally, search for “Activate All Pending Authentication Policy Changes” in the top bar, then confirm the changes made.