Endpoints we access
/service/{tenant_name}/Human_Resources
/api/absenceManagement/v1/{tenant_name}/workers/{employee_id}/timeOffDetails
/api/absenceManagement/v1/{tenant_name}/workers
Prerequisites
Please ensure you fulfill all the requirements to set up the integration:
You have Administrator permissions in your company's Workday instance
Step 0: Find the Workday Integration in Adaptive
Navigate to Employees > Sources to view our integrations. For Workday to be your source of truth for provisioning and de-provisioning records, find it in the drop down of the Primary Identity Source section
Once you click Install > Connect, select the below option to continue configuration.
From there you will be taken through the setup flow. The following steps will guide you through the steps you need to take it Workday to then enter information in our setup flow.
Step 1: Create an Integration System User (ISU)
In your Workday portal, log into the Workday tenant
In the Search field, type Create Integration System User
Select the Create Integration System User task
On the Create Integration System User page, in the Account Information section, enter a user name, and enter and confirm a password
Important: "&", "<", or ">" characters cannot be included in the password
Click OK
To ensure the password doesn't expire, you'll want to add this new user to the list of System Users. To do this, search for the Maintain Password Rules task.
Add the ISU to the System Users exempt from password expiration field
Enter the Integration System User name in the linking flow
Enter the Integration System User password in the linking flow
Step 2: Create a Security Group and assign an Integration System User
In the Search field, type Create Security Group
Select the Create Security Group task.
On the Create Security Group page, select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group pull-down menu.
In the Name field, enter a name
Click OK
On the Edit Integration System Security Group (Unconstrained) page, in the Integration System Users field, enter the same name you entered when creating the ISU in the first section
Click OK
Step 3: Configure domain security policy permissions
In the Search field, type Maintain Permissions for Security Group
Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2
On the next screen, add the corresponding Domain Security Policies depending on your use case:
Step 4: Configure domain security policies based on your use case
All of the data requests we make to Workday are in the form of SOAP requests, EXCEPT for Time Off data. Workday only supports the full breadth of Time Off data through their REST API, which requires a different set of credentials and domain permissions you can find in the section below.
If you are not interested in time off data
Overview
You will need to configure different permission domains in your Workday ISU for HRIS versus ATS data. This guide will walk you through the permissions you need for HRIS data.
Permissions
Please note that the permissions listed below are the required permissions for the full HRIS integration. Required permissions can differ based on the use case.
Operation | Domain Security Policy |
Get Only | Worker Data: Public Worker Reports |
Get Only | Person Data: Name |
Get Only | Person Data: Personal Data |
Get Only | Person Data: Home Contact Information |
Get Only | Person Data: Work Contact Information |
Get Only | Worker Data: Compensation |
Get Only | Worker Data: Workers |
Get Only | Worker Data: All Positions |
Get Only | Worker Data: Current Staffing Information This is required to surface Employment Status of Employees |
Get Only | Worker Data: Employment Data |
Get Only | Worker Data: Compensation - All Worker’s Positions Past and Present This is required to pull Historical Employments |
Get Only | Worker Data: Organization Information |
Get Only | Reports: Pay Calculation Results for Worker (Results) |
Get Only | Worker Data: Payroll |
Get Only | Process: Export Time Blocks This is required to retrieve Timesheet Entries |
Get Only | Worker Data: Time Off* |
How to Get Timeoff Data from Workday:
Overview
To access Time Off data, you will need both GET and View Access to the Time Off domains.
Here are the minimum set of domains you will need enabled:
Operation | Domain Security Policy |
Get Only | Worker Data: Current Staffing Information |
Get Only | Worker Data: Public Worker Reports |
View Only | Worker Data: Public Worker Reports |
Get Only | Worker Data: Time Off |
View Only | Worker Data: Time Off |
Get Only | Worker Data: Time Off (Time Off) |
View Only | Worker Data: Time Off (Time Off) |
Get Only | Worker Data: Time Off (Time Off Balances Manager View) |
View Only | Worker Data: Time Off (Time Off Balances Manager View) |
Get Only | Worker Data: Time Off (Time Off Balances) |
View Only | Worker Data: Time Off (Time Off Balances) |
Get Only | Worker Data: Time Off (Time Off Manager View) |
View Only | Worker Data: Time Off (Time Off Manager View) |
Once you have finished the main guide, the steps below will guide you in creating an API Client that we can use to access the Time Off data.
Step 5: Create a new API Client for Integrations
In the Search field, type Register api client for integrations.
Select the Register API Client for integrations task.
On the Register API client for Integrations page, in the Client Name field, any name for your API client.
Select the Non-Expiring Refresh Tokens option.
In the Scope (Functional Areas) field, select:
Tenant Non-Configurable
Staffing
Time Off and Leave
Click OK.
The client ID and client secret are displayed.
Save the Client Secret and Client ID.
Click Done
Enter the Client Secret and Client ID to the linking flow
Step 6: Generate a non-expiring Refresh Token
In the Search field, type View API client.
Select the View API Clients task.
On the View API Clients page, click the API Clients for Integrations tab.
Click the client you created in Create a new API Client for Integrations.
Click API Client > Manage Refresh Tokens for Integrations.
On the Manage Refresh Tokens for Integrations page, in the Workday Account field, enter the Workday account of a user who has access to the custom report.
Set up the user as a service account instead of an actual Workday user to prevent permissions being removed from the account due to a job change.
Click OK.
Return to the Workday home page.
In the Search field, type Register api client for integration.
On the Delete or Regenerate Refresh Token page, select the Generate New Refresh Token option.
Click OK.
On the Successfully Regenerated Refresh Token Page, copy the refresh token.
Click Done.
Add the Refresh Token to the linking flow.
Step 7: Find your Token Endpoint URL
Log in to the Workday tenant.
In the Search field, type View API Client.
Select the View API Clients task.
On the View API Clients page, save the URL in the Token Endpoint field.
Add the Workday OAuth Token URL to the linking flow
FAQ
If you are running into issues, see our article around Common Workday Problems.