Workday (OAuth)

Log into Workday

Log into your Workday account. Look at the address bar at the top of the browser window where the URL is displayed. Find your tenant immediately after workday.com/.For example, if your URL is https://my-instance.workday.com/my-tenant/d/etc, your tenant is my-tenant.

Go to Public Web Services

Go to the Public Web Services report.

Find Human Resources

Find Human Resources and hover over it to be able to interact with the menu. Via the three-dots menu, go to Web Service and click on View WSDL (note that the page may take a minute to fully load).

Search for wsdl:service

Search for wsdl:service in the file OR navigate directly to the very bottom of the page. You should see something like this:

Copy everything before service in the location attribute. Do not include the https:// prefix. In the example tenant above, this would be wd2-impl-services1.workday.com/ccx but it may be different for your tenant (e.g., wd5-services1.myworkday.com/ccx).Save this value to be used in a later step.

Search for Create Integration System User

Log in to your Workday tenant in the Workday portal. In the Search field, search for “Create Integration System User”.

Choose the Task

Enter Account Information

Enter a username and password in the Account Information section on the “Create Integration System User” page.

Click OK

Search for Create Security Group

In the Search field, search for “Create Security Group”. Select the “Create Security Group” task.

Select Security Group Type

On the “Create Security Group” page, select “User-Based Security Group” from the Type of Tenanted Security Group pull-down menu. Enter a name in the Name field.

Some Workday Business Processes require User-Based Security Groups to access by default.

Click OK

Assign Security Group

Edit Permissions

The Workday HRIS integration currently requires all of the permissions listed below to be enabled for full support.Workday’s API may return an error response if any of these permissions are missing.

Edit the Domain Security Policy Permissions in the Security Group.You can reach this interface by searching for “Maintain Permissions for Security Group” in the search bar, and selecting the name of the Security Group you created in the previous step.This integration uses the following Workday Security Group Permissions. For each listed permission, add a row for either Get Only for read-only access, or Get and Put for read and write access in the View/Modify Access column.

“View” access may be required for accessing Custom Report and WQL data.

Please note that Security Group Permissions can be customized within a Workday organization, and this list does not account for such customizations.

• Access Leave Type (Segmented)
• Business Process Administration
• Integration Build
• Job Information
• Job Profile: View
• National ID Identification
• System Auditing
• View: National Identifiers - All
• Manage:
  • Location
  • Organization Integration
• Person Data:
  • Citizenship Status
  • Date of Birth
  • Disabilities
  • Gender
  • Home Address
  • Home Contact Information
  • ID Information
  • Marital Status
  • Name
  • Personal Data
  • Personal Information
  • Personal Photo
  • Work Address
  • Work Contact Information
• Reports:
  • Manager
  • Time Tracking
• Set Up:
  • Payroll
  • Payroll (ROE) - CAN
  • Time Off
  • Time Off (Calculations - Absence Specific)
• Worker Data:
  • Add Worker Documents
  • All Positions
  • Compensation
  • Current Staffing Information
  • Employment Data
  • Leave of Absence
  • Leave of Absence (Leave of Absence Manager View)
  • Organization Information
  • Public Worker Reports (requires ‘View’ access)
  • Time Off
  • Time Off (Time Off)
  • Time Off (Time Off Balances)
  • Time Off (Time Off Balances Manager View)
  • Time Off (Time Off Manager View)
  • Workers

Edit Required Business Process Security Policies

Open the “Edit Business Process Security Policy” task for the “Request Time Off” business process.

Grant Initiation Access

Search for Activate Pending Security Policy Changes

Troubleshooting REST Endpoint and Report Field Access

Troubleshooting Calculated Field Access

Go to Register API Client

Go to the Register API Client for Integration Task.

Register API Client

Register the API Client with the following details.

• Client Name: e.g. StackOne_Integrations
• Non-Expiring Refresh Tokens: Check the box
• Scopes: Select the required functional scopes to enable data access via API.
  • Advanced Compensation
  • Core Compensation
  • Implementation
  • Integration
  • Jobs & Positions
  • Organizations and Roles
  • Personal Data
  • Staffing
  • System
  • Tenant Non-Configurable
  • Time Off and Leave
  • Time Tracking
  • Workday Designer
  • Worker Profile and Skills

Select the option Include Workday Owned Scopes and click OK.

Copy the credentials

After registering the client, you will be redirected to a page displaying the Client ID and Client Secret. Make sure to copy and securely store these credentials.

Generate the Refresh token

Follow the steps below to generate the refresh tokens.

• At the top of the page, click the menu (⋯) icon.
• Select API Client from the menu.
• Click on Manage Refresh Tokens for Integrations.

Once you select menu (⋯) → API Client → Manage Refresh Tokens for Integrations, you will be redirected to a screen to choose your Workday account (the Integration System User you created earlier). Select the account and click OK.

Once you’re on the Refresh Token page, select Generate New Refresh Token and click OK.

Once the refresh token is generated successfully, copy the token and click Done.