Skip to main content

Which Workday connector should I use?

ConductorOne offers two Workday connectors: Workday and Workday Accounts (WQL). How you want to work with Workday in ConductorOne will determine which one you should set up.
  • Workday connector: This connector is the best choice if you want to use Workday as a directory. You’ll also need it if you want to enable access requests for Workday role and group assignments.
  • Workday Account (WQL) connector: This connector utilizes the Workday Query Language (WQL), which allows it to pull a different data set than the Workday connector. Workday Accounts (WQL) is the best choice if you want to review who has what kind of access to Workday in your organization, including account type and service center assignments.
ResourceWorkday connector*Workday Accounts (WQL) connector
AccountsSyncSync
RolesSync
Security groupsSyncSync
Account type (Implementers and Integration Users)Sync
Service centersSync
*If the Workday connector is configured using a custom report (see below), it can also pull in information on the account owner’s organization, title, and manager.

Capabilities

ResourceSyncProvision
Accounts
Roles
Security groups

Gather Workday credentials

Configuring the connector requires you to pass in credentials generated in Workday. Gather these credentials before you move on.
To authenticate with Workday, you can use either an API client or a Report-as-a-service (RaaS) custom report in CSV or JSON format.Which authentication method should I use? The API client option pulls available data about Workday accounts, such as each account’s manager and manager email, which can be used as user attributes. The custom report method only pulls data that is explicitly named in the report into ConductorOne.The RaaS custom report option is often preferred by Workday Admins and HR teams, as it’s Workday’s preferred integration method. RaaS allows you fine-grained control over what data is sent to ConductorOne. Additionally, it allows you to transform the format of Workday attributes as needed before sending them to ConductorOne.Follow the relevant set of instructions below to generate your credentials.

Option 1: Authenticate using API client credentials

Here’s the reorganized documentation, with the ISU creation step added in the correct sequence, and the security group assignment moved to be with the ISU creation.

Create Workday API Client Credentials

A user with the permission to create a new API client in Workday must perform this task.
The process involves creating an Integration System User (ISU), creating a security group, associating the ISU with the security group, and then registering the API client and generating a refresh token.

Create an Integration System User (ISU)

1
In Workday, use the search bar to look up “Create Integration System User”.
2
In the Create Integration System User modal, enter a User Name, such as “ConductorOne integration”.
3
Enter and confirm a strong Password for this user.Optionally, you can provide a New Password Never Expires if appropriate for your security policies.
4
Click OK.
5
Make note of the User Name you created, as you will need it later.

Create a new Security Group

1
In Workday, use the search bar to look up “Maintain Permissions for Security Group”.
2
In the Maintain Permissions for Security Group modal, make sure the Maintain button is selected.
3
In the Source Security Group field, navigate to By Type > Integration System Security Group.
4
Create a new security group. Give it a name, such as “ConductorOne integration security group”.
5
On the new group’s Domain Security Policy Permissions tab, leave the Select All box checked.
6
Click the + icon to create six (or seven, see below) new rows, and fill them out as follows:Row 1:
  • View/Modify Access: View Only
  • Domain Security Policy: Worker Data: Public Worker Reports
Row 2:
  • View/Modify Access: View Only
  • Domain Security Policy: Reports: Organization
Row 3:
  • View/Modify Access: View Only
  • Domain Security Policy: Security Administration
Row 4:
  • View/Modify Access: View Only
  • Domain Security Policy: Manager: Organization Roles
Row 5:
  • View/Modify Access: View Only
  • Domain Security Policy: Person Data: Work Email
Row 6:
  • View/Modify Access: View Only
  • Domain Security Policy: Worker Data: Current Staffing Information
Row 7 (needed only if title data is split out from the inherent staffing parent domain):
  • View/Modify Access: View Only
  • Domain Security Policy: Worker Data: Staffing Business Title
7
Click OK.

Assign the Security Group to the Integration System User (ISU)

1
Still in Workday, use the search bar to look up “View Workday Account” and select the Integration System User (ISU) you created previously.
2
Click the three dots icon next to the account name and navigate to Security Profile > Assign Integration System Security Groups.
3
Select the security group you created and click OK.

Activate Security Policy Changes

1
Next, activate the security policy changes. Search for “Activate Pending Security Policy Changes”.
2
Add a comment about the change you’re making and click OK.
3
Review the changes and if everything looks good, click the Confirm checkbox, then click OK.

Create a New Workday API Client

1
In Workday, use the search bar to look up “Register API Client for Integrations”. Make sure to select this name from the results, not the similarly named “Register API Client”.
2
Give the new API client a name, such as “ConductorOne integration”.
3
In the Integration System User field, select the ISU you created earlier. This is crucial for associating the API client with the correct permissions.
4
In the Scopes box, select Custom Objects and search for “Staffing”. Select Staffing and Organizations and Roles and click OK.
5
The newly created client’s client ID and client secret are shown. Carefully copy and save these credentials.Do not click Done at the bottom of the page yet.

Create a Refresh Token

1
Next, click the three dots icon next to the client name and navigate to API Client > Manage Refresh Tokens for Integrations.
2
Select the Integration System User (ISU) you want to associate with the token (this should be the same ISU you selected when registering the API client) and click OK.
3
On the Delete or Regenerate Refresh Token page, scroll down and check the Generate New Refresh Token box.
4
Click OK.
5
Carefully copy and save the new refresh token.
That’s it! Next, move on to the connector configuration instructions.

Option 2: Authenticate using a custom report

A user with the permission to create a custom report in Workday must perform this task.

Set up the custom report

1
In Workday, navigate to the Tasks and Reports menu and select Create Custom Report.
2
When setting report details, set the report type to Advanced and mark Enable As Web Service.
3
When setting data sources, disable the Optimized for Performance option and select All Workers as the data source.
At this point, you can create the custom report in either JSON (recommended) or CSV format by following the relevant directions below.

Expected custom report contents when using the JSON format

When using the JSON format for custom reports, the connector expects a specific structure. Below is a table of the supported fields: Suggested Data Source: All Active and Terminated Workers
Column Heading Override XML Alias/Column Heading OverrideRequiredDescriptionSuggested Workday Object Field
user_idYesUnique identifier for the userWorker: Employee ID
emailNoUser’s email addressWorker: Email - Primary Work
first_nameYesUser’s first nameWorker: First Name
middle_nameNoUser’s middle nameWorker: Middle Name
last_nameYesUser’s last nameWorker: Last Name
activeYesBoolean indicating if user is activeWorker: Active Status
org_nameNoUser’s department or organizationWorker: Supervisory Organization Name
business_titleNoUser’s job titleWorker: Business Title
security_groupsNoUser’s security groupsWorker: User-Based Security Groups for User
rolesNoUser’s rolesWorker: Organization Roles
manager_nameNoManager’s nameCalculated Field - Lookup Related Value: Worker: Manager Level 01: Full Name
manager_emailNoManager’s emailCalculated Field - Lookup Related Value: Worker: Manager Level 01: Email - Primary Work
Notes:
  • The order of the fields does not matter.
  • The Column Heading Override XML Alias value MUST match Column Heading Override.
  • You may substitute the suggested Workday object fields with alternatives as long as they provide equivalent data.

Expected custom report contents when using the CSV format

Add the following fields to the custom report in this order:
  • Active Status
  • User Name
  • Employee ID
  • Worker
  • Security Group
  • Role Name
  • Organization
  • Organization Type
The fields needed in custom reports can vary depending on how your Workday installation is configured. Contact ConductorOne support if you need help figuring out which fields to include.
  1. Create the custom report.

Look up the custom report URL

1
On the Report Definition page, click the Related Actions (three dots) button.
2
Navigate to Actions > Web Service > View URLs.
3
Right-click on the JSON or CSV (as relevant) URL, then carefully copy and save it.
That’s it! Next, move on to the connector configuration instructions.

Configure the Workday connector

To complete this task, you’ll need:
  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Workday credentials generated by following the instructions above
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.
1
In ConductorOne, navigate to Admin > Connectors and click Add connector.
2
Search for Workday and click Add.
3
Choose how to set up the new Workday connector:
  • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
  • Add the connector to a managed app (select from the list of existing managed apps)
  • Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
If using an API client to authenticate, select API client and fill our the form:
  1. Enter the Client ID, Client secret, and Refresh token in the relevant fields.
  2. Enter the full URL of your Workday tenant in the Workday URL field.
  3. Enter the Workday tenant name in the Tenant Name field.
8
If using a custom report to authenticate, select Custom report and fill out the form:
  1. Enter the Report URL, Report username, and Report user password in the relevant fields.
  2. Optional. To include extra Workday data in the sync, in the Additional report fields field, enter any additional field names from the Workday JSON report that you want to include in user profiles. Press Enter between each field name. Fields that return multiple values (such as roles or security_groups) are not supported.
9
Click Save.
10
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Workday connector is now pulling access data into ConductorOne.