Inside DigitalOcean’s SOX Compliance Playbook

ConductorOne docs

Set up a Workday connector

ConductorOne provides identity governance and just-in-time provisioning for Workday. Integrate your Workday instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Capabilities

ResourceSyncProvision
Accounts
Workers

Available hosting methods

Choose the hosting method that best suits your needs:

MethodAvailabilityNotes
Cloud hostedA built-in, no-code connector hosted by ConductorOne.
Self-hostedA connector hosted and run in your own environment.

Gather Workday credentials

Each setup method requires you to pass in credentials generated in Workday. Gather these credentials before you move on.

A user with the permission to create a new API client in Workday must perform this task.

Create a new Workday API client

  1. In Workday, use the search bar to look up “Register API Client for Integrations”. Make sure to select this name from the results, not the similarly named “Register API Client”.

  2. In the modal that appears, give the new API client a name, such as “ConductorOne integration”.

  3. In the Scopes box, select Custom Objects and search for “Staffing”. Select Staffing and click OK.

  4. The newly created client’s client ID and client secret are shown. Carefully copy and save these credentials.

    Do not click Done at the bottom of the page yet.

Create a refresh token

  1. Next, click the three dots icon next to the client name and navigate to API Client > Manage Refresh Tokens for Integrations.

  2. Select the Workday account you want to associate with the token and click OK.

  3. On the Delete or Regenerate Refresh Token page, scroll down and check the Generate New Refresh Token box.

  4. Click OK.

  5. Carefully copy and save the new refresh token.

Create a new security group

  1. Still in Workday, use the search bar to look up “Maintain Permissions for Security Group”.

  2. In the Maintain Permissions for Security Group modal, make sure the Maintain button is selected.

  3. In the Source Security Group field, navigate to By Type > Integration System Security Group.

  4. Create a new security group. Give it a name, such as “ConductorOne integration security group”.

  5. On the new group’s Domain Security Policy Permissions tab, leave the Select All box checked.

  6. Click the + icon to create a new row, and fill it out as follows:

    • View/Modify Access: View Only
    • Domain Security Policy: Worker Data: Public Worker Reports

  7. Click OK.

  8. Next, activate the security policy changes. Search for “Activate Pending Security Policy Changes”.

  9. Add a comment about the change you’re making and click OK.

  10. Review the changes and if everything looks good, click the Confirm checkbox, then click OK.

Assign the security group to the Workday account

  1. Still in Workday, use the search bar to look up “View Workday Account” and select the Workday account you used when generating the token.

  2. Click the three dots icon next to the account name and navigate to Security Profile > Assign Integration System Security Groups.

  3. Select the security group you created and click OK.

That’s it! Next, move on to the instructions for your chosen setup method.

Set up a Workday cloud-hosted connector

To complete this task, you’ll need:

  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Workday credentials generated by following the instructions above

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Workday and click Add.

  3. Choose how to set up the new Workday connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. Find the Settings area of the page and click Edit.

  7. In the Client ID, Client Secret, and Refresh Token fields, enter the relevant credentials.

  8. Enter the full URL of your Workday tenant in the Workday URL field.

  9. Enter the Workday tenant name in the Tenant Name field.

  10. Click Save.

  11. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Workday connector is now pulling access data into ConductorOne.

Set up a Workday cloud-hosted connector using Terraform

As an alternative to the cloud-hosted setup process described above, you can use Terraform to configure the integration between Workday and ConductorOne.

See the ConductorOne Workday integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.

Troubleshooting the Workday connector

Make sure that the integration security group you created when configuring the connector has the domain security policy applied to Report/Task Permissions only.

  1. In Workday, use the search bar to look up “View Security Group”, then navigate to Security Groups > Integration System Security Group (Unconstrained) and select the security group you just created.

  2. On the security group’s page, click the three dots icon next to the security group name and navigate to Security Group > Manage Domain Permissions for Security Group.

  3. Make sure that Worker Data: Public Worker Reports is shown in the Domain Security Policies permitting View access box.