# Workday
Workday (opens new window) is a cloud financial management and human capital management software that seamlessly combines finance and HR for greater business performance and visibility into organizational data.
Workday has 3 primary types of services that can be used to integrate data. Firstly, the Workday Web Services is a set of SOAP APIs which enable users t o read and write data in and out of Workday. Next, the Workday REST is a set of REST APIs predominantly used to manipulate custom objects. Lastly, the Workday Report-as-a-Service (RaaS) allows reading data from all custom reports (must be web service enabled first).
Workato uses these services to create powerful integration scenarios and sync data between your Workday instance and other cloud applications.
# Workday Approved
Workday Approved Badge
Our Workday connector is Workday Approved for all HR Onboarding/HCM use case(s).
# API version
These are the versions Workato uses/supports for each Workday services:
# Workday Web Services
- v29.0
- v32.2
- v34.0
- v35.2
- v36.2
- v38.2
- v39.0
- v40.2
# Workday REST
- v1
# Workday Report-as-a-Service (RaaS)
There are no versions associated with the Workday RaaS.
# How to connect to Workday on Workato
# Before connecting to Workday
Workday recommends using an Integration System User (ISU) for integration using third party services like Workato. There are a few reasons for this. Firstly, all operations performed by the integration will be logged under this worker instead of one dedicated for integration and workflow processes. Furthermore, if this worker security profile changes, or if the worker is terminated, integrations that rely on this worker's user account will no longer work. For security reasons, each ISU should be restricted to a single integration system (like Workato).
Furthermore, you may need to register a Workday API client if you will be working with custom objects. This is required since authentication to use the Workday REST API requires an OAuth client setup.
# Register Integration System User
The ISU should have all the permissions needed to perform the required actions for your integration scenario. When building recipes, you may encounter a 403
error, it means that the ISU does not have sufficient permission for the action.
Error message when ISU does not have enough permission
Step | Description |
---|---|
Create Security Group | Access the Create Security Group task and create an Integration System Security Group. ![]() |
Grant Domain access to Security Group | To grant the security group access to the domains required by your integration, follow these steps for each domain:
Next, access the Activate Pending Security Policy Changes task and activate these changes. ![]() |
Create ISU account | Access the Create Integration System User task and configure a Workday user account for the integration. ![]() Keep the Session Timeout Minutes default value of 0 to prevent session expiration. An expired session can cause the integration to time out before it successfully completes. Select the Do Not Allow UI Sessions checkbox if you wish to prevent the integration system user from signing in to Workday through the UI. To avoid integration errors caused by expired passwords, Workday recommends that you prevent Workday user passwords from expiring. Access the Maintain Password Rules task and add the integration system user to the System Users exempt from password expiration field. |
Assign Security Group to ISU | As a related action on the Workday user, select Security Profile > Assign Integration System Security Groups. At the Integration System Security Group to Assign prompt, select the security group that you created. Access the View Integration System report and access the Connector or Studio integration. Select Workday Account > Edit as a related action on the integration system. On the Edit Account for Integration System task, select the ISU account that you created. |
Optional | In the Global Preferences area, select a preferred locale and display language for the integration system user. These settings control what language Workday uses for the integration data. An outbound integration sends data in the preferred language and an inbound integration saves data in the preferred language. If you leave these fields blank, Workday uses the default locale and display language for integration data. |
You may find out more about setting up an ISU in the Workday documentation (opens new window).
# Register API Client
This step is required only if you wish to work with custom objects in Workday.
Registering a new client
Navigate to "Register API Client" in your Workday instance.
- Select Authorization Grant
- Use
https://www.workato.com/oauth/callback
as the Redirection URL - Add the necessary scope you wish to grant access for
API client credentials
Remember to save the Client ID, Client Secret, Authorization Endpoint and Token Endpoint. They will be required for the Workday integration connector setup.
# Setting up the connection to Workday
The Workday connector is currently split into 3: the main Workday connector, the Workday Web Services connector, and the Workday REST connector. All of them generally follow the same authentication pattern, albeit with slight variations on what's supported in each connector.
# Workday connector
TIP
Workato recommends using OAuth 2.0 or basic authentication separately. Do not use the now deprecated "Hybrid" authentication method.
The Workday connector supports OAuth 2.0 and basic authentication methods. Please note that OAuth 2.0 is required to work with Workday REST API and custom objects.
Workday connector connection fields
Connection field | Description |
---|---|
Connection name | Give this Workday connection a unique name that identifies which Workday tenant it is connected to. |
Location | Where the connection should be stored within the workspace. |
Authentication type | Supports either OAuth 2.0 or basic authentication (username/password). |
Workday web services version | Select the web services version you want to use from the list of supported web services. |
Tenant ID | Tenant ID is found in the URL when you are logged into Workday. For example, if the URL of your Workday tenant is https://impl.workday.com/sample_company/d/home.html (opens new window), tenant ID is sample_company |
WSDL URL | This URL is used to generate schema and forms the base URI for every API requests. Find out how to obtain this URL from this Workday article (opens new window). The default is https://wd2-impl-services1.workday.com/ccx/service/ (opens new window) |
[Basic Auth] Login name | This should be the login name for the ISU. |
[Basic Auth] Password | This should be the login password for the ISU. |
[OAuth 2.0] Client ID | Client ID of the API Client you created to connect to Workato. Only required if using custom objects. |
[OAuth 2.0] Client secret | Client secret of the API Client you created to connect to Workato. Only required if using custom objects. |
[OAuth 2.0] Refresh token | Refresh token of the API Client you created to connect to Workato. Only required if using custom objects. |
[OAuth 2.0] Authorization endpoint | Authorization endpoint of the API Client you created to connect to Workato. Only required if using custom objects. |
[OAuth 2.0] Token endpoint | Token endpoint of the API Client you created to connect to Workato. Only required if using custom objects. |
[Optional] Workday tenant timezone | The timezone in your Workday tenant settings. By default, Workday returns data effective from the current day in PST time, which might differ from your Workday tenant's timezone. |
[Optional] Advanced XML payload for multiple ID values | By default, when Workato constructs the XML from your input, fields with multiple values are each wrapped within a container. For example: <languages><language>english</language></languages><languages><language>chinese</language></languages> Setting the value to yes will unwrap them as follows: <languages><language>english</language><language>chinese</language></languages> Consider enabling this for newer Workday Web Services version, or when you encounter invalid payload errors. |
# Workday Web Services connector
The Workday Web Services connector supports both basic and OAuth 2.0 authentication methods.
Workday Web Services connector connection fields
Connection field | Description |
---|---|
Connection name | Give this Workday connection a unique name that identifies which Workday tenant it is connected to. |
Workday web services version | Select the web services version you want to use from the list of supported web services. |
Tenant ID | Tenant ID is found in the URL when you are logged into Workday. For example, if the URL of your Workday tenant is https://impl.workday.com/sample_company/d/home.html (opens new window), tenant ID is sample_company |
WSDL URL | This URL is used to generate schema and forms the base URI for every API requests. Find out how to obtain this URL from this Workday article (opens new window). The default is https://wd2-impl-services1.workday.com/ccx/service/ (opens new window) |
Authentication type | Supports either OAuth 2.0 or basic authentication (username/password). |
[Basic Auth] Login name | This should be the login name for the ISU. Required when authenticating via basic authentication. |
[Basic Auth] Password | This should be the login password for the ISU. Required when authenticating via basic authentication. |
[OAuth 2.0] Client ID | Client ID of the API Client you created to connect to Workato. Required when authenticating via OAuth 2.0. |
[OAuth 2.0] Client secret | Client secret of the API Client you created to connect to Workato. Required when authenticating via OAuth 2.0. |
[OAuth 2.0] Refresh token | Refresh token of the API Client you created to connect to Workato. Required when authenticating via OAuth 2.0. |
[OAuth 2.0] Authorization endpoint | Authorization endpoint of the API Client you created to connect to Workato. Required when authenticating via OAuth 2.0. |
[OAuth 2.0] Token endpoint | Token endpoint of the API Client you created to connect to Workato. Required when authenticating via OAuth 2.0. |
[Optional] Workday tenant timezone | The timezone in your Workday tenant settings. By default, Workday returns data effective from the current day in PST time, which might differ from your Workday tenant's timezone. |
# Workday REST connector
The Workday REST connector supports authenticating via an OAuth client setup.
Workday REST connector connection fields
Connection field | Description |
---|---|
Connection name | Give this Workday connection a unique name that identifies which Workday tenant it is connected to. |
REST API endpoint | The API of the rest endpoint to be used. Can be found in the API client details page. |
Authorization endpoint | Authorization endpoint of the API Client you created to connect to Workato. |
Token endpoint | Token endpoint of the API Client you created to connect to Workato. |
Client ID | Client ID of the API Client you created to connect to Workato. |
Client secret | Client secret of the API Client you created to connect to Workato. |
Refresh token | Refresh token of the API Client you created to connect to Workato. |
# What's next
More details on the capabilities of the Workday connector can be found in the following sections:
# Triggers
- New/updated business object trigger
- New/updated business object batch trigger
- Scheduled report trigger
- Scheduled report using WQL trigger
# Actions
- Call operation action
- Get custom object action
- Get report action
- Get report using WQL action
- List custom object definitions action
- Create/update custom object action
# Wiki
Last updated: 8/8/2023, 4:32:41 PM