Skip to main content

Integrating Workday

Updated over a year ago

Overview

To authenticate your Workday account, you will need to provide the following information:

  • WSDL

  • ISU Username

  • ISU Password

  • Workday Tenant Name

Prerequisites

Please ensure you fulfill all the requirements to set up the integration:

  • You have Administrator permissions in your company's Workday instance

Instructions

Step 1: Create an Integration System User (ISU)

  1. In your Workday portal, log into the Workday tenant

  2. In the Search field, type Create Integration System User

  3. Select the Create Integration System User task

  4. On the Create Integration System User page, in the Account Information section, enter a user name, and enter and confirm a password

  5. Click OK

Notes:

  • Due to xml encoding, "&", "<", and ">" cannot be included in the password

  • Ensure Require New Password at Next Sign In is NOT checked

  • You'll want to add this user to the list of System Users to make sure the password doesn't expire. To do this, search for the Maintain Password Rules task and add the ISU to the System Users exempt from password expiration field.

Step 2: Create a Security Group and assign an Integration System User

  1. In the Search field, type Create Security Group


    Select the Create Security Group task.

  2. Click OK

  3. On the Create Security Group page, from the Type of Tenanted Security Group pull-down menu, select Integration System Security Group (Unconstrained).

    • If you would like to create a Constrained Security Group instead of an Unconstrained Security Group, please see the section in Notes below

  4. In the Name field, enter a name

  5. Click OK

  6. On the Edit Integration System Security Group (Unconstrained) page, in the Name field, enter the same name you entered when creating the ISU in the first section

  7. Click OK

Step 3: Configure domain security policy permissions

  1. In the Search field, type Maintain Permissions for Security Group

  2. Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2

  3. Add the corresponding Domain Security Policies

Permissions

Please note that the permissions listed below are the required permissions for the full ATS integration. Required permissions can differ based on the use case. For example, if you only want to provide read access, you can just input GET operations. For a more detailed breakdown, see the Breakdown of Domains section below.

Operation

Domain Security Policy

Get Only

Worker Data: Public Worker Reports

Get Only

Worker Data: Workers

Get Only

Worker Data: All Positions

Get Only

Worker Data: Current Staffing Information

Get Only

Job Requisition Data

Get Only

Worker Data: Employment Data

Get Only

Worker Data: Organization Information

Get Only

Manage Pre-Hire Process: Manage Pre-Hires

Get and Put

Manage Pre-Hire Data

Get and Put

Candidate Data: Edit Job Application

Get and Put

Job Requisitions for Recruiting

Get and Put

Candidate Data: Personal Information

Get and Put

Set Up: Pre-Hire Process

Get and Put

Candidate Data: Other Information

Get and Put

Manage Pre-Hire Process

View and Modify

Candidate Data: Other Information

Get and Put

Candidate Data: Job Application

Get and Put

Move Candidate

Get and Put

Prospects

Get

Manage: Evergreen Requisitions

Get

Job Postings

Image or attachment is not accessible.

Breakdown of Domains

If you're interested in knowing more about how Workday domains break down into subdomains, see the table below:

Parent Domain

Subdomain

Candidate Data: Job Application

Candidate Data: Interview Schedule

Candidate Data: Offer Details

Candidate Data: Other Jobs

Jobs Requisitions for Recruiting

Candidate Data: Personal Information

Candidate Data: Personal Information

Candidate Data: Other Information

Candidate Data: Photo

Candidate Data: Attachement

Pre-Hire Process Data: Name and Contact Information

Pre-Hire Data: Contact Information

Pre-Hire Data: Names

Job Requisition Data

Person Data: Personal Data

Person Data: Citizenship Status

Person Data: Disabilities

Person Data: ID Information

Person Data: Marital Status

Person Data: Date of Birth

Person Data: Gender

Person Data: Government IDs

Person Data: Personal Information

Person Data: Home Contact Information

Person Data: Home Address

Person Data: Home Email

Person Data: Home Instant Messenger

Person Data: Home Phone

Person Data: Home Web Address

Person Data: Work Contact Information

Person Data: Work Address

Person Data: Work Email

Person Data: Work Instant Messenger

Person Data: Work Phone

Person Data: Work Web Address

Manage: Location

Manage: Evergreen Requisitions

Consolidated Candidate Pool

Evergreen Reporting

Link Evergreen and Job Requisitions

Candidate Data: Interview Schedule

Job Postings

Step 4: Activate security policy changes

  1. In the search bar, type "Activate Pending Security Policy Changes" to view a summary of the changes in the security policy that needs to be approved

  2. Add any relevant comments on the window that pops up

  3. Confirm the changes in order to accept the changes that are being made

Step 5: Validate the authentication policy is sufficient

Check the Manage Authentication Policies section to ensure the ISU you created is added to a policy that can access the necessary domains. It should not be restricted to only the "SAML" Allowed Authentication Types – if this is the case, you can create a new Authentication Policy with a "User Name Password" Allowed Authentication Type.

  1. Editing authentication policies

  2. Create an Authentication Rule, and add the Security Group to the Rule

  3. Make sure the Allowed Authentication Types is set to a specific User Name Password or set to Any

Step 6: Activate all pending authentication policy changes

  1. In the search bar type, activate all pending authentication policy changes

  2. Proceed to the next screen, and confirm the changes. This will save the Authentication Policy that was just created

Step 7: Obtain the web services endpoint

  1. Search in Workday for Public Web Services

  2. Open Public Web Services Report

  3. Hover over Human resources and click the three dots to access the menu.

    • If you are integrating with your Workday ATS, please find Recruiting instead and access that menu

  4. Click Web Services > View WSDL

  5. Navigate to the bottom of the page that opens and you'll find the host

  6. Copy everything until you see /service. This should look something like https://wd5-services1.myworkday.com/ccx.

Step 8: Provide credentials to candidate.fyi team

  1. Workday URL: Provide Web Services Endpoint you found from Step 5

  2. User ID:Provide the Integration System User name for the user created in Step 1.

  3. Password: Provide Integration System User password for the user created in Step 1

  4. Workday tenant name:Provide Workday tenant name.

(Optional) Create a Constrained Security Group instead of Unconstrained

The following steps would replace Step 2 above.

  1. In the Search field, type Create Security Group.

  2. Select the Create Security Group task.

  3. Click OK.

  4. On the Create Security Group page, from the Type of Tenanted Security Group pull-down menu, select Integration System Security Group (Constrained).

  5. In the Name field, enter a name.

  6. Click OK.

  7. On the Edit Integration System Security Group (Constrained) page, in the Integration System Users field, enter the ISU you created in Section 1.

  8. Now under Organizations, you will need to select the appropriate way you'd like to limit access from your Workday instance. You have several options in regards to how you'd like to limit the data accessible to the ISU:

    • We recommend selecting a specific organizational structure within your larger Company to segment by

    • After clicking on "All Organizations by Type", you can further narrow down by selecting which Type you'd like to segment by. The recommended Types are:

      • Company

      • Cost Center

      • Division

      • Region

    • From there, you can select the specific Instances within your Workday Organization that you'd like to be synced over from this security Group (specific Regions, divisions, etc.).

    • After you have configured the Organization Structures you'd like to be accessible from the ISU, please navigate to "Access Rights to Organization".

      1. Depending on how you'd like to configure access, it can either be to the specific criteria you've applied on the Organizations section OR the criteria you applied as well as all organizations that fall under.

        1. If you have only selected a top level organization, you should click "Applies to Current Organization And All Subordinates"

  9. Once is this all completed, please click OK to save the Constrained Security Group

  10. Now continue to Step 3


Did this answer your question?