This article provides step-by-step instructions on integrating Applaud with the Workday tenant.
Prerequisites
Applaud
- Ensure your user has the Integrations Designer role assigned to them in Applaud. This role grants you access to integration settings.
Workday
- Ensure the Integration System User(ISU) is created in Workday.
- Using an ISU ensures that all integration operations are logged under a designated user and separate from regular workflow processes. This is essential as changes to a regular worker’s security profile or termination could disrupt integrations that are reliant on their account. For enhanced security, limit each ISU to a single integration system.
- If your integration involves custom Workday objects, you must register a Workday API client.
This step is required as the Workday REST API requires authentication through an OAuth client setup.
For more about creating the ISU and completing the setup, read the article Connect to Workday using the ISU name and password.
Setup ISU in Workday
Create Integration System User
- Create an Integration System User(ISU) by selecting the Create Integration System User task.
- Enter a username and set a password.
- Set Session Timeout Minutes to 0 to prevent ISU from timing out.
- Select Do Not Allow UI Sessions checkbox to enhance security by restricting UI logins.
- Navigate to Maintain Password Rules task.
- Exempt the integration system user from password expiration by adding them to the System Users exempt from password expiration field.
Create an Integration security group
- Search for Create Security Group in Workday and select the corresponding task.
- Locate the Type of Tenanted Security Group field, and select and name your security group. Workday offers two types:
- Integration System Security Group (Unconstrained): Allows group members to access all data instances secured by the group.
- Integration System Security Group (Constrained): Grants access to a subset of data instances based on context.
Before selecting an option, contact your Workday integration partner to ensure that the appropriate security group type is used for your integration.
You must assign members to your newly created security group. You must add the Integration System User (ISU) you registered in the preceding steps. For a constrained group, you must also specify the organization's scope.
Grant domain access to the security group
- Search for Maintain Permissions for Security Group in Workday and select the task.
- Choose the security group you created from the Source Security Group list to modify its permissions, and click OK to confirm your selection.
- Go to the Maintain Permissions for Security Group > Domain Security Policy Permissions tab and assign the necessary permissions for each domain, such as GET and PUT operations.
- Ensure the security group has GET permissions for the following domain security policies:
- Integration Build
- Integration Process
- Integration Debug
- Integration Event
- Click OK to apply the permissions, then click Done to save your changes.
Activate security policy changes
-
- Type Activate Pending Security Policy Changes into Workday's search box and select the task.
- Start the Activate Pending Security Policy Changes task by entering a reason for your audit in the comment field, then click OK.
- Complete the task on the next screen by selecting the Confirm checkbox, then click OK.
Register a new API client for integrations
This step is required only if you plan to work with custom objects in Workday.
Before you begin registering a new API client for integrations in Workday, ensure you meet the following prerequisites:
- You have admin access to your company’s Workday account.
- You are logged in to Workday with your admin credentials.
- You have authenticated the Integration System User (ISU) and enabled both GET and View access in Workday.
After you have met these prerequisites, complete the following steps to register an API client for integrations in Workday:
- Search for Register API Client for Integrations in Workday's search field.
- Select the Register API Client for integrations task to access the registration page.
- Enter a name for your API client in the Client Name field.
- Select the Non-Expiring Refresh Tokens option.
- Specify the API client's access scope. Ensure that the integration scope is included, which covers essential domain security policies such as Integration Build, Integration Debug, Integration Process, and Integration Event. Including this scope is a minimum requirement for establishing a connection with Workday and any specific call operations required for your integration.
- Click OK to generate the Client ID and Client Secret.
- Save the Client Secret and Client ID.
- Click Done.
Generate a non-expiring refresh token
- Type View API Clients in the search field in Workday.
- Open the View API Clients report from the search results.
- Navigate to the API Clients for Integrations tab.
- Select the API client you registered in the prior steps.
- Click the ellipsis (...) next to the client name and choose API Client > Manage Refresh Tokens for Integrations to manage tokens.
- Input the Workday account of a user authorized to access the custom report in the Workday Account field and click OK.
- Navigate to the Delete or Regenerate Refresh Token page, select the Generate New Refresh Token option, and click OK.
- Copy the refresh token from the Successfully Regenerated Refresh Token page.
- Click Done to complete the process.
Find your token endpoint URL
- Enter View API Clients into the search field in Workday.
- Access the View API Clients report from the search results.
- Save the URL listed in the Token Endpoint field.
Workday connector(out-of-the-box)
- This provides us access to the business objects like “Workers,” “Locations,” etc.
- This provides more flexibility to perform standard operations like Update personal information, Change Person Photo, Enter time off, Request Leave of Absence, etc.
- Use RaaS(Report-as-a-service) reports - Workday RaaS is a feature that exposes reports as web services. For more information: https://doc.workday.com/admin-guide/en-us/reporting-and-analytics/custom-reports-and-analytics/reports-as-a-service-raas-/dan1370796320263.html
Connect and fetch worker data
Workday Authentication Types
- OAuth 2.0
- Basic (ISU username/password based)
Step 1: Connecting to Workday
- Login to your Applaud tenant.
Integrations should be enabled in your Applaud tenant.
- From the Admin home page, select Integrations.
- Select Assets, select CREATE, and then select Connection.
- From the list of available apps, select "Workday."
OAuth 2.0 authentication
- Enter a unique Connection name to identify your Workday account.
- Choose OAuth 2.0 as the Authentication type. This method is required to work with custom objects and query data using Workday Query Language(WQL) with the Workday REST API.
- Select the Workday web services version that is appropriate for your Workday tenant. We recommend you choose the newest version available to access the latest features and updates.
- When logged into Workday, locate and enter your Tenant ID from the URL. For example, the tenant ID is sample_company in https://impl.workday.com/sample_company/d/home.htmld.
- Provide the WSDL URL associated with your Workday services.
- Enter the Client ID and Client Secret from your API client settings.
- If using an API client for integrations, input your Refresh token.
- Enter your Authorization endpoint and Token endpoint from your API client settings to complete the OAuth flow.
- Select the Workday tenant timezone that matches your Workday tenant’s timezone. By default, Workday uses Pacific Standard Time(PST).
- To configure the Advanced XML payload for multiple ID values, click Advanced Settings. By default, when constructing the XML from your input, each value in fields with multiple values that are wrapped within their container.
For example:
<languages><language>english</language></languages><languages><language>chinese</language></languages>
If you set the value to Yes, values are unwrapped, presenting them in a single container:
<languages><language>english</language><language>chinese</language></languages>
- Review the information you entered to ensure it is correct, click Connect to initiate the authorization process, and complete the connection setup.
Basic authentication
- Enter a unique Connection name to identify your Workday account.
- Select Basic as the Authentication type. This method uses your Workday username and password for integration.
- Select the Workday web services version that is appropriate for your Workday tenant. We recommend you choose the newest version available to access the latest features and updates.
- When logged into Workday, locate and enter your Tenant ID from the URL. For example, the tenant ID is sample_company in https://impl.workday.com/sample_company/d/home.htmld.
- Provide the WSDL URL associated with your Workday services.
- Input your Workday Login name and Password.
- Select a Workday tenant timezone that matches your Workday tenant's settings. By default, Workday uses Pacific Standard Time (PST).
- You can click Advanced Settings to configure the Advanced XML payload for multiple ID values if you need to. By default, fields with multiple values are wrapped within a container. Set this option to yes to unwrap the values.
- Review the information you entered to ensure it's correct, click Connect to initiate the authorization process, and complete the connection setup.
Data management:
Event-Driven data synchronization(example: Workers object):
- An event is triggered whenever there is a change in the "Workers" object, such as creating a new worker or updating an existing worker's details.
- These events are detected by a connector that continuously monitors the worker object for changes. The connector identifies and captures specific events related to worker records.
- Once the event is captured, the connector initiates a process to update the corresponding data in Applaud. This ensures that Applaud's records are always synchronized with the source system.
- After the data is updated in Applaud, the system may trigger additional processes, such as sending notifications, initiating workflows, or updating related objects, to ensure all relevant stakeholders and systems are aligned.
Regular Data Synchronization via Scheduled Jobs:
- In addition to event-driven updates, jobs can be scheduled regularly to ensure data consistency between Workday and Applaud. This job systematically checks for any updates made in Workday that may not have been captured through real-time events.
- The scheduled jobs can pull data directly from Workday objects, capturing updates such as new hires, role changes, or terminations. Custom RaaS reports can also extract and synchronize more complex or tailored data sets that are not directly available from standard Workday objects.
- The scheduled job regularly syncing the data ensures that any updates made in Workday are reflected in Applaud, providing the end user with the most up-to-date information. This process helps maintain data integrity and ensures users access accurate and current data.
- Both Workday objects and Custom RaaS reports can be used
Worker/User management:
New user creation:
- When a new worker record is created in Workday, a data feed automatically triggers the creation of a corresponding user in Applaud. This ensures that new employees are promptly added to Applaud, allowing them immediate access to the platform and its resources.
Delete user:
- If a worker leaves the organization, the data feed from Workday identifies this change. The corresponding user in Applaud can then be marked as deleted or deactivated, effectively revoking their access to the platform while maintaining data accuracy.
Handling future end dates:
- When a worker’s end date is set in the future, the data feed from Workday includes this information when it is pushed into Applaud. A workflow is then triggered within Applaud to automatically execute on the specified future date, ensuring that the user is marked as deleted in Applaud exactly when their employment ends.
Build sample integration recipe to pull Worker feed from Workday
- From the Assets page, select Create and then Recipe.
- Enter a Recipe name, select the folder where you want to place the recipe and select Run on Schedule.
- Select the “+” icon to add a step.
- Select Action in App and then the Workday app from the list.
- Then, select the workday connection you created in Step 1.
- Choose the action as Search business object, like in the screenshot:
- Search for the Workers business object and select like in the screenshot:
- Save this recipe and select Test recipe to test it. This should provide us with all the worker information from the Workersobject.