This article explains how to establish a secure connection between Applaud and Workday using Workday REST APIs.
It describes how to:
- Create and configure the Integration System User (ISU)
- Assign required security permissions
- Validate API connectivity for the integration
These steps allow Applaud and Workday to exchange data securely and in a controlled manner.
Prerequisites for Creating an ISU:
- Security Permissions:
- Integration Security domain in the Integration functional area.
- WCP Integration System User Security domain in the System functional area for assigning ISUs to an app.
- Access Requirements:
- Company Administrator, Developer, or Specialist access on the Developer Site.
Prerequisites for Registering an API Client:
- Security Domains:
- Security Administration domain in the System functional area.
- OAuth 2.0 Settings:
- Enable OAuth 2.0 clients in the tenant setup.
- Client Registration:
- Enter the Client Name and select the Client Grant Type (e.g., Authorization Code Grant).
- Scope Selection:
- Choose the functional areas that the OAuth 2.0 client requires access to.
These prerequisites ensure you have the required permissions and configuration to successfully create an ISU and register an API client.
Types of connections:
- Integration System User (ISU)
- OAuth API client setup
Integration System User (ISU):
A dedicated account that defines the identity and permissions used by an integration.
- Required for all integrations (SOAP, REST, WQL)
- Primarily used with Basic Authentication for SOAP APIs, but also serves as the identity backbone for REST and WQL connections via OAuth
- Determines data access through assigned security groups and domain permissions
OAuth API client:
The recommended authentication method for accessing Workday REST APIs and Workday Query Language (WQL).
- Used for REST APIs and WQL queries
- Provides secure, token-based authentication
- OAuth client is linked to an ISU
- Access is controlled by ISU security permissions
Configure an Integration System User (ISU) in Workday
Step 1: Create Integration System User
- In Workday, search for Create Integration System User.
- Select the Create Integration System User task and fill in the corresponding details:
Recommendations:
Password: You can generate a password automatically by selecting Generate Random Password.
Do Not Allow UI Sessions: Select this option to prevent the account from signing in to the Workday user interface directly. This is a recommended security practice for integrations.
Session Timeout Minutes Enforced to 20: This setting does not typically affect API or integration authentication. It applies only to interactive Workday UI sessions, which an integration-only ISU does not require.
Step 2: Create ISSG (Integration System Security Group)
After you successfully create the ISU, create a security group and assign it to the ISU.
- In Workday, search for the Create Security Group task.
- Select Integration System Security Group (Unconstrained) as the Type of Tenanted Security Group, and enter a unique Name.
Step 3: Assign Integration System Security Groups (ISSG) to ISU
- Search for All Workday Accounts, and then filter User Name by the newly created Workday account.
- Assign the Integration System Security Group for Integration User, and then select OK.
- Validate the details, and then select Done.
Step 4: Add Domain Security Policies to ISSG
- In Workday, search for the View Security Group task.
- Search for the newly created Security Group, and then select OK.
- Select the Related Actions menu to Add/Remove Domain Permissions for Security Groups.
- Select Security Group and then select Maintain Domain Permissions for Security Group.
- Add the Report/Task Permissions:
- Domain Security Policies permitting Modify access
- Domain Security Policies permitting View access
- Add the Integration Permissions:
- Domain Security Policies permitting Put access
- Domain Security Policies permitting Get access
- After you add all required tasks, select OK.
- Review the details, and then select Done.
For the complete list of required permissions, see:
Step 5: Add Security Groups to Business Process
- In Workday, search for each business process, and then add the appropriate security groups to each web service that sends API requests.
- Select the Related Actions icon, go to Business Process Type, and then select Edit.
- In Edit Business Process Security Policy, add your security group under Create Job Requisition (Web Service), and then select OK.
For the complete list of required permissions, see:
Step 6: Activate Pending Security Policy Changes
- In Workday, search for Activate Pending Security Policy Changes and open the task.
- Add comments and select OK to apply pending security policy changes.
Step 7: Search for newly created ISU or existing ISUs in Workday
- In Workday, search for View Security Groups for User and open the task.
- Type the name of the ISU in the Person field, and then select OK.
Configure an OAuth 2.0 API client in Workday for Integrations
Step 1: Register API Client
In Workday, search for the Register API Client for Integrations task.
Enter Client Details, including Scope (Functional Areas), and select OK.
Below is a full list of Scope (Functional Areas) to add for the solution to work:
Copy the client credentials (Client ID and Client Secret), and then select Done.
Step 2: Generate a Refresh Token
- In Workday, search for the View API Clients task.
- Open the task and copy the following details:
- Workday REST API Endpoint
- Token Endpoint
- In View API Clients, select the API Clients for Integration tab, and select the API Client that has recently been created.
- Select the Related Actions Menu, then select the Manage Refresh Token for Integrations action to add an ISU account.
- Add the ISU account created earlier for the API client and select OK.
- Select the Generate New Refresh Token checkbox and then select OK.
- Copy the Refresh Token and select Done.
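With the Client ID, Client Secret, Token Endpoint and Refresh Token copied, connectivity can be checked by exchanging the refresh token for an access token. The script below is an added example, not part of the original article and not Applaud or Workday code; it assumes the Token Endpoint accepts the standard OAuth 2.0 refresh-token grant (RFC 6749) with HTTP Basic client authentication, and the environment variable names are this example's own choice.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def build_token_request(token_endpoint, client_id, client_secret, refresh_token):
    """Build the refresh-token grant request; nothing is sent here."""
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Return the bearer access token from a JSON token response, or raise."""
    doc = json.loads(raw)
    if "error" in doc:
        raise RuntimeError(f"token endpoint refused the grant: {doc['error']}")
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise RuntimeError("response carries no bearer access token")
    return doc["access_token"]


if __name__ == "__main__":
    # Values copied in Step 1 and Step 2, read from the environment so that
    # no credential is stored in the script (variable names are assumptions).
    req = build_token_request(
        os.environ["WD_TOKEN_ENDPOINT"],
        os.environ["WD_CLIENT_ID"],
        os.environ["WD_CLIENT_SECRET"],
        os.environ["WD_REFRESH_TOKEN"],
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = parse_token_response(resp.read())
    # Report success without printing the token itself.
    print(f"access token obtained ({len(token)} characters)")
```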