Prerequisites
Alation Cloud Service: applies to Alation Cloud Service instances of Alation
Customer Managed: applies to customer-managed instances of Alation
Before installing and configuring the Workday OCF connector, ensure that you configure the network connectivity and set up the service account.
Configure Network Connectivity
Open outbound TCP port 443 to the Workday server.
Create a Service Account
All authentication flows supported by this connector can be used with either a normal user or an Integration System User (ISU).
To create a user, see Create a user for more details.
Create an Integration System User (ISU)
Perform the following steps to create an ISU:
Open the Create Integration System User form.
Enter a name for the user in User Name.
Enter a password for the user and verify the password. You will need to save this password if you plan to use this ISU with Basic authentication in SOAP.
Enable the Do Not Allow UI Sessions option. This helps secure the ISU from being used outside the connector.
See Create an Integration System User for more information.
The ISU must also be assigned to a security group:
Open the Create Security Group form.
Select Integration Security Group (Unconstrained) for the security group type.
Specify the name of the security group to create and click OK.
Workday creates the group and displays the Edit Integration Security Group form.
Open the Integration System Users list and add the ISU you created.
Click OK.
Once you have an ISU, you need to grant it the necessary permissions for the Workday service you wish to use. This process must be done individually for each security domain you wish to assign.
Open the View Domain report and enter the name of the security domain.
Click on the eyeglass icon under Domain Security Policy.
Click the ellipses (…) button and select Domain Security Policy > Edit Permissions.
In the task permissions section, click the plus (+) button and enter the Integration Security Group.
Enable the View permission, and modify the permission if you want to allow the ISU to write data.
Click OK.
Once you have made all the necessary changes, use the Activate Pending Security Policy Changes form to review and approve the domain assignments.
This connector requires ISUs that can access different domains depending on the services you want to use. Note that these domains are the minimum requirements to use the connector with the service at all. Most data sources (and reports using them) require additional permissions, which are found by searching for domains that grant access to the specific data source.
WQL requires these domains: Workday Query Language, Reporting Audits
Reports do not require any specific domains, but any report you want to access must be shared with the ISU using the Share tab in the report definition. You can either share the report with all authorized users or share the report with the ISU specifically.
SOAP does not require any specific domains.
Permissions
When integrating with Workday, Alation needs specific permissions to interact with the API. These permissions are defined by access scopes, which determine the scope of access.
This section provides information about the required access scopes and endpoint domains.
Access Scopes
Ensure that the following scopes are assigned to the user:
Scope | Description
---|---
System | List views and columns. Required for read access.
Tenant Non-Configurable | Access and execute reports as a service.
Workday Owned Scope | Include items or components owned and managed by Workday. Required for read access.
Endpoints
Endpoint domains are the specific URLs that the application needs to communicate with in order to authenticate, retrieve records, and perform other essential operations.
Allowlisting these domains ensures that the network traffic between the connector and the API is not blocked by firewalls or security settings.
Note
Most users do not need to make any special configurations. Allowlisting is typically only necessary for environments with strict security measures, such as restricted outbound network traffic.
Domain | Description
---|---
<Base URL> | The base URL of your Workday REST API Endpoint, as specified in the BaseURL connection property.
community.workday.com | The base URL for the Workday SOAP API. Required if using SOAP for your ConnectionType.
<CustomReportURL> | The URL of your report catalog. Required if using Reports for your ConnectionType.
login.microsoft.com | The base URL for AzureAD SSO. Required if using AzureAD as your AuthScheme.
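The following preflight check is an added example, not part of the Alation or Workday documentation. It derives the hosts that need outbound TCP 443 (see Configure Network Connectivity and the table above) from the connection properties, rejects URLs that would need a scheme or port other than HTTPS on 443, and probes each host with a verified TLS handshake. The function names and the example.com URLs are assumptions constructed for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Fixed hosts taken from the Endpoints table on this page.
SOAP_HOST = "community.workday.com"
AZUREAD_HOST = "login.microsoft.com"


def https_host(url, label):
    """Return the host of an https URL on port 443, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{label} must be an https:// URL: {url!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"{label} uses port {parts.port}; only 443 is opened")
    return parts.hostname.lower()


def required_hosts(base_url, connection_type, auth_scheme, custom_report_url=None):
    """Hosts the connector needs on outbound TCP 443 for these settings."""
    hosts = [https_host(base_url, "BaseURL")]
    if connection_type == "SOAP":
        hosts.append(SOAP_HOST)
    if connection_type == "Reports":
        if not custom_report_url:
            raise ValueError("Reports requires CustomReportURL")
        hosts.append(https_host(custom_report_url, "CustomReportURL"))
    if auth_scheme == "AzureAD":
        hosts.append(AZUREAD_HOST)
    return sorted(set(hosts))


def probe(host, port=443, timeout=5.0):
    """TCP connect plus a verified TLS handshake; returns (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed sample values; replace with your own connection properties.
    for h in required_hosts("https://tenant.example.com/api", "Reports",
                            "AzureAD", "https://reports.example.com/catalog"):
        print(h, *probe(h))
```

Run it from the host where the connector runs, so the probe goes through the same firewall and proxy path as the connector's traffic.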
Authentication Setup in Workday
Create a Custom OAuth Application
Custom OAuth applications are used to connect by both Standard Users and Integration System Users (ISUs) with a variety of AuthSchemes.
Standard Users
Perform the following steps to create an API Client that can be used by standard users with the OAuth authentication scheme.
Note
Workday restricts each custom application to a single redirection URI. Hence, if you have a mix of Desktop and Web users, create more than one custom application.
Log into Workday.
Open the Register API Client form and fill in the following fields:
Client Name: A name for the application.
Grant Type: Authorization Code.
Access Token Type: Bearer.
Specify a Redirection URI for the custom application:
If it is a desktop application, the recommended URI is https://localhost:33333. If no CallbackURL is provided, the connector will use this URI as the redirection URI automatically.
If it is a web application, use any URI; for example, https://my-website.com/oauth.
Configure scopes to be used with this application:
In the Scope section, enable the following scopes:
Custom Objects > System
Custom Objects > Integration
Workday REST API > Tenant Non-Configurable
Add any additional desired scopes for the driver to have access to. If there is any uncertainty regarding which scopes to include, all the scopes under each subsection can be enabled.
Enable the Include Workday Owned Scope option.
Click OK.
After the application is created, Workday loads the View API Client page with all the information for the new application. Copy the Client ID and Client Secret to your local machine.
ISUs
Facilitating ISU authentication involves two steps:
Create an API client that can authenticate via OAuth 2.0.
Register the ISU with the API client.
Create the API Client
The following steps create an API Client that can be used by ISUs with the OAuth authentication scheme.
Log into Workday.
Open the Register API Client for Integrations form.
In the Client Name field, enter a name for the application.
Configure scopes to be used with this application:
In the Scope section, enable the following scopes:
Custom Objects > System
Custom Objects > Integration
Workday REST API > Tenant Non-Configurable
Add any additional desired scopes for the driver to have access to. If there is any uncertainty regarding which scopes to include, all the scopes under each subsection can be enabled.
Enable the Include Workday Owned Scope option.
Click OK.
After the application is created, Workday loads the View API Client page with all the information for the new app. Copy the Client ID and Client Secret to your local machine.
Register an ISU with the API Client
An API Client for Integrations has to be registered with a specific ISU before that ISU can use the API Client to authenticate. If you do not already have an ISU, you need to create one; see Create a Service Account.
Perform the following steps to register an ISU with the API client:
Log into Workday.
Navigate to the View API Client page for the API Client.
Next to the API Client name, click the ellipsis (…).
Go to API Client > Manage Refresh Tokens for Integrations. A pop-up menu appears.
Under Workday Account, find and select the ISU that you want to register with the API Client.
Click OK.
Enable the Generate New Refresh Token option and click OK.
After the ISU is registered, Workday loads a page showing the Refresh Token for the ISU. Copy the Refresh Token to your local machine.
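To confirm that the Client ID, Client Secret and Refresh Token copied in the steps above work together, the added example below (not code from Alation or Workday) builds a standard OAuth 2.0 refresh-token request as defined in RFC 6749 section 6 and checks that the response carries a Bearer token. It assumes the tenant's token endpoint URL is supplied by you, since this page does not list it; the environment variable names are hypothetical.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def build_refresh_request(token_endpoint, client_id, client_secret, refresh_token):
    """Build an RFC 6749 section 6 refresh-token request without sending it."""
    parts = urllib.parse.urlsplit(token_endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("token endpoint must be an https:// URL")
    # Client authentication: HTTP Basic with the Client ID and Client Secret.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Return the access token after checking for errors and the Bearer type."""
    doc = json.loads(raw)
    if "error" in doc:
        raise RuntimeError(f"grant refused: {doc['error']}")
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise RuntimeError("response does not carry a Bearer access token")
    return doc["access_token"]


if __name__ == "__main__":
    # Hypothetical variable names; secrets come from the environment, not the script.
    env = os.environ
    req = build_refresh_request(env["WORKDAY_TOKEN_ENDPOINT"], env["WORKDAY_CLIENT_ID"],
                                env["WORKDAY_CLIENT_SECRET"], env["WORKDAY_REFRESH_TOKEN"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = parse_token_response(resp.read())
    # Report success without printing the token itself.
    print(f"refresh token accepted; access token length {len(token)}")
```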