Before linking your Workday, we'll need to make sure that the correct permissions are enabled. Below are some detailed steps for granting permissions. Steps One through Five are done within your Workday portal, whereas the last step is done on your Merge Link prompt.
Step One: Create an Integration System User (ISU)
In your Workday portal, log into the Workday tenant.
In the Search field, type Create Integration System User.
Select the Create Integration System User task.
On the Create Integration System User page, in the Account Information section, enter a user name, and enter and confirm a password.
Click OK.
Note: due to xml encoding, "&", "<", and ">" cannot be included in the password.
Note: Ensure Require New Password at Next Sign In is NOT checked.
Note: You'll want to add this user to the list of System Users to make sure the password doesn't expire.
Step Two: Create a Security Group and Assign an Integration System User
Now, add this Integration System User to a Security Group:
In the Search field, type Create Security Group.
Select the Create Security Group task.
Click OK.
On the Create Security Group page, from the Type of Tenanted Security Group pull-down menu, select Integration System Security Group (Unconstrained).
In the Name field, enter a name.
Click OK.
On the Edit Integration System Security Group (Unconstrained) page, in the Name field, enter the same name you entered when creating the ISU in the first section.
Click OK.
Step Three: Configure Domain Security Policy Permissions
In the Search field, type Maintain Permissions for Security Group
Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2.
Add the corresponding Domain Security Policy with GET and PUT operation:
Please note the permissions listed below are the required permissions for the full ATS API. If you only would like to provide read access, you can just input GET functionality.
Operation | Domain Security Policy | Functional Areas |
Get Only | Worker Data: Public Worker Reports | Staffing |
Get Only | Worker Data: Workers | Staffing |
Get Only | Worker Data: All Positions | Staffing |
Get Only | Worker Data: Current Staffing Information | Staffing |
Get Only | Job Requisition Data | Pre-Hire Process |
Get Only | Worker Data: Employment Data | Staffing |
Get Only | Worker Data: Organization Information | Staffing |
Get Only | Manage Pre-Hire Process: Manage Pre-Hires | Pre-Hire Process |
Get and Put | Manage Pre-Hire Data | Pre-Hire Process |
Get and Put | Candidate Data: Edit Job Application | Recruiting |
Get and Put | Job Requisitions for Recruiting | Recruiting |
Get and Put | Candidate Data: Personal Information | Recruiting |
Get and Put | Set Up: Pre-Hire Process | Pre-Hire Process |
Get and Put | Candidate Data: Other Information | Recruiting |
Get and Put | Manage Pre-Hire Process | Pre-Hire Process |
View and Modify | Candidate Data: Other Information | Recruiting |
Get and Put | Candidate Data: Job Application | Recruiting |
Get and Put | Move Candidate | Recruiting |
Get and Put | Prospects | Recruiting
Talent Pipeline |
Step Four: Activate Security Policy Changes
In the search bar, type "Activate Pending Security Policy Changes" to view a summary of the changes in the security policy that needs to be approved.
Add any relevant comments on the window that pops up
Confirm the changes in order to accept the changes that are being made.
Step Five: Validate Authentication Policy is Sufficient
Check the Manage Authentication Policies section to ensure the ISU you created is added to a policy that can access the necessary domains. It should not be restricted to only the "SAML" Allowed Authentication Types – if this is the case, you can create a new Authentication Policy with a "User Name Password" Allowed Authentication Type.
Editing Authentication Policies
Create an Authentication Rule, and add the Security Group to the Rule
Make sure the Allowed Authentication Types is set to specific User Name Password or set to Any
Step Six: Activate All Pending Authentication Policy Changes
In the search bar type, Activate All Pending Authentication Policy Changes
Proceed to the next screen, and confirm the changes. This will save the Authentication Policy that was just created.
Step Seven: Obtain the Web Services Endpoint for Workday Tenant
We'll need access to your specific Workday web services endpoint:
Search in Workday for Public Web Services.
Open Public Web Services Report.
Hover over Recruting and click the three dots to access the menu.
If you are integrating with your Workday ATS, please find Recruiting instead and access that menu.
Click Web Services > View WSDL.
Navigate to the bottom of the page that opens and you'll find the host.
Copy everything until you see /service. This should look something like https://wd5-services1.myworkday.com/ccx.
Enter Credentials into Merge Link
Workday URL: Enter the Web Services Endpoint you found from Step 5 into Merge Link.
User ID: Enter the Integration System User name for the user created in Step One.
Password: Enter the Integration System User password for the user created in Step One.
Workday Tenant Name: Enter your Workday Tenant name.
Example: If you sign in at "https://wd5-services1.workday.com/acme", enter "acme".
Notes
Linked Implementation Workday accounts will result in slower syncs as there are fewer resources dedicated to the tenant.
The password used cannot contain an "&" or "<", ">" signs.
Please make sure to exempt the ISU Account from MFA and SSO