Configure Security Domain Policies at Workday

To connect Workday HCM to One Model, you will need a Workday Integration System User account that has read permissions for human resources domain objects in Workday.

NOTE: You can use a Workday user instead of an Integration System User. However, we recommend that you use a Workday Integration System User.

You must perform one of the following two setup types for the Workday data source in One Model:

  1. Basic Authentication: Create a new user for setting up basic authentication.

  2. OAuth Connection: Set up an API client for connecting using OAuth.

Choose the setup method you prefer for your One Model Workday data source.

Create a new user for Basic Authentication

Perform this step only if you want to set up basic authentication at One Model.

  1. Log in to your Workday application using an Administrator account.
     
  2. In the application's search box, search for 'create user' and then select Create Integration System User. One Model uses the Integration System User to access custom reports.
     
  3. Enter a User Name and Password. Take note of this user name and password because you need this information to set up a Workday Data Source at One Model.
     
  4. Leave the Require New Password at Next Sign In checkbox clear.
     
  5. If you want to use the Basic authentication mode in the One Model setup form, select the Do Not Allow UI Sessions checkbox.
     
  6. Click OK and then click Done.

Connect Using OAuth 

Perform this step only if you want to authenticate the connection using OAuth. Skip to the next step if you want to use Basic authentication for your connection. The API client for integrations uses a non-expiring refresh token to set up the connection and thus does not require you to manually authorize the client.

  1. In the search box, search for Register API Client for Integrations.
     
  2. In the Client Name field, enter a unique name for this API client. For example: One Model
     
  3. Select the Refresh Token Timeout (in days). You can select a value between 1 and 365 days. The default value is 30 days. To prevent the refresh token from timing out, Workday automatically selects the Non-Expiring Refresh Tokens check box. You can also select the Disabled check box to prevent the client from requesting access to Workday.
     
  4. From the Scope (Functional Areas) prompt, select the functional areas to which your OAuth 2.0 client requires access. When you plan to use API calls to retrieve data from Workday objects with lookup hierarchy calculated fields, you must register your API client with these scopes: “Custom”. To make API calls to get lookup hierarchy calculated fields, you must have Organizations and Roles scope.
     
  5. (Optional) If your OAuth 2.0 client requires access to core Workday domains that aren't in any functional areas, select the Include Workday Owned Scope check box.
     
  6. (Optional) If you want Workday to authorize OAuth 2.0 client access only from specified IP address ranges, select the ranges from the Restricted to IP Ranges prompt. You can also select Create IP Range to create a named, comma-separated list of IP addresses using one of these formats:
     
    1. X.X.X.X.
    2. CIDR notation. Example: 192.168.0.1/24.
    3. X.X.X.X - Y.Y.Y.Y.

Workday has a limitation on IP ranges that include a dash. If you experience sign-in errors in the Signons and Attempted Signons report after you begin using an IP range that's in that format:

    1. Use a tool that converts IP address ranges to CIDR notation, and see if the range breaks down to a series of smaller segments. Such third-party CIDR calculator tools are available online.
    2. Reenter the IP Range in Workday as a comma-separated list of the segments returned by the tool. Example: 199.67.128.0/18, 199.67.192.0/24 or 199.67.128.0-199.67.191.255, 199.67.192.0-199.67.192.255.

  7. Click OK.

  8. Make a note of the Client ID and Client Secret. You will need them to configure the One Model Workday Data Source.

  9. As a related action on the API client for integrations, select API Client > Manage Refresh Tokens for Integrations.

  10. Select the Workday Account from the prompt. No more than 1 refresh token can exist for a given integrations API client and Workday account pair.

  11. Select Confirm Delete or Generate New Refresh Token to delete the existing refresh token or generate a new one. You can select both options to delete the existing refresh token and replace it with a new one. Integrations that rely on the refresh token will no longer work unless you update them to use the new token. If you don't select the Generate New Refresh Token check box, then Workday won't generate a new refresh token, and you'll need to run the task again to generate a new one.

  12. Click OK.

  13. Make a note of the Refresh Token. You will need it to configure the One Model Workday Data Source.
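
The dash-range conversion described in the IP range note under step 6 can be done locally instead of with an online calculator. This is an added example, not part of the original article or of Workday's tooling; it uses Python's standard ipaddress module, assumes IPv4 entries, and its function names are hypothetical.

```python
import ipaddress

def to_segments(entry: str) -> list[str]:
    """Return one IP Range entry as values that contain no dash range."""
    entry = entry.strip()
    if "-" in entry:
        # Format 3 (X.X.X.X - Y.Y.Y.Y): break the range into CIDR segments.
        start_text, end_text = (part.strip() for part in entry.split("-", 1))
        start = ipaddress.IPv4Address(start_text)
        end = ipaddress.IPv4Address(end_text)
        if start > end:
            raise ValueError(f"range start is after range end: {entry!r}")
        return [str(net) for net in ipaddress.summarize_address_range(start, end)]
    if "/" in entry:
        # Format 2 (CIDR): validate only. strict=False accepts host bits,
        # as in the article's own example 192.168.0.1/24.
        ipaddress.IPv4Network(entry, strict=False)
        return [entry]
    # Format 1 (single address): validate only.
    ipaddress.IPv4Address(entry)
    return [entry]

def rewrite_ip_range(value: str) -> str:
    """Rewrite a comma-separated IP Range value so no entry uses a dash."""
    segments = []
    for entry in value.split(","):
        if entry.strip():
            segments.extend(to_segments(entry))
    return ", ".join(segments)

def allowed_address_count(value: str) -> int:
    """Count the addresses the list admits, to review how wide the range is."""
    return sum(
        ipaddress.IPv4Network(seg, strict=False).num_addresses
        for seg in rewrite_ip_range(value).split(", ")
        if seg
    )

if __name__ == "__main__":
    # Constructed sample input: the range from the article's example plus one address.
    sample = "199.67.128.0-199.67.192.255, 203.0.113.7"
    print(rewrite_ip_range(sample))
    print(allowed_address_count(sample), "addresses allowed")
```

The address count gives a quick check that the range entered in Restricted to IP Ranges is no wider than the integration needs.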

Create security group

  1. In the application's search box, search for 'create security group' and select the Create Security Group task.

  2. Set the Type of Tenanted Security Group to Integration System Security Group (Unconstrained).
     
  3. Enter a Security Group Name and click OK.
     
  4. In the Edit Integration System Security Group (Unconstrained) window, add the integration system user you created in Step 1 in the Integration System Users field.
     
  5. Click OK.

Add domain security policies

  1. In the application's search box, search for 'maintain security group' and select the Maintain Permissions for Security Group task.
     
  2. In the Integration Permissions section, in the Domain Security Policies permitting Get access field, select the security domains associated with the data in the reports you want to extract.
     
  3. To ensure your ISU can own and manage custom reports, we recommend that you also add the Domain Security Policies listed in this sheet to this screen: https://docs.google.com/spreadsheets/d/1n9I9aAJWwd4WnLOrieFrcPnI0P3tRiKb/edit?usp=sharing&ouid=109072264536229692761&rtpof=true&sd=true

  4. Enter these security policies into the screen, as shown above: https://docs.google.com/spreadsheets/d/1ZduYYSylXmHoWMgzgWha9MxZUnGZIFbN/edit?usp=sharing&ouid=109072264536229692761&rtpof=true&sd=true

    You don't need to update any of the content under the business process security policy permissions tab or the other usages tab. 
    Note: If you cannot access the above links, we have added the attachments to the bottom of this article. 

Activate policies

  1. In the application's search box, search for 'Activate Policy Change' and select the Activate Pending Security Policy Changes task.
     
  2. Give the change a description and click Confirm to activate.
     

Attachments from 3. and 4. 
