Prerequisites for Creating a Connection

You must satisfy the following prerequisites to create a connection with the Workday Adapter.

• Enable Functional Areas
• Create a Workday User Account
• Mandatory Policies
• Assign a Domain Policy
• Obtain the Workday Hostname and Tenant Name from the Sandbox User Interface
• Register an API Client to Use the Authorization Code Credentials Security Policy

Enable Functional Areas

The following functional areas must be enabled in the Workday application to use the Workday Human Capital Management and Workday Financial Management products in the Adapter Endpoint Configuration Wizard.

• Common Financial Management
• Recruiting
• Staffing

Follow these steps to enable the functional areas:

1. Log in to the Workday application.
2. Search for the Maintain Functional Areas task in the search box.
3. Select the Enabled checkbox for the Common Financial Management, Recruiting, and Staffing functional areas.
4. Click OK, then click Done.
5. Search for Activate Pending Security Policy Changes in the search box.
6. On the Activate Pending Security Policy Changes page, enter your comments in the Comments field, and click OK.
7. Select the Confirm checkbox, and click OK.

Create a Workday User Account

You must have an existing Workday integration system user account. A user account is required to provide the credentials necessary to create the connection and integration. Create the Workday integration system user with the Integration System security group (Unconstrained) group.

Note:

See the Mandatory Policies tables for lists of all domain policies that are required to connect to Oracle Integration and view the operations, reports, and Enterprise Interface Builder (EIB).

Custom Security Group: Create a custom security group for the integration user. This group should include authorizations based on the customer requirement, such as web service operations, task, report, and EIB. Ensure that the custom security group is assigned to the integration system user (ISU).

ISU_SOADEMOEVENT_Group

This is the security group created to assign specific authorizations to the user. Permissions given to this group are based on the customer requirement.

1. Log in to the Workday application.

2. Search for the task Create Integration System User.

3. Set the username and password.

4. Search for the task Create Security Group.

5. Select the type as Integration System security group (Unconstrained).

6. Set the group name and press Enter.

7. Select the integration system username from the dropdown list to assign the user to that group.

Mandatory Policies

• Design-Time: The minimum Workday authorizations/polices required to create the Workday endpoint during the design phase where you select desired Workday services and reports based on the business use case. These policies are categorized as design-time authorization (configuration) in the following tables.
• Run-Time: The minimum Workday authorization/polices required for running the created integration after activation and during the execution. These policies are categorized as runtime authorization (configuration) in the following tables.

Workday Public Web Service (Runtime Configuration)

To access any specific web service, you must have the related domain policy access. See Assign a Domain Policy.

Table 2-1 EIB (Design-time Configuration)

Operation	Domain Policy	Functional Area
View Only	Integration Build	Integration
Get Only	Integration Process	Integration

Table 2-2 EIB (Runtime Configuration)

Operation	Domain Policy	Functional Area
View Only	Integration Build	Integration
Get Only	Integration Process	Integration
Get and Put	Integration Event	Integration

In case of EIB (design time), you must have Integration Process domain policy access to see all integration systems.

For EIB (run time), you must have Integration Event domain policy access to launch the integration and create the integration events. To create integration events, the PUT permission is required for this domain policy.

The integration build is required to access the View Web Service Operations Security Groups report to check the tasks and actions assigned to the user.

In addition, the ISU must have access to the data source of the report being used as a data source in EIB. See Assign a Domain Policy.

Table 2-3 RAAS (Design-Time Configuration)

Operation	Domain Policy	Functional Area
View Only	Manage: All Custom Reports	System

Table 2-4 RAAS (Runtime Configuration)

Operation	Domain Policy	Functional Area
View Only	Manage: All Custom Reports	System

In case of RAAS, the integration system user (ISU) must have access to the Manage: All Custom Reports domain policy that is mandatory to see all custom reports (shared or owned by the user) and execute in Oracle Integration. In addition, ISU must have access to Reports Data Source. See Assign a Domain Policy.

Note:

Ensure the following properties are set for your Workday EIB to be visible in the Adapter Endpoint Configuration Wizard.

• Data source type must be set to Custom Report.
• MIME type must be set to CSV.

Ensure the following properties are set for your Workday RaaS report to be visible in the Adapter Endpoint Configuration Wizard.

• The report type must be set to Advanced or Search.
• The report must be enabled as a Web Service.
• The report must be shared with or owned by the Oracle Integration user.

Assign a Domain Policy

Assign Get access for the Get Worker web service or Put access for the Put School Type web service.

1. Log in to the Workday application.
2. Search for the View Security for Securable Item in the search box.
3. Enter the web service name in the Securable Item field that you need to access, and click OK.
4. On the results page, click View Security for the specific task that you need to evaluate.
5. Click the ellipsis icon (…) for the specific security policy and navigate to Domain > Edit Security Policy Permissions.
6. Add a new row in the Integration Permissions section, search for the security group, and select the Get/Put checkbox to assign the permission.
7. Click OK.
8. On the Activate Pending Security Policy Changes page, enter your comments, and click OK.
9. Select the Confirm checkbox, and click OK.

   Note:

   If there is more than one domain policy, select them one by one and assign the policies. After assigning the policies, activate all of them at once.

Follow these steps to assign a domain policy to Get access on the Report Data Source:

1. Log in to the Workday application.
2. Search for the View Custom Report task in the search box.
3. Enter the report name in the Custom Report field that you need to access, and click OK.
4. In the Data Source field, click the ellipsis icon (…) next to the data source and navigate to Security > View Security.
5. In the Domain column, click the eclipse icon (…) for the specific security policy and navigate to Domain > Edit Security Policy Permissions.
6. Add a new row in the Integration Permissions section, search for the security group to which you need to provide access, and select the Get/Put checkbox to assign the permission.
7. Click OK.
8. On the Activate Pending Security Policy Changes page, enter your comments, and click OK.
9. Select the Confirm checkbox, and click OK.

   Note:

   If there is more than one domain policy, select them one by one and assign the policies. After assigning the policies, activate all of them at once.

Obtain the Workday Hostname and Tenant Name from the Sandbox User Interface

When you create your Workday Adapter connection on the Connections page, you must specify the following details:

• Workday hostname

• Tenant name

The following steps describe how to obtain this information.

To obtain the Workday hostname:

1. Log in to the Workday sandbox or production instance.

2. Search for Public Web Service in the search box.

3. Select Public Web Service from the search results.

4. Under Actions, click the Web Services list and select View WSDL.

   The WSDL file is opened for viewing.

5. Scroll down to the end to find the hostname value assigned to the location element. The Workday hostname value appears. For example:

   location=”https://hostname/ccx/....)”

6. Copy and save the Workday hostname value from the location element. For example:

   wd5-impl-services1.workday.com

To obtain the tenant name from the sandbox:

1. Log in to the Workday sandbox.

2. On the first page, find the tenant details appearing in the upper left corner of the page. The tenant details follow the Sandbox Type – Tenant Name format.

   
   
   Description of the illustration tenant_sandbox.png
   

Register an API Client to Use the Authorization Code Credentials Security Policy

To generate the client ID and client secret, you must register an API client in Workday.

1. Log in to the Workday application.
2. Search for API Client in the search box.
3. Click the Register API Client task.
4. In the Client Name field, enter a client name.
5. In the Client Grant Type field, select Authorization Code Grant.
6. Select the Enforce 60 Minute Access Token Expiry checkbox.
7. In the Access Token Type field, select Bearer.
8. In the Redirection URI field, enter the redirect URI in the following format:

   https://OIC_instance_URL/icsapis/agent/oauth/callback

9. In the Scope (Functional Areas) field, select the scopes in accordance with the operation you need to execute.
10. Select the Include Workday Owned Scope checkbox.
11. Click OK. The client ID and client secret are displayed.
12. Copy the client ID and client secret for your API client. You'll need to enter those values on the Connections page when you configure security for your Workday Adapter connection in Oracle Integration. See Configure Connection Security.
13. Click Done.