Workday Human Capital Management

with workday human capital management (hcm) modules in make, you can manage the staffing, human resources, compensation, absence, recruiting, benefits, learning, finances, resources, performance, and payrolls in your workday human capital management account refer to the workday hcm api documentation https //community workday com/sites/default/files/file hosting/productionapi/index html for a list of available endpoints get started with workday hcm to use workday hcm with make, a workday hcm admin must first complete the following workday human capital management docid\ yngk7qn9vad wlakpriwb workday human capital management docid\ yngk7qn9vad wlakpriwb workday human capital management docid\ yngk7qn9vad wlakpriwb workday human capital management docid\ yngk7qn9vad wlakpriwb workday human capital management docid\ yngk7qn9vad wlakpriwb create an integration system user workday recommends using an integration system user (isu) to integrate with external services such as make for the following reasons isus carry all operations and documents under the isu, rather than using a worker specifically for integration and workflow activities integrations using an isu will not stop working if a worker's security profile changes or they are no longer an employee each isu can and should be limited to a single integration, such as make, for security reasons the isu must have the mandatory permissions to perform the required actions for your {{scenario singular lowercase}} if you receive an error that states the task submitted is not authorized when building a {{scenario singular lowercase}} , the isu does not have sufficient permissions to create an isu task and configure the isu account for the integration, follow these steps in your workday account search bar, search for and select the create integration system user task enter the following details and click ok user name enter the name of the user we recommended including isu in the user name for easy identification generate random password select if you want to generate a random password for the user new password enter a password according to the password requirements new password verify re enter the password to confirm require new password at next sign in select the checkbox to enable the new password settings on the user's next login session timeout minutes enforced this field cannot be edited session timeout minutes leave the session timeout minutes as the default value of 0 to prevent session expiration an expired session can cause the integration to time out before it successfully completes do not allow ui sessions this field can be checked as isus do not typically require the ui you have successfully created the isu and a list of security groups are assigned by default this default list can differ for customer environments specifications to avoid integration errors due to expired passwords, workday recommends preventing the isu password from expiring go to the maintain password rules task and add the isu to the system users exempt from password expiration field create an integrated system security group an integrated system security group (issg) will be used to create a connection between the isu, domain, and web service to create a security group task, follow these steps in your workday account search bar, search for and select the create security group task enter the following details and click ok type of tenanted security group select integration system security group (constrained) or (unconstrained) name enter a name for the security group we recommend including issg in the name for easy identification assign integrated system security group to the isu to assign the issg to the isu open the security group created in the above section, enter the following details, and click ok name enter the security group name comment add applicable notes integration system users select the isu created in the section above to validate the relation between the isu and the security group, search for and select the view security groups for user task in the person field, select the account and click ok verify that the created security group is now assigned to the isu configure domain settings for isu in this section, you will configure the domain settings for the isu there are several ways to access the domain settings screen, make recommends following the steps defined in this section continue from the custom report created in the previous section the following screens will contain examples for configuring domain settings for web service operation name, get worker profile based on the web service matrix , get an employee module filter the report by web service operation name and select the relevant domain for example, get worker profile click on the menu > domain > edit security policy permissions click on the menu > domain > edit security policy permissions confirm the action by clicking ok activate pending security policy changes in this section, you will configure the domain settings for the isu there are several ways to access the domain settings screen, make recommends following the steps defined in this section continue from the custom report created in the previous section the following screens will contain examples for configuring domain settings for web service operation name, get worker profile based on the web service matrix , get an employee module filter the report by web service operation name and select the relevant domain for example, get worker profile click on the menu > domain > edit security policy permissions click on the menu > domain > edit security policy permissions confirm the action by clicking ok validate integration security group to validate the security group in your workday account search bar, search for and select the view security group task enter the security group name you have created verify that the created integration security group has assigned operation for the specified domain connect workday hcm to make you can establish two types of connection between workday hcm and make with user credentials or oauth2 the system administrators must thoroughly understand and review their organization's authentication policy and design the integration user based on it connect workday hcm to make (user credentials) to establish the connection, you must workday human capital management docid\ yngk7qn9vad wlakpriwb establish the connection in make workday human capital management docid\ yngk7qn9vad wlakpriwb workday human capital management docid\ yngk7qn9vad wlakpriwb obtain your host url in workday hcm to obtain a host url from your workday hcm account log in to your workday hcm account as an admin go to view api clients copy a token endpoint and store in a safe place you will use this value in the host url field in make establish the connection with workday hcm in make (user credentials) to establish a connection with user credentials log in to your make account, add a workday hcm module to your {{scenario singular lowercase}} , and click create a connection in the connection type dropdown, select workday hcm enter your host url address that you copied above without a trailing slash for example, https //wd3 services1 myworkday com for your production instance and https //wd3 impl services1 workday com for your sandbox instance enter your tenant id this can be located in your account url address as follows https //hostname workday com/tenantid/d/home/html in the username and password fields, enter the workday hcm login credentials with api access for more information, see the workday human capital management docid\ yngk7qn9vad wlakpriwb section click save you have successfully established the connection you can now edit and add more workday hcm modules if your connection requires reauthorization, follow the connection renewal steps here docid\ so88fm6pkt0g adkddfzz establish the connection with workday hcm in make (oauth2) before establishing an oauth2 connection, your workday system administrator must complete the steps in the workday human capital management docid\ yngk7qn9vad wlakpriwb section to generate client credentials and refresh tokens log in to your make account, add a workday hcm module to your {{scenario singular lowercase}} , and click create a connection in the connection type dropdown, select workday hcm oauth2 enter your host url address that you copied above without a trailing slash for example, https //wd3 services1 myworkday com for your production instance and https //wd3 impl services1 workday com for your sandbox instance enter your tenant id this can be located in your account url address as follows https //hostname workday com/tenantid/d/home/html in the client id and client secret fields, enter your client credentials enter the refresh token for the connection, provided by your workday system administrator each connection should have its own refresh token as sharing tokens may result in connections being broken workday system administrators can generate tokens in workday > view api clients > manage refresh tokens for integrations set the access token expiry in seconds , provided by your workday system administrator this value must be the same as the token expiry settings in workday click save you have successfully established the connection you can now edit and add more workday hcm modules if your connection requires reauthorization, follow the connection renewal steps here docid\ so88fm6pkt0g adkddfzz set up workday hcm for oauth2 connections follow these steps in workday to retrieve the client credentials and refresh tokens necessary to establish an oauth2 connection generate client credentials in your workday account search bar, search for and select the register api client for integrations task fill in the client name field check the non expiring refresh tokens box this is important to minimize risk of integration down time if it is not selected, a new refresh token must be manually created and entered into make after each expiration add the following scopes (functional areas) system for wql functionality and tenant non configurable for raas functionality click ok copy the client id and client secret values and store them in a safe place this is important as you will not be able to view the client secret again after leaving this page and you will be required to generate new credentials you have successfully created the client id and client secret to be used when creating the oauth2 connection in make configure refresh tokens in your workday account, go to view api clients find the relevant api client and click on > api client > manage refresh tokens for integrations note this is also where you can edit api client scopes, generate new client secrets, and find new refresh tokens if an expiration date was set in the manage refresh tokens for integrations window, enter the workday account to be assigned to the api client this account must have access to the reports you would like to work with wql, raas, and soap api security is tied to the workday account click ok in the delete or regenerate refresh token task, click the generate new refresh token box copy the refresh token and store it in a safe place note each workday account will have its own refresh token, but can have the same client id and client secret as other accounts linked to the api client you have successfully created the refresh token to be used when creating the oauth2 connection in make