If the admin account credentials cannot be used in the SCIM integration setup through Starling Connector, the alternative is to use the credentials of an integration system user configured in the Workday tenant. This section describes how to create an integration system user in Workday and grant the necessary permissions based on the business use cases.
Creating an integration system user
To create an integration user:
- Sign in to your Workday tenant using an administrator account. In the Workday Application, enter create user in the search box, and then click Create Integration System User.
- Complete the Create Integration System User task by supplying a user name and password for a new Integration System User.
- Leave the Require New Password at Next Sign In option unchecked, because this user will log on programmatically.
- Leave the Session Timeout Minutes with its default value of 0, which will prevent the user's sessions from timing out prematurely.
- Select the option Do Not Allow UI Sessions, as it provides an added layer of security by preventing a user who has the integration system user's password from logging in to Workday.
Creating an integration security group
In this step, you will create an unconstrained or constrained integration system security group in Workday and assign the integration system user created in the previous step to this group.
To create a security group:
- Enter create security group in the search box, and then click Create Security Group.
- Complete the Create Security Group task.
- There are two types of security groups in Workday:
  - Unconstrained: All members of the security group can access all data instances secured by the security group.
  - Constrained: All security group members have contextual access to a subset of data instances (rows) that the security group can access.
- Please check with your Workday integration partner to select the appropriate security group type for the integration.
- Once you know the group type, select Integration System Security Group (Unconstrained) or Integration System Security Group (Constrained) from the Type of Tenanted Security Group dropdown.
- After the Security Group creation is successful, you will see a page where you can assign members to the Security Group.
- Add the new integration system user created in the previous step to this security group. If you are using a constrained security group, you will also need to select the appropriate organization scope.
Configuring domain security policy permissions
In this step, you'll grant "domain security" policy permissions for the worker data to the security group.
To configure domain security policy permissions:
- Enter Security Group Membership and Access (or Who are the Members of a Security Group) in the search box and click on the report link.
- Search and select the security group created in the previous step.
- Click on the ellipsis (...) next to the group name and from the menu, select Security Group > Maintain Domain Permissions for Security Group.
- Under Integration Permissions, add the following domains to the list Domain Security Policies permitting Put access:
  - External Account Provisioning
  - Worker Data: Public Worker Reports
  - Person Data: Work Contact Information
  - Workday Accounts
- Under Integration Permissions, add the following domains to the list Domain Security Policies permitting Get access:
  - Worker Data: Workers
  - Worker Data: All Positions
  - Worker Data: Current Staffing Information
  - Worker Data: Business Title on Worker Profile
  - Worker Data: Qualified Workers (Optional - add this to retrieve worker qualification data for provisioning)
  - Worker Data: Skills and Experience (Optional - add this to retrieve worker skills data for provisioning)
  - Job Information
  - Manage: Location
  - Manage: Location Hierarchy
  - Manage: Organization Integration
  - Manage: Supervisory Organization
  - Person Data: Date of Birth
  - Person Data: Gender
  - Person Data: ID Information
- After completing the above steps, the permissions screen will appear summarizing the selected PUT and GET access permissions.
- Click OK and Done on the next screen to complete the configuration.
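To check that the security group holds only the access listed above, the following Python script (an added example, not part of the original documentation or of Workday or Starling Connect) compares a permissions export against the Put and Get lists in this section. It assumes the group's domain permissions were exported to CSV with the hypothetical columns Domain and Access; the sample rows are constructed, and Put and Get are compared independently, as the lists above present them.

```python
import csv
import io

# Baseline copied from the Put and Get domain lists in this section.
REQUIRED_PUT = {
    "External Account Provisioning", "Worker Data: Public Worker Reports",
    "Person Data: Work Contact Information", "Workday Accounts",
}
REQUIRED_GET = {
    "Worker Data: Workers", "Worker Data: All Positions",
    "Worker Data: Current Staffing Information",
    "Worker Data: Business Title on Worker Profile", "Job Information",
    "Manage: Location", "Manage: Location Hierarchy",
    "Manage: Organization Integration", "Manage: Supervisory Organization",
    "Person Data: Date of Birth", "Person Data: Gender",
    "Person Data: ID Information",
}
OPTIONAL_GET = {"Worker Data: Qualified Workers", "Worker Data: Skills and Experience"}


def audit(export_csv):
    """Return missing and excess domain grants relative to the baseline."""
    granted = {"Get": set(), "Put": set()}
    for row in csv.DictReader(io.StringIO(export_csv)):
        access = row["Access"].strip().capitalize()
        if access not in granted:
            raise ValueError(f"unexpected access type: {access!r}")
        granted[access].add(row["Domain"].strip())
    return {
        "missing_put": sorted(REQUIRED_PUT - granted["Put"]),
        "missing_get": sorted(REQUIRED_GET - granted["Get"]),
        "extra_put": sorted(granted["Put"] - REQUIRED_PUT),
        "extra_get": sorted(granted["Get"] - REQUIRED_GET - OPTIONAL_GET),
    }


def sample_export():
    """Constructed export: one Put grant missing, two grants beyond the baseline."""
    rows = [(d, "Put") for d in REQUIRED_PUT - {"Workday Accounts"}]
    rows += [(d, "Get") for d in REQUIRED_GET | {"Worker Data: Qualified Workers"}]
    rows += [("Person Data: Date of Birth", "Put"), ("Constructed: Unlisted Domain", "Get")]
    return "Domain,Access\n" + "\n".join(f"{d},{a}" for d, a in rows)


if __name__ == "__main__":
    for finding, domains in audit(sample_export()).items():
        print(f"{finding}: {domains}")
```

Entries under extra_put or extra_get are grants beyond what this section lists and are candidates for removal from the group.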
Edit business process security policies
To edit the Business Process Security Policies for Functional Area report:
- Access the Business Process Security Policies for Functional Area report.
- Provide the needed “Functional Area” and the “Business Process”, and then click Edit Permissions at the bottom of the screen.
- Scroll and find the “Initiating Action” which has “(Web Service)” in it.
- Add the Security Group created above.
- Click OK and Done on the next screen to complete the configuration.
The following use cases require these permissions when using Starling Connect for Workday:
Use case in the connector | Functional Area | Business Process | Initiating Action |
---|---|---|---|
Edit Other / Custom IDs for Worker | Personal Data | Edit Other IDs | Change Other IDs (Web Service) |
Modify home contact information | Contact Information | Home Contact Change | Change Home Contact Information (Web Service) |
Modify work contact information | Contact Information | Work Contact Change | Change Work Contact Information (Web Service) |
Modify contact information using maintain contact information API | Contact Information | Contact Change | Maintain Contact Information (Web Service) |
Activating security policy changes
To activate security policy changes:
- Enter activate in the search box, and then click on the link Activate Pending Security Policy Changes.
- Begin the Activate Pending Security Policy Changes task by entering a comment for auditing purposes, and then click OK.
- Complete the task on the next screen by checking the checkbox Confirm, and then click OK.