Search

Workday | Integration System User (ISU) Authentication

In this article, we help you authenticate your Integration System User (ISU) so you can obtain your Workday web services endpoint URL and connect your Workday account to your Oyster account.

Prerequisites

  • You have Admin access to your company’s account.
  • You are logged in to Workday with your Admin credentials.
  • You have completed Steps 1-7 of Connecting Workday to Oyster

Create an Integration System User (ISU)

  1. In the Search field, type: Create integration system user

  2. Select the Create Integration System User task. 

  3. In the Create Integration System User window, do the following:

    • Type a [User Name]
    • Create and verify a password
    • Do not select the Require New Password at Next Sign In check box
    • Type 0 (zero) for Session Timeout Minutes to prevent session expiration

      Make a note of this [User Name], you'll need it soon.

  4. Click OK.

 Workday-ISUsername.png

Add this user to the list of System Users to prevent the password from expiring.

Assign the ISU to a new security group

  1. In the Search field, type: create security group
  2. Select the Create Security Group task. The Create Security Group page appears.

  3. Select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group drop-down.

  4. Type a name in the Name field.

    Make a note of this [Group name], you'll need it in the next section.

 Workday-ISUsecuritygroup.png

  1. Click OK. The Edit Integration System Security Group (Unconstrained) page appears.

  2. In the Name field, type the [Group name] you just created.

  3. In the Integration System Users field, type the [User Name] you created previously.
  4. Click OK.

Workday-ISUsecuritygroup2.png

Configure domain security policy permissions

  1. In the Search field, type: Maintain permissions for security group

  2. Select the Maintain Permissions for Security Group task. The Maintain Permissions for Security Group page appears.

  3. Select the Maintain Operation, as necessary.

  4. Ensure the Source Security Group name is the same as the [Group name] you just assigned.

  5. Click OK.

Workday-ISUsecuritygroup-Permissions.png
  1. Add the corresponding Domain Security Policy Permissions with GET operation:

Please note the permissions listed below are the required permissions for the full HRIS API. Permissions can differ from implementation to implementation.

Parent Domains for HRIS Parent Domains for ATS
  • Job Requisition Data
  • Person Data: Name
  • Person Data: Personal Data

  • Person Data: Home Contact Information

  • Person Data: Work Contact Information

  • Worker Data: Compensation

  • Worker Data: Workers

  • Worker Data: All Positions

  • Worker Data: Current Staffing Information

  • Worker Data: Public Worker Reports

  • Worker Data: Employment Data

  • Worker Data: Organization Information

  • Worker Data: Time Off**

** To access Time Off data: you need both GET and View access to the Time Off domains.

  • Candidate Data: Job Application

  • Candidate Data: Personal Information

  • Candidate Data: Other Information

  • Pre-Hire Process Data: Name and Contact Information

  • Job Requisition Data

  • Person Data: Personal Data

  • Person Data: Home Contact Information

  • Person Data: Work Contact Information

  • Manage: Location

  • Worker Data: Public Worker Reports

     

 

Activate security policy changes

  1. In the search bar, type: Activate Pending Security Policy Changes

  2. Click the Activate Pending Security Policy Changes task to view a summary of the changes in the security policy that need to be approved.

  1. Add any relevant comments in the window that appears.

  2. Select the Confirm checkbox to accept the changes.

Validate the authentication policy

Check the Manage Authentication Policies section to ensure the ISU you created is added to a policy that can access the necessary domains. It should not be restricted to only the "SAML" Allowed Authentication Types – if this is the case, you can create a new Authentication Policy with a "User Name Password" Allowed Authentication Type.

  1. Edit the Authentication Policies
  1. Create an Authentication Rule and add the Security Group to the Rule.
  1. Ensure the Allowed Authentication Types is set to either:
    • Specific > Any
    • Specific > User Name Password

Activate all pending authentication policy changes

  1. In the search bar, type Activate All Pending Authentication Policy Changes.
  2. Select the Activate All Pending Authentication Policy Changes task. The Activate All Pending Authentication Policy Changes page appears.

  1. Proceed to the next screen and select the Confirm checkbox. This will activate the Authentication Policy that was just created.

Continue connecting Workday to Oyster

  1. Proceed to obtain your Workday web services endpoint URL.

Was this article helpful?

0 out of 0 found this helpful