Workday

The Workday plugin for InsightConnect is a custom built plugin which connects to Workday via API to pull Worker data, Trigger off of Events and Enable/Disable accounts.

  • You can enable/disable accounts, search workers and trigger off of completed Business Process events in Workday with the Workday plugin for InsightConnect.
  • To use the Workday plugin, you need to import Workday Custom Reports from the Solution Catalog and set up appropriate security.

Depending on your support model, you may need the assistance of HRIS to assist with the set up required for Workday configuration.

Required Knowledge and Skills

This configuration guide is intended for Workday System Integrators, Workday Customer IT Departments and InsightConnect Administrators.

This guide assumes you are familiar with the following:

  • Workday Security Configuration (e.g. Integration System Users, Security Groups, Business Process policies)
  • Workday Solutions
  • Workday Calculated Field Creation and Custom Reports
  • InsightConnect Plugin Configuration

Configuration Steps

This part will of the guide will be split into two parts - steps to perform in your Workday Tenant and steps to perform in InsightConnect. Both parts are to be completed to enable the integration between InsightConnect Workday plugin, and your Workday tenant.

List of configuration steps to perform in Workday:

  1. Importing the Workday Solution
  2. Creating Workday Security Setup

List of configuration steps to perform in InsightConnect:

  1. Configure the InsightConnect Workday plugin connection

Importing the Workday Solution

Login to a non-Preview Workday tenant with a user who has Security Administrator and Security Configurator access.

The easiest way to get the configuration setup in the Workday tenant is to use Workday’s Solution functionality to pull in the required configuration and make modifications from there.

Rapid7 has made a solution available to install the required Custom Reports and Calculated Fields for Event and Worker details.

Prerequisites:

  • Workday User with Security
    • “PUT Solution”
    • Custom Report Administrator
    • Security Configurator
    • Security Administrator
    • Business Process Administrator
  • Non-Preview Workday Tenant
  • Solutions Enabled in the tenant

Enable Security for Solutions

For more details on how to enable Solutions in your Workday tenant please visit Workday Administrator Guide.

You can run the Enable Solutions task which sets up the necessary certificates in the Workday tenant to import solutions.

Enable Security for Solutions

Confirm Enable Solutions

Import the Solution

  1. Search for browse solutions in Workday.

    Browse Solution

  2. Search for solution ID a53d75669349015e314c04326d090cc5 and click OK to confirm.

    Enter Solution ID

  3. You should get the following result. Click on Import All to being the process.

    Import the Solution

  4. Confirm the Solution Import and click OK.

    Confirm Import

  5. Optionally, if you wish to receive notifications when the Solution has been updated, click the Checkbox, select the Tenant (recommend using the Production tenant so tenant refreshes don’t clear the notification) and type the username of the user who should receive the notification.

    Notification Details

  6. Accept the Importing Agreement by ticking the Accept box.

    Accept Import Agreement

  7. The import process will begin. Click on the refresh button peridically, until the process completes.

    Refresh

  8. Once the process is completed, select the Review Import button.

    Review import

    This will show the Objects that were imported as part of the solution. Two key objects are the Custom Reports named RPT InsightConnect Events and RPT InsightConnect Workers. Make sure that these are listed in the import.

    Review solution

Workday Security Setup

The plugin should be set up to run with the permissions of an Integration System User with narrow permissions to only access the data and APIs it needs.

Create the Integration System User

  1. Search and run the Create Integration System User task

    Create Integration System User

  2. Give the account a meaningful name (e.g. “ISU_InsightConnect”) and a complex password. Make sure to save this for later use. Then tick the Do Not Allow UI Sessions checkbox.

    Integration System User Configuration

  3. Click OK to save.

To prevent the password for the ISU from periodically expiring, you can add this user to the Password Expiration Exemption list. If you don’t configure this, you will have to periodically update the ISU password in Workday and in the InsightConnect plugin so that it retains valid credentials.

  1. Navigate and run the Maintain Password Rules task.

    Maintain Password Rules

  2. Scroll down to the bottom and select the username of your Integration System User to add them to the list and click OK.

    Exempt from Password Expiration

Create the Security Group

  1. Navigate and execute the Create Security Group task.

    Create Security Group

  2. Select Integration System Security Group (Unconstrained) and give it a meaningful name (e.g. "ISSG InsightConnect").

    Integration System Security Group

  3. Optionally, add a Comment and select the Integration System User you created in the previous step.

    Commeny Integration User

  4. Now, that the user is created, click OK to save the Security Group and click the Related Action icon and select Security Group / Maintain Domain Permissions for Security Group.

    Maintain Domain Permissions

  5. Add the permissions in the table below.

    Add Permissions

  6. Add the following Security Policies to the Security Group.

    OperationDomain Security PolicyFunctional Areas
    Get and PutWorkday AccountsSystem
    Get OnlyWorker Data: Current Staffing InformationStaffing
    Get OnlyWorker Data: Active and Terminated WorkersStaffing
    Get OnlyPerson Data: Work PhoneContact Information
    Get OnlyPerson Data: Work EmailContact Information
    Get OnlyBusiness Process ReportingSystem
    View and ModifyCustom Report CreationSystem
  7. Click OK to save.

  8. Finally, run the Activate Pending Security Policy Changes so that the security changes take effect.

    Activate Pending Changes

Transfer Custom Report Ownership

The reports are imported from the Solution Catalog without ownership so we have to Transfer Ownership and configure Sharing.

  1. Run the Transfer Ownership of Custom Reports task, as shown below.

    Transfer Custom Reports

  2. Search for Report Name(s) InsightConnect and select the both the RPT InsightConnect Events and RPT InsightConnect Workers reports.

  3. Assign the New Owner to the ISU account you created.

    New Owner

  4. Click on the Related Action icon and select Custom Report / Transfer Ownership.

  1. With the Report Ownership transferred to the ISU, the ISU account can now access the REST API but to ensure it doesn’t lose access we should share the report with security groups.

    Custom Report

  2. Click on the Share tab and select the Share with specific authorized groups and users radio button. Select the InsightConnect security group and optionally add other Administrator groups that should have access to the reports (e.g. HR Administrator).

    Group and Users

  3. Click on OK to save.

Important: Repeat the process for the RPT InsightConnect Workers report.

Get and Save the Custom Report REST URLs

With the report ownership changed and shared appropriately, we can now obtain the URL’s for them so we can configure them in the InsightConnect plugin at a later stage.

  1. Click on the Related Action icon and select Web Service / View URLs on the report. Then, click OK on the prompt screens.

    View Custom Report

  2. Scroll down and right click on the JSON Hyperlink and Copy and Save the URL. It will have a format similar to the following URLs:

    View URL

Important: Repeat this for both the Workers and Events reports and save it for later.

Configure the Workday Events Filter

The RPT InsightConnect Events report is used to listen for Business Process events that have completed. Each InsightConnect workflow client can have a different list of events that they are interested in and want to use as triggers inside InsightConnect.

In order for the ISU to have access to the completed event data, we need to first modify events that we are interested in and secondly modify the Business Process permissions.

Note: These steps are where you will likely need assistance from a Workday HR / Integrations administrator

  1. Search for the CF TF Worker Events Filter Calculated Field which controls which Business Process Types are listened for.

    Worker Events Filter

  2. Review and Modify the Business Process Types, as shown below.

    Review and Modify

    The Calculated Field by default filters for Business Process Types of:

    • Hire / Contract Contingent Worker
    • Termination / End Contingent Worker Contract
    • Create Workday Account
    • Name Changes
    • Change Job / Organization / Locations
    • Request / Return from Leave of Absence

    Depending on what you want your Plugin to listen for and how your organization uses Workday Business Processes, this list may need to be modified.

    List

  3. Once you have selected and saved the Business Process Types to filter on, you need to assign specific Business Process security to our ISU so it can access completed events.

  4. For each Business Process you are listening for in your filter, search for it, use the Related Action icon and select Business Process Policy and click on Edit.

    Business Process

  5. Scroll down to the Who Can Do Actions on Entire Business Process section and add the Security Group to the View Completed Only action.

    Business Process Actions

  6. Click OK to save and repeat this for the other Business Process Types.

  7. Run the Activate Pending Security Policy Changes so that these security changes take effect.

    Activate Pending Changes

InsightConnect Workday Plugin Connection Configuration

Now that you’ve created the user and reports in Workday, you can configure the Workday connection in InsightConnect to use the plugin.

  1. In InsightConnect, open the connection configuration for the Workday plugin.

    • You can do this when selecting the Workday plugin during a workflow building session in the Workflow Builder, or by creating the connection independently by choosing Plugins & Tools from the Settings tab on the left menu. On the Plugins & Tools page, select the Connections tab and click Add Connection in the upper-right corner.

    Add Connection

  2. To use the Plugin in a Workflow, create a new Workflow and select the Workday plugin. Select the Events Polling action.

    Events Polling Action

  3. Select Add a New Connection.

    Add a New Connection

  4. Configure the connection for the Workday plugin.

    • Give the connection a unique and identifiable name
    • Select the orchestrator the plugin should run on
    • Choose the Workday plugin from the list. If it’s not available, import the plugin from the Installed Plugins tab.

    Create Connection

  5. Configure your Workday credentials.

    • In the credentials field, enter the ISU username and password created from the previous step.

    Configure Credentials

    • In the Workday Tenant API Endpoint field, lookup your tenant prefix from the Workday URL column in the table below and enter the Workday Endpoint URL.
    Workday URLWorkday Endpoint URL
    www.myworkday.comhttps://services1.myworkday.com
    wd3.myworkday.comhttps://wd3-services1.myworkday.com
    wd5.myworkday.comhttps://wd5-services1.myworkday.com
    wd12.myworkday.comhttps://e2.wd12.myworkday.com
    wd10.myworkday.comhttps://e2.wd10.myworkday.com
    wd102.myworkday.comhttps://e2.wd102.myworkday.com
    impl.workday.comhttps://wd2-impl-services1.workday.com
    wd3-impl.workday.comhttps://wd3-impl-services1.workday.com
    wd5-impl.workday.comhttps://wd5-impl-services1.workday.com
    impl.wd12.workday.comhttps://impl-e2.wd12.myworkday.com
    impl.wd10.workday.comhttps://impl-e2.wd10.myworkday.com
    impl.wd102.myworkday.comhttps://e2.wd102.myworkday.com
    • In the Workday Events Report enter the JSON URL of the Events report you saved in a previous step.
    • In the Workday Worker Search Report enter the JSON URL of the Workers report you saved in a previous step.
    • In the Workday Tenant Name look at the Workday tenant URL string and enter the unique name of the tenant. For example, if your Workday tenant URL is this https://wd3-impl.workday.com/wday/authgwy/**client_gms1**/login.htmld, then the tenant name is “client_gms1”

    Populated Credentials

Additional Notes

Rescinded Business Process Events in Workday will not trigger Events in the Plugin.