Setup Overview

You will need to provide the following to Moveworks.

• Integration System User (ISU) Credentials
  • Username
  • Password
• API Client for Integrations Credentials
  • Client ID
  • Client Secret
  • API Client Refresh Token for the ISU
• Enable OAuth 2.0 Clients Enabled
  • Edit Tenant Setup
• URLs
  • Any RaaS-Enabled Report URLs
    • Approval Retrieval
    • Time Off Details
  • Token Endpoint
  • Workday REST API Endpoint
  • End User URLs
    • Workday Home Page
    • Absence Calendar

👉 Provide provide ALL of the above to your Moveworks Customer Success team via encrypted email.

Grant ISU Domain Security Permissions

Please create an Integration System User (ISU) and Integration System Security Group (ISSG).

How to Create an ISU with Domain Security Permissions

Create the ISU

1. Use the universal search to find the Create Integration System User (ISU) Workday Task.
   
2. Use the Create Integration System User (ISU) Workday Task to create a user following these settings. Write down the username and password that you use.
   
3. Validate that the ISU has these default permissions after creation.
   

Create an ISSG and add the ISU to it

1. Find the Create Security Group task.
   
2. Create an Integration System Security Group (Unconstrained) (ISSG). Title it "ISSG_Moveworks" for best practices.
   
3. Use the All Workday Accounts report to find the account again.
   
4. Use the action menu to select Assign Integration System Security Groups.
   
5. Add the ISU to the ISSG.
   

Add Domain Security Policies to the ISSG

1. Navigate to the ISSG using the View Security Group Report.
   
2. Use the menu item for Maintain Domain Permissions for Security Group.
   
3. Add any permissions that are needed for your Moveworks bot. You can find the full list of permissions here.
   
4. Activate your permissions with the Activate Pending Security Policy Changes task.
   

Permissions

💡

Note: The Modify and Put permissions are not necessarily required to identify users. The View and Get permissions should be enough for the use case. However, we might need to explore those permissions too if we fail to fetch users using the View and Get permission types.

Create API Client for Integrations

Please create an API Client for Integrations and provide the following function areas (scopes). Then create a refresh token for the ISU you created earlier.

How to Create an API Client for Integrations

Create API Client

1. Search for Register API Client for Integrations.
   
2. Set the name to Moveworks and add the scopes required. You can find the full list of scopes here.
   
3. Write down your Client ID and Client Secret.
   
4. Navigate to View API Clients. Write down the Token Endpoint and Workday REST API Endpoint.
   

Provision a Refresh Token for the ISU

1. From the View API Clients view, click on the API Clients for Integrations tab. Click on the API Client you just created.
   
2. From the related actions menu, select Manage Refresh Tokens for Integrations.
   
3. Add the ISU Account you created earlier to the API Client.
   
4. Select Generate Refresh Token.
   
5. Write down your new refresh token.
   

Enable OAuth 2.0 Clients Enabled

👍

Check the box for OAuth 2.0 Clients Enabled

Access the Edit Teams Setup – Security task and select the checkbox for OAuth 2.0 Clients Enabled

📘

Follow the above step with the help of this screenshot and box in red

Scopes

Create RaaS-Enabled Reports

Create each of the following reports into your Workday instance. Transfer ownership to our ISU, then share the JSON URL with your Moveworks Customer Success team.

Approval Retrieval Report

Download

How it is used

We use this report to detect when new approvals are pending in your Workday instance.

Prompt Instructions

When generating the JSON URL, provide any Business Process Definitions that you would like Moveworks to support.

Time Off Details by ID Report

Download

How it is used

We use this report to get time off details for our approval notifications.

Prompt Instructions

You can provide any values for the prompts when generating the JSON URLs, it doesn't matter.

How to Create & Transfer a Workday Report

Repeat the steps below for EACH report you need to create, which are the Approval Retrieval Report and the Time Off Details by ID Report.

Create the Report

1. Download the reports listed above by clicking on the Download link under Approval Retrieval Report and Time Off Details by ID Report.
2. Navigate to the Create Custom Report task.
   
3. Setup the initial report settings.
   
4. Copy over the tabs for Columns, Filter, Prompts, Advanced EXACTLY as shown in the Excel template.
   

🚧

Warning: Make sure to copy over all tabs EXACTLY. The naming and capitalization are both important.

Authorize & share the report definition

1. Authorize the ISU you created earlier to run the report from the Share tab.
   
2. Use View URLs under Web Service to get the URL of the Custom Report.
   
3. For the prompt values, use the Prompt Instructions defined above for the Approval Retrieval Report and Time Off Details by ID Report.
   
4. Right click on JSON and Copy URL. Share this URL with your Moveworks Customer Success team.
   

(Optional) Transfer Ownership of the Report to the ISU

We recommend doing this so that our ISU has access to report even if a member of your Workday Reports team leaves the company.

1. Ensure that the ISU has the domain permissions needed to access the business objects referenced & through their data sources. If you need assistance with this, we recommend getting support from your Workday security team.
2. Transfer the ownership using related actions on the report definition.
   

Adjust Business Processes

Create a User-Based Security Group and assign our ISU to it. Then, update the Business Process Security Policy to grant Moveworks the permissions to review the relevant action steps. Then, update the Business Process Definition to add your User-Based Security Group to the Approval step(s).

How to Edit Business Processes for Approvals

Set up a User-Based Security Group

We need to setup additional permissions for approvals to allow the ISU user to approve business processes in Workday. Please create a User-Based Security Group to add support for your approvals across various processes.

1. Find the Create Security Group task.
   
2. Create a User-Based Security Group called Moveworks.
   
3. Open the Assign Users to User-Based Security Group task.
   
4. Assign the ISU user you created earlier to the user-based security group.
   

Update your business processes

🚧

Warning: You’ll need to repeat the following steps for EACH business process you want users to be able to approve through Moveworks. You can see the list of business process types to update here.

1. Use the Edit Business Process Security Policy task and select one of the business processes from the list shown below.
   
2. Add the Moveworks Security Group to any required Security Policy Action Step from the list shown below.
   
3. Activate your permissions with the Activate Pending Security Policy Changes task.
   
4. Filter Business Process Definitions using the Business Process Definitions report to matching Business Process Types.
   
5. For Business Process Definitions that are configured for the organization, select Edit Definition.
   
6. Add the Moveworks Security Group to EACH business process step where the Step Type is Approval.
   

Business Process Types