Workday Access Requirements - Approvals
Setup Overview
You will need to provide the following to Moveworks.
- Integration System User (ISU) Credentials
- Username
- Password
- API Client for Integrations Credentials
- Client ID
- Client Secret
- API Client Refresh Token for the ISU
- Enable OAuth 2.0 Clients Enabled
- Edit Tenant Setup
- URLs
- Any RaaS-Enabled Report URLs
- Approval Retrieval
- Time Off Details
- Token Endpoint
- Workday REST API Endpoint
- End User URLs
- Workday Home Page
- Absence Calendar
- Any RaaS-Enabled Report URLs
👉 Provide provide ALL of the above to your Moveworks Customer Success team via encrypted email.
Grant ISU Domain Security Permissions
Please create an Integration System User (ISU) and Integration System Security Group (ISSG).
How to Create an ISU with Domain Security Permissions
Create the ISU
- Use the universal search to find the
Create Integration System User(ISU) Workday Task.
- Use the
Create Integration System User(ISU) Workday Task to create a user following these settings. Write down the username and password that you use.
- Validate that the ISU has these default permissions after creation.
Create an ISSG and add the ISU to it
- Find the
Create Security Grouptask.
- Create an
Integration System Security Group (Unconstrained)(ISSG). Title it "ISSG_Moveworks" for best practices.
- Use the
All Workday Accountsreport to find the account again.
- Use the action menu to select
Assign Integration System Security Groups.
- Add the ISU to the ISSG.
Add Domain Security Policies to the ISSG
- Navigate to the ISSG using the
View Security GroupReport.
- Use the menu item for Maintain Domain Permissions for Security Group.
- Add any permissions that are needed for your Moveworks bot. You can find the full list of permissions here.
- Activate your permissions with the
Activate Pending Security Policy Changestask.
Permissions
| Permission Type | Permission | Business Justification |
|---|---|---|
| Modify | Workday Query Language | Needed to identify users |
| Modify | Custom Report Creation | Needed to identify users |
| Modify | Workday Accounts | Needed to identify users |
| Modify | Person Data: Work Contact Information | Needed to identify users |
| View | Person Data: Work Email | Needed to identify users |
| View | Worker Data: Public Worker Reports | Needed to identify users |
| View | Worker Data: Workers | Needed to identify users |
| View | Custom Report Creation | Needed to identify users |
| Put | Workday Query Language | Needed to identify users |
| Put | Workday Accounts | Needed to identify users |
| Put | Person Data: Work Contact Information | Needed to identify users |
| Get | Worker Data: Public Worker Reports | Needed to identify users |
| Get | Worker Data: Workers | Needed to identify users |
| Get | Worker Data: Worker ID | Needed to identify users |
| Get | Indexed Data Source: Workers | Needed to identify users |
| Put | Business Process Administration | Needed to take approval actions (approve / deny) |
| Put | Business Process Definition View | Needed to take approval actions (approve / deny) |
| Put | Business Process Delegation | Needed to take approval actions (approve / deny) |
| Put | Business Process Reporting | Needed to take approval actions (approve / deny) |
| Put | Integration Event | Needed to take approval actions (approve / deny) |
| Put | Integration Process | Needed to take approval actions (approve / deny) |
| Modify | Business Process Administration | Needed to take approval actions (approve / deny) |
| Modify | Business Process Definition View | Needed to take approval actions (approve / deny) |
| Modify | Business Process Delegation | Needed to take approval actions (approve / deny) |
| Modify | Business Process Reporting | Needed to take approval actions (approve / deny) |
| Modify | Integration Event | Needed to take approval actions (approve / deny) |
| Modify | Integration Process | Needed to take approval actions (approve / deny) |
| View | Worker Data: Leave of Absence | Needed to get details for leave of absence requests |
| View | Worker Data: Leave of Absence (Leave of Absence Manager View) | Needed to get details for leave of absence requests |
| Get | Worker Data: Absence Occurrences | Needed to get details for leave of absence requests |
| Get | Worker Data: Absence Occurrences (Manager View) | Needed to get details for leave of absence requests |
| Get | Worker Data: Leave of Absence (Leave of Absence Manager View) | Needed to get details for leave of absence requests |
| View | Worker Data: Time Off (Time Off Balances) | Needed to retrieve time off balances for a given worker |
| View | Worker Data: Time Off (Time Off Balances Manager View) | Needed to retrieve time off balances for a given worker |
| Get | Worker Data: Time Off (Time Off Balances) | Needed to retrieve time off balances for a given worker |
| Get | Worker Data: Time Off (Time Off Balances Manager View) | Needed to retrieve time off balances for a given worker |
Note: The Modify and Put permissions are not necessarily required to identify users. The View and Get permissions should be enough for the use case. However, we might need to explore those permissions too if we fail to fetch users using the View and Get permission types.
Create API Client for Integrations
Please create an API Client for Integrations and provide the following function areas (scopes). Then create a refresh token for the ISU you created earlier.
How to Create an API Client for Integrations
Create API Client
- Search for
Register API Client for Integrations.
- Set the name to Moveworks and add the scopes required. You can find the full list of scopes here.
- Write down your Client ID and Client Secret.
- Navigate to
View API Clients. Write down the Token Endpoint and Workday REST API Endpoint.
Provision a Refresh Token for the ISU
- From the
View API Clientsview, click on theAPI Clients for Integrationstab. Click on the API Client you just created.
- From the related actions menu, select
Manage Refresh Tokens for Integrations.
- Add the ISU Account you created earlier to the API Client.
- Select
Generate Refresh Token.
- Write down your new refresh token.
Enable OAuth 2.0 Clients Enabled
Check the box for OAuth 2.0 Clients Enabled
Access the Edit Teams Setup – Security task and select the checkbox for OAuth 2.0 Clients Enabled
Follow the above step with the help of this screenshot and box in red
Scopes
| Functional Area (Scope) | Business Justification |
|---|---|
| Staffing | Needed to identify users |
| System | Needed to identify users & run RaaS reports |
| Tenant Non-Configurable | Needed to identify users & run RaaS reports |
| Contact Information | Needed to identify users |
| Public Data | Needed to identify users |
| Time Off and Leave | Needed for time off plans, time off requests, and leaves of absence |
| Time Tracking | Needed for time off plans, time off requests, and leaves of absence |
Create RaaS-Enabled Reports
Create each of the following reports into your Workday instance. Transfer ownership to our ISU, then share the JSON URL with your Moveworks Customer Success team.
Approval Retrieval Report
How it is used
We use this report to detect when new approvals are pending in your Workday instance.
Prompt Instructions
When generating the JSON URL, provide any Business Process Definitions that you would like Moveworks to support.
Time Off Details by ID Report
How it is used
We use this report to get time off details for our approval notifications.
Prompt Instructions
You can provide any values for the prompts when generating the JSON URLs, it doesn't matter.
How to Create & Transfer a Workday Report
Repeat the steps below for EACH report you need to create, which are the Approval Retrieval Report and the Time Off Details by ID Report.
Create the Report
- Download the reports listed above by clicking on the Download link under Approval Retrieval Report and Time Off Details by ID Report.
- Navigate to the
Create Custom Reporttask.
- Setup the initial report settings.
- Copy over the tabs for Columns, Filter, Prompts, Advanced EXACTLY as shown in the Excel template.
Warning: Make sure to copy over all tabs EXACTLY. The naming and capitalization are both important.
Authorize & share the report definition
- Authorize the ISU you created earlier to run the report from the Share tab.
- Use
View URLsunderWeb Serviceto get the URL of the Custom Report.
- For the prompt values, use the Prompt Instructions defined above for the Approval Retrieval Report and Time Off Details by ID Report.
- Right click on
JSONand Copy URL. Share this URL with your Moveworks Customer Success team.
(Optional) Transfer Ownership of the Report to the ISU
We recommend doing this so that our ISU has access to report even if a member of your Workday Reports team leaves the company.
- Ensure that the ISU has the domain permissions needed to access the business objects referenced & through their data sources. If you need assistance with this, we recommend getting support from your Workday security team.
- Transfer the ownership using related actions on the report definition.
Adjust Business Processes
Create a User-Based Security Group and assign our ISU to it. Then, update the Business Process Security Policy to grant Moveworks the permissions to review the relevant action steps. Then, update the Business Process Definition to add your User-Based Security Group to the Approval step(s).
How to Edit Business Processes for Approvals
Set up a User-Based Security Group
We need to setup additional permissions for approvals to allow the ISU user to approve business processes in Workday. Please create a User-Based Security Group to add support for your approvals across various processes.
- Find the
Create Security Grouptask.
- Create a
User-Based Security GroupcalledMoveworks.
- Open the
Assign Users to User-Based Security Grouptask.
- Assign the ISU user you created earlier to the user-based security group.
Update your business processes
Warning: You’ll need to repeat the following steps for EACH business process you want users to be able to approve through Moveworks. You can see the list of business process types to update here.
- Use the
Edit Business Process Security Policytask and select one of the business processes from the list shown below.
- Add the
MoveworksSecurity Group to any required Security Policy Action Step from the list shown below.
- Activate your permissions with the
Activate Pending Security Policy Changestask.
- Filter Business Process Definitions using the Business Process Definitions report to matching Business Process Types.
- For Business Process Definitions that are configured for the organization, select Edit Definition.
- Add the Moveworks Security Group to EACH business process step where the Step Type is Approval.
Business Process Types
| Business Process Type | Security Policy Action Step |
|---|---|
| Request Time Off | Review Time Off Request |
Updated 2 months ago