Workday Access Requirements - HR Cases

Setup Overview

You will need to provide the following to Moveworks.

  • Integration System User (ISU) Credentials
    • Username
    • Password
  • API Client for Integrations Credentials
    • Client ID
    • Client Secret
    • API Client Refresh Token for the ISU
  • Enable OAuth 2.0 Clients Enabled
    • Edit Tenant Setup
  • URLs
    • The following RaaS-Enabled Report URLs
      • Cases Retrieval
      • Case Type Details
    • Token Endpoint
    • Workday REST API Endpoint
    • End User URLs
      • Workday Help - Cases Page

👉 Provide provide ALL of the above to your Moveworks Customer Success team via encrypted email.

Grant ISU Domain Security Permissions

Please create an Integration System User (ISU) and Integration System Security Group (ISSG).

How to Create an ISU with Domain Security Permissions

Create the ISU

  1. Use the universal search to find the Create Integration System User (ISU) Workday Task.
  2. Use the Create Integration System User (ISU) Workday Task to create a user following these settings. Write down the username and password that you use.
  3. Validate that the ISU has these default permissions after creation.

Create an ISSG and add the ISU to it

  1. Find the Create Security Group task.
  2. Create an Integration System Security Group (Unconstrained) (ISSG). Title it "ISSG_Moveworks" for best practices.
  3. Use the All Workday Accounts report to find the account again.
  4. Use the action menu to select Assign Integration System Security Groups.
  5. Add the ISU to the ISSG.

Add Domain Security Policies to the ISSG

  1. Navigate to the ISSG using the View Security Group Report.
  2. Use the menu item for Maintain Domain Permissions for Security Group.
  3. Add any permissions that are needed for your Moveworks bot. You can find the full list of permissions here.
  4. Activate your permissions with the Activate Pending Security Policy Changes task.

Permissions

Permission TypePermission/Domain Security PolicyDomain Security Policies Inheriting PermissionBusiness Justification
View OnlyCustom Report AdministrationNeeded to identify users, retrieve cases
View OnlyManage: All Custom ReportsNeeded to identify users, retrieve cases
View OnlyWorker Data: Worker IDNeeded to identify users
View OnlyWorker Data: Public Worker ReportsNeeded to identify users
View OnlySecurity AdministrationExternal Account Provisioning

Lock Out Workday Accounts

Manage Authorized Applications

Provisioning Group Administration

Set Up: Security Rules

User-Based Security Group Administration

Workday Account Monitoring
Needed to identify users, retrieve cases
View OnlyWorkday AccountsNeeded to identify users
View and ModifyWorkday Query LanguageNeeded to identify users
View and ModifyCustom Report CreationNeeded to identify users, retrieve cases
View OnlyWorker Data: Active EmployeesNeeded to identify users
Get OnlyWorker Data: Active EmployeesNeeded to identify users
View OnlyPerson Data: Work EmailNeeded to identify users
Get OnlyPerson Data: Work EmailNeeded to create cases of behalf of users
View OnlyPerson Data: Work AddressNeeded to identify users
Get OnlyPerson Data: Work AddressNeeded to identify users
View OnlyPerson Data: Work Contact InformationNeeded to identify users
Get OnlyPerson Data: Work Contact InformationNeeded to identify users
View OnlyManage: Organization RolesNeeded to identify users
Get OnlyManage: Organization RolesNeeded to identify users
Get and PutWorkday Query LanguageNeeded to identify users
Get OnlyWorker Data: Public Worker ReportsNeeded to identify users
Get and PutHelp Case External ContactsNeeded to retrieve case details
Get and PutManage: Case Create on Behalf OfNeeded to create a case
Get OnlyWorkday AccountsNeeded to identify users
Get OnlyWorker Data: Worker IDNeeded to identify users
Get OnlyIndexed Data Source: WorkersNeeded to identify users
View and ModifyHelp Case DataHelp Case Internal NotesHelp Case MessagesNeeded to retrieve case details, create case comments
Get and PutHelp Case DataHelp Case Internal NotesHelp Case MessagesNeeded to retrieve case details, create case comments
View and ModifyManage: Case Create on Behalf OfNeeded to create a case
View and ModifyProcess: Help CasesNeeded to create a case, create case comments
Get and PutProcess: Help CasesNeeded to retrieve case details
View OnlyReports: Help Case ManagementNeeded to retrieve case details
Get OnlyReports: Help Case ManagementNeeded to retrieve case details
View OnlySet Up: Help Case ManagementNeeded to retrieve case details
Get OnlySet Up: Help Case ManagementNeeded to retrieve case details
View OnlyView: Confidential Help CasesNeeded to retrieve case details
Get OnlyView: Confidential Help CasesNeeded to retrieve case details
View OnlyManage: Case Create AboutNeeded to retrieve case details
Get OnlyManage: Case Create AboutNeeded to retrieve case details
Get OnlyCustom Report AdministrationNeeded to retrieve case details
Get OnlyManage: All Custom ReportsNeeded to retrieve case details
Get OnlyCustom Report CreationNeeded to retrieve case details
View OnlyReports: QuestionnairesNeeded to retrieve case type details
Get OnlyReports: QuestionnairesNeeded to retrieve case type details
View OnlyQuestion LibraryNeeded to retrieve case type details
Get OnlyQuestion LibraryNeeded to retrieve case type details

💡

Note: The Modify and Put permissions are not necessarily required to identify users. The View and Get permissions should be enough for the use case. However, we might need to explore those permissions too if we fail to fetch users using just the View and Get permission types.

Create API Client for Integrations

Please create an API Client for Integrations and provide the following function areas (scopes). Then create a refresh token for the ISU you created earlier.

How to Create an API Client for Integrations


Create API Client

  1. Search for Register API Client for Integrations.
  2. Set the name to Moveworks and add the scopes required. You can find the full list of scopes here.
  3. Write down your Client ID and Client Secret.
  4. Navigate to View API Clients. Write down the Token Endpoint and Workday REST API Endpoint.

Provision a Refresh Token for the ISU

  1. From the View API Clients view, click on the API Clients for Integrations tab. Click on the API Client you just created.
  2. From the related actions menu, select Manage Refresh Tokens for Integrations.
  3. Add the ISU Account you created earlier to the API Client.
  4. Select Generate Refresh Token.
  5. Write down your new refresh token.

Enable OAuth 2.0 Clients Enabled

👍

Check the box for OAuth 2.0 Clients Enabled

Access the Edit Teams Setup – Security task and select the checkbox for OAuth 2.0 Clients Enabled

📘

Follow the above step with the help of this screenshot and box in red

Scopes

Functional Area (Scope)Business Justification
StaffingNeeded to identify users
SystemNeeded to identify users, retrieve cases & run RaaS reports
Tenant Non-ConfigurableNeeded to identify users & run RaaS reports
Contact InformationNeeded to identify users
Public DataNeeded to identify users
Personal DataNeeded to identify users
Organizations and RolesNeeded to identify users
HelpNeeded to create case, case comments and run Cases and Case Types RaaS reports

Create RaaS-Enabled Reports

Create each of the following reports into your Workday instance. Transfer ownership to our ISU, then share the JSON URL with your Moveworks Customer Success team.

Case Retrieval Report

Moveworks Cases Retrieval.xlsx

How it is used

We use this report to detect when new cases are created or previously created cases are updated in your Workday instance.

Prompt Instructions

Please provide all the prompts (default and additional) as mentioned in the file above since they are crucial for the integration to function.

Case Type Details Retrieval Report

Moveworks Case Types Retrieval.xlsx

❗️

Important!

Please ensure your Workday instance has a description (Case Type Description) attached to each of your Case Types. If you don’t have a description field, please create descriptions for your Case Types.

This is important because both the title and the description of the Case Type are required by our Machine Learning models to determine the correct Case Type based on the query that the user has raised.


How it is used

We use this report to get the list of Case Type and their details from your Workday instance.

Prompt Instructions

Please provide all the prompts (default and additional) as mentioned in the file above since they are crucial for the integration to function.

How to Create & Transfer a Workday Report

Repeat the steps below for EACH report you need to create, which are the Case Retrieval Report and the Case Type Details Report.


Create the Report

  1. Download the reports listed above by clicking on the files link under Case Retrieval Report and Case Type Details Retrieval Report.
  2. Navigate to the Create Custom Report task.
  3. Setup the initial report settings.
  4. Copy over the tabs for Columns, Filter, Prompts, Advanced EXACTLY as shown in the Excel template.

🚧

Warning!

Make sure to copy over all tabs EXACTLY. The naming and capitalization are both important.


Authorize & share the report definition

  1. Authorize the ISU you created earlier to run the report from the Share tab.

  2. On the Advanced tab, select the enable as a web service box to enable it for API consumption

    Untitled
  3. Save the report.

  4. From the related actions of the custom report, select Web Service -> View URLs:

    Untitled
  5. Scroll down to JSON and right click on the hyperlink to select “Copy URL”. Share this URL with your Moveworks Customer Success team.

    (Optional) Transfer Ownership of the Report to the ISU

    We recommend doing this so that our ISU has access to report even if a member of your Workday Reports team leaves the company.

    1. Ensure that the ISU has the domain permissions needed to access the business objects referenced & through their data sources. If you need assistance with this, we recommend getting support from your Workday security team.
    2. Transfer the ownership using related actions on the report definition.