Workday

Connect your Workday tenant to Opal

Opal's integration with Workday lets you leverage HRIS data as an additional source of truth for users, employee metadata, and their attributes.

Getting Started

To get started, go to the Apps page, click + at the top right, and click Workday. Then, click on the Workday tile.

2312

You will see a form to be completed. Since Workday configures permissions on the field level, the set up process will involve creating a Workday Integration System User and Workday Integration Security Group to ensure it has the necessary permissions. To connect your Workday tenant to Opal, please continue on to the below instructions.

Step 1 - In Workday, Create an Integration System User (ISU)

Navigate to the Workday Search bar, enter Create Integration System User, and select the corresponding Task

2312

In the Create Integration System User modal, enter the Account Information, including User Name, Password, and set the Session Timeout Minutes: 0 (recommended to prevent session expiry as it may lead to the integration timing out before completion)

2312

Step 2 - In Workday, Create a Security Group and assign it an Integration System User

Navigate to the Workday Search bar, enter Create Security Group, and select the corresponding Task

2312

In the Create Security Group modal, for the Type of Tenanted Security Group, select Integration System Security Group (Unconstrained) and enter a Name to represent the ISU.

2312

Once created, Edit the Security Group to associate it with the Integration System User you created in Step 1.

2312

Step 3 - In Workday, Configure Domain Security Policy Permissions

Navigate to the Workday Search bar, enter Maintain Permissions for Security Group, and select the corresponding Task

2312

In the task modal, first set the Operation to Maintain and set the Source Security Group to the Security Group you created in Step 2.

2312

Then, edit the Domain Security Policy Permissions and add the following GET ONLY operations:

View/Modify AccessDomain Security Policy
GET ONLYPerson Data: Work Contact Information
GET ONLYWorker Data: Current Staffing Information
GET ONLYWorker Data: Organization Information
GET ONLYWorker Data: Workers
GET ONLYWorker Data: All Positions
GET ONLYWorker Data: Worker ID
GET ONLYWorker Data: Active and Terminated Workers
GET ONLYWorker Data: Public Worker Reports
GET ONLYWorker Data: Employment Data
GET ONLYWorkday Accounts
GET ONLYIntegration Build

In Workday, you can add each by clicking on the + button on the top left of the table, for example:

2312

Step 4 - In Workday, Activate Security Policy Changes

Navigate to the Workday Search bar, enter Activate Pending Security Policy Changes, and select the corresponding Task.

2312

Review and check the Confirm box to activate the Security Policy Changes

2312

Step 5 - In Workday, Manage Authentication Policies

Navigate to the Workday Search bar, enter Manage Authentication Policies, and select the corresponding Report.

2312

Depending on your policy set up, you can choose to edit an existing policy or create a new one.

To create a new one, select Add Authentication Policy on the page.

  • Then, select from the dropdown the corresponding Environment you would like the policy to apply to.
  • In the table below, add an Authentication Ruleset by selecting the + button on the top left.
  • Provide an Authentication Rule Name, set the Security Group to the one you created in Step 2.
  • For the Authentication Conditions, select Any
  • For Allowed Authentication Types, select User Name Password
2312

Step 6 - In Workday, Activate All Pending Authentication Policy Changes

Navigate to the Workday Search bar, enter Activate All Pending Authentication Policy Changes, and select the corresponding Task.

2312

Add any comments, review, and check the Confirm box to activate the Authentication Policy Changes

2312

Step 7 - In Workday, Obtain the Web Services Endpoint for tenant

Navigate to the Workday Search bar, enter Public Web Services, and select the corresponding Report.

2312

In the table, locate the Human Resources (Public) Web Service, hover over it and click on the ... to the right of the text. Under Web Service, select View WSDL. This will open another page in the browser.

2312

In the new page containing the document tree, you can use Cmd + F / Ctrl + F to find /service, and you should see a URL address that looks like the following:

2312

The corresponding highlighted URL segment up to the /service path will be your Workday Web Services Endpoint. Note that each tenant may have a different endpoint, so a new endpoint would need to be created for each environment you would like to connect. The text directly after /service should represent your Workday Tenant Name. As an example, if your Workday log in URL is https://impl.workday.com/HelloWorld, your Workday Tenant Name would be HelloWorld.

Step 8 - Complete the Opal Form to Connect Workday

In Opal, enter the details based on the Workday items you configured in the previous steps:

  • Workday Integration System User username (Step 1)
  • Workday Integration System User password (Step 1)
  • Workday tenant URL subdomain (Step 7)
  • Workday Tenant Name
2312

Once all the information has been correctly filled out, click Create, and your connection should be set up and running!

Manage Access to Workday Groups and Roles

Opal’s integration with Workday allows administrators to view and manage user access to Workday entities such as User Security Groups and Organization Roles, which are typically tied to Domain Security Policies and Role Based Security Groups respectively.

Step 1 - In Workday, Add additional Domain Security Policy Permissions

Navigate to the Workday Search bar, enter Maintain Permissions for Security Group, and select the corresponding Task

2312

In the task modal, first set the Operation to Maintain and set the Source Security Group to the Security Group you created in Step 2 of Getting Started.

2312

Then, edit the Domain Security Policy Permissions and add the following operations:

View/Modify AccessDomain Security Policy
GET and PUTUser-Based Security Group Administration
GET ONLYManage: Organization Roles
GET ONLYManage: Organization Integration
GET ONLYSecurity Administration

Step 2 - In Workday, Edit Business Security Policy

Navigate to the Workday Search bar, enter Edit Business Security Policy, and select the corresponding Task.

In the task modal, set Business Process Type to Assign Roles.

Then, add the Security Group you created in Step 2 of Getting Started to Assign Roles (Web Service)


Step 3 - In Workday, Activate All Pending Authentication Policy Changes

Navigate to the Workday Search bar, enter Activate All Pending Authentication Policy Changes, and select the corresponding Task.

2312

Add any comments, review, and check the Confirm box to activate the Authentication Policy Changes

Step 4 - In Opal, Import Workday Items

Import User Based Security Groups and Organization Roles that you want to manage.


HRIS/User Attribute Source Configuration

To configure Workday as an attribute source in Opal, navigate to Settings > IDP & HR Integrations and select your existing Workday connection as an IDP/HRIS provider.

Attributes ingested by default

The following attributes are ingested from Workday by default. These attributes can be mapped to Opal's user attributes in the IDP/HRIS settings page:

Workday AttributeDefault Opal MappingDescription
emailEmailThe user's email address.
remoteID-Workday object WID.
employeeID-The user's employee ID.
firstName-The user's first name.
lastName-The user's last name.
managerEmailManagerThe email address of the user's manager.
position-The user's job position.
workLocation-The location where the user works.
businessTitleTitleThe user's business title.
employeeType-The type of employment (e.g., full-time, part-time).
employeeTimeType-The time type of the employee (e.g., regular, contract).
hireDate-The date when the user was hired.
managementLevel-The management level of the user.
organizationTeamThe organization to which the user belongs.
onLeave-Indicates whether the user is currently on leave.

Note: In addition to the attributes listed above, Opal also ingests the worker's provisioning status and secondary email addresses. These attributes are automatically mapped to Opal's system attributes.

You can customize these mappings based on your organization's specific requirements by visiting the IDP/HRIS settings page. Ensure that the attributes are correctly mapped to ensure accurate data synchronization between Workday and Opal.

Ingest Custom Attributes

To ingest custom attributes from Workday into Opal, you need to configure the Workday integration system using the Field Override Service. Follow the steps below to set up and map custom attributes effectively:

Step 1: Create a Field Override Service

  1. Access Integration Configuration:

    • Log in to Workday and navigate to the integration configuration section.
  2. Initiate Field Override Service:

    • Search for and select "Create Integration Field Override Service."
    • Start a new Field Override Service setup.
  3. Configure Service Details:

    • Assign a meaningful name to the Field Override Service.
    • Choose the "Worker" business object to associate with the service.
  4. Add and Define Fields:

    • Click the "Plus" icon to add new fields.
    • Enter names for each custom field that correspond to your desired attributes in Opal.
    • Define the necessary settings for each field.
  5. Save Configuration:

    • Click "OK" to save each field entry.
    • Click "Done" once all fields are added and configured.

Step 2: Set Up the Integration System

  1. Create New Integration System:

    • From the Workday Home page, go to Integration System and select Create Integration System.
  2. Name and Template:

    • Provide a name for your new Integration System.
    • Choose New Using Template and select Document Transformation as the template.
    • Confirm by clicking "OK."
  3. Attach Integration Service:

    • Navigate to Actions > Integration System > Configure Integration Attachment Service.
    • Create an Integration Attachment Service by selecting the "Attachment" column and choosing Create Integration Attachment Service.
    • Attach an empty text file and confirm by clicking "OK."
  4. Incorporate Field Override Service:

    • Go to Custom Integration Services in your new Workday Integration System.
    • Click the "Plus" icon to add the Field Override Service created earlier.
    • Confirm by clicking "OK."
  5. Record System ID:

    • Note the System ID for the Integration System; it is needed for retrieving custom attributes.

Step 3: Map and Configure Attributes

  1. Locate Integration System:

    • Search for View Integration System.
    • Enter the name of the Integration System you created and select "OK."
  2. Map Custom Fields:

    • Go to Integration System > Configure Integration Field Overrides.
    • Find the custom or calculated fields and map them to the correct values in the "Override External Field" section.
    • Click "OK" to save the mappings.
  3. Finalize Setup:

    • Click "Done" to complete the setup process.

Step 4: Link the Integration System to Opal

  1. Locate Integration System:
    • Search for View Integration System.
    • Enter the name of the Integration System you created and select "OK."
  2. Locate and Copy Integration System ID:

  1. Add the Integration System ID in your Opal Workday Connection

  1. Configure Attribute Mappings in Opal
    • In Opal, navigate to Settings > IDP & HR Integrations
    • Custom attributes can now be imported, using your configured field name as key