Skip to main content
Opal’s integration with Workday lets you leverage HRIS data as an additional source of truth for users, employee metadata, and their attributes. The integration also allows you to manage access to entitlements such as Workday Security Groups and Roles.

Supported resources

ResourceReadGrant and revoke accessAvailable in Risk Center
Workday Users and user attributes (as HRIS)✔️✔️✔️
Workday User Security Groups✔️✔️✔️
Workday Roles✔️✔️✔️
The Workday integration does not currently support syncing Workday service users.

1. Create an Opal app

To get started, go to the Inventory > Apps page, select +App at the top right, and select +Connect under the Workday tile. 2312 Because Workday configures permissions on the field level, the set up process involves creating a Workday Integration System User and Workday Integration Security Group to ensure it has the necessary permissions.

2. Create an Integration System User (ISU)

In the Workday Search bar, enter Create Integration System User, and select the corresponding Task. 2312 In the Create Integration System User modal, enter the Account Information, including User Name, Password. Set the Session Timeout Minutes to 0 to prevent session expiry, as it may lead to the integration timing out before completion. 2312

3. Create a Security Group and assign it an ISU

In the Workday Search bar, enter Create Security Group, and select the corresponding Task. 2312 In the Create Security Group modal, for the Type of Tenanted Security Group, select Integration System Security Group (Unconstrained) and enter a name to represent the ISU. 2312 Once created, Edit the Security Group to associate it with the Integration System User you created in Step 2. 2312

4. Configure Domain Security Policy Permissions

In the Workday Search bar, enter Maintain Permissions for Security Group, and select the corresponding Task. 2312 In the task modal, first set the Operation to Maintain and set the Source Security Group to the Security Group you created in Step 3. 2312 Then, edit the Domain Security Policy Permissions and add the following GET ONLY operations:
View/Modify AccessDomain Security PolicyRequiredReason
GET ONLYWorker Data: Public Worker ReportsRequiredUsed to import users within resources
GET ONLYWorker Data: WorkersRequiredUsed to import users within resources
GET ONLYSecurity ConfigurationRequiredUsed to check for permissions
GET ONLYWorker Data: Current Staffing InformationRequired if you use Workday as your IDP/HRISUsed to retrieve user statuses
GET ONLYIntegration BuildRequired if you use Workday as your IDP/HRISUsed to retrieve user statuses
GET ONLYWorker Data: Employment DataRequired if you use Workday as your IDP/HRISUsed to import user attributes
GET ONLYWorker Data: All PositionsRequired if you use Workday as your IDP/HRISUsed to import user attributes
In Workday, you can add each by clicking on the + button on the top left of the table. For example: 2312

5. Activate Security Policy Changes

In the Workday Search bar, enter Activate Pending Security Policy Changes, and select the corresponding Task. 2312 Review and check the Confirm box to activate the Security Policy Changes. 2312

6. Manage Authentication Policies

In the Workday Search bar, enter Manage Authentication Policies, and select the corresponding Report. 2312 Depending on your policy set up, you can choose to edit an existing policy or create a new one. To create a new one:
  1. select Add Authentication Policy on the page.
  2. Select from the dropdown the corresponding Environment you would like the policy to apply to.
  3. In the table below, add an Authentication Ruleset by selecting the + button on the top left.
  4. Provide an Authentication Rule Name and set the Security Group to the one you created in Step 2. For the Authentication Conditions, select Any. For Allowed Authentication Types, select User Name Password.
2312

7. Activate All Pending Authentication Policy Changes

In the Workday Search bar, enter Activate All Pending Authentication Policy Changes, and select the corresponding Task. 2312 Add any comments, review, and check the Confirm box to activate the Authentication Policy Changes 2312

8. Obtain the Web Services Endpoint for tenant

In the Workday Search bar, enter Public Web Services, and select the corresponding Report. 2312 In the table, locate the Human Resources (Public) Web Service, hover over it and click on the to the right of the text. Under Web Service, select View WSDL. This will open another page in the browser. 2312 In the new page containing the document tree, you can use Cmd + F / Ctrl + F to find /service, and you should see a URL address that looks like the following: 2312 The corresponding highlighted URL segment up to the /service path is your Workday Web Services Endpoint. Note that each tenant may have a different endpoint, so a new endpoint would need to be created for each environment you would like to connect. The text directly after /service should represent your Workday Tenant Name. As an example, if your Workday log in URL is https://impl.workday.com/HelloWorld, your Workday Tenant Name would be HelloWorld.

9. Complete the Opal form to connect Workday

In Opal, enter the details based on the Workday items you configured in the previous steps:
  • Workday Integration System User username (Step 2)
  • Workday Integration System User password (Step 2)
  • Workday tenant URL subdomain (Step 8)
  • Workday tenant name
2312 Once you’ve completed the form, select Create, and your connection should be set up and running. See Workday Groups and Rules to learn how to manage access to Workday entities such as User Security Groups and Organization Roles, and the Workday IDP/HRIS Integration guide to learn how to sync Workday entities and attributes.

Run app validation checks

After you save your app, you can view existing sync issues from the Setup tab on the app detail page. Missing permissions and sync issues show in the App Validations section. Select the refresh icon to rerun validation checks. You can hover over the validation icons to learn why Opal needs a given permission. To correctly sync your app to Opal, ensure you address any sync errors, marked with the red ! icon. Inspect warnings on a case-by-case basis: warnings might impact features you’re not using and may be safely ignored, but this depends on your use case.