Skip to main content
All CollectionsOnboarding and Configuration Guides
Onboarding Guide - Workday
Onboarding Guide - Workday
Gal Nakash avatar
Written by Gal Nakash
Updated over 2 months ago

Prerequisites

  1. The user performing the integration must be a Workday Admin

  2. A Reco user with Admin Role

Configure Workday

Creating Integration System User

  1. Log in to your Workday account.

  2. On the search bar, search for Create Integration System User, and click Create Integration System User.

  3. On the Create Integration System User pop-up window, enter the following details:

    • Enter the User Name of the integration system user: "Reco Integration System User".

    • Choose a password and enter it in the New Password and New Password Verify fields.

  4. Tick "Do Not Allow UI Sessions" for inhanced secuirty

  5. Click OK, then Done

Configure Permissions for Integration System User

To configure an integration system user in order to authenticate the SaaS Security Posture Management, follow the steps below.

Create an Integration System Security Group

This section explains how to create a new integration system security group and assign it to the integration system user. For more information on security groups, see Workday article on Security Groups.

If you already have an integration system security group, edit the existing security group and assign an integration system user you created in the previous step.

  1. Log in to your Workday account.

  2. On the search bar, search for Create Security Group, and click Create Security Group.

  3. On the Create Security Group pop-up window, enter the following details and click Ok.

    • For Type of Tenant Security Group, select Integration System Security Group (Unconstrained).

    • Enter the name of the security group: "Reco Integration System Security Group"

  4. On the Edit Integration System Security Group (Unconstrained) window, enter the following details:

    • For Integration System Users, select the integration system user you created earlier. This will be the user who will authenticate the SaaS Security Posture Management.

  5. Click Ok and then Done

Add Domain Security Policy to Security Group

This section explains how to add domain security policies and map it to the newly created integration system security group.

  1. Log in to your Workday account.

  2. On the search bar, search for Maintain Permissions for Security Group, and click Maintain Permissions for Security Group.

  3. On the Maintain Permissions for Security Group pop-up window, enter the following details and click Ok.

    • Select Operation as Maintain.

    • In Source Security Group, select the newly created integration system security group.

  4. On the Maintain Permissions for Security Group window, under the Domain Security Policy Permissions tab, click the + icon.

  5. Enter the following details:

  6. Click OK, then Done.

View / Get Access

Domain Security Policy

Get Only

Manage: Organization Integration

Get Only

User-Based Security Group Administration

View Only

Workday Accounts

Get Only

Special OX Web Services

Get Only

Integration Security

View Only

Security Configuration

View Only

Security Administration

View Only

Security Activation

View Only

Purge Person Data

Get Only

Integration Configure

Get Only

Workday Account Monitoring

View Only

Workday Account Monitoring

Get Only

System Auditing

View Only

System Auditing

Get Only

Former Worker Storage

Get Only

Worker Data: Public Worker Reports

Get Only

Workday Accounts

Get Only

Worker Data: Current Staffing Information

View Only

Worker Data: Current Staffing Information

View Only

Manage: All Custom Reports

Get Only

Manage: All Custom Reports

Get Only

Security Activation

Get Only

Security Configuration

Activate Pending Security Policy Changes

Once you have added the domain security policies, it’s time to commit the pending security policy changes. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Activate Pending Security Policy Changes, and click Activate Pending Security Policy Changes.

  3. On the Activate Pending Security Policy Changes window, enter a comment and click Ok.

  4. Check Confirm and click OK.

  5. Receive an acknowledgement.

Register an API Client for Integrations in Workday

To integrate Reco with Workday, you need to create a new API client in Workday. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Register API Client for Integrations, and click Register API Client for Integrations.

  3. On the Register API Client for Integrations pop up window, enter the following details and click OK:

    • Enter a Client Name: "Reco API Client"

    • Select the Non-Expiring Refresh Tokens checkbox.

    • Under Scope (Functional Areas), select Integration, Organization and Roles, Implementation, Staffing, Tenant Non-Configurable and System.

  4. Note down the values of the following fields. These values will be required when you set up the Workday instance in the Reco UI.

    • Client ID

    • Client Secret – Client Secret value is visible as soon as you register the API client. Once you move away from the registration page, the Client Secret value is not visible.

  5. On the same page, click the Settings icon -> API Client -> Manage Refresh Tokens for Integrations.

  6. Select the Workday Account you created in the Create an Integration System User step used to authenticate the Reco service and click OK.

  7. Check Generate New Refresh Token and click OK.

  8. Note down the value of Refresh Token. The value will be required when you set up the Workday instance in the Reco UI.

  9. On the search bar, search for View API Clients, and click View API Clients.

  10. On the View API Clients page, note down the values of the Workday REST API Endpoint and Token Endpoint fields. These values will be required when you set up the Workday instance in the Reco UI.

Integrate Workday with Reco

  1. Login to the Reco Platform

  2. Click on "Configurations" and then "Integrations"

  3. Locate the "Workday" object, and click on "Add Integration"

  4. A new screen will open, click on "Allow"

  5. Fill in the following fields, and click on "Reinstall into Workspace"

    • Client ID

    • Client Secret

    • Refresh Token

    • Token Endpoint

    • REST Endpoint URL

  6. If the integration was successful, the Workday Integration status will become "Active"

What do we ingest exactly?

View / Get Access

Domain Security Policy

Get Only

Manage: Organization Integration

Get Only

User-Based Security Group Administration

View Only

Workday Accounts

Get Only

Special OX Web Services

Get Only

Integration Security

View Only

Security Configuration

View Only

Security Administration

View Only

Security Activation

View Only

Purge Person Data

Get Only

Integration Configure

Get Only

Workday Account Monitoring

View Only

Workday Account Monitoring

Get Only

System Auditing

View Only

System Auditing

Get Only

Former Worker Storage

Get Only

Worker Data: Public Worker Reports

Get Only

Workday Accounts

Get Only

Worker Data: Current Staffing Information

View Only

Worker Data: Current Staffing Information

View Only

Manage: All Custom Reports

Get Only

Manage: All Custom Reports

Get Only

Security Activation

Get Only

Security Configuration

FAQs on connecting Workday to Reco

What data does Reco access in Workday?
Reco exclusively accesses metadata and audit logs within Workday. No Workday data is stored in the Reco environment

Is Reco capable of modifying or changing data in Workday?
No, Reco is a read-only solution. It will not automatically modify or change any data within the Workday system

What permissions and scopes does Reco have for accessing Workday data?
Reco’s access is limited to specific permissions and scopes required for creating security posture reports, such as View Access for Domain Security Policy and View Accounts. Refer to the onboarding document for detailed permissions and scopes

What is the API client in Reco’s integration with Workday?
Reco uses a registered API client configured with specific scopes for controlled access to Workday data, including Integration, Organization, Roles, Implementation, and System. Reco will only ingest the metadata of these objects

How does Reco manage tokens during integration?
Reco ensures secure token management by utilizing non-expiring refresh tokens for sustained and secure integration

How does Reco keep our metadata of Workday safe?
Reco employs robust security measures to ensure the safety and integrity of your Workday metadata. Key measures include:

  • Limited Data Storage: Reco does not store sensitive data; it focuses solely on extracting and utilizing metadata

  • Segregated Environments: Reco segregates environments in its infrastructure, ensuring secure and isolated metadata storage across all customer accounts

  • Security Measures: Reco actively reads configurations for posture management and utilizes the audit log for threat detection

  • Certifications: Reco is a SOC2 type 2 and ISO127001 certified vendor, demonstrating adherence to industry-standard security practices

Did this answer your question?