Workday 2.0

Visualize Workday workers and accounts, map employees to their organizational data, and monitor changes through queries and alerts.

Installation

To use this integration, you must have a Workday tenant and an Integration System User (ISU) account with the appropriate security group permissions. The integration authenticates via HTTP Basic Auth using the ISU username and password.

Note: All tasks below require a Workday administrator. If you do not have administrator access, ask your Workday admin to complete the provider-side steps for you.

Configuration in Workday

Step 1 — Create an Integration System User (ISU)

  1. In Workday, use the search bar to find and open the Create Integration System User task.
  2. Enter a descriptive Username (for example, ISU_JupiterOne) and a secure Password.
  3. Leave Session Timeout Minutes at 0 — this prevents the session from expiring during API calls.
  4. Click OK to create the account.

To prevent the ISU password from expiring and disrupting the integration:

  1. Search for and open the Maintain Password Rules task.
  2. Add the ISU account to the System Users exempt from password expiration list.

Step 2 — Create an Integration System Security Group (ISSG)

  1. Search for and open the Create Security Group task.
  2. Set Type of Tenanted Security Group to Integration System Security Group (Unconstrained).
  3. Enter a descriptive Name (for example, ISSG_JupiterOne).
  4. Click OK.
  5. On the next screen, add the ISU created in Step 1 as a member of the group.

Step 3 — Grant Domain Security Policies

  1. Search for and open the Maintain Permissions for Security Group task.

  2. Select the ISSG created in Step 2.

  3. Under Domain Security Policy Permissions, grant GET access to the following domains:

    Domain Security Policy                     | Purpose
    Worker Data: Workers                       | Fetch active worker records
    Worker Data: Active and Terminated Workers | Required if ingesting terminated workers
    Worker Data: Current Staffing Information  | Employment status and job assignments
  4. Click OK to save.

Step 4 — Activate Security Policy Changes

  1. Search for and open the Activate Pending Security Policy Changes task.
  2. Enter a comment describing the change (for example, Create ISU and ISSG for JupiterOne integration).
  3. Check the Confirm checkbox and click OK. The domain policy changes take effect immediately.

Step 5 — Verify Authentication Policy

Ensure the ISU is covered by an authentication policy that allows User Name Password authentication:

  1. Search for and open the Manage Authentication Policies task.
  2. Confirm the ISU account is not restricted to SAML-only authentication.
  3. If necessary, create or update an authentication policy that includes User Name Password as an allowed authentication type and assign it to the ISU.

Finding Your Tenant URL

The Workday REST API base URL follows this pattern:

https://<workday-host>/ccx/api/<tenant-name>

To locate your host and tenant name:

  1. Log in to Workday as an administrator.
  2. Search for and open the Tenant Setup task.
  3. Navigate to the Implementation tab.
  4. Your Workday Host (for example, wd2-impl-services1.workday.com) and Tenant Name are displayed on this page.

Example: https://wd2-impl-services1.workday.com/ccx/api/acme_corp
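A preflight check for the tenant URL and ISU credentials, added here as an example (not JupiterOne or Workday code): it confirms the URL matches the pattern above and uses HTTPS before the ISU password is sent with HTTP Basic Auth, then builds the Authorization header. The function names and the set of characters allowed in a tenant name are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit

# Path shape taken from the page: /ccx/api/<tenant-name>.
# The allowed tenant-name characters are an assumption for this example.
_TENANT_PATH = re.compile(r"^/ccx/api/([A-Za-z0-9_\-]+)/?$")


def parse_tenant_url(url):
    """Return (host, tenant) or raise ValueError describing the problem."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        # Basic Auth only base64-encodes the password, so TLS is mandatory.
        raise ValueError("tenant URL must use https")
    if parts.username or parts.password:
        raise ValueError("do not embed the ISU credentials in the URL")
    if parts.query or parts.fragment:
        raise ValueError("tenant URL must not carry a query or fragment")
    if not parts.hostname:
        raise ValueError("tenant URL has no host")
    match = _TENANT_PATH.match(parts.path)
    if not match:
        raise ValueError("path must be /ccx/api/<tenant-name>")
    return parts.hostname.lower(), match.group(1)


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic Auth (RFC 7617)."""
    if ":" in username:
        raise ValueError("a Basic Auth user-id cannot contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def preflight(url, username, password):
    """Validate the URL first, so no header is built for a bad target."""
    host, tenant = parse_tenant_url(url)
    return {"host": host, "tenant": tenant,
            "authorization": basic_auth_header(username, password)}


if __name__ == "__main__":
    # Constructed sample credentials; the URL is the example from the page.
    result = preflight(
        "https://wd2-impl-services1.workday.com/ccx/api/acme_corp",
        "ISU_JupiterOne", "constructed-password")
    print(result["host"], result["tenant"])
```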

Configuration in JupiterOne

To install the Workday integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Workday. Click New Instance to begin configuring your integration.

Creating an instance requires the following:

  • The Account Name used to identify the Workday account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your Workday Tenant URL — the REST API base URL constructed in the previous section (for example, https://wd2-impl-services1.workday.com/ccx/api/acme_corp).

  • Your ISU Username and Password created in Step 1.

  • Include Terminated Workers (optional) — when enabled, the integration also ingests workers whose employment has ended. Requires the Worker Data: Active and Terminated Workers domain security policy to be granted.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.