Workday 2.0

Visualize Workday workers and accounts, map employees to their organizational data, and monitor changes through queries and alerts.

Installation

To use this integration, you must have a Workday tenant and an Integration System User (ISU) account with the appropriate security group permissions. The integration authenticates via OAuth 2.0: you register a Workday API Client backed by the ISU and provide JupiterOne with the client ID, client secret, and a refresh token.

Note: All tasks below require a Workday administrator. If you do not have administrator access, ask your Workday admin to complete the provider-side steps for you.

Configuration in Workday

Step 1 — Create an Integration System User (ISU)

  1. In Workday, use the search bar to find and open the Create Integration System User task.
  2. Enter a descriptive Username (for example, ISU_JupiterOne) and a secure Password.
  3. Leave Session Timeout Minutes at 0 — this prevents the session from expiring during API calls.
  4. Click OK to create the account.

To prevent the ISU password from expiring and disrupting the integration:

  1. Search for and open the Maintain Password Rules task.
  2. Add the ISU account to the System Users exempt from password expiration list.

Step 2 — Create an Integration System Security Group (ISSG)

  1. Search for and open the Create Security Group task.
  2. Set Type of Tenanted Security Group to Integration System Security Group (Unconstrained).
  3. Enter a descriptive Name (for example, ISSG_JupiterOne).
  4. Click OK.
  5. On the next screen, add the ISU created in Step 1 as a member of the group.

Step 3 — Grant Domain Security Policies

  1. Search for and open the Maintain Permissions for Security Group task.

  2. Select the ISSG created in Step 2.

  3. Under Domain Security Policy Permissions, grant GET access to the following domains:

    Domain Security Policy                        Purpose
    Worker Data: Workers                          Fetch active worker records
    Worker Data: Active and Terminated Workers    Required if ingesting terminated workers
    Worker Data: Current Staffing Information     Employment status and job assignments
  4. Click OK to save.

Step 4 — Activate Security Policy Changes

  1. Search for and open the Activate Pending Security Policy Changes task.
  2. Enter a comment describing the change (for example, Create ISU and ISSG for JupiterOne integration).
  3. Check the Confirm checkbox and click OK. The domain policy changes take effect immediately.

Step 5 — Register an API Client for OAuth 2.0

The Workday REST API requires OAuth 2.0, so register an API Client backed by the ISU:

  1. Search for and open the Register API Client for Integrations task.
  2. Enter a Client Name (for example, JupiterOne).
  3. Enable Non-Expiring Refresh Tokens.
  4. Set the Scope (Functional Areas) to include the areas that cover worker and person data (for example, Staffing and Contact Information). The access token inherits the ISU's permissions, so the scope must allow reading workers, legal names, and work emails.
  5. Click OK. Workday displays the Client ID and Client Secret — copy both now, as the secret is shown only once.

Step 6 — Generate a Refresh Token

  1. Search for and open the View API Clients task, then select the API Client created in Step 5.
  2. From the related actions menu, select Manage Refresh Token for Integration.
  3. Select the ISU created in Step 1, generate a new refresh token, and copy it.

Finding Your Tenant URL

The Workday REST API base URL follows this pattern:

https://<workday-host>/ccx/api/<tenant-name>

To locate your host and tenant name:

  1. Log in to Workday as an administrator.
  2. Search for and open the Tenant Setup task.
  3. Navigate to the Implementation tab.
  4. Your Workday Host (for example, wd2-impl-services1.workday.com) and Tenant Name are displayed on this page.

Example: https://wd2-impl-services1.workday.com/ccx/api/acme_corp
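
The following pre-flight check is an added example, not code from JupiterOne or Workday. It parses the tenant URL pattern above and assembles, without sending, the OAuth 2.0 refresh-token request that uses the client ID, client secret and refresh token from Steps 5 and 6. Assumptions: the token endpoint is passed in because this page does not state it, and HTTP Basic client authentication, the tenant-name character set and the same-host rule are choices of this example.

```python
import base64
import re
from urllib.parse import urlencode, urlsplit

# Page pattern: https://<workday-host>/ccx/api/<tenant-name> (name charset assumed).
TENANT_PATH = re.compile(r"^/ccx/api/([A-Za-z0-9_-]+)/?$")


def parse_tenant_url(url):
    """Return (host, tenant); raise ValueError if the URL does not fit the pattern."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("tenant URL must use https")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("tenant URL must not carry credentials, query or fragment")
    match = TENANT_PATH.match(parts.path)
    if not parts.hostname or not match:
        raise ValueError("expected https://<workday-host>/ccx/api/<tenant-name>")
    return parts.hostname.lower(), match.group(1)


def build_refresh_request(tenant_url, token_url, client_id, client_secret, refresh_token):
    """Assemble, without sending, an RFC 6749 section 6 refresh-token request."""
    host, tenant = parse_tenant_url(tenant_url)
    endpoint = urlsplit(token_url)
    # Assumed rule: secrets go only to the tenant's own host, over TLS.
    if endpoint.scheme != "https" or (endpoint.hostname or "").lower() != host:
        raise ValueError("token endpoint must be https on the tenant host")
    secrets = {"client_id": client_id, "client_secret": client_secret,
               "refresh_token": refresh_token}
    for name, value in secrets.items():
        if not value or value != value.strip():  # common copy/paste damage
            raise ValueError(f"{name} is empty or has stray whitespace")
    # Assumed client authentication: HTTP Basic (RFC 6749 section 2.3.1).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": token_url,
        "tenant": tenant,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token}),
    }


# Constructed sample values; the token endpoint path is a placeholder.
SAMPLE = build_refresh_request(
    "https://wd2-impl-services1.workday.com/ccx/api/acme_corp",
    "https://wd2-impl-services1.workday.com/token-endpoint-placeholder",
    "constructed-client-id", "constructed-secret", "constructed-refresh")
```

A ValueError names the field to re-copy before the values are entered in JupiterOne.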

Configuration in JupiterOne

To install the Workday integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Workday. Click New Instance to begin configuring your integration.

Creating an instance requires the following:

  • The Account Name used to identify the Workday account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your Workday Tenant URL — the REST API base URL constructed in the previous section (for example, https://wd2-impl-services1.workday.com/ccx/api/acme_corp).

  • The Client ID, Client Secret, and Refresh Token from the API Client you registered in Steps 5–6.

  • Include Terminated Workers (optional) — when enabled, the integration also ingests workers whose employment has ended. Requires the Worker Data: Active and Terminated Workers domain security policy to be granted.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.