Description
The Workday connector uses the Workday REST API and SOAP-based Web Services to discover worker identities, security groups, and role assignments within a Workday Human Capital Management (HCM) tenant. It authenticates using OAuth 2.0 client credentials and provides visibility into HR system access, including integration system users and security role holders.
System Type Classification
| Field | Value |
|---|
| System Type | Application |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|
| REST API (HTTPS) | 443 TCP | OAuth 2.0 client credentials flow |
What OrbisID Discovers
| Data | Source |
|---|
| Workers / user accounts | GET /ccx/api/v1/{tenant}/workers |
| Security groups | GET /ccx/api/v1/{tenant}/securityGroups |
| Group memberships | Derived from worker security group assignments |
| Integration System Users | Enumerated as non-human accounts |
| User enabled state | active flag |
Connection Requirements
Required Permissions
Register a Workday API Client and create an Integration System User (ISU) with the required security permissions.
Minimum permissions:
- Get Workers — read access to worker data
- Get Security Groups — read access to security group definitions
- Domain Worker Data: All Positions with View permission
Credential Mapping
| OrbisID Field | Value |
|---|
credential.username | OAuth 2.0 Client ID |
credential.password | OAuth 2.0 Client Secret |
system.hostname | Workday tenant hostname (e.g., wd5.myworkday.com) |
system.tenantId | Workday tenant name (e.g., mycompany) |
Network Requirements
The OrbisID server must have HTTPS access to the Workday tenant on port 443.
Configuration Steps
- In Workday, navigate to Register API Client for Integrations
- Create an Integration System User (ISU) and bind it to a security group with the required domain permissions
- Register an API client and note the Client ID and Client Secret
- Create a Credential in OrbisID:
- Username: OAuth 2.0 Client ID
- Password: OAuth 2.0 Client Secret
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|
| Name | Descriptive name (e.g., Workday – Production HCM) |
| OS Type | Workday |
| System Type | Application |
| Hostname | Workday tenant API hostname |
| Tenant ID | Workday tenant name |
| Credential | The API client credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|
Authentication failed | Invalid client credentials | Verify the Client ID and Secret in Workday API Client settings |
| No workers returned | ISU lacks domain permissions | Add Worker Data domain security policies to the ISU group |
403 Forbidden | Security group not activated | Activate the security group change in Workday |
| Tenant not found | Incorrect tenant name | Verify the tenant name in the Workday URL |