Skip to main content
All CollectionsIntegrationsHR
Connecting your gifting platform to Workday HR

Connecting your gifting platform to Workday HR

Connecting your Workday staff database to the &Open gifting platform is easy and enables staff gifting features.

&Open Support avatar
Written by &Open Support
Updated over 11 months ago

Connecting your Workday staff database to the &Open gifting platform is easy and only takes a few minutes. We just need three pieces of information, and the onboarding process is guided and this document covers it step-by-step.

First you will create a user account in Workday called an “Integration System User” (ISU) through which we'll be given access to the relevant staff information. Once that user is created and correctly configured, we need to know where to look for your particular account on Workday, which we call the “Workday Web Services Endpoint URL”. Finally, we just need your “Workday Tenant Name”, which is normally the name of your company.

Connecting to Workday

When you begin the process from our integrations section, the first step will give you an overview of the data that we use to power the HR gifting features.

If you don't have sufficient access in Workday to synchronise the data you need for your gifting projects, you will need to request a higher level of access within your company, or invite a user from your company who has the required level of access to your gifting platform to perform the linking process for you.

As a reminder, our HR integrations access only the absolute minimum data from your HR system to enable gifting workflows. You can see a list of the data we access and do not access. The fields we read in are either required to send gift invitations (e.g., names and email addresses), or are required to help you search and filter within your staff to find the right recipients (team names, offices etc.).

The main work involved in setting up this integration is to create and properly configure the access levels on your Integration System User (ISU). These steps are laid out under the following section (click the arrow to open):

Creating the Integration System User

Step One: Create new user

  1. In your Workday portal, log into the Workday tenant.

  2. In the Search field, type Create Integration System User.

  3. Select the Create Integration System User task.

  4. On the Create Integration System User page, in the Account Information section, enter a user name, and enter and confirm a password.

  5. Click OK.

Some caveats on this screen:

Note: due to XML encoding, "&", "<", and ">" cannot be included in the password.

Ensure “Require New Password at Next Sign In” is not checked.

You'll want to add this user to the list of System Users to make sure the password doesn't expire, as this will interfere with access for the gifting platform.

Please make sure to exempt the ISU Account from MFA and SSO.

You should also set this user to be exempt from password expiration as this will allow the integration to continue working automatically without needing to be re-linked after some time.

Step Two: Create a Security Group and Assign an Integration System User

Now, add this Integration System User to a Security Group:

  1. In the Search field, type Create Security Group.

  2. Select the Create Security Group task.

  3. Click OK.

  4. On the Create Security Group page, from the Type of Tenanted Security Group pull-down menu, select Integration System Security Group (Unconstrained).

  5. In the Name field, enter a name.

  6. Click OK.

  7. On the Edit Integration System Security Group (Unconstrained) page, in the Name field, enter the same name you entered when creating the ISU in the first section.

  8. Click OK.

Step Three: Configure Domain Security Policy Permissions

  1. In the Search field, type Maintain Permissions for Security Group

  2. Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2.

  3. Add the corresponding Domain Security Policy with GET operation:

We need the following Functional Areas enabled:

  • Person Data

  • Contact Information

  • Staffing

The specific Parent Domains and Subdomains that should be enabled are:

Parent Domain:

Person Data: Personal Data

Subdomain:

Person Data: Personal Information

Person Data: Photo

Parent Domain:

Person Data: Work Contact Information

Subdomain:

Person Data: Work Email

Parent Domains:

Worker Data: Workers

Worker Data: All Positions

Worker Data: Current Staffing Information

Worker Data: Public Worker Reports

Worker Data: Employment Data

Worker Data: Organization Information

Step Four: Activate Security Policy Changes

  1. In the search bar, type "Activate Pending Security Policy Changes" to view a summary of the changes in the security policy that needs to be approved.

  2. Add any relevant comments on the window that pops up

  3. Confirm the changes in order to accept the changes that are being made.

Step Five: Validate Authentication Policy is Sufficient

Check the Manage Authentication Policies section to ensure the ISU you created is added to a policy that can access the necessary domains. It should not be restricted to only the "SAML" Allowed Authentication Types – if this is the case, you can create a new Authentication Policy with a "User Name Password" Allowed Authentication Type.

  1. Editing Authentication Policies

  2. Create an Authentication Rule, and add the Security Group to the Rule

  3. Make sure the Allowed Authentication Types is set to specific User Name Password or set to Any

Step Six: Activate All Pending Authentication Policy Changes

  1. In the search bar type, Activate All Pending Authentication Policy Changes

  2. Proceed to the next screen, and confirm the changes. This will save the Authentication Policy that was just created.

Once this user account has been created, we just need to enter the details for the three main requirements.

1. Obtain the Web Services Endpoint for Workday Tenant

We'll need access to your specific Workday web services endpoint. Follow the steps below and add the final text to the dialog box.

  1. Search in Workday for Public Web Services.

  2. Open Public Web Services Report.

  3. Hover over Human resources and click the three dots to access the menu.

  4. Click Web Services > View WSDL.

  5. Navigate to the bottom of the page that opens and you'll find the host.

  6. Copy everything until you see /service. This should look something like https://wd5-services1.myworkday.com/ccx.

2. Enter your Integrations Service User credentials (user ID and password)

3. Enter your Workday tenant name

The final step is to provide your Workday tenant, or account name. This is typically the name of your company or part of your company. For example, if you sign in at "https://wd5-services1.workday.com/companyname", enter "companyname".

Entering our connection details

Once you’ve added those three pieces of information and hit submit, we'll connect the two systems and begin to sync your data. You’ll receive an email from the platform within a few minutes once the initial sync is done and you’re ready to start gifting! Go to the campaign tool to begin using your new integration.

Related Articles
How do I connect my HR system to the platform?
Required and optional data fields for HR integrations
Connecting your gifting platform to Personio
Connecting your gifting platform to BambooHR
Connecting your gifting platform to Hibob HR
Did this answer your question?