Integrations
Post Hire
Workday HRIS Integration Setup
16 min
for an overview of the workday api migration, check out docid\ tur 37ifybpkrdpv6kc3r for more on syncing workday positions with ashby and hired ashby candidates with workday, check out docid\ lser77ihgverwt8ovu5gx our faq can be found at docid\ pudepe2jbfixjwfhhsfud overview ashby connects to workday using several workday apis, each of which requires varying user and permission configurations it is broken down into 3 phases configuring ashby's integration system user (isu) creating the "api client for integrations" for ashby configuring domain security for ashby's isu in each step, we will advise you to copy down some important information that will need to be configured within ashby, in order to connect your ashby and workday instances configuring ashby's integration system user (isu) log in to your workday application using an administrator account in the application's search box, search for create user and then select create integration system user enter a user name and password as a username we recommend ashby isu copy down the username and password for future configuration within ashby note some of workday's copy ui can copy unnecessary details of fields, so check that you are copying just the username and password! leave the require new password at next sign in checkbox unchecked as this user will be accessing workday programmatically leave the session timeout minutes with its default value of 0, which will prevent the user's sessions from timing out prematurely select the option do not allow ui sessions (this prevents the account from logging into workday) if possible, make sure the password does not expire otherwise, ashby's sync will stop when the password expires you can do this by going to the maintain password rules task and adding ashby's isu to the system users exempt from password expiration field create the api client for integrations for ashby for syncing and mapping certain fields, ashby needs additional access to the workday api to run custom reports we will run this report using wql (workday query language) via workday’s rest api access to the rest api requires a special api client to be configured open the register api client for integrations task (via workday search) use the following configuration client name ashby api access non expiring refresh tokens ✅ scope system, recruiting, staffing, pre hire process, organizations and roles, jobs & positions, integration (allows high level access to recruiting and reporting data; data within is still guarded by domain security) included workday owned scope ✅ (access to “worked owned” fields) click ok on the page that appears, copy down the client id and secret the client id and secret will be needed to configure rest api access for ashby on the same page, click the menu next to the client name in the blue header at the top, and then choose api client and then manage refresh tokens for integrations in the workday account box in the dialog that appears, find and choose ashby’s isu, and then click ok on the next page, check the generate new refresh token box, and then click ok copy down the refresh token that appears on the next page the refresh token will be needed to configure rest api access for ashby next, go to the view api clients report (via workday search) on this page/report, there will be 3 “endpoints” at the top of the page copy these down these endpoints will be needed to configure rest api access for ashby collect final tenant information most of the workday side configuration is now done we just need to collect a few final pieces of information before we go to ashby to configure the connection workday tenant id your workday tenant id is found in the url when you’re logged into workday for example, if the url is https //impl workday com/example/d/home html, your tenant id is “example” copy your tenant id down for configuration within ashby wsdl url your wsdl url can be found by following this workday article in short type public web services in the workday search bar under reports, select public web services from the public web services list, select any one of them and click the ellipsis icon to reveal a drop down menu select web service > view wsdl, which displays the full wsdl xml in a separate window search the xml for a url with the text ccx/service in it copy that url up to and including the ccx/service piece this will be the the wsdl url you will add to ashby it may look something like https //wd2 impl services1 workday com/ccx/service copy the wsdl url for configuration within ashby configure security for ashby's isu create a security group in this step, you will create an unconstrained integration system security group in workday and assign the integration system user created in the previous step to this group in the search box, search for 'security group' and then select create security group complete the create security group task select integration system security group (unconstrained) from the type of tenanted security group dropdown after the security group creation is successful, you will see a page where you can assign members to the security group add the new integration system user created in the previous step to this security group configure domain security policy permissions in this step, you'll grant "domain security" policy permissions that will allow ashby access to recruiting and hr data domains related to the ashby analytics integration enter security group membership and access in the search box and click on the report link search and select the security group created in the previous step click on the ellipsis next to the group name and from the menu, select security group > maintain domain permissions for security group add the following domains to the list domain security policies note in rows where multiple are listed, all domains after the first domain listed may be included/inherited in/by the first domain, depending on your workday instance's security configuration note if no reason is explicitly listed, the reason is then that of the nearest row upward domain security policy operation reason manage organization integration get only get list of supervisory organizations and cost center for offers, positions and job requisitions integration build get only access to low level identifiers to connect workday objects together (e g a job to a location) worker data all positions get only & view only sync worker position data into ashby openings and view overlap settings on position restrictions worker data public worker reports get only get list of workers for user sync job requisition data get only sync job requisition data manage evergreen requisitions get only sync evergreen requisition data job information get only get information about job profiles, job families and job family groups manage location get only get list of available locations reporting audits get only allows running reports via rest api wql worker data active and terminated workers get only access data source workers for hcm reporting to sync employee fields manage pre hire process manage pre hires get and put get pre hire records and allow ashby to set fields on pre hire records (e g like referred by) manage pre hire process consider pre hires get only get job considerations for pre hires workday query language view and modify note "view and modify" appears to be required here, even though we can only run queries that fetch data compensation change salary view and modify allows ashby to override the position salary plan when creating an offer person data work contact information get only allows ashby to connect employee list with workday worker using work email person data public work email address integration get only allows ashby to connect employee list with workday worker using work email in get workers web service person data id information get only allows ashby to connect employee list with workday worker using work email manage custom organization get only allows ashby to navigate organization hierarchies (e g cost center, supervisory, custom org) non worker data compensation pay range ( see note) get only view only only if you want to display compensation data (range, grade, grade profile) fields from positions in workday to ashby worker data compensation pay range ( see note) get only view only only if you want to display compensation data (range, grade, grade profile) fields from positions in workday to ashby set up stock( see note) get only only if you are overriding the stock plan target at the time of offer configure business process permissions ashby needs access on recruiting specific business processes to give ashby the right access, you'll need to go to each business process as follows (using "hire" as an example here in step 1) go to bp hire related actions ( menu at the top) > business process policy > edit scroll to who can start the business process in the section initiating action hire employee (web service) add ashby's isg to the security groups list scroll down to who can do actions on entire business process go to view all section add ashby’s isg ashby needs this for the following recruiting business processes (substitute each of the following in for your workday search) hire change job contract contingent worker create position (uncommon only if you need to create new positions in workday from a hire in ashby) after adding all of the above business process permissions, run activate pending security policy changes configure the connection in ashby now that you've collected all of the information we need, you're ready to configure the connection in ashby to do so, go to https //app ashbyhq com/admin/integrations/marketplace/workday, and you'll see the screen below steps your workday tenant id is case sensitive so please take care when entering it in step 2 in the webservice endpoint url, paste the wsdl url (it may look something like https //wd2 impl services1 workday com/ccx/service) add your workday tenant name (case sensitive) in isu username field, enter the isu (one you created for ashby) username in the isu password field, paste the isu password in the rest api base url field, paste the "host" part of the endpoints you copied down when configuring the rest api client it should look something like https //wd5 services1 myworkday com , so it's just the part of the urls that end in myworkday com they should all be the same, though yours may start with wd4 services1 for example in the rest api client id field, paste the client id you copied down when configuring the rest api client in the rest api client secret field, paste the client secret you copied down when configuring the rest api client in the rest api client refresh token field, paste the refresh token you copied down when configuring the rest api client in the workday tenant url, you may leave it blank if you find the open in workday button is not working correctly, we will update this using the portion of your workday tenant url for tasks starting with https // through /d it should look something like https //wd5 impl workday com/example/d once this is complete, let us know, and we'll monitor the initial sync to make sure all is well please note an edit authentication policy task may need to be run to take your isu into account