16.14 Understanding and Configuring Workday Templates

Identity Governance provides the following templates for Workday:

  • Workday Identity

  • Workday Account

  • Workday Permission

  • Workday Fulfillment

Before configuring these templates, create an integration account and ensure that the minimum rights required to integrate with Workday systems are assigned to the integration groups and users in the Workday application.

For additional information about configuring Workday templates, see the following sections:

16.14.1 Required Minimum Rights for Integration with Workday

To collect the data necessary for the default mappings in the Workday Identity Collector, assign at least the following three security domain rights to the integration group and users:

  • Person Data: ID Information

  • Worker Data: Public Worker Reports

  • Workday Accounts

The following rights are required to collect the necessary data for the default mappings in the Workday Application Collector:

  • Account collector

    • Workday Accounts

    • Worker Data: Public Worker Reports

  • Permission collector

    • Manage: Organization Roles

    • Org Designs: Assign Roles

    • User-Based Security Group Administration

    • Manager: Organization Integration
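
The following Python script is an added example, not part of Identity Governance or Workday. It compares the domains granted to an integration security group against the minimum rights listed above, reporting rights that are missing for each collector and grants that go beyond the minimum. The CSV layout, the group names, and the function names are assumptions made for illustration; the sample rows are constructed.

```python
import csv
import io

# Minimum rights per collector, copied verbatim from the lists above.
REQUIRED = {
    "identity": ["Person Data: ID Information",
                 "Worker Data: Public Worker Reports", "Workday Accounts"],
    "account": ["Workday Accounts", "Worker Data: Public Worker Reports"],
    "permission": ["Manage: Organization Roles", "Org Designs: Assign Roles",
                   "User-Based Security Group Administration",
                   "Manager: Organization Integration"],
}

# Constructed sample; the CSV layout and group names are assumptions.
SAMPLE_EXPORT = """security_group,domain
ISSG_IG_Collector,Workday Accounts
ISSG_IG_Collector,worker data:  public worker reports
ISSG_IG_Collector,Person Data: ID Information
ISSG_IG_Collector,Manage: Organization Roles
ISSG_IG_Collector,Constructed Domain: Not Needed
ISSG_Other,Org Designs: Assign Roles
"""

def _norm(name):
    """Key that ignores case and spacing differences in a domain name."""
    return " ".join(name.split()).casefold()

def audit_group(export_csv, group, collectors):
    """Return rights missing per collector and grants beyond the minimum."""
    granted = {}  # normalized key -> name as exported
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["security_group"].strip() == group:
            granted[_norm(row["domain"])] = " ".join(row["domain"].split())
    missing, needed = {}, set()
    for collector in collectors:
        needed.update(_norm(d) for d in REQUIRED[collector])
        gaps = sorted(d for d in REQUIRED[collector] if _norm(d) not in granted)
        if gaps:
            missing[collector] = gaps
    # Anything granted that no selected collector needs is least-privilege drift.
    excess = sorted(name for key, name in granted.items() if key not in needed)
    return {"missing": missing, "excess": excess}

if __name__ == "__main__":
    print(audit_group(SAMPLE_EXPORT, "ISSG_IG_Collector",
                      ["identity", "account", "permission"]))
```

Pass only the collectors you actually configure, so that rights needed by an unused collector show up as excess.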

16.14.2 About Workday Collectors

Security groups control access to data in Workday. A security group is a collection of users or of objects that are related to users. Identity Governance provides default templates for the Workday account and permission collections. Workday permission collectors support two types of permission collections: User Based Security Group and Role Based Permissions. Role-based permissions are always associated with a specific organization. When using role-based permission collectors, you can also collect the permission hierarchy. In the catalog, the name of a collected role-based permission includes the role name, permission, and organization, and the catalog displays permission relationships.

When configuring the Workday Account Collector, configure service parameters as needed, then specify the Account-User Mapping parameter as WorkdayUserName and map it to Object GUID to join accounts to identities.

When configuring the Workday Permission Collector, configure service parameters, then select the permission type.

  • To collect user-based security group permissions, specify the Permission-Account or User Mapping parameter value as WorkdayUserName and map it to Account Name to join permissions to the account.

  • To collect role-based permissions, specify the Permission-Account or User Mapping value as WorkforceID and map it to Workforce ID to map permissions to identities. Additionally, leave the organization type blank to collect all role-based permissions or specify an organization type to collect permissions associated with an organization.

    When you specify an organization and want to collect the hierarchy of role-based permissions using the organization hierarchy, map the Parent Permission ID to wd-superior_organization. This mapping collects and establishes the child/parent permission relationship for role-based permissions.