Workday HCM Setup Guide

Follow our setup guide to connect Workday HCM to Fivetran.

Prerequisites

To connect Workday HCM to Fivetran, you need a Workday Integration System User account that has read permissions for human resources domain objects in Workday.

NOTE: You can use a Workday user instead of a Integration System User. However, we recommend that you use a Workday Integration System User.

Setup instructions

Create integration system user

Log in to your Workday application using an Administrator account.
In the application's search box, search for 'create user' and then select Create Integration System User.
Enter a User Name and Password.
Leave the Require New Password at Next Sign In checkbox clear.
If you want to use the Basic authentication mode in the Fivetran setup form, select the Do Not Allow UI Sessions checkbox.
NOTE: If you select the OAuth authentication mode in the Fivetran setup form, do not select the Do Not Allow UI Sessions checkbox. OAuth requires UI sessions.
Click OK and then click Done.

Create integration security group

In the search box, search for 'create security group' and then select Create Security Group.
In the Type of Tenanted Security Group drop-down menu, select Integration System Security Group (Unconstrained).
Enter a Security Group Name and click OK.
In the Edit Integration System Security Group (Unconstrained) window, add the integration system user you created in Step 1 to this security group.
Click OK.

Add domain security policies

In the search box, search for 'security group membership and access' and then select the report link.
Select the security group you created in Step 2 and click OK.
Click the ... symbol next to the security group name.
Select Security Group > Maintain Domain Permissions for Security Group.
In the Integration Permissions section, in the Domain Security Policies permitting Get access field, do the following based on your module:
- For the Absence Management module:
  Search for 'absence'. Select and add all the absence management security domains. On your keyboard, press Shift and the down arrow key, and then press Enter.
  Expand for the complete list of absence management security domains
  - Worker Data: Time Off (Time Off Balances)
- For the Compensation module:
  Search for 'compensation'. Select and add all the compensation security domains. On your keyboard, press Shift and the down arrow key, and then press Enter.
  Expand for the complete list of compensation security domains
  - Audit: Compensation
  - Worker Data: Compensation Summary by Job Profile
  - Add Compensation Plans: Add Unit Salary
  - Add Compensation Plans: Add Salary
  - Add Compensation Plans: Add Period Salary
  - Set Up: Compensation Surveys
  - Add Compensation Plans: Add Hourly
  - Add Compensation Plans: Add Allowance
  - Set Up: Compensation Packages
  - Add Compensation Plans: Add Commission
  - Worker Data: Compensation Plan Type
  - Worker Data: Compensation - All Worker's Positions Past and Present
  - Worker Data: Compensation
  - Audit: Compensation Overall
  - Set Up: Compensation
  - Select Any Compensation Package
  - Process: Compensation Plan Employee Management
  - Worker Data: Compensation Partner Organizations Worklet
  - Process: Cancel Compensation Plan Processes
  - Worker Data: Compensation by Organization
  - Compensation Change
  - Add Compensation Plans
  - Compensation Change: Compensation Basis Details
  - Audit: Compensation for Organizations
  - Compensation Change: Guidelines
  - Compensation Change: Hourly
  - Compensation Change: Manage Compensation Basis
  - Compensation Change: Salary
  - Add Compensation Plans: Add Calculated
  - Compensation Change: Total Base Pay
  - Worker Data: Compensation Basis
  - Non-Worker Data: Compensation Pay Range
  - Non-Worker Data: Compensation
  - Non-Worker Data: Compensation Grade
  - Non-Worker Data: Compensation Basis Pay Range
  - Process: Compensation Plan Events
  - Worker Data: Compensation Pay Range
  - Worker Data: Compensation Grade
  - Worker Data: Compensation Basis Pay Range
  - Non-Worker Data: Compensation by Organization
  - Worker Data: Insurance Calculated Coverage
  - Worker Data: Total Rewards
  - Process: Compensation Review Process Reviewer
  - Worker Data: Compensation Review Statements
  - Add Compensation Plans: Add Bonus
  - Add Compensation Plans: Add Stock
  - Add Compensation Plans: Add Merit
  - Process: Compensation Review Process Controls
  - Process: Compensation Review Events
  - Process: Compensation Review Process Participant
  - Worker Data: Propose Stock Award as Part of Compensation Review
  - Worker Data: Compensation Management by Organization
  - Process: Compensation Management Plan Employee Management
  - Set Up: Compensation Management
  - Process: Compensation Management Events
  - Worker Data: Compensation Management
  - Change Compensation Management Plans
  - Add Compensation Management Plans
  - Process: Compensation Plan Employee Management by Organization
  - Worker Data: Funded Plan Assignments
  - Worker Data: Stock Grants
- For the Human Resource module:
  Add all the Worker Data and Person Data domains along with the following security domains:
  - Job Profile: View
  - Job Directory
  - Job Information
  - Manage: Organization Integration
- For the Payroll module:
  Search for 'payroll'. Select and add all the payroll security domains. On your keyboard, press Shift and the down arrow key, and then press Enter.
  Expand for the complete list of payroll security domains
  - Worker Data: Payroll (Income Withholding Orders) - CAN
  - Audit: Payroll Interface
  - Manage: Effort Certification Work Area
  - Manage: External Payroll Errors
  - Manage: Global Payroll Reconciliation
  - Management Dashboard: Pay Cycle Command Center
  - Management Dashboard: Payroll Year End
  - Pay Calculation (History): Ad-Hoc Actions
  - Pay Calculation: Ad-Hoc Actions
  - Payroll Interface
  - Process: Delete External Payroll Input by Batch ID - batch
  - Process: Delete Payroll Input by Batch ID – batch / Initialize Reference IDs
  - Process: External Payroll Errors
  - Process: Flexible Payments and Deduction Options Management
  - Process: Global Payroll Reconciliation
  - Process: Off-Cycle
  - Process: Payroll (Income Withholding Orders) - USA
  - Process: Payroll Interface Launch
  - Process: Payroll Payment Escheatment
  - Process: Payroll SSP History (Create Data) - UK
  - Process: Payroll SSP History - UK
  - Process: Payroll Settlement
  - Process: Payslip Bulk Print
  - Process: Position Commitment Accounting
  - Process: Run Batch Calculations (Pay Calculation)
  - Process: Run Batch Complete (Pay Complete)
  - Process: Run Batch Payroll Accounting
  - Report: Payroll (Flexible Payments and Deduction Options)
  - Reports: Effort Certification
  - Reports: Manager (Effort Certification)
  - Reports: Pay Calculation Results (Reports: Indexed Data Source Filters)
  - Reports: Pay Calculation Results (Results - Reports based on Pay Component Security)
  - Reports: Pay Calculation Results (Results - Security based on Pay Component Security)
  - Reports: Pay Calculation Results for Organization (Accounting Results)
  - Reports: Pay Calculation Results for Pay Group
  - Reports: Pay Calculation Results for Pay Group (Results) - CAN
  - Reports: Pay Calculation Results for Pay Group - CAN
  - Reports: Pay Calculation Results for Worker
  - Reports: Pay Calculation Results for Worker (Results)
  - Reports: Payroll (BACS) - UK
  - Reports: Payroll (SSP) - UK
  - Reports: Payroll Audit Exception (Assignee)
  - Reports: Payroll SSP History (View Data) - UK
  - Reports: Position Commitments
  - Reports: Pre-Payroll Reporting for Pay Group - UK
  - Reports: Results for Worker (Pay Calculation) - CAN
  - Reports: Results for Worker (ROE) - CAN
  - Reports: Total Rewards Statement (Results - Security based on Pay Component Security)
  - Set Up: Global Payroll Reconciliation
  - Set Up: Maintain Payroll Interface
  - Set Up: Merit and Bonus
  - Set Up: Pay On-Demand
  - Set Up: Payroll
  - Set Up: Payroll (Calculations - Generic)
  - Set Up: Payroll (Calculations - Payroll Specific)
  - Set Up: Payroll (Company Vehicle) – UK
  - Set Up: Payroll (DSN) - FRA
  - Set Up: Payroll (Flexible Payments and Deduction Options)
  - Set Up: Payroll (Holiday Pay) - UK
  - Set Up: Payroll (Income Withholding Orders)
  - Set Up: Payroll (Minimum Wages View) - CAN
  - Set Up: Payroll (Payroll Input Workbooks)
  - Set Up: Payroll (ROE) - CAN
  - Set Up: Payroll (RTI) – UK
  - Set Up: Payroll (SSP) - UK
  - Set Up: Payroll (Taxes View)
  - Set Up: Payroll (US Territory Year End Forms)
  - Set Up: Payroll (Year End) - CAN
  - Set Up: Payroll - CAN
  - Set Up: Payroll - Company Specific
  - Set Up: Payroll - Company Specific (Taxes) - CAN
  - Set Up: Payroll - Company Specific (Taxes) - FRA
  - Set Up: Payroll - Company Specific (Taxes) - USA
  - Set Up: Payroll - FRA
  - Set Up: Payroll - OETH Reporting – FRA
  - Set Up: Payroll - Pay Group Specific
  - Set Up: Payroll - USA
  - Set Up: Payroll Interface
  - Set Up: Payroll Interface (Update Pay Period Status)
  - Set Up: Payroll Interface (deprecated)
  - Set Up: Payroll UK
  - Set Up: Position Commitment Accounting
  - View: Effort Certification
  - View: External Payroll Results
  - View: External Payroll Results - Restricted
  - View: Global Payroll Reconciliation
  - View: Maintain Payroll Interface
  - View: Payee Bank Account for Settlement
  - View: Payroll (Payslip Printing Elections)
  - Worker Data: Effort Certification
  - Worker Data: Payment Elections by Organization
  - Worker Data: Payroll
  - Worker Data: Payroll (Company Specific) - CAN
  - Worker Data: Payroll (Company Specific) - FRA
  - Worker Data: Payroll (Company Specific) - UK
  - Worker Data: Payroll (Company Specific) - USA
  - Worker Data: Payroll (Company Vehicle) - UK
  - Worker Data: Payroll (Costing Override)
  - Worker Data: Payroll (Court Orders) - UK
  - Worker Data: Payroll (Income Withholding Orders)
  - Worker Data: Payroll (Income Withholding Orders) - CAN
  - Worker Data: Payroll (Income Withholding Orders) - USA
  - Worker Data: Payroll (Input by Batch ID)
  - Worker Data: Payroll (Non-Company Specific) - UK
  - Worker Data: Payroll (Pay Group Specific)
  - Worker Data: Payroll (Payroll Input Workbooks)
  - Worker Data: Payroll (Timesheets)
  - Worker Data: Payroll (UK IR35) - UK
  - Worker Data: Payroll (Withholding Orders) - FRA
  - Worker Data: Payroll Interface
  - Worker Data: Payroll Interface (Costing Overrides)
  - Worker Data: Payroll Interface (External Payroll Actuals)
  - Worker Data: Payroll Interface (External Year End Tax Documents)
  - Worker Data: Payroll Interface (Payroll Input by Batch ID)
  - Worker Data: Payroll Public API (Payroll Input)
  - Worker Data: Position and Employee Worktag
  - Worker Data: Unions
  - Worklet: Payroll
- For the Recruiting module:
  Search for 'recruiting'. Select and add all the recruiting security domains. On your keyboard, press Shift and the down arrow key, and then press Enter.
  Expand for the complete list of recruiting security domains
  - Reports: Job Requisition & Positions
  - Reports: Open Positions
  - Manage Pre-Hire Process: View Pre-Hire Interviews
  - Pre-Hire Personal Data
  - Pre-Hire Data: Name and Contact Information
  - Manage Pre-Hire Process: View Pre-Hire
  - Pre-Hire Process: Mass Action on Job Requisitions
  - Manage Pre-Hire Data
  - Manage Pre-Hire Process: Pre-Hire Eligibility
  - Set Up: Pre-Hire Process
  - Reports: Manager (Pre-Hire)
  - Pre-Hire Demographics by Organization
  - Manage Pre-Hire Process: Manage Pre-Hires
  - Pre-Hire Data: Background Check Status
  - Manage Pre-Hire Process: Hire Eligibility Status Comment
  - Manage Pre-Hire Process
  - Pre-Hire Data: Employment Agreement
  - Job Requisitions for Recruiting
  - Recruiting Agency Careers
  - Manage: Job Requisition Recruiting Self-Schedule Calendars
  - Manage: Recruiting Agency
  - Manage: Recruiting Self-Schedule Events
  - Self-Service: Recruiting Agency User
  - Manage: Candidate Recruiting Self-Schedule Event
  - Worklet: Recruiting
  - Recruiting Agency Careers Self-Service
  - Recruiting Email Analytics
  - Candidate Data: Offer Initiation Business Title
  - Candidate Data: Offer Initiation
  - Manage: Candidate Notes
  - Candidate Data: Offer Initiation Weekly Hours
  - Candidate Reporting
  - Candidate Data: Web Service LinkedIn Recruiter System Connect
  - Candidate: Global Search
  - Candidate Data: Other Jobs
  - Candidate Data: LinkedIn Recruiter System Connect
  - Candidate Drop Off Data
  - Candidate Data: Interview Schedule
  - Manage: Candidate Engagement
  - Candidate Data: Mass Actions (Do Not Use)
  - Copy Candidate
  - Set Up: Candidate Engagement
  - Move Candidate
  - Candidate Pools
  - Candidate Data: SMS Opt-In/Opt-Out
  - Candidate Data: Questionnaire Total Score
  - Candidate Communication
  - Candidate Data: Reference Check Results
  - Candidate Pool: Manage Membership
  - Candidate Data: Background Check History
  - Manage: External References
  - Candidate Pool: View and Modify Pool
  - Candidate Pool: Private Pool View and Modify
  - Candidate Pool: Restricted View
  - Candidate Data: Referral Candidate Ownership
  - Candidate Data: Edit Job Application
  - Candidate Data: Other Information
  - Move Candidate to Linked Requisition
  - Candidate Pool: Private Pool Create
  - Candidate Merge
  - Candidate Data: Language Skills
  - Candidate Data: Attachments
  - Candidate Data: Job Application
  - Candidate Data: Employee Referrals
  - Candidate Data: Questionnaires
  - Candidate Data: Aboriginal/Indigenous Identification
  - Manage: Candidate Job Application Notes
  - Manage: Candidate Account
  - Candidate Data: Personal Information
  - Manage: Candidates
  - Candidates for My Jobs
  - Candidate Data: Stock Grant Offer
  - Candidate Data: One-Time Payment Offer
  - Move Candidate from Job Requisition to Job Requisition
  - Candidate Tags
  - Move Candidate from Evergreen to Evergreen
  - Manage: Prospect Consent
  - Create Confidential Prospects
  - View Confidential Prospects
  - Create External Prospects
  - Undo Move from Hire
  - Manage: Maintain Recruiting Notes
  - Set Up: Recruiting Agency
  - Set Up: Recruiting Self-Schedule Calendar
  - Set Up: Recruiting
  - Set Up: External References
  - Prospect Sharing
  - Prospects
- For the Time Tracking module:
  Search for 'Time Tracking'. Select and add all the time tracking security domains. On your keyboard, press Shift and the down arrow key, and then press Enter.
  Expand for the complete list of time tracking security domains
  - Process: Export Time Blocks
NOTE: The above lists of security domains are not comprehensive, and some tables may require additional permissions to sync. To identify the permissions, search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the security domains and then configure these domains in the Workday tenant.
TIP: You will see an alert. You must activate the security policy changes.
Click OK and then click Done.

Activate security policy changes

In the search box, search for 'Activate Pending Security Policy Changes'.
Select Activate Pending Security Policy Changes.
In the comment box, enter 'I approve the changes' and then click OK.
Select the Confirm checkbox and then click OK.

Connect using OAuth

IMPORTANT: Perform this step only if you want to authenticate the connector using OAuth. Skip to the next step if you want to use Basic authentication for your connector.

Create custom OAuth client app

Expand for instructions

In the search box, search for Register API client.
In the Client Name field, enter your custom app name.
In the Client Grant Type field, select Authorization Code Grant.
Select the Enforce 60 Minute Access Token Expiry checkbox.
In the Access Token Type field, select Bearer.
In the Redirection URI, enter https://fivetran.com/integrations/workday_hcm/oauth2/return.
In the Refresh Token Timeout (in days) field, enter a timeout period for your refresh token.
NOTE: By default, the value is set to 30 days. You can enter a timeout period between 1 and 365 days.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
NOTE: To identify the required Scopes (Functional Areas), search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the required Scope (Functional Area) in the All Functional Areas column.
NOTE: Be sure not to select the Support Proof Key for Code Exchange (PKCE), Grant Administrative Consent, Include Workday Owned Scope, and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID, Client Secret, and Authorization Endpoint. You will need them to configure Fivetran.

Create custom OAuth client app for Integrations

Expand for instructions

IMPORTANT: Perform this step only if you want to authenticate your account using OAuth with API Client for Integrations.

In the search box, search for Register API Client for Integrations.
In the Client Name field, enter your custom app name.
(Optional) Select the Refresh Token Timeout (in days). You can select a value between 1 and 365 days. The default value is 30 days. To prevent the refresh token from timing out, Workday automatically selects the Non-Expiring Refresh Tokens check box.
NOTE: If you select a timeout period for the refresh token, you need to re-authorize your connector on the Edit connection details tab of the connector details page after the token expires.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
NOTE: To identify the required Scopes (Functional Areas), search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the required Scope (Functional Area) in the All Functional Areas column.
NOTE: Do not select the Include Workday Owned Scope and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID and Client Secret. You will need them to configure Fivetran.
Click the Related Actions menu and select API Client > Manage Refresh Tokens for Integrations.
In the Workday Account field, search and select your workday account.
Select the Generate New Refresh Token checkbox.
Click OK.
Make a note of the Refresh Token. You will need it to configure Fivetran.

Finish Fivetran configuration

In the connector setup form, enter the Destination schema name of your choice.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected in the Select an existing agent drop-down menu. To use a different agent, select the agent of your choice, and then select the same agent for your destination.
Select the authentication mode: Basic or OAuth.
If you chose Basic as the authentication mode, do the following:
i. Enter your Workday Username.
ii. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL: https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....
iii. Enter your Workday Password.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format: https://<Workday-host-name>/ccx/service/....
If you chose OAuth as the authentication mode, do the following:
i. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL: https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....
ii. Enter the Client ID you found.
iii. Enter the Client Secret you found.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format: https://<Workday-host-name>/ccx/service/....
v. In the Authorization URL field, enter the authorization endpoint that you found.
vi. Click Authorize to allow Fivetran to access your Workday HCM account using OAuth. You will be redirected to your Workday HCM account to authorize Fivetran's access.
vii. Log in to your Workday HCM account with the integration system user you created in Step 1. Once you have logged in, you will be redirected back to Fivetran.
IMPORTANT: We recommend logging in while in Incognito mode to ensure authorization of the correct account.
If you choose OAuth and register an API Client for Integration, do the following:
i. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL: https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....
ii. Enter the Client ID you created.
iii. Enter the Client Secret you created.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format: https://<Workday-host-name>/ccx/service/....
v. Enter the Refresh Token you generated.
(Optional) To sync custom or calculated fields, set the Sync Custom and Calculated fields toggle to ON and then enter the Workday Integration System ID you found.
Click Save & Test. Fivetran will take it from here and sync your Workday HCM data.

Connector Overview

Schema Information

Release Notes

API Connector Configuration

Documentation Home