Workday HCM Setup Guide
Follow our setup guide to connect Workday HCM to Fivetran.
Prerequisites
To connect Workday HCM to Fivetran, you need a Workday Integration System User account that has read permissions for human resources domain objects in Workday.
You can use a Workday user instead of a Integration System User. However, we recommend that you use a Workday Integration System User.
Setup instructions
Create integration system user
- Log in to your Workday application using an Administrator account.
- In the application's search box, search for 'create user' and then select Create Integration System User.
- Enter a User Name and Password.
- Leave the Require New Password at Next Sign In checkbox clear.
- If you want to use the Basic authentication mode in the Fivetran setup form, select the Do Not Allow UI Sessions checkbox.
If you select the OAuth authentication mode in the Fivetran setup form, do not select the Do Not Allow UI Sessions checkbox. OAuth requires UI sessions.
- Click OK and then click Done.
Create integration security group
- In the search box, search for 'create security group' and then select Create Security Group.
- In the Type of Tenanted Security Group drop-down menu, select Integration System Security Group (Unconstrained).
- Enter a Security Group Name and click OK.
- In the Edit Integration System Security Group (Unconstrained) window, add the integration system user you created in Step 1 to this security group.
- Click OK.
Add integration security group to the authentication policy
- In the search box, search for 'manage authentication policies' and then select Manage Authentication Policies.
- Enter the Restricted to Environment value and then select the Authentication Policy Enabled checkbox.
- In the Authentication Allowlist section, enter the Authentication Rule Name.
- Select the Security Group you created.
- Enter the Authentication Condition Name and Authentication Conditions.
- In the Allowed Authentication Types section:
- If you use OAuth, select Any.
- If you don't use OAuth, in the Specific field, select User Name Password.
- In the search box, search for 'Activate All Pending Authentication Policy Changes' and then select the corresponding task.
- In the Comment text box, enter 'I approve the changes' and then click OK.
- Select the Confirm checkbox and then click OK.
Add domain security policies
In the search box, search for 'security group membership and access' and then select the report link.
Select the security group you created in Step 2 and click OK.
Click the ... symbol next to the security group name.
Select Security Group > Maintain Domain Permissions for Security Group.
In the Integration Permissions section, in the Domain Security Policies permitting Get access field, search and select the security domains.
The above lists of security domains are not comprehensive, and some tables may require additional permissions to sync. To identify the permissions, search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the security domains and then configure these domains in the Workday tenant.
You will see an alert. You must activate the security policy changes.
Click OK and then click Done.
Activate security policy changes
- In the search box, search for 'Activate Pending Security Policy Changes'.
- Select Activate Pending Security Policy Changes.
- In the comment box, enter 'I approve the changes' and then click OK.
- Select the Confirm checkbox and then click OK.
Connect using OAuth
Perform this step only if you want to authenticate the connection using OAuth. Skip to the next step if you want to use Basic authentication for your connection. The API client uses rotating refresh tokens and requires you to manually authorize the client while setting up the connection. The API client for integrations uses non-expiring refresh token to set up the connection and thus does not require you to manually authorize the client.
Create custom OAuth client app
Expand for instructions
This option is available only for connections created before February 25, 2025.
In the search box, search for
Register API client.In the Client Name field, enter your custom app name.
In the Client Grant Type field, select Authorization Code Grant.
Select the Enforce 60 Minute Access Token Expiry checkbox.
In the Access Token Type field, select Bearer.
In the Redirection URI, enter
https://fivetran.com/integrations/workday_hcm/oauth2/return.In the Refresh Token Timeout (in days) field, enter a timeout period for your refresh token.
By default, the value is set to 30 days. You can enter a timeout period between 1 and 365 days.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
To identify the required Scopes (Functional Areas), search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the required Scope (Functional Area) in the All Functional Areas column.
Be sure not to select the Support Proof Key for Code Exchange (PKCE), Grant Administrative Consent, Include Workday Owned Scope, and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID, Client Secret, and Authorization Endpoint. You will need them to configure Fivetran.
Create custom OAuth client app for Integrations
Expand for instructions
Perform this step only if you want to authenticate your account using OAuth with API Client for Integrations.
In the search box, search for Register API Client for Integrations.
In the Client Name field, enter your custom app name.
(Optional) Select the Refresh Token Timeout (in days). You can select a value between 1 and 365 days. The default value is 30 days. To prevent the refresh token from timing out, Workday automatically selects the Non-Expiring Refresh Tokens check box.
If you select a timeout period for the refresh token, you need to re-authorize your connection on the Edit connection details tab of the connection details page after the token expires.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
To identify the required Scopes (Functional Areas), search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the required Scope (Functional Area) in the All Functional Areas column.
Do not select the Include Workday Owned Scope and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID and Client Secret. You will need them to configure Fivetran.
Click the Related Actions menu and select API Client > Manage Refresh Tokens for Integrations.
In the Workday Account field, search and select your workday account.
Select the Generate New Refresh Token checkbox.
Click OK.
Make a note of the Refresh Token. You will need it to configure Fivetran.
Finish Fivetran configuration
In the connection setup form, enter the Destination schema name of your choice.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected in the Select an existing agent drop-down menu. To use a different agent, select the agent of your choice, and then select the same agent for your destination.
Select the authentication mode: Basic or OAuth.
(Optional) If you chose Basic as the authentication mode, do the following:
i. Enter your Workday Username.
ii. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL:
https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....iii. Enter your Workday Password.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format:
https://<Workday-host-name>/ccx/service/....(Optional) If you chose OAuth as the authentication mode, do the following:
i. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL:
https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....ii. Enter the Client ID you found.
iii. Enter the Client Secret you found.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format:
https://<Workday-host-name>/ccx/service/....v. In the Authorization URL field, enter the authorization endpoint that you found.
vi. Click Authorize to allow Fivetran to access your Workday HCM account using OAuth. You will be redirected to your Workday HCM account to authorize Fivetran's access.
vii. Log in to your Workday HCM account with the integration system user you created in Step 1. Once you have logged in, you will be redirected back to Fivetran.
We recommend logging in while in incognito mode to ensure authorization of the correct account.
Use toggle button to choose between API client and API client for integration that you created.
If you choose OAuth and register an API Client for Integration, do the following:
i. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL:
https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....ii. Enter the Client ID you created.
iii. Enter the Client Secret you created.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format:
https://<Workday-host-name>/ccx/service/....v. Enter the Refresh Token you generated.
(Optional) To sync custom or calculated fields, set the Sync Custom and Calculated fields toggle to ON and then enter the Workday Integration System ID you found.
Click Save & Test. Fivetran will take it from here and sync your Workday HCM data.
Related articles
description Connector Overview
account_tree Schema Information
settings API Connection Configuration