Workday RaaS Setup Guide

Follow our setup guide to connect Workday RaaS to Fivetran.

Prerequisites

To connect Workday RaaS to Fivetran, you need:

An active Workday report URL
The username and password to access that Workday report URL
To configure the reports as Advanced type reports to enable web service access

Setup instructions

NOTE: You must add a separate Workday RaaS connector in your Fivetran dashboard for each report. Each Workday RaaS connector will sync its report data to its own table in your destination.

Create new user

Log in to your Workday application using an Administrator account.
In the application's search box, search for 'create user' and then select Create Integration System User. Fivetran uses the Integration System User to access custom reports.
Enter a User Name and Password.
Leave the Require New Password at Next Sign In checkbox clear.
If you want to use the Basic authentication mode in the Fivetran setup form, select the Do Not Allow UI Sessions checkbox.
NOTE: If you select the OAuth authentication mode in the Fivetran setup form, do not select the Do Not Allow UI Sessions checkbox. OAuth requires UI sessions.
Click OK and then click Done.

Create security group

In the Create Security Group window, set the Type of Tenanted Security Group to Integration System Security Group (Unconstrained).
Enter a Security Group Name and click OK.
In the Edit Integration System Security Group (Unconstrained) window, add the integration system user you created in Step 1 in the Integration System Users field.
Click OK.

Add domain security policies

Go to Security Group Settings > Maintain Domain Permissions for Security Group.
In the Integration Permissions section, in the Domain Security Policies permitting Get access field, select the security domains associated with the reports you want to sync.
NOTE: For the complete list of security domains associated with the Workday Financial Management and Workday Human Capital Management modules, see our Workday Financial Management setup guide and Workday Human Capital Management setup guide. However, the list of security domains in our setup guides is not comprehensive. Some objects may require additional permissions. To identify the required object permissions, use the View Security for Securable Item task in your Workday tenant.

Activate policies

Go to the Activate Pending Security Policy Changes page and click OK.
Click Confirm to activate.

Create custom report

On the Create Custom Report page, enter the Report Name.
In the Report Type drop-down menu, select Advanced.
Select the Enable as Web Service option.
Add Data Source. Add the fields you want to sync.
NOTE: You can create one or more custom reports.

Add authorized user to report

In the custom report's Share tab, add the user you created in Step 1 in the Authorized Users field.

Finish custom report configuration

In each custom report's Advanced tab, share each report to Report-as-a-WebService.
For each report, go to Actions --> Web Service --> View URLs. Make a note of the REST URL. You will need it to fill in your Fivetran connector setup form.
IMPORTANT: If you want to incrementally sync your reports, you must specify their query parameters as dynamic values in the report URLs. For more information, see our connector overview documentation.
Test each report by pasting it into a new browser session, and log in using the Fivetran ELT web service user. If the Report XML does not display, check your user security settings.
Select the primary key(s). To track history of the report data, make a timestamp column part of the composite primary key.

Connect using OAuth

IMPORTANT: Perform this step only if you want to authenticate your account using OAuth. Skip to the next step if you want to use Basic authentication to sync your data.

Create custom OAuth client app

Expand for instructions

In the search box, search for Register API client.
In the Client Name field, enter your custom app name.
In the Client Grant Type field, select Authorization Code Grant.
Select the Enforce 60 Minute Access Token Expiry checkbox.
In the Access Token Type field, select Bearer.
In the Redirection URI, enter https://fivetran.com/integrations/workday/oauth2/return.
In the Refresh Token Timeout (in days) field, enter a timeout period for your refresh token.
NOTE: By default, the value is set to 30 days. You can enter the timeout period value between 1 and 365 days.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
NOTE: Be sure not to select the Support Proof Key for Code Exchange (PKCE), Grant Administrative Consent, Include Workday Owned Scope, and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID, Client Secret, and Authorization Endpoint. You will need them to configure Fivetran.

Create custom OAuth client app for Integrations

Expand for instructions

IMPORTANT: Perform this step only if you want to authenticate your account using OAuth with API Client for Integrations.

In the search box, search for Register API Client for Integrations.
In the Client Name field, enter your custom app name.
(Optional) Select the Refresh Token Timeout (in days). You can select a value between 1 and 365 days. The default value is 30 days. To prevent the refresh token from timing out, Workday automatically selects the Non-Expiring Refresh Tokens check box.
NOTE: If you select a timeout period for the refresh token, you need to re-authorize your connector on the Edit connection details tab of the connector details page after the token expires.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
NOTE: Do not select the Include Workday Owned Scope and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID and Client Secret. You will need them to configure Fivetran.
Click the Related Actions menu and select API Client > Manage Refresh Tokens for Integrations.
In the Workday Account field, search and select your workday account.
Select the Generate New Refresh Token checkbox to generate a new refresh token.
Click OK.
Make a note of the Refresh Token. You will need it to configure Fivetran.

Finish Fivetran configuration

In your connector setup form, enter the Destination schema name of your choice.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected in the Select an existing agent drop-down menu. To use a different agent, select the agent of your choice, and then select the same agent for your destination.
Enter the Destination table name of your choice.
Select the authentication mode: Basic or OAuth.
If you choose Basic, do the following:
- Enter the Username and Password for the Fivetran ELT user you created.
If you choose OAuth, do the following:
- Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL: https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....
- Enter the Client ID you created.
- Enter the Client Secret you created.
- Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format: https://<Workday-host-name>/ccx/service/....
- In the Authorization URL field, enter the authorization endpoint that you found.
- Click Authorize to allow Fivetran to access your Workday account using OAuth. You will be redirected to your Workday account to authorize Fivetran's access.
  IMPORTANT: We recommend logging in while in Incognito mode to ensure authorization of the correct account.
- Log in to your Workday account with the integration system user you created in Step 1. Once you have finished, you will be redirected back to Fivetran.
If you choose OAuth and register an API Client for Integration, do the following:
1. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL: https://<Workday-host-name>/ccx/service/<Workday-Tenant>/....
2. Enter the Client ID you created.
3. Enter the Client Secret you created.
4. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format: https://<Workday-host-name>/ccx/service/....
5. Enter the Refresh Token you generated.
Enter the Report URL you found.
In the Report Format drop-down menu, select the report format type. The default format is json.
To unpack the nested columns and sync them separately, set the Enable Unpacking Nested Columns toggle to ON. By default, we sync the nested columns as JSON objects into your destination.
NOTE:
- We can unpack only the nested columns and not the columns with nested arrays.
- When we unpack and sync the nested columns, the unpacked values may exceed the column limits of your destination.
Select the Primary Keys you want to use. If you do not want to select a Primary Key, set the Use Fivetran Generated Primary Key toggle to ON.
NOTE: We do not support selecting columns from within nested child objects as primary keys in your Workday RaaS reports.
Click Save & Test. Fivetran will take it from here and sync your data from your Workday account.