diff --git a/connection-guides/hris/workday_OAuth2.mdx b/connection-guides/hris/workday_OAuth2.mdx index aad06c0..5909213 100644 --- a/connection-guides/hris/workday_OAuth2.mdx +++ b/connection-guides/hris/workday_OAuth2.mdx @@ -96,7 +96,7 @@ import IntegrationFooter from "/snippets/integration-footer.mdx"; -## Add the Integration System User to a Security Group +## Add the Integration System User to Security Groups @@ -112,22 +112,26 @@ import IntegrationFooter from "/snippets/integration-footer.mdx"; - On the "Create Security Group" page, select "Integration System Security Group (Unconstrained)" from the Type of Tenanted Security Group pull-down menu. Enter a name in the Name field. + On the "Create Security Group" page, select "User-Based Security Group" from the Type of Tenanted Security Group pull-down menu. Enter a name in the Name field. + + + Some Workday Business Processes require User-Based Security Groups to access by default. + Security Group Type Click OK. - - On the "Edit Integration System Security Group (Unconstrained)" page, enter the same name you used when creating the ISU in the first section. Click OK. + + On the "Assign Users to User-Based Security Group" page, assign the Integration System User you created in the previous step. Click OK. 
@@ -144,7 +148,11 @@ import IntegrationFooter from "/snippets/integration-footer.mdx"; You can reach this interface by searching for "Maintain Permissions for Security Group" in the search bar, and selecting the name of the Security Group you created in the previous step. - This integration uses the following Workday Security Group Permissions. For each listed permission, select either **Get Only** for read-only access, or **Get and Put** for read and write access in the _View/Modify Access_ column. + This integration uses the following Workday Security Group Permissions. For each listed permission, add a row for either **Get Only** for read-only access, or **Get and Put** for read and write access in the _View/Modify Access_ column. + + + "View" access may be required for accessing Custom Report and WQL data. + Please note that Security Group Permissions can be customized within a Workday organization, and this list does not account for such customizations. + - Access Leave Type (Segmented) + - Business Process Administration + - Integration Build - Job Information - Job Profile: View + - National ID Identification + - System Auditing + - View: National Identifiers - All - **Manage:** - Location - Organization Integration - **Person Data:** - - Name - Citizenship Status - Date of Birth - Disabilities - Gender - - Government IDs + - Home Address + - Home Contact Information - ID Information - Marital Status - - National ID Identification - - Personal Information + - Name - Personal Data + - Personal Information - Personal Photo - - Home Contact Information - - Home Address - - Home Email - - Home Phone - - Work Contact Information - Work Address - - Work Email - - Work Phone + - Work Contact Information + - **Reports:** + - Manager + - Time Tracking + - **Set Up:** + - Payroll + - Payroll (ROE) - CAN + - Time Off + - Time Off (Calculations - Absence Specific) - **Worker Data:** + - Add Worker Documents - All Positions - Compensation - Current Staffing Information - 
Employment Data + - Leave of Absence + - Leave of Absence (Leave of Absence Manager View) - Organization Information - - Public Worker Reports - - **Time Off** - - Time Off - - Time Off Manager View - - Time Off Balances - - Time Off Balances Manager View - - **Leave of Absence** + - Public Worker Reports (**requires 'View' access**) + - Time Off + - Time Off (Time Off) + - Time Off (Time Off Balances) + - Time Off (Time Off Balances Manager View) + - Time Off (Time Off Manager View) - Workers - - Add Worker Documents - - Set Up: Time Off - - Set Up: Time Off (Calculations - Absence Specific) - - System Auditing - - View: National Identifiers - All - - **System:** - - Workday Query Language - - Business Process Administration + + + +## Edit Required Business Process Security Policies + + + + + Initiation Access for the Request Time Off business process is required by default to access some Worker Time Off data. + + Your tenant may require similar View Access for other business processes. + + + + Open the "Edit Business Process Security Policy" task for the "Request Time Off" business process. + + + Human Resources Web Service + + + + + Under "Who Can Start the Business Process" > "Initiating Action: Request Time Off (REST Service)", add the Security Group you created in the previous steps. + + Then click OK. 
@@ -216,6 +256,47 @@ import IntegrationFooter from "/snippets/integration-footer.mdx"; +## Identifying and Troubleshooting Additional Required Permissions + + + The API client accesses Workday using the permissions of the Integration System User that is linked via the refresh token. The Integration System User's permissions are determined by the User-Based Security Group you created and assigned to that user (and any others assigned). If you encounter API errors related to missing permissions, you may need to identify and add additional permissions to this Security Group. + + + + + If you receive API errors indicating that a specific REST endpoint or report field is inaccessible, you can identify the required permissions using the "View Security for Securable Item" report. + + + This report allows you to search for Tasks, Reports, Report Fields, Background Processes, and Data Sources to view their required Functional Areas, Security Policies, and currently-permitted Security Groups. + + + 1. In the Search bar, search for "View Security for Securable Item". + 2. In the modal, search for the specific REST endpoint, report, or report field that is causing the error (e.g., search for "Leave Type" if you're getting an error about the `leaveType` field). + 3. From the search results, click the "View Security" button for the relevant item. + - There are often multiple items with the same name, so you may need to click the "View Security" button for each item. + 4. Review the "Domain Security" section to see which Security Groups currently have access. + 5. Check if your User-Based Security Group is listed. If it is not listed: + - Note the required Domain Security Policy permissions shown in the modal. + - Navigate to "Maintain Permissions for Security Group" and add the required permissions to your Security Group. + - After adding permissions, activate the changes using "Activate Pending Security Policy Changes". 
+ + + + For calculated fields used in reports, you must check the security requirements using the "View Calculated Field" report. + + 1. In the Search bar, search for "View Calculated Field". + 2. Search for the specific calculated field that is causing access issues. + 3. Open the calculated field and open the three-dots menu to navigate to "Security" > "View Security". + 4. Review the modal to see: + - The Security Groups currently permitted to access the calculated field. + - The Security Policies that are required for access. + 5. If your User-Based Security Group is not listed: + - Note the required Security Policies shown in the modal. + - Navigate to "Maintain Permissions for Security Group" and add the required Domain Security Policy permissions to your Security Group. + - After adding permissions, activate the changes using "Activate Pending Security Policy Changes". + + + ## Register the Rest API Client @@ -232,22 +313,25 @@ import IntegrationFooter from "/snippets/integration-footer.mdx"; - Register the API Client with the following details and then click on **OK** button + Register the API Client with the following details. - **Client Name**: e.g. StackOne_Integrations - **Non-Expiring Refresh Tokens**: Check the box - **Scopes**: Select the required functional scopes to enable data access via API. - _Advanced Compensation_ - _Core Compensation_ - - _Integrations_ + - _Implementation_ + - _Integration_ - _Jobs & Positions_ - _Organizations and Roles_ + - _Personal Data_ - _Staffing_ - _System_ - _Tenant Non-Configurable_ - _Time Off and Leave_ - _Time Tracking_ - _Workday Designer_ + - _Worker Profile and Skills_ + + Select the option **Include Workday Owned Scopes** and click OK. After registering the client, you will be redirected to a page displaying the **Client ID** and **Client Secret**. Make sure to copy and securely store these credentials. 
diff --git a/images/workday/bp_request_time_off_policy.png b/images/workday/bp_request_time_off_policy.png new file mode 100644 index 0000000..bb2b8f6 Binary files /dev/null and b/images/workday/bp_request_time_off_policy.png differ diff --git a/images/workday/user-based-security-group.png b/images/workday/user-based-security-group.png new file mode 100644 index 0000000..31c0e0c Binary files /dev/null and b/images/workday/user-based-security-group.png differ
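Review bot: In the `@@ -112,22 +112,26 @@` hunk, the added callout "Some Workday Business Processes require User-Based Security Groups to access by default." is the only reason given for switching the group type from "Integration System Security Group (Unconstrained)" to "User-Based Security Group", and it does not say what is being accessed or which business process is meant. Suggest naming the business process (the section added later in this patch uses Request Time Off) and rewording the sentence so it has an object. In the same hunk, "assign the Integration System User you created in the previous step" replaces text that said the ISU was created "in the first section"; the previous step here creates the Security Group, so the pointer should still refer to the first section.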
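Review bot: In the `@@ -144,7 +148,11 @@` hunk, the permission list gains Business Process Administration, Integration Build, System Auditing, National ID Identification and the Set Up: Payroll entries, while the instruction above it still offers **Get Only** or **Get and Put** for every row without saying which rows the integration writes to. Only "Public Worker Reports (**requires 'View' access**)" states an access level. Suggest annotating each new entry with the access level it needs and the feature that depends on it, so readers can grant read-only access where that is enough. The hunk also drops "Workday Query Language" from the list while the new callout says "View" access may be required for Custom Report and WQL data; please confirm the removal is intended or say which listed permission now covers WQL.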
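Review bot: In the `@@ -216,6 +256,47 @@` hunk, step 5 of both procedures tells the reader to "add the required permissions to your Security Group" without stating which access level to choose, although the permissions section earlier in the guide distinguishes **Get Only** from **Get and Put**. Suggest saying to add only the policy shown for the failing item, at read-only level unless the integration writes that data. The phrase "(and any others assigned)" in the opening paragraph is ambiguous; "and by any other Security Groups assigned to that user" would be clearer. The two step-5 lists are nearly identical and could be stated once and referenced from the calculated-field procedure.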
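Review bot: In the `@@ -232,22 +313,25 @@` hunk, "Select the option **Include Workday Owned Scopes**" and the new scopes _Implementation_, _Personal Data_ and _Worker Profile and Skills_ are added with no explanation, on a client that also has **Non-Expiring Refresh Tokens** checked. Suggest a short note per added scope on the data it enables, and a statement of whether Include Workday Owned Scopes is required for the integration to work or only for specific features, so the reader can judge the access granted to a long-lived credential. The rename from _Integrations_ to _Integration_ looks like a label correction; worth mentioning in the commit message if so.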