--- title: Workday Access Requirements - Approvals excerpt: '' deprecated: false hidden: false metadata: title: '' description: '' robots: index next: description: '' --- # Setup Overview You will need to provide the following to Moveworks. * Integration System User (ISU) Credentials * Username * Password * API Client for Integrations Credentials * Client ID * Client Secret * API Client Refresh Token for the ISU * Enable OAuth 2.0 Clients Enabled * Edit Tenant Setup * URLs * Any RaaS-Enabled Report URLs * Approval Retrieval * Time Off Details * Token Endpoint * Workday REST API Endpoint * End User URLs * Workday Home Page * Absence Calendar 👉 Provide provide ALL of the above to your Moveworks Customer Success team via encrypted email. # Grant ISU Domain Security Permissions Please create an Integration System User (ISU) and Integration System Security Group (ISSG). ## How to Create an ISU with Domain Security Permissions ### Create the ISU 1. Use the universal search to find the `Create Integration System User` (ISU) Workday Task.\ ![](https://files.readme.io/ba33220-62ba12f-workday_universal_search.png) 2. Use the `Create Integration System User` (ISU) Workday Task to create a user following these settings. Write down the username and password that you use.\ ![](https://files.readme.io/e1b1815-Untitled_-_2023-10-16T151651.126.png) 3. Validate that the ISU has these default permissions after creation.\ ![](https://files.readme.io/5b51351-Untitled_1.png) ### Create an ISSG and add the ISU to it 1. Find the `Create Security Group` task.\ ![](https://files.readme.io/d540e6b-3fac8e8-create_security_group_search.png) 2. Create an `Integration System Security Group (Unconstrained)` (ISSG). Title it "ISSG\_Moveworks" for best practices.\ ![](https://files.readme.io/3024e38-Untitled_2.png) 3. Use the `All Workday Accounts` report to find the account again.\ ![](https://files.readme.io/7c7a36a-1f6244d-wday_accounts.png) 4. Use the action menu to select `Assign Integration System Security Groups`.\ ![](https://files.readme.io/e9dc997-Untitled_4.png) 5. Add the ISU to the ISSG.\ ![](https://files.readme.io/dbad1c9-Untitled_5.png) ### Add Domain Security Policies to the ISSG 1. Navigate to the ISSG using the `View Security Group` Report.\ ![](https://files.readme.io/aa54237-Untitled_6.png) 2. Use the menu item for Maintain Domain Permissions for Security Group.\ ![](https://files.readme.io/bc40341-Untitled_7.png) 3. Add any permissions that are needed for your Moveworks bot. You can find the full list of permissions [here](/docs/workday-access-requirements#permissions).\ ![](https://files.readme.io/e7f7014-permission_copying.png) 4. Activate your permissions with the `Activate Pending Security Policy Changes` task.\ ![](https://files.readme.io/12e8659-Untitled_9.png) ## Permissions | Permission Type | Permission | Business Justification | | :-------------- | :------------------------------------------------------------ | :------------------------------------------------------ | | Modify | Workday Query Language | Needed to identify users | | Modify | Custom Report Creation | Needed to identify users | | Modify | Workday Accounts | Needed to identify users | | Modify | Person Data: Work Contact Information | Needed to identify users | | View | Person Data: Work Email | Needed to identify users | | View | Worker Data: Public Worker Reports | Needed to identify users | | View | Worker Data: Workers | Needed to identify users | | View | Custom Report Creation | Needed to identify users | | Put | Workday Query Language | Needed to identify users | | Put | Workday Accounts | Needed to identify users | | Put | Person Data: Work Contact Information | Needed to identify users | | Get | Worker Data: Public Worker Reports | Needed to identify users | | Get | Worker Data: Workers | Needed to identify users | | Get | Worker Data: Worker ID | Needed to identify users | | Get | Indexed Data Source: Workers | Needed to identify users | | Put | Business Process Administration | Needed to take approval actions (approve / deny) | | Put | Business Process Definition View | Needed to take approval actions (approve / deny) | | Put | Business Process Delegation | Needed to take approval actions (approve / deny) | | Put | Business Process Reporting | Needed to take approval actions (approve / deny) | | Put | Integration Event | Needed to take approval actions (approve / deny) | | Put | Integration Process | Needed to take approval actions (approve / deny) | | Modify | Business Process Administration | Needed to take approval actions (approve / deny) | | Modify | Business Process Definition View | Needed to take approval actions (approve / deny) | | Modify | Business Process Delegation | Needed to take approval actions (approve / deny) | | Modify | Business Process Reporting | Needed to take approval actions (approve / deny) | | Modify | Integration Event | Needed to take approval actions (approve / deny) | | Modify | Integration Process | Needed to take approval actions (approve / deny) | | View | Worker Data: Leave of Absence | Needed to get details for leave of absence requests | | View | Worker Data: Leave of Absence (Leave of Absence Manager View) | Needed to get details for leave of absence requests | | Get | Worker Data: Absence Occurrences | Needed to get details for leave of absence requests | | Get | Worker Data: Absence Occurrences (Manager View) | Needed to get details for leave of absence requests | | Get | Worker Data: Leave of Absence (Leave of Absence Manager View) | Needed to get details for leave of absence requests | | View | Worker Data: Time Off (Time Off Balances) | Needed to retrieve time off balances for a given worker | | View | Worker Data: Time Off (Time Off Balances Manager View) | Needed to retrieve time off balances for a given worker | | Get | Worker Data: Time Off (Time Off Balances) | Needed to retrieve time off balances for a given worker | | Get | Worker Data: Time Off (Time Off Balances Manager View) | Needed to retrieve time off balances for a given worker | > 💡 > > **Note**: The Modify and Put permissions are not necessarily required to identify users. The View and Get permissions should be enough for the use case. However, we might need to explore those permissions too if we fail to fetch users using the View and Get permission types. # Create API Client for Integrations Please create an API Client for Integrations and provide the following function areas (scopes). Then create a refresh token for the ISU you created earlier. ## How to Create an API Client for Integrations ### Create API Client 1. Search for `Register API Client for Integrations`.\ ![](https://files.readme.io/a9e9269-Untitled_10.png) 2. Set the name to **Moveworks** and add the scopes required. You can find the full list of scopes [here](/docs/workday-access-requirements#scopes).\ ![](https://files.readme.io/6d10f24-registration.png) 3. Write down your **Client ID** and **Client Secret**.\ ![](https://files.readme.io/0ba00e6-a5984da-client_secret.png) 4. Navigate to `View API Clients`. Write down the **Token Endpoint** and **Workday REST API Endpoint**.\ ![](https://files.readme.io/7c83e62-tokenandapi.png) ### Provision a Refresh Token for the ISU 1. From the `View API Clients` view, click on the `API Clients for Integrations` tab. Click on the API Client you just created.\ ![](https://files.readme.io/473d054-inspectclient.png) 2. From the related actions menu, select `Manage Refresh Tokens for Integrations`.\ ![](https://files.readme.io/c122321-Untitled_14.png) 3. Add the ISU Account you created earlier to the API Client.\ ![](https://files.readme.io/9c804a2-isu_to_client.png) 4. Select `Generate Refresh Token`.\ ![](https://files.readme.io/00ce590-gen_refresh_token.png) 5. Write down your new refresh token.\ ![](https://files.readme.io/c2d9060-9cd43d6-refresh_token.png) ## Enable OAuth 2.0 Clients Enabled > 👍 Check the box for **OAuth 2.0 Clients Enabled** > Access the Edit Teams Setup – Security task and select the checkbox for OAuth 2.0 Clients Enabled > 📘 Follow the above step with the help of this screenshot and box in red ![](https://files.readme.io/7c6b067-image_20.png) ## Scopes | Functional Area (Scope) | Business Justification | | :---------------------- | :------------------------------------------------------------------ | | Staffing | Needed to identify users | | System | Needed to identify users & run RaaS reports | | Tenant Non-Configurable | Needed to identify users & run RaaS reports | | Contact Information | Needed to identify users | | Public Data | Needed to identify users | | Time Off and Leave | Needed for time off plans, time off requests, and leaves of absence | | Time Tracking | Needed for time off plans, time off requests, and leaves of absence | # Create RaaS-Enabled Reports Create each of the following reports into your Workday instance. Transfer ownership to our ISU, then share the JSON URL with your Moveworks Customer Success team. ## Approval Retrieval Report [Download](https://developer.moveworks.com/file-hosting/workday/Moveworks_Approval_Retrieval.xlsx) ### How it is used We use this report to detect when new approvals are pending in your Workday instance. ### Prompt Instructions When generating the JSON URL, provide any Business Process Definitions that you would like Moveworks to support. ![](https://files.readme.io/38c4909-image_7.png) ## Time Off Details by ID Report [Download](https://developer.moveworks.com/file-hosting/workday/Time_Off_Details_by_ID.xlsx) ### How it is used We use this report to get time off details for our approval notifications. ### Prompt Instructions You can provide any values for the prompts when generating the JSON URLs, it doesn't matter. ## How to Create & Transfer a Workday Report Repeat the steps below for EACH report you need to create, which are the Approval Retrieval Report and the Time Off Details by ID Report. ### Create the Report 1. Download the reports listed above by clicking on the Download link under [Approval Retrieval Report](/docs/workday-access-requirements#approval-retrieval-report) and [Time Off Details by ID Report](/docs/workday-access-requirements#time-off-details-by-id-report). 2. Navigate to the `Create Custom Report` task.\ ![](https://files.readme.io/02b18a3-d26ab55-create_custom_report.png) 3. Setup the initial report settings.\ ![](https://files.readme.io/3427cac-image_9.png) 4. Copy over the tabs for Columns, Filter, Prompts, Advanced EXACTLY as shown in the Excel template.\ ![](https://files.readme.io/ddf2f87-report_copying.png) > 🚧 > > **Warning**: Make sure to copy over all tabs EXACTLY. The naming and capitalization are both important. ### Authorize & share the report definition 1. Authorize the ISU you created earlier to run the report from the Share tab.\ ![](https://files.readme.io/77984a4-authorizeISU.png) 2. Use `View URLs` under `Web Service` to get the URL of the Custom Report.\ ![](https://files.readme.io/b59253e-Untitled_18.png) 3. For the prompt values, use the Prompt Instructions defined above for the [Approval Retrieval Report](/docs/workday-access-requirements#prompt-instructions) and [Time Off Details by ID Report](/docs/workday-access-requirements#prompt-instructions-1).\ ![](https://files.readme.io/1228384-Untitled_19.png) 4. Right click on `JSON` and Copy URL. Share this URL with your Moveworks Customer Success team.\ ![](https://files.readme.io/8b72c77-Untitled_20.png) ### (Optional) Transfer Ownership of the Report to the ISU We recommend doing this so that our ISU has access to report even if a member of your Workday Reports team leaves the company. 1. Ensure that the ISU has the domain permissions needed to access the business objects referenced & through their data sources. If you need assistance with this, we recommend getting support from your Workday security team. 2. Transfer the ownership using related actions on the report definition.\ ![](https://files.readme.io/6682f56-IMG_9143.png) # Adjust Business Processes Create a User-Based Security Group and assign our ISU to it. Then, update the Business Process Security Policy to grant Moveworks the permissions to review the relevant action steps. Then, update the Business Process Definition to add your User-Based Security Group to the Approval step(s). ## How to Edit Business Processes for Approvals ### Set up a User-Based Security Group We need to setup additional permissions for approvals to allow the ISU user to approve business processes in Workday. Please create a User-Based Security Group to add support for your approvals across various processes. 1. Find the `Create Security Group` task.\ ![](https://files.readme.io/8f16a48-3fac8e8-create_security_group_search.png) 2. Create a `User-Based Security Group` called `Moveworks`.\ ![](https://files.readme.io/4546813-create_user_security_group.png) 3. Open the `Assign Users to User-Based Security Group` task.\ ![](https://files.readme.io/eecccfd-7a93124-assign_to_user_security_group.png) 4. Assign the ISU user you created earlier to the user-based security group.\ ![](https://files.readme.io/645eea1-assign_to_user_security_group_isu.png) ### Update your business processes > 🚧 > > **Warning**: You’ll need to repeat the following steps for EACH business process you want users to be able to approve through Moveworks. You can see the list of business process types to update [here](/docs/workday-access-requirements#business-process-types). 1. Use the `Edit Business Process Security Policy` task and select one of the business processes from the [list shown below](/docs/workday-access-requirements#business-process-types).\ ![](https://files.readme.io/4172bb5-4687370-select_bp_security_policy.png) 2. Add the `Moveworks` Security Group to any required Security Policy Action Step from the [list shown below](/docs/workday-access-requirements#business-process-types).\ ![](https://files.readme.io/462a9f8-edit_bp_security_policy.png) 3. Activate your permissions with the `Activate Pending Security Policy Changes` task.\ ![](https://files.readme.io/803af53-Untitled_25.png) 4. Filter Business Process Definitions using the Business Process Definitions report to matching Business Process Types.\ ![](https://files.readme.io/d7102d2-4abe2ae-identifying_bpds.png) 5. For Business Process Definitions that are configured for the organization, select Edit Definition.\ ![](https://files.readme.io/f84dacb-bpd.png) 6. Add the Moveworks Security Group to EACH business process step where the Step Type is Approval.\ ![](https://files.readme.io/8eae443-update_bp_steps.png) ## Business Process Types | Business Process Type | Security Policy Action Step | | :-------------------- | :-------------------------- | | Request Time Off | Review Time Off Request |