For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Logo
DeveloperAcademyCommunityStatus
  • Service Management
    • Overview
    • Concierge & Ticketing Capabilities Overview
    • Forms
    • Forms - Integration Specific Guides
    • Live Agent Chat / Handoff
    • Triage
    • Approval Mirroring
    • Ticket Interception
    • Generic Ticketing Integration: Ticket Gateway
  • Administration
    • MyMoveworks
    • Organization Information
    • Roles and Permissions
    • MyMoveworks SSO
  • Moveworks Setup
    • Accessing Moveworks Setup
    • First-Time Login via Magic Link
    • Moveworks Setup Modules
    • Moveworks Setup: Module How To Guides
    • Plugin Management
    • Monitor Alerts
    • Audit Logs
    • DSL Fields Defaults
    • Data Crawling View
    • API Playground
    • Setup Homepage
    • Troubleshooting Hub
    • Security and Privacy Settings
    • Configuration Delete
    • Advanced Config Editor
    • Identity configuration
    • Onboarding Stage
  • Security
    • Security
    • Hyperlink & Button Expiry
    • Attachment Handling
    • Moveworks Subprocessors
  • Provision Management
    • Overview
    • Access Software
    • Access Groups
    • Access Account
  • Access Requirements
    • Overview
    • Update Set Modules
    • Ticketing Systems & ITSMs Access
    • Identity and Access Management Systems Access
    • Multi-Factor Authentication (MFA) Systems Access
    • Knowledge Access Requirements
    • Email Distribution List Systems Access
    • Facilities Management Access
    • Live Agent Chat Access
    • HR Information System Access
      • Workday Access Requirements - Approvals
      • Workday Access Requirements - HR Cases
    • Expense Management Access
    • Calendar Management Access
  • Core Platform
    • User Identity
    • Moveworks On-Prem Agent
    • Approvals Engine
    • Entity Catalog
    • Configuration Languages
    • Moveworks Data Objects
    • SIEM
  • Employee Experience Insights
    • Overview
    • Breaking Down the Dashboard
    • Understanding Industry Benchmarks
    • Apps & Services
    • Impact Module
    • EXI Common Use Cases
    • Configure EXI
    • Ticket Backpolling
  • Knowledge Studio
    • Overview
    • Knowledge Studio Configuration
    • AI Powered Recommendations
    • Inspecting & Verifying Sources
    • Publishing Articles
    • Creating Knowledge Articles
    • Resolving IT Tickets Guidance
DeveloperAcademyCommunityStatus
On this page
  • Setup Overview
  • Grant ISU Domain Security Permissions
  • How to Create an ISU with Domain Security Permissions
  • Create the ISU
  • Create an ISSG and add the ISU to it
  • Add Domain Security Policies to the ISSG
  • Permissions
  • Create API Client for Integrations
  • How to Create an API Client for Integrations
  • Create API Client
  • Provision a Refresh Token for the ISU
  • Enable OAuth 2.0 Clients Enabled
  • Scopes
  • Create RaaS-Enabled Reports
  • Approval Retrieval Report
  • How it is used
  • Prompt Instructions
  • Time Off Details by ID Report
  • How it is used
  • Prompt Instructions
  • How to Create & Transfer a Workday Report
  • Create the Report
  • Authorize & share the report definition
  • (Optional) Transfer Ownership of the Report to the ISU
  • Adjust Business Processes
  • How to Edit Business Processes for Approvals
  • Set up a User-Based Security Group
  • Update your business processes
  • Business Process Types
Access RequirementsHR Information System Access

Workday Access Requirements - Approvals

||View as Markdown|
Was this page helpful?
Edit this page
Previous

Workday Access Requirements - HR Cases

Next
Built with

Setup Overview

You will need to provide the following to Moveworks.

  • Integration System User (ISU) Credentials
    • Username
    • Password
  • API Client for Integrations Credentials
    • Client ID
    • Client Secret
    • API Client Refresh Token for the ISU
  • Enable OAuth 2.0 Clients Enabled
    • Edit Tenant Setup
  • URLs
    • Any RaaS-Enabled Report URLs
      • Approval Retrieval
      • Time Off Details
    • Token Endpoint
    • Workday REST API Endpoint
    • End User URLs
      • Workday Home Page
      • Absence Calendar

👉 Provide provide ALL of the above to your Moveworks Customer Success team via encrypted email.

Grant ISU Domain Security Permissions

Please create an Integration System User (ISU) and Integration System Security Group (ISSG).

How to Create an ISU with Domain Security Permissions

Create the ISU

  1. Use the universal search to find the Create Integration System User (ISU) Workday Task.
  2. Use the Create Integration System User (ISU) Workday Task to create a user following these settings. Write down the username and password that you use.
  3. Validate that the ISU has these default permissions after creation.

Create an ISSG and add the ISU to it

  1. Find the Create Security Group task.
  2. Create an Integration System Security Group (Unconstrained) (ISSG). Title it “ISSG_Moveworks” for best practices.
  3. Use the All Workday Accounts report to find the account again.
  4. Use the action menu to select Assign Integration System Security Groups.
  5. Add the ISU to the ISSG.

Add Domain Security Policies to the ISSG

  1. Navigate to the ISSG using the View Security Group Report.
  2. Use the menu item for Maintain Domain Permissions for Security Group.
  3. Add any permissions that are needed for your Moveworks bot. You can find the full list of permissions here.
  4. Activate your permissions with the Activate Pending Security Policy Changes task.

Permissions

Permission TypePermissionBusiness Justification
ModifyWorkday Query LanguageNeeded to identify users
ModifyCustom Report CreationNeeded to identify users
ModifyWorkday AccountsNeeded to identify users
ModifyPerson Data: Work Contact InformationNeeded to identify users
ViewPerson Data: Work EmailNeeded to identify users
ViewWorker Data: Public Worker ReportsNeeded to identify users
ViewWorker Data: WorkersNeeded to identify users
ViewCustom Report CreationNeeded to identify users
PutWorkday Query LanguageNeeded to identify users
PutWorkday AccountsNeeded to identify users
PutPerson Data: Work Contact InformationNeeded to identify users
GetWorker Data: Public Worker ReportsNeeded to identify users
GetWorker Data: WorkersNeeded to identify users
GetWorker Data: Worker IDNeeded to identify users
GetIndexed Data Source: WorkersNeeded to identify users
PutBusiness Process AdministrationNeeded to take approval actions (approve / deny)
PutBusiness Process Definition ViewNeeded to take approval actions (approve / deny)
PutBusiness Process DelegationNeeded to take approval actions (approve / deny)
PutBusiness Process ReportingNeeded to take approval actions (approve / deny)
PutIntegration EventNeeded to take approval actions (approve / deny)
PutIntegration ProcessNeeded to take approval actions (approve / deny)
ModifyBusiness Process AdministrationNeeded to take approval actions (approve / deny)
ModifyBusiness Process Definition ViewNeeded to take approval actions (approve / deny)
ModifyBusiness Process DelegationNeeded to take approval actions (approve / deny)
ModifyBusiness Process ReportingNeeded to take approval actions (approve / deny)
ModifyIntegration EventNeeded to take approval actions (approve / deny)
ModifyIntegration ProcessNeeded to take approval actions (approve / deny)
ViewWorker Data: Leave of AbsenceNeeded to get details for leave of absence requests
ViewWorker Data: Leave of Absence (Leave of Absence Manager View)Needed to get details for leave of absence requests
GetWorker Data: Absence OccurrencesNeeded to get details for leave of absence requests
GetWorker Data: Absence Occurrences (Manager View)Needed to get details for leave of absence requests
GetWorker Data: Leave of Absence (Leave of Absence Manager View)Needed to get details for leave of absence requests
ViewWorker Data: Time Off (Time Off Balances)Needed to retrieve time off balances for a given worker
ViewWorker Data: Time Off (Time Off Balances Manager View)Needed to retrieve time off balances for a given worker
GetWorker Data: Time Off (Time Off Balances)Needed to retrieve time off balances for a given worker
GetWorker Data: Time Off (Time Off Balances Manager View)Needed to retrieve time off balances for a given worker

Note: The Modify and Put permissions are not necessarily required to identify users. The View and Get permissions should be enough for the use case. However, we might need to explore those permissions too if we fail to fetch users using the View and Get permission types.

Create API Client for Integrations

Please create an API Client for Integrations and provide the following function areas (scopes). Then create a refresh token for the ISU you created earlier.

How to Create an API Client for Integrations

Create API Client

  1. Search for Register API Client for Integrations.
  2. Set the name to Moveworks and add the scopes required. You can find the full list of scopes here.
  3. Write down your Client ID and Client Secret.
  4. Navigate to View API Clients. Write down the Token Endpoint and Workday REST API Endpoint.

Provision a Refresh Token for the ISU

  1. From the View API Clients view, click on the API Clients for Integrations tab. Click on the API Client you just created.
  2. From the related actions menu, select Manage Refresh Tokens for Integrations.
  3. Add the ISU Account you created earlier to the API Client.
  4. Select Generate Refresh Token.
  5. Write down your new refresh token.

Enable OAuth 2.0 Clients Enabled

Check the box for OAuth 2.0 Clients Enabled

Access the Edit Teams Setup – Security task and select the checkbox for OAuth 2.0 Clients Enabled

Follow the above step with the help of this screenshot and box in red

Scopes

Functional Area (Scope)Business Justification
StaffingNeeded to identify users
SystemNeeded to identify users & run RaaS reports
Tenant Non-ConfigurableNeeded to identify users & run RaaS reports
Contact InformationNeeded to identify users
Public DataNeeded to identify users
Time Off and LeaveNeeded for time off plans, time off requests, and leaves of absence
Time TrackingNeeded for time off plans, time off requests, and leaves of absence

Create RaaS-Enabled Reports

Create each of the following reports into your Workday instance. Transfer ownership to our ISU, then share the JSON URL with your Moveworks Customer Success team.

Approval Retrieval Report

Download

How it is used

We use this report to detect when new approvals are pending in your Workday instance.

Prompt Instructions

When generating the JSON URL, provide any Business Process Definitions that you would like Moveworks to support.

Approval Mirroring: When configuring Workday PTO Approvals, the Approval Retrieval Report URL typically contains a Business_Process_Names prompt parameter. Extract the Business_Process_Names!WID value from the URL and add it as a bp_names!WID key-value pair in the Approvals Config Report Params section of the Workday connector configuration. This step is required to ensure PTO approval requests are retrieved correctly.

Time Off Details by ID Report

Download

How it is used

We use this report to get time off details for our approval notifications.

Prompt Instructions

You can provide any values for the prompts when generating the JSON URLs, it doesn’t matter.

How to Create & Transfer a Workday Report

Repeat the steps below for EACH report you need to create, which are the Approval Retrieval Report and the Time Off Details by ID Report.

Create the Report

  1. Download the reports listed above by clicking on the Download link under Approval Retrieval Report and Time Off Details by ID Report.
  2. Navigate to the Create Custom Report task.
  3. Setup the initial report settings.
  4. Copy over the tabs for Columns, Filter, Prompts, Advanced EXACTLY as shown in the Excel template.

Warning: Make sure to copy over all tabs EXACTLY. The naming and capitalization are both important.

Authorize & share the report definition

  1. Authorize the ISU you created earlier to run the report from the Share tab.
  2. Use View URLs under Web Service to get the URL of the Custom Report.
  3. For the prompt values, use the Prompt Instructions defined above for the Approval Retrieval Report and Time Off Details by ID Report.
  4. Right click on JSON and Copy URL. Share this URL with your Moveworks Customer Success team.

(Optional) Transfer Ownership of the Report to the ISU

We recommend doing this so that our ISU has access to report even if a member of your Workday Reports team leaves the company.

  1. Ensure that the ISU has the domain permissions needed to access the business objects referenced & through their data sources. If you need assistance with this, we recommend getting support from your Workday security team.
  2. Transfer the ownership using related actions on the report definition.

Adjust Business Processes

Create a User-Based Security Group and assign our ISU to it. Then, update the Business Process Security Policy to grant Moveworks the permissions to review the relevant action steps. Then, update the Business Process Definition to add your User-Based Security Group to the Approval step(s).

How to Edit Business Processes for Approvals

Set up a User-Based Security Group

We need to setup additional permissions for approvals to allow the ISU user to approve business processes in Workday. Please create a User-Based Security Group to add support for your approvals across various processes.

  1. Find the Create Security Group task.
  2. Create a User-Based Security Group called Moveworks.
  3. Open the Assign Users to User-Based Security Group task.
  4. Assign the ISU user you created earlier to the user-based security group.

Update your business processes

Warning: You’ll need to repeat the following steps for EACH business process you want users to be able to approve through Moveworks. You can see the list of business process types to update here.

  1. Use the Edit Business Process Security Policy task and select one of the business processes from the list shown below.
  2. Add the Moveworks Security Group to any required Security Policy Action Step from the list shown below.
  3. Activate your permissions with the Activate Pending Security Policy Changes task.
  4. Filter Business Process Definitions using the Business Process Definitions report to matching Business Process Types.
  5. For Business Process Definitions that are configured for the organization, select Edit Definition.
  6. Add the Moveworks Security Group to EACH business process step where the Step Type is Approval.

Business Process Types

Business Process TypeSecurity Policy Action Step
Request Time OffReview Time Off Request