***
title: Workday Access Requirements - HR Cases
excerpt: ''
deprecated: false
hidden: false
metadata:
title: ''
description: ''
robots: index
next:
description: ''
---------------
# Setup Overview
You will need to provide the following to Moveworks.
* Integration System User (ISU) Credentials
* Username
* Password
* API Client for Integrations Credentials
* Client ID
* Client Secret
* API Client Refresh Token for the ISU
* Enable OAuth 2.0 Clients Enabled
* Edit Tenant Setup
* URLs
* The following RaaS-Enabled Report URLs
* Cases Retrieval
* Case Type Details
* Token Endpoint
* Workday REST API Endpoint
* End User URLs
* Workday Help - Cases Page
👉 Provide provide ALL of the above to your Moveworks Customer Success team via encrypted email.
# Grant ISU Domain Security Permissions
Please create an Integration System User (ISU) and Integration System Security Group (ISSG).
## How to Create an ISU with Domain Security Permissions
### Create the ISU
1. Use the universal search to find the `Create Integration System User` (ISU) Workday Task.\
2. Use the `Create Integration System User` (ISU) Workday Task to create a user following these settings. Write down the username and password that you use.\
3. Validate that the ISU has these default permissions after creation.\
### Create an ISSG and add the ISU to it
1. Find the `Create Security Group` task.\
2. Create an `Integration System Security Group (Unconstrained)` (ISSG). Title it "ISSG\_Moveworks" for best practices.\
3. Use the `All Workday Accounts` report to find the account again.\
4. Use the action menu to select `Assign Integration System Security Groups`.\
5. Add the ISU to the ISSG.\
### Add Domain Security Policies to the ISSG
1. Navigate to the ISSG using the `View Security Group` Report.\
2. Use the menu item for Maintain Domain Permissions for Security Group.\
3. Add any permissions that are needed for your Moveworks bot. You can find the full list of permissions [here](/service-management/access-requirements/hr-information-system/workday#permissions).\
4. Activate your permissions with the `Activate Pending Security Policy Changes` task.\
## Permissions
| **Permission Type** | **Permission/Domain Security Policy** | Domain Security Policies Inheriting Permission | **Business Justification** |
| :------------------ | :------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :---------------------------------------------------- |
| View Only | Custom Report Administration | | Needed to identify users, retrieve cases |
| View Only | Manage: All Custom Reports | | Needed to identify users, retrieve cases |
| View Only | Worker Data: Worker ID | | Needed to identify users |
| View Only | Worker Data: Public Worker Reports | | Needed to identify users |
| View Only | Security Administration | External Account Provisioning Lock Out Workday Accounts Manage Authorized Applications Provisioning Group Administration Set Up: Security Rules User-Based Security Group Administration Workday Account Monitoring | Needed to identify users, retrieve cases |
| View Only | Workday Accounts | | Needed to identify users |
| View and Modify | Workday Query Language | | Needed to identify users |
| View and Modify | Custom Report Creation | | Needed to identify users, retrieve cases |
| View Only | Worker Data: Active Employees | | Needed to identify users |
| Get Only | Worker Data: Active Employees | | Needed to identify users |
| View Only | Person Data: Work Email | | Needed to identify users |
| Get Only | Person Data: Work Email | | Needed to create cases of behalf of users |
| View Only | Person Data: Work Address | | Needed to identify users |
| Get Only | Person Data: Work Address | | Needed to identify users |
| View Only | Person Data: Work Contact Information | | Needed to identify users |
| Get Only | Person Data: Work Contact Information | | Needed to identify users |
| View Only | Manage: Organization Roles | | Needed to identify users |
| Get Only | Manage: Organization Roles | | Needed to identify users |
| Get and Put | Workday Query Language | | Needed to identify users |
| Get Only | Worker Data: Public Worker Reports | | Needed to identify users |
| Get and Put | Help Case External Contacts | | Needed to retrieve case details |
| Get and Put | Manage: Case Create on Behalf Of | | Needed to create a case |
| Get Only | Workday Accounts | | Needed to identify users |
| Get Only | Worker Data: Worker ID | | Needed to identify users |
| Get Only | Indexed Data Source: Workers | | Needed to identify users |
| View and Modify | Help Case Data | Help Case Internal NotesHelp Case Messages | Needed to retrieve case details, create case comments |
| Get and Put | Help Case Data | Help Case Internal NotesHelp Case Messages | Needed to retrieve case details, create case comments |
| View and Modify | Manage: Case Create on Behalf Of | | Needed to create a case |
| View and Modify | Process: Help Cases | | Needed to create a case, create case comments |
| Get and Put | Process: Help Cases | | Needed to retrieve case details |
| View Only | Reports: Help Case Management | | Needed to retrieve case details |
| Get Only | Reports: Help Case Management | | Needed to retrieve case details |
| View Only | Set Up: Help Case Management | | Needed to retrieve case details |
| Get Only | Set Up: Help Case Management | | Needed to retrieve case details |
| View Only | View: Confidential Help Cases | | Needed to retrieve case details |
| Get Only | View: Confidential Help Cases | | Needed to retrieve case details |
| View Only | Manage: Case Create About | | Needed to retrieve case details |
| Get Only | Manage: Case Create About | | Needed to retrieve case details |
| Get Only | Custom Report Administration | | Needed to retrieve case details |
| Get Only | Manage: All Custom Reports | | Needed to retrieve case details |
| Get Only | Custom Report Creation | | Needed to retrieve case details |
| View Only | Reports: Questionnaires | | Needed to retrieve case type details |
| Get Only | Reports: Questionnaires | | Needed to retrieve case type details |
| View Only | Question Library | | Needed to retrieve case type details |
| Get Only | Question Library | | Needed to retrieve case type details |
**Note**: The Modify and Put permissions are not necessarily required to identify users. The View and Get permissions should be enough for the use case. However, we might need to explore those permissions too if we fail to fetch users using just the View and Get permission types.
# Create API Client for Integrations
Please create an API Client for Integrations and provide the following function areas (scopes). Then create a refresh token for the ISU you created earlier.
## How to Create an API Client for Integrations
### Create API Client
1. Search for `Register API Client for Integrations`.\
2. Set the name to **Moveworks** and add the scopes required. You can find the full list of scopes [here](/service-management/access-requirements/hr-information-system/workday#scopes).\
3. Write down your **Client ID** and **Client Secret**.\
4. Navigate to `View API Clients`. Write down the **Token Endpoint** and **Workday REST API Endpoint**.\
### Provision a Refresh Token for the ISU
1. From the `View API Clients` view, click on the `API Clients for Integrations` tab. Click on the API Client you just created.\
2. From the related actions menu, select `Manage Refresh Tokens for Integrations`.\
3. Add the ISU Account you created earlier to the API Client.\
4. Select `Generate Refresh Token`.\
5. Write down your new refresh token.\
## Enable OAuth 2.0 Clients Enabled
Check the box for **OAuth 2.0 Clients Enabled**
> Access the Edit Teams Setup – Security task and select the checkbox for OAuth 2.0 Clients Enabled
Follow the above step with the help of this screenshot and box in red
## Scopes
| **Functional Area (Scope)** | **Business Justification** |
| --------------------------- | ------------------------------------------------------------------------------ |
| Staffing | Needed to identify users |
| System | Needed to identify users, retrieve cases & run RaaS reports |
| Tenant Non-Configurable | Needed to identify users & run RaaS reports |
| Contact Information | Needed to identify users |
| Public Data | Needed to identify users |
| Personal Data | Needed to identify users |
| Organizations and Roles | Needed to identify users |
| Help | Needed to create case, case comments and run Cases and Case Types RaaS reports |
# Create RaaS-Enabled Reports
Create each of the following reports into your Workday instance. Transfer ownership to our ISU, then share the JSON URL with your Moveworks Customer Success team.
## Case Retrieval Report
[Moveworks Cases Retrieval.xlsx](https://developer.moveworks.com/file-hosting/workday/Moveworks_Cases_Retrieval.xlsx)
### How it is used
We use this report to detect when new cases are created or previously created cases are updated in your Workday instance.
### Prompt Instructions
Please provide all the prompts (default and additional) as mentioned in the file above since they are crucial for the integration to function.
## Case Type Details Retrieval Report
[Moveworks Case Types Retrieval.xlsx](https://developer.moveworks.com/file-hosting/workday/Moveworks_Case_Types_Retrieval.xlsx)
!
Please ensure your Workday instance has a description (`Case Type Description`) attached to each of your Case Types. If you don’t have a description field, please create descriptions for your Case Types.
This is important because both the title and the description of the Case Type are required by our Machine Learning models to determine the correct Case Type based on the query that the user has raised.
### How it is used
We use this report to get the list of Case Type and their details from your Workday instance.
### Prompt Instructions
Please provide all the prompts (default and additional) as mentioned in the file above since they are crucial for the integration to function.
## How to Create & Transfer a Workday Report
Repeat the steps below for EACH report you need to create, which are the Case Retrieval Report and the Case Type Details Report.
### Create the Report
1. Download the reports listed above by clicking on the files link under [Case Retrieval Report](/service-management/access-requirements/hr-information-system/workday-cases#case-retrieval-report) and [Case Type Details Retrieval Report](/service-management/access-requirements/hr-information-system/workday-cases#case-type-details-retrieval-report).
2. Navigate to the `Create Custom Report` task.\
3. Setup the initial report settings.\
4. Copy over the tabs for Columns, Filter, Prompts, Advanced EXACTLY as shown in the Excel template.\
!
Make sure to copy over all tabs EXACTLY. The naming and capitalization are both important.
### Authorize & share the report definition
1. Authorize the ISU you created earlier to run the report from the Share tab.\
2. On the Advanced tab, select the enable as a web service box to enable it for API consumption
3. Save the report.
4. From the related actions of the custom report, select `Web Service` -> `View URLs`:
5. Scroll down to `JSON` and right click on the hyperlink to select “Copy URL”. Share this URL with your Moveworks Customer Success team.\
### (Optional) Transfer Ownership of the Report to the ISU
We recommend doing this so that our ISU has access to report even if a member of your Workday Reports team leaves the company.
1. Ensure that the ISU has the domain permissions needed to access the business objects referenced & through their data sources. If you need assistance with this, we recommend getting support from your Workday security team.
2. Transfer the ownership using related actions on the report definition.\
