Workday Integration Instructions

Below are the steps to integrate your Workday and Knoetic accounts. Knoetic will access your Workday instance via what Workday calls an “Integration System User.” This User will allow Knoetic to pull data from Workday, with the scope of data dependent on the type of security access you grant the user.
Your Workday Administrator (or someone with Security Administrator-level permissions in Workday) should complete the tasks below.

Step 1: Create an integration system user

Permissions required in Workday: Modify permission on the “Integration Security” domain.

  1. Log in to Workday with an account that has the required permissions outlined above
  2. Search for and open the "Create Integration System User" task
  3. Set the User Name as “KnoeticAdminUser”
  4. Click “generate random password” and save this password for later - you will need to send this to Knoetic at the end
  5. Leave “Require new password at next sign in” unchecked
  6. Set session timeout minutes to 60
  7. Leave "Do not allow UI session" unchecked
  8. Click "OK"

Step 2: Create an Integration System Security Group to give Knoetic's integration system user access to the necessary data:

Permissions required in Workday: Modify permission on the “Security Configuration” domain

  1. Search for and open the "Create Security Group" task
  2. Select "Type of Tenanted Security Group" = "Integration System Security Group (Unconstrained)"
  3. Name the security group: “Knoetic Integration Security Group”
  4. Add the user "KnoeticAdminUser" that you created under "Integration System Users"
  5. Click "OK"

Step 3: Set the Integration System User you created in Step 1 to be exempt from password expiration

This is to prevent Knoetic's automated process from being locked out of the account during data extracts.

Permissions required in Workday: Modify permission on the “Security Administration” domain in Workday 

  1. Search for the "Maintain Password Rules" task
  2. Scroll to the bottom of the page
  3. Next to “System users exempt from password expiration,” add the integration system user "KnoeticAdminUser"

Step 4: Grant the Knoetic Integration Security Group you created the necessary permissions to access Workday data

Permissions required in Workday: Modify permission on the “Security Configuration” domain

  1. Access your security group by either searching for it in the search bar or running the “View Security Group” task
  2. Click on related actions (the 3 dots) next to the security group’s name at the top of the screen
  3. Hover over “Security Group”
  4. Click on “Maintain Domain Permissions for Security Group”
  5. On the following screen, you can add all necessary permissions in one place
  6. Search for “domain security” and select Domain Security Policies for Functional Area. Assign the security group Knoetic Integration Security Group to the following Functional Areas:
    1. The permissions you need to add are outlined in this document: security permissions
    2. Please note which permissions are “View,” “Get,” “Modify,” and/or “Put,” as these are added in different sections of this screen

Step 5: Give Knoetic access to the necessary "Business Processes" in order to pull in transactional data

Permissions required in Workday: Modify permission on the “Business Process Administration” domain

For each individual Business Process outlined here, please follow these steps:

  1. Go to the individual business process and click on related actions (the three dots at the top of the screen)
  2. Under the "Business Process Policy" menu, click “Edit”
  3. Scroll down to the “View All” permission and add the "Knoetic Integration Security Group" you created previously in step 4
  4. Repeat this process for each applicable Business Process

Step 6: Activate the changes you’ve made

Permissions required in Workday: Modify permission on the “Security Activation” domain. 

  1. Search for “Activate Pending Security Policy Changes” in the search bar and click into the task
    1. Enter a comment on this screen describing the changes you’re making
  2. On the following screen, you’ll see an outline of all of the changes you’ve made
  3. Click the checkbox to confirm you want to activate these changes, then click “OK” 

Note: To help expedite your Workday implementation, please send Knoetic an export of the security group you built:

  • While viewing the security group itself, click on the Excel/spreadsheet icon at the top right of the table that contains the list of all of the security group’s domain permissions.
  • This sheet can be submitted in the keydrop process outlined in the next step

Step 7: Configure Authentication Policies to allow for API access

Permissions required in Workday: Modify permission on the “Security Configuration” domain

  1. Access the Manage Authentication Policies task
  2. Click Edit next to the policy that includes the tenant Knoetic needs access to
  3. If the ISSG that contains the ISU Knoetic is using is not already listed in one of the policies, add a new line with the plus button
  4. Name the policy as you like and add the ISSG that contains the Knoetic ISU
  5. Grant permissions to log into the tenant via username and password
  6. Click OK
  7. Access the Activate All Pending Authentication Policy Changes task
  8. Activate your changes

Step 8: Send Knoetic the credentials to access your Workday tenant

  1. Go to
  2. Fill out the name, email, and company fields
  3. Select "Workday" for HR System
  4. In the "Data" box, please include:
    1. The username and password for the user you created earlier
    2. The URL of your workday instance (the URL you use to log into the Workday tenant, e.g. NAME/login.htmld)
  5. In the Exported File section, submit the file of the security groups you exported in Step 6

How did we do?

Powered by HelpDocs (opens in a new tab)