Skip to content

Workday

SaaS Management integrates directly with Workday, so you can view all user activity within the application. The integration gives you the usage data you need to make informed decisions on inactive licenses and any renewal or purchasing options. For example, you can view when users last logged in to Workday to determine if their licenses are still needed.

Important

This documentation describes the steps to integrate and pull usage data from Workday. If you want SaaS Management to pull spend data, you must integrate Workday Financials.

Integrating with Workday

You must have admin access in Workday to authenticate the application with SaaS Management.

Note

Before you integrate the applications, make sure you have signed out of your individual account within your organization and are signed in to the appropriate service account with the required permissions.

Enabling OAuth 2.0 Clients in Workday

Before you can integrate Workday with SaaS Management, you must enable OAuth 2.0 in your Workday instance.

  1. On the Workday home page, enter "Edit Tenant Setup - Security" in the search bar and select the related task.

  2. In the OAuth 2.0 Settings section, select the OAuth 2.0 Clients Enabled checkbox to enable OAuth 2.0.

  3. Select OK to save your changes.

You can now register an API Client in Workday to generate a Client ID and Client Secret that you'll use to connect Workday and SaaS Management.

Registering API Clients in Workday

  1. On the Workday home page,enter "Register API Client" in the search bar and select the related task.

  2. Enter a descriptive name for the API client to differentiate it from others. For example, you can name the API client "SaaS Management Staging Client".

  3. For Client Grant Type, select Authorization Code Grant.

  4. For Access Token Type, select Bearer.
  5. In the Redirection URI field, enter https://gw.intello.io/oauth2callback/connect/workday.
  6. For Refresh Token Timeout (in days), use the default 30 days.
  7. In the Scope (Functional Areas) field, search for and add Staffing and System. These functional areas are required to integrate Workday with SaaS Management.
  8. Select OK to generate a Client ID and a Client Secret.
  9. Copy and store the Client ID and Client Secret in a safe place. You'll need these credentials to connect Workday to SaaS Management.

    Caution

    Do not close this page without copying your Client Secret. You won't be able to access it again.

Updating Domain Security Policies in Workday

To complete the integration, you must create or add an existing user to a new security group with the appropriate permissions.

Creating an Integration System User

You can use an existing user or create a new user dedicated to this integration. We recommend you create a new user specifically for the integration. You can assign the role to an existing user, but if that user leaves, the integration will no longer function.

  1. Enter "Create Integration System User" in the search bar and select the related task.

  2. Enter a descriptive name for the user to differentiate it from others. For example, you can use "SailPoint SaaS Management User".

  3. Enter a password that meets the listed requirements.
  4. Verify your password.
  5. Select OK to create the user.

Creating an Integration Security Group

  1. Enter "Create Security Group" in the search bar and select the related task.

  2. Select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group dropdown menu.

  3. Enter a name, such as ISG_WorkdayUsage, for the new security group and select OK.

  4. Add the integration system user you created to this security group.

  5. Select OK to create the security group.

Adding Permissions to Security Group

  1. Enter “Maintain Permissions for Security Group” in the search bar and select the related task.

  2. Set the operation to Maintain.

  3. Enter name of the security group you created and select OK.

  4. In the Domain Security Policy Permissions tab, add the following permissions to the security group:

    Access Domain Security Policy Functional Area
    Get Only Workday Accounts System
    Get Only Workday Account Monitoring System
    Get Only Worker Data: Public Worker Reports Staffing
    Get Only Worker Data: Current Staffing Information Staffing
    Get Only Worker Data: Historical Staffing Information Staffing
  5. Select OK to save these permissions.

Applying Permissions to the Security Group

  1. Enter “Activate Pending Security Policy Change” in the search bar and select the related task.

  2. Include a comment that explains why you’re making these changes. For example, you may add "Updated permissions to enable the SaaS Management integration" as a comment. Select OK to continue.

  3. Verify the listed permissions and select the Confirm checkbox.

  4. Select OK to apply these permissions to the security group.

You now use your Client ID and Client secret to connect Workday to SaaS Management.

Connecting Workday to SaaS Management

  1. Go to SaaS Management and select Integrations from the navigation menu.

  2. Select the Workday tile.

  3. Select Add Integration to open the Authenticate with Workday window.

  4. Enter the following information in the appropriate fields:

    • Your Workday Token Endpoint - Your organization's token endpoint in Workday. To view your token endpoint, enter "View API Clients" in the search bar and select the related task.

    • Your Workday Authorization Endpoint - Your organization's authorization endpoint in Workday. To view your authorization endpoint, enter "View API Clients" in the search bar and select the related task.

    • The registered API Client ID - The Client ID from Workday.

    • The registered API Client Secret - The Client Secret from Workday.

  5. Select Submit to connect Workday to SaaS Management. You'll be taken to the Workday login page to complete the integration.

  6. Enter your Workday credentials and select Sign In.

SaaS Management will begin syncing your Workday data to your dashboard.

Requested Scopes

SaaS Management requests the following scopes:

Access Domain Security Policy Functional Area
Get Only Workday Accounts System
Get Only Workday Account Monitoring System
Get Only Worker Data: Public Worker Reports Staffing
Get Only Worker Data: Current Staffing Information Staffing
Get Only Worker Data: Historical Staffing Information Staffing

User Metadata

SaaS Management pulls the following user metadata from Workday. You can filter your usage data by these fields:

Field Description
Account Expiration Date The date the user's account expires. The user will be unable to sign in to Workday.
Position End Date The end date for the user's position.
Position Start Date The user's start date for the position.
Position Title The title of the user's position.
Primary Job Indicates whether the position is the primary position for the worker.
Worker Type Indicates whether the user is an Employee or Contingent Worker.