Skip to content

Workday

SaaS Management integrates directly with Workday, so you can view all user activity within the application. The integration gives you the usage data you need to make informed decisions on inactive licenses and any renewal or purchasing options. For example, you can view when users last logged in to Workday to determine if their licenses are still needed.

Note

This documentation describes the steps to integrate and pull usage data from Workday. If you want SaaS Management to pull spend data, you must integrate Workday Financials.

Integrating with Workday

You must have admin access in Workday to authenticate the application with SaaS Management.

Note

Before you integrate the applications, make sure you have signed out of your individual account within your organization and are signed in to the appropriate service account with the required permissions.

Enabling OAuth 2.0 Clients in Workday

Before you can integrate Workday with SaaS Management, you must enable OAuth 2.0 in your Workday instance.

  1. On the Workday home page, enter "Edit Tenant Setup - Security" in the search bar and select the related task.

  2. In the OAuth 2.0 Settings section, select the OAuth 2.0 Clients Enabled checkbox to enable OAuth 2.0.

  3. Select OK to save your changes.

You can now register an API Client in Workday to generate a Client ID and Client Secret that you'll use to connect Workday and SaaS Management.

Registering API Clients in Workday

  1. On the Workday home page,enter "Register API Client" in the search bar and select the related task.

  2. Enter a descriptive name for the API client to differentiate it from others. For example, you can name the API client "SaaS Management Staging Client".

  3. For Client Grant Type, select Authorization Code Grant.

  4. For Access Token Type, select Bearer.
  5. In the Redirection URI field, enter https://gw.intello.io/oauth2callback/connect/workday.
  6. For Refresh Token Timeout (in days), use the default 30 days.
  7. In the Scope (Functional Areas) field, search for and add Staffing and System. These functional areas are required to integrate Workday with SaaS Management.
  8. Select OK to generate a Client ID and a Client Secret.
  9. Copy and store the Client ID and Client Secret in a safe place. You'll need these credentials to connect Workday to SaaS Management.

    Warning

    Do not close this page without copying your Client Secret. You won't be able to access it again.

Updating Domain Security Policies in Workday

To complete the integration, you must create or add an existing user to a new security group with the appropriate permissions.

Creating an Integration System User

You can use an existing user or create a new user dedicated to this integration. We recommend you create a new user specifically for the integration. You can assign the role to an existing user, but if that user leaves, the integration will no longer function.

  1. Enter "Create Integration System User" in the search bar and select the related task.

  2. Enter a descriptive name for the user to differentiate it from others. For example, you can use "SailPoint SaaS Management User".

  3. Enter a password that meets the listed requirements.
  4. Verify your password.
  5. Select OK to create the user.

Creating an Integration Security Group

  1. Enter "Create Security Group" in the search bar and select the related task.

  2. Select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group dropdown menu.

  3. Enter a name for the new security group and select OK. For example, you can name the security group "ISG_WorkdayUsage".

  4. Add the integration system user you created to this security group.

  5. Select OK to create the security group.

Adding Permissions to Security Group

  1. Enter “Maintain Permissions for Security Group” in the search bar and select the related task.

  2. Set the operation to Maintain.

  3. Enter name of the security group you created and select OK.

  4. In the Domain Security Policy Permissions tab, add the following permissions to the security group:

    Access Domain Security Policy Functional Area
    Get Only Workday Accounts System
    Get Only Workday Account Monitoring System
    Get Only Worker Data: Public Worker Reports Staffing
    Get Only Worker Data: Current Staffing Information Staffing
    Get Only Worker Data: Historical Staffing Information Staffing
  5. Select OK to save these permissions.

Applying Permissions to the Security Group

  1. Enter “Activate Pending Security Policy Change” in the search bar and select the related task.

  2. Include a comment that explains why you’re making these changes. For example, you may add "Updated permissions to enable the SaaS Management integration" as a comment. Select OK to continue.

  3. Verify the listed permissions and select the Confirm checkbox.

  4. Select OK to apply these permissions to the security group.

You now use your Client ID and Client secret to connect Workday to SaaS Management.

Connecting Workday to SaaS Management

  1. Go to SaaS Management and select Integrations from the navigation menu.

  2. Select the Workday tile.

  3. Select Add Integration to open the Authenticate with Workday window.

  4. (Optional) Select the Is Sandbox Tenant checkbox to set up a Sandbox tenant.

  5. Enter the following information in the appropriate fields:

    • Your company's unique identifier at Workday - Your organization's tenant name in Workday. Your tenant name appears after myworkday.com in the URL:https://www.myworkday.com/<uniquieID>.

    • The registered API Client ID - The Client ID from Workday.

    • The registered API Client Secret - The Client Secret from Workday.

  6. Select Submit to connect Workday to SaaS Management. You'll be taken to the Workday login page to complete the integration.

  7. Enter your Workday credentials and select Sign In.

SaaS Management will begin syncing your Workday data to your dashboard.

Requested Scopes

SaaS Management requests the following scopes:

Access Domain Security Policy Functional Area
Get Only Workday Accounts System
Get Only Workday Account Monitoring System
Get Only Worker Data: Public Worker Reports Staffing
Get Only Worker Data: Current Staffing Information Staffing
Get Only Worker Data: Historical Staffing Information Staffing