SaaS Management integrates directly with Workday, so you can view all user activity within the application. The integration gives you the usage data you need to make informed decisions on inactive licenses and any renewal or purchasing options. For example, you can view when users last logged in to Workday to determine if their licenses are still needed.
This documentation describes the steps to integrate and pull usage data from Workday. If you want SaaS Management to pull spend data, you must integrate Workday Financials.
Integrating with Workday
You must have admin access in Workday to authenticate the application with SaaS Management.
Before you integrate the applications, make sure you have signed out of your individual account within your organization and are signed in to the appropriate service account with the required permissions.
Enabling OAuth 2.0 Clients in Workday
Before you can integrate Workday with SaaS Management, you must enable OAuth 2.0 in your Workday instance.
Select OK to save your changes.
Registering API Clients in Workday
For Client Grant Type, select Authorization Code Grant.
- For Access Token Type, select Bearer.
- In the Redirection URI field, enter
- For Refresh Token Timeout (in days), use the default 30 days.
- In the Scope (Functional Areas) field, search for and add Staffing and System. These functional areas are required to integrate Workday with SaaS Management.
- Select OK to generate a Client ID and a Client Secret.
Copy and store the Client ID and Client Secret in a safe place. You'll need these credentials to connect Workday to SaaS Management.
Do not close this page without copying your Client Secret. You won't be able to access it again.
Updating Domain Security Policies in Workday
To complete the integration, you must create or add an existing user to a new security group with the appropriate permissions.
Creating an Integration System User
You can use an existing user or create a new user dedicated to this integration. We recommend you create a new user specifically for the integration. You can assign the role to an existing user, but if that user leaves, the integration will no longer function.
Enter a descriptive name for the user to differentiate it from others. For example, you can use "SailPoint SaaS Management User".
- Enter a password that meets the listed requirements.
- Verify your password.
- Select OK to create the user.
Creating an Integration Security Group
Enter a name, such as ISG_WorkdayUsage, for the new security group and select OK.
Add the integration system user you created to this security group.
Select OK to create the security group.
Adding Permissions to Security Group
Enter “Maintain Permissions for Security Group” in the search bar and select the related task.
Set the operation to Maintain.
Enter name of the security group you created and select OK.
In the Domain Security Policy Permissions tab, add the following permissions to the security group:
Access Domain Security Policy Functional Area Get Only Workday Accounts System Get Only Workday Account Monitoring System Get Only Worker Data: Public Worker Reports Staffing Get Only Worker Data: Current Staffing Information Staffing Get Only Worker Data: Historical Staffing Information Staffing
Select OK to save these permissions.
Applying Permissions to the Security Group
Enter “Activate Pending Security Policy Change” in the search bar and select the related task.
Include a comment that explains why you’re making these changes. For example, you may add "Updated permissions to enable the SaaS Management integration" as a comment. Select OK to continue.
Verify the listed permissions and select the Confirm checkbox.
Select OK to apply these permissions to the security group.
You now use your Client ID and Client secret to connect Workday to SaaS Management.
Connecting Workday to SaaS Management
Go to SaaS Management and select Integrations from the navigation menu.
Select the Workday tile.
Select Add Integration to open the Authenticate with Workday window.
Enter the following information in the appropriate fields:
Your Workday Token Endpoint - Your organization's token endpoint in Workday. To view your token endpoint, enter "View API Clients" in the search bar and select the related task.
Your Workday Authorization Endpoint - Your organization's authorization endpoint in Workday. To view your authorization endpoint, enter "View API Clients" in the search bar and select the related task.
The registered API Client ID - The Client ID from Workday.
The registered API Client Secret - The Client Secret from Workday.
Select Submit to connect Workday to SaaS Management. You'll be taken to the Workday login page to complete the integration.
Enter your Workday credentials and select Sign In.
SaaS Management will begin syncing your Workday data to your dashboard.
SaaS Management requests the following scopes:
|Access||Domain Security Policy||Functional Area|
|Get Only||Workday Accounts||System|
|Get Only||Workday Account Monitoring||System|
|Get Only||Worker Data: Public Worker Reports||Staffing|
|Get Only||Worker Data: Current Staffing Information||Staffing|
|Get Only||Worker Data: Historical Staffing Information||Staffing|
SaaS Management pulls the following user metadata from Workday. You can filter your usage data by these fields:
|Account Expiration Date||The date the user's account expires. The user will be unable to sign in to Workday.|
|Position End Date||The end date for the user's position.|
|Position Start Date||The user's start date for the position.|
|Position Title||The title of the user's position.|
|Primary Job||Indicates whether the position is the primary position for the worker.|
|Worker Type||Indicates whether the user is an Employee or Contingent Worker.|