Identity Governance provides the following templates for Workday:
Workday Identity
Workday Account
Workday Permission
Workday Fulfillment
Before configuring these templates, create an integration account and ensure that the minimum rights required to integrate with Workday systems are assigned to the integration groups and users in the Workday application.
The three minimum security domain rights that must be assigned to the integration group and users to get the data necessary for the default mappings in the Workday Identity Collector are:
Person Data: ID Information
Worker Data: Public Worker Reports
Workday Accounts
The following rights are required to collect the necessary data for the default mappings in the Workday Application Collector:
Account collector:
    Workday Accounts
    Worker Data: Public Worker Reports
Permission collector:
    Manage: Organization Roles
    Org Designs: Assign Roles
    User-Based Security Group Administration
    Manager: Organization Integration
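A least-privilege check on the integration group's rights, as an added example (not Identity Governance or Workday code). It takes the right names from the lists above and assumes the group's assigned domains have been copied out by hand into a list of strings; the `audit` function, the collector labels, and the sample input are constructed for illustration.

```python
# Added example: least-privilege audit of the Workday integration group.
# Right names come from the lists above; the input format is an assumption.
REQUIRED = {
    "Identity collector": {"Person Data: ID Information",
                           "Worker Data: Public Worker Reports",
                           "Workday Accounts"},
    "Account collector": {"Workday Accounts",
                          "Worker Data: Public Worker Reports"},
    "Permission collector": {"Manage: Organization Roles",
                             "Org Designs: Assign Roles",
                             "User-Based Security Group Administration",
                             "Manager: Organization Integration"},
}

def _norm(name):
    # Compare case-insensitively and collapse runs of whitespace.
    return " ".join(name.split()).casefold()

def audit(assigned, collectors):
    """Return (missing, excess) for the collectors that are actually in use.

    missing: {collector: sorted rights that are required but not granted}
    excess:  sorted granted rights that none of the selected collectors need
    """
    unknown = [c for c in collectors if c not in REQUIRED]
    if unknown:
        raise ValueError(f"unknown collector(s): {unknown}")
    granted = {_norm(a): " ".join(a.split()) for a in assigned if a.strip()}
    needed, missing = set(), {}
    for c in collectors:
        want = {_norm(r): r for r in REQUIRED[c]}
        needed |= want.keys()
        gaps = sorted(r for k, r in want.items() if k not in granted)
        if gaps:
            missing[c] = gaps
    excess = sorted(v for k, v in granted.items() if k not in needed)
    return missing, excess

# Constructed sample input for a hypothetical integration group.
SAMPLE = ["workday accounts", "Worker Data:  Public Worker Reports",
          "Manage: Organization Roles", "Example Domain: Not Required"]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE, ["Identity collector", "Account collector"])
    print("missing:", missing)  # rights to add before collection will work
    print("excess:", excess)    # rights to review and remove
```

A right reported as excess is only unneeded for the default mappings of the selected collectors; custom mappings may require more.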
Security groups control access to data in Workday. A security group is a collection of users or of objects that are related to users. Identity Governance provides default templates for the Workday account and permission collections. Workday permission collectors support two types of permission collections: User Based Security Group and Role Based Permissions. Role-based permissions are always associated with a specific organization. When using role-based permission collectors, you can also collect the permission hierarchy. In the catalog, the name of a collected role-based permission consists of the role name, permission, and organization, and the catalog displays permission relationships.
When configuring the Workday Account Collector, configure service parameters as needed, then specify the Account-User Mapping parameter as WorkdayUserName and map it to Object GUID to join accounts to identities.
When configuring the Workday Permission Collector, configure service parameters, then select the permission type.
To collect user-based security group permissions, specify the Permission-Account or User Mapping parameter value as WorkdayUserName and map it to Account Name to join permissions to the account.
To collect role-based permissions, specify the Permission-Account or User Mapping value as WorkforceID and map it to Workforce ID to map permissions to identities. Additionally, leave the organization type blank to collect all role-based permissions or specify an organization type to collect permissions associated with an organization.
When you specify a specific organization, you can collect the hierarchy of role-based permissions from the organization hierarchy by mapping the Parent Permission ID to wd-superior_organization. This mapping collects and establishes the child/parent permission relationship for role-based permissions.