Prerequisites

  • A Workday tenant with the Workday Query Language (WQL) feature enabled.
  • Security administrator access in Workday.
  • An active TechWolf contract with SkillEngine API credentials.

Workday configuration

The setup consists of creating an Integration System User, granting the appropriate security permissions, and registering an API client. Follow each step in order.

Step 1: Create an Integration System User (ISU)

  1. Search for Create Integration System User in the Workday search bar.
  2. Create a new user (e.g. TechWolf_Source_ISU).
  3. Set a password — it will not be used directly but is required by Workday.
  4. Check Do Not Allow UI Sessions to restrict this user to API-only access.

Store the ISU credentials securely. You will need the username when generating a refresh token.

Step 2: Create an Integration Security Group

  1. Search for Create Security Group.
  2. Choose Integration System Security Group (Unconstrained).
  3. Name it (e.g. ISSG_TechWolf_Source).
  4. Add the ISU created in the previous step.

If you want to limit the connector to a specific subset of workers (e.g. a particular country or business unit), you can use a Constrained security group instead. A constrained group lets you scope the ISU’s access to only the workers within a chosen Supervisory Organisation or other organisational boundary. This is useful during pilot phases or when only part of the workforce should be included.

Step 3: Grant domain security permissions

  1. Search for Maintain Permissions for Security Group and select the security group created in the previous step.
  2. Under Integration Permissions, add View access for the Workday Query Language domain. This is required for all data types.
  3. Add Get access for the additional domains required by your selected data types, as listed in the permissions table below.
  4. If your selected data types require it, give View All access on the relevant Business Processes. See the permissions table for details.
  5. Search for Activate Pending Security Policy Changes and activate the changes.

You only need to grant permissions for the data types you plan to use. For example, if you only need Workers and Jobs, you do not need to grant access to Person Data domains.

Step 4: Register an API Client for Integrations

  1. Search for Register API Client for Integrations.
  2. Set a client name (e.g. TechWolf Datasource Integration).
  3. Under Scope (Functional Areas), add System, Tenant Non-Configurable, and Staffing.
  4. Check the following boxes:
    • Non-Expiring Refresh Tokens
    • Include Workday Owned Scope
  5. After creation, securely store the Client ID and Client Secret.

Step 5: Generate a refresh token

  1. Search for View API Clients.
  2. Click the API Clients for Integrations tab.
  3. Find the API client created in the previous step.
  4. Select API Client > Manage Refresh Tokens for Integrations.
  5. Under Workday Account, enter the ISU created in Step 1.
  6. Check Generate New Refresh Token and confirm.
  7. Securely store the refresh token.

The refresh token is displayed only once. If you lose it, you must generate a new one.

Step 6: Find base URL and tenant name

  1. Search for View API Clients in the Workday search bar.
  2. Locate the Workday REST API Endpoint field. It will look like:
    https://wd2-impl-services1.workday.com/ccx/api/v1/mycompany
    
  3. The base URL is the host portion: https://wd2-impl-services1.workday.com
  4. The tenant is the last path segment after /v1/: mycompany

The API URL can differ between implementation tenants and production tenants. Repeat this step for each tenant you want to connect.

Share credentials with TechWolf

Once the Workday configuration is complete, securely share the following credentials with TechWolf:

| Credential | Description |
| --- | --- |
| Client ID | The API client ID from Step 4 |
| Client secret | The API client secret from Step 4 |
| Refresh token | The non-expiring refresh token from Step 5 |
| Base URL | The Workday REST API host (e.g. https://wd2-impl-services1.workday.com) |
| Tenant | The tenant name (e.g. mycompany) |

TechWolf will validate that the ISU has the required permissions and that the credentials are correct. If any permissions are missing, the connector will report exactly which security domains need to be added.
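
A pre-flight check for the credential set, covering both Step 6 and the table above. This is an added example, not TechWolf or Workday code: the function names and dictionary keys are hypothetical, and the sample values are constructed placeholders. It reports problems by field name only, so no secret value is ever printed.

```python
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("client_id", "client_secret", "refresh_token", "base_url", "tenant")
API_PREFIX = ["ccx", "api", "v1"]  # path shape shown in Step 6


def split_endpoint(endpoint):
    """Split a Workday REST API Endpoint value into (base_url, tenant)."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("endpoint must be an https URL with a host")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("endpoint must not carry credentials, query or fragment")
    segments = [s for s in parts.path.split("/") if s]
    if segments[:3] != API_PREFIX or len(segments) != 4:
        raise ValueError("expected path /ccx/api/v1/<tenant>")
    return f"https://{parts.netloc}", segments[3]


def check_bundle(bundle, endpoint):
    """Return a list of problems in the credential set for one tenant."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not bundle.get(f)]
    base_url, tenant = split_endpoint(endpoint)
    # The base URL is the host portion only; a pasted full endpoint is a common slip.
    if (bundle.get("base_url") or "").rstrip("/") != base_url:
        problems.append(f"base_url should be {base_url}")
    # Implementation and production tenants differ, so check each bundle separately.
    if bundle.get("tenant") != tenant:
        problems.append(f"tenant should be {tenant}")
    return problems


# Constructed sample with placeholder secrets; base_url wrongly holds the full endpoint.
ENDPOINT = "https://wd2-impl-services1.workday.com/ccx/api/v1/mycompany"
SAMPLE = {"client_id": "<client-id>", "client_secret": "<client-secret>",
          "refresh_token": "<refresh-token>", "base_url": ENDPOINT,
          "tenant": "mycompany"}
print(check_bundle(SAMPLE, ENDPOINT))
```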

Permissions per data type

All data types require View access on the Workday Query Language domain. The table below lists the additional security domains required for each data type.

| Data type | Required security domains |
| --- | --- |
| Workers | Worker Data: Current Staffing Information, Worker Data: Current Job Profile Information, Worker Data: Public Reporting Items |
| Organisational Units | Manage: Supervisory Organization |
| Jobs | Job Information |
| Vacancies | Job Requisition Data |
| External History | Worker Data: Current Staffing Information, Person Data: Job History |
| Certificates | Worker Data: Current Staffing Information, Person Data: Certifications |
| Education | Worker Data: Current Staffing Information, Person Data: Education |
| Learning | Worker Data: Current Staffing Information, Person Data: Learning |
| Goals | Worker Data: Current Staffing Information, Worker Data: Employee Goals |
| Internal History | Worker Data: Current Staffing Information, Worker Data: Historical Staffing Information |

Internal History additionally requires Business Process Security Policies with View All access on the following business processes: Hire, Change Job, Termination, Contract Contingent Worker, Transfer Contingent Worker Inbound, and End Contingent Worker Contract.
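
A least-privilege audit built from the permissions table, as an added example that is not TechWolf or Workday code. It computes the grants needed for the chosen data types and compares them with what the security group actually holds, flagging both missing and excess grants. The function names are hypothetical, and the granted list is a constructed sample that an administrator would replace with the group's real permissions.

```python
# Added example: audit the integration security group against this page's table.
WQL = "Workday Query Language"  # View access, required for every data type
STAFFING = "Worker Data: Current Staffing Information"

# Get-access domains per data type, transcribed from the table on this page.
DOMAINS = {
    "Workers": {STAFFING, "Worker Data: Current Job Profile Information",
                "Worker Data: Public Reporting Items"},
    "Organisational Units": {"Manage: Supervisory Organization"},
    "Jobs": {"Job Information"},
    "Vacancies": {"Job Requisition Data"},
    "External History": {STAFFING, "Person Data: Job History"},
    "Certificates": {STAFFING, "Person Data: Certifications"},
    "Education": {STAFFING, "Person Data: Education"},
    "Learning": {STAFFING, "Person Data: Learning"},
    "Goals": {STAFFING, "Worker Data: Employee Goals"},
    "Internal History": {STAFFING, "Worker Data: Historical Staffing Information"},
}
# Business processes needing View All access, per data type.
PROCESSES = {
    "Internal History": {"Hire", "Change Job", "Termination",
                         "Contract Contingent Worker",
                         "Transfer Contingent Worker Inbound",
                         "End Contingent Worker Contract"},
}


def required_grants(data_types):
    """Return (domains, business_processes) needed for the chosen data types."""
    unknown = set(data_types) - DOMAINS.keys()
    if unknown:
        raise ValueError(f"unknown data types: {sorted(unknown)}")
    domains, processes = {WQL}, set()
    for dt in data_types:
        domains |= DOMAINS[dt]
        processes |= PROCESSES.get(dt, set())
    return domains, processes


def audit(data_types, granted_domains, granted_processes=()):
    """Compare granted permissions with the minimum the data types need."""
    need_d, need_p = required_grants(data_types)
    have_d, have_p = set(granted_domains), set(granted_processes)
    return {"missing_domains": sorted(need_d - have_d),
            "excess_domains": sorted(have_d - need_d),
            "missing_processes": sorted(need_p - have_p),
            "excess_processes": sorted(have_p - need_p)}


# Constructed sample: a group set up for Workers and Jobs with one stray grant.
SAMPLE_GRANTED = [WQL, STAFFING, "Job Information", "Person Data: Education"]
print(audit(["Workers", "Jobs"], SAMPLE_GRANTED))
```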

TechWolf configuration

After receiving the credentials, TechWolf will:
  1. Validate the credentials and security permissions.
  2. Configure the connector for the agreed-upon data types.
  3. Set up the connector on a daily schedule.
  4. Run an initial data extraction.
  5. Confirm the integration is operational.

No further action is required from your side unless permission issues are reported.