Prerequisites
- A Workday tenant with the Workday Query Language (WQL) feature enabled.
- Security administrator access in Workday.
- An active TechWolf contract with SkillEngine API credentials.
Workday configuration
The setup consists of creating an Integration System User, granting the appropriate security permissions, and registering an API client. Follow each step in order.Create an Integration System User (ISU)
- Search for Create Integration System User in the Workday search bar.
- Create a new user (e.g.
TechWolf_Source_ISU). - Set a password — it will not be used directly but is required by Workday.
- Check Do Not Allow UI Sessions to restrict this user to API-only access.
Create an Integration Security Group
- Search for Create Security Group.
- Choose Integration System Security Group (Unconstrained).
- Name it (e.g.
ISSG_TechWolf_Source). - Add the ISU created in the previous step.
If you want to limit the connector to a specific subset of workers (e.g. a particular country or business unit), you can use a Constrained security group instead. A constrained group lets you scope the ISU’s access to only the workers within a chosen Supervisory Organisation or other organisational boundary. This is useful during pilot phases or when only part of the workforce should be included.
Grant domain security permissions
- Search for Maintain Permissions for Security Group and select the security group created in the previous step.
- Under Integration Permissions, add View access for the Workday Query Language domain. This is required for all data types.
- Add the required permissions for the additional domains listed in the permissions table below. Most data types require Get access; check the Permission column as some data types require View instead.
- If your selected data types require it, give View All access on the relevant Business Processes. See the permissions table for details.
- Search for Activate Pending Security Policy Changes and activate the changes.
You only need to grant permissions for the data types you plan to use. For example, if you only need Workers and Jobs, you do not need to grant access to Person Data domains.
Register an API Client for Integrations
- Search for Register API Client for Integrations.
- Set a client name (e.g.
TechWolf Datasource Integration). - Under Scope (Functional Areas), add System, Tenant Non-Configurable, and Staffing. If you plan to use the Performance Reviews or Feedback data types, also add Performance Enablement.
- Check the following boxes:
- Non-Expiring Refresh Tokens
- Include Workday Owned Scope
- After creation, securely store the Client ID and Client Secret.
Generate a refresh token
- Search for View API Clients.
- Click the API Clients for Integrations tab.
- Find the API client created in the previous step.
- Select API Client > Manage Refresh Tokens for Integrations.
- Under Workday Account, enter the ISU created in Step 1.
- Check Generate New Refresh Token and confirm.
- Securely store the refresh token.
Find base URL and tenant name
- Search for View API Clients in the Workday search bar.
- Locate the Workday REST API Endpoint field. It will look like:
- The base URL is the host portion:
https://wd2-impl-services1.workday.com - The tenant is the last path segment after
/v1/:mycompany
The API URL can differ between implementation tenants and production tenants. Repeat this step for each tenant you want to connect.
Share credentials with TechWolf
Once the Workday configuration is complete, securely share the following credentials with TechWolf:| Credential | Description |
|---|---|
| Client ID | The API client ID from Step 4 |
| Client secret | The API client secret from Step 4 |
| Refresh token | The non-expiring refresh token from Step 5 |
| Base URL | The Workday REST API host (e.g. https://wd2-impl-services1.workday.com) |
| Tenant | The tenant name (e.g. mycompany) |
Permissions per data type
All data types require View access on the Workday Query Language domain. The table below lists the additional security domains required for each data type.| Data type | Permission | Required security domains |
|---|---|---|
| Workers | Get | Worker Data: Current Staffing Information, Worker Data: Current Job Profile Information, Worker Data: Public Reporting Items |
| Organisational Units | Get | Manage: Supervisory Organization |
| Jobs | Get | Job Information |
| Vacancies | Get | Job Requisition Data |
| External History | Get | Worker Data: Current Staffing Information, Person Data: Job History |
| Certificates | Get | Worker Data: Current Staffing Information, Person Data: Certifications |
| Education | Get | Worker Data: Current Staffing Information, Person Data: Education |
| Learning | Get | Worker Data: Current Staffing Information, Person Data: Learning |
| Goals | Get | Worker Data: Current Staffing Information, Worker Data: Employee Goals |
| Internal History | Get | Worker Data: Current Staffing Information, Worker Data: Historical Staffing Information |
| Courses | Get | Set Up: Learning Catalog, Manage: Learning Content |
| Performance Reviews | Get | Worker Data: Current Staffing Information, Worker Data: Employee Reviews |
| Feedback | View | Worker Data: Anytime Feedback, Worker Data: Role Requested Feedback, Worker Data: Self Requested Feedback, Worker Data: Confidential Feedback, Worker Data: Private Feedback |
| Job Families | Get | Job Information |
TechWolf configuration
After receiving the credentials, TechWolf will:- Validate the credentials and security permissions.
- Configure the connector for the agreed-upon data types.
- Set up the connector on a daily schedule.
- Run an initial data extraction.
- Confirm the integration is operational.