> ## Documentation Index
> Fetch the complete documentation index at: https://developers.techwolf.ai/llms.txt
> Use this file to discover all available pages before exploring further.
# Installation
> Step-by-step guide to configure your Workday tenant for the Workday Data Source Connector.
## Prerequisites
* A Workday tenant with the Workday Query Language (WQL) feature enabled.
* Security administrator access in Workday.
* An active TechWolf contract with SkillEngine API credentials.
## Workday configuration
The setup consists of creating an Integration System User, granting the appropriate security permissions, and registering an API client. Follow each step in order.
1. Search for **Create Integration System User** in the Workday search bar.
2. Create a new user (e.g. `TechWolf_Source_ISU`).
3. Set a password — it will not be used directly but is required by Workday.
4. Check **Do Not Allow UI Sessions** to restrict this user to API-only access.
Store the ISU credentials securely. You will need the username when generating a refresh token.
1. Search for **Create Security Group**.
2. Choose **Integration System Security Group (Unconstrained)**.
3. Name it (e.g. `ISSG_TechWolf_Source`).
4. Add the ISU created in the previous step.
If you want to limit the connector to a specific subset of workers (e.g. a particular country or business unit), you can use a **Constrained** security group instead. A constrained group lets you scope the ISU's access to only the workers within a chosen Supervisory Organisation or other organisational boundary. This is useful during pilot phases or when only part of the workforce should be included.
1. Search for **Maintain Permissions for Security Group** and select the security group created in the previous step.
2. Under **Integration Permissions**, add **View** access for the **Workday Query Language** domain. This is required for all data types.
3. Add the required permissions for the additional domains listed in the [permissions table](#permissions-per-data-type) below. Most data types require **Get** access; check the Permission column as some data types require **View** instead.
4. If your selected data types require it, give **View All** access on the relevant **Business Processes**. See the [permissions table](#permissions-per-data-type) for details.
5. Search for **Activate Pending Security Policy Changes** and activate the changes.
You only need to grant permissions for the data types you plan to use. For example, if you only need Workers and Jobs, you do not need to grant access to Person Data domains.
1. Search for **Register API Client for Integrations**.
2. Set a client name (e.g. `TechWolf Datasource Integration`).
3. Under **Scope (Functional Areas)**, add **System**, **Tenant Non-Configurable**, and **Staffing**. If you plan to use the Performance Reviews or Feedback data types, also add **Performance Enablement**.
4. Check the following boxes:
* **Non-Expiring Refresh Tokens**
* **Include Workday Owned Scope**
5. After creation, securely store the **Client ID** and **Client Secret**.
1. Search for **View API Clients**.
2. Click the **API Clients for Integrations** tab.
3. Find the API client created in the previous step.
4. Select **API Client** > **Manage Refresh Tokens for Integrations**.
5. Under **Workday Account**, enter the ISU created in Step 1.
6. Check **Generate New Refresh Token** and confirm.
7. Securely store the refresh token.
The refresh token is displayed only once. If you lose it, you must generate a new one.
1. Search for **View API Clients** in the Workday search bar.
2. Locate the **Workday REST API Endpoint** field. It will look like:
```
https://wd2-impl-services1.workday.com/ccx/api/v1/mycompany
```
3. The **base URL** is the host portion: `https://wd2-impl-services1.workday.com`
4. The **tenant** is the last path segment after `/v1/`: `mycompany`
The API URL can differ between implementation tenants and production tenants. Repeat this step for each tenant you want to connect.
## Share credentials with TechWolf
Once the Workday configuration is complete, securely share the following credentials with TechWolf:
| Credential | Description |
| ------------- | ------------------------------------------------------------------------- |
| Client ID | The API client ID from Step 4 |
| Client secret | The API client secret from Step 4 |
| Refresh token | The non-expiring refresh token from Step 5 |
| Base URL | The Workday REST API host (e.g. `https://wd2-impl-services1.workday.com`) |
| Tenant | The tenant name (e.g. `mycompany`) |
TechWolf will validate that the ISU has the required permissions and that the credentials are correct. If any permissions are missing, the connector will report exactly which security domains need to be added.
## Permissions per data type
All data types require **View** access on the **Workday Query Language** domain. The table below lists the additional security domains required for each data type.
| Data type | Permission | Required security domains |
| -------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workers | Get | Worker Data: Current Staffing Information, Worker Data: Current Job Profile Information, Worker Data: Public Reporting Items |
| Organisational Units | Get | Manage: Supervisory Organization |
| Jobs | Get | Job Information |
| Vacancies | Get | Job Requisition Data |
| External History | Get | Worker Data: Current Staffing Information, Person Data: Job History |
| Certificates | Get | Worker Data: Current Staffing Information, Person Data: Certifications |
| Education | Get | Worker Data: Current Staffing Information, Person Data: Education |
| Learning | Get | Worker Data: Current Staffing Information, Person Data: Learning |
| Goals | Get | Worker Data: Current Staffing Information, Worker Data: Employee Goals |
| Internal History | Get | Worker Data: Current Staffing Information, Worker Data: Historical Staffing Information |
| Courses | Get | Set Up: Learning Catalog, Manage: Learning Content |
| Performance Reviews | Get | Worker Data: Current Staffing Information, Worker Data: Employee Reviews |
| Feedback | View | Worker Data: Anytime Feedback, Worker Data: Role Requested Feedback, Worker Data: Self Requested Feedback, Worker Data: Confidential Feedback, Worker Data: Private Feedback |
| Job Families | Get | Job Information |
**Internal History** additionally requires **Business Process Security Policies** with **View All** access on the following business processes: Hire, Change Job, Termination, Contract Contingent Worker, Transfer Contingent Worker Inbound, and End Contingent Worker Contract.
**Performance Reviews** additionally requires **Business Process Security Policies** with **View All** access on the following business processes: Complete Manager Evaluation for Performance Review and Complete Self Evaluation for Performance Review.
**Feedback** requires **View** permissions, not Get. In Workday, ISSGs have two separate permission types: "Get" (for SOAP/web service access) and "View" (for WQL/report/data source access). Granting only Get on the Feedback domains will result in empty data with no error message.
## TechWolf configuration
After receiving the credentials, TechWolf will:
1. Validate the credentials and security permissions.
2. Configure the connector for the agreed-upon data types.
3. Set up the connector on a daily schedule.
4. Run an initial data extraction.
5. Confirm the integration is operational.
No further action is required from your side unless permission issues are reported.