Skip to main content

About Workday

Workday is a human capital management (HCM) platform that manages employee data, benefits, and organizational information. Connect it to Serval to automate HR workflows and employee lifecycle management.

What the Workday integration enables

CapabilityDescription
Workflow AutomationBuild Serval workflows to automate anything accessible via Workday’s REST APIs
All resources exposed by the Workday REST APIs are available to Serval workflows using Integration System User (ISU) authentication.
Support for building workflows with Workday’s SOAP (WSDL-based) APIs is coming soon.

Workday Configuration

Prerequisites

Before configuring the Workday integration in Serval, ensure you have:
  • Administrator access to your Workday tenant
  • Permissions to create Integration System Users and Security Groups
  • Access to domain security policy configuration
These steps require Workday administrator privileges. If you do not have these privileges, contact your Workday administrator. Workday recommends using Integration System Users (ISUs) for third-party integrations such as Serval.
Throughout this guide, we’ll use example names for entities you create to keep instructions clear:
  • ISU username: “ServalIntegration”
  • Security Group: “Serval Integration Group”
  • API Client: “Serval Workday API Client”
You can use any names you prefer—just substitute your names wherever these examples appear.

Step 1: Create an Integration System User (ISU)

1

Create the ISU Account

  1. Log in to your Workday tenant
  2. In the search bar, type “Create Integration System User”
  3. Select the Create Integration System User task
  4. Fill in the account information:
    • User Name: Enter a descriptive username (e.g., “ServalIntegration”)
    • Password: Create a strong password
    • Confirm Password: Re-enter the same password
Important: The password cannot contain &, <, or > characters.
2

Prevent Password Expiration

  1. Search for “Maintain Password Rules”
  2. Add the ISU username to the “System Users exempt from password expiration” field
  3. Click OK to save
This ensures your integration will not break due to password expiration.

Step 2: Create Security Group and Assign ISU

1

Create Security Group

  1. Search for “Create Security Group”
  2. Select Integration System Security Group (Unconstrained) from the Type dropdown
  3. Enter a descriptive name (e.g., “Serval Integration Group”)
  4. Click OK
2

Assign ISU to Security Group

  1. In the Integration System Users field, enter ServalIntegration (or your ISU’s name)
  2. Click OK to save

Step 3: Configure Domain Security Permissions

1

Set Permissions

  1. Search for “Maintain Permissions for Security Group”
  2. Set Operation to Maintain
  3. Set Source Security Group to Serval Integration Group (or your security group’s name)
  4. Add the Domain Security Policies required for your use case. See below for commonly used policies.
Only add the permissions you need for your specific integration requirements.
2

OperationDomain Security PolicyNotes
Get OnlyWorker Data: Public Worker ReportsMinimum required permission
Get OnlyPerson Data: Name
Get OnlyPerson Data: Personal Data
Get OnlyPerson Data: Home Contact Information
Get OnlyPerson Data: Work Contact Information
Get OnlyPerson Data: Private Work Email IntegrationRequired to surface the work email of employees
Get OnlyPerson Data: Public Work Email Address IntegrationRequired to surface the work email of employees
Get OnlyWorker Data: Compensation
Get OnlyWorker Data: Compensation by Organization
Get OnlyWorker Data: Workers
Get OnlyWorker Data: All Positions
Get OnlyWorker Data: Current Staffing InformationRequired to surface the employment status of employees
Get OnlyWorker Data: Employment Data
Get OnlyWorker Data: Compensation - All Workers’ Positions Past and Present
Get OnlyWorker Data: Organization Information
Get OnlyManage: Organization IntegrationRequired to surface the organization hierarchy
Get OnlyReports: Pay Calculation Results for Worker (Results)
Get OnlyWorker Data: Payroll
Get OnlyProcess: Export Time BlocksRequired to retrieve timesheet entries
Get OnlyWorker Data: Time OffTime Off access may require additional configuration.
OperationDomain Security PolicyNotes
Get OnlyWorker Data: Public Worker Reports
Get OnlyWorker Data: Workers
Get OnlyWorker Data: All Positions
Get OnlyWorker Data: Current Staffing Information
Get OnlyJob Requisition Data
Get OnlyWorker Data: Employment Data
Get OnlyWorker Data: Organization Information
Get OnlyManage Pre-Hire Process: Manage Pre-Hires
Get and PutManage Pre-Hire Data
Get and PutCandidate Data: Edit Job Application
Get and PutJob Requisitions for Recruiting
Get and PutCandidate Data: Personal Information
Get and PutSet Up: Pre-Hire Process
Get and PutCandidate Data: Other Information
Get and PutManage Pre-Hire Process
View and ModifyCandidate Data: Other Information
Get and PutCandidate Data: Job ApplicationGet is the minimum required permission
Get and PutMove Candidate
Get and PutProspects
GetManage: Evergreen Requisitions
GetJob Postings
GetJob Postings External
GetJob Postings Internal
GetQuestionnaire
GetIntegration Build
OperationDomain Security PolicyNotes
Get OnlySystem Monitor AdministratorRequired for accessing system metrics and health data
Get OnlySystem Monitor SupportAlternative permission for system monitoring access
Get OnlySystem Health DashboardRequired for system health monitoring capabilities
3

Activate Security Changes

  1. Search for “Activate Pending Security Policy Changes”
  2. Review and confirm the changes
  3. Click OK to activate

Step 4: Configure Authentication Policy

1

Set Authentication Rules

  1. Search for “Manage Authentication Policies”
  2. Click Edit on the authentication policy
  3. Create or update an Authentication Rule with:
    • Add Serval Integration Group (or your security group’s name)
    • Set Allowed Authentication Types to User Name Password or Any
  4. Click OK to save
2

Activate Authentication Changes

  1. Search for “Activate All Pending Authentication Policy Changes”
  2. Confirm the changes to save the Authentication Policy

Step 5: Register an API Client for Integrations (OAuth 2.0)

1

Create the API Client

  1. Search for “Register API Client for Integrations”
  2. Click OK to start a new registration
  3. Fill in basic details (Name/Description). For the Name, use e.g., Serval Workday API Client.
  4. Set the client as a Confidential application (if prompted)
  5. Enable the Refresh Token grant
  6. Allow Non-Expiring Refresh Tokens
  7. Click Save to register
After registration, Workday shows the Client ID and Client Secret. The secret may only be shown once; store it securely. If rotated later, you must update Serval.

Step 6: Associate the API Client with the ISU and Generate a Refresh Token

1

Generate Refresh Token for the ISU

  1. Search for “Manage Refresh Tokens for Integrations” (sometimes labeled “API Client: Manage Refresh Tokens”)
  2. Select Serval Workday API Client (or your API client’s name)
  3. Add an Authorized User and select ServalIntegration (or your ISU’s name)
  4. Choose an expiration (select Never if your policy allows) and Generate the refresh token
  5. Copy the Refresh Token and store it securely
You will not be able to view the refresh token again once you leave the page. This value is required in Serval as Refresh Token.

Step 7: Collect API Endpoints and SOAP Web Services Endpoint

1

Find REST and Token endpoints on View API Clients

  1. Search for “View API Clients” and open Serval Workday API Client (or your API client’s name)
  2. Copy the REST API endpoint (typically ends with /ccx/api/mycompany, e.g., https://wd2-impl-services1.workday.com/ccx/api/mycompany)
  3. Copy the Token endpoint (typically ends with /ccx/oauth2/token, e.g., https://wd2-impl-services1.workday.com/ccx/oauth2/token)
These two values map directly to Serval fields REST API Endpoint and Token Endpoint.
2

Find SOAP Web Services Endpoint (WSDL)

  1. Search for “Public Web Services” in Workday
  2. If connecting HRIS, locate “Human Resources (Public)”
  3. Click the three dots (⋯) → Web ServicesView WSDL
  4. When the WSDL page loads, scroll to the bottom
  5. Copy the full URL shown under Human_ResourcesService. It will look like https://wd2-impl-services1.workday.com/ccx
Enter this as the Web Services Endpoint URL in Serval. This is the SOAP endpoint prefix, not the full WSDL document URL. Do not include ?wsdl.
3

Determine Tenant Name

Your tenant name is typically visible in your Workday URL. For example, in https://wd2-impl.workday.com/tenant/d/home.html, the tenant name is tenant. You can also ask your administrator.

Serval Configuration

Once you have completed the Workday ISU and API Client setup, follow these steps to configure the integration in Serval:
1

Navigate to Workday Integration

  1. In Serval, go to Apps → Available → Workday → Connect
  2. The Workday configuration form will appear
2

Enter Configuration Details

Fill in the following fields with the information from your Workday configuration:
FieldWhere to find itExample
Tenant NameFrom your Workday URL or adminmycompany
Client IDFrom Step 5 (API Client registration)1234567890abcdef
Client SecretFrom Step 5 (shown once at registration/rotation)••••••••••••
REST API EndpointFrom Step 7 (View API Clients)https://wd2-impl-services1.workday.com/ccx/api/mycompany
Token EndpointFrom Step 7 (View API Clients)https://wd2-impl-services1.workday.com/ccx/oauth2/token
Refresh TokenFrom Step 6 (generated for the ISU)••••••••••••
Web Services Endpoint URLFrom Step 7 (Public Web Services → View WSDL)https://wd2-impl-services1.workday.com/ccx
ISU UsernameFrom Step 1 (ISU you created)ServalIntegration
ISU PasswordFrom Step 1 (ISU password)••••••••••••
Ensure endpoints include the full path (e.g., /ccx/api/mycompany and /ccx/oauth2/token) exactly as shown on the View API Clients page, with the https:// prefix.
3

Submit Configuration Form

  1. Click Submit to complete the integration setup