# Set up a Workday Accounts connector

> C1 provides identity governance and just-in-time provisioning for Workday. Integrate your Workday instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Which Workday connector should I use?

C1 offers two Workday connectors: Workday and Workday Accounts. How you want to work with Workday in C1 will determine which one you should set up.

* **[Workday connector](/baton/workday)**: This connector is the best choice if you want to use Workday as a [directory](/product/admin/directory). You’ll also need it if you want to enable access requests for Workday role and group assignments.

* **[Workday Accounts connector](/baton/workday-wql)**: This connector utilizes the Workday Query Language (WQL), which allows it to pull a different data set than the Workday connector. Workday Accounts is the best choice if you want to review who has what kind of access to Workday in your organization, including account type and service center assignments.

| Resource                                          | Workday connector\* | Workday Accounts connector |
| :------------------------------------------------ | :------------------ | :------------------------- |
| Accounts                                          | Sync                | Sync                       |
| Roles                                             | Sync                |                            |
| Security groups                                   | Sync                | Sync                       |
| Account type (Implementers and Integration Users) |                     | Sync                       |
| Service centers                                   |                     | Sync                       |

\*If the Workday connector is configured using a custom report, it can also pull in information on the account owner’s organization, title, and manager.

## Capabilities

| Resource                   | Sync                                                          | Provision                                                     |
| :------------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts                   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Security groups            | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| User-based security groups | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Account type               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Service center             | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |

## Gather Workday credentials

Configuring the connector requires you to pass in credentials generated in Workday. Gather these credentials before you move on.

<Warning>
  A user with the permission to create a new API client in Workday must perform this task.
</Warning>

### Look up your Workday REST API endpoint

<Steps>
  <Step>
    In Workday, use the search bar to look up "View API Clients". Make sure to select this name from the results, not the similarly named "Register API Client".
  </Step>

  <Step>
    Carefully copy and save the Workday REST API endpoint.
  </Step>
</Steps>

### Create a new Workday API client

<Steps>
  <Step>
    In Workday, use the search bar to look up "Register API Client for Integrations". Make sure to select this name from the results, not the similarly named "Register API Client".
  </Step>

  <Step>
    In the modal that appears, give the new API client a name, such as "C1 integration".
  </Step>

  <Step>
    In the **Scopes** box, select **Custom Objects** and search for "System". Select **System** and click **OK**. The System scope is required to access the WQL API.
  </Step>

  <Step>
    The newly created client's client ID and client secret are shown. Carefully copy and save these credentials.

    **Do not** click **Done** at the bottom of the page yet.
  </Step>
</Steps>

#### Create a refresh token

<Steps>
  <Step>
    Next, click the three dots icon next to the client name and navigate to **API Client** > **Manage Refresh Tokens for Integrations**.
  </Step>

  <Step>
    Select the Workday account you want to associate with the token and click **OK**.
  </Step>

  <Step>
    On the **Delete or Regenerate Refresh Token** page, scroll down and check the **Generate New Refresh Token** box.
  </Step>

  <Step>
    Click **OK**.
  </Step>

  <Step>
    Carefully copy and save the new refresh token.
  </Step>
</Steps>

#### Create a new security group

<Steps>
  <Step>
    Still in Workday, use the search bar to look up "Maintain Permissions for Security Group".
  </Step>

  <Step>
    In the **Maintain Permissions for Security Group** modal, make sure the **Maintain** button is selected.
  </Step>

  <Step>
    In the **Source Security Group** field, navigate to **By Type** > **Integration System Security Group**.
  </Step>

  <Step>
    Create a new security group. Give it a name, such as "C1 WQL integration security group".
  </Step>

  <Step>
    On the new group's **Domain Security Policy Permissions** tab, leave the **Select All** box checked.
  </Step>

  <Step>
    Click the **+** icon to create new rows, and fill them out as follows:

    | View/Modify Access | Domain Security Policy                   | Functional Areas | Purpose                                |
    | :----------------- | :--------------------------------------- | :--------------- | :------------------------------------- |
    | View Only          | WQL for Workday Extend                   | System           | (Required) WQL API Access              |
    | View Only          | Workday Accounts                         | System           | (Required) Accounts, Implementers      |
    | View Only          | Worker Data: Public Worker Reports       | Staffing         | Worker Info (title, managers)          |
    | View Only          | Security Configuration                   | System           | Security Groups                        |
    | View Only          | Security Administration                  | System           | Account: Most Recent Sign-on           |
    | View Only          | Manage: Service Center                   | System           | Service Centers                        |
    | Get and Put        | User-Based Security Group Administration | System           | User-Based Security Group Provisioning |
  </Step>

  <Step>
    Click **OK**.

    Security group permissions will not take effect until they are activated in the following steps.
  </Step>
</Steps>

#### Activate pending security policy changes

<Steps>
  <Step>
    Next, activate the security policy changes. Search for "Activate Pending Security Policy Changes".
  </Step>

  <Step>
    Add a comment about the change you're making and click **OK**.
  </Step>

  <Step>
    Review the changes. If everything looks good, click the **Confirm** checkbox, then click **OK**.
  </Step>
</Steps>

#### Assign the security group to the Workday account

<Steps>
  <Step>
    Still in Workday, use the search bar to look up "View Workday Account" and select the Workday account you used when generating the refresh token.
  </Step>

  <Step>
    Click the three dots icon next to the account name and navigate to **Security Profile** > **Assign Integration System Security Groups**.
  </Step>

  <Step>
    Select the security group you created and click **OK**.
  </Step>
</Steps>

### Optional: Look up security group types

If you want C1 to sync specific non-user-based security group types (such as `Role-Based Security Group (Constrained)` and `Integration System Security Group`), you'll need to gather the list of these types.

Non-user-based security group types are defined and configured in Workday, and their exact names vary based on how your Workday instance is configured. Remember that security group type names are case-sensitive.

**Done.** Next, move on to the connector configuration instructions.

## Configure the Workday Accounts connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Workday Accounts credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Workday Accounts** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Workday Accounts connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the endpoint you looked up in the **Workday REST API Endpoint** field.
      </Step>

      <Step>
        Enter the **Client ID**, **Client secret**, and **Refresh token** in the relevant fields.
      </Step>

      <Step>
        **Optional.** If desired, click the checkbox to **Sync service centers**.
      </Step>

      <Step>
        **Optional.** If desired, click the checkbox to **Sync user-based security groups**.

        * If you select this option, you may enter an optional list of the user-based security groups that you want to sync in the **User-based security groups** field.
      </Step>

      <Step>
        **Optional.** Enter the list of (non-user-based) security group types you want to sync in the **Other security group types** field. Remember that security group type names are case-sensitive.
      </Step>

      <Step>
        **Optional.** Enter the list of (non-user-based) security groups you want to sync in the **Other security groups** field. Remember that security group names are case-sensitive.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Workday Accounts connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Workday Accounts connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    [Contact C1's support team](mailto:support@c1.ai) to download the latest version of the connector.

    ### Step 1: Set up a new Workday Accounts connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Workday Accounts connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Workday Accounts connector deployment:

    #### Secrets configuration

    ```yaml expandable
    # baton-workday-wql-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-workday-wql-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>
      
      # Workday credentials
      BATON_WORKDAY_REST_API_ENDPOINT: <Workday REST API endpoint>
      BATON_WORKDAY_CLIENT_ID: <Workday API client ID>
      BATON_WORKDAY_CLIENT_SECRET: <Workday API client secret>
      BATON_WORKDAY_REFRESH_TOKEN: <Workday API client refresh token>

      # Optional: include if you want to sync resource IDs
      BATON_SYNC_RESOURCES: <List of the resource IDs to sync>

      # Optional: include if you want to sync service centers
      # (stringData values must be strings, so booleans are quoted)
      BATON_SYNC_SERVICE_CENTERS: "true"

      # Optional: include if you want to sync user-based security groups (default is true)
      BATON_SYNC_USER_BASED_SECURITY_GROUPS: "true"

      # Optional: include if you want to limit the synced user-based security groups to the types listed here
      BATON_USER_BASED_SECURITY_GROUP_FILTER: <List of user-based security group types to sync>

      # Optional: include if you want to limit the synced security groups to the groups listed here
      BATON_SECURITY_GROUP_FILTER: <List of the names of other security groups to sync>

      # Optional: include if you want to limit the synced security groups to the types listed here
      BATON_SECURITY_GROUP_TYPE_FILTER: <List of other security group types to sync>

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: "true"
    ```

    See the connector's README or run the connector with `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-workday-wql.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-workday-wql
      labels:
        app: baton-workday-wql
    spec:
      selector:
        matchLabels:
          app: baton-workday-wql
      template:
        metadata:
          labels:
            app: baton-workday-wql
            baton: "true"
            baton-app: workday-wql
        spec:
          containers:
          - name: baton-workday-wql
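            # With :latest and IfNotPresent, a node reuses whatever image it has cached;
            # pin a specific version tag or digest for reproducible rollouts.
            image: ghcr.io/conductorone/baton-workday-wql:latest
            imagePullPolicy: IfNotPresent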
            env:
            - name: BATON_HOST_ID
              value: baton-workday-wql
            envFrom:
            - secretRef:
                name: baton-workday-wql-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Workday Accounts connector to. Workday Accounts data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>
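
    One way to script the deploy step, as an added example that is not part of C1's documentation: it checks the Secret manifest for unfilled `<...>` placeholders and bare booleans before applying both files. The namespace name `c1-connectors`, the script name, and the function names are assumptions; the file and deployment names are the ones used in Step 2.

    ```bash
    # Added example. NAMESPACE and the function names are assumptions;
    # file and deployment names come from the manifests in Step 2.
    NAMESPACE="${NAMESPACE:-c1-connectors}"
    SECRET_FILE="baton-workday-wql-secrets.yaml"
    DEPLOY_FILE="baton-workday-wql.yaml"

    # Return non-zero if a BATON_* value is still a <placeholder> or a bare
    # boolean (Kubernetes rejects non-string values under stringData).
    preflight_secret() {
      pf_file="$1"
      pf_rc=0
      if grep -nE '^[[:space:]]+BATON_[A-Z_]+:[[:space:]]*<[^>]*>[[:space:]]*$' "$pf_file" >&2; then
        echo "error: unfilled placeholder(s) in $pf_file" >&2
        pf_rc=1
      fi
      if grep -nE '^[[:space:]]+BATON_[A-Z_]+:[[:space:]]*(true|false)[[:space:]]*$' "$pf_file" >&2; then
        echo "error: quote boolean value(s) in $pf_file, e.g. \"true\"" >&2
        pf_rc=1
      fi
      return "$pf_rc"
    }

    deploy_connector() {
      preflight_secret "$SECRET_FILE" || return 1
      # Create the namespace if it does not exist yet (idempotent).
      kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
      kubectl apply -n "$NAMESPACE" -f "$SECRET_FILE"
      kubectl apply -n "$NAMESPACE" -f "$DEPLOY_FILE"
      # Wait for the pod to become ready, then show recent connector logs.
      kubectl rollout status -n "$NAMESPACE" "deployment/baton-workday-wql" --timeout=120s
      kubectl logs -n "$NAMESPACE" "deployment/baton-workday-wql" --tail=20
    }

    # Deploy only when called as: ./deploy.sh deploy
    if [ "${1:-}" = "deploy" ]; then
      deploy_connector
    fi
    ```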

    **Done.** Your Workday Accounts connector is now pulling access data into C1.
  </Tab>
</Tabs>
