> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a Workday connector
> C1 provides identity governance for Workday. Integrate your Workday instance with C1 for unified visibility and governance over user access.
## Which Workday connector should I use?
C1 offers two Workday connectors: Workday and Workday Accounts (WQL). How you want to work with Workday in C1 will determine which one you should set up.
* **[Workday connector](/baton/workday)**: This connector is the best choice if you want to use Workday as a [directory](/product/admin/directory). You’ll also need it if you want to enable access requests for Workday role and group assignments.
* **[Workday Account (WQL) connector](/baton/workday-wql)**: This connector utilizes the Workday Query Language (WQL), which allows it to pull a different data set than the Workday connector. Workday Accounts (WQL) is the best choice if you want to review who has what kind of access to Workday in your organization, including account type and service center assignments.
| Resource | Workday connector\* | Workday Accounts (WQL) connector |
| :------------------------------------------------ | :------------------ | :------------------------------- |
| Accounts | Sync | Sync |
| Roles | Sync | |
| Security groups | Sync | Sync |
| Account type (Implementers and Integration Users) | | Sync |
| Service centers | | Sync |
\*If the Workday connector is configured using a custom report (see below), it can also pull in information on the account owner’s organization, title, and manager.
## Capabilities
### Custom report (JSON)
| Resource | Sync | Provision |
| :-------------- | :------------------------------------------------------------ | :-------- |
| Accounts | | |
| Roles | | |
| Security groups | | |
### Custom report (CSV)
| Resource | Sync | Provision |
| :-------------- | :------------------------------------------------------------ | :-------- |
| Accounts | | |
| Roles | | |
| Security groups | | |
### API client
| Resource | Sync | Provision |
| :-------------- | :------------------------------------------------------------ | :-------- |
| Accounts | | |
| Roles | | |
| Security groups | | |
## Gather Workday credentials
Configuring the connector requires you to pass in credentials generated in Workday. Gather these credentials before you move on.
To authenticate with Workday, you can use either a Report-as-a-service (RaaS) **custom report** in CSV or JSON format or an **API client**.
**Which authentication method should I use?**
The **RaaS custom report option** is the more popular option, and is often preferred by Workday Admins and HR teams, as it’s Workday’s preferred integration method. RaaS allows you fine-grained control over what data is sent to C1. Additionally, it allows you to transform the format of Workday attributes as needed before sending them to C1.
The **API client option** pulls available data about Workday accounts, such as each account's manager and manager email, which can be used as [user attributes](/product/admin/attributes). The custom report method only pulls data that is explicitly named in the report into C1.
Follow the relevant set of instructions below to generate your credentials.
### Option 1: Authenticate using a custom report
A user with the permission to create a custom report in Workday must perform this task.
#### Set up the custom report
In Workday, navigate to the **Tasks and Reports** menu and select **Create Custom Report**.
When setting report details, set the report type to **Advanced** and mark **Enable As Web Service**.
When setting data sources, disable the **Optimized for Performance** option and select **All Workers** as the data source.
At this point, you can create the custom report in either JSON (recommended) or CSV format by following the relevant directions below.
### Expected custom report contents when using the JSON format
When using the JSON format for custom reports, the connector expects a specific structure. Below is a table of the supported fields:
**Suggested Data Source:** All Active and Terminated Workers
| Column Heading Override XML Alias/Column Heading Override | Required | Description | Suggested Workday Object Field |
| :-------------------------------------------------------- | :------- | :----------------------------------- | :-------------------------------------------------------------------------------------- |
| user\_id | Yes | Unique identifier for the user | Worker: Employee ID |
| email | No | User's email address | Worker: Email - Primary Work |
| first\_name | Yes | User's first name | Worker: First Name |
| middle\_name | No | User's middle name | Worker: Middle Name |
| last\_name | Yes | User's last name | Worker: Last Name |
| active | Yes | Boolean indicating if user is active | Worker: Active Status |
| org\_name | No | User's department or organization | Worker: Supervisory Organization Name |
| business\_title | No | User's job title | Worker: Business Title |
| security\_groups | No | User's security groups | Worker: User-Based Security Groups for User |
| roles | No | User's roles | Worker: Organization Roles |
| manager\_name | No | Manager's name | Calculated Field - Lookup Related Value: Worker: Manager Level 01: Full Name |
| manager\_email | No | Manager's email | Calculated Field - Lookup Related Value: Worker: Manager Level 01: Email - Primary Work |
Notes:
* The order of the fields does not matter.
* The `Column Heading Override XML Alias` value MUST match `Column Heading Override`.
* You may substitute the suggested Workday object fields with alternatives as long as they provide equivalent data.
#### Expected custom report contents when using the CSV format
Add the following fields to the custom report **in this order**:
* Active Status
* User Name
* Employee ID
* Worker
* Security Group
* Role Name
* Organization
* Organization Type
The fields needed in custom reports can vary depending on how your Workday installation is configured. Contact C1 support if you need help figuring out which fields to include.
5. Create the custom report.
#### Look up the custom report URL
On the **Report Definition** page, click the **Related Actions** (three dots) button.
Navigate to **Actions** > **Web Service** > **View URLs**.
Right-click on the **JSON** or **CSV** (as relevant) URL, then carefully copy and save it.
**Done.** Next, move on to the connector configuration instructions.
### Option 2: Authenticate using API client credentials
### Create Workday API Client Credentials
A user with the permission to create a new API client in Workday must perform this task.
The process involves creating an Integration System User (ISU), creating a security group, associating the ISU with the security group, and then registering the API client and generating a refresh token.
#### Create an Integration System User (ISU)
In Workday, use the search bar to look up "Create Integration System User".
In the **Create Integration System User** modal, enter a **User Name**, such as "C1 integration".
Enter and confirm a strong **Password** for this user.
Optionally, you can provide a **New Password Never Expires** if appropriate for your security policies.
Click **OK**.
Make note of the **User Name** you created, as you will need it later.
#### Create a new Security Group
In Workday, use the search bar to look up "Maintain Permissions for Security Group".
In the **Maintain Permissions for Security Group** modal, make sure the **Maintain** button is selected.
In the **Source Security Group** field, navigate to **By Type** > **Integration System Security Group**.
Create a new security group. Give it a name, such as "C1 integration security group".
On the new group's **Domain Security Policy Permissions** tab, leave the **Select All** box checked.
Click the **+** icon to create six (or seven, see below) new rows, and fill them out as follows:
Row 1:
* View/Modify Access: **View Only**
* Domain Security Policy: **Worker Data: Public Worker Reports**
Row 2:
* View/Modify Access: **View Only**
* Domain Security Policy: **Reports: Organization**
Row 3:
* View/Modify Access: **View Only**
* Domain Security Policy: **Security Administration**
Row 4:
* View/Modify Access: **View Only**
* Domain Security Policy: **Manager: Organization Roles**
Row 5:
* View/Modify Access: **View Only**
* Domain Security Policy: **Person Data: Work Email**
Row 6:
* View/Modify Access: **View Only**
* Domain Security Policy: **Worker Data: Current Staffing Information**
Row 7 (needed only if title data is split out from the inherent staffing parent domain):
* View/Modify Access: **View Only**
* Domain Security Policy: **Worker Data: Staffing Business Title**
Click **OK**.
#### Assign the Security Group to the Integration System User (ISU)
Still in Workday, use the search bar to look up "View Workday Account" and select the **Integration System User (ISU)** you created previously.
Click the three dots icon next to the account name and navigate to **Security Profile** > **Assign Integration System Security Groups**.
Select the security group you created and click **OK**.
#### Activate Security Policy Changes
Next, activate the security policy changes. Search for "Activate Pending Security Policy Changes".
Add a comment about the change you're making and click **OK**.
Review the changes and if everything looks good, click the **Confirm** checkbox, then click **OK**.
#### Create a New Workday API Client
In Workday, use the search bar to look up "Register API Client for Integrations". Make sure to select this name from the results, not the similarly named "Register API Client".
Give the new API client a name, such as "C1 integration".
In the **Integration System User** field, select the ISU you created earlier. This is crucial for associating the API client with the correct permissions.
In the **Scopes** box, select **Custom Objects** and search for "Staffing". Select **Staffing** and **Organizations and Roles** and click **OK**.
The newly created client's client ID and client secret are shown. Carefully copy and save these credentials.
**Do not** click **Done** at the bottom of the page yet.
#### Create a Refresh Token
Next, click the three dots icon next to the client name and navigate to **API Client** > **Manage Refresh Tokens for Integrations**.
Select the **Integration System User (ISU)** you want to associate with the token (this should be the same ISU you selected when registering the API client) and click **OK**.
On the **Delete or Regenerate Refresh Token** page, scroll down and check the **Generate New Refresh Token** box.
Click **OK**.
Carefully copy and save the new refresh token.
**Done.** Next, move on to the connector configuration instructions.
## Configure the Workday connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Workday credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Workday** and click **Add**.
Choose how to set up the new Workday connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
If using a custom report to authenticate, select **Custom report** and fill out the form:
1. Enter the **Report URL**, **Report username**, and **Report user password** in the relevant fields.
2. **Optional.** To include extra Workday data in the sync, in the **Additional report fields** field, enter any additional field names from the Workday JSON report that you want to include in user profiles. Press **Enter** between each field name.
Fields that return multiple values (such as `roles` or `security_groups`) are not supported.
If using an API client to authenticate, select **API client** and fill out the form:
1. Enter the **Client ID**, **Client secret**, and **Refresh token** in the relevant fields.
2. **Optional.** Enter the full URL of your Workday tenant in the **Workday URL** field. Defaults to `https://wd2-impl-services1.workday.com` — only change this if your tenant uses a different URL.
3. Enter the Workday tenant name in the **Tenant Name** field.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Workday connector is now pulling access data into C1.
\*\*Follow these instructions to use the Workday connector, hosted and run in your own environment.
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-workday): For stable binaries (Windows/Linux/macOS) and container images.
### Step 1: Set up a new Workday connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Workday connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Workday connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-workday-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-workday-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Workday credentials if using a custom report to authenticate
BATON_WORKDAY_FETCH_USERS_FROM_CUSTOM_REPORT: true
BATON_WORKDAY_REPORT_URL:
BATON_WORKDAY_REPORT_USERNAME:
BATON_WORKDAY_REPORT_PASSWORD:
BATON_WORKDAY_ADDITIONAL_REPORT_FIELDS:
# Workday credentials if using an API client to authenticate
BATON_WORKDAY_CLIENT_ID:
BATON_WORKDAY_CLIENT_SECRET:
BATON_WORKDAY_REFRESH_TOKEN:
BATON_WORKDAY_URL:
BATON_TENANT_NAME:
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-workday.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-workday
labels:
app: baton-workday
spec:
selector:
matchLabels:
app: baton-workday
template:
metadata:
labels:
app: baton-workday
baton: true
baton-app: workday
spec:
containers:
- name: baton-workday
image: ghcr.io/conductorone/baton-workday:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-workday
envFrom:
- secretRef:
name: baton-workday-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Workday connector to. Workday data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Workday connector is now pulling access data into C1.
## Troubleshooting the Workday connector
Make sure that the integration security group you created when configuring the connector has the domain security policy applied to **Report/Task Permissions** only.
In Workday, use the search bar to look up "View Security Group", then navigate to **Security Groups** > **Integration System Security Group (Unconstrained)** and select the security group you just created.
On the security group's page, click the three dots icon next to the security group name and navigate to **Security Group** > **Manage Domain Permissions for Security Group**.
Make sure that **Worker Data: Public Worker Reports** is shown in the **Domain Security Policies permitting View access** box.