Workday

Overview

The Veza integration for Workday enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information. This integration supports identity synchronization, security group management, and bidirectional email updates.

This document includes steps to enable the Workday integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Workday

Prerequisites

1. You will need administrative access in Veza to configure the integration and administrative access in Workday to configure security policies.

2. Ensure you have an existing Workday integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Workday integration has completed at least one successful extraction.

4. The Workday integration will need the following additional permissions:

   • Work Contact Change Business Process Security Policy - For email write-back operations

   • Domain Permissions - View and Modify permissions for various Workday data domains (see Configure Security Group Permissions)

   • API Client Scopes - Additional scopes for Staffing, Contact Information, Organizations and Roles (see Update API Client Configuration)

Configuration Steps

Worker data syncs to Veza follow the configured extraction interval (default: 1-hour minimum). See Extraction and Discovery Intervals for scheduling details.

1. Create Business Process Security Policy

1. Log into Workday and search for Edit Business process security policy

2. Under Business Process Type, select Work Contact Change

   
3. Find "Initiating Action: Change Work Contact Information (REST Service)"

4. Create a Segment-Based Security Group

   
5. Configure the security group:

   • Add the security group created for Veza integration

   • Add "Worker" scope to Access Rights

   
6. Verify the security group appears in Initiating Action Security groups

7. Click OK and Done to save changes

2. Activate Security Policy Changes

1. Search for Activate Pending Security Policy Changes

2. Review changes, add a comment, and click OK

   
3. Verify changes in Business Process Security Policy

3. Configure Security Group Permissions

Add these Domain Permissions to the security group:

4. Update API Client Configuration

1. Open Edit API Client

2. Add required scopes:

   • Staffing

   • Contact Information

   • System

   • Tenant Non-Configurable

   • Organizations and Roles

   

5. Configure Workday Integration in Veza

1. Navigate to Configurations > Integrations

2. Either:

   • Create a new Workday integration

   • Edit an existing Workday integration

3. Enable Lifecycle Management:

   • Check Enable Lifecycle Management

4. If using custom attributes, configure them in the Custom Properties section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Workday serves as a source for identity information in Lifecycle Management Policies. Worker identity details are synchronized from Workday with changes propagated to connected systems.

Workday can also be a target for relationship management and email write-back actions, based on changes in lifecycle policies or workflows.

The integration supports the following lifecycle management Actions:

Source of Identity

Workday provides identity information for lifecycle policies using the WorkdayWorker entity type. Worker records serve as the authoritative source for employee identity information to trigger lifecycle management workflows.

When used as a source of identity, Workday worker attributes can be mapped to target systems through attribute transformers and lifecycle management policies.

Manage Relationships

Controls access to Workday security groups for Workday accounts. Both adding and removing group memberships are supported.

• Entity Types: Workday Security Group

• Assignee Types: Workday Account

• Supports Relationship Removal: Yes

This action enables automated security group assignments for:

• New employee onboarding

• Role changes and transfers

• Access removal during offboarding

Write Back Email

Updates email addresses in Workday worker records to maintain consistency with other systems. This ensures Workday remains the single source of truth for employee email addresses.

• Entity Type: Workday Worker

• Purpose: Synchronizes email address changes from other systems back to Workday

The integration uses Workday's Work Contact Information Change business process to update email addresses. Each email update creates a new work contact change record that is submitted to Workday for processing.

Custom Properties

The integration supports custom attributes defined in your Workday configuration. Custom properties can be configured in the Workday integration settings and used in lifecycle management conditions and transformers.

API Access Details

The integration uses these API endpoints for email write-back:

For general metadata discovery, WQL queries access:

• allWorkdayAccounts

• allWorkers

• securityGroups

• domainSecurityPolicies

• businessProcessTypes

Implementation Notes

1. Workday Workers are the primary entity for identity information and source of truth

2. Bidirectional management of Account-Security Group relationships is supported

3. Email write-back operates on Worker entities, not Account entities

4. Custom attribute availability depends on your Workday configuration

5. Sync Identities action is not currently supported for Workday (no user provisioning to Workday)

Additional Resources

• Workday Integration Guide

• Lifecycle Management Policies

• Actions Reference

• Attribute Transformers

• Transformer Reference