User Guide
Release Notes

Workday

This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Overview

Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:

  • Automated security group assignments for new employees

  • Dynamic group membership updates during role changes

  • Access removal during offboarding

  • Email synchronization between Workday and downstream systems

Supported Capabilities

Source of Identity

Workday serves as an authoritative source for employee identity information:

  • Entity Type: Workday Worker

  • Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes

Lifecycle Actions

Manage Relationships

Controls access to Workday security groups.

  • Entity Types: Workday Security Group

  • Assignee Types: Workday Account

  • Supports Relationship Removal: Yes

Write Back Email

Updates email addresses in Workday worker records to maintain consistency with other systems.

  • Entity Type: Workday Worker

  • Purpose: Ensures Workday remains the single source of truth for employee email addresses

Custom Properties

The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.

Configuration Steps

1. Create Business Process Security Policy

  1. Log into Workday and search for Edit Business process security policy

  2. Under Business Process Type, select Work Contact Change

  3. Find "Initiating Action: Change Work Contact Information (REST Service)"

  4. Create a Segment-Based Security Group

  5. Configure the security group:

    • Add the security group created for Veza integration

    • Add "Worker" scope to Access Rights

  6. Verify the security group appears in Initiating Action Security groups

  7. Click OK and Done to save changes

2. Activate Security Policy Changes

  1. Search for Activate Pending Security Policy Changes

  2. Review changes, add a comment, and click OK

  3. Verify changes in Business Process Security Policy

3. Configure Security Group Permissions

Add these Domain Permissions to the security group:

Person Data:

  • Work Email (View and Modify)

  • Work Contact Information (View and Modify)

Worker Data:

  • Staffing (View and Modify)

  • Public Worker Reports (View and Modify)

System:

  • Security Administration (View and Modify)

  • Workday accounts (View and Modify)

4. Update API Client Configuration

  1. Open Edit API Client

  2. Add required scopes:

    • Staffing

    • Contact Information

    • System

    • Tenant Non-Configurable

5. Configure Workday Integration in Veza

  1. Navigate to Configurations > Integrations

  2. Either:

    • Create a new Workday integration

    • Edit an existing Workday integration

  3. Enable Lifecycle Management:

    • Check Enable Lifecycle Management

  4. If using custom attributes, configure them in the Custom Properties section

API Access Notes

The integration uses these API endpoints for email write-back:

%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/emailAddresses
%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/submit
%s/ccx/api/staffing/v5/%s/workers/%s/workContactInformationChanges

For general metadata discovery, WQL queries access:

  • allWorkdayAccounts

  • allWorkers

  • securityGroups

  • domainSecurityPolicies

  • businessProcessTypes

Implementation Notes

  1. Workday Workers are the primary entity for identity information

  2. Bidirectional management of Account-Security Group relationships is supported

  3. Email write-back operates on Worker entities, not Account entities

  4. Custom attribute availability depends on your Workday configuration

  5. The Sync Identities action is not currently supported for Workday

PreviousExchange ServerNextVeza Integrations

Last updated