Workday
This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.
Overview
Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:
Automated security group assignments for new employees
Dynamic group membership updates during role changes
Access removal during offboarding
Email synchronization between Workday and downstream systems
Supported Capabilities
Source of Identity
Workday serves as an authoritative source for employee identity information:
Entity Type: Workday Worker
Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes
Lifecycle Actions
Manage Relationships
Controls access to Workday security groups.
Entity Types: Workday Security Group
Assignee Types: Workday Account
Supports Relationship Removal: Yes
Write Back Email
Updates email addresses in Workday worker records to maintain consistency with other systems.
Entity Type: Workday Worker
Purpose: Ensures Workday remains the single source of truth for employee email addresses
Custom Properties
The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.
Configuration Steps
1. Create Business Process Security Policy
Log into Workday and search for Edit Business process security policy
Under Business Process Type, select Work Contact Change
Find "Initiating Action: Change Work Contact Information (REST Service)"
Create a Segment-Based Security Group
Configure the security group:
Add the security group created for Veza integration
Add "Worker" scope to Access Rights
Verify the security group appears in Initiating Action Security groups
Click OK and Done to save changes
2. Activate Security Policy Changes
Search for Activate Pending Security Policy Changes
Review changes, add a comment, and click OK
Verify changes in Business Process Security Policy
3. Configure Security Group Permissions
Add these Domain Permissions to the security group:
View and Modify
Workday Query Language
View and Modify
Person Data: Work Email
View and Modify
Person Data: Work Contact Information
View and Modify
Worker Data: Staffing
View and Modify
Worker Data: Public Worker Reports
Get Only
Security Configuration
Get Only
Business Process Administration
View and Modify
Security Administration
View and Modify
Workday accounts
View and Modify
Special OX Web Services
Get and Put
User-Based Security Group Administration
4. Update API Client Configuration
Open Edit API Client
Add required scopes:
Staffing
Contact Information
System
Tenant Non-Configurable
Organizations and Roles
5. Configure Workday Integration in Veza
Navigate to Configurations > Integrations
Either:
Create a new Workday integration
Edit an existing Workday integration
Enable Lifecycle Management:
Check Enable Lifecycle Management
API Access Notes
The integration uses these API endpoints for email write-back:
For general metadata discovery, WQL queries access:
allWorkdayAccounts
allWorkers
securityGroups
domainSecurityPolicies
businessProcessTypes
Implementation Notes
Workday Workers are the primary entity for identity information
Bidirectional management of Account-Security Group relationships is supported
Email write-back operates on Worker entities, not Account entities
Custom attribute availability depends on your Workday configuration
The Sync Identities action is not currently supported for Workday
Last updated
Was this helpful?
