Connecting to Workday (extractor)
Limited Availability
This extractor is currently in limited availability mode and can be added to your Celonis Platform environment by request only.
To request access to this extractor, please create a support ticket on Celopeers.
You can connect your Workday instance to the Celonis Platform, allowing you to extract your reporting data from 5 different areas: Human Resources, Financial Management, Resource Management, Revenue Management and Reports.
To connect your Workday instance to the Celonis Platform, a number of prerequisites must be matched:
To extract your reporting data, you need to configure a Workday Integration System User (ISU) account with permissions to access Workday's web service operations. For security reasons, Workday restricts each ISU to a single integration system.
While we provide steps for this below, we recommend using the Workday documentation for the latest information: Workday documentation
Select Create Integration System User task.
Keep Session Timeout Minutes default (zero).
Select Do Not Allow UI Sessions to not allow the ISU for logging into your Workday system through the UI.
Select Create Security Group task.
As a type, select Integration System Security Group (Unconstrained) or Integration System Security Group (Constrained). The main difference between those is that constrained version results will only returned for objects that have a connection with constraint. For example, for workers in the US organizational entity only
In Group Criteria, select newly created ISU to be included in the security group.
Identify required security needed for specific operations (View Security for Securable Item) and edit domain security policies.
Select the Domain Security Policies for Functional Area report.
Select a security policy.
Select Edit Permissions.
Grant Get access for specific domain to newly created ISSG.
Access Activate Pending Security Policy Changes task.
Select Confirm checkbox to activate your changes.
To use OAuth2 two further prerequisites are required:
Generate a key pair
Open a key-pair generator tool like Cygwin then generate a key pair that will be stored in a key store called "JWTkeystore.jks" with a password (example uses "Workday123!").
keytool -genkey -keyalg RSA -alias Workday -keystore JWTkeystore.jks -storepass Workday123! -validity 360 -keysize 2048
Extract the public key and save it as file called "public.cert".
keytool -export -alias Workday -keystore JWTkeystore.jks -rfc -file publickey.cert
One way to isolate and extract the private key is to convert the key store .jks file to a PKCS#12 (.p12) format.
keytool -importkeystore -srckeystore JWTkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias Workday -deststorepass Workday123! -destkeypass Workday123!
In PKSC#12 format, you can export the private key unencrypted or encrypted (both versions allegedly work per Workday documentation but this was tested using the unencrypted version).
# Unencrypted Private Keyopenssl pkcs12 -in keystore.p12 -nodes -nocerts -out privatekey.pem # Encrypted Private Keyopenssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem
Send the public.cert file to the relevant Workday Admin/Power User.
Ensure the private key file is safe and accessible for when the Workday Data Connection is being entered.
Register API Client in the Workday system
In Workday, create a Register API Client instance.
Select JWT Bearer Grant as the Client Grant type.
Under the “X509 Certificate”, select Create x509 Public Key and paste the content of publickey.cert (entire text of file including “---BEGIN Certificate---" and “---END Certificate---").
Ensure the right Scope (Functional Areas) are selected:
Jobs & Positions, Organizations and Roles, Staffing, and Worker Profile and Skills.
These Scopes are needed for the Workday Test Connection as it will wait for a successful response when it hits these Scopes (Web Services).
Create Integration System User (ISU). The ISU User Name needs to match the Client Name in the API Client. There are no requirements for the password. Perform the following tasks to finalize the creation of the ISU.
Select Create Integration System User task
Keep Session Timeout Minutes default (zero)
Select Do Not Allow UI Sessions to not allow the ISU for logging into your Workday system through the UI.
Create an Integration System Security Group (ISSG). Ensure the Type = Unconstrained. Perform the following tasks to finalize the creation of the ISSG.
Select Create Security Group task.
In Group Criteria, select newly created ISU to be included in the security group.
Identify required security needed for specific operations (View Security for Securable Item).
Select the Domain Security Policies for Functional Area report.
Select a security policy.
Select Edit Permissions.
Grant Get access for specific domain to newly created ISSG (Employee, Employee_Employment_Info, Former_Workers, Job_Categories, Job_Profiles, Locations, Organizations, Supervisory_Organization_Assignment_Restrictions, Worker_Event_History, Worker_Profile, Workers).
Activate pending security policy changes through the following tasks:
Access Activate Pending Security Policy Changes task.
Describe your changes in the Comment.
Select Confirm checkbox to activate your changes.
With access to your Workday authentication credentials, you can create a data connection between your Workday instance and the Celonis Platform from your data pool diagram:
Click Data Connections.
Click Add Data Connection and select Connect to Data Source.
Select Cloud - Workday.
Configure the following connection details:
Name: An internal reference for this data connection.
API version: Select the API you want to use, with the latest being the recommended.
Authentication method: Choose between store credentials (username, password, tenant, and host) and OAuth (client ID, user ID, private key, tenant, and host).
Report configuration: Enter the details for the reports you want to extract from Workday. You can also do this is JSON format, see:
Click Test Connection and correct any issues highlighted.
Click Save.
The connection between your Workday instance and the Celonis Platform is establised. You can manage this connection at any time by clicking Options:
When connecting your Workday instance to the Celonis Platform, the following API endpoints are supported:
The Workday Hire-to-Retire connector uses Workday's SOAP-based Human Resources Web Service which contains operations that expose Workday Human Capital Management Business Services data, incl. employee, contingent worker and organization info. The Celonis Extractor uses the below operations to retrieve data from Workday:
API call | Description |
|---|---|
Get_Employee | Retrieves granular information about individual employments (e.g., position, job, status). |
Get_Employee_Employment_Info | Retrieves granular information about individual employments (e.g., position, job, status). |
Get_Former_Workers | Retrieves data for individuals that have previously been employed but were not included as a Workday worker, incl. their personal/job details and contact info as of termination date. |
Get_Job_Categories | Retrieves job categories data for the specified criteria (all if no criteria specified), incl. reference ID, name, description and inactive flag. |
Get_Job_Profiles | Retrieves data related to job profiles for the specified criteria (all if no criteria is specified), organized into different response groups. |
Get_Locations | Retrieves data related to a location for the specified criteria (all if no criteria is specified). |
Get_Organizations | Retrieves data related to an organization, incl. staffing configuration, structure, etc. |
Get_Supervisory_Organization_Assignment_Restrictions | Retrieves the organization assignment default values and allowed values for supervisory organizations. |
Get_Worker_Event_History | Retrieves references to all events created through workflows associated with a worker based on the event type and data parameters. |
Get_Worker_Profile | Retrieves a subset of data related to a worker and their employment/contract, personal info, as well as compensation. |
Get_Workers | Retrieves public and private information for specified workers. |
GET Payments
GET PaymentTypesTable
GET StopItem
GET BusinessUnits
GET CurrencyConversionRates
GET CurrencyRateTypes
GET CompanyOrganizations
GET CostCenters
GET ResourceCategories
GET FinancialRevenueCategories
GET Suppliers
GET PurchaseOrders
GET PurchaseRequisitions
GET PurchaseItems
GET Receipts
GET PurchaseOrderChangeOrders
GET SpendCategoryHierarchies
GET SupplierInvoiceAdjustments
GET SupplierInvoices
GET SupplierContracts
GET Customers
GET CustomerCategories
GET CustomerDeposits
GET CustomerGroups
GET CustomerInvoiceAdjustments
GET CustomerInvoices
GET CustomerPayments
GET CustomerRefunds
GET RevenueCategories
GET SalesItems
GET SalesItemGroups
GET Report
When connecting your Workday instance to the Celonis Platform, the following filters are supported per table:
Table | Supported filters |
|---|---|
customerDeposits | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
customerPayments | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
formerWorkers | Updated_From_Moment, Update_To_Moment |
jobProfiles | Updated_From, Updated_Through, Effective_From, Effective_Through |
organizations | Updated_From, Updated_Through, Effective_From, Effective_Through |
payments | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
purchaseOrders | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
receipts | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
requisitions | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
supplierContracts | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
supplierInvoiceAdjustments | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
supplierInvoices | Updated_From_{tableName}_After, Updated_From_{tableName}_Before |
workers | Updated_From, Updated_Through, Effective_From, Effective_Through |