Skip to main content
Last updated on

Configure authentication to Workday HCM

Beta

This feature is in Beta. Workspace admins can control access to this feature from the Previews page. See Manage Databricks previews.

This page shows how to configure Workday Human Capital Management (HCM) to enable authentication from Databricks. You'll use the credentials from this page to create a connection in Databricks.

Set up an integration system user

  1. Sign in to Workday with an administrator account.
  2. Search for and click Create Integration System User.
  3. Provide a User Name and Password for the user.
  4. Leave the Require New Password at Next Sign In option unselected.
  5. Click OK to confirm, then click Done to complete the setup.

Set up an integration security group

  1. Search for and click Create Security Group.
  2. From the Type of Tenanted Security Group drop-down menu, select Integration System Security Group (Unconstrained).
  3. Enter a name for the security group in the Security Group Name field, then click OK.
  4. In the Edit Integration System Security Group (Unconstrained) window, add the integration system user to the group.
  5. Click OK to save your changes, then click Done.

Add the integration security group to the authentication policy

  1. Search for and click Manage Authentication Policies.
  2. Click Add Authentication Policy.
  3. Specify the Restricted to Environment value and select Authentication Policy Enabled.
  4. In the Authentication Allowlist section, enter an Authentication Rule Name.
  5. Select the security group you created.
  6. Enter the Authentication Condition Name and Authentication Conditions.
  7. Select Any under Allowed Authentication Types.
  8. Search for and click Activate All Pending Authentication Policy Changes.
  9. Type "I approve the changes" in the Comment text box, then click OK.
  10. Select the Confirm checkbox, then click OK to finalize the changes.

Configure domain security policies

  1. Search for Security Group Membership and Access, then click the report link.

  2. Choose the security group you created, then click OK.

  3. Click the ... icon beside the security group name.

  4. Navigate to Security Group > Maintain Domain Permissions for Security Group.

  5. In the Integration Permissions section, locate the Domain Security Policies permitting Get access field.

  6. Search for and select the security domains that correspond to your source tables. To determine which security domains you need, see Security domains.

  7. Add your security group to the domain security policy by selecting Edit Domain Security Policy Permissions and enabling Integration Permissions Get Access.

  8. An alert appears indicating that you need to activate the security policy changes. Click OK, then click Done.

Security domains

Workday API

Security domains

Get_Workers

Worker Data: Public Worker Reports

Workday Usage Metrics

Worker Data: Historical Staffing Information

Get_Payroll_Results

Reports: Pay Calculation Results for Worker (Results)

Activate security policy changes

  1. Search for and click Activate Pending Security Policy Changes.
  2. Type "I approve the changes" in the comment box, then click OK.
  3. Select the Confirm checkbox, then click OK to apply the changes.

Register an OAuth API client

  1. Search for Register API Client for Integrations.

  2. Enter your custom application name in the Client Name field.

  3. Select or clear the Non-Expiring Refresh Tokens check box based on your organization's security policy. If not selected, specify a token validity period (1–365 days). You will need to periodically rotate your refresh token.

  4. Select the necessary scopes from the Scope (Functional Areas) drop-down menu.

    tip

    To determine which scopes (functional areas) are required, search for the table name using the View Security for Securable Item task. Locate the required scope in the All Functional Areas column.

  5. Click OK.

  6. Record the Client ID and Client Secret. These are required to create a connection in Databricks.

  7. Open the Related Actions menu and navigate to API Client > Manage Refresh Tokens for Integrations.

  8. In the Workday Account field, search for and select your Workday account. This account must have the required security domains.

  9. Select Generate New Refresh Token.

  10. Click OK.

  11. Record the Refresh Token. This is required to create a connection in Databricks.

Next steps

Use Catalog Explorer to create a connection so that any user with USE CONNECTION or ALL PRIVILEGES can create pipelines. See Workday HCM.