Celonis Product Documentation

Connecting to Workday (extractor)

Limited Availability

This extractor is currently in limited availability mode and can be added to your Celonis Platform environment by request only.

To request access to this extractor, please create a support ticket on Celopeers.

You can connect your Workday instance to the Celonis Platform, allowing you to extract your reporting data from 5 different areas: Human Resources, Financial Management, Resource Management, Revenue Management and Reports.

To connect your Workday instance to the Celonis Platform, a number of prerequisites must be met:

Prerequisites for connecting to Workday

To extract your reporting data, you need to configure a Workday Integration System User (ISU) account with permissions to access Workday's web service operations. For security reasons, Workday restricts each ISU to a single integration system.

While we provide steps for this below, we recommend using the Workday documentation for the latest information: Workday documentation

  1. Select Create Integration System User task.

  2. Keep Session Timeout Minutes default (zero).

  3. Select Do Not Allow UI Sessions to prevent the ISU from logging in to your Workday system through the UI.

  1. Select the Create Security Group task.

  2. As a type, select Integration System Security Group (Unconstrained) or Integration System Security Group (Constrained). The main difference between them is that with the constrained version, results are only returned for objects that have a connection with the constraint, for example, for workers in the US organizational entity only.

  3. In Group Criteria, select the newly created ISU to be included in the security group.

Identify the security required for specific operations (View Security for Securable Item) and edit the domain security policies.

  1. Select the Domain Security Policies for Functional Area report.

  2. Select a security policy.

  3. Select Edit Permissions.

  4. Grant Get access for the specific domain to the newly created ISSG.

  1. Access the Activate Pending Security Policy Changes task.

  2. Select the Confirm checkbox to activate your changes.

To use OAuth2, two further prerequisites are required:

Generate a key pair
  1. Open a key-pair generator tool such as Cygwin, then generate a key pair that will be stored in a key store called "JWTkeystore.jks" with a password (the example uses "Workday123!").

    keytool -genkey -keyalg RSA -alias Workday -keystore JWTkeystore.jks -storepass Workday123! -validity 360 -keysize 2048
  2. Extract the public key and save it as a file called "publickey.cert".

    keytool -export -alias Workday -keystore JWTkeystore.jks -rfc -file publickey.cert
  3. One way to isolate and extract the private key is to convert the key store .jks file to a PKCS#12 (.p12) format.

    keytool -importkeystore -srckeystore JWTkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias Workday -deststorepass Workday123! -destkeypass Workday123!
  4. In PKCS#12 format, you can export the private key unencrypted or encrypted (both versions allegedly work per Workday documentation but this was tested using the unencrypted version).

    # Unencrypted Private Key
    openssl pkcs12 -in keystore.p12 -nodes -nocerts -out privatekey.pem

    # Encrypted Private Key
    openssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem
  5. Send the publickey.cert file to the relevant Workday Admin/Power User.

  6. Store the private key file securely and keep it accessible for when you enter the Workday Data Connection details.
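
Before sending publickey.cert to the Workday admin, you can confirm that the exported files belong together, that the certificate is not close to expiry, and that the private key is readable by its owner only. This is an added example, not part of the Celonis or Workday documentation; the function names and the 30-day threshold are assumptions, and the sample pair is generated with openssl only so the script runs without a key store.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for privatekey.pem / publickey.cert (names from the page).

# True only if the private key's public half equals the certificate's public key.
key_matches_cert() {   # key_matches_cert <privatekey.pem> <publickey.cert>
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$from_key" = "$from_cert" ]
}

# True if the certificate is still valid <days> from now (default 30).
# The page's "-validity 360" means the certificate expires after 360 days.
cert_valid_for_days() {   # cert_valid_for_days <publickey.cert> [days]
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# True if only the file owner can access the private key (mode 600 or 400).
key_is_private() {   # key_is_private <privatekey.pem>
  case "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample pair (assumption: stands in for the keytool output).
make_sample_pair() {   # make_sample_pair <dir> [validity_days]
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Workday" \
    -days "${2:-360}" -keyout "$1/privatekey.pem" \
    -out "$1/publickey.cert" >/dev/null 2>&1 && chmod 600 "$1/privatekey.pem"
}

# Run all three checks on the files in a directory and report each result.
check_dir() {   # check_dir <dir>
  local rc=0
  key_matches_cert "$1/privatekey.pem" "$1/publickey.cert" \
    && echo "OK   key matches certificate" || { echo "FAIL key/certificate mismatch"; rc=1; }
  cert_valid_for_days "$1/publickey.cert" 30 \
    && echo "OK   certificate valid for 30+ days" || { echo "FAIL certificate expires within 30 days"; rc=1; }
  key_is_private "$1/privatekey.pem" \
    && echo "OK   private key is owner-only" || { echo "FAIL private key not owner-only"; rc=1; }
  return "$rc"
}

# Demo on a constructed pair; pass a directory argument to check real files instead.
demo_dir=${1:-$(mktemp -d)}
[ -f "$demo_dir/privatekey.pem" ] || make_sample_pair "$demo_dir"
check_dir "$demo_dir" || true
```

If the private key was exported encrypted, openssl prompts for its passphrase during the match check.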

Register API Client in the Workday system
  1. In Workday, create a Register API Client instance.

  2. Select JWT Bearer Grant as the Client Grant type.

  3. Under "X509 Certificate", select Create x509 Public Key and paste the content of publickey.cert (the entire text of the file, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").

  4. Ensure the right Scopes (Functional Areas) are selected: 

    Jobs & Positions, Organizations and Roles, Staffing, and Worker Profile and Skills.

    These Scopes are needed for the Workday Test Connection, which waits for a successful response when it calls these Scopes (Web Services).

  5. Create an Integration System User (ISU). The ISU User Name needs to match the Client Name in the API Client. There are no requirements for the password. Perform the following tasks to finalize the creation of the ISU.

    1. Select the Create Integration System User task.

    2. Keep the Session Timeout Minutes default (zero).

    3. Select Do Not Allow UI Sessions to prevent the ISU from logging in to your Workday system through the UI.

  6. Create an Integration System Security Group (ISSG). Ensure the Type = Unconstrained. Perform the following tasks to finalize the creation of the ISSG.

    1. Select the Create Security Group task.

    2. In Group Criteria, select the newly created ISU to be included in the security group.

  7. Identify the security required for specific operations (View Security for Securable Item).

    1. Select the Domain Security Policies for Functional Area report.

    2. Select a security policy.

    3. Select Edit Permissions.

    4. Grant Get access for the specific domains to the newly created ISSG (Employee, Employee_Employment_Info, Former_Workers, Job_Categories, Job_Profiles, Locations, Organizations, Supervisory_Organization_Assignment_Restrictions, Worker_Event_History, Worker_Profile, Workers).

  8. Activate pending security policy changes through the following tasks:

    1. Access the Activate Pending Security Policy Changes task.

    2. Describe your changes in the Comment.

    3. Select the Confirm checkbox to activate your changes.

Creating a data connection between Workday and the Celonis Platform

With access to your Workday authentication credentials, you can create a data connection between your Workday instance and the Celonis Platform from your data pool diagram:

  1. Click Data Connections.

  2. Click Add Data Connection and select Connect to Data Source.

  3. Select Cloud - Workday.

  4. Configure the following connection details:

    • Name: An internal reference for this data connection.

    • API version: Select the API version you want to use. The latest version is recommended.

    • Authentication method: Choose between store credentials (username, password, tenant, and host) and OAuth (client ID, user ID, private key, tenant, and host).

    • Report configuration: Enter the details for the reports you want to extract from Workday. You can also do this in JSON format, see:

  5. Click Test Connection and correct any issues highlighted.

  6. Click Save.

    The connection between your Workday instance and the Celonis Platform is established. You can manage this connection at any time by clicking Options.

Supported API endpoints

When connecting your Workday instance to the Celonis Platform, the following API endpoints are supported:

The Workday Hire-to-Retire connector uses Workday's SOAP-based Human Resources Web Service which contains operations that expose Workday Human Capital Management Business Services data, incl. employee, contingent worker and organization info. The Celonis Extractor uses the below operations to retrieve data from Workday:

| API call | Description |
| --- | --- |
| Get_Employee | Retrieves granular information about individual employments (e.g., position, job, status). |
| Get_Employee_Employment_Info | Retrieves granular information about individual employments (e.g., position, job, status). |
| Get_Former_Workers | Retrieves data for individuals that have previously been employed but were not included as a Workday worker, incl. their personal/job details and contact info as of termination date. |
| Get_Job_Categories | Retrieves job categories data for the specified criteria (all if no criteria specified), incl. reference ID, name, description and inactive flag. |
| Get_Job_Profiles | Retrieves data related to job profiles for the specified criteria (all if no criteria is specified), organized into different response groups. |
| Get_Locations | Retrieves data related to a location for the specified criteria (all if no criteria is specified). |
| Get_Organizations | Retrieves data related to an organization, incl. staffing configuration, structure, etc. |
| Get_Supervisory_Organization_Assignment_Restrictions | Retrieves the organization assignment default values and allowed values for supervisory organizations. |
| Get_Worker_Event_History | Retrieves references to all events created through workflows associated with a worker based on the event type and data parameters. |
| Get_Worker_Profile | Retrieves a subset of data related to a worker and their employment/contract, personal info, as well as compensation. |
| Get_Workers | Retrieves public and private information for specified workers. |

  • GET Payments

  • GET PaymentTypesTable

  • GET StopItem

  • GET BusinessUnits

  • GET CurrencyConversionRates

  • GET CurrencyRateTypes

  • GET CompanyOrganizations

  • GET CostCenters

  • GET ResourceCategories

  • GET FinancialRevenueCategories

  • GET Suppliers

  • GET PurchaseOrders

  • GET PurchaseRequisitions

  • GET PurchaseItems

  • GET Receipts

  • GET PurchaseOrderChangeOrders

  • GET SpendCategoryHierarchies

  • GET SupplierInvoiceAdjustments

  • GET SupplierInvoices

  • GET SupplierContracts

  • GET Customers

  • GET CustomerCategories

  • GET CustomerDeposits

  • GET CustomerGroups

  • GET CustomerInvoiceAdjustments

  • GET CustomerInvoices

  • GET CustomerPayments

  • GET CustomerRefunds

  • GET RevenueCategories

  • GET SalesItems

  • GET SalesItemGroups

  • GET Report