Workday Financial Management Setup Guide
Follow our setup guide to connect Workday Financial Management to Fivetran.
Prerequisites
To connect Workday Financial Management to Fivetran, you need a Workday Integration System User account that has read permissions for financials domain objects in Workday.
We have added support for authentication using OAuth. To configure a Workday Financial Management connection, you can use a Workday user or a Workday integration system user. We recommend that you use a Workday integration system user.
Setup instructions
Create integration system user
- Log in to your Workday application using an Administrator account.
- In the application's search box, search for 'create user' and then select Create Integration System User.
- Enter a User Name and Password.
- Leave the Require New Password at Next Sign In checkbox clear.
- (Only for Basic authentication mode) Select the Do Not Allow UI Sessions checkbox.
If you opt for authentication using OAuth, be sure not to select the Do Not Allow UI Sessions checkbox. OAuth requires UI sessions.
- Click OK and then click Done.
Create integration security group
- In the search box, search for 'create security group' and then select Create Security Group.
- In the Type of Tenanted Security Group drop-down menu, select Integration System Security Group (Unconstrained).
- Enter a Security Group Name and click OK.
- In the Edit Integration System Security Group (Unconstrained) window, add the integration system user you created in Step 1 to this security group.
- Click OK.
Add integration security group to the authentication policy
- In the search box, search for 'manage authentication policies' and then select Manage Authentication Policies.
- Enter the Restricted to Environment value and then select the Authentication Policy Enabled checkbox.
- In the Authentication Allowlist section, enter the Authentication Rule Name.
- Select the Security Group you created.
- Enter the Authentication Condition Name and Authentication Conditions.
- In the Allowed Authentication Types section:
- If you use OAuth, select Any.
- If you don't use OAuth, in the Specific field, select User Name Password.
- In the search box, search for 'Activate All Pending Authentication Policy Changes' and then select the corresponding task.
- In the Comment text box, enter 'I approve the changes' and then click OK.
- Select the Confirm checkbox and then click OK.
Add domain security policies
In the search box, search for 'security group membership and access' and then select the report link.
Select the security group you created in Step 2 and click OK.
Click the ... symbol next to the security group name.
Select Security Group > Maintain Domain Permissions for Security Group.
In the Integration Permissions section, in the Domain Security Policies permitting Get access field, search and select the security domains.
You will see an alert. You must activate the security policy changes.
Click OK and then click Done.
Activate security policy changes
- In the search box, search for 'Activate Pending Security Policy Changes'.
- Select Activate Pending Security Policy Changes.
- In the comment box, enter 'I approve the changes' and click OK.
- Select the Confirm checkbox and click OK.
Connect using OAuth
Perform this step only if you want to authenticate the connection using OAuth. Skip to the next step if you want to use Basic authentication for your connection. The API client uses rotating refresh tokens and requires you to manually authorize the client while setting up the connection. The API client for integrations uses a non-expiring refresh token to set up the connection and thus does not require you to manually authorize the client.
Create custom OAuth client app
This option is available only for connections created before February 25, 2025.
In the search box, search for Register API client.
In the Client Name field, enter your custom app name.
In the Client Grant Type field, select Authorization Code Grant.
Select the Enforce 60 Minute Access Token Expiry checkbox.
In the Access Token Type field, select Bearer.
In the Redirection URI, enter:
https://fivetran.com/integrations/workday_financial_management/oauth2/return
In the Refresh Token Timeout (in days) field, enter a timeout period for your refresh token.
By default, the value is set to 30 days. You can enter a timeout period between 1 and 365 days.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
To identify the required Scopes (Functional Areas), search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the required Scope (Functional Area) in the All Functional Areas column.
Be sure not to select the Support Proof Key for Code Exchange (PKCE), Grant Administrative Consent, Include Workday Owned Scope, and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID, Client Secret, and Authorization Endpoint. You will need them to configure Fivetran.
Create custom OAuth client app for Integrations
Perform this step only if you want to authenticate your account using OAuth with API Client for Integrations.
In the search box, search for Register API Client for Integrations.
In the Client Name field, enter your custom app name.
(Optional) Select the Refresh Token Timeout (in days). You can select a value between 1 and 365 days. The default value is 30 days. To prevent the refresh token from timing out, Workday automatically selects the Non-Expiring Refresh Tokens checkbox.
If you select a timeout period for the refresh token, you need to re-authorize your connection on the Edit connection details tab of the connection details page after the token expires.
In the Scope (Functional Areas) drop-down menu, select the scopes you need access to.
To identify the required Scopes (Functional Areas), search for the table name in the View Security for Securable Item task. Click View Security and look for the GET requests for the object. Find the required Scope (Functional Area) in the All Functional Areas column.
Do not select the Include Workday Owned Scope and Locked Out due to Excessive Failed Signon Attempts checkboxes.
Click OK.
Make a note of the Client ID and Client Secret. You will need them to configure Fivetran.
Click the Related Actions menu and select API Client > Manage Refresh Tokens for Integrations.
In the Workday Account field, search for and select your Workday account.
Select the Generate New Refresh Token checkbox.
Click OK.
Make a note of the Refresh Token. You will need it to configure Fivetran.
Finish Fivetran configuration
In the connection setup form, enter the Destination schema name of your choice.
Select the authentication mode: Basic or OAuth.
(Optional): If you choose Basic, do the following:
i. Enter your Workday Username.
ii. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL:
https://<Workday-host-name>/ccx/service/<Workday-Tenant>/...
iii. Enter your Workday Password.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format:
https://<Workday-host-name>/ccx/service/...
(Optional): If you choose OAuth, do the following:
i. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL:
https://<Workday-host-name>/ccx/service/<Workday-Tenant>/...
ii. Enter the Client ID you found in Step 5.
iii. Enter the Client Secret you found in Step 5.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format:
https://<Workday-host-name>/ccx/service/...
v. In the Authorization URL field, enter the authorization endpoint that you found in Step 5.
vi. Click Authorize to allow Fivetran to access your Workday Financial Management account using OAuth. You will be redirected to your Workday Financial Management account to authorize Fivetran's access.
We recommend logging in while in incognito mode to ensure authorization of the correct account.
vii. Log in to your Workday Financial Management account with the integration system user you created in Step 1. Once you have finished, you will be redirected back to Fivetran.
Use the toggle button to choose between the API client and the API client for integrations that you created.
If you choose OAuth and register an API Client for Integrations, do the following:
i. Enter your Workday Tenant. You can find the tenant in your Workday Web Services URL:
https://<Workday-host-name>/ccx/service/<Workday-Tenant>/...
ii. Enter the Client ID you created.
iii. Enter the Client Secret you created.
iv. Enter your Workday Hostname. You can find the Workday Hostname in your Workday Web Services URL, in the following format:
https://<Workday-host-name>/ccx/service/...
v. Enter the Refresh Token you generated.
Click Save & Test. Fivetran will take it from here and sync your Workday Financial Management data.
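The Hostname and Tenant fields both come from the same Workday Web Services URL, so a small check before you paste them into the form catches the usual mistakes (wrong path segment, a plain-http URL, a placeholder left in). The following is an added example, not Fivetran or Workday code; the function name and the sample host and tenant are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_workday_ws_url(url):
    """Return (hostname, tenant) from a Workday Web Services URL.

    Expected shape, as given in this guide:
    https://<Workday-host-name>/ccx/service/<Workday-Tenant>/...
    """
    url = url.strip()
    # A copied template such as <Workday-Tenant> is not a real value.
    if "<" in url or ">" in url:
        raise ValueError("URL still contains a <placeholder>")
    parts = urlsplit(url)
    # Basic authentication sends the password with every request,
    # so refuse anything that is not TLS.
    if parts.scheme != "https":
        raise ValueError("Workday Web Services URL must use https")
    # Credentials belong in the form fields, never inside the URL.
    if parts.username or parts.password:
        raise ValueError("URL must not embed credentials")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    segments = [s for s in parts.path.split("/") if s]
    if segments[:2] != ["ccx", "service"] or len(segments) < 3:
        raise ValueError("path must start with /ccx/service/<tenant>/")
    # The tenant is the first path segment after /ccx/service/.
    return parts.hostname, segments[2]


# Constructed sample URL (hypothetical host and tenant).
SAMPLE_URL = (
    "https://wd2-impl-services1.example.com"
    "/ccx/service/acme_tenant/Financial_Management/v40.0"
)

if __name__ == "__main__":
    host, tenant = parse_workday_ws_url(SAMPLE_URL)
    print("Workday Hostname:", host)
    print("Workday Tenant:  ", tenant)
```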
Related articles
Connector Overview
Schema Information
API Connection Configuration