This onboarding guide takes you through the necessary steps to set up your Workday integration. Having read-only access to Workday allows Expel to dig deeper during incident investigations and to research potential health issues.


  • You must have a Workday account with the following three security groups assigned: System Administrator, System Auditor, Report Administrator.

Quick Links

Setup includes the following steps:

  1. Create the Expel User and Group in Workday
  2. Generate the API Credentials
  3. Enable Activity Logging
  4. Create a Custom Signon Report
  5. Add Workday as a Security Device in Workbench

Step 1: Create the Expel User and Group in Workday

You must create a new user account and a new security group just for Expel. Doing this keeps Expel activity separate from all other activity in the Workday console. Keep the Expel username and password on hand, as you will need them later in this guide.

  1. Log into the Workday device using your unique sign-in page.
  2. Use the Search bar to navigate to Create Integration System User.
  3. Fill in the Account Information.
    • User Name - enter "Expel_user".
    • Password - create and verify a password; be sure to save this password to a safe place, as you will need it to configure the integration in Workbench.
    • Session Timeout Minutes - enter 0.
    • Do Not Allow UI Sessions - select this option.
    • Select OK.
  4. Navigate to Maintain Password Rules, and then to System Users exempt from password expiration.
    • Add "Expel_user" to this list.
    • Select OK.
  5. Navigate to Create Security Group.
    • Type of Tenanted Security Group - select Integration System Security Group (Unconstrained).
    • Name - enter "Expel Client Security Group".
    • Select OK.
  6. Navigate to Edit Integration System Security Group (Unconstrained).
    • Add "Expel_user" to this list.
    • Select OK.
  7. Navigate to the System Auditing domain.
  8. Open the System Auditing Actions menu.
  9. Select Domain > Edit Security Policy Permissions.
  10. Add the Expel Client Security Group to each of these tables:
    • Report/Task Permissions - select View.
    • Integration Permissions - select Get.
  11. Select OK.
  12. Navigate to Activate Pending Security Policy Changes.
    • Add a comment to describe what you've done. For example: "Created the Expel ISU and security group. Modified the system auditing domain to include Report/Task view permissions, Integration get permissions."
    • Select OK to activate the changes.

Step 2: Generate the API Credentials

Expel interacts with Workday through the API. To allow for the integration, you must generate a key, secret key, and refresh token. You must also copy and save the REST API endpoint and token endpoint. You will need all of these values during Workbench configuration (Step 5).

  1. Navigate to Register API Client for Integrations.
    • Client Name - enter "Expel CollectorsCo".
    • Non-Expiring Refresh Tokens - select this option.
    • Scope (Functional Areas) - select System.
    • Select OK.
  2. A new Client ID and Client Secret will be generated. Save these keys to a safe place, as you will need them to configure the integration in Workbench. If you lose the Client Secret, you can create a new one with Generate New API Client Secret.
  3. Select Done.
  4. Navigate to View API Clients.
    • First, validate that the ExpelCollectorsCo API client exists.
    • Next, copy and save the following two endpoints from the top of the screen, above the table, as you will need them to configure the integration in Workbench. All endpoints must be set explicitly because of Workday's unique URL structure. 
      • The Workday REST API endpoint - example format:
        https://<tenant hostname>/ccx/api/privacy/v1/<tenant>
      • The Token endpoint - example format:
        https://<tenant hostname>/ccx/oauth2/<tenant>/token
  5. Navigate to the API Clients for Integrations tab.
    • Find the ExpelCollectorsCo client in the list and open the menu using the three dots.
    • Select API Client > Manage Refresh Token for Integrations.
    • In the Workday Account field, select Expel_user.
    • Select OK.
  6. On the Delete or Regenerate Refresh Token screen:
    • Select Generate New Refresh Token.
    • Select OK to generate the token.
    • Make a copy of the refresh token. Be sure to save it in a safe place, as you will need the token to configure the integration in Workbench.
    • Select Done.

Step 3: Enable Activity Logging

Activity logging enables all user activity to be recorded in a secure tenant database in Workday. Expel can then access this data via reporting.

  1. Navigate to Edit Tenant Setup - System and select Enable User Activity Logging.
  2. Select OK.
  3. Navigate to Edit Tenant Setup - Security.
  4. Under OAuth 2.0 settings, select OAuth 2.0 Clients Enabled.
  5. Select OK.

Step 4: Create a Custom Signon Report

The signon report allows Expel to pull and ingest all data from the activity logging.

  1. Navigate to Copy Standard Report to Custom Report.
    • From the Standard Report Name list, select Candidate Signons and Attempted Signons.
    • Select OK.
    • Change the Name to "Custom Signons and Attempted Signons Report for Expel".
    • Select Optimized for Performance.
    • Select OK.
  2. In the Data Source Filter field, select the Workday System Accounts Signons in Range filter.
  3. Go to the Columns tab, and use the + button to add each of the following fields:
    • Operating System
    • Password Changed
    • Request Originator
    • SAML Identity Provider
    • Forgotten Password Reset Request
    • Multi-Factor Type
    • Is Device Managed
    • UI Client Type
    • Browser Type
    • Device is Trusted
  4. In the Column Heading Override column, remove all text if any exists.
  5. Select the Advanced tab.
    • Under Web Service Options, select Enable As Web Service.
    • Select OK.
  6. Open the Share tab.
    • Select Share with specific authorized groups and users.
    • In the Authorized Users group, add the Expel_user.
    • Select OK.
  7. Select Done to save the custom report settings.
  8. In the search bar, search for Custom Signons and Attempted Signons Report for Expel and select OK to run the report.
    • Open the Actions menu and select Web Service > View URLs.
    • Select OK.
    • Find the JSON area and right click on the three dots, then select Copy URL.
  9. Paste the URL somewhere you can edit it, like a text editor.
    • Remove all query parameters from the URL.
    • Update the URL to include the Expel user and report name, so that it looks like this:
    • Save this URL in a safe place as your signon report endpoint, which you will need in the next section.
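
A pre-flight check for the values saved in Steps 2 and 4, added here as an example and not part of Expel's or Workday's tooling: it compares the REST API and token endpoints against the example formats from Step 2, and confirms the signon report endpoint has no query parameters and includes Expel_user. The function name, the tenant-name character set, and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Path formats taken from the example endpoints in Step 2.
# Assumption: tenant names use only letters, digits, "_" and "-".
REST_PATH = re.compile(r"^/ccx/api/privacy/v1/([\w-]+)/?$")
TOKEN_PATH = re.compile(r"^/ccx/oauth2/([\w-]+)/token/?$")


def check_workday_endpoints(rest_api, token, signon_report, isu="Expel_user"):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    urls = {"REST API": urlsplit(rest_api.strip()),
            "token": urlsplit(token.strip()),
            "signon report": urlsplit(signon_report.strip())}

    for name, url in urls.items():
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{name} endpoint must be an https:// URL with a hostname")
        if url.username or url.password:
            problems.append(f"{name} endpoint must not embed credentials")

    rest = REST_PATH.match(urls["REST API"].path)
    tok = TOKEN_PATH.match(urls["token"].path)
    if not rest:
        problems.append("REST API endpoint path is not /ccx/api/privacy/v1/<tenant>")
    if not tok:
        problems.append("token endpoint path is not /ccx/oauth2/<tenant>/token")
    if rest and tok and rest.group(1) != tok.group(1):
        problems.append("REST API and token endpoints name different tenants")
    if urls["REST API"].hostname != urls["token"].hostname:
        problems.append("REST API and token endpoints use different tenant hostnames")

    report = urls["signon report"]
    if report.query or report.fragment:
        problems.append("signon report endpoint still has query parameters")
    if isu not in report.path:
        problems.append(f"signon report endpoint does not include {isu}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the report path is a placeholder, not Workday's format.
    for problem in check_workday_endpoints(
            "https://wd.example.com/ccx/api/privacy/v1/acme",
            "https://wd.example.com/ccx/oauth2/acme/token",
            "https://wd.example.com/placeholder/Expel_user/report?format=json"):
        print("FIX:", problem)
```

An empty result means the three URLs agree with each other and with the formats shown in this guide; it does not test the credentials themselves.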

Step 5: Add Workday as a Security Device in Workbench

Now that you have configured the correct access and noted the credentials, you can configure the integration in Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select the Add Security Device button.
  4. In the search box, type “Workday” and then select the Workday integration.
  5. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Workday”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Client ID - enter the API Client ID from Step 2.
    • Client Secret - enter the API Client Secret from Step 2.
    • Refresh Token - enter the Refresh Token from Step 2.
    • Rest API Endpoint - enter the REST API endpoint from Step 2.
    • Token Endpoint - enter the token endpoint from Step 2.
    • Sign on report endpoint - enter the signon report endpoint from Step 4.
    • Sign on report username - enter "Expel_user".
    • Sign on report password - enter the password you created for Expel_user in Step 1.
    • Select Save.
  6. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, click on the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.