This procedure helps you integrate your Workday installation with the Expel Workbench.

You must have an account with these security groups assigned to it:

  • Security Administrator

  • System Auditor

  • Report Administrator

Enable console access

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity happening on the Workday console.

Step 1: Create an Integration System user account


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Log into the Workday device and navigate to Create Integration System User.

  2. Fill in the Account Information like this:

    • For User Name type Expel_user.

    • Create and verify a Password. Make note of it for use later.

    • For Session Timeout Minutes type 0.

    • Select Do Not Allow UI Sessions.

  3. Navigate to Maintain Password Rules and add Expel_user to the list of System Users exempt from password expiration.

Step 2: Create a security group

  1. Navigate to Create Security Group and fill in the fields like this:

    • For Type of Tenanted Security Group select Integration System Security Group (Unconstrained).

    • For Name type Expel Client Security Group.

    • For Email enter:

    • For Roles select the Expel role you created in the previous step.

    • Click Add New User.

  2. In the Edit Integration System Security Group (Unconstrained) window, add Expel_user to the Integration System Users list.

  3. Navigate to View Domain for the System Auditing domain.

  4. Open the System Auditing Actions menu and select Domain > Edit Security Policy Permissions.

  5. Add the Expel Client Security Group to these tables:

    • Report/Task Permissions: select View.

    • Integration Permissions: select Get.

    • Customer Report creation: select View and Modify.

    • System Auditing: select View and Get.

    • Security Administration: select Get.

  6. Navigate to Activate Pending Security Policy Changes and activate the changes.

Step 3: Generate API credentials

The normal interaction with Workday is through the API. This step creates the Access Key that allows Expel to use the API.

  1. Navigate to Register API Client for Integrations and fill in the fields like this:

    • For Client Name type Expel CollectorsCo.

    • Select Non-Expiring Refresh Tokens.

    • For Scope (Functional Areas) select System.

  2. Make note of the newly generated Client Secret and Client ID, which are used for registration in Workbench. If you lose the Client Secret, you can create a new one with Generate New API Client Secret.

  3. Navigate to View API Clients. All endpoints must be set explicitly, including the token_endpoint and rest_api_endpoint because of Workday's unique URL structure. Make a copy of these two endpoints for use later:

    • Workday REST API Endpoint (example: https://<tenant hostname>/ccx/api/privacy/v1/<tenant>)

    • Token Endpoint (example: https://<tenant hostname>/ccx/oauth2/<tenant>/token)

  4. Navigate to the API Clients for Integrations tab, find the Expel client in the list, and open the menu (3 dots) for that client.

  5. In the menu, select API Client > Manage Refresh Token for Integrations.

  6. On the Manage Refresh Tokens for Integrations screen, select Expel_user in the Workday Account field and click OK.

  7. On the Delete or Regenerate Refresh Token screen, select Generate New Refresh Token and click OK.

  8. Make a copy of the Refresh Token for use later and click Done.

Step 4: Enable activity logging

  1. Navigate to Edit Tenant Setup - System and select Enable User Activity Logging.

  2. Navigate to Edit Tenant Setup - Security and select OAuth 2.0 Clients Enabled.

Step 5: Create a custom signon report

  1. Navigate to Copy Standard Report to Custom Report and select Candidate Signons and Attempted Signons from the Standard Report Name list.

  2. Change the Name to Custom Signons and Attempted Signons Report for Expel and select Optimized for Performance.

  3. Edit the Data Source Filter field and select the Workday System Accounts Signons in Range filter.

  4. Go to the Columns tab, click the + button and add these fields:

    • Operating System

    • Password Changed

    • Request Originator

    • SAML Identity Provider

    • Forgotten Password Reset Request

    • Multi-Factor Type

    • Is Device Managed

    • UI Client Type

    • Browser Type

    • Device is Trusted

  5. In the Column Heading Override column, remove the text for Field > Session ID and Field > System Account.

  6. Open the Advanced tab, and under Web Service Options, select Enable As Web Service.

  7. Open the Share tab, select Share with specific authorized groups and users, and then add Expel_user to Report Owned by.

  8. Click Done to finish saving the custom report settings.

  9. Search for Custom Signons and Attempted Signons Report for Expel in the search bar and run the report.

  10. On the report screen, open the Actions menu and select Web Service > View URLs.

  11. Click OK and copy the URL from the JSON link.

  12. Remove query parameters from the URL so that it contains <tenant>/<account_name>/<report_name> and add the Expel_user within the URL: https://<instance>/ccx/service/customreport2/<tenantID>/Expel_user/Custom_Signons_and_Attempted_Signons_Report_for_Expel_New
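
The URL cleanup in the last item, together with the two endpoint shapes copied in Step 3, can be checked before anything is pasted into Workbench. The following is an added example, not Expel or Workday code: the function names, the sample hostname, tenant and owner are constructed, and it assumes the same tenant name appears in all three URLs and that the account segment is set to Expel_user as in the example URL above.

```python
from urllib.parse import urlsplit, urlunsplit

REPORT_PREFIX = ["ccx", "service", "customreport2"]
# Constructed sample: hostname, tenant, owner and query string are made up.
COPIED = ("https://wd.example.com/ccx/service/customreport2/acme_tenant/jdoe/"
          "Custom_Signons_and_Attempted_Signons_Report_for_Expel?format=json")

def _segments(url):
    """Split an https URL into (netloc, path segments); reject anything else."""
    parts = urlsplit(url.strip())
    # Refuse plain http and URLs that embed credentials (user:pass@host).
    if parts.scheme != "https" or not parts.hostname or parts.username:
        raise ValueError(f"not a plain https URL: {url!r}")
    return parts.netloc, [s for s in parts.path.split("/") if s]

def normalize_report_url(copied_url, account="Expel_user"):
    """Drop query/fragment and set the account segment; return (url, tenant)."""
    host, segs = _segments(copied_url)
    if segs[:3] != REPORT_PREFIX or len(segs) != 6:
        raise ValueError("expected /ccx/service/customreport2/<tenant>/<account>/<report>")
    tenant, _, report = segs[3:]
    path = "/" + "/".join(REPORT_PREFIX + [tenant, account, report])
    return urlunsplit(("https", host, path, "", "")), tenant

def check_endpoints(report_url, token_endpoint, rest_endpoint):
    """Return a list of problems; an empty list means the three values agree."""
    problems = []
    _, tenant = normalize_report_url(report_url)
    _, tok = _segments(token_endpoint)
    _, rest = _segments(rest_endpoint)
    # Token endpoint shape from Step 3: /ccx/oauth2/<tenant>/token
    if len(tok) != 4 or tok[:2] != ["ccx", "oauth2"] or tok[3] != "token":
        problems.append("token endpoint is not /ccx/oauth2/<tenant>/token")
    elif tok[2].lower() != tenant.lower():
        problems.append("token endpoint tenant differs from report tenant")
    # REST endpoint shape from Step 3: /ccx/api/privacy/v1/<tenant>
    if len(rest) != 5 or rest[:4] != ["ccx", "api", "privacy", "v1"]:
        problems.append("REST endpoint is not /ccx/api/privacy/v1/<tenant>")
    elif rest[4].lower() != tenant.lower():
        problems.append("REST endpoint tenant differs from report tenant")
    return problems

if __name__ == "__main__":
    url, tenant = normalize_report_url(COPIED)
    print(url)
    print(check_endpoints(url, f"https://wd.example.com/ccx/oauth2/{tenant}/token",
                          f"https://wd.example.com/ccx/api/privacy/v1/{tenant}"))
```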

Step 6: Configure the technology in Workbench

  1. In a new browser tab, log into Workbench. This link opens the Add Security Device screen directly.

  2. Fill in the fields like this:

    • Where is your device?: select Cloud.

    • Name and Location: any meaningful name (Expel, for example) and location that help you keep track of the integration.

    • Client ID: Client ID generated in Step 3.3.

    • Client Secret: Client Secret generated in Step 3.3.

    • Refresh token: Refresh token generated in Step 3.10.

    • REST API endpoint: REST API endpoint copied in Step 3.5.

    • Token endpoint: Token endpoint copied in Step 3.5.

    • Sign on report endpoint: Endpoint copied in Step 5.16.

    • Sign on report username: Username created in Step 1.2.

    • Sign on report password: Password created in Step 1.2.

