Connecting Workday to Drata allows for automated checks and evidence collection to provide details on personnel hire and separation dates as well as their employment status.
Key Capabilities
Personnel synchronization: Syncs employment status, hire dates, and key personnel attributes from the HRIS.
Lifecycle classification: Uses HRIS data to detect hire and termination events that support onboarding and offboarding compliance requirements.
Read-only ingestion: Retrieves HR data using read-only access without modifying information in the HRIS system.
Prerequisites & Data Access
Administrator access to your Workday tenant
Ability to create:
An Integration System User (ISU)
An Integration System Security Group (Unconstrained)
Ability to maintain and activate domain security policies
Must be assigned one of the following Drata roles: Admin, Workspace Managers, DevOps Engineer.
If you have the Access Reviewer Drata role, you can only view the Connections page.
Permissions & Data Table
Permission / Scope | Why It’s Needed | Data Accessed (Read Only) |
Worker Data: Public Worker Reports | Minimum required HRIS visibility | Worker identifiers |
Worker Data: Employment Data | Determine hire and termination dates | Hire date, termination date, status |
Worker Data: Current Staffing Information | Determine current employment state | Active/inactive status |
Worker Data: Workers | Retrieve personnel records | Worker metadata |
Worker Data: All Positions | Retrieve job and position details | Job title, position |
Worker Data: Organization Information | Surface org hierarchy | Department, manager |
Person Data domains | Retrieve identity and contact details | Name, work email |
Reports / Payroll / Time Off (if enabled) | Support optional HRIS data visibility | Payroll, time off, timesheets |
Step-by-Step Setup
Step 1: Create a Workday ISU
In your Workday portal search and click on Create Integration System User.
Create a User Name and Password then click OK. This User Name will be used in the next section as well.
The username will be used later when connecting to Drata.
Do not enable “Require new password at next sign in.”
Passwords must not contain &, <, or > characters.
To prevent password expiration:
Now search and click on Maintain Password Rules.
Add the ISU that you just created to the section that says System Users exempt from password expiration.
Save the Integration System User name and password. You will need it during the connection process.
Expected outcome:
You have a non-expiring Integration System User ready for the integration.
Step 2: Create and add user to the Security Group
Search and click on Create Security Group
On the Create Security Group page:
Type of Tenanted Security Group: Select Integration System Security Group (Unconstrained)
Name: Enter a name
Select OK.
On the Edit Integration System Security Group (Unconstrained):
Name: Enter a name. Remember the name. You will use it in the next step.
Integration System Users: Enter the same name you entered when creating the ISU in the first section
Select OK.
Expected outcome:
The ISU is assigned to a security group that will control its access.
Step 3: Configure Permissions
Search and click on Maintain Permissions
Ensure Operation is Maintain.
Enter the security group name you created in the previous section for Source Security Group.
On the next screen, add the corresponding Domain Security Policies Permissions:
Operation | Domain Security Policy |
View Only | Worker Data: Public Worker Reports |
Get Only | Manage: Organization Integration (required to surface the Organization Hierarchy) |
Get Only | Worker Data: Organization Information |
Get Only | Person Data: Name |
Get Only | Person Data: Personal Data |
Get Only | Person Data: Home Contact Information |
Get Only | Person Data: Work Contact Information |
Get Only | Person Data: Private Work Email Integration (required to surface work email of Employees) |
Get Only | Person Data: Public Work Email Address Integration (required to surface work email of Employees) |
Get Only | Worker Data: All Positions |
Get Only | Worker Data: Compensation |
Get and View Only | Worker Data: Compensation - All Worker’s Positions Past and Present (required to surface Employee compensation) |
Get Only | Worker Data: Compensation by Organization |
Get Only | Worker Data: Current Staffing Information (required to surface Employment Status of Employees) |
Get Only | Worker Data: Employment Data |
Get Only | Worker Data: Workers |
Get Only | Reports: Pay Calculation Results for Worker (Results) |
Get Only | Worker Data: Payroll |
Get Only | Process: Export Time Blocks (required to retrieve Timesheet Entries) |
Get Only | Worker Data: Time Off* can be found here. |
Learn more at Workday - What permissions do I need for HRIS data?
Expected outcome:
The security group has the required read-only access to HRIS data.
Step 4: Activate Security Policy
We'll need access to your specific Workday web services endpoint:
Search and click on Activate Pending Security Policy Changes
Review the pending changes.
Add comments if required.
Approve and activate the changes.
Expected outcome:
All domain security permissions are active.
Step 5: Validate Authentication Policy
Search and click on Manage Authentication Policies
Click Edit on the authentication policies row
Click the + icon on the left to create a new Authentication Rule
Enter an Authentication Rule Name.
Select the Security Group that you previously created
Under “Allowed Authentication Types,” select Specific > User Name Password or Any.
Expected outcome:
The ISU can authenticate successfully using username and password.
Step 6: Activate pending auth policy changes
Search and click on Activate Pending Security Policy Changes
Proceed to the next screen and confirm the changes
This will save the Authentication Policy that was just created or edited
Expected outcome:
The updated authentication policy is active and enforced.
Step 7: Enter your Web Services Endpoint URL
Search in Workday for Public Web Services
Open the Public Web Services Report
Hover over Human Resource and click the three dots to access the menu
Click Web Services, and then click View WSDL
The WSDL opens in a new browser tab as a text-based (XML) page.
Scroll down and locate the line that contains the service address URL (the value inside the soap:address location field). Copy the full URL.
Paste this value into the Web Services Endpoint URL field in Drata.
For the following URL path /service/acme/Human_Resources/v42.1 you would copy this: https://services1.myworkday.com/ccx/service/acme/Human_Resources/v42.1
Expected outcome:
You have entered the correct Workday Web Services Endpoint required to complete the connection.
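The check below is an added example, not Drata's or Workday's code. It reads the service address out of a saved copy of the WSDL from Step 7 and sanity-checks it before the ISU credentials are ever sent to it. The sample WSDL is constructed, and the expected path shape is an assumption generalized from the single example URL above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# WSDL SOAP 1.1 / 1.2 binding namespaces; matching on these finds the address
# element whatever prefix the document uses (soap:, soapbind:, ...).
SOAP_NS = ("http://schemas.xmlsoap.org/wsdl/soap/",
           "http://schemas.xmlsoap.org/wsdl/soap12/")
# Assumption: path shape generalized from this page's single example URL.
PATH_RE = re.compile(r"^/ccx/service/[^/]+/Human_Resources/v\d+(\.\d+)?$")

# Constructed, heavily trimmed WSDL; the location is this page's example URL.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <wsdl:service name="Human_ResourcesService">
    <wsdl:port name="Human_Resources">
      <soap:address location="https://services1.myworkday.com/ccx/service/acme/Human_Resources/v42.1"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

def endpoint_from_wsdl(wsdl_text):
    """Return the single soap:address location declared in the WSDL."""
    root = ET.fromstring(wsdl_text)
    found = {el.get("location", "").strip()
             for ns in SOAP_NS for el in root.iter(f"{{{ns}}}address")}
    found.discard("")
    if len(found) != 1:
        raise ValueError(f"expected exactly one service address, got {sorted(found)}")
    return found.pop()

def validate_endpoint(url):
    """Return a list of problems; an empty list means the value looks right."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("missing host")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    if parts.query or parts.fragment:
        problems.append("unexpected query or fragment")
    if not PATH_RE.match(parts.path):
        problems.append("path is not /ccx/service/<tenant>/Human_Resources/v<version>")
    return problems

if __name__ == "__main__":
    url = endpoint_from_wsdl(SAMPLE_WSDL)
    print(url, validate_endpoint(url) or "OK")
```

Pasting only the URL path instead of the full URL is reported as a missing scheme, a missing host and a path mismatch.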








