All Collections
HRIS (Human Resources Information System)
Workday - Constrained Security Group Authentication
Workday - Constrained Security Group Authentication

How to provide access to only a subset of Employees from the Workday System

Collin Peterson avatar
Written by Collin Peterson
Updated over a week ago

This article is intended for HelloTeam users with ADMIN Access Level

Before linking your Workday, we'll need to make sure that the correct permissions are enabled. Below are some detailed steps for granting permissions. Steps One through Five are done within your Workday portal, whereas the last step is done on your HelloTeam representative.

Step One: Create an Integration System User (ISU)

  1. In your Workday portal, log into the Workday tenant.

  2. In the Search field, type Create Integration System User.

  3. Select the Create Integration System User task.

  4. On the Create Integration System User page, in the Account Information section, enter a user name, and enter and confirm a password.

  5. Click OK.

Note: due to xml encoding, "&", "<", and ">" cannot be included in the password.

Note: Ensure Require New Password at Next Sign In is NOT checked.

Note: You'll want to add this user to the list of System Users to make sure the password doesn't expire.

Step Two: Create a Constrained Integration Security Group and Assign the above Integration System User

Now, add this Integration System User to a Security Group:

  1. In the Search field, type Create Security Group.

  2. Select the Create Security Group task.

  3. Click OK.

  4. On the Create Security Group page, from the Type of Tenanted Security Group pull-down menu, select Integration System Security Group (Constrained).

  5. In the Name field, enter a name.

  6. Click OK.

  7. On the Edit Integration System Security Group (Constrained) page, in the Integration System Users field, enter the ISU you created in Section 1.

  8. Now under Organizations, you will need to select the appropriate way you'd like to limit access from your Workday instance.

The ways to segment your Workday Access via Organizations

When going through Organizations, you have several options in regards to how you'd like to limit the data accessible to the ISU.

  1. We recommend selecting a specific Organization Structure within your larger Company to segment by.

  2. After clicking on "All Organizations by Type", you can further narrow down by selecting which Type you'd like to segment by.

    1. The recommended Types are:

      1. Company

      2. Cost Center

      3. Division

      4. Region

  3. From there, you can select the specific Instances within your Workday Organization that you'd like to be synced over from this security Group (specific Regions, divisions, etc.)!

  4. After you have configured the Organization Structures you'd like to be accessible from the ISU, please navigate to "Access Rights to Organization".

    1. Depending on how you'd like to configure access, it can either be to the specific criteria you've applied on the Organizations section OR the criteria you applied as well as all organizations that fall under.

      1. If you have only selected a top level organization, you should click "Applies to Current Organization And All Subordinates"

Once is this all completed, please click OK to save the Constrained Security Group!

Step Three: Configure Domain Security Policy Permissions

  1. In the Search field, type Maintain Permissions for Security Group

  2. Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2.

  3. Add the corresponding Domain Security Policy with GET operation:

Please note the permissions listed below are the required permissions for the full HRIS API. Permissions can differ from implementation to implementation.

Parent Domains for HRIS:

  • Job Requisition Data

  • Person Data: Name

  • Person Data: Personal Data

  • Person Data: Home Contact Information

  • Person Data: Work Contact Information

  • Worker Data: Compensation

  • Worker Data: Workers

  • Worker Data: All Positions

  • Worker Data: Current Staffing Information

  • Worker Data: Public Worker Reports

  • Worker Data: Employment Data

  • Worker Data: Organization Information

  • Worker Data: Time Off**

** Specific instructions to allow access to Time Off data can be found here.

Parent Domains for ATS:

  • Candidate Data: Job Application

  • Candidate Data: Personal Information

  • Candidate Data: Other Information

  • Pre-Hire Process Data: Name and Contact Information

  • Job Requisition Data

  • Person Data: Personal Data

  • Person Data: Home Contact Information

  • Person Data: Work Contact Information

  • Manage: Location

  • Worker Data: Public Worker Reports

For a more detailed breakdown of the functional areas that are needed: here

Step Four: Activate Security Policy Changes

  1. In the search bar, type "Activate Pending Security Policy Changes" to view a summary of the changes in the security policy that needs to be approved.

  2. Add any relevant comments on the window that pops up

  3. Confirm the changes in order to accept the changes that are being made.

Step Five: Validate Authentication Policy is Sufficient

Check the Manage Authentication Policies section to ensure the ISU you created is added to a policy that can access the necessary domains. It should not be restricted to only the "SAML" Allowed Authentication Types โ€“ if this is the case, you can create a new Authentication Policy with a "User Name Password" Allowed Authentication Type.

  1. Editing Authentication Policies

  2. Create an Authentication Rule, and add the Security Group to the Rule

  3. Make sure the Allowed Authentication Types is set to specific User Name Password or set to Any

Step Six: Activate All Pending Authentication Policy Changes

  1. In the search bar type, Activate All Pending Authentication Policy Changes

  2. Proceed to the next screen, and confirm the changes. This will save the Authentication Policy that was just created.

Step Seven: Obtain the Web Services Endpoint for Workday Tenant

We'll need access to your specific Workday web services endpoint:

  1. Search in Workday for Public Web Services.

  2. Open Public Web Services Report.

  3. Hover over Human resources and click the three dots to access the menu.

  4. Click Web Services > View WSDL.

  5. Navigate to the bottom of the page that opens and you'll find the host.

  6. Copy everything until you see /service. This should look something like

Share Credentials with your HelloTeam Representative

  1. Workday URL: The Web Services Endpoint you found from Step 5.

  2. User ID: The Integration System User name for the user created in Step One.

  3. Password: The Integration System User password for the user created in Step One.

  4. Workday Tenant Name: Your Workday Tenant name.

    1. Example: If you sign in at "", share "acme".


  • Linked Implementation Workday accounts will result in slower syncs as there are fewer resources dedicated to the tenant.

  • The password used cannot contain an "&" or "<", ">" signs.

  • Please make sure to exempt the ISU Account from MFA and SSO

To ensure you are viewing the most current information
regarding this specific HRIS, please visit:

Did this answer your question?