Brex and Workday HRIS
Overview
This guide covers setup instructions for integrating your Workday account with Brex. Note: Workday configures their permissions on a field level, so we’ll need access to a number of fields to get things up and running.
Integration System Security Group (ISSG)
Create an ISSG
Step 1: Type “create security group” in the Workday search bar and click Create Security Group. Step 2: From Type of Tenanted Security Group, select Integration System Security Group (Unconstrained) and give the group a name like “Sample_Brex_ISSG”. Click Ok.
Step 3: On the next screen, under Integration System Users, add the ISU you created in Step 1 to the list. Click OK, and then Done.
Integration System User (ISU)
Create an ISU
Step 1: Type “Create Integration System User” in the Workday search bar and select the task.
Step 2: Enter a new username and password in accordance with your rules.
Note: Keep the Session Timeout Minutes default value of 0 to prevent session expiration. An expired session can cause the integration to time out before it successfully completes.
Step 3: Select Do Not Allow UI Sessions if you want to prevent the integration system user from signing in to Workday through the UI.
Step 4: To avoid integration errors caused by expired passwords, search for the Maintain Password Rules task and add the integration system user to the System Users exempt from password expiration field.
Assign to ISSG
Step 1: Create your ISSG, following the instructions above. Step 2: On the next screen, under Integration System Users, add your ISU to the list. Step 3: Click OK, and then Done.
Configure domain security policy permissions
Now you can ensure that the ISSG has access to the necessary business domains. In the Security Group, edit the Domain Security Policy Permissions and add the following GET ONLY operations:
- Worker Data: Current Staffing Information
- Worker Data: Public Worker Reports
- Worker Data: Personal Data
To do this, follow these steps. Step 1: Type “View Security Group” in the Workday search bar, select your newly created ISSG, and click OK. Step 2: On the next page, click the ellipsis icon after the Security Group name and select Tenanted Security Group > Copy.
Step 3: Select Maintain to be be added to the specified business domains listed above.
Step 4: Add the necessary domains by selecting “+”.
Step 5: After you’ve added all of the necessary domains, activate the security policy changes by typing “Activate Pending Security Policy Changes” in the Workday search bar and selecting the result. Step 6: Enter a comment (e.g., “Brex implementation”), then click OK to activate.
Step 7: Check the Confirm checkbox verifying the changes that need to be activated.
Manage authentication policies
Step 1: In production, add the ISU security group to the authentication policy in Workday to allow for access. Step 2: Type “Manage Authentication Policies” and select the correct environment.
Step 3: Add the ISSG that was created to the necessary group (this will vary depending on your setup). Click Done.
Step 4: Activate your policy changes after you make the change, located on the Manage Authentication Policies screen. Step 5: Select Activate All Authentication Policies, add the comment, and click OK. Check the Confirm checkbox to activate.
Obtain the web services endpoints for the Workday tenant
You can find your Workday HR endpoints by following the steps below. Step 1: Search for and open Public Web Services in Workday. Step 2: Hover over Human resources and click the three dots to access the menu Step 3: Click Web Services > View WSDL. Step 4: At the bottom of the following page, find the host, which will look something like this:
Note: Endpoints differ across tenants, so please provide us with endpoints for each testing environment.