Skip to content

Managing access to data sources

Scopes and Security Groups will be required to access your chosen Workday data sources.


To create an API client in Workday, refer to Workday Extract authentication guide.

Workday has very granular security, using security groups, domains, roles, and policies, which all overlap. This can increase the complexity to provide users and integrations with the correct scopes (Functional Areas) to ensure appropriate access to data.

There are two important considerations:

  1. API clients created in Workday will be limited by the permissions of the user who created the API client. For example, if an API client is created by a user within the Implementer Security Group, the API client will be limited to only the data sources that the Implementer Security Group and the user has access to.
  2. Access to data sources can be further limited by the use of scopes (Functional Areas) in the API client, limiting the API client access to just the areas of Workday that are pertinent to the integration.

Configuring integration access for the user


It's recommended that the user creating the API client is provided with as wide a range of View/Get access to as many Functional Areas as possible, and then limit access through the actual API Client Scope (Functional Area).

Follow these steps to configure integration access:

  1. On the Workday home page, type "Domain security policies for functional area" into the search bar, then click on the Domain Security Policies for Functional Area report.
  2. The Domain Security Policies for Functional Area dialog will appear. In the Functional Area field, search for and select which Functional Area that will need to be accessed, then click OK.

    Security Policies Search

  3. The Domain Security Policies for Functional Area dialog will appear. In the left panel, select a domain security policy to edit. Then, in the right panel, click Edit Permissions.


    It's recommneded that you provide access to a wide range of functional areas, but to limit the scopes to just Get and View permissions.

    Edit Permissions

  4. The Edit Permissions dialog for the selected domain security policy will appear. Scroll down to the Integrations Permissions table, and click + just below the heading.

  5. A new table row will appear. In the field provided, search for and select the name of a security group in which the user is listed.
  6. Tick the appropriate checkboxes in the Get and Put columns, and click OK.
  7. Tick the checkbox under Get if the integration will be used to load Workday data into Matillion ETL, and/or tick the checkbox under Put if the integration will be used to sync data from Matillion ETL into Workday. Click OK to confirm your changes to the Edit Permissions dialog.


    Notice the Alerts on the top right of the dialog after clicking OK. This is alerting you to the fact that none of the changes made to these security policies will take effect until they are activated.

    Select Columns


    Steps 3-7 will need to be repeated for every security policy the Integration System Security Group will need access to, unless the Integrated System Users are included in a Security Group with greater access privileges.

  8. On the Workday home page, type "Activate pending security policy changes" into the search bar, then click on the Activate Pending Security Policy Changes task.

  9. The Activate Pending Security Policy Changes dialog will appear. A description of the security changes made in the previous steps will need to be entered in the Comment field, before clicking OK.
  10. A summary of these security changes will then appear. These will need to be reviewed and confirmed by ticking the Confirm checkbox. Then click OK.


Configuring integration access for the API Client

From the Workday homepage, type "Register API Client". Click Register API Client in the search results to open the dialog.

Registering API Client

Scroll down the page, and complete the Scope (Functional Areas) field to configure the integration access for the API Client. Use the in-field menus to search for the intended scopes (Functional Areas).


All API clients configured for a Matillion ETL integration will require, as a minimum, the following scopes (Functional Areas):

Scope Description
Integration Create and configure integrations, as well as enabling use of key tooling such as integration systems, integration templates, integration attributes, and integration maps.
System Set up, maintain, and report on Business Processes, Report Writer, Discovery Boards, Scheduling, Security, Calendar, Landing Pages, Data Translation, and other system-wide objects.
Tenant Non-Configurable View transactions that are granted to users inherently in the Workday system, which can't be changed.

The above scopes will provide access to both Custom Reports and WQL.

Example: Get workers

Once all the above-mentioned scopes (Functional Areas) have been configured, if the API client requires access to the Get Workers data sources within the Staffing operation, the following additional scopes (Functional Areas) may be needed depending on what data the Matillion ETL integration seeks to access:

Scope Description
Staffing Set up, manage, and report on positions, jobs, and contracts for workers. Manage the worker employment life cycle—including hire, transfer, termination, and position details.
Organizations and Roles Set up and administer organizations, organization types, and committees. Create and manage reorganization events. Set up organization roles and membership rules.
Regulatory Reporting (HCM) Perform workforce regulatory actions and reporting.