Stephen Gilmore

🛡️ Minimum Workday ISU security

Workday October 4th, 2022 3 minute read.

Just about every Workday integration and integration system user (ISU) is going to need to do at least one of the following:

1. Own a custom report.
2. Own a scheduled integration event.
3. Share the output of a scheduled report.

Despite my best searching on Workday Community for the last, oh, 5+ years, I haven't seen a definitive post or answer to this anywhere. So, I can't say this is the absolute best way to set things up, but I'm reasonably happy with it.

1. Own a custom report

This is super helpful so that reports and integrations don't start to fail when someone leaves the organization or the report owner changes for some other reason. The task Edit Custom Report requires Modify access on the Custom Report Creation domain security policy.

2. Own a scheduled future process

Same as above, this is very helpful to avoid personnel-related issues. The ability to own a scheduled future process requires Modify access to the Integration Event domain security policy.

3. Share the output of a scheduled report

This permission lets the ISU deliver the results of a scheduled future process report that it owns to other users. It requires View access to the Report Output Sharing domain security policy. Note: you will lose the shared-with users when you transfer ownership of the scheduled future process and must manually add them back.

Exceptions!

This security shouldn't be applied blindly because it isn't always needed. One of many examples: you have an ISU that just gives someone access to pull data from a report. Your ISU would only need Modify on Custom Report Creation and wouldn't have any need for security around scheduled future processes.

Bonus Tip: Create a common security group for these permissions

It's not too uncommon to eventually end up with 50+ or even 100+ integration systems in Workday, even as a smaller customer. So if you don't want to repeat doing this for every integration you come across, I like to create a single Unconstrained Integration System Security Group with just a few basic permissions. Naming it something like ISSG Basic Shared Integration Security would do fine.
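
A shared group hands all three permissions to every ISU in it, which is exactly what the Exceptions section warns against. The following least-privilege check is an added example, not part of the original post: it compares the grants each ISU receives with what that ISU is actually used for. The CSV layout, ISU names, the second group name, the usage inventory and the Modify-covers-View ranking are constructed assumptions, not a Workday export format.

```python
import csv
import io

# Minimum grants named in the post, keyed by what the ISU actually does.
REQUIRED = {
    "owns_report": ("Custom Report Creation", "Modify"),
    "owns_schedule": ("Integration Event", "Modify"),
    "shares_output": ("Report Output Sharing", "View"),
}
DOMAINS = {domain for domain, _ in REQUIRED.values()}
RANK = {"View": 1, "Modify": 2}  # assumption: Modify also satisfies a View need
# Constructed sample data (not a Workday export format).
GRANTS_CSV = """isu,group,domain,access
ISU_Payroll_Out,ISSG Basic Shared Integration Security,Custom Report Creation,Modify
ISU_Payroll_Out,ISSG Basic Shared Integration Security,Integration Event,Modify
ISU_Payroll_Out,ISSG Basic Shared Integration Security,Report Output Sharing,View
ISU_Report_Pull,ISSG Basic Shared Integration Security,Custom Report Creation,Modify
ISU_Report_Pull,ISSG Basic Shared Integration Security,Integration Event,Modify
ISU_Report_Pull,ISSG Basic Shared Integration Security,Report Output Sharing,View
ISU_Benefits_Feed,ISSG Benefits Feed,Custom Report Creation,Modify
ISU_Benefits_Feed,ISSG Benefits Feed,Placeholder Data Domain,View
"""
USAGE = {
    "ISU_Payroll_Out": {"owns_report", "owns_schedule", "shares_output"},
    "ISU_Report_Pull": {"owns_report"},
    "ISU_Benefits_Feed": {"owns_report", "owns_schedule"},
}

def effective(rows):
    """Highest access per (isu, domain) across groups, for the three domains only."""
    eff = {}
    for r in rows:
        key = (r["isu"], r["domain"])
        if r["domain"] in DOMAINS and RANK[r["access"]] > RANK.get(eff.get(key), 0):
            eff[key] = r["access"]
    return eff

def audit(grants_csv, usage):
    """Per ISU: domains where access is below the need, and domains above it."""
    eff = effective(csv.DictReader(io.StringIO(grants_csv)))
    report = {}
    for isu, needs in usage.items():
        want = dict(REQUIRED[n] for n in needs)
        have = {d: a for (i, d), a in eff.items() if i == isu}
        report[isu] = {
            "missing": sorted(d for d, a in want.items() if RANK[a] > RANK.get(have.get(d), 0)),
            "excess": sorted(d for d, a in have.items() if RANK[a] > RANK.get(want.get(d), 0)),
        }
    return report
```

Calling `audit(GRANTS_CSV, USAGE)` on the sample flags the report-only ISU as holding two grants it does not need through the shared group, and the benefits ISU as missing the grant required to own its schedule.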