Workday requirements

To use Entitlement Management with Workday, you must perform specific configuration steps in both the Workday tenant and the Okta Admin Console. This ensures that the Okta Governance Engine has the necessary permissions and connectivity to manage user assignments.

This integration only supports User-Based Security Groups. Other security group types, such as role-based security groups, aren't supported.

Before you begin

  • You have administrative access to your Workday tenant and the necessary permissions to modify security groups and domains.

  • You've created the User-Based Security Group Event For User business process in Workday.

  • You have the Okta super admin role.

  • If provisioning is already configured for Workday in Okta, you've disabled it while you configure the Governance Engine.

Workday configuration tasks

You have to grant the Okta Integration System User (ISU) permissions to allow Okta to manage security group assignments.

Configure user-based security group permissions

Assign the required functional permissions to the Okta Integration System User (ISU) so it can read and update user-based security groups.

  1. In the Workday search bar, enter Maintain Permissions for Security Group.

  2. In the Source Security Group, select the security group associated with your Okta Integration System User (ISU).

  3. Click OK to confirm your selection.

  4. In the Domain Security Policy Permissions, locate the User-Based Security Group Administration domain.

  5. Assign the necessary permissions:

    • GET: To read existing group memberships.

    • PUT: To add or remove users from groups.

  6. Click OK, and then click Done.

Configure Business Process (BP) security

Update the business process policy to allow the Okta Integration System User (ISU) to trigger security group membership changes.

  1. In the Workday search bar, enter bp: User-Based Security Group Event For User.

  2. Click the Related Actions (ellipsis icon) next to the business process name.

  3. Select Business Process Policy > Edit.

  4. Locate the Initiating Action section for the User-Based Security Group Event for User (Web Service).

  5. In the Security Groups, add your Okta Integration System security group to the list of allowed security groups.

  6. Click OK.

Activate security changes

You must activate permissions that you have assigned to your policy.

  1. In the Workday search bar, enter and select Activate Pending Security Policy Changes.

  2. In the Comment box, enter a brief description of the change (for example: Enabling permissions for OIG Entitlement Management) and then click OK.

  3. Select Confirm to acknowledge the changes.

  4. Click OK.

Okta configuration tasks

Once the Workday permissions are set, you must enable Entitlement management and configure provisioning settings in Okta.

Enable the Governance Engine

Enable Entitlement management on the Workday app instance to allow the Okta Governance Engine to manage security group assignments.

  1. In the Admin Console, go to Applications > Applications.

  2. Select your Workday app and go to the General tab.

  3. In the Entitlement management section, click Edit.

  4. From the Entitlement management dropdown menu, select Enabled.

    If provisioning is configured, disable it on the Provisioning tab first. After you enable Entitlement Management, you must return to the Provisioning tab to re-enable it.

  5. Click Save.

Configure the API integration and provisioning

Configure the Workday API settings to allow the Governance Engine to discover security groups and push entitlement updates to users.

  1. In the Workday app, go to the Provisioning tab and select Integration.

  2. Click Edit and ensure that Enable API Integration is selected.

  3. In the Integration settings, ensure that Import Groups is checked. This allows Okta to discover user-based security groups.

  4. Click Save.

  5. Select To App from the left-side menu and click Edit.

  6. Locate Update User Attributes and select Enable. This allows Okta to push entitlement changes back to Workday.

  7. Click Save.

Related topics

Configure a provisioning-enabled app

Provisioning-enabled app limits