Introduction
This guide provides step-by-step instructions for configuring your Workday environment to integrate with Auditoria AP Invoices.
You will:
Create a dedicated Integration System User (ISU).
Create and configure an Integration System Security Group (ISSG).
Assign the required Domain Security Policies (including Workday Query Language/WQL access).
Register an API client and generate a Refresh Token.
Connect Auditoria AP Invoices to your Workday tenant.
These configurations ensure that Auditoria can securely read and (optionally) write AP invoice data in Workday, including vendor master, supplier invoices, and related financial information.
Audience
This article is intended for:
Workday Administrators with:
Integration configuration access.
Security and Domain Security Policy management permissions.
API client registration and WQL access.
Coordination with your Auditoria Customer Success Representative is recommended during initial setup and whenever you modify security or integration scope.
Prerequisites
Before you begin, ensure the following:
An active Auditoria subscription for AP Invoices.
Workday administrator credentials.
Ability to:
Create Integration System Users (ISU).
Create and manage Integration System Security Groups (ISSG).
Configure Domain Security Policies.
Access Workday Public Web Services.
Register API Clients for Integrations in Workday.
1. Get Your Workday Hostname and Tenant Name
To configure the Workday connection in Auditoria, you need your Workday hostname and tenant name.
Log in to Workday using your administrator account.
In the Workday search bar, type
Public Web Servicesand press Enter.In the results, filter the Web Services column to only show entries for Revenue Management.
Locate Revenue Management (Public) Web Service.
Click the ellipsis (three dots) next to it and select:
Web Service > View WSDL.In the WSDL file:
Search for the final occurrence of
Revenue_Management.Locate the endpoint URL, for example:
https://wd1-impl-services1.workday.com/ccx/service/your-tenant-name/Revenue_Management/v37.0From this URL:
Hostname:
wd1-impl-services1.workday.comTenant Name:
your-tenant-name
Copy both values. You will use them later in the Auditoria connection settings.
Note: The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.
2. Create the Workday Integration System User (ISU) for Auditoria
Create a dedicated Integration System User that Auditoria will use for API/WQL access.
Log in to Workday as an administrator with ISU management permissions.
In the search bar, type
Create Integration System Userand press Enter.On the Create Integration System User page, configure:
User Name (required):
Use a descriptive name such asISU_Auditoriaor a variant specific to SmartVendor.Generate Random Password (optional):
Check this box if you want Workday to auto-generate a password.
If selected, you do not enter a manual password.
New Password / New Password Verify (required if not generating random):
Enter a secure password that meets the Workday Password Rules (minimum length and complexity).
Require New Password at Next Sign In (optional):
Typically not required for integration users, unless mandated by your security policy.Session Timeout Minutes Enforced / Session Timeout Minutes (optional):
Configure session timeout according to your organization’s policies.
Do Not Allow UI Sessions (optional but recommended):
Check this to prevent the ISU from logging into the UI.
Recommended for integrations to limit access to API/Web Services only.
Click OK to create the ISU.
Best Practice: Use a unique ISU for Auditoria (do not reuse ISUs shared with other integrations) and store its credentials securely.
3. Create a Workday Security Group and Assign the ISU
Create an Integration System Security Group (Unconstrained) and assign your ISU to it.
In the Workday search bar, type
Create Security Groupand press Enter.On the Create Security Group page:
Type of Tenanted Security Group:
Select Integration System Security Group (Unconstrained).Name:
Enter a descriptive name, for example:ISSG_AuditoriaorISSG_Auditoria_SmartVendor12.
Click OK.
On the Edit Integration System Security Group (Unconstrained) page:
In the Integration System Users section, add the ISU created in Step 2 (for example,
ISU_Auditoria).
Click OK to save the security group.
Note: Use a dedicated security group for the Auditoria integration. Do not assign unrelated users to this group.
4. Assign Domain Security Policy Permissions for SmartVendor (AP Invoices)
To enable Auditoria SmartResearch to access the required data from your Workday tenant, you must assign the correct domain security policy permissions to the integration security group you created.
Steps to Assign Security Policy Permissions
- Log in to your Workday console with administrative privileges.
Open Security Group Search:
- Go to the Workday search bar.
- Type "Security group" and select View Security Group from the search results.
Select the Auditoria SmartResearch security group:
- In the prompt, enter the name of your group (for example, ISSG_Auditoria_SmartVendor12).
- Click OK.
Open Domain Permissions for the Group:
- On the Integration System Security Group (Unconstrained) overview page, select the Related Actions (three dots menu) next to the group name.
- Choose Maintain Domain Permissions for Security Group.
- Add Permissions:
- In the Report/Task Permissions and Integration Permissions sections, add the required Domain Security Policies for each SmartResearch data source, using the operation/access level provided in the table below.
- Use Modify, View, Get, or Put access level as specified.
Save and confirm your changes.
- Click OK.
- Remember to activate pending security policy changes using the appropriate Workday task.
Table 1. Security Permissions for AP Invoices Features
| RecordTypesToFetch - From Workday | RecordTypeToMap - In Auditoria | Operation/Level of Access | Domain Security Policy |
|---|---|---|---|
| ALL Records | ALL RECORDS | View and Modify | Workday Query Language |
| ALL Records | ALL RECORDS | Get and Put | Workday Query Language |
| ENTITY, Entity details, Entities list | ENTITY | View Only | Manage: Company |
| ENTITY, Entity details, Entities list | ENTITY | View Only | Set Up: Company |
| ENTITY, Entity details, Entities list | ENTITY | Get Only | Manage: Company |
| ENTITY, Entity details, Entities list | ENTITY | Get Only | Set Up: Company |
| ENTITY, Entity details, Entities list | ENTITY | View Only | Set Up: Company General |
| ENTITY, Entity details, Entities list | ENTITY | Get Only | Set Up: Company General |
| Accounts | ACCOUNT | View Only | Set Up: Accounts |
| Accounts | ACCOUNT | Get Only | Set Up: Accounts |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | View Only | Set Up: Supplier Accounts |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | View Only | View: Supplier |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | View Only | Set Up: Supplier |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | Get Only | Set Up: Supplier Accounts |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | Get Only | View: Supplier |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | Get Only | Set Up: Supplier |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | View Only | Reports: Supplier |
| List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts | VENDOR | Get Only | Reports: Supplier |
| Supplier Invoices - Details, List | VENDOR_BILLS | View Only | Process: Supplier Invoice |
| Supplier Invoices - Details, List | VENDOR_BILLS | View Only | Process: Recurring Supplier Invoice |
| Supplier Invoices - Details, List | VENDOR_BILLS | View Only | Process: Supplier Invoice - Reporting |
| Supplier Invoices - Details, List | VENDOR_BILLS | View Only | Process: Supplier Invoice Payment/Settlement |
| Supplier Invoices - Details, List | VENDOR_BILLS | Get Only | Process: Supplier Invoice |
| Supplier Invoices - Details, List | VENDOR_BILLS | Get Only | Process: Recurring Supplier Invoice |
| Supplier Invoices - Details, List | VENDOR_BILLS | Get Only | Process: Supplier Invoice - Reporting |
| Supplier Invoices - Details, List | VENDOR_BILLS | View Only | Process: Supplier Invoice - Request |
| Supplier Invoices - Details, List | VENDOR_BILLS | View Only | Process: Supplier Invoice Adjustment |
| Supplier Invoices - Details, List | VENDOR_BILLS | Get Only | Process: Supplier Invoice Adjustment |
| Supplier Invoices - Details, List | VENDOR_BILLS | View Only | Process: Supplier Invoice Adjustment - Reporting |
| Supplier Invoices - Details, List | VENDOR_BILLS | Get Only | Process: Supplier Invoice Adjustment - Reporting |
| Supplier Contract - Details, List | CONTRACT | View Only | Set Up: Supplier Contracts |
| Supplier Contract - Details, List | CONTRACT | View Only | Process: Supplier Contract |
| Supplier Contract - Details, List | CONTRACT | Get Only | Set Up: Supplier Contracts |
| Supplier Contract - Details, List | CONTRACT | Get Only | Process: Supplier Contract |
| Cost Center - List, Details | COST_CENTER | View Only | Manage: Cost Center |
| Cost Center - List, Details | COST_CENTER | Get Only | Manage: Cost Center |
| Spend Categories | SPEND_CATEGORIES | View Only | Manage: Inventory |
| Spend Categories | SPEND_CATEGORIES | Get Only | Manage: Inventory |
| Spend Categories | SPEND_CATEGORIES | View Only | Set Up: Spend Categories |
| Spend Categories | SPEND_CATEGORIES | Get Only | Set Up: Spend Categories |
| Additional permissions for writing invoice to Workday with attachment | SUPPLIERS_INVOICES | Modify | Process: Supplier Invoice |
| Additional permissions for writing invoice to Workday with attachment | SUPPLIERS_INVOICES | Modify | Process: Supplier Invoice - Request |
| Additional permissions for writing invoice to Workday with attachment | SUPPLIERS_INVOICES | Put | Process: Supplier Invoice |
| Additional permissions for writing invoice to Workday with attachment | SUPPLIERS_INVOICES | Put | Process: Supplier Invoice - Request |
| Additional permissions for writing invoice to Workday with attachment | SUPPLIERS_INVOICES | Modify | Process: Supplier Invoice Adjustment |
| Additional permissions for writing invoice to Workday with attachment | SUPPLIERS_INVOICES | Put | Process: Supplier Invoice Adjustment |
| References | SUPPLIERS GROUPS | Get and View | Integration Build |
Notes:
Note 1: The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.
Note 2: Your organization's requirements may differ; always confirm with your implementation team or Auditoria support if unsure which policies are needed.
If you have questions about specific domain security policies or data source configurations, consult your Workday administrator or Auditoria support representative.
To view all Domain Security Policy Permissions in detail, please download the Excel sheet from the attachment section at the end of this article.
5. Update Business Process Security Policies for Functional Area
In addition to Domain Security Policies, you must ensure that your Auditoria security group (for example, ISSG_Auditoria) is allowed to participate in the appropriate Business Processes. This is required particularly when AP Invoices will create or update Supplier Invoices in Workday, and is recommended for consistent visibility for AP Helpdesk.
Follow these steps to update the relevant Business Process Security Policies:
In the Workday search bar, type Business Process Security Policies for Functional Area and press Enter.
Select Business Process Security Policies for Functional Area from the search results. Enter the following parameters and click OK:
- Functional Area: Supplier Accounts
- Business Process: Supplier Invoice Event
Scroll to the bottom of the configuration page and click Edit Permissions.
Locate the following Initiating Actions and update the Security Groups as appropriate:
Import Supplier Invoice (WS Background Process)
Submit Supplier Invoice (Web Service)
Ensure your Auditoria security group (e.g. ISSG_Auditoria) and any other required groups are included.
- Click OK to save and activate your changes.
6. Exempt the Auditoria ISU from the Business Document Attachment Validation
When Auditoria writes invoices to Workday, it uses a two-step process: the first API call writes the invoice data, and the second API call attaches the invoice document. If your Workday tenant has a custom validation that requires a business document attachment at the time of invoice creation, Workday triggers that validation before the second API call completes, causing a processing error.
To prevent this, you must configure the relevant custom validation in Workday to exempt the Auditoria ISU.
- In the Workday search bar, type Maintain Custom Validation and press Enter.
- Open the Maintain Custom Validation report.
- In the left-side menu, locate and select Supplier Invoice. The validations associated with supplier invoices appear in the main panel.
To prevent this, you must configure the relevant custom validation in Workday to exempt the Auditoria ISU.
Using the search bar at the top of the Maintain Custom Validations page, search for one of the following validation names:
- Business Document Attachment is missing
- Supplier invoice attachment is required
Note: The validation name may vary depending on your Workday configuration. Search for both terms if the first does not return a result.
- Select the Actions menu (three-dot icon) next to the validation, then select Custom Validation > Edit.
- On the validation edit screen, review the existing conditions under the Rule Conditions tab.
- Select the + (Add) icon at the top of the Rule Conditions table to add a new condition.
- Click OK to save the validation.
7. Activate Pending Security Policy Changes
After adding or modifying domain permissions, you must activate pending security policy changes.
In the Workday search bar, type
Activate Pending Security Policy Changesand press Enter.On the Activate Pending Security Policy Changes page:
Enter a comment describing the change (for example, “Auditoria SmartVendor integration permissions”).
- Review the Current Security Evaluation Moment and the Proposed Security Evaluation Moment.
- If the details are correct, check the Confirm box to acknowledge the changes.
Click OK to apply the updates and activate the permissions.
Note:
Security changes do not take effect until they are activated. Ensure you have permissions to perform this step.
If you have questions about which policy changes need to be activated, consult your Workday administrator or your implementation team.
8. Register API Client and Retrieve Client Credentials
Register a Workday API Client for Integrations to obtain the Client ID and Client Secret that Auditoria will use.
In the Workday search bar, type
Register API Client for Integrationsand press Enter.On the registration form, configure:
- Client Name (required): Use a clear name, for example:
Auditoria_Client. - Enforce Customized Access Token Expiry (optional): Leave unchecked unless your integration requires custom access token expiration.
- Refresh Token Timeout (in days) (optional): Default
0Typically, it means no expiry when using non-expiring refresh tokens. - Non-Expiring Refresh Tokens (recommended):
- Select this option for integration clients, unless your security policy requires token rotation.
- Disabled (optional):
- Leave unchecked. Use only if you intentionally want to disable the client.
- Scope (Functional Areas) (required): Add all functional areas required for your integration use case, for example:
- Integration
- Staffing
- System
- Workday Everywhere
- Suppliers Accounts
- Suppliers Contracts
- Suppliers
- Include Workday Owned Scope (optional): Leave unchecked unless explicitly required.
- Locked Out due to Excessive Failed Signon Attempts (informational/optional): Leave unchecked; this field is for tracking if the client is locked out.
- Restricted to IP Ranges (optional): Add allowed IP ranges if your organization enforces IP whitelisting; otherwise, leave blank.
- Client Name (required): Use a clear name, for example:
Click OK to complete the registration.
After registration, Workday will display the Client ID and Client Secret.
Important: Record and store the Client ID and Client Secret in a secure password manager or vault. You will need them when configuring the Workday connection in Auditoria.
9. Generate Refresh Token with Updated Permissions
Generate a Refresh Token that ties the API client to your Auditoria ISU.
In the Workday search bar, type
View API Clientand press Enter.- Navigate to API Clients for Integrations, filter on the client name created above.
Filter the list to find the API client you just created (e.g., filter on Client Name containing
Auditoria).Click the ellipsis (three dots) next to your API client and select:
Manage Refresh Tokens for Integrations.In the Manage Refresh Tokens dialog:
Enter or select the ISU from Step 2 (for example,
ISU_Auditoria).Click OK.
On the next screen, enable
Generate New Refresh Tokenand click OK.Workday will display a Refresh Token.
Copy this token immediately and store it securely (you will not be able to see it again later).
Important: Keep the Client ID, Client Secret, and Refresh Token confidential.
These values are required to link your Workday tenant to your Auditoria SmartVendor tenant.
10. Get Account Posting Rule Set
To configure Auditoria, you will need to provide the Account Posting Rule Set information from Workday.
Follow these steps to locate and copy the required Account Posting Rule Set ID:
In your Workday search bar, type View Account Posting Rule Set and press Enter.
In the pop-up window, select the appropriate Account Posting Rule Set that Auditoria should use (for example, "Standard Corporate Account Posting Rule"), and click OK.
On the next screen, locate the name of the selected Account Posting Rule Set at the top. Click the three vertical dots (ellipsis) next to the rule set name, hover over Integration IDs, then click View IDs.
Copy the Workday ID displayed in the Integration IDs section. This ID will be required during the system connection configuration in Auditoria.
Note: If you have any Segmented Security configured in Workday for the following business objects, please ensure that the ISU or the Security Group created for the Auditoria–Workday connection is also added to the same security group.
- Supplier
- Customers
- Customer Invoices
- Supplier Invoices
- Customer Payments
- Supplier Payments
- Purchase Orders
- Entity
Connect Auditoria SmartVendor (AP Invoices) to Workday ERP
After gathering your Workday connection details (hostname, tenant name, Integration System User credentials, API client credentials, and refresh token), you are ready to set up the connection within Auditoria.
Steps to Connect Auditoria to Workday
- Access System Settings:
- Log in to the Auditoria platform with administrative privileges.
- Navigate to Administration > System Settings.
- Add or Update Workday ERP Connection:
- In the "Add New Connection" area of System Settings, select the Workday ERP option.
- To update an existing connection, locate the Workday system tile and click Update.
- Enter Required Connection Information:
- On the ERP Settings page, fill in the following fields with your Workday integration details:
- Instance Name: Enter a recognizable display name for this connection.
- Tenant ID: Enter your Workday tenant name.
- User ID: Enter the Integration System User (ISU) username.
- User Password: Enter the ISU password.
- Host Name: Enter the Workday service URL or host address.
- Client ID: Enter the API Client ID.
- Client Secret: Enter the API Client Secret.
- Refresh Token: Enter the generated refresh token.
- Additional report and configuration fields may be present. Complete these as required for your organization or leave as “-” if not needed.
- On the ERP Settings page, fill in the following fields with your Workday integration details:
- Save and Test Connection:
- Click Save to submit your settings.
- The system may validate your credentials and confirm the connection status.
- Once the setup is complete, proceed to sync entities if prompted or verify that the connection is active.
Notes:
Fill out only the Workday connection fields needed for Auditoria AP Helpdesk functionality. Optional fields may be left blank or set to “-” as indicated on the screen.
If you encounter authentication or connection issues, verify all credentials and confirm that the required permissions in Workday have been assigned and activated.
Best Practices
Distinct, descriptive naming:
Example:
ISU_Auditoria_APInvoices,ISSG_Auditoria_APInvoices,Auditoria_APInvoices_Client.
Limit UI access for ISU:
Select Do Not Allow UI Sessions to restrict access to API/Web Services only.
Review permissions regularly:
Update Workday permissions as AP Invoices data or workflows evolve.
Secure credential storage:
Store ISU password, Client ID, Client Secret, and Refresh Token in an enterprise-grade vault.
Coordinate with Auditoria:
Work with your Auditoria Customer Success Representative during initial setup and when making significant changes (e.g., enabling invoice write-back).
Document changes and approvals:
Maintain a change log for security reviews and audits.
Test incrementally:
After each major configuration (ISU, group, domain policies, API client, refresh token), test connectivity and data access from AP Invoices.
Troubleshooting
| Issue | Possible Solution |
|---|---|
| Insufficient permissions when connecting from Auditoria | Re-check the security group’s Domain Security Policies. Ensure all required AP invoice domains are assigned and activated. |
| API client or refresh token rejected | Confirm you are using the correct Client ID, Client Secret, and Refresh Token. Make sure security changes are activated. |
| Missing suppliers or invoices in Auditoria | Verify that Supplier, Supplier Accounts, and Supplier Invoice domains are included and properly scoped. |
| Unable to write/post vendor bills | Confirm write permissions (Modify / Put) are granted on the Supplier Invoice domains used for write-back. |
| Tokens or credentials lost or expired | Regenerate the refresh token or credentials in Workday and update the configuration in Auditoria. |
| ISU session timing out too frequently | Adjust Session Timeout Minutes for the ISU, in line with your security policies. |
| Error activating security changes | Ensure you have permission to Activate Pending Security Policy Changes and review Workday’s error messages/comments. |
| Unclear API authentication failure | Double-check hostname, tenant name, service URLs, and confirm you are using the correct (prod vs test) credentials. |
Glossary
ISU (Integration System User):
A Workday user account dedicated to integrations. UI access is typically disabled.ISSG (Integration System Security Group):
A Workday security group used to control permissions for integration users.Domain Security Policy:
Defines what operations (View,Get,Modify,Put, etc.) a security group can perform on a given business domain.API Client:
OAuth 2.0 client registration in Workday. Provides the Client ID, Client Secret, and Refresh Token used by integrations.WQL (Workday Query Language):
Workday’s query mechanism, used by Auditoria to read Workday data (including AP invoice data).AP Invoices:
Auditoria functionality focused on automating Accounts Payable invoice processing, including extraction, validation, and (optionally) posting supplier invoices to Workday.Tenant:
Your specific Workday environment (for example,acme-corp-prod), used in Workday URLs.Functional Areas:
Logical groupings in Workday such asSuppliers,Supplier Accounts,Supplier Invoices,Common Financial Management, used to scope API client access.