Setting Up an Integration System User (ISU) for Auditoria SmartCustomer Products (AR Collections, AR Helpdesk, and AR Remittances)

Introduction

This guide provides step-by-step instructions for configuring your Workday environment to integrate with Auditoria SmartCustomer products:

  • AR Collections

  • AR Helpdesk

  • AR Remittances

You will:

  • Create a dedicated Integration System User (ISU).

  • Create and configure an Integration System Security Group (ISSG).

  • Assign the required Domain Security Policies (including Workday Query Language/WQL access).

  • Register an API client and generate a Refresh Token.

These configurations ensure that Auditoria SmartCustomer can securely read and (where required) write data in Workday for AR workflows such as collections, customer hierarchy, and payment posting.


Audience

This article is intended for:

  • Workday Administrators with:

    • Integration configuration access.

    • Security and Domain Security Policy management permissions.

    • API client registration and WQL access.

Coordination with your Auditoria Customer Success Representative is recommended.


Prerequisites

Before you begin, ensure the following:

  • An active Auditoria SmartCustomer subscription (for one or more of:

    • AR Collections

    • AR Helpdesk

    • AR Remittances

  • Workday administrator credentials.

  • Ability to:

    • Create Integration System Users (ISU).

    • Create and manage Integration System Security Groups (ISSG).

    • Configure Domain Security Policies.

    • Access Workday Public Web Services.

    • Register API Clients for Integrations in Workday.

Related Reference:
See your “Workday Connection Settings for Auditoria” article for the field-level connection summary you will enter in Auditoria.


1. Get Your Workday Hostname and Tenant Name

To configure the Workday connection in Auditoria, you need your Workday hostname and tenant name.

  1. Log in to Workday using your administrator account.

  2. In the Workday search bar, type Public Web Services and press Enter.

  3. In the results, filter the Web Services column to only show entries for Revenue Management.

  4. Locate Revenue Management (Public) Web Service.

  5. Click the ellipsis (three dots) next to it and select:
    Web Service > View WSDL.

  6. In the WSDL file:

    • Search for the final occurrence of Revenue_Management.

    • Locate the endpoint URL, for example:
      https://wd1-impl-services1.workday.com/ccx/service/your-tenant-name/Revenue_Management/v37.0

    • From this URL:

      • Hostname: wd1-impl-services1.workday.com

      • Tenant Name: your-tenant-name

  7. Copy both values. You will use them later in the Auditoria connection settings.

Note:
The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.


2. Create the Workday Integration System User (ISU) for Auditoria

Create a dedicated Integration System User that Auditoria will use for API/WQL access.

  1. Log in to Workday as an administrator with ISU management permissions.

  2. In the search bar, type Create Integration System User and press Enter.

  3. On the Create Integration System User page, configure:

    • User Name (required):
      Use a descriptive name such as ISU_Auditoria or a variant specific to SmartCustomer.

    • Generate Random Password (optional):

      • Check this box if you want Workday to auto-generate a password.

      • If selected, you do not enter a manual password.

    • New Password / New Password Verify (required if not generating random):

      • Enter a secure password that meets the Workday Password Rules (minimum length and complexity).

    • Require New Password at Next Sign In (optional):
      Typically not required for integration users, unless mandated by your security policy.

    • Session Timeout Minutes Enforced / Session Timeout Minutes (optional):

      • Configure session timeout according to your organization’s policies.

    • Do Not Allow UI Sessions (optional but recommended):

      • Check this to prevent the ISU from logging into the UI.

      • Recommended for integrations so that access is limited to API/Web Services only.

  4. Click OK to create the ISU.

Best Practice:
Use a unique ISU for Auditoria (do not reuse ISUs shared with other integrations) and store its credentials securely.


3. Create a Workday Security Group and Assign the ISU

Create an Integration System Security Group (Unconstrained) and assign your ISU to it.

  1. In the Workday search bar, type Create Security Group and press Enter.

  2. On the Create Security Group page:

    • Type of Tenanted Security Group:
      Select Integration System Security Group (Unconstrained).

    • Name:
      Enter a descriptive name, for example:
      ISSG_Auditoria or ISSG_Auditoria_SmartCustomer.

  3. Click OK.

  4. On the Edit Integration System Security Group (Unconstrained) page:

    • In the Integration System Users section, add the ISU created in Step 2 (for example, ISU_Auditoria).

  5. Click OK to save the security group.

Note:
Use a dedicated security group for the Auditoria integration. Do not assign unrelated users to this group.


4. Assign Domain Security Policy Permissions for SmartCustomer

To enable Auditoria SmartResearch to access the required data from your Workday tenant, you must assign the correct domain security policy permissions to the integration security group you created.

Steps to Assign Security Policy Permissions

  1. Log in to your Workday console with administrative privileges.
  2. Open Security Group Search:

    • Go to the Workday search bar.
    • Type "Security group" and select View Security Group from the search results.

  3. Select the Auditoria SmartResearch security group:

    • In the prompt, enter the name of your group (for example, ISSG_Auditoria_SmartCustomer12).
    • Click OK.
  4. Open Domain Permissions for the Group:

    • On the Integration System Security Group (Unconstrained) overview page, select the Related Actions (three dots menu) next to the group name.
    • Choose Maintain Domain Permissions for Security Group.
  5. Add Permissions:
    • In the Report/Task Permissions and Integration Permissions sections, add the required Domain Security Policies for each SmartResearch data source, using the operation/access level provided in the table below.
    • Use Modify, View, Get, or Put access level as specified.
  6. Save and confirm your changes.

    • Click OK.
    • Remember to activate pending security policy changes using the appropriate Workday task.

Table 1. Security Permissions for AR Features

RecordTypesToFetch - From WorkdayRecordTypeToMap - In AuditoriaOperation/Level of AccessDomain Security Policy
ALL RecordsALL RecordsView and ModifyWorkday Query Language
ALL RecordsALL RecordsGet and PutWorkday Query Language
ENTITY, Entity details, Enitites listENTITYView OnlyManage: Company
ENTITY, Entity details, Enitites listENTITYView OnlySet Up: Company
ENTITY, Entity details, Enitites listENTITYView OnlySet Up: Company General
ENTITY, Entity details, Enitites listENTITYGet OnlyManage: Company
ENTITY, Entity details, Enitites listENTITYGet OnlySet Up: Company
ENTITY, Entity details, Enitites listENTITYGet OnlySet Up: Company General
AccountsACCOUNTView OnlySet Up: Accounts
AccountsACCOUNTGet OnlySet Up: Accounts
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERView OnlySet Up: Customer
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERView OnlyView: Customer
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERView OnlySet Up: Customer Accounts
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERView OnlyCustomer Collection
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERGet OnlySet Up: Customer
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERGet OnlyView: Customer
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERGet OnlySet Up: Customer Accounts
List Customers, Customer details, Customer Categories, Customer ContactsCUSTOMERGet OnlyCustomer Collection
Customer HierachiesCUSTOMERView OnlyReports: Customer
Customer HierachiesCUSTOMERView OnlyReports: Customer Accounts
Customer HierachiesCUSTOMERGet OnlyReports: Customer
Customer HierachiesCUSTOMERGet OnlyReports: Customer Accounts
Customer CategoriesCUSTOMERView OnlySet Up: Customer Categories
Customer CategoriesCUSTOMERGet OnlySet Up: Customer Categories
Customer Invoices - DetailsINVOICE, CREDIT MEMOView OnlyReports: Customer Invoice Referenced Attachments
Customer Invoices - DetailsINVOICE, CREDIT MEMOView OnlyProcess: Customer Invoice - View
Customer Invoices - DetailsINVOICE, CREDIT MEMOView OnlyManage: Customer Invoice
Customer Invoices - DetailsINVOICE, CREDIT MEMOView OnlyProcess: Customer Invoice (NEW)
Customer Invoices - DetailsINVOICE, CREDIT MEMOView OnlyReports: Customer Invoice
Customer Invoices - DetailsINVOICE, CREDIT MEMOGet OnlyReports: Customer Invoice Referenced Attachments
Customer Invoices - DetailsINVOICE, CREDIT MEMOGet OnlyProcess: Customer Invoice - View
Customer Invoices - DetailsINVOICE, CREDIT MEMOGet OnlyManage: Customer Invoice
Customer Invoices - DetailsINVOICE, CREDIT MEMOGet OnlyProcess: Customer Invoice (NEW)
Customer Invoices - DetailsINVOICE, CREDIT MEMOGet OnlyReports: Customer Invoice
Customer Payment - DetailsPAYMENTView OnlyProcess: Customer Payment
Customer Payment - DetailsPAYMENTView OnlyProcess: Customer Refund/Payment
Customer Payment - DetailsPAYMENTView OnlyProcess: Customer Invoice Payment/Settlement
Customer Payment - DetailsPAYMENTGet OnlyProcess: Customer Payment
Customer Payment - DetailsPAYMENTGet OnlyProcess: Customer Refund/Payment
Customer Payment - DetailsPAYMENTGet OnlyProcess: Customer Invoice Payment/Settlement

Security Permissions for AR Features

Table 2. Additional Permissions for AR Remittances

RecordTypesToFetch - From WorkdayRecordTypeToMap - In AuditoriaOperation/Level of AccessDomain Security Policy
Create/Write Customer PaymentPAYMENTView and ModifyProcess: Customer Payment
Create/Write Customer PaymentPAYMENTView and ModifyProcess: Customer Invoice Payment
Create/Write Customer PaymentPAYMENTView and ModifyProcess: Customer Refund/Payment
Create/Write Customer PaymentPAYMENTView and ModifyProcess: Customer Invoice Payment/Settlement
Create/Write Customer PaymentPAYMENTGet and PutProcess: Customer Payment
Create/Write Customer PaymentPAYMENTGet and PutProcess: Customer Invoice Payment
Create/Write Customer PaymentPAYMENTGet and PutProcess: Customer Refund/Payment
Create/Write Customer PaymentPAYMENTGet and PutProcess: Customer Invoice Payment/Settlement
Customer Payment Settlement details, Payment TypesPAYMENT_TYPEView OnlyProcess: Customer Refund Settlement
Customer Payment Settlement details, Payment TypesPAYMENT_TYPEView OnlyProcess: Settlement
Customer Payment Settlement details, Payment TypesPAYMENT_TYPEView OnlySet Up: Settlement
Customer Payment Settlement details, Payment TypesPAYMENT_TYPEGet OnlyProcess: Customer Refund Settlement
Customer Payment Settlement details, Payment TypesPAYMENT_TYPEGet OnlyProcess: Settlement
Customer Payment Settlement details, Payment TypesPAYMENT_TYPEGet OnlySet Up: Settlement

Additional Permissions for AR Remittances

RecordTypesToWrite - To WorkdayRecordTypeToMap - In AuditoriaOperation/Level of AccessDomain Security Policy
Customer Invoices - DetailsCustomer Invoices - DetailsView and ModifyManage: Customer Invoice
Customer Invoices - DetailsCustomer Invoices - DetailsGet and PutManage: Customer Invoice

Additional permissions to write schedule payment date and payment amount to Workday

Notes: 

Note 1: The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.

Note 2: Your organization's requirements may differ; always confirm with your implementation team or Auditoria support if unsure which policies are needed.

If you have questions about specific domain security policies or data source configurations, consult your Workday administrator or Auditoria support representative.

To view all Domain Security Policy Permissions in detail, please download the Excel sheet from the attachment section at the end of this article.


5. Activate Pending Security Policy Changes

After adding or modifying domain permissions, you must activate pending security policy changes.

  1. In the Workday search bar, type Activate Pending Security Policy Changes and press Enter.

  2. On the Activate Pending Security Policy Changes page:

    • Enter a comment describing the change (for example, “Auditoria SmartCustomer integration permissions”).

  3. Review the Current Security Evaluation Moment and the Proposed Security Evaluation Moment.
  4. If the details are correct, check the Confirm box to acknowledge the changes.
  5. Click OK to apply the updates and activate the permissions.

Note:
Security changes do not take effect until they are activated. Ensure you have permissions to perform this step.

If you have questions about which policy changes need to be activated, consult your Workday administrator or your implementation team.


6. Register API Client and Retrieve Client Credentials

Register a Workday API Client for Integrations to obtain the Client ID and Client Secret that Auditoria will use.

  1. In the Workday search bar, type Register API Client for Integrations and press Enter.

  2. On the registration form, configure:

    • Client Name (required): Use a clear name, for example: Auditoria_Client.
    • Enforce Customized Access Token Expiry (optional): Leave unchecked unless your integration requires custom access token expiration.
    • Refresh Token Timeout (in days) (optional): Default 0 typically means no expiry when using non-expiring refresh tokens.
    • Non-Expiring Refresh Tokens (recommended):
      • Select this option for integration clients, unless your security policy requires token rotation.
    • Disabled (optional):
      • Leave unchecked. Use only if you intentionally want to disable the client.
    • Scope (Functional Areas) (required): Add all functional areas required for your integration use case, for example:
      • Customer Accounts
      • Project Billing
      • Customer Central
      • Customer Contacts
      • Customers
      • Integration 
      • Staffing
      • System
      • Workday Everywhere
    • Include Workday Owned Scope (optional): Leave unchecked unless explicitly required.
    • Locked Out due to Excessive Failed Signon Attempts (informational/optional): Leave unchecked; this field is for tracking if the client is locked out.
    • Restricted to IP Ranges (optional): Add allowed IP ranges if your organization enforces IP whitelisting; otherwise, leave blank.
  3. Click OK to complete the registration.

  4. After registration, Workday will display the Client ID and Client Secret.

Important:
Record and store the Client ID and Client Secret in a secure password manager or vault. You will need them when configuring the Workday connection in Auditoria.


7. Generate Refresh Token with Updated Permissions

Generate a Refresh Token that ties the API client to your Auditoria ISU.

  1. In the Workday search bar, type View API Client and press Enter.

  2. Navigate to API Clients for Integrations, filter on the client name created above.
  3. Filter the list to find the API client you just created (e.g., filter on Client Name containing Auditoria).

  4. Click the ellipsis (three dots) next to your API client and select:
    Manage Refresh Tokens for Integrations.

  5. In the Manage Refresh Tokens dialog:

    • Enter or select the ISU from Step 2 (for example, ISU_Auditoria).

    • Click OK.

  6. On the next screen, enable Generate New Refresh Token and click OK.

  7. Workday will display a Refresh Token.

    • Copy this token immediately and store it securely (you will not be able to see it again later).

Important:
Keep the Client ID, Client Secret, and Refresh Token confidential.
These values are required to link your Workday tenant to your Auditoria SmartCustomer tenant.

Note: If you have any Segmented Security configured in Workday for the following business objects, please ensure that the ISU or the Security Group created for the Auditoria–Workday connection is also added to the same security group.
  • Supplier
  • Customers
  • Customer Invoices
  • Supplier Invoices
  • Customer Payments
  • Supplier Payments
  • Purchase Orders
  • Entity

Connect Auditoria SmartCustomer to Workday ERP

After gathering your Workday connection details (hostname, tenant name, Integration System User credentials, API client credentials, and refresh token), you are ready to set up the connection within Auditoria.

Steps to Connect Auditoria to Workday

  1. Access System Settings:
    • Log in to the Auditoria platform with administrative privileges.
    • Navigate to Administration > System Settings.
  2. Add or Update Workday ERP Connection:
    • In the "Add New Connection" area of System Settings, select the Workday ERP option.
    • To update an existing connection, locate the Workday system tile and click Update.

  1. Enter Required Connection Information:
    • On the ERP Settings page, fill in the following fields with your Workday integration details:
      • Instance Name: Enter a recognizable display name for this connection.
      • Tenant ID: Enter your Workday tenant name.
      • User ID: Enter the Integration System User (ISU) username.
      • User Password: Enter the ISU password.
      • Host Name: Enter the Workday service URL or host address.
      • Client ID: Enter the API Client ID.
      • Client Secret: Enter the API Client Secret.
      • Refresh Token: Enter the generated refresh token.
      • Additional report and configuration fields may be present. Complete these as required for your organization or leave as “-” if not needed.
  2. Save and Test Connection:
    • Click Save to submit your settings.
    • The system may validate your credentials and confirm the connection status.
    • Once the setup is complete, proceed to sync entities if prompted or verify that the connection is active.

Notes:

  • Fill out only the Workday connection fields needed for Auditoria AP Helpdesk functionality. Optional fields may be left blank or set to “-” as indicated on the screen.

  • If you encounter authentication or connection issues, verify all credentials and confirm that the required permissions in Workday have been assigned and activated.


Best Practices

  • Distinct, descriptive naming:

    • Example: ISU_Auditoria, ISSG_Auditoria, Auditoria_Client.

  • Limit UI access for ISU:

    • Select Do Not Allow UI Sessions to restrict access to API/Web Services only.

  • Review permissions regularly:

    • Update Workday permissions as Auditoria modules or data requirements evolve.

  • Secure credential storage:

    • Store ISU password, Client ID, Client Secret, and Refresh Token in an enterprise-grade vault.

  • Coordinate with Auditoria:

    • Work with your Auditoria Customer Success Representative during initial setup and when making significant changes.

  • Document changes and approvals:

    • Maintain a change log for security reviews and audits.

  • Test incrementally:

    • After each major configuration (ISU, group, domain policies, API client, refresh token), test connectivity and access.


Troubleshooting

Issue

Possible Solution

Insufficient permissions when connecting from Auditoria

Re-check the security group’s Domain Security Policies. Ensure all required domains for SmartCustomer are assigned and activated.

API client or refresh token rejected

Confirm you are using the correct Client ID, Client Secret, and Refresh Token. Make sure security changes are activated.

Missing data (customers, invoices, payments) in Auditoria

Verify that all relevant Customer, Customer Accounts, Invoice, and Payment domains are included and properly scoped.

Unable to write payments or collections data (AR Remittances)

Confirm write permissions (View and Modify / Get and Put) are granted on the payment- and settlement-related domains.

Cannot retrieve payment types or settlement info

Check Payment Types / Settlement domain permissions and corresponding functional areas.

Tokens or credentials lost or expired

Regenerate the refresh token or credentials in Workday and update the configuration in Auditoria.

ISU session timing out too frequently

Adjust Session Timeout Minutes for the ISU, in line with your security policies.

Error activating security changes

Ensure you have permission to Activate Pending Security Policy Changes and review Workday’s error messages/comments.

Unclear API authentication failure

Double-check hostname, tenant name, service URLs, and ensure you are using the correct (prod vs test) credentials.


Glossary

  • ISU (Integration System User):
    A Workday user account dedicated to integrations. UI access is typically disabled.

  • ISSG (Integration System Security Group):
    A Workday security group used to control permissions for integration users.

  • Domain Security Policy:
    Defines what operations (View, Get, Modify, etc.) a security group can perform on a given business domain.

  • API Client:
    OAuth 2.0 client registration in Workday. Provides the Client ID, Client Secret, and Refresh Token used by integrations.

  • WQL (Workday Query Language):
    Workday’s query mechanism, used by Auditoria to read Workday data for SmartCustomer workflows.

  • AR Collections / AR Helpdesk / AR Remittances:
    Auditoria SmartCustomer modules focused on automating collections, AR case management, and cash application/remittance processes.

  • Tenant:
    Your specific Workday environment (for example, acme-corp-prod), used in Workday URLs.

  • Functional Areas:
    Logical groupings in Workday such as Customer Accounts, Customers, Common Financial Management, Banking and Settlement.

Attachments