Introduction
This guide provides step-by-step instructions for configuring your Workday environment to integrate with Auditoria SmartCustomer products:
AR Collections
AR Helpdesk
AR Remittances
You will:
Create a dedicated Integration System User (ISU).
Create and configure an Integration System Security Group (ISSG).
Assign the required Domain Security Policies (including Workday Query Language/WQL access).
Register an API client and generate a Refresh Token.
These configurations ensure that Auditoria SmartCustomer can securely read and (where required) write data in Workday for AR workflows such as collections, customer hierarchy, and payment posting.
Audience
This article is intended for:
Workday Administrators with:
Integration configuration access.
Security and Domain Security Policy management permissions.
API client registration and WQL access.
Coordination with your Auditoria Customer Success Representative is recommended.
Prerequisites
Before you begin, ensure the following:
An active Auditoria SmartCustomer subscription (for one or more of:
AR Collections
AR Helpdesk
AR Remittances
Workday administrator credentials.
Ability to:
Create Integration System Users (ISU).
Create and manage Integration System Security Groups (ISSG).
Configure Domain Security Policies.
Access Workday Public Web Services.
Register API Clients for Integrations in Workday.
Related Reference:
See your “Workday Connection Settings for Auditoria” article for the field-level connection summary you will enter in Auditoria.
1. Get Your Workday Hostname and Tenant Name
To configure the Workday connection in Auditoria, you need your Workday hostname and tenant name.
Log in to Workday using your administrator account.
In the Workday search bar, type
Public Web Servicesand press Enter.In the results, filter the Web Services column to only show entries for Revenue Management.
Locate Revenue Management (Public) Web Service.
Click the ellipsis (three dots) next to it and select:
Web Service > View WSDL.In the WSDL file:
Search for the final occurrence of
Revenue_Management.Locate the endpoint URL, for example:
https://wd1-impl-services1.workday.com/ccx/service/your-tenant-name/Revenue_Management/v37.0From this URL:
Hostname:
wd1-impl-services1.workday.comTenant Name:
your-tenant-name
Copy both values. You will use them later in the Auditoria connection settings.
Note:
The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.
2. Create the Workday Integration System User (ISU) for Auditoria
Create a dedicated Integration System User that Auditoria will use for API/WQL access.
Log in to Workday as an administrator with ISU management permissions.
In the search bar, type
Create Integration System Userand press Enter.On the Create Integration System User page, configure:
User Name (required):
Use a descriptive name such asISU_Auditoriaor a variant specific to SmartCustomer.Generate Random Password (optional):
Check this box if you want Workday to auto-generate a password.
If selected, you do not enter a manual password.
New Password / New Password Verify (required if not generating random):
Enter a secure password that meets the Workday Password Rules (minimum length and complexity).
Require New Password at Next Sign In (optional):
Typically not required for integration users, unless mandated by your security policy.Session Timeout Minutes Enforced / Session Timeout Minutes (optional):
Configure session timeout according to your organization’s policies.
Do Not Allow UI Sessions (optional but recommended):
Check this to prevent the ISU from logging into the UI.
Recommended for integrations so that access is limited to API/Web Services only.
Click OK to create the ISU.
Best Practice:
Use a unique ISU for Auditoria (do not reuse ISUs shared with other integrations) and store its credentials securely.
3. Create a Workday Security Group and Assign the ISU
Create an Integration System Security Group (Unconstrained) and assign your ISU to it.
In the Workday search bar, type
Create Security Groupand press Enter.On the Create Security Group page:
Type of Tenanted Security Group:
Select Integration System Security Group (Unconstrained).Name:
Enter a descriptive name, for example:ISSG_AuditoriaorISSG_Auditoria_SmartCustomer.
Click OK.
On the Edit Integration System Security Group (Unconstrained) page:
In the Integration System Users section, add the ISU created in Step 2 (for example,
ISU_Auditoria).
Click OK to save the security group.
Note:
Use a dedicated security group for the Auditoria integration. Do not assign unrelated users to this group.
4. Assign Domain Security Policy Permissions for SmartCustomer
To enable Auditoria SmartResearch to access the required data from your Workday tenant, you must assign the correct domain security policy permissions to the integration security group you created.
Steps to Assign Security Policy Permissions
- Log in to your Workday console with administrative privileges.
Open Security Group Search:
- Go to the Workday search bar.
- Type "Security group" and select View Security Group from the search results.
Select the Auditoria SmartResearch security group:
- In the prompt, enter the name of your group (for example, ISSG_Auditoria_SmartCustomer12).
- Click OK.
Open Domain Permissions for the Group:
- On the Integration System Security Group (Unconstrained) overview page, select the Related Actions (three dots menu) next to the group name.
- Choose Maintain Domain Permissions for Security Group.
- Add Permissions:
- In the Report/Task Permissions and Integration Permissions sections, add the required Domain Security Policies for each SmartResearch data source, using the operation/access level provided in the table below.
- Use Modify, View, Get, or Put access level as specified.
Save and confirm your changes.
- Click OK.
- Remember to activate pending security policy changes using the appropriate Workday task.
Table 1. Security Permissions for AR Features
| RecordTypesToFetch - From Workday | RecordTypeToMap - In Auditoria | Operation/Level of Access | Domain Security Policy |
|---|---|---|---|
| ALL Records | ALL Records | View and Modify | Workday Query Language |
| ALL Records | ALL Records | Get and Put | Workday Query Language |
| ENTITY, Entity details, Enitites list | ENTITY | View Only | Manage: Company |
| ENTITY, Entity details, Enitites list | ENTITY | View Only | Set Up: Company |
| ENTITY, Entity details, Enitites list | ENTITY | View Only | Set Up: Company General |
| ENTITY, Entity details, Enitites list | ENTITY | Get Only | Manage: Company |
| ENTITY, Entity details, Enitites list | ENTITY | Get Only | Set Up: Company |
| ENTITY, Entity details, Enitites list | ENTITY | Get Only | Set Up: Company General |
| Accounts | ACCOUNT | View Only | Set Up: Accounts |
| Accounts | ACCOUNT | Get Only | Set Up: Accounts |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | View Only | Set Up: Customer |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | View Only | View: Customer |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | View Only | Set Up: Customer Accounts |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | View Only | Customer Collection |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | Get Only | Set Up: Customer |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | Get Only | View: Customer |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | Get Only | Set Up: Customer Accounts |
| List Customers, Customer details, Customer Categories, Customer Contacts | CUSTOMER | Get Only | Customer Collection |
| Customer Hierachies | CUSTOMER | View Only | Reports: Customer |
| Customer Hierachies | CUSTOMER | View Only | Reports: Customer Accounts |
| Customer Hierachies | CUSTOMER | Get Only | Reports: Customer |
| Customer Hierachies | CUSTOMER | Get Only | Reports: Customer Accounts |
| Customer Categories | CUSTOMER | View Only | Set Up: Customer Categories |
| Customer Categories | CUSTOMER | Get Only | Set Up: Customer Categories |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | View Only | Reports: Customer Invoice Referenced Attachments |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | View Only | Process: Customer Invoice - View |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | View Only | Manage: Customer Invoice |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | View Only | Process: Customer Invoice (NEW) |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | View Only | Reports: Customer Invoice |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | Get Only | Reports: Customer Invoice Referenced Attachments |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | Get Only | Process: Customer Invoice - View |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | Get Only | Manage: Customer Invoice |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | Get Only | Process: Customer Invoice (NEW) |
| Customer Invoices - Details | INVOICE, CREDIT MEMO | Get Only | Reports: Customer Invoice |
| Customer Payment - Details | PAYMENT | View Only | Process: Customer Payment |
| Customer Payment - Details | PAYMENT | View Only | Process: Customer Refund/Payment |
| Customer Payment - Details | PAYMENT | View Only | Process: Customer Invoice Payment/Settlement |
| Customer Payment - Details | PAYMENT | Get Only | Process: Customer Payment |
| Customer Payment - Details | PAYMENT | Get Only | Process: Customer Refund/Payment |
| Customer Payment - Details | PAYMENT | Get Only | Process: Customer Invoice Payment/Settlement |
Security Permissions for AR Features
Table 2. Additional Permissions for AR Remittances
| RecordTypesToFetch - From Workday | RecordTypeToMap - In Auditoria | Operation/Level of Access | Domain Security Policy |
|---|---|---|---|
| Create/Write Customer Payment | PAYMENT | View and Modify | Process: Customer Payment |
| Create/Write Customer Payment | PAYMENT | View and Modify | Process: Customer Invoice Payment |
| Create/Write Customer Payment | PAYMENT | View and Modify | Process: Customer Refund/Payment |
| Create/Write Customer Payment | PAYMENT | View and Modify | Process: Customer Invoice Payment/Settlement |
| Create/Write Customer Payment | PAYMENT | Get and Put | Process: Customer Payment |
| Create/Write Customer Payment | PAYMENT | Get and Put | Process: Customer Invoice Payment |
| Create/Write Customer Payment | PAYMENT | Get and Put | Process: Customer Refund/Payment |
| Create/Write Customer Payment | PAYMENT | Get and Put | Process: Customer Invoice Payment/Settlement |
| Customer Payment Settlement details, Payment Types | PAYMENT_TYPE | View Only | Process: Customer Refund Settlement |
| Customer Payment Settlement details, Payment Types | PAYMENT_TYPE | View Only | Process: Settlement |
| Customer Payment Settlement details, Payment Types | PAYMENT_TYPE | View Only | Set Up: Settlement |
| Customer Payment Settlement details, Payment Types | PAYMENT_TYPE | Get Only | Process: Customer Refund Settlement |
| Customer Payment Settlement details, Payment Types | PAYMENT_TYPE | Get Only | Process: Settlement |
| Customer Payment Settlement details, Payment Types | PAYMENT_TYPE | Get Only | Set Up: Settlement |
Additional Permissions for AR Remittances
| RecordTypesToWrite - To Workday | RecordTypeToMap - In Auditoria | Operation/Level of Access | Domain Security Policy |
|---|---|---|---|
| Customer Invoices - Details | Customer Invoices - Details | View and Modify | Manage: Customer Invoice |
| Customer Invoices - Details | Customer Invoices - Details | Get and Put | Manage: Customer Invoice |
Additional permissions to write schedule payment date and payment amount to Workday
Notes:
Note 1: The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.
Note 2: Your organization's requirements may differ; always confirm with your implementation team or Auditoria support if unsure which policies are needed.
If you have questions about specific domain security policies or data source configurations, consult your Workday administrator or Auditoria support representative.
To view all Domain Security Policy Permissions in detail, please download the Excel sheet from the attachment section at the end of this article.
5. Activate Pending Security Policy Changes
After adding or modifying domain permissions, you must activate pending security policy changes.
In the Workday search bar, type
Activate Pending Security Policy Changesand press Enter.On the Activate Pending Security Policy Changes page:
Enter a comment describing the change (for example, “Auditoria SmartCustomer integration permissions”).
- Review the Current Security Evaluation Moment and the Proposed Security Evaluation Moment.
- If the details are correct, check the Confirm box to acknowledge the changes.
Click OK to apply the updates and activate the permissions.
Note:
Security changes do not take effect until they are activated. Ensure you have permissions to perform this step.
If you have questions about which policy changes need to be activated, consult your Workday administrator or your implementation team.
6. Register API Client and Retrieve Client Credentials
Register a Workday API Client for Integrations to obtain the Client ID and Client Secret that Auditoria will use.
In the Workday search bar, type
Register API Client for Integrationsand press Enter.On the registration form, configure:
- Client Name (required): Use a clear name, for example:
Auditoria_Client. - Enforce Customized Access Token Expiry (optional): Leave unchecked unless your integration requires custom access token expiration.
- Refresh Token Timeout (in days) (optional): Default
0typically means no expiry when using non-expiring refresh tokens. - Non-Expiring Refresh Tokens (recommended):
- Select this option for integration clients, unless your security policy requires token rotation.
- Disabled (optional):
- Leave unchecked. Use only if you intentionally want to disable the client.
- Scope (Functional Areas) (required): Add all functional areas required for your integration use case, for example:
- Customer Accounts
- Project Billing
- Customer Central
- Customer Contacts
- Customers
- Integration
- Staffing
- System
- Workday Everywhere
- Include Workday Owned Scope (optional): Leave unchecked unless explicitly required.
- Locked Out due to Excessive Failed Signon Attempts (informational/optional): Leave unchecked; this field is for tracking if the client is locked out.
- Restricted to IP Ranges (optional): Add allowed IP ranges if your organization enforces IP whitelisting; otherwise, leave blank.
- Client Name (required): Use a clear name, for example:
Click OK to complete the registration.
After registration, Workday will display the Client ID and Client Secret.
Important:
Record and store the Client ID and Client Secret in a secure password manager or vault. You will need them when configuring the Workday connection in Auditoria.
7. Generate Refresh Token with Updated Permissions
Generate a Refresh Token that ties the API client to your Auditoria ISU.
In the Workday search bar, type
View API Clientand press Enter.- Navigate to API Clients for Integrations, filter on the client name created above.
Filter the list to find the API client you just created (e.g., filter on Client Name containing
Auditoria).Click the ellipsis (three dots) next to your API client and select:
Manage Refresh Tokens for Integrations.In the Manage Refresh Tokens dialog:
Enter or select the ISU from Step 2 (for example,
ISU_Auditoria).Click OK.
On the next screen, enable
Generate New Refresh Tokenand click OK.Workday will display a Refresh Token.
Copy this token immediately and store it securely (you will not be able to see it again later).
Important:
Keep the Client ID, Client Secret, and Refresh Token confidential.
These values are required to link your Workday tenant to your Auditoria SmartCustomer tenant.
Note: If you have any Segmented Security configured in Workday for the following business objects, please ensure that the ISU or the Security Group created for the Auditoria–Workday connection is also added to the same security group.
- Supplier
- Customers
- Customer Invoices
- Supplier Invoices
- Customer Payments
- Supplier Payments
- Purchase Orders
- Entity
Connect Auditoria SmartCustomer to Workday ERP
After gathering your Workday connection details (hostname, tenant name, Integration System User credentials, API client credentials, and refresh token), you are ready to set up the connection within Auditoria.
Steps to Connect Auditoria to Workday
- Access System Settings:
- Log in to the Auditoria platform with administrative privileges.
- Navigate to Administration > System Settings.
- Add or Update Workday ERP Connection:
- In the "Add New Connection" area of System Settings, select the Workday ERP option.
- To update an existing connection, locate the Workday system tile and click Update.
- Enter Required Connection Information:
- On the ERP Settings page, fill in the following fields with your Workday integration details:
- Instance Name: Enter a recognizable display name for this connection.
- Tenant ID: Enter your Workday tenant name.
- User ID: Enter the Integration System User (ISU) username.
- User Password: Enter the ISU password.
- Host Name: Enter the Workday service URL or host address.
- Client ID: Enter the API Client ID.
- Client Secret: Enter the API Client Secret.
- Refresh Token: Enter the generated refresh token.
- Additional report and configuration fields may be present. Complete these as required for your organization or leave as “-” if not needed.
- On the ERP Settings page, fill in the following fields with your Workday integration details:
- Save and Test Connection:
- Click Save to submit your settings.
- The system may validate your credentials and confirm the connection status.
- Once the setup is complete, proceed to sync entities if prompted or verify that the connection is active.
Notes:
Fill out only the Workday connection fields needed for Auditoria AP Helpdesk functionality. Optional fields may be left blank or set to “-” as indicated on the screen.
If you encounter authentication or connection issues, verify all credentials and confirm that the required permissions in Workday have been assigned and activated.
Best Practices
Distinct, descriptive naming:
Example:
ISU_Auditoria,ISSG_Auditoria,Auditoria_Client.
Limit UI access for ISU:
Select Do Not Allow UI Sessions to restrict access to API/Web Services only.
Review permissions regularly:
Update Workday permissions as Auditoria modules or data requirements evolve.
Secure credential storage:
Store ISU password, Client ID, Client Secret, and Refresh Token in an enterprise-grade vault.
Coordinate with Auditoria:
Work with your Auditoria Customer Success Representative during initial setup and when making significant changes.
Document changes and approvals:
Maintain a change log for security reviews and audits.
Test incrementally:
After each major configuration (ISU, group, domain policies, API client, refresh token), test connectivity and access.
Troubleshooting
Issue | Possible Solution |
|---|---|
Insufficient permissions when connecting from Auditoria | Re-check the security group’s Domain Security Policies. Ensure all required domains for SmartCustomer are assigned and activated. |
API client or refresh token rejected | Confirm you are using the correct Client ID, Client Secret, and Refresh Token. Make sure security changes are activated. |
Missing data (customers, invoices, payments) in Auditoria | Verify that all relevant Customer, Customer Accounts, Invoice, and Payment domains are included and properly scoped. |
Unable to write payments or collections data (AR Remittances) | Confirm write permissions ( |
Cannot retrieve payment types or settlement info | Check |
Tokens or credentials lost or expired | Regenerate the refresh token or credentials in Workday and update the configuration in Auditoria. |
ISU session timing out too frequently | Adjust Session Timeout Minutes for the ISU, in line with your security policies. |
Error activating security changes | Ensure you have permission to Activate Pending Security Policy Changes and review Workday’s error messages/comments. |
Unclear API authentication failure | Double-check hostname, tenant name, service URLs, and ensure you are using the correct (prod vs test) credentials. |
Glossary
ISU (Integration System User):
A Workday user account dedicated to integrations. UI access is typically disabled.ISSG (Integration System Security Group):
A Workday security group used to control permissions for integration users.Domain Security Policy:
Defines what operations (View, Get, Modify, etc.) a security group can perform on a given business domain.API Client:
OAuth 2.0 client registration in Workday. Provides the Client ID, Client Secret, and Refresh Token used by integrations.WQL (Workday Query Language):
Workday’s query mechanism, used by Auditoria to read Workday data for SmartCustomer workflows.AR Collections / AR Helpdesk / AR Remittances:
Auditoria SmartCustomer modules focused on automating collections, AR case management, and cash application/remittance processes.Tenant:
Your specific Workday environment (for example,acme-corp-prod), used in Workday URLs.Functional Areas:
Logical groupings in Workday such asCustomer Accounts,Customers,Common Financial Management,Banking and Settlement.