Setting Up a Workday ASU for Auditoria AP Helpdesk

Written by Uday Kumar Updated May 25, 2026 03:18

Overview

This guide provides step-by-step instructions for deploying the Auditoria SmartVendor Agent in your Workday tenant using Workday's Agent System of Record (ASOR) framework.

You will:

Capture your Workday hostname and tenant name.
Create an Integration System Security Group (ISSG) for the SmartVendor Agent.
Assign the required Domain Security Policies (including Workday Query Language / WQL access).
Update Business Process Security Policies for invoice write-back.
Activate pending security policy changes.
Register a Workday API Client and share the credentials with Auditoria for agent definition registration.
Configure and activate the agent in the Workday Agent Management Hub.
Connect the SmartVendor Agent to your Auditoria tenant.

These configurations enable Auditoria to securely retrieve supplier, invoice, and financial reference data from Workday and submit processed invoices back into Workday's OCR pipeline through the SmartVendor Agent.

Audience

This guide is intended for:

Workday Administrators with:
- Agent System of Record (ASOR) functional area access.
- Domain Security Policy management permissions.
- API Client registration permissions.
- Business Process Security Policy management permissions.
Auditoria Implementation Team members responsible for preparing the deployment package and completing the Workday Agent connection setup on the Auditoria platform side.

Coordination with your Auditoria Customer Success Representative is recommended throughout initial setup and whenever you modify security or integration scope.

Agent Description

The Auditoria SmartVendor Agent is a Workday-native ASOR (Agent System of Record) that enables the Auditoria AI platform to securely interact with a customer's Workday tenant. It facilitates automated, bidirectional data exchange — retrieving supplier, invoice, and financial reference data from Workday, and submitting processed invoices and adjustments back into Workday's OCR pipeline. The agent operates under OAuth 2.0 authorization and requires appropriate domain and security permissions to be configured in the customer's Workday tenant before activation.

Skill

The SmartVendor Agent is configured with a single skill group:

Data Retrieval and Submit Invoice to Workday OCR — Enables the Auditoria platform to read supplier and financial reference data from Workday and submit supplier invoices for OCR processing. The user authorizing this skill must have access to Supplier data within the Workday tenant.

Tools

The following tools are registered under this skill. Each tool corresponds to a specific API operation the agent is authorized to perform within the customer's Workday instance.

Table 1. Tools registered under the SmartVendor Agent

Tool Name	Description
Location Data Retriever	Fetches location data including address and site information.
Reference Data Retriever	Retrieves general reference data used across financial transactions.
Supplier Invoice Fetcher	Fetches supplier invoice records from Workday for processing.
Location Account Number Fetcher	Retrieves account numbers associated with specific locations.
OCR Invoice Submitter	Submits supplier invoice attachments to Workday's OCR scanning pipeline.
WQL Data Viewer (GET)	Executes read queries against Workday Query Language (WQL) endpoints via GET.
WQL Data Viewer (POST)	Executes queries against WQL endpoints via POST for larger or filtered datasets.
WQL Data Source Filter Viewer	Retrieves available filter options for a given WQL data source.
WQL Data Source Field Viewer	Retrieves field definitions and metadata for a given WQL data source.
WQL Data Source Viewer	Lists available WQL data sources within the Workday tenant.
Account Set Retriever	Fetches account set definitions used in financial transaction coding.
WQL Global Field Viewer	Retrieves globally defined fields available across WQL data sources.
Business Unit Hierarchy Fetcher	Fetches the hierarchical structure of business units in the tenant.
Business Unit Retriever	Retrieves individual business unit records.
Company ID Definition Fetcher	Fetches company ID definitions used in transaction and supplier records.
Company Contact Info Retriever	Retrieves contact information associated with company records.
Cost Center Retriever	Fetches cost center data for financial coding and allocation.
Company Organization Fetcher	Retrieves company organization structure data.
Payment Terms Retriever	Fetches payment terms configured in Workday for supplier transactions.
Payment Type Retriever	Retrieves available payment types for invoice processing.
Region Data Retriever	Fetches regional data used in supplier and location configuration.
Supplier Category Retriever	Fetches supplier category classifications.
Supplier Lease Amendment Type Fetcher	Retrieves lease amendment type definitions associated with suppliers.
Supplier Tax Info Retriever	Fetches tax-related information for supplier records.
Supporting Balance Retriever	Retrieves supporting balance data for financial reconciliation.
Survey Data Fetcher	Fetches survey data associated with supplier or transaction records.
Tax Applicability Retriever	Retrieves tax applicability rules for transaction processing.
Transaction Tax Code Retriever	Fetches transaction tax codes used in invoice and payment workflows.

Prerequisites

Before you begin deployment, ensure that your Workday tenant, Auditoria subscription, and Workday user permissions meet the following requirements.

Workday Tenant and SKUs

Your Workday tenant must be enabled for the following Workday Platform components:

Workday Agent System of Record (ASOR) — Required to create, configure, and activate the SmartVendor Agent. This must be provisioned by Workday before any agent setup steps can begin.
Workday Accounts Payable — Required to support supplier invoice retrieval, OCR submission, and invoice adjustment workflows.
Workday Supplier Accounts — Required for supplier data access, creation, and invoice information retrieval.
Workday Financial Management — Required for access to cost centers, business units, account sets, payment terms, and company organization data.

Auditoria Subscriptions

The customer must have an active subscription to the following:

Auditoria SmartVendor — Core subscription required to enable the AP automation workflows that the agent supports.
Auditoria Workday Connector — Required to establish the ERP connection between the Auditoria platform and the customer's Workday tenant using the agent's Client ID and Client Secret.

Auditoria Deployment Package

Before the customer begins setup, the Auditoria implementation team prepares and shares the following with the customer's technical team:

Agent definition payload (JSON) containing all required tool WIDs for REST and SOAP APIs.
Redirect URI to be configured in the Workday agent activation screen.
This Deployment Guide.
Environment-specific details (tenant name, host, environment URL).

Workday Functional User — Agent Creation Permissions

The Workday Functional User responsible for creating the SmartVendor Agent must have access to the Agent System of Record functional area and the following domains:

Agent Compliance
Agent Management Hub
Manage: Agents
Reports: Agent Reporting
Setup: Agents

Workday Functional User — Agent Authorization Security Groups

The Workday Functional User responsible for authorizing the SmartVendor Agent must be a member of the following security groups:

Integration Administrator
Supplier Administrator

1. Get Your Workday Hostname and Tenant Name

To configure the Workday connection in Auditoria, you need your Workday hostname and tenant name.

Log in to Workday using your administrator account.
In the Workday search bar, type Public Web Services and press Enter.
In the results, filter the Web Services column to only show entries for Revenue Management.
Locate Revenue Management (Public) Web Service.
Click the ellipsis (three dots) next to it and select:
Web Service > View WSDL.
In the WSDL file:
- Search for the final occurrence of Revenue_Management.
- Locate the endpoint URL, for example:
  https://wd1-impl-services1.workday.com/ccx/service/your-tenant-name/Revenue_Management/v37.0
- From this URL:
  - Hostname: wd1-impl-services1.workday.com
  - Tenant Name: your-tenant-name
Copy both values. You will use them later in the Auditoria connection settings.

Note: The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.

2. Create the `ISSG_Auditoria` Integration System Security Group

Before registering the SmartVendor Agent, you must create a dedicated Integration System Security Group (ISSG) named ISSG_Auditoria. This security group will hold all the domain permissions the agent requires to read from and write to your Workday tenant.

Log in to Workday as an administrator with ISU management permissions.
In the search bar, type Create Integration System User and press Enter.
On the Create Integration System User page, configure:
- User Name (required):
  Use a descriptive name such as ISU_Auditoria or a variant specific to SmartVendor.
- Generate Random Password (optional):
  - Check this box if you want Workday to auto-generate a password.
  - If selected, you do not enter a manual password.
- New Password / New Password Verify (required if not generating random):
  - Enter a secure password that meets the Workday Password Rules (minimum length and complexity).
- Require New Password at Next Sign In (optional):
  Typically not required for integration users, unless mandated by your security policy.
- Session Timeout Minutes Enforced / Session Timeout Minutes (optional):
  - Configure session timeout according to your organization’s policies.
- Do Not Allow UI Sessions (optional but recommended):
  - Check this to prevent the ISU from logging into the UI.
  - Recommended for integrations to limit access to API/Web Services only.
Click OK to create the ISU.

Best Practice: Use a unique ISU for Auditoria (do not reuse ISUs shared with other integrations) and store its credentials securely.

3. Create the Workday Security Group for the SmartVendor Agent

Create an Integration System Security Group (Unconstrained) named ISSG_Auditoria that will hold all the domain permissions the SmartVendor Agent requires.

In the Workday search bar, type Create Security Group and press Enter.
On the Create Security Group page:
- Type of Tenanted Security Group:
  Select Integration System Security Group (Unconstrained).
- Name:
  Enter a descriptive name, for example:
  ISSG_Auditoria or ISSG_Auditoria_SmartVendor12.
Click OK.
On the Edit Integration System Security Group (Unconstrained) page:
- In the Integration System Users section, add the ISU created in Step 2 (for example, ISU_Auditoria).
Click OK to save the security group.

Note: Use a dedicated security group for the Auditoria integration. Do not assign unrelated users to this group.

4. Assign Domain Security Policy Permissions for SmartVendor (AP Helpdesk)

To enable Auditoria to access the required data from your Workday tenant, you must assign the correct domain security policy permissions to the integration security group you created.

Steps to Assign Security Policy Permissions

Log in to your Workday console with administrative privileges.
Open Security Group Search:
- Go to the Workday search bar.
- Type "Security group" and select View Security Group from the search results.
Select the Auditoria security group:
- In the prompt, enter the name of your group (for example, ISSG_Auditoria_SmartVendor12).
- Click OK.
Open Domain Permissions for the Group:
- On the Integration System Security Group (Unconstrained) overview page, select the Related Actions (three dots menu) next to the group name.
- Choose Maintain Domain Permissions for Security Group.
Add Permissions:
- In the Report/Task Permissions and Integration Permissions sections, add the required Domain Security Policies for each data source, using the operation/access level provided in the table below.
- Use Modify, View, Get, or Put access level as specified.
Save and confirm your changes.
- Click OK.
- Remember to activate pending security policy changes using the appropriate Workday task.

Table 1. Security Permissions for AP Helpdesk Features

RecordTypesToFetch - From Workday	RecordTypeToMap - In Auditoria	Operation/Level of Access	Domain Security Policy
ALL Records	ALL RECORDS	View and Modify	Workday Query Language
ALL Records	ALL RECORDS	Get and Put	Workday Query Language
ENTITY, Entity details, Entities list	ENTITY	View Only	Manage: Company
ENTITY, Entity details, Entities list	ENTITY	View Only	Set Up: Company
ENTITY, Entity details, Entities list	ENTITY	Get Only	Manage: Company
ENTITY, Entity details, Entities list	ENTITY	Get Only	Set Up: Company
ENTITY, Entity details, Entities list	ENTITY	View Only	Set Up: Company General
ENTITY, Entity details, Entities list	ENTITY	Get Only	Set Up: Company General
Accounts	ACCOUNT	View Only	Set Up: Accounts
Accounts	ACCOUNT	Get Only	Set Up: Accounts
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	View Only	Set Up: Supplier Accounts
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	View Only	View: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	View Only	Set Up: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	Get Only	Set Up: Supplier Accounts
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	Get Only	View: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	Get Only	Set Up: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	View Only	Reports: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers Contacts	VENDOR	Get Only	Reports: Supplier
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	View Only	Process: Supplier Invoice
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	View Only	Process: Recurring Supplier Invoice
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	View Only	Process: Supplier Invoice - Reporting
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	View Only	Process: Supplier Invoice Payment/Settlement
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	Get Only	Process: Supplier Invoice
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	Get Only	Process: Recurring Supplier Invoice
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	Get Only	Process: Supplier Invoice - Reporting
Suppliers Invoices - Details, List	SUPPLIERS INVOICES	View Only	Process: Supplier Invoice - Request
Supplier Payments - Details	PAYMENT	Get Only	Process: Supplier Invoice Payment/Settlement
Supplier Payments - Details	PAYMENT	View Only	Reports: Supplier Payment
Supplier Payments - Details	PAYMENT	Get Only	Reports: Supplier Payment
Supplier Payments - Details	PAYMENT	View Only	View: Bank Entity
Supplier Payments - Details	PAYMENT	View Only	Set Up: Bank Entity
Supplier Payments - Details	PAYMENT	Get Only	Set Up: Bank Reconciliation
Supplier Payments - Details	PAYMENT	Get Only	View: Bank Entity
Supplier Payments - Details	PAYMENT	View Only	Process: Bank Reconciliation
Supplier Payments - Details	PAYMENT	Get Only	Set Up: Bank Entity
Purchase Orders - Details, List	PURCHASE ORDER	View Only	Process: Purchase Order
Purchase Orders - Details, List	PURCHASE ORDER	View Only	Process: Purchase Order - Reporting
Purchase Orders - Details, List	PURCHASE ORDER	Get Only	Process: Purchase Order
Purchase Orders - Details, List	PURCHASE ORDER	Get Only	Process: Purchase Order - Reporting
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	Modify	Process: Supplier Invoice
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	Modify	Process: Supplier Invoice - Request
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	Put	Process: Supplier Invoice
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	Put	Process: Supplier Invoice - Request
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	View and Modify	Set Up: Supplier Invoice Work Queue
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	Get and Put	Set Up: Supplier Invoice Work Queue
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	View and Modify	Process: Supplier Invoice Work Queue
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	View and Modify	Manage: Supplier Invoice Work Queue
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	Get and Put	Process: Supplier Invoice Work Queue
Additional permissions for transferring Invoice to Workday through APIs	SUPPLIERS INVOICES	Get and Put	Manage: Supplier Invoice Work Queue

Notes:
Note 1: Your organization's requirements may differ; always confirm with your implementation team or Auditoria support if unsure which policies are needed.
Note 2: If your tenant uses Segmented Security on the Supplier, Customer, Customer Invoices, Supplier Invoices, Customer Payments, Supplier Payments, Purchase Orders, or Entity business objects, the ISSG_Auditoria security group must also be added to the relevant segmented security groups. Otherwise, the agent will return empty result sets without raising errors.

If you have questions about specific domain security policies or data source configurations, consult your Workday administrator or Auditoria support representative.

To view all Domain Security Policy Permissions in detail, please download the Excel sheet from the attachment section at the end of this article.

5. Update Business Process Security Policies for Functional Area

In addition to Domain Security Policies, you must ensure that your Auditoria security group (for example, ISSG_Auditoria) is allowed to participate in the appropriate Business Processes. This is required particularly when AP Invoices will create or update Supplier Invoices in Workday, and is recommended for consistent visibility for AP Helpdesk.

Follow these steps to update the relevant Business Process Security Policies:

In the Workday search bar, type Business Process Security Policies for Functional Area and press Enter.
Select Business Process Security Policies for Functional Area from the search results. Enter the following parameters and click OK:
- Functional Area: Supplier Accounts
- Business Process: Supplier Invoice Event
Scroll to the bottom of the configuration page and click Edit Permissions.
Locate the following Initiating Actions and update the Security Groups as appropriate:
- Import Supplier Invoice (WS Background Process)
- Submit Supplier Invoice (Web Service)
Ensure your Auditoria security group (e.g. ISSG_Auditoria) and any other required groups are included.
Click OK to save and activate your changes.

5. Activate Pending Security Policy Changes

After adding or modifying domain permissions, you must activate pending security policy changes.

In the Workday search bar, type Activate Pending Security Policy Changes and press Enter.
On the Activate Pending Security Policy Changes page:
- Enter a comment describing the change (for example, “Auditoria SmartVendor integration permissions”).
Review the Current Security Evaluation Moment and the Proposed Security Evaluation Moment.
If the details are correct, check the Confirm box to acknowledge the changes.
Click OK to apply the updates and activate the permissions.

Note:
Security changes do not take effect until they are activated. Ensure you have permissions to perform this step.

If you have questions about which policy changes need to be activated, consult your Workday administrator or your implementation team.

6. Register API Client and Retrieve Client Credentials

Register a Workday API Client for Integrations to obtain the Client ID and Client Secret that Auditoria uses to register the SmartVendor Agent definition in your tenant.

In the Workday search bar, type Register API Client and press Enter.
On the registration form, configure:
- Client Name (required): Use a clear name, for example Auditoria_SmartVendor_Agent.
- Grant Type (required): Select Authorization Code Grant.
- Access Token Type (required): Select Bearer.
- Redirection URI (required): Enter the Redirect URI provided by Auditoria in the deployment package.
- Functional Area (required): Select System and Agent System of Records.
- Include Workday Owned Scope (required): Selected.
- Restricted to IP Ranges (optional): Add allowed IP ranges if your organization enforces IP whitelisting; otherwise, leave blank.
Click OK to complete the registration.
After registration, Workday will display the Client ID and Client Secret.

Important: Record and store the Client ID and Client Secret in a secure password manager or vault. You will need them when configuring the Workday connection in Auditoria.

7. Generate Refresh Token with Updated Permissions

Generate a Refresh Token that ties the API client to your Auditoria ISU.

In the Workday search bar, type View API Client and press Enter.
Navigate to API Clients for Integrations, filter on the client name created above.
Filter the list to find the API client you just created (e.g., filter on Client Name containing Auditoria).
Click the ellipsis (three dots) next to your API client and select:
Manage Refresh Tokens for Integrations.
In the Manage Refresh Tokens dialog:
- Enter or select the ISU from Step 2 (for example, ISU_Auditoria).
- Click OK.
On the next screen, enable Generate New Refresh Token and click OK.
Workday will display a Refresh Token.
- Copy this token immediately and store it securely (you will not be able to see it again later).

Important: Keep the Client ID, Client Secret, and Refresh Token confidential.
These values are required to link your Workday tenant to your Auditoria SmartVendor tenant.

Note: If you have any Segmented Security configured in Workday for the following business objects, please ensure that the ISU or the Security Group created for the Auditoria–Workday connection is also added to the same security group.
Supplier
Customers
Customer Invoices
Supplier Invoices
Customer Payments
Supplier Payments
Purchase Orders
Entity

8. Auditoria Registers the Agent Definition

Once Auditoria receives the credentials, the Auditoria implementation team executes the agent definition REST API call against your Workday tenant using the agent definition payload from the deployment package. There is no Workday UI for this step. The customer does not perform this action — it is documented here for transparency.

Table 3. ASOR endpoints (US region)

Endpoint	URL
REST API Endpoint	`https://agent.us.wcp.workday.com/asor/v1/agentDefinition`
Token Endpoint	`https://agent.us.wcp.workday.com/auth/oauth2/token`
Authorize Endpoint	`https://agent.us.wcp.workday.com/auth/authorize/?response_type=code&client_id={client_id}&state={state}&redirect_uri={redirect_uri}`

Note: Customers in EMEA, APAC, or other regions should request the regional equivalents from Auditoria support before beginning deployment.

Once the agent definition call returns successfully, the SmartVendor Agent is registered in your Workday tenant and becomes visible in the Agent Management Hub for configuration in Section 7.

9. Configure and Activate the SmartVendor Agent

After Auditoria completes the agent definition registration, configure the agent in the Agent Management Hub, assign the ISSG_Auditoria security group to the agent's skill, and activate the agent.

In the Workday tenant, run the Agent Management Hub report.

Browse to the Agent Registry.

Identify the Auditoria SmartVendor Agent and click the agent name.
Click Configure Agent.

Browse to the Skills tab.

Assign the ISSG_Auditoria security group to the Data Retrieval and Submit Invoice to Workday OCR skill.
Use the toggles to enable the skill.
Confirm the Redirect URI matches the value provided by Auditoria in the deployment package.
Click Activate to activate the agent.
Workday displays the OAuth credentials for the activated agent. Record these values immediately and share them with the Auditoria implementation team using your secure-handoff process.

Important: You will not be able to view or update the OAuth credentials after closing the activation screen. Securely save these details based on your company policy.

Connect Auditoria SmartVendor (AP Helpdesk) to Workday ERP

After gathering your Workday connection details (hostname, tenant name, Integration System User credentials, API client credentials, and refresh token), you are ready to set up the connection within Auditoria.

Steps to Connect Auditoria to Workday

Access System Settings:
- Log in to the Auditoria platform with administrative privileges.
- Navigate to Administration > System Settings.
Add or Update Workday ERP Connection:
- In the "Add New Connection" area of System Settings, select the Workday ERP option.
- To update an existing connection, locate the Workday system tile and click Update.

Enter Required Connection Information:
- On the ERP Settings page, fill in the following fields with your Workday integration details:
  - Instance Name: Enter a recognizable display name for this connection.
  - Tenant ID: Enter your Workday tenant name from Section 1 (for example, auditoria_asor_wcpdev1).
  - Host Name: Enter the Workday tenant hostname from Section 1.
  - User ID: Enter the Integration System User (ISU) username, if applicable.
  - User Password: Enter the ISU password, if applicable.
  - Client ID: Enter the Client ID generated during agent activation (Section 7).
  - Client Secret: Enter the Client Secret generated during agent activation (Section 7).
  - Additional configuration fields may be present. Complete these as required for your organization or leave as - if not needed.
Save and Test Connection:
- Click Save to submit your settings.
- The system may validate your credentials and confirm the connection status.
- Once the setup is complete, proceed to sync entities if prompted or verify that the connection is active.

Notes:
Fill out only the Workday connection fields needed for Auditoria AP Helpdesk functionality. Optional fields may be left blank or set to “-” as indicated on the screen.
If you encounter authentication or connection issues, verify all credentials and confirm that the required permissions in Workday have been assigned and activated.

Best Practices

Distinct, descriptive naming:
- Example: ISSG_Auditoria_SmartVendor, Auditoria_SmartVendor_Agent.
Use a dedicated security group:
- Assign the SmartVendor Agent only to the ISSG_Auditoria security group. Do not reuse this group for other integrations or users.
Review permissions regularly:
- Update Workday permissions as Auditoria SmartVendor features and tools evolve.
Secure credential storage:
- Store the Client ID and Client Secret in an enterprise-grade vault. These cannot be retrieved from Workday after their respective generation screens close.
Coordinate with Auditoria:
- Work with your Auditoria Customer Success Representative during initial setup and when making significant changes (e.g., enabling new tools or invoice write-back scope).
Document changes and approvals:
- Maintain a change log for security reviews and audits.
Test incrementally:
- After each major configuration (security group, domain policies, business process policies, API client, agent activation), test connectivity and data access.
Sandbox first:
- Complete the full deployment in a Workday implementation/sandbox tenant before deploying to production. Each environment requires its own API Client registration, agent definition, and Auditoria connection.

Troubleshooting

Issue	Possible Solution
Insufficient permissions when connecting from Auditoria	Re-check the security group's Domain Security Policies. Ensure all required AP invoice domains are assigned and activated.
Agent activation fails — Redirect URI rejected	Verify the Redirect URI entered in the Workday API Client matches exactly what Auditoria provided in the deployment package, including protocol, path, and no trailing spaces.
Client ID and Client Secret not generated after agent activation	Ensure the agent has been fully activated in the Agent Management Hub and that the Data Retrieval and Submit Invoice to Workday OCR skill was enabled prior to activation. If credentials are still not generated, contact your Workday administrator to confirm that the ASOR SKU is provisioned on your tenant.
Agent created successfully but tools not visible in Auditoria	Confirm the agent definition payload included all required REST and SOAP API tool WIDs at the time of creation. Tool WIDs cannot always be added retroactively — you may need to re-execute the agent creation API call with the complete payload from the deployment package.
Missing suppliers or invoices in Auditoria	Verify that Supplier, Supplier Accounts, and Supplier Invoice domains are included and properly scoped. If your tenant uses Segmented Security, also verify the security group is added to the relevant segmented security groups.
Unable to write/post vendor bills	Confirm write permissions (Modify / Put) are granted on the Supplier Invoice domains used for write-back. Confirm Section 4 (Business Process Security Policies) was completed and activated.
Tokens or credentials lost or expired	Regenerate credentials in Workday and update the configuration in Auditoria.
Error activating security changes	Ensure you have permission to Activate Pending Security Policy Changes and review Workday's error messages/comments.
Unclear API authentication failure	Double-check tenant name, hostname, and confirm you are using the correct (prod vs test) credentials.

FAQs

Q: I am unable to initiate a tool. What should I check?

A: This is commonly caused by incorrect permissions for the end user to invoke a specific tool. Review the tool and API access configured for the agent in the Workday tenant and ensure the authorizing user has the required domain security permissions assigned.

Q: The agent activation is failing and the Redirect URI is being rejected. What could be wrong?

A: This is typically caused by a mismatch between the Redirect URI entered in the Workday Console and the URI provided by Auditoria. Verify that the Redirect URI is copied exactly as provided — including the protocol, path, and no trailing spaces — and re-attempt the activation.

Q: The Client ID and Client Secret were not generated after agent activation. Why?

A: Ensure the agent has been fully activated in the Workday Console and that all required skills were enabled prior to activation. If credentials are still not generated, contact your Workday administrator to confirm that the ASOR SKU is provisioned on your tenant.

Q: The agent was created successfully but the tools are not visible in Auditoria. What went wrong?

A: Ensure the agent definition payload included all required tool WIDs at the time of creation. Tool WIDs cannot be added retroactively in all cases, and you may need to recreate the agent with the complete payload. Refer to the agent definition payload document provided in your Auditoria deployment package.

Glossary

ASOR (Agent System of Record): The Workday platform component that hosts third-party AI agents and brokers their access to Workday data and APIs via OAuth 2.0.
Agent Definition: The JSON payload that registers an agent in Workday ASOR, listing all REST and SOAP API WIDs the agent is authorized to use. Submitted via a single POST call to the Agent Definition endpoint.
Agent Management Hub: The Workday admin interface used to configure agent skills, set the Redirect URI, and activate ASOR agents after the agent definition has been registered.
API Client: OAuth 2.0 client registration in Workday. Provides the Client ID and Client Secret used by the SmartVendor Agent.
Client ID / Client Secret: OAuth 2.0 credentials generated by Workday upon API Client registration and agent activation. Used by Auditoria to obtain access tokens via the OAuth Authorization Code flow.
Domain Security Policy: Defines what operations (View, Get, Modify, Put, etc.) a security group can perform on a given Workday business domain.
ISSG (Integration System Security Group): A Workday security group used to control permissions for integrations and agents. The SmartVendor Agent is assigned to ISSG_Auditoria.
Redirect URI: The callback URL Workday returns the OAuth authorization code to. Configured in the API Client registration and confirmed during Agent Management Hub setup.
SmartVendor: Auditoria functionality focused on automating Accounts Payable workflows, including supplier invoice retrieval, OCR submission, and bidirectional data exchange with Workday.
Skill (ASOR): A logical grouping of tools registered to an ASOR agent. The SmartVendor Agent has one skill: Data Retrieval and Submit Invoice to Workday OCR.
Tenant: Your specific Workday environment (for example, auditoria_asor_wcpdev1), used in Workday URLs and passed in API calls as the wd-agent-tenant header value.
Tool (ASOR): A specific API operation an ASOR agent is authorized to perform — for example, Supplier Invoice Fetcher or OCR Invoice Submitter.
WID (Workday ID): A unique identifier used by Workday to reference tools, business objects, and configuration entities.
WQL (Workday Query Language): Workday's query mechanism, used by the SmartVendor Agent to read supplier, invoice, payment, and reference data.