Setting Up an Integration System User (ISU) for Auditoria AP Accruals

Written by Uday Kumar Updated

Introduction

This guide provides step-by-step instructions for configuring your Workday environment to integrate with Auditoria AP Accruals.

You will:

  • Create a dedicated Integration System User (ISU).
  • Create and configure an Integration System Security Group (ISSG).
  • Assign the required Domain Security Policies (including Workday Query Language/WQL access).
  • Register an API client and generate a Refresh Token.
  • Connect Auditoria AP Accruals to your Workday tenant.

These configurations ensure that Auditoria AP Accruals can securely:

  • Read AP-related data in Workday (suppliers, supplier invoices, purchase orders, cost centers, spend categories, regions, business units), and
  • Write journal entries back to Workday for accrual postings.

Audience

This article is intended for:

  • Workday Administrators with:
    • Integration configuration access.
    • Security and Domain Security Policy management permissions.
    • API client registration and WQL access.

Coordination with your Auditoria Customer Success Representative is recommended during initial setup and whenever you modify security or integration scope.

Prerequisites

Before you begin, ensure the following:

  • An active Auditoria AP Accruals subscription.
  • Workday administrator credentials.
  • Ability to:
    • Create Integration System Users (ISU).
    • Create and manage Integration System Security Groups (ISSG).
    • Configure Domain Security Policies.
    • Access Workday Public Web Services.
    • Register API Clients for Integrations in Workday.

1. Get Your Workday Hostname and Tenant Name

To configure the Workday connection in Auditoria, you need your Workday hostname and tenant name.

  1. Log in to Workday using your administrator account.

  2. In the Workday search bar, type Public Web Services and press Enter.

  3. In the results, filter the Web Services column to only show entries for Revenue Management.

  4. Locate Revenue Management (Public) Web Service.

  5. Click the ellipsis (three dots) next to it and select:
    Web Service > View WSDL.

  6. In the WSDL file:

    • Search for the final occurrence of Revenue_Management.

    • Locate the endpoint URL, for example:
      https://wd1-impl-services1.workday.com/ccx/service/your-tenant-name/Revenue_Management/v37.0

    • From this URL:

      • Hostname: wd1-impl-services1.workday.com

      • Tenant Name: your-tenant-name

  7. Copy both values. You will use them later in the Auditoria connection settings.

Note: The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.

2. Create the Workday Integration System User (ISU) for Auditoria

Create a dedicated Integration System User that Auditoria will use for API/WQL access.

  1. Log in to Workday as an administrator with ISU management permissions.

  2. In the search bar, type Create Integration System User and press Enter.

  3. On the Create Integration System User page, configure:

    • User Name (required):
      Use a descriptive name such as ISU_Auditoria or a variant specific to SmartVendor.

    • Generate Random Password (optional):

      • Check this box if you want Workday to auto-generate a password.

      • If selected, you do not enter a manual password.

    • New Password / New Password Verify (required if not generating random):

      • Enter a secure password that meets the Workday Password Rules (minimum length and complexity).

    • Require New Password at Next Sign In (optional):
      Typically not required for integration users, unless mandated by your security policy.

    • Session Timeout Minutes Enforced / Session Timeout Minutes (optional):

      • Configure session timeout according to your organization’s policies.

    • Do Not Allow UI Sessions (optional but recommended):

      • Check this to prevent the ISU from logging into the UI.

      • Recommended for integrations to limit access to API/Web Services only.

  4. Click OK to create the ISU.

Best Practice: Use a unique ISU for Auditoria (do not reuse ISUs shared with other integrations) and store its credentials securely.

3. Create a Workday Security Group and Assign the ISU

Create an Integration System Security Group (Unconstrained) and assign your ISU to it.

  1. In the Workday search bar, type Create Security Group and press Enter.

  2. On the Create Security Group page:

    • Type of Tenanted Security Group:
      Select Integration System Security Group (Unconstrained).

    • Name:
      Enter a descriptive name, for example:
      ISSG_Auditoria.

  3. Click OK.

  4. On the Edit Integration System Security Group (Unconstrained) page:

    • In the Integration System Users section, add the ISU created in Step 2 (for example, ISU_Auditoria).

  5. Click OK to save the security group.

Note: Use a dedicated security group for the Auditoria integration. Do not assign unrelated users to this group.

4. Assign Domain Security Policy Permissions for SmartVendor (AP Helpdesk)

To enable Auditoria to access the required data from your Workday tenant, you must assign the correct domain security policy permissions to the integration security group you created.

Steps to Assign Security Policy Permissions

  1. Log in to your Workday console with administrative privileges.

  2. Open Security Group Search:

    • Go to the Workday search bar.
    • Type "Security group" and select View Security Group from the search results.

  3. Select the Auditoria security group:

    • In the prompt, enter the name of your group (for example, ISSG_Auditoria_SmartVendor12).
    • Click OK.

  4. Open Domain Permissions for the Group:

    • On the Integration System Security Group (Unconstrained) overview page, select the Related Actions (three dots menu) next to the group name.
    • Choose Maintain Domain Permissions for Security Group.
  5. Add Permissions:
    • In the Report/Task Permissions and Integration Permissions sections, add the required Domain Security Policies for each data source, using the operation/access level provided in the table below.
    • Use Modify, View, Get, or Put access level as specified.

  6. Save and confirm your changes.

    • Click OK.
    • Remember to activate pending security policy changes using the appropriate Workday task.

Table 1. Security Permissions for AP Accruals

RecordTypesToFetch - From WorkdayRecordTypeToMap - In AuditoriaOperation/Level of AccessDomain Security Policy
ALL RecordsALL RECORDSView and ModifyWorkday Query Language
ALL RecordsALL RECORDSGet and PutWorkday Query Language
ENTITY, Entity details, Entities listENTITYView OnlyManage: Company
ENTITY, Entity details, Entities listENTITYView OnlySet Up: Company
ENTITY, Entity details, Entities listENTITYView OnlySet Up: Company General
ENTITY, Entity details, Entities listENTITYGet OnlyManage: Company
ENTITY, Entity details, Entities listENTITYGet OnlySet Up: Company
ENTITY, Entity details, Entities listENTITYGet OnlySet Up: Company General
AccountsACCOUNTView OnlySet Up: Accounts
AccountsACCOUNTGet OnlySet Up: Accounts
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORView OnlySet Up: Supplier Accounts
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORView OnlyView: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORView OnlySet Up: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORGet OnlySet Up: Supplier Accounts
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORGet OnlyView: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORGet OnlySet Up: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORView OnlyReports: Supplier
List Suppliers, Suppliers details, Suppliers Categories, Suppliers ContactsVENDORGet OnlyReports: Supplier
Suppliers Invoices - Details, ListSUPPLIERS INVOICESView OnlyProcess: Supplier Invoice
Suppliers Invoices - Details, ListSUPPLIERS INVOICESView OnlyProcess: Recurring Supplier Invoice
Suppliers Invoices - Details, ListSUPPLIERS INVOICESView OnlyProcess: Supplier Invoice - Reporting
Suppliers Invoices - Details, ListSUPPLIERS INVOICESView OnlyProcess: Supplier Invoice Payment/Settlement
Suppliers Invoices - Details, ListSUPPLIERS INVOICESView OnlyProcess: Supplier Invoice - Request
Suppliers Invoices - Details, ListSUPPLIERS INVOICESGet OnlyProcess: Supplier Invoice
Suppliers Invoices - Details, ListSUPPLIERS INVOICESGet OnlyProcess: Recurring Supplier Invoice
Suppliers Invoices - Details, ListSUPPLIERS INVOICESGet OnlyProcess: Supplier Invoice - Reporting
Purchase Orders - Details, ListPURCHASE ORDERView OnlyProcess: Purchase Order
Purchase Orders - Details, ListPURCHASE ORDERView OnlyProcess: Purchase Order - Reporting
Purchase Orders - Details, ListPURCHASE ORDERGet OnlyProcess: Purchase Order
Purchase Orders - Details, ListPURCHASE ORDERGet OnlyProcess: Purchase Order - Reporting
Cost Center - List, DetailsCOST_CENTERView OnlyManage: Cost Center
Cost Center - List, DetailsCOST_CENTERGet OnlyManage: Cost Center
Spend CategoriesSPEND_CATEGORIESView OnlyManage: Inventory
Spend CategoriesSPEND_CATEGORIESGet OnlyManage: Inventory
Spend CategoriesSPEND_CATEGORIESView OnlySet Up: Spend Categories
Spend CategoriesSPEND_CATEGORIESGet OnlySet Up: Spend Categories
Regions - ListREGIONView OnlyManage: Region
Regions - ListREGIONGet OnlyManage: Region
Business Units - ListBUSINESS_UNITSView OnlySet Up: Worktags
Business Units - ListBUSINESS_UNITSGet OnlySet Up: Worktags
Journal Entries - To WriteJOURNALView and ModifyProcess: Journals (NEW)
Journal Entries - To WriteJOURNALGet and PutProcess: Journals (NEW)

Notes:

Note 1: The hostname and tenant name are required to configure the Workday ERP connection in Auditoria.

Note 2: Your organization's requirements may differ; always confirm with your implementation team or Auditoria support if unsure which policies are needed.

If you have questions about specific domain security policies or data source configurations, consult your Workday administrator or Auditoria support representative.

To view all Domain Security Policy Permissions in detail, please download the Excel sheet from the attachment section at the end of this article.

5. Activate Pending Security Policy Changes

After adding or modifying domain permissions, you must activate pending security policy changes.

  1. In the Workday search bar, type Activate Pending Security Policy Changes and press Enter.

  2. On the Activate Pending Security Policy Changes page:

    • Enter a comment describing the change (for example, “Auditoria SmartVendor integration permissions”).

  3. Review the Current Security Evaluation Moment and the Proposed Security Evaluation Moment.
  4. If the details are correct, check the Confirm box to acknowledge the changes.

  5. Click OK to apply the updates and activate the permissions.

Note: Security changes do not take effect until they are activated. Ensure you have permissions to perform this step.

If you have questions about which policy changes need to be activated, consult your Workday administrator or your implementation team.

6. Register API Client and Retrieve Client Credentials

Register a Workday API Client for Integrations to obtain the Client ID and Client Secret that Auditoria will use.

  1. In the Workday search bar, type Register API Client for Integrations and press Enter.

  2. On the registration form, configure:

    • Client Name (required): Use a clear name, for example: Auditoria_Client.
    • Enforce Customized Access Token Expiry (optional): Leave unchecked unless your integration requires custom access token expiration.
    • Refresh Token Timeout (in days) (optional): Default 0 Typically, it means no expiry when using non-expiring refresh tokens.
    • Non-Expiring Refresh Tokens (recommended):
      • Select this option for integration clients, unless your security policy requires token rotation.
    • Disabled (optional):
      • Leave unchecked. Use only if you intentionally want to disable the client.
    • Scope (Functional Areas) (required): Add all functional areas required for your integration use case, for example:
      • Integration 
      • Staffing
      • System
      • Workday Everywhere
      • Suppliers Accounts
      • Suppliers
    • Include Workday Owned Scope (optional): Leave unchecked unless explicitly required.
    • Locked Out due to Excessive Failed Signon Attempts (informational/optional): Leave unchecked; this field is for tracking if the client is locked out.
    • Restricted to IP Ranges (optional): Add allowed IP ranges if your organization enforces IP whitelisting; otherwise, leave blank.

  3. Click OK to complete the registration.

  4. After registration, Workday will display the Client ID and Client Secret.

Important: Record and store the Client ID and Client Secret in a secure password manager or vault. You will need them when configuring the Workday connection in Auditoria.

7. Generate Refresh Token with Updated Permissions

Generate a Refresh Token that ties the API client to your Auditoria ISU.

  1. In the Workday search bar, type View API Client and press Enter.

  2. Navigate to API Clients for Integrations, filter on the client name created above.

  3. Filter the list to find the API client you just created (e.g., filter on Client Name containing Auditoria).

  4. Click the ellipsis (three dots) next to your API client and select:
    Manage Refresh Tokens for Integrations.

  5. In the Manage Refresh Tokens dialog:

    • Enter or select the ISU from Step 2 (for example, ISU_Auditoria).

    • Click OK.

  6. On the next screen, enable Generate New Refresh Token and click OK.

  7. Workday will display a Refresh Token.

    • Copy this token immediately and store it securely (you will not be able to see it again later).

Important: Keep the Client ID, Client Secret, and Refresh Token confidential.
These values are required to link your Workday tenant to your Auditoria SmartVendor tenant.

Note: If you have any Segmented Security configured in Workday for the following business objects, please ensure that the ISU or the Security Group created for the Auditoria–Workday connection is also added to the same security group.
  • Supplier
  • Customers
  • Customer Invoices
  • Supplier Invoices
  • Customer Payments
  • Supplier Payments
  • Purchase Orders
  • Entity

Connect Auditoria AP Accruals to Workday ERP

After gathering your Workday connection details (hostname, tenant name, Integration System User credentials, API client credentials, and refresh token), you are ready to set up the connection within Auditoria.

Steps to Connect Auditoria to Workday

  1. Access System Settings:
    • Log in to the Auditoria platform with administrative privileges.
    • Navigate to Administration > System Settings.
  2. Add or Update Workday ERP Connection:
    • In the "Add New Connection" area of System Settings, select the Workday ERP option.
    • To update an existing connection, locate the Workday system tile and click Update.

  1. Enter Required Connection Information:
    • On the ERP Settings page, fill in the following fields with your Workday integration details:
      • Instance Name: Enter a recognizable display name for this connection.
      • Tenant ID: Enter your Workday tenant name.
      • User ID: Enter the Integration System User (ISU) username.
      • User Password: Enter the ISU password.
      • Host Name: Enter the Workday service URL or host address.
      • Client ID: Enter the API Client ID.
      • Client Secret: Enter the API Client Secret.
      • Refresh Token: Enter the generated refresh token.
      • Additional report and configuration fields may be present. Complete these as required for your organization or leave as “-” if not needed.
  2. Save and Test Connection:
    • Click Save to submit your settings.
    • The system may validate your credentials and confirm the connection status.
    • Once the setup is complete, proceed to sync entities if prompted or verify that the connection is active.

Notes:

  • Fill out only the Workday connection fields needed for Auditoria AP Helpdesk functionality. Optional fields may be left blank or set to “-” as indicated on the screen.

  • If you encounter authentication or connection issues, verify all credentials and confirm that the required permissions in Workday have been assigned and activated.

Best Practices

  • Distinct, descriptive naming:

    • Example: ISU_Auditoria_APInvoices, ISSG_Auditoria_APInvoices, Auditoria_APInvoices_Client.

  • Limit UI access for ISU:

    • Select Do Not Allow UI Sessions to restrict access to API/Web Services only.

  • Review permissions regularly:

    • Update Workday permissions as AP Helpdesk data or workflows evolve.

  • Secure credential storage:

    • Store ISU password, Client ID, Client Secret, and Refresh Token in an enterprise-grade vault.

  • Coordinate with Auditoria:

    • Work with your Auditoria Customer Success Representative during initial setup and when making significant changes (e.g., enabling invoice write-back).

  • Document changes and approvals:

    • Maintain a change log for security reviews and audits.

  • Test incrementally:

    • After each major configuration (ISU, group, domain policies, API client, refresh token), test connectivity and data access from AP Helpdesk.

Troubleshooting

IssuePossible Solution
Insufficient permissions when connecting from AuditoriaRe-check the security group's Domain Security Policies. Ensure all required AP Accruals domains (Supplier, Supplier Invoice, Purchase Order, Cost Center, Spend Category, Region, Worktags, Journals) are assigned and activated.
API client or refresh token rejectedConfirm you are using the correct Client ID, Client Secret, and Refresh Token. Make sure security changes are activated.
Missing suppliers, supplier invoices, or purchase orders in AuditoriaVerify that Supplier, Supplier Accounts, Supplier Invoice, and Purchase Order domains are included and properly scoped.
Missing cost centers or spend categoriesVerify Manage: Cost Center, Manage: Inventory, and Set Up: Spend Categories domains are assigned at both View Only and Get Only access levels.
Missing regions or business unitsVerify Manage: Region and Set Up: Worktags domains are assigned at both View Only and Get Only access levels.
Unable to write accrual journal entries to WorkdayConfirm write permissions (View and Modify / Get and Put) are granted on the Process: Journals (NEW) domain. Verify any required Business Process Security Policy updates for the Journal Event have been completed and activated.
Tokens or credentials lost or expiredRegenerate the refresh token or credentials in Workday and update the configuration in Auditoria.
ISU session timing out too frequentlyAdjust Session Timeout Minutes for the ISU, in line with your security policies.
Error activating security changesEnsure you have permission to Activate Pending Security Policy Changes and review Workday's error messages and comments.
Unclear API authentication failureDouble-check hostname, tenant name, service URLs, and confirm you are using the correct (production vs test) credentials.
Segmented Security blocking record accessIf your tenant uses Segmented Security on Supplier, Supplier Invoices, Purchase Orders, or Entity, add the Auditoria ISU or its security group to the same segmented security group.
WQL queries returning empty or incomplete resultsVerify both View and Modify and Get and Put access levels are granted on Workday Query Language. Both are required for AP Accruals to read all business objects.

Glossary

  • ISU (Integration System User):
    A Workday user account dedicated to integrations. UI access is typically disabled.

  • ISSG (Integration System Security Group):
    A Workday security group used to control permissions for integration users.

  • Domain Security Policy: Defines what operations (View, Get, Modify, Put, etc.) a security group can perform on a given business domain.

  • API Client: OAuth 2.0 client registration in Workday. Provides the Client ID, Client Secret, and Refresh Token used by integrations.

  • WQL (Workday Query Language): Workday's query mechanism, used by Auditoria to read Workday data (including AP supplier, invoice, purchase order, cost center, spend category, region, and business unit data) for AP Accruals workflows.

  • AP Accruals: Auditoria functionality focused on automating period-end accounts payable accrual generation by analyzing supplier invoice, purchase order, and goods receipt data in your ERP, and writing accrual journal entries back to Workday.

  • Journal Entry: A Workday financial accounting record posted to the general ledger. Auditoria AP Accruals writes accrual journal entries to Workday using the Process: Journals (NEW) domain.

  • Tenant: Your specific Workday environment (for example, acme-corp-prod), used in Workday URLs.

  • Functional Areas: Logical groupings in Workday such as Suppliers, Supplier Accounts, Supplier Invoices, Common Financial Management, used to scope API client access.

Attachments