Workday
The Workday connector lets you connect to a Workday instance and access Workday data as a traditional database.
Before you begin
Before using the Workday connector, do the following tasks:
- In your Google Cloud project:
    - Ensure that network connectivity is set up. For information about network patterns, see Network connectivity.
- Grant the roles/connectors.admin IAM role to the user configuring the connector.
- Grant the following IAM roles to the service account that you want to use for the connector:
          - roles/secretmanager.viewer
- roles/secretmanager.secretAccessor
 A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. If you don't have a service account, you must create a service account. The connector and the service account must belong to the same project. For more information, see Creating a service account. 
- Enable the following services:
        - secretmanager.googleapis.com(Secret Manager API)
- connectors.googleapis.com(Connectors API)
 To understand how to enable services, see Enabling services. 
 If these services or permissions have not been enabled for your project previously, you are prompted to enable them when configuring the connector. 
Workday configuration
Set up a Workday account
Login to the Workday Login to create a Workday account. For information about Workday community, see Workday Community. For information about REST APIs, see REST APIs.
Set up a client ID and client secret for Oauth 2.0 authentication
To create and register API client in Workday, do the following:
- Click Register API Client in Workday.
- Enter client name.
- Select the client grant type as authorization code grant.
- Select the bearer access token type, add other scopes as required and click OK.
- Enter all the details, and scopes needed to register API client.
- To set the SOAP authentication type, add the username and password.
Configure the connector
A connection is specific to a data source. It means that if you have many data sources, you must create a separate connection for each data source. To create a connection, do the following:
- In the Cloud console, go to the Integration Connectors > Connections page and then select or create a Google Cloud project.
- Click + Create new to open the Create Connection page.
- In the Location section, choose the location for the connection.
      - Region: Select a location from the drop-down list.
        
          
For the list of all the supported regions, see Locations. 
- Click Next.
 
- Region: Select a location from the drop-down list.
        
          
- In the Connection Details section, complete the following:
      - Connector: Select Workday from the drop down list of available Connectors.
- Connector version: Select the Connector version from the drop down list of available versions.
- In the Connection Name field, enter a name for the Connection instance.
          Connection names must meet the following criteria: - Connection names can use letters, numbers, or hyphens.
- Letters must be lower-case.
- Connection names must begin with a letter and end with a letter or number.
- Connection names cannot exceed 49 characters.
 
- Optionally, enter a Description for the connection instance.
- Optionally, enable Cloud logging,
  and then select a log level. By default, the log level is set to Error.
- Service Account: Select a service account that has the required roles.
- Optionally, configure the Connection node settings:
        - Minimum number of nodes: Enter the minimum number of connection nodes.
- Maximum number of nodes: Enter the maximum number of connection nodes.
 A node is a unit (or replica) of a connection that processes transactions. More nodes are required to process more transactions for a connection and conversely, fewer nodes are required to process fewer transactions. To understand how the nodes affect your connector pricing, see Pricing for connection nodes. If you don't enter any values, by default the minimum nodes are set to 2 (for better availability) and the maximum nodes are set to 50. 
- 
            Tenant: The tenant for the account. For example, abc_cms1. You can get the name of the tenant in your Workday instance configuration details.
- 
            Service: The specific service or services to retrieve data from. Enter as a comma separated
             list. For example, absenceManagement,common,compensation,recruiting,payroll,person
- WSDL Version: The version of the WSDL to use.
- 
            Base Web URL: Optionally, enter the base web URL of the Workday web application. For example, https://impl.workday.com/.
- (Optional) In the Advanced settings section, select the Use proxy checkbox to configure a proxy server for the connection and configure the following values:
- 
            Proxy Auth Scheme: Select the authentication type to authenticate with the proxy server. The following authentication types are supported:
            - Basic: Basic HTTP authentication.
- Digest: Digest HTTP authentication.
 
- Proxy User: A user name to be used to authenticate with the proxy server.
- Proxy Password: The Secret manager secret of the user's password.
- 
            Proxy SSL Type: The SSL type to use when connecting to the proxy server. The following authentication types are supported:
            - Auto: Default setting. If the URL is an HTTPS URL, then the Tunnel option is used. If the URL is an HTTP URL, then the NEVER option is used.
- Always: The connection is always SSL enabled.
- Never: The connection is not SSL enabled.
- Tunnel: The connection is through a tunneling proxy. The proxy server opens a connection to the remote host and traffic flows back and forth through the proxy.
 
-  In the Proxy Server section, enter details of the proxy server.
	        - Click + Add destination.
- Select a Destination Type.
	            - Host address: Specify the hostname or IP address of the destination.
                If you want to establish a private connection to your backend system, do the following: - Create a PSC service attachment.
- Create an endpoint attachment and then enter the details of the endpoint attachment in the Host address field.
 
 
- Host address: Specify the hostname or IP address of the destination.
                
 
- Optionally, click + Add label to add a label to the Connection in the form of a key/value pair.
- Click Next.
 
-  In the Destinations section, enter details of the remote host (backend system) you want to connect to.
        - You can configure any of the following destination types:
           - Base Service URL: Click + Add destination, and then enter the base service URL of your Workday instance. For example, https://wdX-impl-services1.workday.com
- API URL: Click + Add destination, and then enter the API URL of your Workday instance. For example, https://wd5-impl-service23.workday.com/srx/api/v1/TENANT
- WSDL URL: Click + Add destination, and then enter the WSDL URL of your Workday instance.
 You can use either the REST or the SOAP protocol to communicate with your Workday instance. To understand how to configure the connection for each of the protocols, see Configure connection for REST or SOAP. 
- Base Service URL: Click + Add destination, and then enter the base service URL of your Workday instance. For example, 
- Click Next.
 
- You can configure any of the following destination types:
           
- 
      In the Authentication section, enter the authentication details. 
      - Select an Authentication type and enter the relevant details.
            The following authentication types are supported by the Workday connection: - Username and password
- OAuth 2.0 - Authorization code
 
- Click Next.
 To understand how to configure these authentication types, see Configure authentication. 
- Select an Authentication type and enter the relevant details.
            
- Review: Review your connection and authentication details.
- Click Create.
Configure connection for REST or SOAP
Configuration for REST
For the connection to use the REST protocol, you must use the OAuth 2.0 - Authorization code authentication type, and configure the following fields:
In the Connection Details section:
- Tenant
- Service
- WSDL version
In the Destinations section:
- Base URL
- API URL
In the Authentication section:
- Client ID
- Client Secret
Configuration for SOAP
For the connection to use the SOAP protocol, you must use the Username and password authentication type, and configure the following fields:
In the Connection Details section:
- Tenant
- Service
- WSDL version
In the Destinations section:
- Base URL
In the Authentication section:
- Username
- Password
Configure authentication
Enter the details based on the authentication you want to use.
- 
            Username and password
            - Username: Username for connector
- Password: Secret Manager Secret containing the password associated with the connector.
 
- OAuth 2.0 - Authorization code
- Client ID: Client ID as provided by your external application.
- Scopes: Permission scopes.
- Client secret: Select the Secret Manager secret. You should have created the Secret Manager secret prior configuring this authorization.
- Secret version: Secret Manager secret version for client secret.
- Authorization URL: Enter the authorization URL that was generated when you created the Workday instance.
- Connection Type: Select a connection type.
For the OAuth 2.0 - Authorization code authentication type, after creating the connection, you
        should perform a few additional steps for configuring authentication. For more information,
        see Additional steps after connection creation.
Additional steps after connection creation
If you selected OAuth 2.0 - Authorization code for
  authentication, you must do the following additional steps after creating the connection:
- In the Connections page,
    locate the newly created connection.
    Notice that the Status for the new connector will be Authorization required. 
- Click Authorization required.
  This shows the Edit authorization pane. 
- Copy the Redirect URI value to your external application.
- Verify the authorization details.
- Click Authorize.
    If the authorization is successful, the connection status will be set to Active in the Connections page. 
Re-authorization for authorization code
If you are using Authorization code authentication type and have made any cofiguration changes in your Workday application,
        you must re-authorize your Workday connection. To re-authorize a connection, perform the following steps:
- Click on the required connection in the Connections page.
    This opens the connection details page. 
- Click Edit to edit the connection details.
- Verify the OAuth 2.0 - Authorization code details in the Authentication section.
  If required, make the necessary changes. 
- Click Save. This takes you to the connection details page.
- Click Edit authorization in the Authentication section. This shows the Authorize pane.
- Click Authorize.
    If the authorization is successful, the connection status will be set to Active in the Connections page. 
Connection configuration samples
This section lists the sample values for the various fields that you configure when creating the Workday connection.
Username password connection type
| Field name | Details | 
|---|---|
| Location | us-central1 | 
| Connector | Workday | 
| Connector version | 1 | 
| Connection Name | google-cloud-workday-soap-conn | 
| Enable Cloud Logging | No | 
| Service Account | my-service-account@my-project.iam.gserviceaccount.com | 
| Tenant | TENANT_NAME | 
| Service | SERVICE_NAME | 
| WSDL Version | v41.0 | 
| Verbosity level | 5 | 
| Minimum number of nodes | 2 | 
| Maximum number of nodes | 50 | 
| Base URL | BASE_URL | 
| Authentication | USER_PASSWORD | 
| Username | USERNAME | 
| Password | PASSWORD | 
| Secret Version | 1 | 
OAuth 2.0 - Authorization code connection type
| Field name | Details | 
|---|---|
| Location | us-central1 | 
| Connector | Workday | 
| Connector version | 1 | 
| Connection Name | google-cloud-workday-rest-conn | 
| Enable Cloud Logging | No | 
| Service Account | my-service-account@my-project.iam.gserviceaccount.com | 
| Tenant | TENANT_NAME | 
| Verbosity level | 5 | 
| Minimum number of nodes | 2 | 
| Maximum number of nodes | 50 | 
| Base URL | BASE_URL | 
| APIURL | API_URL | 
| Authentication | OAuth 2.0 - Authentication code | 
| Client ID | CLIENT_ID | 
| Scopes | system | 
| Client Secret | CLIENT_SECRET | 
| Secret Version | 1 | 
| Authorization URL | AUTHORIZATION_URL | 
| Connection Type | REST | 
For information about setting up OAuth 2.0 for a REST API client, see Workday documentation.
Integration system user connection type
| Field name | Details | 
|---|---|
| Location | europe-west1 | 
| Connector | Workday | 
| Connector version | 1 | 
| Connection Name | CONNECTION_NAME | 
| Enable Cloud Logging | No | 
| Service Account | my-service-account@my-project.iam.gserviceaccount.com | 
| Tenant | TENANT_NAME | 
| Service | SERVICE_NAME | 
| Minimum number of nodes | 2 | 
| Maximum number of nodes | 50 | 
| Base URL | BASE_URL | 
| Authentication | Integration System User | 
| Client ID | CLIENT_ID | 
| Client Secret | CLIENT_SECRET | 
| Secret Version | 8 | 
| Refresh Token | REFRESH_TOKEN | 
| Secret Version | 7 | 
Entities, operations, and actions
All the Integration Connectors provide a layer of abstraction for the objects of the connected application. You can access an application's objects only through this abstraction. The abstraction is exposed to you as entities, operations, and actions.
- Entity: An entity can be thought of as an object, or a collection of properties, in the
connected application or service. The definition of an entity differs from a connector to a
    connector. For example, in a database connector, tables are the entities, in a
    file server connector, folders are the entities, and in a messaging system connector,
    queues are the entities.
    However, it is possible that a connector doesn't support or have any entities, in which case the Entitieslist will be empty.
- Operation: An operation is the activity that you can perform on an entity. You can perform
any of the following operations on an entity:
    
  Selecting an entity from the available list, generates a list of operations available for the entity. For a detailed description of the operations, see the Connectors task's entity operations. However, if a connector doesn't support any of the entity operations, such unsupported operations aren't listed in the Operationslist.
- Action: An action is a first class function that is made available to the integration
through the connector interface. An action lets you make changes to an entity or entities, and
    vary from connector to connector. Normally, an action will have some input parameters, and an output
    parameter. However, it is possible
    that a connector doesn't support any action, in which case the Actionslist will be empty.
System limitations
The Workday connector can process 3 transaction per second, per node, and throttles any transactions beyond this limit. By default, Integration Connectors allocates 2 nodes (for better availability) for a connection.
For information on the limits applicable to Integration Connectors, see Limits.
Use the Workday connection in an integration
After you create the connection, it becomes available in both Apigee Integration and Application Integration. You can use the connection in an integration through the Connectors task.
- To understand how to create and use the Connectors task in Apigee Integration, see Connectors task.
- To understand how to create and use the Connectors task in Application Integration, see Connectors task.
Entity operation examples
This section shows how to perform some of the entity operations in this connector.
When you use a Workday connection, the entity name appears in the following format: "SCHEMA_NAME.ENTITY_NAME". For example, in "Staffing.Workers_training", Staffing is the schema name and Workers_training is the table name.
Only list and get operations are supported for a view, while all CRUD operations are supported for a table, as defined by the Entity API.
Example - List all records
This example lists all the records in the Scorecards entity.
- In the Configure connector taskdialog, clickEntities.
- Select Scorecardsfrom theEntitylist.
- Select the Listoperation, and then click Done.
- Optionally, in Task Input section of the Connectors task, you can 
    filter your result set by specifying a filter clause. Specify
    the filter clause value always within the single quotes ('). For example, Id='13b1724a91ce448bad2f1986321fc70f'. You can also specify multiple filter conditions by using the logic operators. For example,Id='13b1724a91ce448bad2f1986321fc70f' and Inactive=false.
Example - Get a record
This example gets a record with the specified ID from the Scorecards entity.
- In the Configure connector taskdialog, clickEntities.
- Select Scorecardsfrom theEntitylist.
- Select the Getoperation, and then click Done.
- In the Task Input section of the Connectors task, click EntityId and
    then enter 1|CN=admin,CN=Users,DC=test-ldap,DC=comin the Default Value field.Here, 1|CN=admin,CN=Users,DC=test-ldap,DC=comis a primary key value in theScorecardsentity.
Example - Create a record
This example creates a record in the PayrollInputs entity.
- In the Configure connector taskdialog, clickEntities.
- Select PayrollInputsfrom theEntitylist.
- Select the Createoperation, and then click Done.
- In the Task Input section of the Connectors task, click
  connectorInputPayloadand then enter a value similar to the following in theDefault Valuefield:{ "Worker_Id": "21327", "Worker_Descriptor": "Worker 2" } If the integration is successful, your connector task's connectorOutputPayloadfield will have a value similar to the following:{ "Id": "c3c68bc9a13f901d43ca8e5ddcaa0000" } 
Example - Update a record
This example updates the record with the specified ID in the Scorecards entity.
- In the Configure connector taskdialog, clickEntities.
- Select Scorecardsfrom theEntitylist.
- Select the Updateoperation, and then click Done.
- In the Task Input section of the Connectors task, click
    connectorInputPayloadand then enter a value similar to the following in theDefault Valuefield:{ "ScorecardDescription": "New updated description", "ScorecardName": "Scorecard_1" } 
- Click entityId, and then enter f368471438b14705a1178c6744d75853in the Default Value field.
Example - Delete a record
This example deletes the record with the specified ID in the Scorecards entity.
- In the Configure connector taskdialog, clickEntities.
- Select Scorecardsfrom theEntitylist.
- Select the Deleteoperation, and then click Done.
- In the Task Input section of the Connectors task, click entityId and
      then enter e002de05784910123c443f7eb0970722in the Default Value field.
Create connections using Terraform
You can use the Terraform resource to create a new connection.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
To view a sample terraform template for connection creation, see sample template.
When creating this connection by using Terraform, you must set the following variables in your Terraform configuration file:
| Parameter name | Data type | Required | Description | 
|---|---|---|---|
| tenant | STRING | False | The tenant for the account. | 
| service | STRING | False | The specific service or services to retrieve data from. Enter as a comma separated list. | 
| wsdlversion | STRING | False | The version of the WSDL to use. | 
| proxy_enabled | BOOLEAN | False | Select this checkbox to configure a proxy server for the connection. | 
| proxy_auth_scheme | ENUM | False | The authentication type to use to authenticate to the ProxyServer proxy. Supported values are: BASIC, DIGEST, NONE | 
| proxy_user | STRING | False | A user name to be used to authenticate to the ProxyServer proxy. | 
| proxy_password | SECRET | False | A password to be used to authenticate to the ProxyServer proxy. | 
| proxy_ssltype | ENUM | False | The SSL type to use when connecting to the ProxyServer proxy. Supported values are: AUTO, ALWAYS, NEVER, TUNNEL | 
Get help from the Google Cloud community
You can post your questions and discuss this connector in the Google Cloud community at Cloud Forums.What's next
- Understand how to suspend and resume a connection.
- Understand how to monitor connector usage.
- Understand how to view connector logs.