API call for Workday Accounts connector

We are in the process of setting up the Workday Accounts connector to aggregate Workday security. We plan to run Workday access certification from IdentityNow. It looks like IDN is only bringing in user-based security groups. We also need to read role-based and rule-based security groups.

I wonder if anyone is able to aggregate Role and Rule based user groups from Workday?

Our Workday team is also asking us for a SOAP call being sent from IDN. Has anyone been able to build it for Workday accounts connector?

Thank you
Haresh Patel

Hi Haresh,

According to the Workday Accounts documentation, by default the OrganizationRole group object is not part of the out of the box schema and needs to be added. Have you added this schema? Documentation reference here.

Additionally, SOAP is the type of API Workday primarily utilizes. Any of the calls IDN makes to Workday, including aggregation and provisioning, utilize the SOAP API. As this is an OOTB connector, I am not sure what calls it is making exactly for each action. Is there a specific call you are looking for?

Please let me know if this helps!

Thank you,

- Zach

Thank you, Zach, for your response. However, I am not able to update the source schema with the API call as explained here Link

I am sending a POST API call from Postman to {{baseUrl}}/sources/:id/schemas with the following payload.

{
  "name": "OrganizationRole",
  "nativeObjectType": "OrganizationRole",
  "identityAttribute": "ORG_ROLE##ORG_NAME",
  "displayAttribute": "ORG_ROLE##ORG_NAME",
  "hierarchyAttribute": null,
  "includePermissions": false,
  "features": [],
  "configuration": {},
  "attributes": [
    {
      "name": "ORG_ROLE##ORG_NAME",
      "type": "STRING",
      "schema": null,
      "description": "Associates an organization role reference ID with an organization name reference ID",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "ROLE_NAME",
      "type": "STRING",
      "schema": null,
      "description": "Name of the Role",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "ORGANIZATION_NAME",
      "type": "STRING",
      "schema": null,
      "description": "Name of the organization",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "ASSOCIATED_SECURITY_GROUP",
      "type": "STRING",
      "schema": null,
      "description": "Name of the Associated role-based security group",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    }
  ]
}

Here is the message I get:

{
  "messages": [
    {
      "localeOrigin": "REQUEST",
      "text": "An internal fault occurred.",
      "locale": "en-US"
    },
    {
      "localeOrigin": "DEFAULT",
      "text": "An internal fault occurred.",
      "locale": "en-US"
    }
  ],
  "detailCode": "500.0 Internal fault",
  "trackingId": "28e3d5d3a5b448bb881310f0cce2183a"
}

Even the GET ({{baseUrl}}/sources/:id/schemas/accounts) call to download the schema does not run successfully.

Thank you
Haresh Patel

Hello Zach,

Finally, I was able to execute the API call to add the schema for the Organization Role. However, I am not sure where I can see the update in the UI.

Also, my aggregation now fails with the following message.

Exception while aggregating workday account for page : 1 : [ ConnectorException ] [ Error details ] a) Please check whether getWorkers API response is valid b) Please verify whether required permission are given to integration system user.

Thanks for any help you can provide.

-Haresh Patel

To better help users who see this in the future with a similar issue

  • What was it that needed to be changed to get the schema added through the API?
  • If this issue is resolved, what was the actual issue and its fix?

Assuming this is not resolved:

  • Are you able to see the new schema set up when you use the API to pull it back?

  • Does your service account user have permissions to access the endpoint added for the new schema?

  • Do you have the schema configured correctly? If it is not showing in the UI there could be a configuration missing or incorrect.

I had a typo in my API call.

After adding the “Organization” role schema and the schema attribute ORG_ROLE##ORG_NAME, type “OrganizationRole”, multi-value attribute, I now see more than 200k entitlements on my source. It looks like it is creating the same entitlement for each “ORG” with the org name appended at the end. For example:

Background_Check_Coordinator##SUP_1001
Background_Check_Coordinator##SUP_1002

I have around 125 user-assigned roles and then more than 200K organization roles. I have no idea how Workday security works.

Hope this helps

Haresh Patel
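
An added example, not part of the original thread and not SailPoint's connector code: a short Python script that splits the `ROLE##ORG` entitlement values described in the last post and counts distinct roles and organizations, showing how one entitlement per role and organization pair inflates the total that a certification campaign has to cover. The function names are hypothetical, and every sample value except the two quoted in the post is constructed.

```python
from collections import defaultdict

SEPARATOR = "##"  # delimiter seen in the thread's ORG_ROLE##ORG_NAME values


def split_org_role(value):
    """Split 'ROLE##ORG' into (role, org); return None if the value is malformed."""
    role, sep, org = value.strip().partition(SEPARATOR)
    if not sep or not role or not org:
        return None
    return role, org


def summarize(entitlements):
    """Group composite entitlement values by role and count distinct organizations."""
    orgs_by_role = defaultdict(set)
    malformed = []
    for value in entitlements:
        parsed = split_org_role(value)
        if parsed is None:
            malformed.append(value)  # keep for review instead of dropping silently
            continue
        role, org = parsed
        orgs_by_role[role].add(org)  # the set removes duplicate rows
    all_orgs = set().union(*orgs_by_role.values())
    return {
        "pairs": sum(len(orgs) for orgs in orgs_by_role.values()),
        "roles": len(orgs_by_role),
        "orgs": len(all_orgs),
        "orgs_per_role": {r: len(o) for r, o in sorted(orgs_by_role.items())},
        "malformed": malformed,
    }


# Constructed sample: the first two values are quoted in the thread, the rest are made up.
SAMPLE = [
    "Background_Check_Coordinator##SUP_1001",
    "Background_Check_Coordinator##SUP_1002",
    "HR_Partner##SUP_1001",
    "HR_Partner##SUP_1002",
    "HR_Partner##SUP_1003",
    "Background_Check_Coordinator##SUP_1001",  # duplicate row
    "Employee_As_Self",  # constructed value with no separator
]

if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```

Run against an export of the source's entitlement values, the `roles` figure is the number of distinct role names to review, while `pairs` is the number of role and organization assignments the source reports as separate entitlements.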