Hi @niket345,
This error is due to a lack of permissions for the integration user. You need to create two integration users: one for read (SailPoint_ReadUser) and the other for write (SailPoint_WriteUser).
Constrained
- On the Workday system, search for the Create Security Group task.
- Select Integration System Security Group (Constrained).
- Provide a name to the integration group. Create two groups as follows:
  - For the Read group (SailPoint_Read_Group)
  - For the Write (provisioning) group (SailPoint_Write_Group)
- Add the Integration System Users created to the respective groups.
- Select single or multiple organizations for whom the integration group would have access.
  Note: The organizations selected have to be of the same type (such as SUPERVISORY, COST_CENTER).
- For access rights to organizations, select the option for Applies to Current Organization Only.
Unconstrained
- Create the Integration System Security Group (Unconstrained).
- Perform the following for the Integration System Security Group:
- Add the user in the Integration System Security Group (Unconstrained). The permissions are given to integration system groups that are attached to the integration system.
- Modify the Integration System Security Group to associate Maintain Contact information Domain
- Modify the Integration System Security Group to associate the domains required by the Workday Integration System.
- For updating the UserID (User Name on Workday) provide the GET and PUT permission for the relevant security group for the Domain Security Policy:
- Workday Accounts (Functional area: System)
GET and PUT Permission to Read and Write Security Group
- On the Workday system, go to the Actions item of the groups created and select Security Group.
- On the Security Group panel, select Maintain Permissions for Security Group from the list.
- Add the domain security policies permitting the GET or PUT access list for the Read and Write groups, respectively, from the following table:
- For the Read group (the SailPoint_Read_Group): GET
- For the Write (provisioning) group (the SailPoint_Write_Group): PUT
- Select Done.
- Search for the Activate Pending Security Policy Change task and run it.
In addition to that, you will have to provide System Security Group to associate required permissions for the Workday Web Services like Get References, Maintain Contact Information, Home Contact Change, Work Contact Change.
I have appended the Workday Connector Guide here for additional reference.
SailPoint Workday Connector Guide.pdf (541.5 KB)