Saviynt Forums

ejeong · ‎08/10/2022

Can anyone please confirm if we can use REST API to import security groups and its membership from Workday? or do I have to use SOAP API? Currently workday team is giving role with security group so we need to make these security group should be requestable.

If anyone already implemented, could you please share JSON for account / entitlement import and Add/remove Access?

I need to explain what's required from Workday side to workday admin.

Thanks

Sivagami · ‎08/10/2022

Workday 2.0 Connector is available and ask your Workday team to develop Raas reports and provide needed access to the ISU account as mentioned in the documentation - https://saviynt.freshdesk.com/support/solutions/articles/43000618934-workday-connector-guide-2-0

sahajranajee · ‎08/10/2022

Hi @ejeong ,

As @Sivagami mentioned, The integration specific to Security groups for reconciliation is via RaaS reports whereas provisioning/deprovisioning of User Based Security Groups is via SOAP payload.

Please check the guide and let us know if you have further questions : https://saviynt.freshdesk.com/support/solutions/articles/43000618934-workday-connector-guide-2-0

Regards,
Sahaj Ranajee
Sr. Product Specialist

ejeong · ‎08/10/2022

Thank you..

Could you please guide me where and how to apply entitlement import?

I know following is for account import from RaaS but not sure how to add entitlement import info.

{
	"ImportType": "SOAP",
	"ResponsePath": "Body.Get_Workers_Response.Response_Data.Worker”,
	"ImportMapping": {
		"NAME": "Worker_Data.Worker_ID",
		"ACCOUNTID": "Worker_Data.User_ID",
		...
	}
}

ejeong · ‎08/10/2022

Also, i can see provisioning sample for security group with SOAP. Can you please share remove access sample as well which is not in doc?

Thanks

sahajranajee · ‎08/10/2022

@ejeong ,

Both provisioning and deprovisioning use the same WD webservice. Its importing to import all User Based Security groups before doing prov/deprov as the webservice always does a full replace.

For Security Group import, create a RAAS report as specified in the Documentation and update the RAAS_MAPPING_JSON with the details . Please see docs for examples.

For Prov and deprov the Workday Connector utilises the 'Put_Assign_User-Based_Security_Group' Workday Web Service which performs a FULL REPLACEMENT of security groups.

See details below :Workday Web Service Documentation Link : https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v38.2/P...

While provisioning, the Saviynt Connector utilizes the specified payload ( as given in our documentation) and appends it to all the existing access that the user already has and sends the combined payload.

While deprovisioning, the Saviynt Connector automatically calculates which access needs to be removed and sends the payload consisting of all existing access minus the ones requested to be removed. There is no need to specify deprovisioning payload on the connector, the connector automatically does it.

Regards,
Sahaj Ranajee
Sr. Product Specialist

ejeong · ‎08/10/2022

Does this mean i need to add same JSON in both add / remove acess JSON?

Also, can you please let me know the syntax for entitlement import and where to implement.

ejeong · ‎08/10/2022

If you have account/entitlement import mapping JSON, i would appreciate if you can share that to me. Thanks

sahajranajee · ‎08/10/2022

Hi @ejeong ,

When you create a Workday Connector, since its an OOTB you will be seeing specific fields related to the connector. There will not be a generic ADD ACccess/REmove access field available.

You need to specify RAAS_MAPPING_JSON which holds the list of RaaS report urls :

once done, the entitlement mapping is taken care by the connector and it cannot be modified.
You have the ability to override the default account mapping by setting up mapping in ACCOUNT_IMPORT_MAPPING

I would request you to go through the full Workday Connector guide for better understanding :
https://saviynt.freshdesk.com/support/solutions/articles/43000618934-workday-connector-guide-2-0

Regards,
Sahaj Ranajee
Sr. Product Specialist

ejeong · ‎08/10/2022

Thanks. I am using RaaS import for different pupose already but was curios where to define entitlement attribute mapping. it looks like define autoamtically based on config in OOTB.

regarding Payload, I can't find "Security Group Provisioning Payload" in connection to apply xml below

sahajranajee · ‎08/10/2022

Hi @ejeong ,

The payload is provided as an example of what we use. The connector will automatically make use of it and do prov and deprov accordingly. You don't need to specify it. Let us know if you face issues.

Regards,
Sahaj Ranajee
Sr. Product Specialist

ejeong · ‎08/10/2022

I see. Now I completely understood how it works. Thank you very much

Saviynt Forums

Workday Entitlement Management