Brex and Workday

OverviewIntegration System Security Group (ISSG)Integration System User (ISU)Configure domain security policy permissionsManage authentication policiesObtain the web services endpoints for the Workday tenant


This guide covers setup instructions for integrating your Workday account with Brex. Note: Workday configures their permissions on a field level, so we’ll need access to a number of fields to get things up and running.

Integration System Security Group (ISSG)

Create an ISSG

Step 1: Type “create security group” in the Workday search bar and click Create Security Group. Step 2: From Type of Tenanted Security Group, select Integration System Security Group (Unconstrained) and give the group a name like “Sample_Brex_ISSG”. Click Ok.

CX - Workday03

Step 3: On the next screen, under Integration System Users, add the ISU you created in Step 1 to the list. Click OK, and then Done.

Integration System User (ISU)

Create an ISU

Step 1: Type “Create Integration System User” in the Workday search bar and select the task.

CX - Workday01

Step 2: Enter a new username and password in accordance with your rules.

Note: Keep the Session Timeout Minutes default value of 0 to prevent session expiration. An expired session can cause the integration to time out before it successfully completes.

Step 3: Select Do Not Allow UI Sessions if you want to prevent the integration system user from signing in to Workday through the UI.

Step 4: To avoid integration errors caused by expired passwords, search for the Maintain Password Rules task and add the integration system user to the System Users exempt from password expiration field.

Assign to ISSG

Step 1: Create your ISSG, following the instructions above.

Step 2: On the next screen, under Integration System Users, add your ISU to the list.

Step 3: Click OK, and then Done.

CX - Workday04
CX - Workday02

Configure domain security policy permissions

Now you can ensure that the ISSG has access to the necessary business domains. In the Security Group, edit the Domain Security Policy Permissions and add the following GET ONLY operations:

  • Worker Data: Current Staffing Information
  • Worker Data: Public Worker Reports
  • Worker Data: Personal Data

To do this, follow these steps. Step 1: Type “View Security Group” in the Workday search bar, select your newly created ISSG, and click OK. Step 2: On the next page, click the ellipsis icon after the Security Group name and select Tenanted Security Group > Copy.

CX - Workday05

Step 3: Select Maintain to be be added to the specified business domains listed above.

CX - Workday06

Step 4: Add the necessary domains by selecting “+”.

CX - Workday07

Step 5: After you’ve added all of the necessary domains, activate the security policy changes by typing “Activate Pending Security Policy Changes” in the Workday search bar and selecting the result. Step 6: Enter a comment (e.g., “Brex implementation”), then click OK to activate.

CX - Workday08

Step 7: Check the Confirm checkbox verifying the changes that need to be activated.

CX - Workday09

Manage authentication policies

Step 1: In production, add the ISU security group to the authentication policy in Workday to allow for access. Step 2: Type “Manage Authentication Policies” and select the correct environment.

CX - Workday10

Step 3: Add the ISSG that was created to the necessary group (this will vary depending on your setup). Click Done.

CX - Workday10

Step 4: Activate your policy changes after you make the change, located on the Manage Authentication Policies screen. Step 5: Select Activate All Authentication Policies, add the comment, and click OK. Check the Confirm checkbox to activate.

CX - Workday12
CX - Workday13

Obtain the web services endpoints for the Workday tenant

You can find your Workday HR endpoints by following the steps below. Step 1: Search for and open Public Web Services in Workday. Step 2: Hover over Human resources and click the three dots to access the menu Step 3: Click Web Services > View WSDL. Step 4: At the bottom of the following page, find the host, which will look something like this:

CX - Workday14

Note: Endpoints differ across tenants, so please provide us with endpoints for each testing environment.

Was this article helpful?