This document explains how to integrate Workday HRIS with the Oloid Cloud Platform, with Workday serving as the system of record for employee and organizational data. The integration supports key workforce use cases, including:
Workday Time Clock Enablement – Ensures accurate employee, position, schedule, and employment status data for compliant and reliable time punches.
Automated Employee Onboarding & Offboarding – Provisions and de-provisions users automatically in downstream systems such as Brivo, Microsoft Entra ID, ProWatch, and other connected platforms.
By enabling real-time or near real-time data synchronization, the Workday–Oloid integration delivers the following operational and security benefits:
Reduced Human Errors – Eliminates manual data entry and minimizes data inconsistencies.
Faster Onboarding – Enables employees to receive system and facility access as soon as they are onboarded in Workday.
Secure Offboarding – Ensures timely removal of access when an employee leaves the organization.
Data Consistency Across Systems – Maintains a single, accurate source of truth across all integrated platforms.
Operational Efficiency – Reduces administrative overhead and manual coordination efforts.
Improved Compliance & Audit Readiness – Helps meet internal policies and regulatory requirements through accurate and timely data updates.
Now, let's walk through the steps to generate credentials in Workday for user provisioning in Oloid Cloud Platform:
💡 To follow the below steps you require administrative access on your organization's Workday account.
Step 1: Create an Integration System User
In Workday, use the search bar to navigate to the Create Integration System User task, and click on the option presented. (see screenshot 'Step 1.1' below)
Create a new Username (in this example we'll use 'workday_user_provisioning' and Password. Ensure you have a copy of this information as you will need it later.
Ensure the following fields are set as stated below:
'Require new password at Next Sign in' is unchecked
'Session Timeout Minutes' is set to '0'.
'Do Not Allow UI Sessions' is checked
Click OK to create the integration system user.
👉 Make a note of your Username and Password as it will be needed for the integration request.
Step 1.1
Step 1.2-1.4
Step 2: Create an Integration Security Group
Use the search bar to navigate to the Create Security Group task.
For the Type of Tenanted Security Group drop down select Integration System Security Group (Unconstrained)
Create a name for this security group, for example,
'xyz demo_user_provisioning'👉 Make a note of this as you will need it in the next step and click OK.
In the Integration System User field select the name you created in step 1 ('workday_user_provisioning')
Click OK
Click Done
Step 2.2 - 2.3
Step 2.4 - 2.5
Step 3: Setup Integration System Users for Inbound and Outbound and Integration User Group(s) for Securable items in Workday
Add the domains that you want to sync with OLOID to the security group. All domains are listed in a Configurable Security Matrix. You need to add all domains directly –
Search for Maintain Permission for Security Group and select it.
Make sure to add following Domain Security Policies.
For Worker Data
Operation | Domain Security Policy | Functional Areas |
Get Only | Worker Data: All Positions | Staffing |
Get Only | Worker Data: Organization Information | Staffing |
Get Only | Worker Data: Workers | Staffing |
Get Only | Worker Data: Current Staffing Information | Staffing |
Get Only | Person Data: Name | Contact Information |
Get Only | Worker Data: Public Worker Reports | Staffing |
Get Only | Person Data: Work Contact Information | Contact Information |
View Only | Worker Data: Current Staffing Information | Staffing |
View Only | Worker Data: Historical Staffing Information | Staffing |
For Time Punch
Operation | Domain Security Policy | Functional Areas |
View and Modify | Set Up: Time Tracking | Time Tracking |
Get and Put | Time Tracking: Edit Time Clock Event Date and Time | Time Tracking |
View and Modify | Process: Time Clock Event Processing | Time Tracking |
View and Modify | Process: Time Clock Event REST API's | Time Tracking |
Get and Put | Process: Time Clock Event REST API's | Time Tracking |
b. Search for correct Source Security Group.
c. Edit View/Modify access wherever applicable.
Step 4: Activate the Security Policies
Use the search bar to navigate to the Activate Pending Security Policy Changes task.
Enter a comment, for example, 'activated demo_course'.
Click OK, then review the permissions.
Check the Confirm check box and click OK.
The next page will confirm activation.
Step 4.2
Step 5: Register the API Client for Integrations
Use the search bar to navigate to the Register API Client for Integrations task.
In the form that appears, fill in:
Client Name: e.g.,
ACI_Oloid_HCMNon-Expiring Refresh Tokens: Checked
Disabled: Unchecked
Scope (Functional Areas): Add at least Worker Profile and Skills, Staffing, System
Make sure to add following Scope (functional Areas)
For Worker Data
Staffing
Contact Information
Adaptive Planning for Financial Plans (For WQL export)
Adaptive Planning for the Workforce (For WQL export)
System (For WQL export)
For Time Punch
Time Tracking
Include Workday Owned Scope: Unchecked
Restricted to IP Ranges: None
(see screenshot 'Step 5.2' below)
Click OK.
On the next page, you'll be able to see your Client ID and Client Secret.
👉 Make note of the Client ID and Client Secret as you will need to share these with your Oloid Cloud Platform Integrations specialist.
Step 5.2
Step 5.4
Step 6: Generate a Refresh Token
Use the search bar to navigate to the View API Clients report.
Take note of the Workday REST API Endpoint, Token Endpoint, and Authorization Endpoint as you will need to share these with your Oloid Cloud Platform Integrations consultant. (see screenshot 'Step 6.2' below)
Select the API Clients for Integrations tab and locate the API Client created in the previous step. Press the 3 dots and select API Client > Manage refresh tokens for Integrations.
In the pop-up that appears, select the ISU created in an earlier step.
Tick Generate New API Token and press OK. A new refresh token will appear in the list.
👉 Make note of this as you will need to share it with your Oloid Cloud Platform Integrations consultant.
Step 6.2
Step 6.3
Step 6.5
Step 7: Create a Custom Report and Obtain the WQL Query
Use the search bar to navigate to the Create Custom Report tab. In the dialog, name the report, select Report Type: Advanced, and Data Source: Workers for HCM Reporting. (see screenshot 'Step 7.1' below)
Create a report that comprises all the data that you would like to use in Oloid Cloud Platform. At a minimum, add Workday ID, First Name, Last Name, and Email Address. You may also add other metadata like title, department, location, etc.
Save the report.
Use the search bar to navigate to the Convert report to WQL report. In the dialog, select the custom report you just created. A new screen will appear. Take note of the query under the heading “Converted WQL Query String”. It should look something like:
SELECT workdayID, firstName, lastName, email_PrimaryWork FROM workersForHCMReporting
Step 7.1
Step 7.2
Step 8: Share with Oloid Cloud Platform
After completing the above steps, you should have the following information:
Client ID and Client Secret (from Step 5)
Refresh Token (from Step 6)
Workday REST API Endpoint, Token Endpoint, Authorization Endpoint (from Step 6)
WQL Query String (from Step 7)
Please provide this information to your Oloid Cloud Platform CSM or Integrations consultant to complete the integration process.
💡 Remember, the steps above are for a demo scenario. The names and settings you use may vary based on your organization's specific needs and policies. Always ensure you're following your organization's security guidelines when creating and managing users and permissions.