Required Scopes and Endpoint Domains for Workday

When integrating with Workday, your application needs specific permissions to interact with the API.

These permissions are defined by access scopes, which determine what data your application can access and what actions it can perform.

This topic provides information about the required access scopes and endpoint domains for the Workday connector.

Understanding Scopes

Scopes are a way to limit an application's access to a user's data. They define the specific actions that an application can perform on behalf of the user.

For example, a read-only scope might allow an application to view data, while a full access scope might allow it to modify data.

Required Scopes for Workday

Scope	Description
System	List views and columns. Required for read access.
Tenant Non-Configurable	Access and execute reports as a service.
Workday Owned Scope	Include items or components owned and managed by Workday. Required for read access.

Understanding Endpoint Domains

Endpoint domains are the specific URLs that the application needs to communicate with in order to authenticate, retrieve records, and perform other essential operations.

Allowlisting these domains ensures that the network traffic between your application and the API is not blocked by firewalls or security settings.

Note: Most users do not need to make any special configurations. Allowlisting is typically only necessary for environments with strict security measures, such as restricted outbound network traffic.

Required Endpoint Domains for Workday

Domain	Always Required	Description
<Base URL>	TRUE	The base URL of your Workday REST API Endpoint, as specified in the BaseURL connection property.
community.workday.com	FALSE	The base URL for the Workday SOAP API. Required if using SOAP for your ConnectionType.
<CustomReportURL>	FALSE	The URL of your report catalog. Required if using Reports for your ConnectionType.
login.microsoft.com	FALSE	The base URL for AzureAD SSO. Required if using AzureAD as your AuthScheme