Workday Updated Workday-Pro-Integrations Exam Questions and Answers by reina

When creating an Integration System User (ISU) in Workday, the goal is often to ensure that the user is restricted to performing tasks via web services (e.g., API calls or integrations) and cannot log into the Workday user interface (UI). This is a critical security measure to limit the ISU’s access to only what is necessary for integration purposes, adhering to the principle of least privilege. Let’s evaluate each option provided in the question to determine the correct approach based on Workday’s functionality and best practices as outlined in official documentation and the Workday Pro Integrations program.

Option A: Choose a constrained security group.In Workday, security groups define the permissions and access levels for users, including ISUs. There are two types of Integration System Security Groups (ISSGs): constrained and unconstrained. A constrained ISSG limits access to specific organizations or data scopes, while an unconstrained ISSG provides broader access across the tenant. While choosing a constrained security group can enhance security by limiting the scope of data the ISU can access, it does not directly control whether the ISU authenticates via web services or the UI. The type of security group affects data access permissions, not the authentication method or UI access. Therefore, this option does not address the requirement of ensuring authentication only via web services.

Option B: Select the Do Not Allow UI Sessions checkbox.When creating an ISU in Workday, the "Create Integration System User" task presents an option labeled "Do Not Allow UI Sessions." Selecting this checkbox explicitly prevents the ISU from logging into the Workday UI using its credentials. This setting ensures that the ISU can only authenticate and operate through programmatic means, such as web service calls (e.g., SOAP or REST APIs), which is precisely the intent of the question. This is a standard security practice recommended by Workday to isolate integration activities from interactive user sessions, reducing the risk of misuse or unauthorized access through the UI. This option directly aligns with the requirement and is the correct answer.

Option C: Update the session timeout minutes.The "Session Timeout Minutes" field in the ISU creation task determines how long an ISU’s session remains active before it expires. By default, this is set to 0, meaning the session does not expire, which is suitable for integrations that require continuous operation without interruption. Updating this value (e.g., setting it to a specific number of minutes) would cause the session to time out after that period, potentially disrupting long-running integrations. However, this setting pertains to session duration, not the method of authentication or whether UI access is allowed. It does not prevent the ISU from logging into the UI or ensure that authentication occurs only via web services, making this option irrelevant to the question.

Option D: Generate a random password.Generating a random password for the ISU is a good security practice to ensure the credentials are strong and not easily guessable. However, the password itself does not dictate how the ISU authenticates or whether it can access the UI. A random password enhances security but does not inherently restrict the ISU to web service authentication. Without selecting "Do Not Allow UI Sessions," the ISU could still log into the UI with that password, assuming no other restrictions are applied. Thus, this option does not fulfill the requirement of ensuring authentication only via web services.

Why Option B is Correct

The "Do Not Allow UI Sessions" checkbox is a specific configuration in the ISU setup process that directly enforces the restriction of authentication to web services. This setting is part of Workday’s security framework for integrations, ensuring that ISUs—designed as non-human accounts for programmatic access—cannot be used interactively. This aligns with Workday’s best practices for securing integrations, as outlined in the Workday Pro Integrations Study Guide and related documentation. For example, when an ISU is created with this checkbox selected, any attempt to log into the Workday UI with its credentials will fail, while web service requests (e.g., via SOAP or REST APIs) will succeed, assuming proper permissions are granted via an ISSG.

Practical Application

To implement this in Workday:

Log into your Workday tenant with administrative privileges.

Search for and select the "Create Integration System User" task.

Enter a username and password for the ISU.

Check the "Do Not Allow UI Sessions" checkbox.

Leave "Session Timeout Minutes" at 0 (default) to avoid session expiration during integrations.

Save the ISU and assign it to an appropriate ISSG (constrained or unconstrained, depending on the integration’s needs).

This configuration ensures the ISU is locked to web service authentication, meeting the question’s objective.

Verification with Workday Documentation

The Workday Pro Integrations Study Guide emphasizes securing ISUs by restricting them to integration-specific tasks. The "Do Not Allow UI Sessions" option is highlighted as a key control for preventing UI access, ensuring that ISUs operate solely through web services. This is also consistent with broader Workday security training materials, such as those available on Workday Community, which stress isolating integration accounts from human user activities.

Workday Pro Integrations Study Guide References

Section: Integration Security Fundamentals– Discusses the role of ISUs and the importance of restricting their access to programmatic interactions.

Section: Configuring Integration System Users– Details the "Create Integration System User" task, including the "Do Not Allow UI Sessions" checkbox as a security control.

Section: Best Practices for Integration Security– Recommends using this setting to enforce least privilege and protect the tenant from unauthorized UI access by integration accounts.

When setting up security for a Core Connector integration system in Workday, you need to know which web service operation the connector template uses. The best way is to run the "Integration Template Catalog report" within your Workday tenant. This report lists all integration templates and should include details about the web service operations they use, making it easy to configure security.

Why This Matters

This method is efficient because it lets you find the information before running the system, which is crucial for setting up permissions correctly. It's surprising that such a specific report exists, as it simplifies a task that could otherwise involve running the system or guessing from API references.

How It Works

Select the report in your Workday tenant to see a list of all Core Connector templates.

Look for the template you're using and find the associated web service operation listed in the report.

Use this information to set up the right security permissions for your integration.

For more details, check out resources likeWorkday Core ConnectorsorWorkday Integrations.

The scenario involves a Core Connector: Worker integration using the Data Initialization Service (DIS) to export a full file of employee personal data, with a requirement to include a calculated field in the output. Core Connectors rely on predefined field mappings, but custom calculated fields need specific configuration to be included. Let’s analyze the solution:

Requirement:Output the value of a calculated field created for this integration. In Workday, calculated fields are custom-built (e.g., using Report Writer or Calculated Fields) and not part of the standard Core Connector template, so they must be explicitly added to the output.

Integration Field Overrides:In Core Connectors,Integration Field Overridesallow you to replace a delivered field’s value or add a new field to the output by mapping it to a calculated field. This is the standard method to include custom calculated fields in the integration file. You create the calculated field separately,then use overrides to specify where its value appears in the output structure (e.g., as a new column or replacing an existing field).

Option Analysis:

A. Configure Integration Field Attributes: Incorrect. Integration Field Attributes refine how delivered fields are output (e.g., filtering multi-instance data like phone type), but they don’t support adding or mapping calculated fields.

B. Configure Integration Field Overrides: Correct. This configuration maps the calculated field to the output, ensuring its value is included in the exported file.

C. Configure Integration Attributes: Incorrect. Integration Attributes define integration-level settings (e.g., file name, delivery protocol), not field-specific outputs like calculated fields.

D. Configure Integration Maps: Incorrect. Integration Maps transform existing field values (e.g., "Married" to "M"), but they don’t add new fields or directly output calculated fields.

Implementation:

Create the calculated field in Workday (e.g., via Create Calculated Field task).

Edit the Core Connector: Worker integration.

Navigate to theIntegration Field Overridessection.

Add a new override, selecting the calculated field and specifying its output position (e.g., a new field ID or overriding an existing one).

Test the integration to confirm the calculated field value appears in the output file.

References from Workday Pro Integrations Study Guide:

Core Connectors & Document Transformation: Section on "Configuring Integration Field Overrides" explains how to include calculated fields in Core Connector outputs.

Integration System Fundamentals: Notes the use of overrides for custom data in predefined integration templates.

In Workday, when refining a custom report to include specific conditions such as limiting the output to workers hired in the last 30 days, the appropriate place to specify this condition is within theFiltertab of the custom report definition. The Filter tab allows you to define criteria that determine which instances of the primary business object (in this case, "Worker") are included in the report output. This is critical for integrations, as the filtered data ensures that only relevant records are sent to the third-party system.

The requirement here is to restrict the report to workers hired within the last 30 days. In Workday reporting, this can be achieved by adding a filter condition on the "Hire Date" field of the Worker business object. Specifically, you would configure the filter to compare the "Hire Date" against a dynamic date range, such as "Current Date minus 30 days" to "Current Date." This ensures the report dynamically adjusts to include only workers hired in the last 30 days each time it runs, which aligns with the needs of an integration sending real-time data to a third-party system.

Here’s why the other options are incorrect:

A. Subfilter: Subfilters in Workday are used to further refine data within a related business object or a subset of data already filtered by the primary filter. They are not the primary mechanism for applying a condition to the main dataset (e.g., all workers). For this scenario, asubfilter would be unnecessary since the condition applies directly to the Worker business object, not a related object.

B. Output: The Output section of a custom report definition controls how the report is displayed or delivered (e.g., file format, scheduling), not the data selection criteria. It does not allow for specifying conditions like hire date ranges.

C. Columns: The Columns tab defines which fields are displayed in the report output (e.g., Worker ID, Name, Hire Date). While you can add the "Hire Date" field here for visibility, it does not control which workers are included in the report—that is the role of the Filter tab.

To implement this in practice:

In the custom report definition, go to theFiltertab.

Add a new filter condition.

Select the "Hire Date" field from the Worker business object.

Set the operator to "in the range" and define the range as "Current Date - 30 days" to "Current Date" (using dynamic date functions available in Workday).

Save and test the report to ensure it returns only workers hired within the last 30 days.

This filtered report can then be enabled as a web service (via the Advanced tab) or used in an Enterprise Interface Builder (EIB) or Workday Studio integration to send the data to the third-party system, meeting the integration requirement.

References from Workday Pro Integrations Study Guide:

Workday Report Writer Fundamentals: Section on "Creating and Managing Filters" explains how filters are used to limit report data based on specific conditions, such as date ranges.

Integration System Fundamentals: Discusses how custom reports serve as data sources for integrations and the importance of filters in defining the dataset.

Core Connectors & Document Transformation: Highlights the use of filtered custom reports in outbound integrations to third-party systems.