# Security & Integrations #### Authentication * 2FA via authenticator apps. * SSO Through WorkOS ( Future Feature ) #### Integrations * Microsoft Teams & Slack: Get notifications, interact via bot. ( Future Feature ) #### Workday Integrations ## Workday Integration Guide ### EvalFlow ↔ Workday HR Data Synchronization *** ### Table of Contents 1. Introduction 2. Prerequisites 3. Workday Configuration 4. EvalFlow Configuration 5. Status Mapping 6. Sync Behavior 7. Sync Frequency Options 8. Troubleshooting 9. Security Considerations 10. FAQ *** ### Introduction #### What This Integration Does The EvalFlow-Workday integration enables **automatic employee provisioning and synchronization** from your Workday HCM system to EvalFlow. This eliminates manual data entry, ensures consistency, and keeps your performance management platform always up-to-date with your source of truth for employee data. #### Sync Direction > ⚠️ **One-Way Sync**: Workday → EvalFlow > > Data flows **only from Workday to EvalFlow**. Changes made in EvalFlow (such as custom fields or local edits) will not sync back to Workday. #### What Data is Synchronized | Data Type | Description | | ------------------------ | ------------------------------------ | | **Employee Identity** | First name, last name, email address | | **Position** | Job title / business title | | **Department** | Supervisory organization | | **Manager Relationship** | Reporting hierarchy | | **Employment Status** | Active, terminated, on leave, etc. | | **Hire Date** | Original hire date | | **Termination Date** | If applicable | *** ### Prerequisites Before configuring the integration, ensure the following: #### Workday Requirements | Requirement | Details | | -------------------------- | -------------------------------------------------------- | | **Workday Tenant** | Active Workday HCM tenant (Production or Sandbox) | | **Admin Access** | Security Administrator or Integration Administrator role | | **Report Designer Access** | Ability to create Custom Reports (RaaS) | #### EvalFlow Requirements | Requirement | Details | | ----------------- | ------------------------------------ | | **Admin Role** | EvalFlow Admin or Super Admin access | | **Company Setup** | Company already created in EvalFlow | #### Network Considerations * EvalFlow servers must be able to reach your Workday tenant URL * If using Workday in a private cloud or behind a firewall, whitelist EvalFlow's IP ranges (contact support for current IPs) * HTTPS (TLS 1.2+) is required for all connections *** ### Workday Configuration Complete these steps in your Workday tenant. This section is intended for **Workday Administrators**. #### Step 1: Create Integration System User (ISU) The Integration System User is a dedicated service account for EvalFlow to authenticate with Workday. 1. **Navigate to**: Search → "Create Integration System User" 2. **Enter User Details**: * **User Name**: `ISU_EvalFlow` (or your naming convention) * **New Password**: Generate a strong password (save securely) * **Require New Password at Next Sign In**: ❌ Unchecked * **Do Not Allow UI Sessions**: ✅ Checked (recommended for security) 3. **Click OK** to create the user > 💡 **Tip**: Use a naming convention like `ISU_` prefix so integration accounts are easily identifiable. > ⚠️ **Important**: Store the password securely. You'll need it when configuring EvalFlow. #### Step 2: Create Integration System Security Group Security groups control what data the ISU can access. 1. **Navigate to**: Search → "Create Security Group" 2. **Select Type**: `Integration System Security Group (Unconstrained)` 3. **Enter Details**: * **Name**: `ISSG_EvalFlow_Integration` * **Description**: "Security group for EvalFlow HR sync integration" 4. **Click OK** 5. **Add Member**: * Search for and select `ISU_EvalFlow` (the user created in Step 1) * Click OK to save #### Step 3: Assign Domain Permissions Grant the security group read access to worker data. 1. **Navigate to**: Search → "Maintain Permissions for Security Group" 2. **Select**: `ISSG_EvalFlow_Integration` 3. **Under Domain Security Policies**, click **Edit** 4. **Add the following domain permissions**: | Domain | Permission | | ---------------------------------- | -------------- | | Worker Data: Workers | **Get** (View) | | Worker Data: Public Worker Reports | **Get** (View) | 5. **Click OK** to save changes #### Step 4: Activate Security Policy Changes After modifying security policies, you must activate the changes. 1. **Navigate to**: Search → "Activate Pending Security Policy Changes" 2. **Add a Comment**: "Activated EvalFlow integration permissions" 3. **Click OK** to activate > ⚠️ **Note**: In production tenants, this may require approval based on your organization's security workflow. #### Step 5: Create Custom Report (RaaS) Create a Report-as-a-Service (RaaS) report that EvalFlow will query. 1. **Navigate to**: Search → "Create Custom Report" 2. **Report Details**: * **Report Name**: `EvalFlow_Employee_Sync` * **Report Type**: `Advanced` * **Data Source**: `All Active and Terminated Workers` (or your preferred scope) * **Enable As Web Service**: ✅ Checked 3. **Add Report Columns** (exact column names matter): | Report Column Name | Workday Field Path | Required | | ------------------ | ---------------------------------------- | -------- | | `Employee_ID` | Worker → Employee ID | ✅ Yes | | `Email` | Worker → Email - Work (Primary) | ✅ Yes | | `First_Name` | Worker → Legal Name → First Name | ✅ Yes | | `Last_Name` | Worker → Legal Name → Last Name | ✅ Yes | | `Position` | Worker → Business Title | ❌ No | | `Department` | Worker → Supervisory Organization → Name | ❌ No | | `Manager_ID` | Worker → Manager → Employee ID | ❌ No | | `Worker_Status` | Worker → Worker Status | ✅ Yes | | `Hire_Date` | Worker → Hire Date | ❌ No | | `Termination_Date` | Worker → Termination Date | ❌ No | 4. **Configure Filters** (Optional but Recommended): * Exclude contingent workers if not needed * Filter by specific locations or organizations if applicable 5. **Click OK** to save the report #### Step 6: Enable Web Service & Get Endpoint URL 1. **Open the report**: Search → "View Custom Report" → Select `EvalFlow_Employee_Sync` 2. **Click**: Actions → Web Service → View URLs 3. **Copy the JSON endpoint URL**. It will look like: ``` https://wd5.myworkday.com/[tenant]/ccx/service/customreport2/[tenant]/[report_owner]/EvalFlow_Employee_Sync?format=json ``` 4. **Save this URL** - you'll enter it in EvalFlow > 💡 **Tip**: Test the URL by pasting it in a browser while logged into Workday. You should see JSON data. *** ### EvalFlow Configuration Complete these steps in EvalFlow. This section is for **EvalFlow Administrators**. #### Step 1: Navigate to Workday Integration Settings 1. Log in to EvalFlow as an Admin 2. Go to **Settings** → **Integrations** → **Workday** 3. Click **Configure Integration** or **Enable Workday Sync** #### Step 2: Enter Connection Details | Field | Value | Example | | -------------------- | ------------------------------- | ------------------------------------------------------------------------------- | | **Tenant URL** | Your Workday tenant base URL | `https://wd5.myworkday.com/acme` | | **Workers Endpoint** | The RaaS report endpoint path | `/ccx/service/customreport2/acme/john.smith/EvalFlow_Employee_Sync?format=json` | | **Username** | ISU username created in Workday | `ISU_EvalFlow` | | **Password** | ISU password | (stored encrypted) | #### Step 3: Test Connection 1. Click **Test Connection** 2. EvalFlow will attempt to authenticate and fetch a sample of worker data 3. **Success**: You'll see a confirmation with the number of workers found 4. **Failure**: See Troubleshooting section #### Step 4: Configure Sync Settings | Setting | Description | Recommended | | ----------------------------- | ------------------------------------------------ | ------------- | | **Sync Frequency** | How often to sync | Every 6 hours | | **Deactivation Grace Period** | Days before terminated employees are deactivated | 7 days | | **Auto-create Departments** | Create departments from Workday org structure | ✅ Enabled | #### Step 5: Review Status Mapping Review and customize how Workday statuses map to EvalFlow statuses. See Status Mapping section. #### Step 6: Enable Integration 1. Review all settings 2. Click **Enable Sync** 3. Optionally, click **Run Initial Sync** to immediately synchronize all employees *** ### Status Mapping EvalFlow maps Workday worker statuses to internal user statuses. The default mappings are: | Workday Status | EvalFlow Status | Behavior | | -------------- | --------------- | ----------------------------------- | | `Active` | **Active** | Full platform access | | `On Leave` | **Active** | Maintains access during leave | | `Pre-Hire` | **Onboarding** | Limited access for new hires | | `Terminated` | **Inactive** | Access revoked (after grace period) | | `Inactive` | **Inactive** | Access revoked | | `Retired` | **Inactive** | Access revoked | #### Customizing Status Mapping You can customize these mappings in the Workday integration settings: 1. Go to **Settings** → **Integrations** → **Workday** → **Status Mapping** 2. For each Workday status, select the corresponding EvalFlow status 3. Click **Save Mapping** > 💡 **Tip**: If your organization uses custom Workday statuses, add them to the mapping table before the first sync. *** ### Sync Behavior #### New Employee Creation When a new employee appears in Workday: 1. EvalFlow creates a new user account 2. User is created in **Onboarding** or **Active** status (based on Worker\_Status) 3. User receives a welcome email with login instructions 4. Manager relationship is established (if Manager\_ID is provided) #### Employee Updates When employee data changes in Workday: | Field | Update Behavior | | --------------- | ------------------------------------------ | | First/Last Name | ✅ Updated automatically | | Position/Title | ✅ Updated automatically | | Department | ✅ Updated (department created if new) | | Manager | ✅ Updated (manager linked by Employee\_ID) | | Email | ⚠️ **Conditional** - see below | **Email Update Safety** > ⚠️ **Important**: Email addresses are **NOT** automatically updated if: > > * The user has already logged in to EvalFlow, OR > * The user has SSO (WorkOS) authentication enabled > > This prevents authentication issues. Contact support to manually update emails for existing users. #### Employee Termination When an employee is terminated in Workday: 1. **Grace Period**: User remains active for the configured grace period (default: 7 days) 2. **Deactivation**: After grace period, user status changes to **Inactive** 3. **Data Retention**: All user data (feedback, reviews, goals) is preserved 4. **Access Revoked**: User can no longer log in *** ### Sync Frequency Options | Frequency | Best For | API Calls/Day | | ---------------- | ----------------------- | ------------- | | Every 15 minutes | Rapid onboarding needs | \~96 | | Every hour | Most organizations | \~24 | | Every 6 hours | Stable workforce | \~4 | | Every 12 hours | Minimal changes | \~2 | | Daily | Small organizations | 1 | | Manual only | Testing/controlled sync | 0 (on-demand) | > 💡 **Recommendation**: Start with **Every 6 hours** and adjust based on your needs. *** ### Troubleshooting #### Common Errors and Solutions **Authentication Failed (401)** | Cause | Solution | | --------------------------- | ------------------------------------------- | | Incorrect username/password | Verify ISU credentials in Workday | | ISU account locked | Unlock in Workday Security settings | | Password expired | Update password and reconfigure in EvalFlow | **Forbidden (403)** | Cause | Solution | | --------------------------------- | ---------------------------------------------- | | Missing domain permissions | Add "Get" permission for Worker Data domain | | Security policy not activated | Run "Activate Pending Security Policy Changes" | | ISU not in correct security group | Verify ISSG membership | **Report Not Found (404)** | Cause | Solution | | --------------------------------- | ----------------------------------------- | | Incorrect endpoint URL | Verify the RaaS URL path | | Report not enabled as web service | Enable "Web Service" on the custom report | | Report deleted or renamed | Recreate or update the endpoint path | **No Workers Returned** | Cause | Solution | | ------------------------------ | -------------------------------------------------- | | Report filters too restrictive | Adjust report filter criteria | | Wrong data source selected | Use "All Active and Terminated Workers" | | Column names mismatch | Ensure column names match exactly (case-sensitive) | **Manager Relationships Not Syncing** | Cause | Solution | | -------------------------- | ------------------------------------------ | | Manager\_ID column missing | Add Manager → Employee ID to report | | Manager not yet synced | Run sync twice (managers must exist first) | | Circular reference | Check for manager loops in Workday | #### Viewing Sync Logs 1. Go to **Settings** → **Integrations** → **Workday** → **Sync Logs** 2. Review recent sync attempts, success/failure counts, and error details 3. Export logs for support tickets if needed *** ### Security Considerations #### Credential Security * ✅ ISU credentials are **encrypted at rest** using AES-256 * ✅ Credentials are **never logged** or exposed in error messages * ✅ All API calls use **HTTPS/TLS 1.2+** #### Least Privilege Principle The ISU should have **minimum required permissions**: | ✅ Required | ❌ Not Required | | --------------------------- | ----------------------------------- | | Worker Data: Workers (Get) | Worker Data: Workers (Put/Post) | | Public Worker Reports (Get) | Compensation Data | | | Payroll Data | | | Personally Identifiable Information | #### Network Security * Consider restricting the ISU to specific IP ranges if Workday supports it * Use Workday's audit logs to monitor ISU activity * Rotate ISU password periodically (update in EvalFlow after rotation) #### Data Privacy * Only sync data fields that EvalFlow needs * Exclude sensitive fields (SSN, bank info, etc.) from the RaaS report * Review data retention policies for both systems *** ### FAQ #### Q: Can I sync from multiple Workday tenants? **A:** Currently, EvalFlow supports one Workday tenant per company. Contact support for multi-tenant requirements. #### Q: What happens if the sync fails? **A:** EvalFlow retries failed syncs automatically. After 3 consecutive failures, sync is paused and an admin notification is sent. Data remains unchanged until sync succeeds. #### Q: Can I exclude certain employees from syncing? **A:** Yes. Add filters to your Workday RaaS report to exclude specific workers, locations, or worker types. #### Q: How do I sync contractors/contingent workers? **A:** Modify your RaaS report's data source to include contingent workers. Ensure the report includes the same required columns. #### Q: What if an employee's Workday ID changes? **A:** Employee\_ID is the unique identifier. If it changes, EvalFlow will create a new user. Contact support to merge records. #### Q: Can I manually override synced data? **A:** Yes, but manual changes may be overwritten on the next sync for fields controlled by Workday (name, position, department, manager). #### Q: How long does the initial sync take? **A:** Depends on employee count: * < 500 employees: \~1-2 minutes * 500-2,000 employees: \~5-10 minutes * 2,000+ employees: \~15-30 minutes #### Q: Is there a sandbox mode for testing? **A:** Yes. Use your Workday sandbox tenant URL during initial setup. Switch to production when ready. *** ### Support For integration support, contact: * **Email**: * **Documentation**: * **In-App Help**: Settings → Help → Contact Support *** *Last Updated: January 2026* *Version: 1.0*