# Security & Integrations #### Authentication * 2FA via authenticator apps. * SSO Through WorkOS ( Future Feature ) #### Integrations * Microsoft Teams & Slack: Get notifications, interact via bot. ( Future Feature ) #### Workday Integrations ## Workday Integration Guide ### EvalFlow ↔ Workday HR Data Synchronization *** ### Table of Contents 1. Introduction 2. Prerequisites 3. Workday Configuration 4. EvalFlow Configuration 5. Status Mapping 6. Sync Behavior 7. Sync Frequency Options 8. Troubleshooting 9. Security Considerations 10. FAQ *** ### Introduction #### What This Integration Does The EvalFlow-Workday integration enables **automatic employee provisioning and synchronization** from your Workday HCM system to EvalFlow. This eliminates manual data entry, ensures consistency, and keeps your performance management platform always up-to-date with your source of truth for employee data. #### Sync Direction > ⚠️ **One-Way Sync**: Workday → EvalFlow > > Data flows **only from Workday to EvalFlow**. Changes made in EvalFlow (such as custom fields or local edits) will not sync back to Workday. #### What Data is Synchronized | Data Type | Description | | ------------------------ | ------------------------------------ | | **Employee Identity** | First name, last name, email address | | **Position** | Job title / business title | | **Department** | Supervisory organization | | **Manager Relationship** | Reporting hierarchy | | **Employment Status** | Active, terminated, on leave, etc. | | **Hire Date** | Original hire date | | **Termination Date** | If applicable | *** ### Prerequisites Before configuring the integration, ensure the following: #### Workday Requirements | Requirement | Details | | -------------------------- | -------------------------------------------------------- | | **Workday Tenant** | Active Workday HCM tenant (Production or Sandbox) | | **Admin Access** | Security Administrator or Integration Administrator role | | **Report Designer Access** | Ability to create Custom Reports (RaaS) | #### EvalFlow Requirements | Requirement | Details | | ----------------- | ------------------------------------ | | **Admin Role** | EvalFlow Admin or Super Admin access | | **Company Setup** | Company already created in EvalFlow | #### Network Considerations * EvalFlow servers must be able to reach your Workday tenant URL * If using Workday in a private cloud or behind a firewall, whitelist EvalFlow's IP ranges (contact support for current IPs) * HTTPS (TLS 1.2+) is required for all connections *** ### Workday Configuration Complete these steps in your Workday tenant. This section is intended for **Workday Administrators**. #### Step 1: Create Integration System User (ISU) The Integration System User is a dedicated service account for EvalFlow to authenticate with Workday. 1. **Navigate to**: Search → "Create Integration System User" 2. **Enter User Details**: * **User Name**: `ISU_EvalFlow` (or your naming convention) * **New Password**: Generate a strong password (save securely) * **Require New Password at Next Sign In**: ❌ Unchecked * **Do Not Allow UI Sessions**: ✅ Checked (recommended for security) 3. **Click OK** to create the user > 💡 **Tip**: Use a naming convention like `ISU_` prefix so integration accounts are easily identifiable. > ⚠️ **Important**: Store the password securely. You'll need it when configuring EvalFlow. #### Step 2: Create Integration System Security Group Security groups control what data the ISU can access. 1. **Navigate to**: Search → "Create Security Group" 2. **Select Type**: `Integration System Security Group (Unconstrained)` 3. **Enter Details**: * **Name**: `ISSG_EvalFlow_Integration` * **Description**: "Security group for EvalFlow HR sync integration" 4. **Click OK** 5. **Add Member**: * Search for and select `ISU_EvalFlow` (the user created in Step 1) * Click OK to save #### Step 3: Assign Domain Permissions Grant the security group read access to worker data. 1. **Navigate to**: Search → "Maintain Permissions for Security Group" 2. **Select**: `ISSG_EvalFlow_Integration` 3. **Under Domain Security Policies**, click **Edit** 4. **Add the following domain permissions**: | Domain | Permission | | ---------------------------------- | -------------- | | Worker Data: Workers | **Get** (View) | | Worker Data: Public Worker Reports | **Get** (View) | 5. **Click OK** to save changes #### Step 4: Activate Security Policy Changes After modifying security policies, you must activate the changes. 1. **Navigate to**: Search → "Activate Pending Security Policy Changes" 2. **Add a Comment**: "Activated EvalFlow integration permissions" 3. **Click OK** to activate > ⚠️ **Note**: In production tenants, this may require approval based on your organization's security workflow. #### Step 5: Create Custom Report (RaaS) Create a Report-as-a-Service (RaaS) report that EvalFlow will query. 1. **Navigate to**: Search → "Create Custom Report" 2. **Report Details**: * **Report Name**: `EvalFlow_Employee_Sync` * **Report Type**: `Advanced` * **Data Source**: `All Active and Terminated Workers` (or your preferred scope) * **Enable As Web Service**: ✅ Checked 3. **Add Report Columns** (exact column names matter): | Report Column Name | Workday Field Path | Required | | ------------------ | ---------------------------------------- | -------- | | `Employee_ID` | Worker → Employee ID | ✅ Yes | | `Email` | Worker → Email - Work (Primary) | ✅ Yes | | `First_Name` | Worker → Legal Name → First Name | ✅ Yes | | `Last_Name` | Worker → Legal Name → Last Name | ✅ Yes | | `Position` | Worker → Business Title | ❌ No | | `Department` | Worker → Supervisory Organization → Name | ❌ No | | `Manager_ID` | Worker → Manager → Employee ID | ❌ No | | `Worker_Status` | Worker → Worker Status | ✅ Yes | | `Hire_Date` | Worker → Hire Date | ❌ No | | `Termination_Date` | Worker → Termination Date | ❌ No | 4. **Configure Filters** (Optional but Recommended): * Exclude contingent workers if not needed * Filter by specific locations or organizations if applicable 5. **Click OK** to save the report #### Step 6: Enable Web Service & Get Endpoint URL 1. **Open the report**: Search → "View Custom Report" → Select `EvalFlow_Employee_Sync` 2. **Click**: Actions → Web Service → View URLs 3. **Copy the JSON endpoint URL**. It will look like: ``` https://wd5.myworkday.com/[tenant]/ccx/service/customreport2/[tenant]/[report_owner]/EvalFlow_Employee_Sync?format=json ``` 4. **Save this URL** - you'll enter it in EvalFlow > 💡 **Tip**: Test the URL by pasting it in a browser while logged into Workday. You should see JSON data. *** ### EvalFlow Configuration Complete these steps in EvalFlow. This section is for **EvalFlow Administrators**. #### Step 1: Navigate to Workday Integration Settings 1. Log in to EvalFlow as an Admin 2. Go to **Settings** → **Integrations** → **Workday** 3. Click **Configure Integration** or **Enable Workday Sync** #### Step 2: Enter Connection Details | Field | Value | Example | | -------------------- | ------------------------------- | ------------------------------------------------------------------------------- | | **Tenant URL** | Your Workday tenant base URL | `https://wd5.myworkday.com/acme` | | **Workers Endpoint** | The RaaS report endpoint path | `/ccx/service/customreport2/acme/john.smith/EvalFlow_Employee_Sync?format=json` | | **Username** | ISU username created in Workday | `ISU_EvalFlow` | | **Password** | ISU password | (stored encrypted) | #### Step 3: Test Connection 1. Click **Test Connection** 2. EvalFlow will attempt to authenticate and fetch a sample of worker data 3. **Success**: You'll see a confirmation with the number of workers found 4. **Failure**: See Troubleshooting section #### Step 4: Configure Sync Settings | Setting | Description | Recommended | | ----------------------------- | ------------------------------------------------ | ------------- | | **Sync Frequency** | How often to sync | Every 6 hours | | **Deactivation Grace Period** | Days before terminated employees are deactivated | 7 days | | **Auto-create Departments** | Create departments from Workday org structure | ✅ Enabled | #### Step 5: Review Status Mapping Review and customize how Workday statuses map to EvalFlow statuses. See Status Mapping section. #### Step 6: Enable Integration 1. Review all settings 2. Click **Enable Sync** 3. Optionally, click **Run Initial Sync** to immediately synchronize all employees *** ### Status Mapping EvalFlow maps Workday worker statuses to internal user statuses. The default mappings are: | Workday Status | EvalFlow Status | Behavior | | -------------- | --------------- | ----------------------------------- | | `Active` | **Active** | Full platform access | | `On Leave` | **Active** | Maintains access during leave | | `Pre-Hire` | **Onboarding** | Limited access for new hires | | `Terminated` | **Inactive** | Access revoked (after grace period) | | `Inactive` | **Inactive** | Access revoked | | `Retired` | **Inactive** | Access revoked | #### Customizing Status Mapping You can customize these mappings in the Workday integration settings: 1. Go to **Settings** → **Integrations** → **Workday** → **Status Mapping** 2. For each Workday status, select the corresponding EvalFlow status 3. Click **Save Mapping** > 💡 **Tip**: If your organization uses custom Workday statuses, add them to the mapping table before the first sync. *** ### Sync Behavior #### New Employee Creation When a new employee appears in Workday: 1. EvalFlow creates a new user account 2. User is created in **Onboarding** or **Active** status (based on Worker\_Status) 3. User receives a welcome email with login instructions 4. Manager relationship is established (if Manager\_ID is provided) #### Employee Updates When employee data changes in Workday: | Field | Update Behavior | | --------------- | ------------------------------------------ | | First/Last Name | ✅ Updated automatically | | Position/Title | ✅ Updated automatically | | Department | ✅ Updated (department created if new) | | Manager | ✅ Updated (manager linked by Employee\_ID) | | Email | ⚠️ **Conditional** - see below | **Email Update Safety** > ⚠️ **Important**: Email addresses are **NOT** automatically updated if: > > * The user has already logged in to EvalFlow, OR > * The user has SSO (WorkOS) authentication enabled > > This prevents authentication issues. Contact support to manually update emails for existing users. #### Employee Termination When an employee is terminated in Workday: 1. **Grace Period**: User remains active for the configured grace period (default: 7 days) 2. **Deactivation**: After grace period, user status changes to **Inactive** 3. **Data Retention**: All user data (feedback, reviews, goals) is preserved 4. **Access Revoked**: User can no longer log in *** ### Sync Frequency Options | Frequency | Best For | API Calls/Day | | ---------------- | ----------------------- | ------------- | | Every 15 minutes | Rapid onboarding needs | \~96 | | Every hour | Most organizations | \~24 | | Every 6 hours | Stable workforce | \~4 | | Every 12 hours | Minimal changes | \~2 | | Daily | Small organizations | 1 | | Manual only | Testing/controlled sync | 0 (on-demand) | > 💡 **Recommendation**: Start with **Every 6 hours** and adjust based on your needs. *** ### Troubleshooting #### Common Errors and Solutions **Authentication Failed (401)** | Cause | Solution | | --------------------------- | ------------------------------------------- | | Incorrect username/password | Verify ISU credentials in Workday | | ISU account locked | Unlock in Workday Security settings | | Password expired | Update password and reconfigure in EvalFlow | **Forbidden (403)** | Cause | Solution | | --------------------------------- | ---------------------------------------------- | | Missing domain permissions | Add "Get" permission for Worker Data domain | | Security policy not activated | Run "Activate Pending Security Policy Changes" | | ISU not in correct security group | Verify ISSG membership | **Report Not Found (404)** | Cause | Solution | | --------------------------------- | ----------------------------------------- | | Incorrect endpoint URL | Verify the RaaS URL path | | Report not enabled as web service | Enable "Web Service" on the custom report | | Report deleted or renamed | Recreate or update the endpoint path | **No Workers Returned** | Cause | Solution | | ------------------------------ | -------------------------------------------------- | | Report filters too restrictive | Adjust report filter criteria | | Wrong data source selected | Use "All Active and Terminated Workers" | | Column names mismatch | Ensure column names match exactly (case-sensitive) | **Manager Relationships Not Syncing** | Cause | Solution | | -------------------------- | ------------------------------------------ | | Manager\_ID column missing | Add Manager → Employee ID to report | | Manager not yet synced | Run sync twice (managers must exist first) | | Circular reference | Check for manager loops in Workday | #### Viewing Sync Logs 1. Go to **Settings** → **Integrations** → **Workday** → **Sync Logs** 2. Review recent sync attempts, success/failure counts, and error details 3. Export logs for support tickets if needed *** ### Security Considerations #### Credential Security * ✅ ISU credentials are **encrypted at rest** using AES-256 * ✅ Credentials are **never logged** or exposed in error messages * ✅ All API calls use **HTTPS/TLS 1.2+** #### Least Privilege Principle The ISU should have **minimum required permissions**: | ✅ Required | ❌ Not Required | | --------------------------- | ----------------------------------- | | Worker Data: Workers (Get) | Worker Data: Workers (Put/Post) | | Public Worker Reports (Get) | Compensation Data | | | Payroll Data | | | Personally Identifiable Information | #### Network Security * Consider restricting the ISU to specific IP ranges if Workday supports it * Use Workday's audit logs to monitor ISU activity * Rotate ISU password periodically (update in EvalFlow after rotation) #### Data Privacy * Only sync data fields that EvalFlow needs * Exclude sensitive fields (SSN, bank info, etc.) from the RaaS report * Review data retention policies for both systems *** ### FAQ #### Q: Can I sync from multiple Workday tenants? **A:** Currently, EvalFlow supports one Workday tenant per company. Contact support for multi-tenant requirements. #### Q: What happens if the sync fails? **A:** EvalFlow retries failed syncs automatically. After 3 consecutive failures, sync is paused and an admin notification is sent. Data remains unchanged until sync succeeds. #### Q: Can I exclude certain employees from syncing? **A:** Yes. Add filters to your Workday RaaS report to exclude specific workers, locations, or worker types. #### Q: How do I sync contractors/contingent workers? **A:** Modify your RaaS report's data source to include contingent workers. Ensure the report includes the same required columns. #### Q: What if an employee's Workday ID changes? **A:** Employee\_ID is the unique identifier. If it changes, EvalFlow will create a new user. Contact support to merge records. #### Q: Can I manually override synced data? **A:** Yes, but manual changes may be overwritten on the next sync for fields controlled by Workday (name, position, department, manager). #### Q: How long does the initial sync take? **A:** Depends on employee count: * < 500 employees: \~1-2 minutes * 500-2,000 employees: \~5-10 minutes * 2,000+ employees: \~15-30 minutes #### Q: Is there a sandbox mode for testing? **A:** Yes. Use your Workday sandbox tenant URL during initial setup. Switch to production when ready. *** ### Support For integration support, contact: * **Email**: * **Documentation**: * **In-App Help**: Settings → Help → Contact Support *** *Last Updated: January 2026* *Version: 1.0* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.evalflow.com/getting-started/security-and-integrations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.