search

Security & Integrations

Congratulations on Taking the First Step Towards Effective Key Results with Evalflow! With Evalflow's intuitive platform, creating key results is straightforward and efficient. Follow these easy steps

hashtag
Authentication

  • 2FA via authenticator apps.

  • SSO Through WorkOS ( Future Feature )

hashtag
Integrations

  • Microsoft Teams & Slack: Get notifications, interact via bot. ( Future Feature )

hashtag
Workday Integrations

hashtag
Workday Integration Guide

hashtag
EvalFlow ↔ Workday HR Data Synchronization

hashtag
Table of Contents

  1. Introduction

  2. Prerequisites

  3. Workday Configuration

  4. EvalFlow Configuration

  5. Status Mapping

  6. Sync Behavior

  7. Sync Frequency Options

  8. Troubleshooting

  9. Security Considerations

  10. FAQ

hashtag
Introduction

hashtag
What This Integration Does

The EvalFlow-Workday integration enables automatic employee provisioning and synchronization from your Workday HCM system to EvalFlow. This eliminates manual data entry, ensures consistency, and keeps your performance management platform always up-to-date with your source of truth for employee data.

hashtag
Sync Direction

⚠️ One-Way Sync: Workday → EvalFlow

Data flows only from Workday to EvalFlow. Changes made in EvalFlow (such as custom fields or local edits) will not sync back to Workday.

hashtag
What Data is Synchronized

Data Type
Description

Employee Identity

First name, last name, email address

Position

Job title / business title

Department

Supervisory organization

Manager Relationship

Reporting hierarchy

Employment Status

Active, terminated, on leave, etc.

Hire Date

Original hire date

Termination Date

If applicable

hashtag
Prerequisites

Before configuring the integration, ensure the following:

hashtag
Workday Requirements

Requirement
Details

Workday Tenant

Active Workday HCM tenant (Production or Sandbox)

Admin Access

Security Administrator or Integration Administrator role

Report Designer Access

Ability to create Custom Reports (RaaS)

hashtag
EvalFlow Requirements

Requirement
Details

Admin Role

EvalFlow Admin or Super Admin access

Company Setup

Company already created in EvalFlow

hashtag
Network Considerations

  • EvalFlow servers must be able to reach your Workday tenant URL

  • If using Workday in a private cloud or behind a firewall, whitelist EvalFlow's IP ranges (contact support for current IPs)

  • HTTPS (TLS 1.2+) is required for all connections

hashtag
Workday Configuration

Complete these steps in your Workday tenant. This section is intended for Workday Administrators.

hashtag
Step 1: Create Integration System User (ISU)

The Integration System User is a dedicated service account for EvalFlow to authenticate with Workday.

  1. Navigate to: Search → "Create Integration System User"

  2. Enter User Details:

    • User Name: ISU_EvalFlow (or your naming convention)

    • New Password: Generate a strong password (save securely)

    • Require New Password at Next Sign In: ❌ Unchecked

    • Do Not Allow UI Sessions: ✅ Checked (recommended for security)

  3. Click OK to create the user

💡 Tip: Use a naming convention like ISU_ prefix so integration accounts are easily identifiable.

⚠️ Important: Store the password securely. You'll need it when configuring EvalFlow.

hashtag
Step 2: Create Integration System Security Group

Security groups control what data the ISU can access.

  1. Navigate to: Search → "Create Security Group"

  2. Select Type: Integration System Security Group (Unconstrained)

  3. Enter Details:

    • Name: ISSG_EvalFlow_Integration

    • Description: "Security group for EvalFlow HR sync integration"

  4. Click OK

  5. Add Member:

    • Search for and select ISU_EvalFlow (the user created in Step 1)

    • Click OK to save

hashtag
Step 3: Assign Domain Permissions

Grant the security group read access to worker data.

  1. Navigate to: Search → "Maintain Permissions for Security Group"

  2. Select: ISSG_EvalFlow_Integration

  3. Under Domain Security Policies, click Edit

  4. Add the following domain permissions:

Domain
Permission

Worker Data: Workers

Get (View)

Worker Data: Public Worker Reports

Get (View)

  1. Click OK to save changes

hashtag
Step 4: Activate Security Policy Changes

After modifying security policies, you must activate the changes.

  1. Navigate to: Search → "Activate Pending Security Policy Changes"

  2. Add a Comment: "Activated EvalFlow integration permissions"

  3. Click OK to activate

⚠️ Note: In production tenants, this may require approval based on your organization's security workflow.

hashtag
Step 5: Create Custom Report (RaaS)

Create a Report-as-a-Service (RaaS) report that EvalFlow will query.

  1. Navigate to: Search → "Create Custom Report"

  2. Report Details:

    • Report Name: EvalFlow_Employee_Sync

    • Report Type: Advanced

    • Data Source: All Active and Terminated Workers (or your preferred scope)

    • Enable As Web Service: ✅ Checked

  3. Add Report Columns (exact column names matter):

Report Column Name
Workday Field Path
Required

Employee_ID

Worker → Employee ID

✅ Yes

Email

Worker → Email - Work (Primary)

✅ Yes

First_Name

Worker → Legal Name → First Name

✅ Yes

Last_Name

Worker → Legal Name → Last Name

✅ Yes

Position

Worker → Business Title

❌ No

Department

Worker → Supervisory Organization → Name

❌ No

Manager_ID

Worker → Manager → Employee ID

❌ No

Worker_Status

Worker → Worker Status

✅ Yes

Hire_Date

Worker → Hire Date

❌ No

Termination_Date

Worker → Termination Date

❌ No

  1. Configure Filters (Optional but Recommended):

    • Exclude contingent workers if not needed

    • Filter by specific locations or organizations if applicable

  2. Click OK to save the report

hashtag
Step 6: Enable Web Service & Get Endpoint URL

  1. Open the report: Search → "View Custom Report" → Select EvalFlow_Employee_Sync

  2. Click: Actions → Web Service → View URLs

  3. Copy the JSON endpoint URL. It will look like:

  1. Save this URL - you'll enter it in EvalFlow

💡 Tip: Test the URL by pasting it in a browser while logged into Workday. You should see JSON data.

hashtag
EvalFlow Configuration

Complete these steps in EvalFlow. This section is for EvalFlow Administrators.

hashtag
Step 1: Navigate to Workday Integration Settings

  1. Log in to EvalFlow as an Admin

  2. Go to SettingsIntegrationsWorkday

  3. Click Configure Integration or Enable Workday Sync

hashtag
Step 2: Enter Connection Details

Field
Value
Example

Tenant URL

Your Workday tenant base URL

https://wd5.myworkday.com/acme

Workers Endpoint

The RaaS report endpoint path

/ccx/service/customreport2/acme/john.smith/EvalFlow_Employee_Sync?format=json

Username

ISU username created in Workday

ISU_EvalFlow

Password

ISU password

(stored encrypted)

hashtag
Step 3: Test Connection

  1. Click Test Connection

  2. EvalFlow will attempt to authenticate and fetch a sample of worker data

  3. Success: You'll see a confirmation with the number of workers found

  4. Failure: See Troubleshooting section

hashtag
Step 4: Configure Sync Settings

Setting
Description
Recommended

Sync Frequency

How often to sync

Every 6 hours

Deactivation Grace Period

Days before terminated employees are deactivated

7 days

Auto-create Departments

Create departments from Workday org structure

✅ Enabled

hashtag
Step 5: Review Status Mapping

Review and customize how Workday statuses map to EvalFlow statuses. See Status Mapping section.

hashtag
Step 6: Enable Integration

  1. Review all settings

  2. Click Enable Sync

  3. Optionally, click Run Initial Sync to immediately synchronize all employees

hashtag
Status Mapping

EvalFlow maps Workday worker statuses to internal user statuses. The default mappings are:

Workday Status
EvalFlow Status
Behavior

Active

Active

Full platform access

On Leave

Active

Maintains access during leave

Pre-Hire

Onboarding

Limited access for new hires

Terminated

Inactive

Access revoked (after grace period)

Inactive

Inactive

Access revoked

Retired

Inactive

Access revoked

hashtag
Customizing Status Mapping

You can customize these mappings in the Workday integration settings:

  1. Go to SettingsIntegrationsWorkdayStatus Mapping

  2. For each Workday status, select the corresponding EvalFlow status

  3. Click Save Mapping

💡 Tip: If your organization uses custom Workday statuses, add them to the mapping table before the first sync.

hashtag
Sync Behavior

hashtag
New Employee Creation

When a new employee appears in Workday:

  1. EvalFlow creates a new user account

  2. User is created in Onboarding or Active status (based on Worker_Status)

  3. User receives a welcome email with login instructions

  4. Manager relationship is established (if Manager_ID is provided)

hashtag
Employee Updates

When employee data changes in Workday:

Field
Update Behavior

First/Last Name

✅ Updated automatically

Position/Title

✅ Updated automatically

Department

✅ Updated (department created if new)

Manager

✅ Updated (manager linked by Employee_ID)

Email

⚠️ Conditional - see below

Email Update Safety

⚠️ Important: Email addresses are NOT automatically updated if:

  • The user has already logged in to EvalFlow, OR

  • The user has SSO (WorkOS) authentication enabled

This prevents authentication issues. Contact support to manually update emails for existing users.

hashtag
Employee Termination

When an employee is terminated in Workday:

  1. Grace Period: User remains active for the configured grace period (default: 7 days)

  2. Deactivation: After grace period, user status changes to Inactive

  3. Data Retention: All user data (feedback, reviews, goals) is preserved

  4. Access Revoked: User can no longer log in

hashtag
Sync Frequency Options

Frequency
Best For
API Calls/Day

Every 15 minutes

Rapid onboarding needs

~96

Every hour

Most organizations

~24

Every 6 hours

Stable workforce

~4

Every 12 hours

Minimal changes

~2

Daily

Small organizations

1

Manual only

Testing/controlled sync

0 (on-demand)

💡 Recommendation: Start with Every 6 hours and adjust based on your needs.

hashtag
Troubleshooting

hashtag
Common Errors and Solutions

Authentication Failed (401)

Cause
Solution

Incorrect username/password

Verify ISU credentials in Workday

ISU account locked

Unlock in Workday Security settings

Password expired

Update password and reconfigure in EvalFlow

Forbidden (403)

Cause
Solution

Missing domain permissions

Add "Get" permission for Worker Data domain

Security policy not activated

Run "Activate Pending Security Policy Changes"

ISU not in correct security group

Verify ISSG membership

Report Not Found (404)

Cause
Solution

Incorrect endpoint URL

Verify the RaaS URL path

Report not enabled as web service

Enable "Web Service" on the custom report

Report deleted or renamed

Recreate or update the endpoint path

No Workers Returned

Cause
Solution

Report filters too restrictive

Adjust report filter criteria

Wrong data source selected

Use "All Active and Terminated Workers"

Column names mismatch

Ensure column names match exactly (case-sensitive)

Manager Relationships Not Syncing

Cause
Solution

Manager_ID column missing

Add Manager → Employee ID to report

Manager not yet synced

Run sync twice (managers must exist first)

Circular reference

Check for manager loops in Workday

hashtag
Viewing Sync Logs

  1. Go to SettingsIntegrationsWorkdaySync Logs

  2. Review recent sync attempts, success/failure counts, and error details

  3. Export logs for support tickets if needed

hashtag
Security Considerations

hashtag
Credential Security

  • ✅ ISU credentials are encrypted at rest using AES-256

  • ✅ Credentials are never logged or exposed in error messages

  • ✅ All API calls use HTTPS/TLS 1.2+

hashtag
Least Privilege Principle

The ISU should have minimum required permissions:

✅ Required
❌ Not Required

Worker Data: Workers (Get)

Worker Data: Workers (Put/Post)

Public Worker Reports (Get)

Compensation Data

Payroll Data

Personally Identifiable Information

hashtag
Network Security

  • Consider restricting the ISU to specific IP ranges if Workday supports it

  • Use Workday's audit logs to monitor ISU activity

  • Rotate ISU password periodically (update in EvalFlow after rotation)

hashtag
Data Privacy

  • Only sync data fields that EvalFlow needs

  • Exclude sensitive fields (SSN, bank info, etc.) from the RaaS report

  • Review data retention policies for both systems

hashtag
FAQ

hashtag
Q: Can I sync from multiple Workday tenants?

A: Currently, EvalFlow supports one Workday tenant per company. Contact support for multi-tenant requirements.

hashtag
Q: What happens if the sync fails?

A: EvalFlow retries failed syncs automatically. After 3 consecutive failures, sync is paused and an admin notification is sent. Data remains unchanged until sync succeeds.

hashtag
Q: Can I exclude certain employees from syncing?

A: Yes. Add filters to your Workday RaaS report to exclude specific workers, locations, or worker types.

hashtag
Q: How do I sync contractors/contingent workers?

A: Modify your RaaS report's data source to include contingent workers. Ensure the report includes the same required columns.

hashtag
Q: What if an employee's Workday ID changes?

A: Employee_ID is the unique identifier. If it changes, EvalFlow will create a new user. Contact support to merge records.

hashtag
Q: Can I manually override synced data?

A: Yes, but manual changes may be overwritten on the next sync for fields controlled by Workday (name, position, department, manager).

hashtag
Q: How long does the initial sync take?

A: Depends on employee count:

  • < 500 employees: ~1-2 minutes

  • 500-2,000 employees: ~5-10 minutes

  • 2,000+ employees: ~15-30 minutes

hashtag
Q: Is there a sandbox mode for testing?

A: Yes. Use your Workday sandbox tenant URL during initial setup. Switch to production when ready.

hashtag
Support

For integration support, contact:

  • Email: [email protected]

  • Documentation: https://docs.evalflow.com

  • In-App Help: Settings → Help → Contact Support

Last Updated: January 2026 Version: 1.0

PreviousAdmin ToolsNextMicrosoft Teams Integration Guide

Last updated