Configure permissions

Configure Workday permissions for Indeed integration.

 

Who: Workday administrator

Time: ~45 minutes (one-time setup)

Configure Workday permissions to allow Indeed to access your tenant. This process creates the necessary security infrastructure for the integration.

You can complete these steps in your test tenant, production tenant, or both. Consult your Workday administrator to decide your testing strategy.

---

Legacy x509 authentication

For instructions on configuring or refreshing the Indeed x509 public key (legacy installs), see Legacy x509 authentication in the Appendix.

---

Step 1: Create the Integration System User (ISU)

1. Log in to Workday as a user with permission to create integration system users (ISUs).

2. Search for Create Integration System User and select the Task.

Warning

When configuring the Integration System User:

Do not select:

• Generate Random Password - Breaks authentication
• Require New Password at Next Sign In - Causes timeout

Required setting:

• Set Session Timeout Minutes to 0 to prevent timeout

1. In the User Name field, enter ISU_Indeed.

2. Enter a password in the New Password and New Password Verify fields.

3. Select the Do not allow UI sessions checkbox.

   

   Create Integration System User task with step 5 labeled

4. Select OK to save.

---

Step 2: Create the Integration Security Group (ISSG)

1. Search for Create Security Group and select the Task.

2. In the Type of Tenanted Security Group dropdown, select Integration System Security Group (Unconstrained).

   

   Create Security Group task

3. In the Name field, enter ISSG_Indeed.

4. Select OK.

5. In the Edit Integration System Security Group (Unconstrained) screen that appears, enter ISSG_Indeed in the Name field.

   

   Edit Integration System Security Group (Unconstrained)

6. In the Integration System Users field, enter ISU_Indeed.

7. Select OK to save.

---

Step 3: Run the Maintain Password Rules task

Warning

ISU passwords expire after three months by default. After expiration, the integration stops working.

This task exempts ISU_Indeed from password expiration.

1. Search for Maintain Password Rules and select the Task.

2. In the System Users exempt from password expiration field, enter ISU_Indeed.

   

   Maintain Password Rules task

3. Leave all other settings unchanged.

4. Select OK to save.

---

Step 4: Enable OAuth 2.0 clients

1. Search for Edit Tenant Setup - Security and select the Task.

2. In the OAuth 2.0 Settings section, select the OAuth 2.0 Clients Enabled checkbox.

   

   Enable OAuth 2.0 clients task

3. Select OK to save.

---

Step 5: Register the API client for integrations

1. Search for Register API Client for Integrations and select the Task.

2. In the Client Name field, enter Indeed.

   

   Register the API client task

3. Select Non-Expiring Refresh Tokens.

4. In the Scope (Functional Areas) field, add these functional areas:

   • Organization and Roles
   • Pre-Hire Process
   • Public Data
   • Recruiting
   • System
   • Worker Profile and Skills
   • Integration
   • Tenant Non-Configurable
   Warning

   Copy and save the Client ID and Client Secret now. The Client Secret is not visible again after you leave this page.

5. Select OK to save.

   

   Register API Client for Integrations task showing Client ID and Client Secret

6. Share the Client ID and Client Secret with your Indeed administrator.

---

Step 6: Recover a lost Client Secret

If you lose the Client Secret, generate a new one:

1. Search for View API Clients and select the Report.

2. Select API Clients for Integrations tab.

   

   API Clients for Integrations tab in the View API Clients report

3. In the Indeed API Client tab, select Indeed to open the menu, then select API Client > Generate New Client Secret.

   

   API Client context menu with Generate New Client Secret

4. Select the Confirm checkbox.

   

   Generate New Client Secret Confirmation screen with Confirm checkbox

5. Select OK.

6. Copy the new Client Secret and share it with your Indeed administrator.

7. Select Done.

---

Step 7: Generate the refresh token

1. Search for View API Clients and select the Report.

2. Select API Clients for Integrations tab.

   

   API Clients for Integrations tab in the View API Clients report

3. In the Indeed API Client tab, select Indeed to open the menu, then select API Client > Manage Refresh Tokens for Integrations.

   

   API Client context menu with Manage Refresh Tokens for Integrations

4. In the Workday Account field, enter ISU_Indeed, then select OK.

   

   Manage Refresh Tokens for Integrations dialog with ISU_Indeed in Workday Account field

5. Select the Generate New Refresh Token checkbox, then select OK.

   

   Delete or Regenerate Refresh Token screen with Generate New Refresh Token checkbox selected

6. Copy and save the Refresh Token value.

   

   Successfully Regenerated Refresh Token screen showing the refresh token

   注記

   To view the existing refresh token later, return to View API Clients > API Clients for Integrations and use the Indeed button on the Indeed API Client row.

7. Select Done.

---

Step 8: Grant Domain Security Policy permissions to the ISSG

1. Search for View Security Group and select the Task.

2. In the task popup, enter ISSG_Indeed in the Security Group field and select OK.

3. Navigate to the domain permissions:

   1. Select the related action icon.
   2. Scroll down to Security Group.
   3. Select Maintain Domain Permissions for Security Group.

   

   Maintain Domain Permissions for Security Group selected in the Security Group task

4. Add policies to the Integration Permissions section and the Report/Task Permissions section:

   • In the Integration Permissions section, search and add all policies in the Domain Security Policies permitting Get and Put access field.
   • In the Report/Task Permissions section, search and add all policies that permit view and modify access.

   

   Domain Security Policies permitting Get access

5. Search for and add each policy listed in the table below:

   Required policies

   Operation	Domain Security Policy	Domain Security Policies inheriting permission	Purpose
   Get and Put	Candidate Data: Job Application	Candidate Data: Bundle Resumes Candidate Data: Eligibility Results Candidate Data: Quick Stats Candidate Data: Sharing Candidate Data: Language Skills	Get Candidate Get Job Application Additional Data Put Candidate Put Job Application Additional Data
   Get and Put	Candidate Pool: View and Modify Pool	—	Get Candidate Pools NOTE: Only required if using Indeed Smart Sourcing or other product delivering prospects
   Get Only	Integration Build	—	Get References
   Get Only	Job Requisition Data	—	Get Job Requisitions
   Get Only	Job Postings: External	—	—
   Get Only	Job Requisitions for Recruiting	—	Get recruiting-specific job requisition details
   Get Only	Manage: Evergreen Requisitions	Consolidated Candidate Pool, Link Evergreen and Job Requisitions	—
   Get Only	Manage: Location	Location: View	Get Locations
   Get Only	Manage: Organization Integration	—	Get and find organizations
   Get Only	Question Library	—	Access questionnaire data
   Get Only	Questionnaire Creation and Distribution	—	Access questionnaire data
   Get Only	Set Up: Skills and Experience	—	Get Job Requisition education and experience requirements
   View	Workday Query Language	—	Fetch questionnaire data
   Get and Put	Prospects	—	Deliver prospect data to candidate pools NOTE: Only required if using Indeed Smart Sourcing or other product delivering prospects

6. Select OK to save.

---

Step 9: Activate pending security policy changes

1. Search for Activate Pending Security Policy Changes and select the Task.

2. Describe your changes in the Comment field.

3. Select OK to save.

4. Select the Confirm checkbox to activate your changes.

   

   Confirm checkbox in the Activate Pending Security Policy Changes task

5. Select OK to submit.

---

Step 10: Configure resume file types

Warning

Candidate applications fail to deliver to your Workday tenant if resume file types are not enabled.

Configure file types before completing the integration.

1. Search for Edit Tenant Setup - System and select the Task.

2. On the Edit Tenant Setup - System screen, scroll down to the System Setup section.

3. For File Type Setup Instructions, select Allow ONLY Specific File Types.

   

   File Type Setup Instructions section with Allow ONLY Specific File Types selected

4. Verify the Allow ONLY Specific File Types list includes these file extensions:

   • doc
   • docx
   • odt
   • pdf
   • rtf
   • txt

5. If any required file types are missing, add them to the list.

6. Select OK to save.

---

Next steps

You have configured Workday permissions for the Indeed integration.

You completed:

• Created the Integration System User (ISU)
• Created the Integration Security Group (ISSG)
• Configured password rules
• Enabled OAuth 2.0 clients
• Registered the API client for integrations
• Generated a Refresh Token for the ISU
• Granted domain security policy permissions
• Activated pending security policy changes
• Configured resume file types

What's next:

You can optionally configure:

• Configure EEO questionnaire: configure this if your company collects EEO data from applicants
• Configure custom organization: configure this if you need a custom company name for Indeed job postings

Or continue to the next required step:

• Provide API information to your Indeed administrator →

 

このページは役に立ちましたか？