Configure permissions

Configure Workday permissions for Indeed integration.

 

Who: Workday administrator

Time: ~45 minutes (one-time setup)

Configure Workday permissions to allow Indeed to access your tenant. This process creates the necessary security infrastructure for the integration.

You can complete these steps in your test tenant, production tenant, or both. Consult your Workday administrator to decide your testing strategy.

---

Step 1: Create the Integration System User (ISU)

1. Sign in to Workday as a user with permission to create integration system users (ISUs).

2. Search for Create Integration System User and select the Task.

   When configuring the Integration System User:

   Do not select:

   • Generate Random Password - Breaks authentication.
   • Require New Password at Next Sign In - Causes timeout.

   Required setting:

   • Set Session Timeout Minutes to 0 to prevent timeout.

3. Enter ISU_Indeed in the User Name field.

4. Enter a password in the New Password and New Password Verify fields.

5. Select the Do not allow UI sessions checkbox.

   

   Create Integration System User task with step 5 labeled

6. Select OK to save.

---

Step 2: Create the Integration Security Group (ISSG)

1. Search for Create Security Group and select the Task.

2. Select Integration System Security Group (Unconstrained) in the Type of Tenanted Security Group dropdown.

   

   Create Security Group task

3. In the Name field, enter ISSG_Indeed.

4. Select OK.

5. Enter ISSG_Indeed in the Name field on the Edit Integration System Security Group (Unconstrained) screen that appears.

   

   Edit Integration System Security Group (Unconstrained)

6. In the Integration System Users field, enter ISU_Indeed.

7. Select OK to save.

---

Step 3: Run the Maintain Password Rules task

ISU passwords expire after three months by default. After expiration, the integration stops working.

This task exempts ISU_Indeed from password expiration.

1. Search for Maintain Password Rules and select the Task.

2. Enter ISU_Indeed in the System Users exempt from password expiration field.

   

   Maintain Password Rules task

3. Leave all other settings unchanged.

4. Select OK to save.

---

Step 4: Enable OAuth 2.0 clients

1. Search for Edit Tenant Setup - Security and select the Task.

2. Select the OAuth 2.0 Clients Enabled checkbox in the OAuth 2.0 Settings section.

   

   Enable OAuth 2.0 clients task

3. Select OK to save.

---

Step 5: Register the API client for integrations

1. Search for Register API Client for Integrations and select the Task.

2. Enter Indeed in the Client Name field.

   

   Register the API client task

3. Select Non-Expiring Refresh Tokens.

4. Add these functional areas in the Scope (Functional Areas) field:

   • Organization and Roles
   • Pre-Hire Process
   • Public Data
   • Recruiting
   • System
   • Worker Profile and Skills
   • Integration
   • Tenant Non-Configurable

   Copy and save the Client ID and Client Secret now. Workday does not show the Client Secret again after you leave this page.

5. Select OK to save.

   

   Register API Client for Integrations task showing Client ID and Client Secret

6. Share the Client ID and Client Secret with your Indeed administrator.

---

Step 6: Recover a lost Client Secret

If you lose the Client Secret, generate a new one:

1. Search for View API Clients and select the Report.

2. Select API Clients for Integrations tab.

   

   API Clients for Integrations tab in the View API Clients report

3. Select Indeed in the Indeed API Client tab to open the menu, then select API Client > Generate New Client Secret.

   

   API Client context menu with Generate New Client Secret

4. Select the Confirm checkbox.

   

   Generate New Client Secret Confirmation screen with Confirm checkbox

5. Select OK.

6. Copy the new Client Secret and share it with your Indeed administrator.

7. Select Done.

---

Step 7: Generate the refresh token

1. Search for View API Clients and select the Report.

2. Select API Clients for Integrations tab.

   

   API Clients for Integrations tab in the View API Clients report

3. Select Indeed in the Indeed API Client tab to open the menu, then select API Client > Manage Refresh Tokens for Integrations.

   

   API Client context menu with Manage Refresh Tokens for Integrations

4. Enter ISU_Indeed in the Workday Account field, then select OK.

   

   Manage Refresh Tokens for Integrations dialog with ISU_Indeed in Workday Account field

5. Select the Generate New Refresh Token checkbox, then select OK.

   

   Delete or Regenerate Refresh Token screen with Generate New Refresh Token checkbox selected

6. Copy and save the Refresh Token value.

   

   Successfully Regenerated Refresh Token screen showing the refresh token

   To view the refresh token later, return to View API Clients > API Clients for Integrations and use the Indeed button on the Indeed API Client row.

7. Select Done.

---

Step 8: Grant Domain Security Policy permissions to the ISSG

1. Search for View Security Group and select the Task.

2. Enter ISSG_Indeed in the Security Group field in the task popup, then select OK.

3. Navigate to the domain permissions:

   1. Select the related action icon.
   2. Scroll down to Security Group.
   3. Select Maintain Domain Permissions for Security Group.

   

   Maintain Domain Permissions for Security Group selected in the Security Group task

4. Add policies to the Integration Permissions section and the Report/Task Permissions section from the table in step 5:

   • In the Integration Permissions section, search and add all policies in the Domain Security Policies permitting Get and Put access field.
   • In the Report/Task Permissions section, search and add all policies that permit view and modify access.

   

   Domain Security Policies permitting Get access

5. Search for and add each policy in the table:

   Required policies

   Operation	Domain Security Policy	Domain Security Policies inheriting permission	Purpose
   Get and Put	Candidate Data: Job Application	Candidate Data: Bundle Resumes Candidate Data: Eligibility Results Candidate Data: Quick Stats Candidate Data: Sharing Candidate Data: Language Skills	Get Candidate Get Job Application Additional Data Put Candidate Put Job Application Additional Data
   Get and Put	Candidate Pool: View and Modify Pool	—	Get Candidate Pools NOTE: Required only if you use Indeed Smart Sourcing or another product that delivers prospects.
   Get Only	Integration Build	—	Get References
   Get Only	Job Requisition Data	—	Get Job Requisitions
   Get Only	Job Postings: External	—	—
   Get Only	Job Requisitions for Recruiting	—	Get recruiting-specific job requisition details
   Get Only	Manage: Evergreen Requisitions	Consolidated Candidate Pool, Link Evergreen and Job Requisitions	—
   Get Only	Manage: Location	Location: View	Get Locations
   Get Only	Manage: Organization Integration	—	Get and find organizations
   Get Only	Question Library	—	Access questionnaire data
   Get Only	Questionnaire Creation and Distribution	—	Access questionnaire data
   Get Only	Set Up: Skills and Experience	—	Get Job Requisition education and experience requirements
   View	Workday Query Language	—	Fetch questionnaire data
   Get and Put	Prospects	—	Deliver prospect data to candidate pools. NOTE: Required only if you use Indeed Smart Sourcing or another product that delivers prospects.

6. Select OK to save.

---

Step 9: Activate pending security policy changes

1. Search for Activate Pending Security Policy Changes and select the Task.

2. Describe your changes in the Comment field.

3. Select OK to save.

4. Select the Confirm checkbox to activate your changes.

   

   Confirm checkbox in the Activate Pending Security Policy Changes task

5. Select OK to submit.

---

Step 10: Configure resume file types

If resume file types are not enabled, candidate applications do not reach your Workday tenant. Configure file types before you complete the integration.

1. Search for Edit Tenant Setup - System and select the Task.

2. Scroll down to the System Setup section on the Edit Tenant Setup - System screen.

3. Select Allow ONLY Specific File Types for File Type Setup Instructions.

   

   File Type Setup Instructions section with Allow ONLY Specific File Types selected

4. Verify the Allow ONLY Specific File Types list includes these file extensions:

   • doc
   • docx
   • odt
   • pdf
   • rtf
   • txt

5. Add any missing required file types to the list.

6. Select OK to save.

---

Next steps

You have configured Workday permissions for the Indeed integration.

You completed:

• Created the Integration System User (ISU).
• Created the Integration Security Group (ISSG).
• Configured password rules.
• Enabled OAuth 2.0 clients.
• Registered the API client for integrations.
• Generated a Refresh Token for the ISU.
• Granted domain security policy permissions.
• Activated pending security policy changes.
• Configured resume file types.

What's next:

You can optionally configure:

• Configure EEO questionnaire: configure this if your company collects EEO data from applicants.
• Configure custom organization: configure this if you need a custom company name for Indeed job postings.

Or continue to the next required step:

• Provide API information to your Indeed administrator →

---

Legacy x509 authentication

For existing x509 installations, new integrations use refresh-token authentication. Follow the standard steps.

If you received a certificate update notice, use this procedure to replace your current Indeed x509 certificate before it expires. Replacing the certificate keeps job ingestion and application delivery running.

1. Search for Edit X.509 Public Key and select the Task.

2. Select the existing Indeed certificate.

3. Replace the certificate with the following:

   -----BEGIN CERTIFICATE-----
   MIIDCzCCAfOgAwIBAgIURuJaukD4Ow7/z+gr/CkuJ8ogypwwDQYJKoZIhvcNAQEL
   BQAwLjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQKDAZJbmRl
   ZWQwHhcNMjYwMTIyMjEwMTAxWhcNMjcwNjMwMjEwMTAxWjAuMQswCQYDVQQGEwJV
   UzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAoMBkluZGVlZDCCASIwDQYJKoZIhvcN
   AQEBBQADggEPADCCAQoCggEBAMDGqa5zY5O/jcrvdzAiheNVIT2hGgLJUHs9CMmM
   HJGza2tu4yQfIucn3n/hdOOs4qJLCUgsfRdTrc7U9UUxpuvSwZ4S+PPkVrPhQB2j
   u9DmocAMisb41gsLdofDo8YGO1+dq7d7NmA+Ke7fTWjetZn4Lt3QPTHyJsnS6UaN
   E8owvKRojT8FRFcsjLWMpGDIAShFomPjv1o5yhPiWoGsKoQYSMp2lu2int10R+91
   a2KAyxonqH8AXG773lhFhzM3dj3C8rtmldk7c5umyw5fnprvcP4Jcqv66ffMTcWX
   xdOr2+3R1D+cAPln+UpLLVk6M7vjSlU7rwY325N/IDZdHPUCAwEAAaMhMB8wHQYD
   VR0OBBYEFHj5SqGn/RPWlavV9ILBCUNh4ebeMA0GCSqGSIb3DQEBCwUAA4IBAQBs
   tBu82blcL2SuIXSuJaGS6urjN5ppsWvRjeLa1smsxOyX6w4fPxEe5i6/aaLrqr8x
   hV9xHIAoN6ZnMfkexAooEeKqmRiEgJFnQdKt0RK0Lk3ykTajfLMiuDeNH3JYYUFr
   kpKskbYbw4a2gzRF2fKRLFYrE/TMKZbOcE3ovMo7+MSCOmNC1Ec8Vs2UvYHGzgEW
   2LU5RFUKox41c5USL8M9hX/MJbsRVBvkhHj6Dp7KFTZr3Ve80uhmixMgax4SHbXi
   +p/WXVUNWwwUmFi6N8Xqh4bR7qeySyNHCYvKfK8JeSdkEQ/cFF/ndnHxt8qWdroF
   /sRsUQ+7k2AD58D+DmVU
   -----END CERTIFICATE-----

   Copy all text in the code block, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

4. Select OK to save.

A certificate update notice might mention "step 4." That refers to the original x509 installation steps, now in Legacy x509 installation. To update your certificate, use the previous procedure.

 

このページは役に立ちましたか？