Workday | Integration System User (ISU) Authentication

This article explains how to authenticate an Integration System User (ISU) for a direct Hyper ↔ Workday integration, scoped specifically for expense creation, accounting, and ad-hoc employee reimbursements.

Scope of This Integration

Hyper integrates directly with Workday to:

• Create expenses (or one expense report per expense if required by tenant configuration)
• Allow Workday to automatically generate accounting (journal entries)
• Initiate employee reimbursement payments using Workday’s Ad Hoc Payments
• Sync reference data (expense items, projects, workers) from Workday into Hyper

Explicitly Out of Scope

• Payroll processing
• Supplier / vendor payments
• ATS or recruiting data
• Performance, compensation, or benefits data
• Time tracking or time off

Prerequisites

Before starting, ensure:

• You have Workday Administrator access
• You are logged in to the correct Workday tenant (sandbox preferred)
• You understand which company / ledger Hyper expenses should post against

Step 1: Create an Integration System User (ISU)

1. In the Workday search bar, type Create Integration System User
2. Select the task
3. In the dialog:
   • Enter a User Name (example: Hyper_integration)
   • Create and confirm a password
   • Do not check Require New Password at Next Sign In
   • Set Session Timeout Minutes = 0
4. Click OK

Note: Save the username and password. They are required for authentication.

Add this user to the list of System Users to prevent password expiration.

Step 2: Create and Assign a Security Group

1. Search for Create Security Group
2. Select Integration System Security Group (Unconstrained)
3. Name the group (example: Hyper_Expense_Integration)
4. Click OK
5. In the Edit Integration System Security Group screen:
   • Add the ISU to Integration System Users
6. Click OK
   

Step 3: Configure Domain Security Policy Permissions

Search for Maintain Permissions for Security Group and select the group you just created.

Required Domains (Expense, Accounting, Payments)

Required Domains (Payee Resolution)

Hyper issues payments only to employees (Workers).

Required Domains (Project Attribution, Optional)

If expenses are associated with projects:

Domains Explicitly Not Required

Do not grant access to the following unless required by a separate integration:

• Time Off
• Compensation
• Benefits
• Recruiting / ATS
• Payroll
• Supplier Accounts

Step 4: Activate Security Policy Changes

1. Search for Activate Pending Security Policy Changes
2. Review the summary
3. Add comments if required
4. Select Confirm to activate
   

  

Step 5: Validate Authentication Policies

1. Search for Manage Authentication Policies
2. Ensure the ISU is included in an authentication policy that allows:
   • User Name / Password authentication
   • Not restricted to SAML only

If needed:

• Create a new Authentication Policy
• Add the Integration Security Group
• Set Allowed Authentication Types to:
  • Specific → User Name Password or
  • Specific → Any

   

Step 6: Activate Authentication Policy Changes

1. Search for Activate All Pending Authentication Policy Changes
2. Review and Confirm
   

  

Step 7: Obtain the Workday Web Services Endpoint URL

Once authentication is active:

1. Search for Public Web Services
2. Locate the Expense Management and Cash Management services
3. Copy the WSDL / endpoint URL

This endpoint will be used by Hyper to:

• Submit expenses
• Initiate ad-hoc employee payments
• Poll for status updates

Summary

This ISU configuration enables Hyper to:

• Submit approved expenses into Workday
• Allow Workday to handle all accounting and journal creation
• Initiate employee reimbursements using existing payment rails
• Maintain a minimal, audit-friendly security footprint

If you have questions about any permission listed above, Hyper can provide a field-level or API-level mapping on request.