Workday | Provisioning a Hyper Admin User for Integration Setup
This article explains how a Workday Administrator can provision a temporary, login-capable admin user for Hyper. This user allows Hyper to log into the Workday UI and complete initial integration setup tasks, including:
- Creating an Integration System User (ISU)
- Creating and configuring Integration Security Groups
- Registering an API Client for Integrations (OAuth)
- Generating OAuth refresh tokens
Important: This user is intended for initial integration setup only and can be disabled or deactivated after credentials are created.
When This Is Needed
This approach is recommended when:
- The customer wants Hyper to self-manage Workday integration setup
- The customer prefers to avoid back-and-forth during OAuth and ISU provisioning
- The integration timeline is tight and requires hands-on configuration by Hyper
If the customer prefers to provision all credentials themselves, this step can be skipped.
Overview of the User Being Created
This is a human Workday user, not an Integration System User.
Capabilities of this user:
- Can log into the Workday UI
- Can run Workday admin tasks
- Can create ISUs and API clients
Limitations:
- Should not be used for day-to-day operations
- Should not be granted payroll or compensation access unless explicitly required
Step 1: Create a Workday User for Hyper
- Log into Workday as a Workday Administrator
- In the search bar, type Create Worker or Create User (tenant-dependent)
Create a user with the following details:
- Name: Hyper Integration Admin
- Email: (provided by Hyper)
- User Name: Hyper.admin (or customer naming standard)
- Complete the task and ensure the user is able to log in
Step 2: Assign Required Administrative Roles
Assign the following roles to the Hyper admin user.
Exact role names may vary slightly by tenant.
Required Roles (Minimum)
| Role | Purpose |
|---|
| Integration Administrator | Create ISUs, security groups, API clients |
| Security Administrator | Assign domain permissions |
Optional (If Required by Tenant)
| Role | Purpose |
|---|
| Workday Administrator | Full access if roles above are insufficient |
Best practice: Start with Integration + Security Administrator and only expand if Workday blocks a required task.
Step 3: Enable UI Authentication
- Search for Manage Authentication Policies
Ensure the Hyper admin user is included in a policy that allows:
- User Name / Password authentication
- Confirm the user is not restricted to SAML-only authentication
- Activate any pending authentication policy changes
Once the user is provisioned, Hyper will log in and perform the following:
- Create an Integration System User (ISU)
- Create an Integration Security Group
- Assign required Domain Security Policy Permissions
- Register an API Client for Integrations
- Generate a non-expiring OAuth refresh token
No additional customer action is required during this phase.
Step 5: Deactivate or Restrict the Admin User (Recommended)
After setup is complete, the customer may:
- Disable the Hyper admin user
- Remove elevated roles
- Restrict authentication policies
The integration will continue to function using the ISU and OAuth credentials.
Security & Audit Notes
- Hyper does not access employee payroll, compensation, or time-off data
- All API access occurs through the ISU after setup
- Admin access is used only for provisioning and can be revoked
Summary
By creating a temporary Hyper admin user, customers can:
- Accelerate Workday integration setup
- Reduce configuration errors
- Maintain control over long-term access
For questions or role validation, Hyper can provide a tenant-specific checklist on request.