Skip to main content
Workday <> Tesorio Integration Guide
Updated over a month ago

Tesorio requires you to create a Workday Integration User and Grant Permissions and to Register an API Client for Integrations.

The Tesorio onboarding sync will be triggered after the customer configures their Workday connection after the welcome email. The onboarding sync will pull company information (Tesorio subsidiaries), all open invoices and customers with open balances and their contacts. After the completion of the onboarding sync, a historical sync is triggered automatically. The historical sync pulls all customers and payments (applied and unapplied) and invoices, looking back 24 months using the created date time stamp on the payment and invoice records.

Incremental syncs are run via an automated, scheduled process or initiated manually by the customer. Customers can schedule up to 3 automated daily syncs by default. If you require more frequent syncs, please contact your CSM to be enabled.

In order for Tesorio to pull your invoice pdfs, you need to set-up invoice prints in your Workday tenant.

Step 1: Create a Workday Integration User and Grant Permissions

A Workday user with access to "Integration security" is required in order to complete the following:

1.1 Access the "Create Integration System User" task.

Please note all tasks on this guide are accessible through the search.

  • Setup a user with the following values and click "OK", then "Done":

Account Information

User Name

tesorio-integration

Generate Random Password

No

New Password

<set a password>

New Password Verify

<copy password>

Require New Password at Next Sign In

No

Session Timeout Minutes

0

Do not allow UI Sessions

No

1.2 Next - access the "Create Security Group" task

  • Setup a security group with the following values and click "OK":

Type of Tenanted Security Group

Integration System Security Group (Unconstrained)

Name

Tesorio Integration Security Group

Please note that "unconstrained" is the advised type according to the documentation:

"An integration system security group (unconstrained) includes one or more integration system user accounts, and provides Get and Put access to web service tasks. Access is based on the domain permissions of the group, and isn't contextual based on organization"

  • Add the Integration System User (ISU) to the security group created, click "OK":

Name

Tesorio Integration Security Group

Comment

<optional comment>

Context Type

Unconstrained

Inactive

No

Integration System Users

tesorio-integration

  • Do not click "Done", instead, select "Maintain Security Permissions" from ActionsSecurity Group.

  • Add the following domains. Click "OK", then "Done" when you finish:

Domain Security Policy

Functional Areas

View and Modify

Workday Query Language ¹


Reports: Customer Documents ²


Private Calculated Field Management ³

1 - required for WQL

2 - Required to schedule prints

3- Required to create calculated fields

View Only

Custom Object Management


Process: Project Billing ¹


Process: Banking²


Process: Customer Invoice Payment²


Reports: Customer Accounts²


Process: Customer Invoice (NEW)¹

1 - Required to view invoice PDFs

2 - required for WQL

Get and Put

Manage: Customer Invoice ¹


Set Up: Bank Entity ²


Process: Customer Payment³


Process: Customer Invoice Payment³


Process: Customer Invoice Payment/Settlement³

1- Required to sync customer invoice notes into Workday

2 - Required to sync contacts into Workday

3- Required for Tesorio Customer Payment Portal

Get Only

Person Data: Name


Process: Bank Statement


Process: Customer Invoice Payment


Process: Purchase Order - Reporting


Process: Project Billing


Reports: Currency Rates


Reports: Customer


Reports: Customer Accounts


Reports: Financial Accounting


Set Up: Company General


Set Up: Customer Accounts


Set Up: Fiscal Schedule


Integration Build

Please note, you can check the security of other items through the "View Security for Securable Item" task.

1.3 These additional steps are required to sync notes and contacts back to Workday:

  • Access the "Edit Business Process Security Policy" task.

  • Select "Customer Event" as the Business Process Type:

  • Add Tesorio's security group to the business process:

Initiating Action

Submit Customer (Web Service)

Security Groups

...

Tesorio Integration Security Group

1.4 Now you have to activate the security changes. Access the "Activate Pending Security Policy Changes" task.

  • Comment changes, and click "OK". Then on the following screen select the "Confirm" checkbox, and click "OK", then "Done".

1.5 Access the "Maintain Password Rules" task, add “tesorio-integration” to the list of System Users exempt from password expiration, and click "OK", then "Done"

  • This step is required to assert that the integration system user's password won't expire according to the tenant expiration rules. This way, there's no risk of the integration stopping due to password expiration issues.

References:

Step 2: Register an API Client for Integrations

This is a step required to use the REST API, which is needed to sync your Workday data into Tesorio using WQL and to fetch invoice PDFs. Due to security restrictions, it must be performed by a user with "Security Administration" domains.

  • Access the “Register API Client for Integrations” task.

  • Create a client with the following values and then click "OK".

Client Name

Tesorio API Client

Refresh Token Timeout (in days)

0

Non-Expiring Refresh Tokens

Yes

Disabled

No

Scope (Functional Areas)

Customer Accounts, System

Include Workday Owned Scope

No

  • After this step, you will be able to see a summary of the API Client. Please, verify that it has the correct settings, as shown on the image below. You will also be able to see a Client ID and Client Secret, make sure to save these codes as they will be requested upon connecting your Workday instance during Tesorio setup.

  • Do not click "Done", instead, select ActionsManage Refresh Tokens for Integrations.

  • Under “Workday Account”, select “tesorio-integration” and click “OK”.

  • Make sure to check the option “Generate New Refresh Token” and click “OK”.

  • After this step, you will be able to see that a new refresh token was created, make sure to save this token as it will be requested later on Tesorio’s registration.

3. Invoice PDFs

Workday does not automatically generate PDF documents for customer invoices.

This video describes the steps your can follow to set-up scheduled prints. This needs to be followed for each subsidiary that exists in your Workday tenant.

If you are manually generating invoice pdfs, Tesorio will be picking up the most recent prints.

Required permissions in your Workday tenant to pull invoice PDFs in Tesorio:

If your Workday tenant is set-up to inherit parent permissions, no additional configuration is required. To check:

  • Search for Domain Security Policies for Functional Area

  • Select Customer Accounts functional area

  • From the list on the left, select Process: Customer Invoice (NEW) and select the child domain of Process: Customer Invoice - View

    • If it is set to inherit parent permissions, as per the screen shot below, no additional configuration is required. If not follow the steps below

  • Add the Tesorio security group to the child domain Process: Customer Invoice - View:

    • Click on Process: Customer Invoice - View, scroll to the bottom on the right panel, and then click on Edit Permissions

    • Add the Tesorio Integration Security Group to both Report/Task Permissions (as View) and Integration Permissions (as Get)

  • Click Done

  • Activate the changes on the activate pending security policy changes

  • In addition, you can check whether the Tesorio Integration Security Group is being used by the Integration System User tesorio-integration:

4. Create a Tesorio Account & Connect Workday to Tesorio

Once your account is created in Tesorio by your CSM, you will receive a welcome email with link to follow to create an account and begin the set-up process

Once the account is created, begin the process to link your Workday instance with Tesorio:

On the Workday Credentials screen in Tesorio, enter the following information:

  • Username

  • Password

  • Tenant

  • API Client ID

  • API Client Secret

  • API Refresh Token

  • Domain - The Workday REST API Endpoint domain. See details below

  • the default currency of your company

  • your time zone

Domain - Search View API Client and copy the domain only from Workday REST API Endpoint (not the whole URL - strip the path after the forward slash as shown below)

Click “Connect” to make the connection between your Workday account and Tesorio. Once connected, your data import will start.

Did this answer your question?