Tesorio requires you to create a Workday Integration User and Grant Permissions and to Register an API Client for Integrations.
The Tesorio onboarding sync is triggered once the customer configures their Workday connection by following the welcome email. The onboarding sync pulls company information (Tesorio subsidiaries), all open invoices, and customers with open balances along with their contacts. After the onboarding sync completes, a historical sync is triggered automatically. The historical sync pulls all customers, payments (applied and unapplied) and invoices, looking back 24 months using the created date time stamp on the payment and invoice records.
Incremental syncs are run via an automated, scheduled process or initiated manually by the customer. Customers can schedule up to 3 automated daily syncs by default. If you require more frequent syncs, please contact your CSM to have this enabled.
In order for Tesorio to pull your invoice PDFs, you need to set up invoice prints in your Workday tenant.
Step 1: Create a Workday Integration User and Grant Permissions
A Workday user with access to "Integration security" is required in order to complete the following:
1.1 Access the "Create Integration System User" task.
Please note that all tasks in this guide are accessible through the search.
Set up a user with the following values and click "OK", then "Done":
Account Information
User Name | tesorio-integration |
Generate Random Password | No |
New Password | <set a password> |
New Password Verify | <copy password> |
Require New Password at Next Sign In | No |
Session Timeout Minutes | 0 |
Do not allow UI Sessions | No |
1.2 Next, access the "Create Security Group" task.
Set up a security group with the following values and click "OK":
Type of Tenanted Security Group | Integration System Security Group (Unconstrained) |
Name | Tesorio Integration Security Group |
Please note that "unconstrained" is the advised type according to the documentation:
"An integration system security group (unconstrained) includes one or more integration system user accounts, and provides Get and Put access to web service tasks. Access is based on the domain permissions of the group, and isn't contextual based on organization"
Add the Integration System User (ISU) to the security group created, click "OK":
Name | Tesorio Integration Security Group |
Comment | <optional comment> |
Context Type | Unconstrained |
Inactive | No |
Integration System Users | tesorio-integration |
Do not click "Done", instead, select "Maintain Security Permissions" from Actions → Security Group.
Add the following domains. Click "OK", then "Done" when you finish:
| Domain Security Policy | Functional Areas |
View and Modify | Workday Query Language ¹; Reports: Customer Documents ²; Private Calculated Field Management ³ | 1 - Required for WQL; 2 - Required to schedule prints; 3 - Required to create calculated fields |
View Only | Custom Object Management; Process: Project Billing ¹; Process: Banking ²; Process: Customer Invoice Payment ²; Reports: Customer Accounts ²; Process: Customer Invoice (NEW) ¹ | 1 - Required to view invoice PDFs; 2 - Required for WQL |
Get and Put | Manage: Customer Invoice ¹; Set Up: Bank Entity ²; Process: Customer Payment ³; Process: Customer Invoice Payment ³; Process: Customer Invoice Payment/Settlement ³ | 1 - Required to sync customer invoice notes into Workday; 2 - Required to sync contacts into Workday; 3 - Required for Tesorio Customer Payment Portal |
Get Only | Person Data: Name; Process: Bank Statement; Process: Customer Invoice Payment; Process: Purchase Order - Reporting; Process: Project Billing; Reports: Currency Rates; Reports: Customer; Reports: Customer Accounts; Reports: Financial Accounting; Set Up: Company General; Set Up: Customer Accounts; Set Up: Fiscal Schedule; Integration Build | |
Please note, you can check the security of other items through the "View Security for Securable Item" task.
1.3 These additional steps are required to sync notes and contacts back to Workday:
Access the "Edit Business Process Security Policy" task.
Select "Customer Event" as the Business Process Type:
Add Tesorio's security group to the business process:
Initiating Action | Submit Customer (Web Service) |
Security Groups | ... Tesorio Integration Security Group |
1.4 Now you have to activate the security changes. Access the "Activate Pending Security Policy Changes" task.
Enter a comment describing the changes and click "OK". Then on the following screen select the "Confirm" checkbox, and click "OK", then "Done".
1.5 Access the "Maintain Password Rules" task, add “tesorio-integration” to the list of System Users exempt from password expiration, and click "OK", then "Done".
This step ensures that the integration system user's password won't expire under the tenant's expiration rules, so there is no risk of the integration stopping because of an expired password.
Step 2: Register an API Client for Integrations
This step is required to use the REST API, which is needed to sync your Workday data into Tesorio using WQL and to fetch invoice PDFs. Due to security restrictions, it must be performed by a user with access to the "Security Administration" domains.
Access the “Register API Client for Integrations” task.
Create a client with the following values and then click "OK".
Client Name | Tesorio API Client |
Refresh Token Timeout (in days) | 0 |
Non-Expiring Refresh Tokens | Yes |
Disabled | No |
Scope (Functional Areas) | Customer Accounts, System |
Include Workday Owned Scope | No |
After this step, you will be able to see a summary of the API Client. Please verify that it has the correct settings, as shown in the image below. You will also be able to see a Client ID and Client Secret. Make sure to save both values, as they will be requested when you connect your Workday instance during Tesorio setup.
Do not click "Done", instead, select Actions → Manage Refresh Tokens for Integrations.
Under “Workday Account”, select “tesorio-integration” and click “OK”.
Make sure to check the option “Generate New Refresh Token” and click “OK”.
After this step, you will be able to see that a new refresh token was created. Make sure to save this token, as it will be requested later during Tesorio’s registration.
Step 3: Invoice PDFs
Workday does not automatically generate PDF documents for customer invoices.
This video describes the steps you can follow to set up scheduled prints. These steps need to be followed for each subsidiary that exists in your Workday tenant.
If you are manually generating invoice PDFs, Tesorio will pick up the most recent prints.
Required permissions in your Workday tenant to pull invoice PDFs in Tesorio:
If your Workday tenant is set up to inherit parent permissions, no additional configuration is required. To check:
Search for Domain Security Policies for Functional Area
Select Customer Accounts functional area
From the list on the left, select Process: Customer Invoice (NEW) and select the child domain of Process: Customer Invoice - View
If it is set to inherit parent permissions, as per the screenshot below, no additional configuration is required. If not, follow the steps below.
Add the Tesorio security group to the child domain Process: Customer Invoice - View:
Click on Process: Customer Invoice - View, scroll to the bottom on the right panel, and then click on Edit Permissions
Add the Tesorio Integration Security Group to both Report/Task Permissions (as View) and Integration Permissions (as Get)
Click Done
Activate the changes using the "Activate Pending Security Policy Changes" task
In addition, you can check whether the Tesorio Integration Security Group is being used by the Integration System User tesorio-integration:
Step 4: Create a Tesorio Account & Connect Workday to Tesorio
Once your account is created in Tesorio by your CSM, you will receive a welcome email with a link to follow to create an account and begin the set-up process.
Once the account is created, begin the process to link your Workday instance with Tesorio:
On the Workday Credentials screen in Tesorio, enter the following information:
Username
Password
Tenant
API Client ID
API Client Secret
API Refresh Token
Domain - The Workday REST API Endpoint domain (see details below)
The default currency of your company
Your time zone
Domain - Search for "View API Client" and copy only the domain from the Workday REST API Endpoint (not the whole URL - strip the path after the forward slash as shown below).
Click “Connect” to make the connection between your Workday account and Tesorio. Once connected, your data import will start.
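The Domain field above and the Client ID, Client Secret and refresh token saved in Step 2 can be sanity-checked before they are entered. The following is an added example, not Tesorio or Workday code: it reduces a pasted REST API Endpoint to its domain and builds (without sending) a standard OAuth 2.0 refresh-token request. The host, tenant and credential values are constructed, and the `/ccx/oauth2/<tenant>/token` path and Basic client authentication are assumptions to confirm against your tenant's API client details.

```python
import base64
from urllib.parse import urlsplit, urlencode

# Constructed sample value; not a real tenant.
SAMPLE_ENDPOINT = "https://tenant-host.example.com/ccx/api/v1/acme_tenant"


def endpoint_domain(rest_endpoint: str) -> str:
    """Return only the host of a Workday REST API Endpoint value."""
    value = rest_endpoint.strip()
    if "://" not in value:  # urlsplit only finds the host when a scheme is present
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https endpoint with a host name")
    if parts.username or parts.password:
        raise ValueError("endpoint must not embed credentials")
    return parts.hostname  # drops path, query and any port


def refresh_token_request(domain, tenant, client_id, client_secret, refresh_token):
    """Build (url, headers, body) for a refresh-token grant. Nothing is sent."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # Assumed token endpoint path; verify it in your tenant before use.
    url = f"https://{domain}/ccx/oauth2/{tenant}/token"
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token})
    return url, headers, body


def redact(headers: dict) -> dict:
    """Copy of headers that is safe to log: the Authorization value is masked."""
    return {k: ("<redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    domain = endpoint_domain(SAMPLE_ENDPOINT)
    url, headers, _ = refresh_token_request(
        domain, "acme_tenant", "example-client-id",
        "example-client-secret", "example-refresh-token")
    print(domain, url, redact(headers))
```
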