Set up the Openflow Connector for Workday¶

Note

The connector is subject to the Connector Terms.

This topic describes the steps to set up the Openflow Connector for Workday.

Prerequisites¶

Ensure that you have reviewed Openflow Connector for Workday.
Ensure that you have set up Openflow.

Get the credentials¶

As a Workday administrator, perform the following actions:

Create a user in Workday:
1. Go to Workday and log in as an administrator. In the Workday search bar, type Create user.
2. Click Create Integration System User: Task.
3. Enter a username and password.
Create a security group and add the user from step 1 to it:
1. In the Workday search bar, type Create Security Group.
2. Click Create Security Group: Task.
3. Set the type to Integration System Security Group (Unconstrained).
4. Enter a Security Group Name and click OK.
5. In the Edit Integration System Security Group (Unconstrained) window, add the integration system user created in Step 1 in the Integration System Users field.
Add domain security policies to the security group created on step 2:
1. In the Workday search bar, type View Security Group.
2. Go to Security Group Settings » Maintain Domain Permissions for Security Group.
3. In the Integration Permissions section, in the Domain Security Policies permitting Get access field, select the security domains associated with the reports you want to sync.
4. Go to the Activate Pending Security Policy Changes page and click OK.
Create an OAuth client app:
1. In the Workday search bar, type Register API Client, and click Register API Client for Integrations: Task.
2. Enter a Client Name.
3. Click Non-Expiring Refresh Token.
4. In the Scope search bar, type System and select it.
5. Click OK.
6. Copy the Client ID and Client Secret, then click Done.
In the View Integration System Security Group page, note the functional areas under Domain Security Policies. Then, add these as Scopes/Functional Areas in the API Client:
1. In the search bar, type View API Client.
2. Choose your API client from the list.
3. In the top blue bar, click the three dots, then select API Client » API Clients for Integrations.
4. In the Scope (Functional Areas) field, search for and add the functional areas that you noted.
In the same menu as before (5c), select Manage Refresh Tokens for Integrations.
1. In the form, search for the ISU user and select it.
2. Click OK.
3. Click Generate new token and copy the refresh token details which will be used later.

Set up Snowflake account¶

As a Snowflake account administrator, perform the following tasks:

Create a new role or use an existing role and grant the Database privileges.
Create a new Snowflake service user with the type as SERVICE.
Grant the Snowflake service user the role you created in the previous steps.
Configure with key-pair auth for the Snowflake SERVICE user from step 2.
Snowflake strongly recommends this step. Configure a secrets manager supported by Openflow, for example, AWS, Azure, and Hashicorp, and store the public and private keys in the secret store.

Note

If for any reason, you do not wish to use a secrets manager, then you are responsible for safeguarding the public key and private key files used for key-pair authentication according to the security policies of your organization.
1. Once the secrets manager is configured, determine how you will authenticate to it. On AWS, it’s recommended that you the EC2 instance role associated with Openflow as this way no other secrets have to be persisted.
2. In Openflow, configure a Parameter Provider associated with this Secrets Manager, from the hamburger menu in the upper right. Navigate to Controller Settings » Parameter Provider and then fetch your parameter values.
3. At this point all credentials can be referenced with the associated parameter paths and no sensitive values need to be persisted within Openflow.
If any other Snowflake users require access to the raw ingested documents and tables ingested by the connector (for example, for custom processing in Snowflake), then grant those users the role created in step 1.
Designate a warehouse for the connector to use. Start with the smallest warehouse size, then experiment with size depending on the number of tables being replicated, and the amount of data transferred. Large table numbers typically scale better with multi-cluster warehouses, rather than larger warehouse sizes.

Set up the connector¶

As a data engineer, perform the following tasks to configure the connector:

Install the connector¶

Create a database and schema in Snowflake for the connector to store ingested data. Grant required Database privileges to the role created in the first step. Substitute the role placeholder with the actual value and use the following SQL commands:

CREATE DATABASE DESTINATION_DB;
CREATE SCHEMA DESTINATION_DB.DESTINATION_SCHEMA;
GRANT USAGE ON DATABASE DESTINATION_DB TO ROLE <CONNECTOR_ROLE>;
GRANT USAGE ON SCHEMA DESTINATION_DB.DESTINATION_SCHEMA TO ROLE <CONNECTOR_ROLE>;
GRANT CREATE TABLE, CREATE PIPE ON SCHEMA DESTINATION_DB.DESTINATION_SCHEMA TO ROLE <CONNECTOR_ROLE>;

Copy

Navigate to the Openflow Overview page. In the Featured connectors section, select View more connectors.
On the Openflow connectors page, find the connector and select Add to runtime.
In the Select runtime dialog, select your runtime from the Available runtimes drop-down list.
Select Add.

Note

Before you install the connector, ensure that you have created a database and schema in Snowflake for the connector to store ingested data.
Authenticate to the deployment with your Snowflake account credentials and select Allow when prompted to allow the runtime application to access your Snowflake account. The connector installation process takes a few minutes to complete.
Authenticate to the runtime with your Snowflake account credentials.

The Openflow canvas appears with the connector process group added to it.

Configure the connector¶

Right-click on the imported process group and select Parameters.
Populate the required parameter values as described in Flow parameters.

Flow parameters¶

The configuration is divided into three parameter contexts. The Workday Destination Parameters and Workday Source Parameters contexts are responsible for connecting with Snowflake and Workday. The Workday Ingestion Parameters contains all parameters from both configs and other parameters specific to a given report (e.g., Report URL).

Because the Workday Ingestion Parameters parameter context contains report-specific details, new parameter contexts must be created for each new report and process group. To create a new parameter context, go to the menu, select “Parameter Contexts”, and add a new context. It should inherit from both the Workday Destination Parameters and Workday Source Parameters parameter contexts.

Workday Destination Parameters parameter context

Parameter	Description	Required
Destination Database	The database where data will be persisted. It must already exist in Snowflake. The name is case-sensitive. For unquoted identifiers, provide the name in uppercase.	Yes
Destination Schema	The schema where data will be persisted, which must already exist in Snowflake. The name is case-sensitive. For unquoted identifiers, provide the name in uppercase. See the following examples: `CREATE SCHEMA SCHEMA_NAME` or `CREATE SCHEMA schema_name`: use `SCHEMA_NAME` `CREATE SCHEMA "schema_name"` or `CREATE SCHEMA "SCHEMA_NAME"`: use `schema_name` or `SCHEMA_NAME`, respectively	Yes
Snowflake Account Identifier	When using: Session Token Authentication Strategy: Must be blank. KEY_PAIR: Snowflake account name formatted as [organization-name]-[account-name] where data will be persisted.	Yes
Snowflake Authentication Strategy	When using: Snowflake Openflow Deployment: Use SNOWFLAKE_SESSION_TOKEN. This token is managed automatically by Snowflake. BYOC: Use KEY_PAIR as the value for authentication strategy.	Yes
Snowflake Private Key	When using: Session Token Authentication Strategy: Must be blank. KEY_PAIR: Must be the RSA private key used for authentication. The RSA key must be formatted according to PKCS8 standards and have standard PEM headers and footers. Note that either Snowflake Private Key File or Snowflake Private Key must be defined.	No
Snowflake Private Key File	When using: Session token authentication strategy: The private key file must be blank. KEY_PAIR: Upload the file that contains the RSA private key used for authentication to Snowflake, formatted according to PKCS8 standards and including standard PEM headers and footers. The header line begins with `-----BEGIN PRIVATE`. To upload the private key file, select the Reference asset checkbox.	No
Snowflake Private Key Password	When using Session Token Authentication Strategy: Must be blank. KEY_PAIR: Provide the password associated with the Snowflake Private Key File.	No
Snowflake Role	When using Session Token Authentication Strategy: Use your Runtime Role. You can find your Runtime Role in the Openflow UI, by navigating to View Details for your Runtime. KEY_PAIR Authentication Strategy: Use a valid role configured for your service user.	Yes
Snowflake Username	When using Session Token Authentication Strategy: Must be blank. KEY_PAIR: Provide the user name used to connect to the Snowflake instance.	Yes
Snowflake Warehouse	Snowflake warehouse used to run queries.	Yes

Workday Source Parameters parameter context

Parameter	Description
Authorization Type	Choose between OAUTH or BASIC_AUTH. If OAUTH is chosen, then OAuth Client ID, OAuth Client Secret, OAuth Refresh Token and OAuth Token Endpoint must be defined. If BASIC_AUTH is chosen, then Workday Username and Workday Password must be defined.
OAuth Client ID	The client ID of an application registered in Workday.
OAuth Client Secret	The client secret related to the Client ID.
OAuth Refresh Token	The refresh token is obtained by a user during the app registration process. It is used together with the client ID and the client secret to get an access token.
OAuth Token Endpoint	The token endpoint is obtained by a user during the app registration process.
Workday Username	The username is used to log into a Workday account. Must be set only when BASIC_AUTH is chosen.
Workday Password	The password is associated with the Workday username. Must be set only when BASIC_AUTH is chosen.

Workday Ingestion Parameters parameter context

Parameter	Description
Destination Table	The destination table where report data pulled from Workday is stored. It is created by the connector if it does not exist.
Report URL	A RaaS API URL to a report created in Workday.
Run Schedule	Run schedule on which data is retrieved from Workday and saved in Snowflake. This value is a time duration specified by a number followed by a time unit. For example, 1 second or 5 mins.

Run the flow¶

Right-click on the plane and select Enable all Controller Services.
Right-click on the imported process group and select Start. The connector starts the data ingestion.