Workday

Capture Workday activity logs detailing records of user actions, system events, and data changes within the Workday platform.

RunReveal connects to the Workday Privacy API (/ccx/api/privacy/v1/{tenant}/activityLogging) using OAuth2 with a refresh token and polls for new activity logs every 5 minutes.

Workday Source Setup

Workday activity logs start flowing from the time you connect the source. RunReveal does not perform a historical backfill for this source.

Prerequisites

Before connecting, you need four things from Workday:

Item	Where it comes from
Host	Your Workday API hostname (e.g. `wd5-impl-services1.workday.com`)
Tenant	Your Workday tenant name (e.g. `mycompany`)
Client ID + Client Secret	A registered REST API Client in Workday
Refresh Token	Generated via Manage Refresh Tokens for Integrations

Complete Steps 1–4 in Workday before connecting in RunReveal.

Step 1 — Enable tenant-level settings

These two settings must be enabled in your Workday tenant or the Activity Logging API will not work, regardless of permissions or API client configuration.

Search for Edit Tenant Setup - System in Workday. Ensure Enable User Activity Logging is checked.
Search for Edit Tenant Setup - Security in Workday. Ensure OAuth 2.0 Clients Enabled is checked.

Step 2 — Create an Integration System User

RunReveal needs a dedicated service account (Integration System User) with permission to read the Activity Logging data.

Search for Create Integration System User in Workday.
Create a new user (for example, RunReveal_ISU). Set a password and uncheck Require New Password at Next Sign In.
Search for Maintain Password Rules and add the ISU to the System Users exempt from password expiration list.
Search for Create Security Group and create a new Integration System Security Group (Unconstrained) (for example, RunReveal Security Group).
Add your ISU to the new security group.
Search for Maintain Domain Security Policies and grant the security group Get access to the following domain:
- System Auditing (under the Worker Data or Privacy category — search for Manage: Workday Account Activity Logs or System Auditing depending on your Workday version)
Search for Activate Pending Security Policy Changes and activate the changes.

The exact domain name may vary by Workday version. If you cannot find Manage: Workday Account Activity Logs, look for System Auditing or contact your Workday administrator to identify the domain that controls access to activity log reports.

Step 3 — Register an API Client

Search for Register API Client for Integrations in Workday.
Fill in:
- Client Name: RunReveal (or any descriptive name)
- Non-Expiring Refresh Tokens: check this box
- Scope: add System (this covers the Privacy API used for activity logging)
Click OK. Workday displays the Client ID and Client Secret — copy both immediately. The secret is shown only once.

If you need to retrieve the Client ID later, search for View API Clients. The Client Secret cannot be retrieved after creation — if lost, generate a new one.

Step 4 — Generate a Refresh Token

Search for View API Clients in Workday and open the client you registered in Step 3.
Click the Related Actions icon → API Client → Manage Refresh Tokens for Integrations.
In the Workday Account field enter the ISU you created in Step 2.
Check Generate New Refresh Token and click OK.
Copy the refresh token — save it securely. It is only shown once.

Step 5 — Find your Host and Tenant

Your Host is the API hostname Workday uses for your tenant — it is different from your browser login URL and looks like wd5-impl-services1.workday.com.

To find the correct host and tenant:

Search for View API Clients in Workday and open the API Client you registered in Step 3.
Look at the Token Endpoint URL — it will be in the format https://{host}/ccx/oauth2/{tenant}/token.
Extract the hostname (for example wd5-impl-services1.workday.com) and tenant (for example mycompany) from that URL.

Step 6 — Connect in RunReveal

Go to Sources → Add Source and select Workday.
Give the source a name and fill in the fields:

Field	Value
Workday Host	API hostname from Step 5 (e.g. `wd5-impl-services1.workday.com`)
Workday Tenant	Tenant name from Step 5 (e.g. `mycompany`)
Client ID	From Step 3
Client Secret	From Step 3
Refresh Token	From Step 4

Click Save. Logs begin appearing within a few minutes.

Verify It's Working

You can validate RunReveal is receiving your logs by running the following SQL query:

SELECT * FROM workday_logs LIMIT 1

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: workday_logs (45 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	LowCardinality(String)
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventTime`	DateTime
`eventName`	String
`eventID`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String

Column	Type
`dstCity`	String
`dstConnectionType`	String
`dstISP`	String
`dstLatitude`	Float64
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)
`serviceName`	String
`enrichments`	Array(Tuple(data Map(String, String), name String, provider String, type String, value String))
`readOnly`	Bool
`rawLog`	String
`activityAction`	String
`deviceType`	String
`ipAddress`	String
`requestTime`	String
`sessionId`	String
`systemAccount`	String
`taskDisplayName`	String
`taskId`	String
`userAgent`	String

Helpful Links

Workday REST API documentation
Workday Community
Register API Clients for Integrations (Workday docs)
Datadog Workday integration setup — a useful reference for the same Workday API steps

On this page