Step 1: Create a Workday Integration User and Grant Permissions

To complete the following steps, a Workday user with “Integration security” access is required.

(1) (a) Go to the "Create Integration System User" task.

You can access this task and future ones via the search bar at the top.

Create a user with the values seen below and click OK.

Recommended user name: kolleno-integration
⚠️ IMPORTANT: please store the password securely, you will need it later!
Click on Done.

(1) (b) Create the "Security Group"

Go to the Create Security Group task.
Fill in the form as per the table below:

Type of Tenanted Security Group	Integration System Security Group (Unconstrained)
Name	Kolleno Integration Security Group

Add the Integration System User (ISU) you created in (1)(a) to the security group.
Name: Kolleno Integration Security Group

Click on OK then wait.

Before you click Done"(please wait), instead, select from Actions → Security Group → Maintain Security Permissions.

This step is a bit longer: you will need to add these permissions:

Domain Security Policies permitting Modify access	Private Calculated Field Management Reports: Customer Documents Workday Query Language
Domain Security Policies permitting View access	Customer Object Management Process: Banking Process" Customer Invoice (NEW) Process: Customer Invoice Payment Process: Project Billing Reports: Customer Accounts Process: Project Billing
Domain Security Policies permitting Put access	Manage: Customer Invoice Process: Customer Invoice Payment Process: Customer Invoice Payment/Settlement Process: Customer Payment Set Up: Bank Entity
Domain Security Policies permitting Get access	Integration Build Person Data: Name Process: Bank Statement Process: Project Billing Process: Purchase Order - Reporting Reports: Currency Rates Reports: Customer Reports: Customer Accounts Reports: Financial Accounting Set Up: Company General Set Up: Customer Accounts Set Up: Fiscal Schedule

Click on OK then Done.

(1) (c) Activate the security changes.

Access the Activate Pending Security Policy Changes task.

Add a comment so you remember what it is for. For instance:
Additional permissions for the security group Kolleno Integration Security Group (it contains the ISU kolleno-integration).

Click on OK.
Click on the checkbox Confirm.
Click on OK

(1) (d) Exempt from Password expiration

This step ensures that the integration system user's password remains unaffected by the tenant’s expiration policy. This prevents any risk of the integration failing due to password expiration.

Access the task Maintain Password Rules.
Scroll down to the Session Timeout section.

Add kolleno-integration to the list of System Users exempt from password expiration.
Click on OK.

Step 2: Register an API Client for Integrations

This step is required to enable the REST API, which allows you to sync your Workday data into Kolleno using WQL and retrieve invoice PDFs. For security reasons, it must be completed by a user with Security Administration domain privileges.

Access the task Register API Client for Integrations.
Fill in the form as per screenshot.

Client Name: Kolleno API Client
Non-Expiring Refresh Tokens: checked
Scope (Functional Areas): Customer Accounts and System

After completing this step, you will see a summary of the API Client. Verify that the settings match the example shown in the image below. You will also find a Client ID and Client Secret—be sure to save these credentials, as you’ll need them when connecting your Workday instance during the Kolleno setup.

Now WAIT - do not click on Done just yet. Select Actions → API Client → Manage Refresh Tokens for Integrations.

Under Workday Account, select kolleno-integration.
Click on OK.
Check the box Generate New Refresh Token.

Click on OK.
After completing this step, a new Refresh Token will be generated. Make sure to save this token, as it will be required later during Kolleno’s registration process.