Double-layer API Client security in workforce planning: functional area scopes vs domain policies

ERP Workday
, , , , , , , ,
1

I want to discuss the security model for Workday API Clients, specifically how functional area scopes interact with domain security policies on the Integration System User. We’re implementing workforce planning integrations and the documentation isn’t crystal clear on where one layer ends and the other begins.

From what I understand, there are two distinct security layers:

  1. API Client Level: Functional area scopes (Workforce Planning, Recruiting, etc.) that define broad access categories
  2. ISU Level: Domain security policies that control granular data access within those functional areas

What’s unclear is how these interact in practice. If I grant Workforce Planning scope to an API Client but the ISU has limited domain security (say, only certain organizations), does the scope essentially get “filtered” by the ISU’s domain policies? Or are they independent checks that both must pass?

Also curious about the System and Tenant Non-Configurable scopes - when are these actually required versus just functional area scopes? Looking for practical examples of how others have implemented least-privilege access with this dual-layer model.

2

From a compliance perspective, this dual-layer model is actually ideal for audit requirements. We can demonstrate that integrations have minimal necessary scope at the API Client level (functional areas only), and then show granular access control through ISU domain policies. For workforce planning specifically, we grant Workforce Planning scope but restrict the ISU to only the organizations and supervisory structures that the integration legitimately needs to access. This creates a clean audit trail showing both what the integration CAN do (scope) and what it ACTUALLY accesses (domain-filtered data). Makes SOC 2 and privacy audits much cleaner.

3

To add to Sara’s point with a concrete example: we have an API Client with Recruiting scope that pulls candidate data. The ISU has domain security limited to our North America region only. When we call the candidates API, it returns successfully (because the scope allows Recruiting API access), but the response only includes candidates for North America positions. Candidates for EMEA or APAC positions simply don’t appear in the results - no error, just filtered data. This is actually really powerful for implementing least-privilege integrations. We can use the same API Client configuration across regions but control data access purely through ISU domain policies.

4

Excellent discussion on API Client security architecture. Let me synthesize this into a comprehensive model for implementing least-privilege access in Workday integrations, particularly for workforce planning scenarios.

Security Layer Architecture:

The Workday API Client security model operates on two distinct but complementary layers that work together to enforce least-privilege access:

Layer 1: API Client Functional Area Scopes This is the coarse-grained permission layer that controls which API categories the client can invoke. Think of these as “capability grants” - they determine which functional areas the integration has permission to interact with at all.

For workforce planning integrations, relevant scopes include:

  • Workforce Planning: Access to planning cycles, position management, succession plans
  • Workforce Analytics: Access to analytics and reporting endpoints
  • Core HR: Access to worker and organizational data
  • Talent Management: Access to talent pools and development plans

Key insight: Functional area scopes are binary - you either have access to call APIs in that category or you don’t. They don’t provide granular filtering within the functional area.

Layer 2: Integration System User Domain Security Policies This is the fine-grained permission layer that controls which specific data the integration can access within the functional areas granted by scopes. Domain security policies enforce:

  • Organizational visibility (which supervisory organizations can be accessed)
  • Worker population filters (which worker types, locations, or custom criteria)
  • Functional domain constraints (which specific data domains within a functional area)

Critical point: Domain security acts as a filter on API responses. The integration doesn’t receive access denied errors for data outside its domain - that data simply doesn’t appear in responses.

How the Layers Interact:

The permission check follows this logic:


API Request Authorization = (Functional Area Scope Check) AND (Domain Security Filter)

1. Does API Client have scope for this functional area?
   NO → 403 Forbidden (insufficient_scope)
   YES → Proceed to step 2

2. Does ISU have domain security for requested data?
   NO → Return empty/filtered result set (no error)
   YES → Return data within domain boundaries

This AND operation creates powerful least-privilege capabilities. You can grant broad API access through scopes while tightly controlling data visibility through domain policies.

Special Scopes: System and Tenant Non-Configurable

These scopes operate outside the functional area model:

  • System Scope: Required for infrastructure-level APIs that aren’t tied to specific functional areas. Examples include Activity Logs API, system notifications, integration monitoring endpoints. Workforce planning integrations typically don’t need this unless implementing audit logging or system health monitoring.

  • Tenant Non-Configurable Scope: Required for accessing tenant configuration metadata like custom objects, calculated fields, integration system definitions. Needed if your workforce planning integration reads custom field configurations or integration setup metadata dynamically.

Practical Implementation Strategy for Workforce Planning:

  1. Identify Required Functional Areas: Map your integration requirements to functional area scopes. For workforce planning: likely Workforce Planning + Core HR at minimum.

  2. Grant Minimal Scopes: Only enable functional area scopes that map to actual API calls your integration makes. Don’t grant Recruiting scope if you’re not calling recruiting APIs.

  3. Configure Restrictive Domain Security: Set up the ISU with domain security policies that limit visibility to only the organizations, locations, or worker populations the integration legitimately needs. Use security groups and constrained policies rather than broad unconstrained access.

  4. Test with Domain Boundaries: Verify that API responses respect domain security filtering. Request data outside the ISU’s domain and confirm it’s properly excluded from responses.

  5. Document the Security Model: For compliance and audit purposes, document both the functional area scopes granted (the “what can it do”) and the domain security policies applied (the “what data can it see”). This dual documentation satisfies most regulatory frameworks.

Least-Privilege Best Practices:

  • Start with zero scopes and add only what’s required as you develop
  • Use domain security as your primary access control mechanism - it’s more flexible and auditable than scope changes
  • Review ISU domain policies quarterly to ensure they still match business requirements
  • Separate API Clients for different integration purposes rather than creating one super-privileged client
  • Monitor API access patterns to identify if granted scopes are actually being used

The beauty of this dual-layer model is that it separates concerns: developers think about functional area scopes (which APIs to call), while security teams control domain policies (which data to expose). This separation makes both development and compliance management cleaner.

5

That makes sense. So the practical implementation strategy would be: grant functional area scopes based on which API categories the integration needs (Workforce Planning, Recruiting, etc.), then lock down the ISU with specific domain security policies to limit data visibility. What about those System and Tenant Non-Configurable scopes though? When do those come into play?