Workday Integration with Grip Security - Posture (SSPM)


Overview

This guide explains how to connect Workday with Grip Security.

Integrating with Grip’s SSPM module enables Grip to assess critical security settings, including access control, configuration baseline, and other relevant aspects within your Workday environment.

Note.

Connecting Workday with Grip involves multiple steps, so please make sure to follow each one carefully.

Prerequisites

To configure the integration, you will need to create the system user account and grant permissions through a security group.

Use the Workday Security Administrator account you previously identified to carry out these steps.

Please pay attention 🔔

When setting up configurations in Workday, ensure that you copy all necessary details for the Grip integration. Keep your clipboard open and copy everything systematically to make the data easy to access and use.

Workday setup

Step 1: Create the integration system user.

  • Using the Workday console's search field, search for Create Integration System User (1).

  • Select Create Integration System User (2).

  • Enter a User Name (3).

  • Enter the Password for the account (4).

    Note

    Copy the name and password to your clipboard. You will need it in the next step and during the integration.

  • Ensure that Do Not Allow UI Sessions is NOT checked.

  • Click OK.

Step 2: Create a security group for the integration system user.

  • Using the Workday console's search field, search for Create Security Group (1)

  • Select Create Security Group (2)

  • On the Create Security Group page, do the following:

    • From the field's drop-down, select Integration System Security Group (Unconstrained) (3).

    • Name the security group

    • Click OK.

On the Edit Integration System Security Group (Unconstrained) page, under Integration System Users, locate the name of the integration system user that you created and saved in step 1 (4).

Click OK.

Step 3: Add domain security policy permissions for the security group.

  • Search for Maintain Permissions for Security Group (1)

  • Select Maintain Permissions for Security Group from the search results (2)

  • Complete the following actions:

    • Select the Maintain operation.

    • In the Source Security Group field, select the name of the security group that you created in step 2.

  • Click OK.

  • You will be directed to the Maintain Permissions for Security Group page.

  • From the Domain Security Policy Permissions tab, add the following 7 domain security policies with the Get Only access permissions to the security group.

  1. Workday Accounts

  2. Worker Data: Public Worker Reports

  3. Security Configuration

  4. System Auditing

  5. Person Data: Work Contact Information

  6. Worker Data: Workers

  7. Workday Query Language.

  • To add a policy permission, click the plus sign (+) icon.

  • Click OK when done.

Step 4: Activate Pending Security Policy Changes

  • Search for and select Activate Pending Security Policy Changes (1+2)

  • On the 'Activate Pending Security Policy Changes' page, enter a comment describing the security updates you've made, then click OK.

  • Workday shows a second “Activate Pending Security Policy Changes” page that summarizes the modifications you’ve made.

  • Select the Confirm check box.

  • Click OK.

Step 5: Register the API Client

Search for and select Register API Client (1+2)

In the Register API Client window, enter the information below:

  • Enter the API Client Name (3)

  • Client Grant Type – Authorization Code Grant

  • Access Token Type – Bearer

  • Redirection URL (4) – enter your Grip domain name after “https://”: https://{client_domain_in_grip}.integrations.grip.security/oauth/callback
    For example, in the URL https://acme.dep.grip.security/, the {client_domain_in_grip} is acme.

  • Check Non-Expiring Refresh Tokens

  • Scope (5) – System & Tenant Non-Configurable

  • Click OK

The Register API Client summary page is displayed.

  • Copy the details below to your clipboard, as you’ll need them when connecting to Grip.

  • Client ID & Client Secret (A)

  • From the Token Endpoint copy:

    • Tenant ID (B) – the Tenant is the final part of the URL, after /oauth2/ and before /token

    • Token Domain (C) – everything after https:// and before /ccx

    • Example: If the endpoint is https://wd2-impl-services1.workday.com/ccx/oauth2/yourtenant_abc/token, your Token Domain is wd2-impl-services1.workday.com

  • From the Authorization Endpoint, copy the Authorization Domain (Everything after https:// and before yourtenant)

  • When completed, you must click Done! Otherwise, the API client will not be applied.
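The field extraction described in Step 5, as an added example that is not Grip's or Workday's own code: it derives the Tenant ID, Token Domain and Authorization Domain from the two endpoints and rejects a pair whose tenants disagree, and it builds the Redirection URL from the Grip client domain. The authorization endpoint shape (host, then tenant as the first path segment) and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values. The token endpoint is the page's own example;
# the authorization endpoint is an assumed shape (host, then tenant).
TOKEN_ENDPOINT = "https://wd2-impl-services1.workday.com/ccx/oauth2/yourtenant_abc/token"
AUTH_ENDPOINT = "https://impl.workday.com/yourtenant_abc/authorize"

def https_parts(url, label):
    """Return (host, path segments) of an https URL, rejecting anything else."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{label} must be an https:// URL")
    return parts.hostname, [s for s in parts.path.split("/") if s]

def grip_fields(token_endpoint, authorization_endpoint):
    """Derive Tenant ID (B), Token Domain (C) and Authorization Domain."""
    token_domain, segs = https_parts(token_endpoint, "Token Endpoint")
    # Expected path: /ccx/oauth2/<tenant>/token
    if len(segs) != 4 or segs[:2] != ["ccx", "oauth2"] or segs[3] != "token":
        raise ValueError("Token Endpoint path is not /ccx/oauth2/<tenant>/token")
    tenant_id = segs[2]
    auth_domain, auth_segs = https_parts(authorization_endpoint,
                                         "Authorization Endpoint")
    # The Authorization Domain is what precedes the tenant, so the tenant must
    # be the first path segment and must match the one in the Token Endpoint.
    if not auth_segs or auth_segs[0] != tenant_id:
        raise ValueError("Authorization Endpoint tenant does not match Token Endpoint")
    return {"tenant_id": tenant_id, "token_domain": token_domain,
            "authorization_domain": auth_domain}

def redirection_url(client_domain_in_grip):
    """Build the Redirection URL from the Grip client domain label."""
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    if not re.fullmatch(label, client_domain_in_grip):
        raise ValueError("client domain must be a single DNS label, e.g. 'acme'")
    return f"https://{client_domain_in_grip}.integrations.grip.security/oauth/callback"

if __name__ == "__main__":
    print(grip_fields(TOKEN_ENDPOINT, AUTH_ENDPOINT))
    print(redirection_url("acme"))
```
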

Step 6: Connect Workday to Grip SSPM   

  • From the Grip platform, go to Posture » Click on Add Tenant (1) » Workday (2) 

  • In the Add New Workday Tenant window (3), enter the information you copied during “Step 5: Register the API Client”: Client ID & Client Secret, Tenant ID, Token Domain, and Authorization Domain.

  • Click on Add Tenant

Note

You must log off of Workday and reconnect with the user name and password you created in Step 1: Create the integration system user.

  • Click Allow (6)

  • Once connected, the Tenant will be added to the “Connected Tenants” list.

  • There, you can view and filter your policy statuses, assess your security posture, and address any issues.