This guide walks you through connecting your Workday Human Capital Management (HCM) platform to TruU TOTAL for persona generation and threat detection.

Overview

TOTAL ingests HR lifecycle and organizational context events from Workday via the Workday REST API and SOAP-based Human Resources Web Service. We poll the worker event history and organizational data endpoints on a configurable interval to collect, normalize, and correlate employee lifecycle events — hires, terminations, transfers, promotions, leave events, and organizational changes — that provide critical context for identity personas.

Connector Type: Polling

Prerequisites

  • Workday Administrator access with permission to create Integration System Users (ISUs)
  • Workday HCM tenant (production or sandbox) with active worker data
  • Integration Security Group configured with appropriate domain permissions
  • Approximately 20 minutes to complete setup

Step 1: Identify Your Workday Tenant URL

  1. Sign in to your Workday tenant
  2. Your tenant URL follows the format:
    https://wd5-impl-services1.workday.com/ccx/service/your_tenant/
    
    or for production:
    https://services1.myworkday.com/ccx/service/your_tenant/
    
  3. Paste the Tenant URL into the TruU Portal

Step 2: Create an Integration System User (ISU)

  1. In Workday, search for the Create Integration System User task
  2. Enter:
    • User Name: ISU_TruU_TOTAL
    • New Password: Set a strong password
    • Require New Password at Next Sign In: Unchecked
    • Do Not Allow UI Sessions: Checked (API-only access)
    • Session Timeout Minutes: 0 (no timeout for API sessions)
  3. Click OK

Step 3: Create an Integration Security Group

  1. Search for the Create Security Group task
  2. Select Integration System Security Group (Unconstrained)
  3. Enter:
    • Name: ISSG_TruU_TOTAL
  4. Click OK
  5. Add ISU_TruU_TOTAL as a member of this security group

Step 4: Configure Domain Security Permissions

  1. Search for the Maintain Permissions for Security Group task
  2. Select ISSG_TruU_TOTAL
  3. Grant Get (read-only) access to the following domain security policies:
| Domain | Permission | Purpose |
| --- | --- | --- |
| Worker Data: Public Worker Reports | Get | Basic worker information |
| Worker Data: Workers | Get | Worker profiles and identifiers |
| Worker Data: Current Staffing Information | Get | Job title, department, manager |
| Worker Data: Employment Data | Get | Employment status, hire date, termination |
| Worker Data: Organization Information | Get | Organizational hierarchy |
| Worker Data: Business Title | Get | Job titles and roles |
| Staffing: Worker Event History | Get | Lifecycle events (hire, term, transfer) |
| Person Data: Work Email | Get | Work email for identity resolution |
| Person Data: Work Phone | Get | Work phone (optional) |

  4. Click OK

Step 5: Activate Security Policy Changes

  1. Search for the Activate Pending Security Policy Changes task
  2. Enter a comment: TruU TOTAL integration - read-only API access
  3. Click OK to activate
Security policy changes must be activated before the ISU can access the configured domains.

Step 6: Enter Credentials in the TruU Portal

In the TruU Portal, navigate to Settings → Connectors → Add Connector → Workday and enter:
  • Workday Tenant URL: Your tenant service URL
  • Tenant Name: Your Workday tenant name
  • Username: ISU_TruU_TOTAL
  • Password: The ISU password
Click Test Connection to verify. TOTAL will authenticate and confirm access to the worker data endpoints.

Security & Privacy

What We Access

  • Read-only access to worker lifecycle events and organizational data via Workday API
  • Employee hire, termination, transfer, and promotion events
  • Organizational hierarchy (department, manager, cost center)
  • Work email addresses for identity resolution
  • All queries use effective date filtering — we only fetch new events since the last poll

What We Don’t Have Access To

  • Personal information (home address, SSN, bank details, compensation)
  • Write access to any Workday data
  • Ability to modify worker records, org structures, or business processes
  • Payroll, benefits, or financial data
  • Recruiting or talent management data

Updating or Rotating Credentials

  1. In Workday, search for the Change Integration System User Password task
  2. Select ISU_TruU_TOTAL
  3. Set a new strong password
  4. Update the password in the TruU Portal
  5. Click Test Connection to verify

Revoke Access

To immediately remove TOTAL’s access:
  1. Option A — Disable in the TruU Portal
  2. Option B — Disable the ISU in Workday (search for Edit Integration System User)
  3. Option C — Remove the ISU from the security group

Rate Limiting & Scalability

Workday API Rate Limits

| Parameter | Limit |
| --- | --- |
| API request rate | ~10 req/s per tenant (shared across all API surfaces) |
| SOAP response page size | Configurable (typically 100–500 workers per page) |
| Throttle response | HTTP 429 |
| Rate limit shared across | All integrations in the tenant, not just TOTAL |

Ingestion Capacity

HR lifecycle events are inherently low-volume. Even a large enterprise with 100K+ workers generates only 200–2K events/day (hires, terminations, transfers, promotions, role changes). TOTAL polls Workday on a longer interval (default: 15–30 minutes) and typically uses < 1 req/min during steady-state polling — a negligible fraction of the shared ~10 req/s tenant budget. Rate limiting is rarely a factor for this signal class. TOTAL also performs a periodic full worker profile sync (~100K records, run daily or weekly) for persona enrichment. This is scheduled during off-peak hours and uses configurable page sizes to minimize API impact.

Event Freshness

Transaction-based events are available in the Workday API near real-time. Batch processes may lag hours. TOTAL polls on a configurable interval (default: 15–30 minutes). End-to-end latency is typically 15–60 minutes.

Resilience

TOTAL uses cursor-based ingestion with at-least-once delivery. The polling cursor only advances after events are successfully collected, normalized, and published. If any step fails, the cursor stays put and the next poll replays from the last known-good position. No events are lost. Transient failures (429s, 5xx, timeouts) are retried automatically with exponential backoff. After 5 consecutive failures, the connector self-pauses and can be re-enabled from the TruU Portal. Workday retains full transaction history, so data loss is effectively impossible regardless of outage duration.
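
The cursor and retry behaviour described above, as an added Python sketch (not TruU's connector code). The backoff base and ceiling, the `Connector` class and the event ids are assumptions; the self-pause threshold of 5 comes from the text. The constructed scenario fails the first publish after the events were already written, so the replay delivers the same batch twice and the consumer dedupes on `platform_event_id`.

```python
from dataclasses import dataclass, field
from typing import Callable

MAX_CONSECUTIVE_FAILURES = 5             # from the page: self-pause threshold
BASE_DELAY_S, MAX_DELAY_S = 1.0, 60.0    # assumed backoff parameters


class TransientError(Exception):
    """Stands in for an HTTP 429, a 5xx response, or a timeout."""


@dataclass
class Connector:
    fetch: Callable      # fetch(cursor) -> (events, next_cursor)
    publish: Callable    # publish(events); raises TransientError on failure
    cursor: str
    failures: int = 0
    paused: bool = False
    delays: list = field(default_factory=list)

    def poll_once(self) -> bool:
        """Run one poll cycle; return True only if the cursor advanced."""
        if self.paused:
            return False
        try:
            events, next_cursor = self.fetch(self.cursor)
            self.publish(events)
        except TransientError:
            self.failures += 1
            if self.failures >= MAX_CONSECUTIVE_FAILURES:
                self.paused = True       # stays paused until re-enabled
            else:                        # a real connector sleeps this long
                self.delays.append(
                    min(MAX_DELAY_S, BASE_DELAY_S * 2 ** (self.failures - 1)))
            return False                 # cursor untouched: next poll replays
        self.cursor, self.failures = next_cursor, 0
        return True


def run_demo():
    """Constructed scenario: the first publish fails after writing events."""
    source = [  # constructed events; ids shaped like the page's samples
        {"platform_event_id": "wid-000001-transfer-20260315", "completed": "2026-03-15"},
        {"platform_event_id": "wid-000002-hire-20260316", "completed": "2026-03-16"},
    ]
    delivered, seen, attempts = [], set(), []

    def fetch(cursor):
        batch = [e for e in source if e["completed"] > cursor]
        return batch, max((e["completed"] for e in batch), default=cursor)

    def publish(events):
        attempts.append(len(events))
        for e in events:                 # idempotent consumer: dedupe on id
            if e["platform_event_id"] not in seen:
                seen.add(e["platform_event_id"])
                delivered.append(e["platform_event_id"])
        if len(attempts) == 1:
            raise TransientError("ack lost after the events were written")

    conn = Connector(fetch, publish, cursor="2026-03-01")
    first, cursor_after_failure = conn.poll_once(), conn.cursor
    second = conn.poll_once()
    return first, cursor_after_failure, second, conn.cursor, delivered, attempts
```

At-least-once delivery means anything downstream of the connector has to tolerate duplicates; without the `seen` check the replayed batch would be recorded twice.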

Connector Design

Each connector polls on an independent, configurable interval. Events are batched and published in per-user order to preserve sequence integrity for persona building. Connector workers are stateless and scale horizontally. Profile syncs run on a configurable schedule with checkpointing. All polling intervals, sync schedules, and batching parameters are tunable from the TruU Portal.

Part 2: Event Types & Data Schema

Signal Classification

| Signal Class | TOTAL Category |
| --- | --- |
| HR / Identity Lifecycle | Admin, Context |

Event Types We Ingest

TOTAL extracts the following categories of events from Workday. Every event ingested is tied to a specific worker (human identity). HR events provide organizational context and behavioral risk indicators — they tell TOTAL who a person is, what they do, how their role is changing, and whether they are under organizational stress (PIPs, disciplinary actions, investigations, compensation changes). This context is essential for building accurate personas and detecting insider threat patterns where behavioral drift correlates with HR friction. Organizational-level events that cannot be attributed to a specific person are excluded.

Employee Lifecycle Events

| Workday Business Process | Description | TOTAL Classification |
| --- | --- | --- |
| Hire | New employee hired and onboarded | Admin |
| Termination | Employee terminated (voluntary or involuntary) | Admin |
| Retirement | Employee retired | Admin |
| End Contingent Worker Contract | Contingent worker contract ended | Admin |
| Rescind Termination | Termination rescinded, employee reinstated | Admin |
| Leave of Absence | Employee placed on leave | Admin |
| Return from Leave | Employee returned from leave | Admin |

Job Change Events

| Workday Business Process | Description | TOTAL Classification |
| --- | --- | --- |
| Promotion | Employee promoted to new position | Admin |
| Demotion | Employee demoted | Admin |
| Lateral Move | Employee moved to equivalent position | Admin |
| Transfer | Employee transferred to different department/location | Admin |
| Job Requisition Change | Job requisition modified | Admin |
| Change Job | Job attributes changed (title, department, manager) | Admin |
| Change Business Title | Business title updated | Admin |

Organizational Events

| Workday Business Process | Description | TOTAL Classification |
| --- | --- | --- |
| Change Organization Assignments | Worker’s org assignments changed | Admin |
| Move Workers (Reorganization) | Worker moved as part of reorg | Admin |

Manager & Reporting Events

| Workday Business Process | Description | TOTAL Classification |
| --- | --- | --- |
| Change Manager | Worker’s manager changed | Admin |
| Assign Roles | Worker assigned new security/functional roles | Admin |
| Remove Roles | Roles removed from worker | Admin |
| Delegate Task | Task delegated to another worker | Admin |

Performance & Talent Events

| Workday Business Process | Description | TOTAL Classification |
| --- | --- | --- |
| Performance Review Completed | Annual or mid-year performance review finalized for worker | HR Sentiment |
| Performance Improvement Plan (PIP) Initiated | Worker placed on a formal performance improvement plan | HR Risk |
| Performance Improvement Plan (PIP) Completed | PIP period concluded (successful or unsuccessful) | HR Risk |
| Performance Rating Changed | Worker’s performance rating updated | HR Sentiment |
| Goal Changed | Worker’s performance goals modified mid-cycle | HR Sentiment |
| Talent Review Completed | Worker assessed in a talent/calibration review | HR Sentiment |
| Succession Plan Changed | Worker added to or removed from a succession plan | HR Sentiment |
| Development Plan Created | Formal development plan created for worker | HR Sentiment |

Disciplinary Events

| Workday Business Process | Description | TOTAL Classification |
| --- | --- | --- |
| Disciplinary Action Issued | Formal disciplinary action recorded against worker (verbal warning, written warning, suspension) | HR Risk |
| Probation Initiated | Worker placed on probationary period | HR Risk |
| Probation Completed | Worker’s probationary period concluded | HR Risk |

Compensation & Benefits Events

| Workday Business Process | Description | TOTAL Classification |
| --- | --- | --- |
| Compensation Change | Worker’s compensation adjusted (raise, reduction, bonus structure change) | HR Sentiment |
| One-Time Payment | Worker received a one-time bonus or payment | HR Sentiment |
| Stock Grant | Worker granted equity/stock | HR Sentiment |
| Benefits Change | Worker modified benefits elections | Context |

Worker Profile Context (Enrichment Data)

In addition to events, TOTAL periodically syncs the following worker profile data for persona enrichment:

| Field | Description | Persona Use |
| --- | --- | --- |
| Employee ID | Unique worker identifier | Identity resolution |
| Work Email | Primary work email address | Identity resolution |
| Legal Name | Worker’s legal name | Display and correlation |
| Business Title | Current job title | Role-based persona modeling |
| Department | Current department | Peer group identification |
| Cost Center | Cost center assignment | Organizational context |
| Location | Work location (city, country) | Geographic baseline |
| Manager | Direct manager | Reporting chain context |
| Hire Date | Original hire date | Tenure context |
| Worker Type | Employee, Contingent Worker | Access expectation modeling |
| Worker Status | Active, Terminated, On Leave | Account lifecycle correlation |
| Job Family | Job family/category | Role-based access expectations |
| Time Zone | Worker’s time zone | Working hours baseline |

Sample Source Event (Workday — Employee Transfer)

{
  "Worker_Reference": {
    "ID": [
      {
        "type": "Employee_ID",
        "value": "EMP-001234"
      },
      {
        "type": "WID",
        "value": "wid-001234"
      }
    ]
  },
  "Worker_Event_Data": {
    "Effective_Date": "2026-03-15",
    "Event_Type_Reference": {
      "ID": [
        {
          "type": "WID",
          "value": "evt-type-transfer"
        },
        {
          "type": "Business_Process_Type",
          "value": "Transfer"
        }
      ]
    },
    "Event_State": "Completed",
    "Completed_Date": "2026-03-15T00:00:00.000Z",
    "Initiated_By_Reference": {
      "ID": [
        {
          "type": "Employee_ID",
          "value": "EMP-000100"
        }
      ]
    },
    "Worker_Data_Changes": {
      "Previous_Department": "Engineering - Platform",
      "New_Department": "Engineering - Security",
      "Previous_Manager": "EMP-000050",
      "New_Manager": "EMP-000075",
      "Previous_Location": "San Francisco, CA",
      "New_Location": "San Francisco, CA",
      "Previous_Business_Title": "Senior Software Engineer",
      "New_Business_Title": "Senior Security Engineer",
      "Previous_Cost_Center": "CC-ENG-PLAT",
      "New_Cost_Center": "CC-ENG-SEC"
    }
  },
  "Worker_Profile": {
    "Legal_Name": "Jane Doe",
    "Work_Email": "jane.doe@acme.com",
    "Worker_Type": "Employee",
    "Worker_Status": "Active",
    "Hire_Date": "2022-06-15",
    "Job_Family": "Engineering"
  }
}

TOTAL Normalized Events

Transfer Event

{
  "event_id": "d0e1f2a3-b4c5-6789-klmn-012345678901",
  "event_type": "ADMIN",
  "source": "WORKDAY",
  "signal_type": "HR",
  "domain_id": "customer-domain-001",
  "tuid": "tuid-jane-doe-001",
  "timestamp": "2026-03-15T00:00:00.000Z",
  "payload": {
    "user": "jane.doe@acme.com",
    "action": "Transfer",
    "event_state": "Completed",
    "previous_department": "Engineering - Platform",
    "new_department": "Engineering - Security",
    "previous_manager": "EMP-000050",
    "new_manager": "EMP-000075",
    "previous_title": "Senior Software Engineer",
    "new_title": "Senior Security Engineer",
    "worker_type": "Employee",
    "worker_status": "Active"
  },
  "raw_metadata": {
    "platform_event_id": "wid-001234-transfer-20260315",
    "employee_id": "EMP-001234",
    "worker_wid": "wid-001234",
    "event_type": "Transfer",
    "event_state": "Completed",
    "effective_date": "2026-03-15",
    "completed_date": "2026-03-15T00:00:00.000Z",
    "initiated_by": "EMP-000100",
    "previous_department": "Engineering - Platform",
    "new_department": "Engineering - Security",
    "previous_manager": "EMP-000050",
    "new_manager": "EMP-000075",
    "previous_location": "San Francisco, CA",
    "new_location": "San Francisco, CA",
    "previous_business_title": "Senior Software Engineer",
    "new_business_title": "Senior Security Engineer",
    "previous_cost_center": "CC-ENG-PLAT",
    "new_cost_center": "CC-ENG-SEC",
    "worker_type": "Employee",
    "worker_status": "Active",
    "hire_date": "2022-06-15",
    "job_family": "Engineering",
    "created_at": "2026-03-15T00:00:00.000Z",
    "source_platform": "workday"
  },
  "platform_event_id": "wid-001234-transfer-20260315",
  "platform_event_source": "WORKDAY_HCM_API"
}

Performance Improvement Plan Event

{
  "event_id": "f1a2b3c4-d5e6-7890-abcd-ef1234567890",
  "event_type": "HR_RISK",
  "source": "WORKDAY",
  "signal_type": "HR",
  "domain_id": "customer-domain-001",
  "tuid": "tuid-john-smith-002",
  "timestamp": "2026-02-10T14:30:00.000Z",
  "payload": {
    "user": "john.smith@acme.com",
    "action": "Performance_Improvement_Plan_Initiated",
    "event_state": "Completed",
    "pip_reason": "Below Expectations — Q4 Performance Review",
    "pip_duration_days": 60,
    "pip_start_date": "2026-02-15",
    "pip_end_date": "2026-04-15",
    "manager": "EMP-000200",
    "department": "Finance - Accounting",
    "worker_type": "Employee",
    "worker_status": "Active"
  },
  "raw_metadata": {
    "platform_event_id": "wid-005678-pip-20260210",
    "employee_id": "EMP-005678",
    "worker_wid": "wid-005678",
    "event_type": "Performance_Improvement_Plan_Initiated",
    "event_state": "Completed",
    "effective_date": "2026-02-15",
    "completed_date": "2026-02-10T14:30:00.000Z",
    "initiated_by": "EMP-000200",
    "worker_type": "Employee",
    "worker_status": "Active",
    "hire_date": "2020-01-10",
    "job_family": "Finance",
    "created_at": "2026-02-10T14:30:00.000Z",
    "source_platform": "workday"
  },
  "platform_event_id": "wid-005678-pip-20260210",
  "platform_event_source": "WORKDAY_HCM_API"
}

Disciplinary Action Event

{
  "event_id": "a9b8c7d6-e5f4-3210-9876-543210fedcba",
  "event_type": "HR_RISK",
  "source": "WORKDAY",
  "signal_type": "HR",
  "domain_id": "customer-domain-001",
  "tuid": "tuid-sarah-lee-003",
  "timestamp": "2026-01-20T09:15:00.000Z",
  "payload": {
    "user": "sarah.lee@acme.com",
    "action": "Disciplinary_Action_Issued",
    "event_state": "Completed",
    "action_type": "Written Warning",
    "action_reason": "Policy Violation — Acceptable Use",
    "department": "Marketing - Digital",
    "manager": "EMP-000150",
    "worker_type": "Employee",
    "worker_status": "Active"
  },
  "raw_metadata": {
    "platform_event_id": "wid-009012-disc-20260120",
    "employee_id": "EMP-009012",
    "worker_wid": "wid-009012",
    "event_type": "Disciplinary_Action_Issued",
    "event_state": "Completed",
    "effective_date": "2026-01-20",
    "completed_date": "2026-01-20T09:15:00.000Z",
    "initiated_by": "EMP-000150",
    "action_type": "Written Warning",
    "action_reason": "Policy Violation — Acceptable Use",
    "worker_type": "Employee",
    "worker_status": "Active",
    "hire_date": "2021-09-01",
    "job_family": "Marketing",
    "created_at": "2026-01-20T09:15:00.000Z",
    "source_platform": "workday"
  },
  "platform_event_id": "wid-009012-disc-20260120",
  "platform_event_source": "WORKDAY_HCM_API"
}

How This Feeds TOTAL

Persona Building

Workday is the authoritative source of organizational truth for TOTAL personas. HR events provide the context that makes all other signals meaningful:
  • Role context — A user’s job title, department, and job family determine what applications, data, and systems they should be accessing. Without this context, TOTAL cannot distinguish between normal access for a security engineer and anomalous access for a marketing manager.
  • Organizational graph — Manager relationships, department structures, and cost centers define peer groups. TOTAL uses peer group analysis to establish behavioral baselines — if everyone in Engineering-Security accesses the same set of tools, that’s normal. If one person suddenly accesses Finance tools, that’s anomalous.
  • Lifecycle transitions — When a user transfers departments, gets promoted, or goes on leave, their expected behavior changes. Workday events allow TOTAL to proactively adjust personas rather than generating false positives during legitimate role transitions.
  • Tenure and status — New hires, long-tenured employees, and contingent workers have different behavioral baselines. Workday provides the context to model these differences.

Anomaly Detection

TOTAL’s behavioral engine uses Workday events to detect:
  • Terminated employee access — continued system access after a termination event in Workday indicates a deprovisioning gap or compromised credentials
  • Pre-termination data exfiltration — when a termination event is initiated, TOTAL retroactively analyzes the user’s recent behavior for signs of data staging or exfiltration
  • Role transition abuse — access patterns that don’t align with a user’s new role after a transfer or promotion, indicating the user retained old access they should no longer have
  • Leave of absence anomalies — system activity during a leave of absence period, indicating potential account compromise
  • Organizational context for other signals — Workday context enriches every other signal source. An Okta authentication anomaly is more significant when TOTAL knows the user just transferred to a sensitive department
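
The terminated-employee and leave-of-absence checks from the list above, as an added Python example (not TOTAL's detection engine). The action strings, the activity record shape and all sample events are constructed assumptions; the HR events reuse the `timestamp`, `payload.user` and `payload.action` fields of the normalized events on this page.

```python
from bisect import bisect_right
from datetime import datetime

# Assumed action strings: business-process names in the page's payload style.
STATUS_AFTER = {
    "Hire": "active",
    "Termination": "terminated",
    "Rescind_Termination": "active",
    "Leave_of_Absence": "on_leave",
    "Return_from_Leave": "active",
}
FINDING = {"terminated": "terminated_employee_access",
           "on_leave": "leave_of_absence_activity"}


def ts(value):
    """Parse the page's timestamp format (ISO 8601 with a trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_timelines(hr_events):
    """Map user -> time-ordered [(timestamp, status)] from lifecycle events."""
    timelines = {}
    for ev in sorted(hr_events, key=lambda e: ts(e["timestamp"])):
        status = STATUS_AFTER.get(ev["payload"]["action"])
        if status:  # transfers, promotions etc. do not change account status
            timelines.setdefault(ev["payload"]["user"], []).append(
                (ts(ev["timestamp"]), status))
    return timelines


def detect(hr_events, activity):
    """Flag activity seen while the worker is terminated or on leave."""
    timelines = build_timelines(hr_events)
    findings = []
    for act in activity:
        timeline = timelines.get(act["user"], [])
        idx = bisect_right([t for t, _ in timeline], ts(act["timestamp"])) - 1
        status = timeline[idx][1] if idx >= 0 else "unknown"
        if status in FINDING:
            findings.append((act["user"], act["timestamp"], FINDING[status]))
    return findings


def hr(user, action, when):  # constructed HR event in the normalized shape
    return {"source": "WORKDAY", "timestamp": when,
            "payload": {"user": user, "action": action}}

# Constructed sample data: HR events arrive out of order on purpose.
HR_EVENTS = [
    hr("user-c@example.com", "Rescind_Termination", "2026-03-12T09:00:00.000Z"),
    hr("user-a@example.com", "Termination", "2026-03-20T17:00:00.000Z"),
    hr("user-b@example.com", "Leave_of_Absence", "2026-03-01T00:00:00.000Z"),
    hr("user-b@example.com", "Return_from_Leave", "2026-03-15T00:00:00.000Z"),
    hr("user-c@example.com", "Termination", "2026-03-10T12:00:00.000Z"),
]
ACTIVITY = [  # constructed sign-ins from another connector
    {"user": "user-a@example.com", "timestamp": "2026-03-20T16:00:00.000Z"},
    {"user": "user-a@example.com", "timestamp": "2026-03-21T02:14:00.000Z"},
    {"user": "user-b@example.com", "timestamp": "2026-03-07T11:00:00.000Z"},
    {"user": "user-b@example.com", "timestamp": "2026-03-16T09:00:00.000Z"},
    {"user": "user-c@example.com", "timestamp": "2026-03-11T08:00:00.000Z"},
    {"user": "user-c@example.com", "timestamp": "2026-03-13T08:00:00.000Z"},
]
```

Status is resolved from event timestamps rather than arrival order, so an HR event that is ingested late still flags earlier activity when the check is re-run, and a rescinded termination stops flagging from the rescission onward.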

Insider Threat Risk Correlation

HR friction events are among the strongest leading indicators of insider threat activity. TOTAL correlates these signals with digital behavior across all other connectors:
  • PIP + data access spike — a worker placed on a performance improvement plan who suddenly increases file downloads, SharePoint access, or email forwarding volume is exhibiting a classic pre-exfiltration pattern
  • Disciplinary action + off-hours activity — a worker who receives a written warning and begins accessing systems outside their normal working hours shows behavioral drift that warrants elevated monitoring
  • Negative performance review + communication pattern change — a worker who receives a poor review and shifts communication patterns, reduces collaboration, or increases external email volume signals potential flight risk
  • Compensation change + resignation indicators — a worker who is passed over for a raise or bonus and begins accessing job boards, updating LinkedIn, or downloading personal files may be preparing to leave — and potentially take data with them
  • Demotion + privilege retention — a worker who is demoted but retains elevated access from their previous role represents both a governance gap and a heightened insider risk
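
The first correlation in the list above (PIP + data access spike), as an added Python example (not TOTAL's scoring logic). The window lengths, spike ratio, minimum volume, the per-day download counts and every sample value are assumptions chosen for illustration; only the `event_type`, `timestamp` and `payload` fields come from the normalized events on this page.

```python
from datetime import date, timedelta
from statistics import mean

BASELINE_DAYS = 28     # assumed look-back before the HR event
WATCH_DAYS = 14        # assumed watch window starting on the event day
SPIKE_RATIO = 3.0      # assumed: flag when the daily mean at least triples
MIN_DAILY = 20         # assumed floor so small absolute volumes never flag


def daily_mean(counts, start, days):
    """Mean events per day over [start, start + days); missing days are 0."""
    return mean(counts.get(start + timedelta(d), 0) for d in range(days))


def correlate(hr_events, downloads):
    """downloads: {user: {date: file download count}} from other connectors."""
    findings = []
    for ev in hr_events:
        if ev["event_type"] != "HR_RISK":
            continue                     # only HR friction events open a window
        user = ev["payload"]["user"]
        day = date.fromisoformat(ev["timestamp"][:10])
        counts = downloads.get(user, {})
        before = daily_mean(counts, day - timedelta(BASELINE_DAYS), BASELINE_DAYS)
        after = daily_mean(counts, day, WATCH_DAYS)
        if after >= MIN_DAILY and after >= SPIKE_RATIO * max(before, 1.0):
            findings.append({"user": user, "trigger": ev["payload"]["action"],
                             "baseline_per_day": round(before, 1),
                             "watch_per_day": round(after, 1)})
    return findings


def series(start, days, per_day):
    """Constructed helper: the same count on each of `days` consecutive days."""
    return {start + timedelta(d): per_day for d in range(days)}


def event(event_type, user, action, when):
    return {"event_type": event_type, "timestamp": when,
            "payload": {"user": user, "action": action}}


# Constructed sample data (not real events or volumes).
EVENT_DAY = date(2026, 2, 10)
HR_EVENTS = [
    event("HR_RISK", "user-x@example.com",
          "Performance_Improvement_Plan_Initiated", "2026-02-10T14:30:00.000Z"),
    event("HR_RISK", "user-y@example.com",
          "Disciplinary_Action_Issued", "2026-02-10T09:15:00.000Z"),
    event("ADMIN", "user-x@example.com", "Transfer", "2026-02-10T00:00:00.000Z"),
]
DOWNLOADS = {
    "user-x@example.com": {**series(EVENT_DAY - timedelta(28), 28, 5),
                           **series(EVENT_DAY, 14, 40)},   # 5/day -> 40/day
    "user-y@example.com": {**series(EVENT_DAY - timedelta(28), 28, 30),
                           **series(EVENT_DAY, 14, 45)},   # 30/day -> 45/day
}
```

Comparing each worker against their own baseline keeps a heavy but steady downloader (user-y here) from being flagged just because an HR event occurred.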

Breach Lifecycle Coverage

Workday events provide cross-cutting context across all breach lifecycle stages. HR events don’t just describe organizational structure — they surface the human motivations and organizational pressures that precede insider threats. By combining lifecycle data (who someone is, what they do) with risk signals (PIPs, disciplinary actions, investigations, compensation changes), TOTAL builds personas that reflect both behavioral baselines and risk posture. This is the critical differentiator between a platform that detects anomalies and one that understands why someone might act.