Workday Integration for Legal Holds

Avatar
[System] Everlaw Support

Everlaw’s Workday people directory integration for Legal Holds allows you to sync Workday employee data to Everlaw. Using this integration, you can create an organization-wide Everlaw legal hold directory that updates whenever it receives employee data from your Workday directory.

Everlaw directories integrated with Workday automatically sync updates at the cadence that has been set by the user on the Workday platform. This means that as long as the regular cadence established by the Workday admin is frequent (e.g. daily or weekly), changes made in Workday to custodian data will almost always be synced correctly in Everlaw. 

This configured synchronization eliminates the need for manual data entry and maintenance of custodian information in Everlaw. This saves significant time, reduces administrative burden, and minimizes the risk of human error associated with updating multiple systems. This is particularly useful for organizations with a large, and frequently changing pool of employees.

This article covers how to create and manage Workday integrated directories.

Note

Everlaw’s Legal Hold tool also supports Static directories and Microsoft Entra ID integrated directories. For more information visit. To learn more about these options, visit Legal Holds Directories.

Requirements

  • To configure or edit a Workday legal hold directory in Everlaw, you must be an Organization Admin

    Note

    Legal Holds Organization Admins can complete all steps to create a Workday directory in Everlaw except for creating the API key. A Legal Holds Organization Admin could create the directory and coordinate with an Organization Admin to have them create the API key.

  • To configure the integration from Workday, you must be a Workday Integration Administrator

    Note

    The Workday Integration Administrator is the minimum role required to set up this integration, but they may need to coordinate with a user in the organization who is a Security Administrator to ensure all security-related functions to the integration are able to be managed.

Set up your Workday directory integration

Everlaw’s Workday Directory integration requires setup in both Workday and Everlaw. The majority of the setup will take place in Workday. 

Step 1: Create a new directory in Everlaw 

Required permissions: Organization Admin 

Note

Legal Holds Organization Admins can complete all steps to create a Workday directory in Everlaw except for creating the API key (step 7). A Legal Holds Organization Admin could create the directory and coordinate with an Organization Admin to have them create the API key.

To create a Workday directory integration in Everlaw:

  1. Go to Organization home > Legal Holds > Directories.
  2. Select + New directory > Workday directory.

    This opens the New Workday directory wizard, which has three steps: Name, General settings, and Summary.
  3. In the Workday directory name field, enter a name for the directory. Then select Next to continue to the General settings step.
  4. Choose one of the following options from the Retain people removed from Workday field:

    • Retain all people (default): Retains a record of all people who have ever existed in the directory, regardless of if they are still included in incoming Workday directory reports

      Note

      We recommend setting the option to Retain all people because you may be sending partial updates on only the specific custodians that have changes/additions on Workday. If Retain only people on legal holds is selected, the other people in the Everlaw directory that may not be included in the incoming partial update but still meant to be retained, will be deleted.

    • Retain only people on legal holds: Does not retain people in Everlaw once they are no longer included in the incoming Workday directory report, unless they are included on any drafted, issued, or released hold notices or any data preservations.

  1. Select Next to continue to the Summary step.
  2. Review the summary provided and select Create Workday directory.
    The directory appears on the page.

  3. To complete the integration setup in Workday, you will need two values from this Workday integration page: the target HTTP address, which is automatically provided, and an API key, which you can generate now by selecting + Create API key.

    Important

    API keys are not visible after their initial creation. When you create the key, copy and paste it in a secure location. You can also wait to generate it until you are ready to use it.

Steps 2-8: Set up the directory integration from Workday

Required permissions: The minimum role required to set up this integration in Workday is the Workday Integration Administrator. However, you may also need to coordinate with an organization Security Administrator to ensure all security-related functions to the integration are able to be managed.

Note

The steps below are performed outside of the Everlaw platform. We cannot guarantee that the Workday interface details (terms, field names) will be perfectly up-to-date, as the Workday platform may change without our immediate knowledge. If you experience any confusion or see unexpected settings, please don’t hesitate to contact Everlaw Support.

Step 2: Create an Integration System User (ISU)

Before you create a report in Workday, you should create an ISU to own the report. There are two reasons to do this:

  • ISUs don’t leave the organization and their permissions remain stable, unlike human users who may leave the organization and possibly break the integration of any reports they own. 
  • You can constrain the permissions for the ISU to access only the data that is absolutely necessary for the integration, rather than having it associated with an individual user’s permissions.

In Workday, use a Create Integration System User task to create your ISU. You will need to enter a username and password (you will not need the password again). All other fields can be left as their defaults.

Step 3: Create a Custom Security Group for your ISU.

Next, you need to create a custom Security Group for your ISU. The Security Group should have the following parameters:

  • Type of Tenanted Security Group should be set to Integration System Security Group (Unconstrained)
  • Integrated System User should be the ISU you just created

Step 4: Create a custom report

Once you’ve created an ISU and a Security Group for it, you are ready to prepare a Workday custom report to be exported to Everlaw. This translates your Workday employee (Worker) data into a format that Everlaw can ingest.

Important

Workday tenants support custom configuration, and the specific fields you have on your Workday Worker objects may differ from the defaults. The instructions below are based on the out-of-the-box Workday tenant.

To prepare the report:

  1. Create calculated fields for employees’ start and end dates and their manager’s email. The fields you create should use the following input:
    • Manager Email:
      1. Field Name: CF_Manager_Email
      2. Business Object: Worker
      3. Function: Lookup Related Value
      4. Lookup Field: Manager - Level 01
      5. Return Value: Email - Work
    • Hire Date:
      1. Field Name: CF_Everlaw_Formatted_Hire_Date
      2. Business Object: Worker
      3. Function: Format Date
      4. Format: Format Mask
      5. Format Mask: yyyy-MM-dd
    • Termination Date:
      1. Field Name: CF_Everlaw_Formatted_Termination_Date
      2. Business Object: Worker
      3. Function: Format Date
      4. Format: Format Mask
      5. Format Mask: yyyy-MM-dd
  2. Create the report using the following settings:
    • Enable as web service: on
    • Optimized for Performance: off
    • Data Source set to Indexed All Workers
  3. Once your report exists, you need to identify which columns to include in it. To do this, add the following values to the report table:

Important

Ensure that each field value matches the ones shown below, particularly for the Column Heading Override columns, as those are the Everlaw fields that the report is mapping to. If a value in the table does not match exactly to the name of the field on Everlaw, it could cause the integration to error or fail when you later run the report.

Business Object Field Column Heading Override Column Heading Override XML Alias
Worker Email - Primary Work email email
Worker Phone - Primary Work business_phone business_phone
Worker Company - Name company_name company_name
Worker CF_Everlaw_Formatted_Hire_Date employee_start_date employee_start_date
Worker First Name first_name first_name
Worker Middle Name middle_name middle_name
Worker Last Name last_name last_name
Worker CF_Everlaw_Formatted_Termination_Date employee_end_date employee_end_date
Worker Manager Preferred Name in General Display Format manager_name manager_name
Worker CF_Manager_Email manager_email manager_email
Worker Mobile Phone Number mobile_phone mobile_phone
Worker Role Name role role
Worker Employee Type employee_type employee_type
Worker Job Family department department
Worker Work Address - Full office_location office_location
Worker Emails other_emails other_emails
Worker Preferred Language preferred_language preferred_language
Worker Workday ID workday_id workday_id

Step 5: [Optional] Create a custom Security Group to withhold select custodians

Due to privacy concerns, or other reasons, you may want to withhold certain employees from being exported to Everlaw. To prevent certain employees from being included in the report, you can create a custom Security Group, and then a custom filter based on that Security Group.

To do this:

  1. Create a new custom Security Group with the following parameters:
    • Type of Tenanted Security Group set to User-Based Security Group.

    • Administered by Security Groups set to Integration Administrator

      Note

      We recommend using the Integration Administrator security group. However, for organization-specific security purposes, some teams prefer to instead create a custom group assigned only to administrators that can modify who gets exported to Everlaw.

  2. Assign users to your new user-based Security Group.
  3. Return to your custom report and apply a new filter with the following values:
    • And/Or set to And
    • Field set to User-Based Security Groups for User
    • Operator set to superset of the selection list
    • Comparison Type set to Value specified in this filter
    • Comparison Value set to the name of the security group you just created

Note

If you have a relatively small list of employees who you actively want to exclude from the exported report, you may prefer to make a Security Group of those employees and configure the filter to exclude, rather than include them. To do this, follow the steps above, but replace the employees with those you want to exclude, and set the Operator to NOT superset of the selection list.

Step 6: Configure ISU security permissions and ownership of the report

Before you export the report to Everlaw, you must assign your ISU ownership of the report by granting it sufficient security permissions on each of the fields to be outputted in the report. Granting permissions on each field allows you to keep your security affordances as constrained as possible. 

To do this:

  1. For every custodian field in the report, open the security details (the View Security for Securable Item page for that field) and enter the name of the Security Policy (e.g. for the Email - Primary Work field, the Security Policy is Person Data: Work Email). 
  2. Return to the Security Group you created in Step 3, and open the domain permission settings (using the three-dot action menu for the Group, select Security Group > Maintain Domain Permissions for Security Group).
  3. Update the Domain Security Policies, as follows:
    1. Add each Security Policy that you just recorded to the following permissions:
      • Domain Security Policies permitting View access and Indexed Data Source: Workers under Report/Task Permissions
      • Domain Security Policies permitting Get access under Integration Permissions
    2. Add Custom Report Creation and Integration Event to Domain Security Policies permitting Modify access under Report/Task Permissions. 
  4. Use the Activate Pending Security Policy task to enact your previous permission changes.
  5. Return to your report.
  6. Change the Report Definition Sharing Options setting to Share with specific authorized groups and users and add yourself and the ISU you created in Step 2 as authorized users. 
  7. Use the Transfer ownership of custom reports action (from the report’s three-dot action menu) to transfer ownership of the report to your ISU. 

Step 7: Export the report from Workday to Everlaw

Now that the report is constructed, your security measures are in place, and a placeholder directory exists in Everlaw, you can export the report from Workday to Everlaw. To do this:

  1. Open a Create EIB task to begin creating an Enterprise Interface Builder (EIB). It must:
    • Point to your custom report
    • Be an outbound integration
    • Have the Alternate Export Format set to CSV
    • Have the Delivery method set to HTTP/SSL
    • Have the HTTP Address set to the Target HTTP Address you got from Everlaw when creating your Everlaw directory.
    • Have the Web Service Integration Type set to Basic Auth
    • Use your Everlaw API key (also generated when you set up your Everlaw directory), as the Password.

  2. Launch the EIB. At this point, your data will begin populating in Everlaw. You can track the status from Workday.

    Note

    This only sends the report to Everlaw when manually run. To keep the data up-to-date in Everlaw, you must schedule a report export (see next step).

Step 8: Schedule report exporting

While you may choose to manually launch your report every time you want to update your Workday employee data in Everlaw, we recommend setting up one or more schedules to automate this process, simplifying your workflow long term. 

  1. Set your EIB’s run schedule. We recommend scheduling it to sync on a weekly occurrence.

  2. To keep your data in Everlaw as up-to-date as possible without running the full report more than once weekly, and to make your data syncs more efficient, we highly recommend creating an abbreviated report for daily updates. Your new report will filter to only include custodians with changes. 
    To do this:

    1. This requires creating additional custom fields, as laid out previously, for the following fields:
      • Email-primary work
      • Phone-primary work 
      • Company-name 
      • Manager preferred name in general display format
      • CF_manager_Email
      • Mobile phone number 
      • Role name
      • Employee type
      • Job family
      • Work address- full
      • Emails
      • Preferred language
      • First name
      • Middle name
      • Last name

    To do this, for each field:

    a. Create a calculated field that looks up the field.
    Example field values:

    Name CF - manager preferred name as of yesterday
    Business Object Worker
    Function Lookup Value As Of Date
    Source Field Manager Preferred Name
    Effective Date Yesterday
    Entry Date Yesterday

    b. Create another custom field that looks up if the field changed.
    Example field values:

    Name CF - manager preferred name - CSY
    Business Object Worker
    Function True/False Condition
    Field CF - manager preferred name as of yesterday
    Operator Not equal to
    Comparison Type Value specified in this filter
    Comparison Value Manager preferred name
  1. You’ll also need to create some calculated fields to check for workers that have been hired or terminated today. For the Fields Hire Date and Termination Date created calculated fields like this:
Name CF - hire date is today
Business Object Worker
Function True/False Condition
Field Hire Date
Operator Equal to
Comparison Type Value specified in this filter
Comparison Value Today
  1. Open your original report, and make a copy of it.
  2. In the copy, create a filter field for each field, like so:
And/Or And
Field CF - manager preferred name - CSY
Operator Equal to
Comparison Type Value specified in this filter

Important

Ensure that these filters interact correctly with the original, non-null email filter. You need to use parenthesis to allow the boolean to calculate correctly. Without parentheses, we could be pulling all the workers with non-null emails and all the workers with the filters by accident.

  1. Make a new EIB, like you did in the previous step, using this report.
  2. Create a new schedule with the run frequency set to daily instead of weekly.

Manage your integrated Workday directory

Once the directory has been created, you can find it on the Organization homeLegal Holds > Directories page. The time since it was last synced is listed next to the directory type.

To view the directory information select View.

This opens the full page for that directory.

Important

Your Workday integrated directory people data only updates if/when a scheduled export is run from Workday. This is controlled completely on the Workday side of the integration. You may schedule multiple export cadences.

To see precisely when your directory was last synced with Workday, select the three-dot menu on the individual directory’s page. The date and time of the last sync is listed under STATUS.

From this three-dot menu, you can also:

  • View or edit your directory settings

  • Delete your directory, severing the connection completely

    Note

    If you do this, we also recommend canceling the associated integration schedules in Workday.

  • Manage people with duplicate emails

Cancel integration schedules

When a directory is no longer needed in Everlaw, we recommend deleting the scheduled exports to eliminate unnecessary API calls. This is done by deleting all scheduled future processes for the integration. No action is required in Everlaw.

When you delete the schedule from Workday, the Everlaw directory will remain available for any future exports.

Was this article helpful?
0 out of 0 found this helpful

Do you have feedback about this article? Let us know