RemotePhoto for Workday Integration Guide

This document outlines the step-by-step configuration required in Workday to support the automated downloading of employee photos from RemotePhoto back into Workday.


📘 Business Context For a high-level overview of the integration's capabilities and business logic, please refer to RemotePhoto ID Photo Capture for Workday


Prerequisites: Workday administrator access with permission to create ISUs, security groups, update domain security policies, and activate pending security changes.


Workday Configuration

Create the Integration System User (ISU)

The integration requires a dedicated Workday ISU account to interact with Workday's public APIs.

  1. Search for and select the Create Integration System User task in the Workday search bar.

    Configure the account with the following parameters:

    • User Name: remotephoto_downloader  
    • New Password / New Password Verify: Enter a strong, randomly generated security password.
    • Do Not Allow UI Sessions: Check this box. Ensures the account is restricted strictly to programmatic API traffic and cannot log into the standard Workday user interface.
  2. Click OK, then click Done.

Create the Integration System Security Group (ISSG)

An unconstrained security group is required to house the ISU and attach the necessary security policy permissions.

  1. Search for and select the Create Security Group task.
  2. From the Type of Security Group dropdown, select Integration System Security Group (Unconstrained).
  3. Name the group: ISSG_RemotePhoto_Downloader .
  4. Click OK.
  5. In the Integration System Users field, search for and add the remotephoto_downloader  user.
  6. Click OK and Done.

Assign Domain Security Policy Permissions

To allow the integration to execute the necessary web services for updating profile photos, the ISSG must be granted explicit permissions inside the Personal Data functional area. We recommend assigning only the minimum required domain permissions described below.

  1. Search for and select the Maintain Permissions for Security Group task.

    Select your security group (ISSG_RemotePhoto_Downloader  ) and click OK.

  2. Under the Domain Security Policy Permissions section, add a new row:
    • Domain: Person Data: Personal Photo  
    • Access Rights Required: Check both Get and Put.
  3. Under the Domain Security Policy Permissions section, add a new row:
    • Domain: Worker Data: Current Staffing Information  
    • Access Rights Required: Check Get Only.
    • Note: this domain is required in order to send photos to workday prior to the start date of the employee.
  4. Click OK.

Activate Pending Security Policy Changes

Security modifications in Workday do not apply globally until they are explicitly deployed.

  1. Search for and select the Activate Pending Security Policy Changes task.

    In the Comment field, enter an audit log entry:

    • “Activating Person Data: Personal Photo (Put_Worker_Photo) and Worker Data: Current Staffing Information permissions for remotephoto_downloader integration.”
  2. Click OK.
  3. Review the summary of changes, check the Confirm box, and click OK to finalize the deployment.

Required Integration Info/Credentials

Securely provide the following to our implementation team (support@remotephoto.ai).

Important: Do not send passwords or secrets through standard email.


  • API URL

    • Description: The base URL where your Workday API is hosted (including the Top-Level Domain, with no trailing paths).

    • How to Find It: 1. Run the Public Web Services report in Workday.

      2. Click the Related Actions ellipsis for Human Resources (Public), then select

      Web Service —> View WSDL.

      3. Scroll to the very bottom of the XML file and locate the <soapbind:address>   tag.

      4. Copy only the base domain portion of the URL.

    • Example: https://impl-services1.wd12.myworkday.com  

      Tenant Name

    • Description: Your specific Workday tenant identifier.
    • How to Find It: Look at the same WSDL URL from the step above. The tenant name is the exact string located immediately after /service/  .

    • Example: If the URL is .../service/mycompany_impl/Human_Resources...  , your tenant name is mycompany_impl  .

      ISU Username

    • Description: The system account credential created specifically for this integration.

    • Required Value: remotephoto_downloader   (or your custom designated ISU name).

      ISU Password

    • Description: The secure, system-generated password assigned to the remotephoto_downloader   account.
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us