This question examines the limitations on assigning Integration System Users (ISUs) to integration systems in Workday Pro Integrations. Let’s analyze the relationship and evaluate each option to determine the correct answer.
Understanding ISUs and Integration Systems in Workday
Integration System User (ISU):An ISU is a specialized user account in Workday designed for integrations, functioning as a service account to authenticate and execute integration processes. ISUs are created using the "Create Integration System User" task and are typically configured with settings like disabling UI sessions and setting long session timeouts (e.g., 0 minutes) toprevent expiration during automated processes. ISUs are not human users but are instead programmatic accounts used for API calls, EIBs, Core Connectors, or other integration mechanisms.
Integration Systems:In Workday, an "integration system" refers to the configuration or setup of an integration, such as an External Integration Business (EIB), Core Connector, or custom integration via web services. Integration systems are defined to handle data exchange between Workday and external systems, and they require authentication, often via an ISU, to execute tasks like data retrieval, transformation, or posting.
Assigning ISUs to Integration Systems:ISUs are used to authenticate and authorize integration systems to interact with Workday. When configuring an integration system, you assign an ISU to provide the credentials needed for the integration to run. This assignment ensures that the integration can access Workday data and functionalities based on the security permissions granted to the ISU via its associated Integration System Security Group (ISSG).
Limitation on Assignment:Workday’s security model imposes restrictions to maintain control and auditability. Specifically, an ISU is designed to be tied to a single integration system to ensure clear accountability, prevent conflicts, and simplify security management. This limitation prevents an ISU from being reused across multiple unrelated integration systems, reducing the risk of unintended access or data leakage.
Evaluating Each Option
Let’s assess each option based on Workday’s integration and security practices:
Option A: An ISU can be assigned to five integration systems.
Analysis:This is incorrect. Workday does not impose a specific numerical limit like "five" for ISU assignments to integration systems. Instead, the limitation is more restrictive: an ISU is typically assigned to only one integration system to ensure focused security and accountability. Allowing an ISU to serve multiple systems could lead to confusion, overlapping permissions, or security risks, which Workday’s design avoids.
Why It Doesn’t Fit:There’s no documentation or standard practice in Workday Pro Integrations suggesting a limit of five integration systems per ISU. This option is arbitrary and inconsistent with Workday’s security model.
Option B: An ISU can be assigned to an unlimited number of integration systems.
Analysis:This is incorrect. Workday’s security best practices do not allow an ISU to be assigned to an unlimited number of integration systems. Allowing this would create security vulnerabilities, as an ISU’s permissions (via its ISSG) could be applied across multiple unrelated systems, potentially leading to unauthorized access or data conflicts. Workday enforces a one-to-one or tightly controlled relationship to maintain auditability and security.
Why It Doesn’t Fit:The principle of least privilege and clear accountability in Workday integrations requires limiting an ISU’s scope, not allowing unlimited assignments.
Option C: An ISU can be assigned to only one integration system.
Analysis:This is correct. In Workday, an ISU is typically assigned to a single integration system to ensure that its credentials and permissions are tightly scoped. This aligns with Workday’s security model, where ISUs are created for specific integration purposes (e.g., an EIB, Core Connector, or web service integration). When configuring an integration system, you specify the ISU in the integration setup (e.g., under "Integration System Attributes" or "Authentication" settings), and it is not reused across multiple systems to prevent conflicts or unintended access. This limitation ensures traceability and security, as the ISU’s actions can be audited within the context of that single integration.
Why It Fits:Workday documentation and best practices, including training materials and community forums, emphasize that ISUs are dedicated to specific integrations. For example, when creating an EIB or Core Connector, you assign an ISU, and it is not shared across other integrations unless explicitly reconfigured, which is rare and discouraged for security reasons.
Option D: An ISU can only be assigned to an ISSG and not an integration system.
Analysis:This is incorrect. While ISUs are indeed assigned to ISSGs to inherit security permissions (as established in Question 26), they are also assigned to integration systems toprovide authentication and authorization for executing integration tasks. The ISU’s role includes both: it belongs to an ISSG for permissions and is linked to an integration system for execution. Saying it can only be assigned to an ISSG and not an integration system misrepresents Workday’s design, as ISUs are explicitly configured in integration systems (e.g., EIB, Core Connector) to run processes.
Why It Doesn’t Fit:ISUs are integral to integration systems, providing credentials for API calls or data exchange. Excluding assignment to integration systems contradicts Workday’s integration framework.
Final Verification
The correct answer is Option C, as Workday limits an ISU to a single integration system to ensure security, accountability, and clarity in integration operations. This aligns with the principle of least privilege, where ISUs are scoped narrowly to avoid overexposure. For example, when setting up a Core Connector: Job Postings (as in Question 25), you assign an ISU specifically for that integration, not multiple ones, unless reconfiguring for a different purpose, which is atypical.
Supporting Documentation
The reasoning is based on Workday Pro Integrations security practices, including:
Tutorials on configuring EIBs, Core Connectors, and web services, which show assigning ISUs to specific integrations (e.g.,Workday Advanced Studio Tutorial).
Integration security overviews from implementation partners (e.g., NetIQ, Microsoft Learn, Reco.ai) emphasizing one ISU per integration for security.
Community discussions on Reddit and Workday forums reinforcing that ISUs are tied to single integrations for auditability (r/workday on Reddit).
Submit