errors / soap-web-services / invalid-request-isu-domain-permission

"Invalid Request" — ISU Missing Domain Permission

✓ Verified SOAP Web Services
The error SOAP-ENV:Client.validationError — Invalid request

What it means

Despite the unhelpful wording, this usually isn't a malformed request — it's a security problem. The Integration System User (ISU) calling the API doesn't have the domain security permission for the web service operation it's calling, so Workday rejects the request without explaining why.

Troubleshooting

  1. Identify which web service operation the call uses (e.g. Get_Workers belongs to the Worker Data domain family).
  2. Run View Security for Securable Item on the operation to see which domains secure it.
  3. Check the ISU's security group memberships and whether those groups have Get/Put access on the required domain in the relevant security policy.
  4. Remember to Activate Pending Security Policy Changes — a granted permission does nothing until activated.
  5. If the call works in one tenant but not another, compare the security configuration between tenants.
⚡ Quick fix

Grant the ISU's security group Get (or Put, for writes) access on the domain that secures the operation, activate pending security policy changes, and retry.

✓ Permanent fix

Maintain one security group per integration with documented domain grants, review grants as part of every new-operation rollout, and include a smoke-test call in the deployment checklist so permission gaps surface before go-live.

Related errors

SOAP Web Services Invalid ID Value for a Reference ID Type SOAP Web Services Validation Error — Required Element Missing in Request