Netskope Help

Configure Workday for the Next Generation API Data Protection

To configure Workday for the Next Generation API Data Protection, follow the instructions below.

Enable User Activity Logging

Enabling user activity logging records user activity in the secured Workday database. To enable it, follow the steps below:

  1. Log in to your Workday account.

  2. In the search bar, search for edit tenant setup - system and click Edit Tenant Setup - System.

  3. Under User Activity Logging, check Enable User Activity Logging.

    Figure 27. Workday User Activity Logging


Register an API Client in Workday

To integrate Netskope with Workday, you should create a new API client in Workday. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. In the search bar, search for Register API Client and click Register API Client.

  3. On the Register API Client page, enter the following details:

    Note

    Configure only the mandatory fields (marked with an asterisk). The rest of the fields can be left unchanged.

    Figure 28. Workday Register API Client Window


    1. Enter a Client Name.

    2. For Client Grant Type, select Authorization Code Grant.

    3. For Access Token Type, select Bearer.

    4. Set the Redirection URI to https://nso.goskope.com/common/oauthorize.

    5. Select the Non-Expiring Refresh Tokens checkbox.

    6. Under Scope (Functional Areas), select enough scopes to enable the activity logging API for this API Client.

      Note

      Choose enough scopes to cover the security groups with the following domain security policies:

      • System Auditing - View Only

      • Workday Account Monitoring – Get Only

      • Special OX Web Services – Get Only

      Netskope recommends contacting your internal Workday support group to get this information.

    7. Click OK.

  4. Note down the values of the following fields. These values will be required when you set up the Workday instance in the Netskope UI.

    Figure 29. Workday Configured Values


    • Client ID

      Note

      Ensure that you do not use this client ID in any other third-party integration. The client ID should be used exclusively for the Netskope integration.

    • Client Secret

      Note

      The client secret is visible as soon as you register the API client. Once you leave the registration page, the client secret is no longer visible. If you did not note it down, you can generate a new client secret. To do so, search for Generate New API Client Secret in the Workday search bar and follow the steps to create a new API client secret.

    • Authorization Endpoint

    • Token Endpoint

    • Workday REST API Endpoint
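
The check below is an added example, not part of the Netskope documentation or either vendor's code: it validates the values noted above before you enter them in the Netskope UI, and builds the generic RFC 6749 Authorization Code Grant request to show why the Redirection URI registered in Workday must match exactly. The field names, function names and sample endpoint values are assumptions constructed for illustration; they are not real Workday URL formats.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Redirection URI stated on this page; Workday must hold exactly this value.
NETSKOPE_REDIRECT_URI = "https://nso.goskope.com/common/oauthorize"
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "rest_api_endpoint")
# Constructed sample values (placeholders, not real Workday endpoints).
SAMPLE = {"client_id": "EXAMPLE_CLIENT_ID", "client_secret": "EXAMPLE_SECRET",
          "authorization_endpoint": "https://workday.example/tenant/authorize",
          "token_endpoint": "https://api.workday.example/oauth2/tenant/token",
          "rest_api_endpoint": "https://api.workday.example/api/v1/tenant",
          "redirect_uri": NETSKOPE_REDIRECT_URI}

def check_endpoint(name, url):
    """Return a list of problems found in one endpoint URL."""
    problems = []
    if url != url.strip():
        problems.append(f"{name}: leading or trailing whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append(f"{name}: scheme must be https")
    if not parts.hostname:
        problems.append(f"{name}: no host")
    if parts.username or parts.password:
        problems.append(f"{name}: credentials embedded in URL")
    if parts.fragment:
        problems.append(f"{name}: fragment not allowed")
    return problems

def check_values(values):
    """Validate the five noted values plus the registered Redirection URI."""
    problems = []
    for key in ("client_id", "client_secret"):
        value = values.get(key, "")
        if not value or value != value.strip():
            problems.append(f"{key}: empty or padded with whitespace")
    for key in ENDPOINT_FIELDS:
        problems += check_endpoint(key, values.get(key, ""))
    if values.get("redirect_uri") != NETSKOPE_REDIRECT_URI:
        problems.append("redirect_uri: must match the Netskope URI exactly")
    return problems

def authorization_request(values):
    """Build the RFC 6749 section 4.1.1 Authorization Code Grant request URL."""
    state = secrets.token_urlsafe(16)  # anti-CSRF value the client verifies on return
    query = urlencode({"response_type": "code", "client_id": values["client_id"],
                       "redirect_uri": values["redirect_uri"], "state": state})
    return f"{values['authorization_endpoint']}?{query}", state
```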

Configure Workday Instance in Netskope UI

To authorize Netskope to access your Workday instance, follow the steps below:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS > Next Gen.

  2. Under Apps, select Workday and click Setup Workday Instance.

    The Setup Instance window opens.

  3. Enter the following details that you already noted after registering the API client in Workday:

    • Client ID

    • Client Secret

    • Authorization Endpoint

    • Token Endpoint

    • Workday REST API Endpoint

  4. Click Grant Access.

    You will be redirected to the Workday sign-in page.

  5. Enter the Workday username and password. Click Sign In.

    Note

    The user should have security groups with domain security policies of System Auditing - View Only, Workday Account Monitoring – Get Only, and Special OX Web Services – Get Only.

  6. After logging in, you will be redirected to the successful result page. Click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

In the current release, you can receive audit events and standard user behavior analytic alerts in Skope IT. To learn more, see Next Generation API Data Protection Skope IT Events.