Configure Workday for the Next Generation API Data Protection
To configure Workday for the Next Generation API Data Protection, follow the instructions below.
Enable User Activity Logging
This enables user activity to be recorded in the secured Workday database. To enable it, follow the steps below:
Log in to your Workday account.
On the search bar, search for edit tenant setup -system and click Edit Tenant Setup - System.
Under User Activity Logging, check Enable User Activity Logging.
Figure 27. Workday User Activity Logging
Register an API Client in Workday
To integrate Netskope with Workday, you should create a new API client in Workday. To do so, follow the steps below:
Log in to your Workday account.
On the search bar, search for Register API Client. and click Register API Client.
On the Register API Client page, enter the following details:
Note
Only the mandatory fields (asterisk mark) should be configured. Rest of the fields can be left unchanged.
Figure 28. Workday Register API Client WindowEnter a Client Name.
For Client Grant Type, select Authorization Code Grant.
For Access Token Type, select Bearer.
Set the Redirection URI to https://nso.goskope.com/common/oauthorize.
Select the Non-Expiring Refresh Tokens checkbox.
Under Scope (Functional Areas), select enough scopes to enable the activity logging API for this API Client.
Note
Choose enough scopes that cover the security groups with the following domain security policies:
System Auditing - View Only
Workday Account Monitoring – Get Only
Special OX Web Services – Get Only
Netskope recommends to contact your internal Workday support group to get this information.
Click OK.
Note down the values of the following fields. These values will be required when you set up the Workday instance in the Netskope UI.
Figure 29. Workday Configured ValuesClient ID
Note
Ensure that you do not use this client ID in any other 3rd party integration. The client ID should be used exclusively for Netskope integration.
Client Secret
Note
Client secret is visible as soon as you register the API client. Once you move away from the registration page, the client secret is not visible anymore. If you miss noting it down, you can generate a new client secret. To do so, search Generate New API Client Secret in the Workday search bar and follow the steps to create a new API client secret.
Authorization Endpoint
Token Endpoint
Workday REST API Endpoint
Configure Workday Instance in Netskope UI
To authorize Netskope to access your Workday instance, follow the steps below:
Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS > Next Gen.
Under Apps, select Workday and click Setup Workday Instance.
The Setup Instance window opens.
Enter the following details that you already noted after registering the API client in Workday:
Client ID
Client Secret
Authorization Endpoint
Token Endpoint
Workday REST API Endpoint
Click Grant Access.
You will be redirected to the Workday sign in page.
Enter the Workday username and password. Click Sign In.
Note
The user should have security groups with domain security policies of System Auditing - View Only, Workday Account Monitoring – Get Only, and Special OX Web Services – Get Only.
After logging in, you will be redirected to the successful result page. Click Close.
Refresh your browser, and you should see a green check icon next to the instance name.
In the current release, you can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.