Skip to main content

Netskope Help

Configure Workday for the Next Generation API Data Protection

To configure Workday for the Next Generation API Data Protection, follow the instructions below.

Enable User Activity Logging

This enables user activity to be recorded in the secured Workday database. To enable it, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Edit Tenant Setup -System, and click Edit Tenant Setup - System.

  3. Under User Activity Logging, check Enable User Activity Logging.

    Figure 30. Workday User Activity Logging
    Workday User Activity Logging


Register an API Client in Workday

To integrate Netskope with Workday, you should create a new API client in Workday. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Register API Client, and click Register API Client.

  3. On the Register API Client page, enter the following details:

    Note

    Only the mandatory fields (asterisk mark) should be configured. Rest of the fields can be left unchanged.

    Figure 31. Workday Register API Client Window
    Workday Register API Client Window


    1. Enter a Client Name.

    2. For Client Grant Type, select Authorization Code Grant.

    3. For Access Token Type, select Bearer.

    4. Set the Redirection URI to https://nso.goskope.com/common/oauthorize.

    5. Select the Non-Expiring Refresh Tokens checkbox.

    6. Under Scope (Functional Areas), select System.

    7. Click OK.

  4. Note down the values of the following fields. These values will be required when you set up the Workday instance in the Netskope UI.

    Figure 32. Workday Configured Values
    Workday Configured Values


    • Client ID

      Note

      Ensure that you do not use this client ID in any other 3rd party integration. The client ID should be used exclusively for Netskope integration.

    • Client Secret

      Note

      Client secret is visible as soon as you register the API client. Once you move away from the registration page, the client secret is not visible anymore. If you miss noting it down, you can generate a new client secret. To do so, search Generate New API Client Secret in the Workday search bar and follow the steps to create a new API client secret.

    • Workday REST API Endpoint

    • Token Endpoint

    • Authorization Endpoint

Configure Permissions for Authenticating Workday User

To configure a Workday user to authenticate the Next Generation API Data Protection, follow the steps below.

Create a User-based Security Group

This section explains how to create a new user-based security group. For more information on security groups, see Concept: Security Groups. You will need a community account to access the Workday documentation.

Important

If you already have an user-based security group, you can skip these steps.

To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Create Security Group, and click Create Security Group.

  3. On the Create Security Group pop-up window, enter the following details:

    Workday__Create-Security-Group.png
    • For Type of Tenant Security Group, select User-Based Security Group.

    • Enter the name of security group.

    Click OK.

  4. On the Edit User-Based Security Group window, do not make any changes and click OK, then Done.

    Workday__Edit-User-Based-Security-Group.png
Add Domain Security Policy to Security Group

This section explains how to add domain security policies and map it to the newly created user-based security group. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Maintain Permissions for Security Group, and click Maintain Permissions for Security Group.

  3. On the Maintain Permissions for Security Group pop-up window, enter the following details:

    Workday__Maintain-Permissions-for-Security-Group.png
    • Keep the Operation radio button set to Maintain.

    • In Source Security Group, select the newly created user-based security group.

    Click OK.

  4. On the Maintain Permissions for Security Group window, under the Domain Security Policy Permissions tab, click the + icon.

    Workday__Maintain-Permissions-for-Security-Group-Plus.png
  5. Enter the following details:

    Workday__Add-Domain-Security-Policy.png

    View/Modify Access

    Domain Security Policy

    View Only

    System Auditing

    Get Only

    Workday Account Monitoring

    Get Only

    Special OX Web Services

    View and Modify

    Workday Query Language

    View Only

    Workday Accounts

    View Only

    Worker Data: Business Assets

    Get Only

    Reports: Drive Admin

  6. Click OK, then Done.

Activate Pending Security Policy Changes

Once you have added the domain security policies, it's time to commit the pending security policy changes. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Activate Pending Security Policy Changes, and click Activate Pending Security Policy Changes.

  3. On the Activate Pending Security Policy Changes window, enter a comment and click OK.

    Workday__Activate-Policy.png
  4. Check Confirm and click OK.

    Workday_Confirm-Policy.png
  5. You should get an acknowledgment.

    Workday_View-Security-Timestamp.png
Assign Security Group to Authenticating Workday User

Once you have committed the pending domain security policies, you should assign the user-based security group to the Workday user who will authenticate Next Generation API Data Protection. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Assign User-Based Security Groups for Person, and click Assign User-Based Security Groups for Person.

  3. On the Assign User-Based Security Groups for Person pop-up window, select the user who will authenticate Next Generation API Data Protection.

    Workday__Assign-User-Based-Security-Groups.png

    Click OK.

  4. On the Assign User-Based Security Groups for Person window, select the user-based security group you created earlier.

    Workday__Assign-User-Based-Security-Groups-1.png

    Click OK, then Done.

Configure Workday Instance in Netskope UI

To authorize Netskope to access your Workday instance, follow the steps below:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS > Next Gen.

  2. Under Apps, select Workday and click Setup Workday Instance.

    The Setup Instance window opens.

  3. Enter the following details that you already noted after registering the API client in Workday:

    • Client ID

    • Client Secret

    • Authorization Endpoint

    • Token Endpoint

    • Workday REST API Endpoint

  4. Click Grant Access.

    You will be redirected to the Workday sign in page.

  5. Enter the Workday username and password. Click Sign In.

    Note

    The Workday user should be the same user to whom you have assigned the user-based security group in the previous procedure.

  6. After logging in, you will be redirected to the successful result page. Click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.