
Netskope Help

Configure Workday for the Next Generation API Data Protection

To configure Workday for the Next Generation API Data Protection, follow the instructions below.

Enable User Activity Logging

This enables user activity to be recorded in the secured Workday database. To enable it, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Edit Tenant Setup - System, and click Edit Tenant Setup - System.

  3. Under User Activity Logging, check Enable User Activity Logging.

    Figure 28. Workday User Activity Logging


Register an API Client in Workday

To integrate Netskope with Workday, you should create a new API client in Workday. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Register API Client, and click Register API Client.

  3. On the Register API Client page, enter the following details:

    Note

    Only the mandatory fields (marked with an asterisk) should be configured. The rest of the fields can be left unchanged.

    Figure 29. Workday Register API Client Window


    1. Enter a Client Name.

    2. For Client Grant Type, select Authorization Code Grant.

    3. For Access Token Type, select Bearer.

    4. Set the Redirection URI to https://nso.goskope.com/common/oauthorize.

    5. Select the Non-Expiring Refresh Tokens checkbox.

    6. Under Scope (Functional Areas), select System.

    7. Click OK.

  4. Note down the values of the following fields. These values will be required when you set up the Workday instance in the Netskope UI.

    Figure 30. Workday Configured Values


    • Client ID

      Note

      Ensure that you do not use this client ID in any other third-party integration. The client ID should be used exclusively for the Netskope integration.

    • Client Secret

      Note

      The client secret is visible as soon as you register the API client. Once you move away from the registration page, the client secret is no longer visible. If you did not note it down, you can generate a new client secret. To do so, search for Generate New API Client Secret in the Workday search bar and follow the steps to create a new API client secret.

    • Workday REST API Endpoint

    • Token Endpoint

    • Authorization Endpoint

Create an Integration System User

Important

If you already have an integration system user, you can skip these steps.

Netskope integration with Workday requires an integration system user. To create one, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Create Integration System User, and click Create Integration System User.

  3. On the Create Integration System User pop-up window, enter the following details:

    • Enter the User Name of the integration system user.

    • Enter the New Password and New Password Verify.

  4. Click OK, then Done.

Configure Permissions for Integration System User

To configure an integration system user to authenticate the Next Generation API Data Protection, follow the steps below.

Create an Integration System Security Group

This section explains how to create a new integration system security group and assign it to the integration system user. For more information on security groups, see Concept: Security Groups. You will need a community account to access the Workday documentation.

Important

If you already have an integration system security group, edit the security group and assign the integration system user you created in the previous step.

To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Create Security Group, and click Create Security Group.

  3. On the Create Security Group pop-up window, enter the following details:

    • For Type of Tenant Security Group, select Integration System Security Group (Unconstrained).

    • Enter the name of the security group.

    Click OK.

  4. On the Edit Integration System Security Group (Unconstrained) window, enter the following details:

    • For Integration System Users, select the integration system user you created earlier. This will be the user who will authenticate the Next Generation API Data Protection.

  5. Click OK, then Done.

Add Domain Security Policy to Security Group

This section explains how to add domain security policies and map them to the newly created integration system security group. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Maintain Permissions for Security Group, and click Maintain Permissions for Security Group.

  3. On the Maintain Permissions for Security Group pop-up window, enter the following details:

    • Keep the Operation radio button set to Maintain.

    • In Source Security Group, select the newly created integration system security group.

    Click OK.

  4. On the Maintain Permissions for Security Group window, under the Domain Security Policy Permissions tab, click the + icon.

  5. Enter the following details:


    View/Modify Access    Domain Security Policy
    View Only             System Auditing
    Get Only              Workday Account Monitoring
    Get Only              Special OX Web Services
    View and Modify       Workday Query Language
    View Only             Workday Accounts
    Get Only              Reports: Drive Admin
    View Only             Worker Data: Active and Terminated Workers
    View Only             Worker Data: Current Staffing Information

  6. Click OK, then Done.
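
The permission table in step 5 is the baseline for what the integration system security group should hold. As an added example (not Netskope or Workday code), this Python check compares an exported permission list against that table and reports missing, differing and undocumented grants; the CSV layout, column names and sample rows are constructed assumptions, not a Workday export format.

```python
import csv
import io

# Access levels from the table in step 5, keyed by domain security policy.
DOCUMENTED = {
    "System Auditing": "View Only",
    "Workday Account Monitoring": "Get Only",
    "Special OX Web Services": "Get Only",
    "Workday Query Language": "View and Modify",
    "Workday Accounts": "View Only",
    "Reports: Drive Admin": "Get Only",
    "Worker Data: Active and Terminated Workers": "View Only",
    "Worker Data: Current Staffing Information": "View Only",
}

# Constructed sample export (hypothetical columns), not real tenant data.
SAMPLE_EXPORT = """\
policy,access
System Auditing,View Only
Workday Account Monitoring,Get Only
Special OX Web Services,Get Only
Workday Query Language,View and Modify
Workday Accounts,View and Modify
Reports: Drive Admin,Get Only
Worker Data: Active and Terminated Workers,View Only
Example Extra Policy (constructed),Get and Put
"""

def audit_permissions(export_text, documented=DOCUMENTED):
    """Return (finding, policy, access) tuples for drift from the baseline."""
    granted = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        granted.setdefault(row["policy"].strip(), set()).add(row["access"].strip())
    findings = []
    for policy, access in documented.items():
        have = granted.get(policy, set())
        if not have:
            findings.append(("missing", policy, access))
        for extra in sorted(have - {access}):
            findings.append(("access_differs", policy, extra))
    # Anything granted that the table does not list widens the integration's reach.
    for policy in sorted(set(granted) - set(documented)):
        for access in sorted(granted[policy]):
            findings.append(("undocumented", policy, access))
    return findings

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_EXPORT):
        print(finding)
```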

Activate Pending Security Policy Changes

Once you have added the domain security policies, it's time to commit the pending security policy changes. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Activate Pending Security Policy Changes, and click Activate Pending Security Policy Changes.

  3. On the Activate Pending Security Policy Changes window, enter a comment and click OK.

  4. Check Confirm and click OK.

  5. You should get an acknowledgment.

Add Integration System User to Implementers Security Group

Once you have committed the pending domain security policies, add the integration system user to the implementers security group. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Maintain Implementers and click Maintain Implementers.

  3. Select the integration system user you created earlier.

  4. Click OK, then Done.

Configure Workday Instance in Netskope UI

To authorize Netskope to access your Workday instance, follow the steps below:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS > Next Gen.

  2. Under Apps, select Workday and click Setup Workday Instance.

    The Setup Instance window opens.

  3. Enter the following details that you already noted after registering the API client in Workday:

    • Client ID

    • Client Secret

    • Authorization Endpoint

    • Token Endpoint

    • Workday REST API Endpoint

  4. Click Grant Access.

    You will be redirected to the Workday sign in page.

  5. Enter the integration system username and password. Click Sign In.

    Note

    The integration system user should be the same user to whom you have assigned the integration system security group in the earlier procedure.

  6. After logging in, you will be redirected to the successful result page. Click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To learn more, see Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.