Configure Workday Instance for SaaS Security Posture Management

Configure Workday Instance for SaaS Security Posture Management

The installation instructions describe how to integrate your Workday account with Netskope. To configure Workday for SaaS Security Posture Management, you need to authorize Netskope as a web application client to access your Workday account. To configure Workday for SaaS Security Posture Management, follow the instructions.

Create an Integration System User

Netskope integration with Workday requires an integration system user. If you already have created one, you can skip these steps. Follow the steps to create a integration system user:

  1. Log in to your Workday account.

  2. On the search bar, search for Create Integration System User, and click Create Integration System User.

  3. On the Create Integration System User pop-up window, enter the following details:

    • Enter the User Name of the integration system user.

    • Enter the New Password and New Password Verify.

    • Click Do Not Allow UI Sessions checkbox.

  4. Click OK, then Done.

Configure Permissions for Integration System User

To configure an integration system user in order to authenticate the SaaS Security Posture Management, follow the steps below.

Create an Integration System Security Group

This section explains how to create a new integration system security group and assign it to the integration system user. For more information on security groups, see Workday article on Security Groups.

If you already have an integration system security group, edit the existing security group and assign an integration system user you created in the previous step.
  1. Log in to your Workday account.

  2. On the search bar, search for Create Security Group, and click Create Security Group.

  3. On the Create Security Group pop-up window, enter the following details and click Ok.

    • For Type of Tenant Security Group, select Integration System Security Group (Unconstrained).

    • Enter the name of the security group.

  4. On the Edit Integration System Security Group (Unconstrained) window, enter the following details:

    • For Integration System Users, select the integration system user you created earlier. This will be the user who will authenticate the SaaS Security Posture Management.

  5. Click Ok and then Done.

Add Domain Security Policy to Security Group

This section explains how to add domain security policies and map it to the newly created integration system security group.

  1. Log in to your Workday account.

  2. On the search bar, search for Maintain Permissions for Security Group, and click Maintain Permissions for Security Group.

  3. On the Maintain Permissions for Security Group pop-up window, enter the following details and click Ok.

    • Select Operation as Maintain.

    • In Source Security Group, select the newly created integration system security group.

  4. On the Maintain Permissions for Security Group window, under the Domain Security Policy Permissions tab, click the + icon.

  5. Enter the following details:

    View/Modify AccessDomain Security PolicyDescriptionPurposeTrade-off if not allowed

    Get Only

    Manage: Organization Integration

    This domain provides access to the organization.

    Gets organization details with all organization types for example: company, cost center, custom, matrix, pay group, region, retiree, supervisory, company hierarchy, cost center hierarchy, location hierarchy, region hierarchy.

    The Netskope SSPM asset fetching and evaluation process will fail due to non-accessibility of data.

    Get Only

    User-Based Security Group Administration

    This domain controls which groups can edit any user-based security group.

    Retrieves Workday account and it's assigned user-based security groups.

    View and Modify

    Workday Query Language

    This domain grants access to Workday Query Language (WQL). Users can execute REST calls using the WQL API to extract data from Workday data sources and view associated performance log information.

    Netskope makes WQL API calls to get data.

    View Only

    Workday Accounts

    This domain provides access to the management of Workday accounts.

    Gets Workday accounts for a user.

    Get Only

    Special OX Web Services

    This is a special domain that includes all web services required to migrate objects using Object Transporter (OX). Access to items secured to this domain only occurs while using OX.

    Retrieves data related to Workday accounts associated with an integration system, and view group share configurations in tenant setup.

    Get Only

    Integration Security

    This domain provides access to creation of system users and Workday accounts for integration systems.

    Retrieves data related to Workday accounts associated with an integration system.

    Get Only

    Drive Web Services

    This domain provides access to web service tasks for Drive items, such as viewing all user items, creating new items for users, and removing data for users.

    Retrieves data for group share configurations in tenant setup.

    View Only

    Security Configuration

    This domain provides access to security configuration including functional areas, security groups, domain security policies and business process security policies. It also includes reports to analyze and review the current security configuration.

    Get Workday account details of a user.

    View Only

    Security Administration

    This domain provides access to security administration tasks such as maintaining password rules, user name rules, tenant challenge questions, setting security proxies, etc. It also includes reports for security reviews.

    View Only

    Security Activation

    This domain secures tasks for activating security policies. By having the activation to its own domain, customers can choose to implement segregation of duties, where one group of users has access to maintain policies and a separate group of users has access to activate the pending changes. This effectively introduces an "approval" into the process.

    Note

    On adding this domain security policy, following child polices get added too:

    • Lock Out Workday Accounts

    • Set Up: Public Profile

    • Set Up: Security Rules

    • Manage Authorized Applications

    View Only

    Purge Person Data

    This domain provides access to run purges of privacy-regulated data for all persons returned by the report selected.

    Note

    On adding this domain security policy, Purge Single Entity Data child policy gets added too.

    View Only

    Integration Reports

    This domain provides access to reports on Integration Events and Messages

    Retrieves data related to Integration System

    View Only

    Integrations: EIBs

    This domain provides access to view EIB integration templates

    Retrieves data related to Integration System

    View Only

    Drive Administrator

    This domain provides access to audit-related tasks for Drive items, such as viewing all user items, transferring ownership, and removing sharing data for terminated or inactive accounts

    Retrieves data related to Domain

    View Only

    Business Process Administration

    This domain provides access to Business Process Definitions and all related functionality such as Checklists, Notifications, Conditions Rules, etc

    Retrieves data related to Business Process Type

    Get Only

    Integration Configure

    This domain provides access to configure integration systems once they have been created and defined.

    Retrieves web service security configuration data for integration system user.

  6. Click OK, then Done.

Update permissions for Security Group in Workday

Follow the steps to update permissions for Security Group:

  • On the search bar, search for Maintain Permissions for Security Group, and click Maintain Permissions for Security Group.

  • On the Maintain Permissions for Security Group pop-up window, set Operation as Maintain and select the Source Security Group.

  • Under the Domain Security Policy Permissions tab, click the + icon and update the domain security policies.

  • Follow Activate Pending Security Policy Changes steps to activate the security policy changes.

Activate Pending Security Policy Changes

Once you have added the domain security policies, it’s time to commit the pending security policy changes. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Activate Pending Security Policy Changes, and click Activate Pending Security Policy Changes.

  3. On the Activate Pending Security Policy Changes window, enter a comment and click Ok.

  4. Check Confirm and click OK.

    Here you may notice the number of domain security policies are more than you added in this procedure, this is because of the child policies to the domain security policies.
  5. Receive an acknowledgement.

Register an API Client for Integrations in Workday

To integrate Netskope with Workday, you need to create a new API client in Workday. To do so, follow the steps below:

  1. Log in to your Workday account.

  2. On the search bar, search for Register API Client for Integrations, and click Register API Client for Integrations.

  3. On the Register API Client for Integrations pop up window, enter the following details and click OK:

    • Enter a Client Name.

    • Select the Non-Expiring Refresh Tokens checkbox.

    • Under Scope (Functional Areas), select Integration, Organization and Roles, Implementation, and System.

      Update API Client scopes in Workday

      Follow the steps to update API Client scopes:

      • On the search bar, search for View API Clients, and click View API Clients.

      • On the View API Clients page, click API Clients for Integrations tab and select the API Client for Integration which you created for Netskope Integration.

      • Click the three dots and then hover over API Client and Select Edit API Client for Integration.

      • Add required scopes (Functional Areas) to the API Client for Integration.

      • Click Ok and Done to confirm the update of API Client.

  4. Note down the values of the following fields. These values will be required when you set up the Workday instance in the Netskope UI.

    • Client ID

      Do not use the Client ID in any other 3rd party integration. The client ID should be used exclusively for Netskope integration.
    • Client Secret – Client Secret value is visible as soon as you register the API client. Once you move away from the registration page, the Client Secret value is not visible.

      Generate a new Client Secret value in Workday

      Search Generate New API Client Secret in the Workday search bar and follow the instructions on the screen to create a new API Client Secret.

  5. On the same page, click the Settings icon -> API Client -> Manage Refresh Tokens for Integrations.

  6. Select the Workday Account you created in the Create an Integration System User step used to authenticate the Netskope service and click OK.

  7. Check Generate New Refresh Token and click OK.

  8. Note down the value of Refresh Token. The value will be required when you set up the Workday instance in the Netskope UI.

  9. On the search bar, search for View API Clients, and click View API Clients.

  10. On the View API Clients page, note down the values of the Workday REST API Endpoint and Token Endpoint fields. These values will be required when you set up the Workday instance in the Netskope UI.

Configure a Workday Instance in the Netskope UI

To authorize Netskope to access your Workday instance:

  1. Log in to the Netskope tenant and go to Settings > Configure App Access > Next Gen > Security Posture.
  2. In the Applications list, select Workday and click the Setup Security Posture Instance button.
  3. The Setup Instance window opens. Enter the following details you noted down when registering the API client for Integration in Workday:
      • Client ID
      • Client Secret
      • Refresh Token
      • Token Endpoint
      • Workday Rest API Endpoint
      • Administrator Email
      • Security Scan Interval – Frequency of security posture scans between 15/30/45/60 minutes
      • Instance Name – Enter the name of the Workday tenant without spaces
    • Click Grant Access.

    Refresh your browser, and you should see a green check icon next to the instance name.

    Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.

    Share this Doc

    Configure Workday Instance for SaaS Security Posture Management

    Or copy link

    In this topic ...