Skip to main content

Netskope Help

Configure Workday Instance for Security Posture

The installation instructions describe how to integrate your Workday account with Netskope. To configure Workday for Netskope SSPM, you need to authorize Netskope as a web application client to access your Workday account. To configure Workday for Netskope SSPM, there are two parts to this procedure:

  • Register API Client in Workday

  • Configure a Workday Instance in the Netskope UI

Register API Client in Workday

To integrate Netskope with Workday, you should create a new API client in Workday. To do so, follow the procedure below.

  1. Log in to your Workday account as a non-SSO administrator.

  2. On the search bar, search for Register API Client.

  3. On the Register API Client page, enter the following details:


    Only the mandatory fields (asterisk mark) should be configured. Rest of the fields should not be configured.

    1. Enter a Client Name.

    2. For Client Grant Type, select Authorization Code Grant.

    3. For Access Token Type, select Bearer.

    4. Set the Redirection URI to

    5. Select the Non-Expiring Refresh Tokens checkbox. This is important to get audit event notifications from Workday.

    6. Under Scope (Functional Areas), select Integration, Organization and Roles, Staffing, and System.

    7. Click OK.

  4. Note down the values of the following fields. These values will be required when you set up the Workday instance in the Netskope UI.

    • Client ID


      Ensure that you do not use this client ID in any other 3rd party integration. The client ID should be used exclusively for Netskope integration.

    • Client Secret


      Client secret is visible as soon as you register the API client. Once you move away from the registration page, the client secret is not visible anymore. If you miss noting it down, you can generate a new client secret. To do so, search Generate New API Client Secret in the Workday search bar and follow the steps to create a new API client secret.

    • Workday REST API Endpoint

    • Token Endpoint

    • Authorization Endpoint

Configure a Workday Instance in the Netskope UI

To authorize Netskope to access your Workday instance:

  1. Log in to the Netskope tenant and go to Settings > API-enabled Protection > SaaS > Classic.

  2. Select the Workday icon, and then click Setup Instance.

  3. The Setup Instance window opens. Enter the following details:

    • Instance Name: Enter the name of the Workday account without spaces.

    • Instance Type: Select the Security Posture checkbox. Select this option to allow Netskope to continuously scan through your SaaS app to identify and remediate risky SaaS app misconfigurations and align security posture with best practices and compliance standards.

      Also, you have the option to run the policy at intervals (15 minutes, 30 minutes, 45 minutes, and 60 minutes).


      See note at the bottom.

    • Then, enter the following details that you already noted after registering the API client in Workday:

      • Client ID

      • Client Secret

      • Authorization Endpoint

      • Token Endpoint

      • Rest API Endpoint

  4. Click Save, then click Grant Access for the app instance you just created. You will be prompted to log in with your admin username and password, and then authorize Workday by clicking Allow. On successful confirmation, click Close.

Refresh your browser, and you should see a green check icon next to the instance name.


There is a known issue where post grant the scan interval gets reset to 60 minutes. To resolve this issue, after granting access, click the instance name, select the appropriate scan interval and save the instance.

Next, you should configure a security posture policy. To do so, see Security Posture Policy Wizard.