Configure Workday for the Next Generation API Data Protection

To configure Workday for the Next Generation API Data Protection, follow the instructions below.

If you have guest or external users in your SaaS environment belonging to domains considered internal, you must set the appropriate internal domains for Netskope to classify exposure accurately. To set up internal domains, follow this article.

Enable User Activity Logging

This enables user activity to be recorded in the secured Workday database. To enable it, follow the steps below:

  1. Log in to your Workday account.
  2. On the search bar, search for Edit Tenant Setup – System, and click Edit Tenant Setup – System.
  3. Under User Activity Logging, check Enable User Activity Logging.
    Figure 34. Workday User Activity Logging

Create an Integration System User

Important

If you already have an integration system user, you can skip these steps.

Netskope integration with Workday requires an integration system user. To create one, follow the steps below:

  1. Log in to your Workday account.
  2. On the search bar, search for Create Integration System User, and click Create Integration System User.
  3. On the Create Integration System User pop-up window, enter the following details:
    • Enter the User Name of the integration system user.
    • Enter the New Password and New Password Verify.
  4. Click OK, then Done.

Configure Permissions for Integration System User

To configure an integration system user to authenticate the Next Generation API Data Protection, follow the steps below.

Create an Integration System Security Group

This section explains how to create a new integration system security group and assign it to the integration system user. For more information on security groups, see Concept: Security Groups. You will need a community account to access the Workday documentation.

Important

If you already have an integration system security group, edit the security group and assign the integration system user you created in the previous step.

To do so, follow the steps below:

  1. Log in to your Workday account.
  2. On the search bar, search for Create Security Group, and click Create Security Group.
  3. On the Create Security Group pop-up window, enter the following details:
    • For Type of Tenant Security Group, select Integration System Security Group (Unconstrained).
    • Enter the name of the security group.

    Click OK.

  4. On the Edit Integration System Security Group (Unconstrained) window, enter the following details:
    • For Integration System Users, select the integration system user you created earlier. This will be the user who will authenticate the Next Generation API Data Protection.
  5. Click OK, then Done.

Add Domain Security Policy to Security Group

This section explains how to add domain security policies and map them to the newly created integration system security group. To do so, follow the steps below:

  1. Log in to your Workday account.
  2. On the search bar, search for Maintain Permissions for Security Group, and click Maintain Permissions for Security Group.
  3. On the Maintain Permissions for Security Group pop-up window, enter the following details:
    • Keep the Operation radio button set to Maintain.
    • In Source Security Group, select the newly created integration system security group.

    Click OK.

  4. On the Maintain Permissions for Security Group window, under the Domain Security Policy Permissions tab, click the + icon.
  5. Enter the following details:

    View/Modify Access | Domain Security Policy
    View Only          | System Auditing
    Get Only           | Workday Account Monitoring
    Get and Put        | Special OX Web Services
    View and Modify    | Workday Query Language
    View Only          | Workday Accounts
    Get Only           | Reports: Drive Admin
    Get and Put        | Drive Web Services
    View Only          | Worker Data: Active and Terminated Workers
    View Only          | Worker Data: Current Staffing Information
    View Only          | Person Data: Work Contact Information

    Note

    On adding this domain security policy, additional child/inherited policies get added too.

  6. Click OK, then Done.
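
One way to confirm that the security group holds the permissions in the table above and nothing broader is to compare an export of the group's permissions with the table. This is an added example, not Netskope or Workday code; the CSV layout, its column names and the extra policy in the sample are assumptions constructed for illustration.

```python
import csv
import io

# Required grants, copied from the table in step 5 above.
REQUIRED = {
    "System Auditing": "View Only",
    "Workday Account Monitoring": "Get Only",
    "Special OX Web Services": "Get and Put",
    "Workday Query Language": "View and Modify",
    "Workday Accounts": "View Only",
    "Reports: Drive Admin": "Get Only",
    "Drive Web Services": "Get and Put",
    "Worker Data: Active and Terminated Workers": "View Only",
    "Worker Data: Current Staffing Information": "View Only",
    "Person Data: Work Contact Information": "View Only",
}

def norm(text: str) -> str:
    """Collapse whitespace and case so export formatting does not matter."""
    return " ".join(text.split()).casefold()

def audit_group_permissions(export_csv: str) -> dict:
    """Return missing, wrongly scoped and unlisted policies for the group."""
    granted = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        policy, access = row["Domain Security Policy"], row["Access"]
        granted[norm(policy)] = (policy.strip(), access.strip())
    required = {norm(p): (p, a) for p, a in REQUIRED.items()}
    missing = sorted(p for k, (p, _) in required.items() if k not in granted)
    wrong = sorted(
        (p, a, granted[k][1]) for k, (p, a) in required.items()
        if k in granted and norm(granted[k][1]) != norm(a)
    )
    # Not in the table: inherited child policies or over-grants; review by hand.
    review = sorted(p for k, (p, _) in granted.items() if k not in required)
    return {"missing": missing, "wrong_access": wrong, "review": review}

# Constructed sample export (hypothetical column names and extra policy).
SAMPLE_EXPORT = """Domain Security Policy,Access
System Auditing,View Only
Workday Account Monitoring,Get Only
Special OX Web Services,Get and Put
Workday Accounts,View and Modify
Reports: Drive Admin,Get Only
Example Inherited Policy,View Only
"""

if __name__ == "__main__":
    for finding, items in audit_group_permissions(SAMPLE_EXPORT).items():
        print(finding, items)
```

Entries under `review` are not necessarily wrong, because child policies are inherited when a parent policy is added; they are listed so that each one is checked by hand.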

Activate Pending Security Policy Changes

Once you have added the domain security policies, it’s time to commit the pending security policy changes. To do so, follow the steps below:

  1. Log in to your Workday account.
  2. On the search bar, search for Activate Pending Security Policy Changes, and click Activate Pending Security Policy Changes.
  3. On the Activate Pending Security Policy Changes window, enter a comment and click OK.
  4. Check Confirm and click OK.
  5. You should get an acknowledgment.

Register an API Client for Integrations

To integrate Netskope with Workday, you should create a new API client in Workday. To do so, follow the steps below:

  1. Log in to your Workday account.
  2. On the search bar, search for Register API Client for Integrations, and click Register API Client for Integrations.
  3. On the Register API Client for Integrations page, enter the following details:

    Note

    Only the mandatory fields (marked with an asterisk) should be configured. The rest of the fields can be left unchanged.

    1. Enter a Client Name.
    2. Select the Non-Expiring Refresh Tokens checkbox.
    3. Under Scope (Functional Areas), select Contact Information, Implementation, Staffing, and System.
    4. Click OK.
  4. Note down the values of Client ID and Client Secret. These values will be required when you set up the Workday instance in the Netskope UI.
    • Client ID

      Note

      Ensure that you do not use this client ID in any other third-party integration. The client ID should be used exclusively for Netskope integration.

    • Client Secret

      Note

      The client secret is visible as soon as you register the API client. Once you move away from the registration page, the client secret is no longer visible. If you did not note it down, you can generate a new client secret. To do so, search for Generate New API Client Secret in the Workday search bar and follow the steps to create a new API client secret.

  5. While on the Register API Client for Integrations page, click the horizontal ellipsis beside the client name, then navigate to API Client > Manage Refresh Tokens for Integrations.
  6. On the Manage Refresh Tokens for Integrations pop-up window, select the Workday account and click OK.

    Note

    The Workday account should be the integration system user created as part of Create an Integration System User.

  7. On the Delete or Regenerate Refresh Token page, check Generate New Refresh Token and click OK.
  8. Note down the value of Refresh Token. The value will be required when you set up the Workday instance in the Netskope UI.

View API Client

Before you can configure the Workday instance in Netskope UI, you will need the Workday REST API Endpoint and Token Endpoint values. To find the values, follow the steps below:

  1. Log in to your Workday account.
  2. On the search bar, search for View API Clients, and click View API Clients.
  3. On the View API Clients page, note down the Workday REST API Endpoint and Token Endpoint values. These values will be required when you set up the Workday instance in the Netskope UI.
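
The five values noted so far (Client ID, Client Secret, Refresh Token, Token Endpoint and Workday REST API Endpoint) are the inputs to an OAuth 2.0 refresh-token exchange. The added example below, which is not Netskope or Workday code, checks them for common copy/paste and transport mistakes and builds the token request. It assumes the standard refresh-token grant (RFC 6749, section 6) with HTTP Basic client authentication and that both endpoints share one host; all sample values are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

def build_refresh_request(client_id, client_secret, refresh_token,
                          token_endpoint, rest_endpoint):
    """Check the five noted values, then build the refresh-token request."""
    secrets = {"Client ID": client_id, "Client Secret": client_secret,
               "Refresh Token": refresh_token}
    for name, value in secrets.items():
        # A stray space or newline from copy/paste is a common failure.
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"{name} is empty or contains whitespace")
    token_url = urllib.parse.urlsplit(token_endpoint)
    rest_url = urllib.parse.urlsplit(rest_endpoint)
    for name, url in (("Token Endpoint", token_url),
                      ("Workday REST API Endpoint", rest_url)):
        # Credentials must never travel over plain HTTP.
        if url.scheme != "https" or not url.hostname:
            raise ValueError(f"{name} must be an https:// URL")
    # Assumption: both endpoints on View API Clients belong to one host.
    if token_url.hostname != rest_url.hostname:
        raise ValueError("Token and REST API endpoints are on different hosts")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token})
    return urllib.request.Request(
        token_endpoint, data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def redeem(request, timeout=10):
    """Send the request and return the access token (needs network access)."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)["access_token"]

if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent to the network here.
    req = build_refresh_request(
        "EXAMPLE_CLIENT_ID", "EXAMPLE_CLIENT_SECRET", "EXAMPLE_REFRESH_TOKEN",
        "https://workday.example.com/ccx/oauth2/example_tenant/token",
        "https://workday.example.com/ccx/api/v1/example_tenant")
    print(req.get_method(), req.full_url)
```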

Configure Workday Instance in Netskope UI

To authorize Netskope to access your Workday instance, follow the steps below:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.

  2. Under Apps, select Workday and click Setup CASB API Instance.

    The Setup Instance window opens.

  3. Enter the following details that you already noted after registering the API client in Workday:

    • Client ID

    • Client Secret

    • Refresh Token

    • Token Endpoint

    • Workday REST API Endpoint

  4. Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.

  5. Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope will determine the name of the app instance after access is granted.

  6. Click Grant Access.

Refresh your browser, and you should see a green check icon next to the instance name.

Next, you can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your Workday account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To learn more, see Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.
