Onboard a Workday App to SSPM

Connect a Workday instance to SSPM to detect posture risks.
For SSPM to detect posture risks in your Workday instance, you must onboard your Workday instance to SSPM. Through the onboarding process, SSPM connects to a Workday API and, through the API, scans your Workday instance at regular intervals for misconfigured settings.
SSPM gets access to your Workday instance through OAuth 2.0 authorization. To enable OAuth 2.0 authorization, you first register an API client in Workday. You must also create an integration system user and a custom report that is exposed as a web service. During onboarding, SSPM redirects you to log in to Workday; you log in with the credentials of the integration system user that you created, and Workday issues SSPM a token on that user's behalf. Because SSPM reads Workday as that user, the security group you assign to it is the upper bound on what SSPM can see: grant only the View Only permissions listed in this document. To scan Workday for misconfigured settings, SSPM pulls data from the custom report.
During the onboarding process, you will provide SSPM with the following information:
  Client ID: SSPM accesses a Workday API through an API client that you register in Workday. Workday generates the Client ID to uniquely identify that API client.
  Client secret: Workday generates the Client Secret when you register the API client. SSPM presents it, together with the Client ID, to authenticate to Workday's token endpoint. Treat it like a password.
  Authorization endpoint: The Workday URL to which SSPM redirects you so that you can log in and grant SSPM access (the OAuth 2.0 authorization request).
  Token endpoint: The Workday URL from which SSPM obtains access tokens, and later refreshed access tokens, for the API client. SSPM presents the access token as a bearer token on each request to Workday.
  Custom report web service URL: The URL that exposes a custom report as a web service. To scan for misconfigured settings, SSPM uses this custom report to pull information from your Workday instance.
As you complete the following steps, make note of each of these values. You will enter them during onboarding so that SSPM can access and scan your Workday instance.
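The five values above are the inputs to a standard OAuth 2.0 Authorization Code exchange. The following Python script, added here as an illustration and not code from SSPM or Workday, walks through that exchange end to end: it builds the authorization URL the browser is sent to, validates the redirect back, trades the code for a bearer token at the token endpoint using the Client ID and Client Secret, and then pulls the custom report JSON with that token, refreshing it once if Workday rejects it. All endpoint URLs, credentials, the redirect URL and the report URL are placeholders, the transport is a constructed fake Workday so the script runs offline, and the HTTP Basic client authentication at the token endpoint and the Report_Entry JSON shape are assumptions about how Workday behaves.

```python
"""OAuth 2.0 Authorization Code exchange with Workday, then a custom-report fetch.
Added example, not Palo Alto Networks or Workday code. Endpoint URLs, credentials,
redirect URL and report URL are placeholders for the values you copy from the
Register API Client and View URLs Web Service pages."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumed shapes, not real tenant values).
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"
AUTH_ENDPOINT = "https://impl.workday.com/example_tenant/authorize"
TOKEN_ENDPOINT = "https://wd2-impl-services1.workday.com/ccx/oauth2/example_tenant/token"
REDIRECT_URI = "https://sspm.example.invalid/oauth/callback"
REPORT_URL = ("https://wd2-impl-services1.workday.com/ccx/service/customreport2/"
              "example_tenant/isu_sspm/SSPM_Posture?format=json")


class WorkdayOAuthClient:
    """transport(method, url, headers, body) -> (status, text); swap in urllib/requests for real use."""
    def __init__(self, client_id, client_secret, auth_endpoint, token_endpoint, redirect_uri, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.auth_endpoint, self.token_endpoint = auth_endpoint, token_endpoint
        self.redirect_uri, self.transport = redirect_uri, transport
        self.state = self.access_token = self.refresh_token = None

    def authorization_url(self):
        """Step 1: the browser is sent here; the user logs in as the integration system user and consents."""
        self.state = secrets.token_urlsafe(16)  # anti-CSRF value; must come back unchanged
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": self.state}
        return f"{self.auth_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Step 2: Workday redirects to the Redirection URI with ?code=...&state=...; exchange the code."""
        query = parse_qs(urlparse(callback_url).query)
        if query.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch on redirect; not exchanging the code")
        if "error" in query:
            raise RuntimeError(f"authorization refused: {query['error'][0]}")
        return self._token_request({"grant_type": "authorization_code", "code": query["code"][0],
                                    "redirect_uri": self.redirect_uri})

    def refresh(self):
        """New access token; works until the API client's Refresh Token Timeout elapses."""
        return self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def _token_request(self, form):
        # Client ID and secret travel in an HTTP Basic header, never in a URL.
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self.transport("POST", self.token_endpoint, headers, urlencode(form))
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}: {body}")
        token = json.loads(body)
        if token.get("token_type", "").lower() != "bearer":
            raise RuntimeError("expected a Bearer access token")
        self.access_token = token["access_token"]
        self.refresh_token = token.get("refresh_token", self.refresh_token)
        return token

    def fetch_report(self, report_url):
        """Step 3: pull the custom report as JSON, refreshing once on HTTP 401."""
        for attempt in range(2):
            headers = {"Authorization": f"Bearer {self.access_token}", "Accept": "application/json"}
            status, body = self.transport("GET", report_url, headers, None)
            if status == 200:
                return json.loads(body)["Report_Entry"]
            if status == 401 and attempt == 0 and self.refresh_token:
                self.refresh()
                continue
            raise RuntimeError(f"report fetch failed with HTTP {status}")


def fake_workday(method, url, headers, body):
    """Constructed stand-in for Workday so the exchange runs offline; it treats the
    first access token as already expired so the refresh path is exercised."""
    basic = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    if method == "POST" and url == TOKEN_ENDPOINT:
        if headers.get("Authorization") != basic:
            return 401, '{"error": "invalid_client"}'
        form = parse_qs(body)
        if form.get("grant_type") == ["authorization_code"] and form.get("code") == ["constructed-code"]:
            return 200, json.dumps({"access_token": "at-1", "token_type": "Bearer",
                                    "expires_in": 3600, "refresh_token": "rt-1"})
        if form.get("grant_type") == ["refresh_token"] and form.get("refresh_token") == ["rt-1"]:
            return 200, json.dumps({"access_token": "at-2", "token_type": "Bearer", "expires_in": 3600})
        return 400, '{"error": "invalid_grant"}'
    if method == "GET" and url == REPORT_URL and headers.get("Authorization") == "Bearer at-2":
        return 200, json.dumps({"Report_Entry": [{"Username": "isu_sspm", "Session_Timeout_Minutes": "30"}]})
    return (401, "") if url == REPORT_URL else (404, "")


def run_flow(transport=fake_workday):
    """Drive the whole exchange and return the report rows."""
    client = WorkdayOAuthClient(CLIENT_ID, CLIENT_SECRET, AUTH_ENDPOINT, TOKEN_ENDPOINT, REDIRECT_URI, transport)
    client.authorization_url()  # in a real run, send the browser here
    callback = f"{REDIRECT_URI}?code=constructed-code&state={client.state}"  # what Workday redirects back with
    client.handle_callback(callback)
    return client.fetch_report(REPORT_URL)
```

To run this against a tenant, replace fake_workday with a real transport (any callable that takes method, url, headers and body and returns the status and response text, for example one built on urllib.request) and feed handle_callback the URL your browser lands on after consent. The points that matter for onboarding are visible in the code: the state value must round-trip unchanged, the redirect_uri in the token request must equal the Redirection URI registered on the API client, and the Client Secret is only ever sent in the Authorization header to the token endpoint.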

Register an API Client in Workday

To enable SSPM to connect to your Workday instance through OAuth 2.0 authorization, register an API client in Workday.
  1. From SSPM, get the redirect URL. You will specify this redirect URL as the Redirection URI of the API client that you register in Workday. To get it, begin the onboarding process in SSPM, but do not complete it yet.
    1. From the Add Application page in SSPM (Posture Security > Applications > Add Application), click the Workday tile.
    2. Under posture security instances, click Add Instance or, if an instance is already configured, Add New.
      SSPM displays the connection page for onboarding a Workday instance. The Redirect URL field displays the redirect URL value.
    3. Copy the URL and paste it into a text file.
      Do not continue to the next step until you have copied the redirect URL. You will need it later when you register the API client, and the Redirection URI you enter there must match this value exactly or Workday will refuse the authorization request.
  2. Identify the administrator account that you will use to create the API client and the integration system user.
    Required Permissions:
    To create an API client and an integration system user, you must have Security Administrator permissions in Workday.
  3. Register the API client.
    1. Log in to the Workday console using the Workday Security Administrator account that you identified earlier.
    2. In the search field, search for Register API Client and select Register API Client from the search results.
      Workday displays the Register API Client page.
    3. On the Register API Client page, specify a name for your client and specify the following values in the fields provided.
      Client Grant Type: Authorization Code Grant
      Access Token Type: Bearer
      Redirection URI: The redirect URL that you copied earlier from SSPM.
      Refresh Token Timeout (in days): The number of days that the refresh token is valid, for example 30. When the refresh token expires, SSPM can no longer obtain new access tokens until you reconnect the instance.
      Scope (Functional Areas): Tenant Non-Configurable
    4. Click OK.
      Workday registers your new API client and displays the application credentials and endpoints. Copy the following values and paste them into a text file:
      • Client ID
      • Client Secret
      • Authorization Endpoint
      • Token Endpoint
      Do not continue to the next step until you have copied the Client ID, Client Secret, Authorization Endpoint, and Token Endpoint. Store the Client Secret as carefully as you would a password. You will provide these values to SSPM during the onboarding process.

Create an Integration System User

When you onboard Workday, SSPM will redirect you to the Workday login page for OAuth 2.0 authentication through the API client that you registered. At that time, you will log in to Workday using the integration system user account that you will create now. Complete the following steps to create the integration system user account and to configure the account's permissions through a security group.
Complete the following steps using the Workday Security Administrator account that you identified earlier.
  1. Create the integration system user.
    1. Using the Workday console's search field, search for Create Integration System User and select Create Integration System User from the search results.
    2. On the Create Integration System User page, specify a user name and password for the account and click OK.
  2. Create a security group for the integration system user.
    1. Using the Workday console's search field, search for Create Security Group and select Create Security Group from the search results.
    2. On the Create Security Group page, complete the following actions:
      1. Locate the Type of Tenanted Security Group field. From the field's drop-down, select Integration System Security Group (Unconstrained).
      2. Specify a name for the security group and click OK.
    3. On the Integration System Security Group (Unconstrained) page, complete the following actions:
      1. Locate the Integration System Users field and select the name of the integration system user that you created earlier.
      2. Click OK.
  3. Specify domain security policy permissions for the security group.
    1. Using the Workday console's search field, search for Maintain Permissions for Security Group and select Maintain Permissions for Security Group from the search results.
    2. On the Maintain Permissions for Security Group page, complete the following actions:
      1. Locate the Operation field and select the Maintain operation.
      2. Locate the Source Security Group field and select the name of the security group that you created earlier.
      3. Click OK.
        Workday displays a second Maintain Permissions for Security Group page.
    3. On the second Maintain Permissions for Security Group page, complete the following actions:
      1. Navigate to the Domain Security Policy Permissions tab.
      2. Add the following domain security policies to the security group, each with View Only under View/Modify Access. To add a policy permission, click the plus sign (+) icon.
        Workday Accounts: View Only
        Security Administration: View Only
        Security Configuration: View Only
        Worker Data: Public Worker Reports: View Only
        SSPM only reads these domains. Do not grant Modify access or add further domains: the integration system user's security group is the upper bound on what SSPM can read, and on what anyone holding SSPM's token could do if it were ever exposed.
  4. Activate pending security policy changes.
    1. Using the Workday console's search field, search for Activate Pending Security Policy Changes and select Activate Pending Security Policy Changes from the search results.
    2. On the Activate Pending Security Policy Changes page, type a comment describing the security changes that you made, and click OK.
      Workday displays a second Activate Pending Security Policy Changes page summarizing the changes that you made.
    3. On the second Activate Pending Security Policy Changes page, select the Confirm check box.
    4. Click OK.
      Until you activate them, the permissions that you added have no effect and the integration system user cannot read the domains that SSPM needs.

Create a Custom Report

To scan your Workday instance, SSPM pulls data from a custom report that you expose as a web service. To create this report, complete the following steps using the Workday Security Administrator account that you identified earlier.
  1. Using the Workday console's search field, search for Create Custom Report and select Create Custom Report from the search results.
  2. On the Create Custom Report page, complete the following actions:
    1. In the Report Name field, specify a name for your report.
    2. From the Report Type list, select Advanced.
    3. Select the Enable As Web Service check box.
    4. Make sure that the Optimized for Performance check box is not selected. If necessary, clear the check box.
    5. In the Data Source field, specify All Workday Accounts.
    6. Click OK.
    Workday displays the Edit Custom Report page, where you define the information that your report will collect.
  3. On the Edit Custom Report page, in the Additional Info section, select the Columns tab and add the following columns to the report.
    From the Worker business object, add this field:
      Worker Instance URL
    From the Workday Account business object, add these fields:
      Username
      Sensitive Data is Masked in Output
      Session Timeout Minutes
      Days Since Last Password Change
      Exempt from Password Expiration
      One-Time Passcode Authentication Exempt
      Grace Period Enabled
      Grace Period Signins Remaining
      Account Locked, Disabled or Expired
      Has Chief Human Resources Security Group
      Has Compensation Administrator Security Group
      Has Contingent Worker Partner Security Group
      Has Create / Modify Expense Report Access
      Has Create Customer Refund Access
      Has HR Administrator Security Group
      Has Information Administrator Security Group
      Has Payment Settlement Access - Expenses
      Has Payment Settlement Access - Payroll
      Has Payroll Modification Access
      Has Project Administrator Access
      Security Exception - Customers
      Security Exception - Expenses
      Security Exception - Payroll
      Security Exception - Suppliers
    Under the Group Column Headings section, add the following business object to the report.
      Business Object: Worker
      Group Column Heading XML Alias: Worker_group
  4. In the Additional Info section, select the Share tab and specify the following sharing options using the fields provided.
    Report Definition Sharing Options: Share with specific authorized groups and users
    Authorized Groups: The name of the security group that you created for the integration system user.
    Authorized Users: The name of the integration system user that you created earlier.
  5. In the Additional Info section, select the Prompts tab and, in the prompt defaults area, add the prompt Include Disabled Domains/ Functional Areas to the report.
  6. To save the report, click OK.
  7. Get the web service URL for the custom report.
    1. Locate the options menu for your custom report. The options menu is the ellipsis (…) located next to the name of the custom report in the banner of the Create Custom Report page. Select … > Web Service > View URLs.
      Workday displays the View URLs Web Service page, which lists the various data formats that are available. SSPM requires the JSON data format.
    2. On the View URLs Web Service page, locate the JSON area. Copy the URL destination for the JSON link, and paste the URL into a text file.
      Do not continue to the next step until you have copied the web service URL for the JSON data format. You will provide this URL to SSPM during the onboarding process.
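What SSPM does with the report is not documented on this page, but the columns above are enough to write posture checks yourself, for instance to cross-check SSPM's findings or to alert between scans. The following Python script is an added example, not Palo Alto Networks' detection logic: it runs a handful of checks over a Report_Entry payload (one-time passcode exemption on privileged accounts, long session timeouts, stale or non-expiring passwords, and active security exceptions). The rows are constructed sample data, the thresholds are the example's own, and the JSON keys are assumed to be the XML aliases Workday derives from the column names; confirm them against the JSON your web service URL actually returns.

```python
"""Posture checks over the custom report that SSPM pulls from Workday.
Added example, not Palo Alto Networks' detection logic. The JSON keys are assumed
to be the column XML aliases Workday derives from the column names (spaces become
underscores); confirm them against your report's JSON output. The rows are
constructed sample data and the thresholds are this example's own."""
MAX_SESSION_TIMEOUT_MINUTES = 60
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample: what the web service URL returns in JSON (Report_Entry shape assumed).
SAMPLE_REPORT = {"Report_Entry": [
    {"Username": "jdoe", "Session_Timeout_Minutes": "30", "Days_Since_Last_Password_Change": "12",
     "Exempt_from_Password_Expiration": "0", "One-Time_Passcode_Authentication_Exempt": "0",
     "Account_Locked_Disabled_or_Expired": "0", "Has_HR_Administrator_Security_Group": "0"},
    {"Username": "payroll_admin", "Session_Timeout_Minutes": "480", "Days_Since_Last_Password_Change": "400",
     "Exempt_from_Password_Expiration": "1", "One-Time_Passcode_Authentication_Exempt": "1",
     "Account_Locked_Disabled_or_Expired": "0", "Has_Payroll_Modification_Access": "1",
     "Has_Payment_Settlement_Access_-_Payroll": "1", "Security_Exception_-_Payroll": "1"},
    {"Username": "old_contractor", "Session_Timeout_Minutes": "30", "Days_Since_Last_Password_Change": "200",
     "One-Time_Passcode_Authentication_Exempt": "1", "Account_Locked_Disabled_or_Expired": "1",
     "Has_Contingent_Worker_Partner_Security_Group": "1"},
]}


def as_bool(value):
    """Workday reports booleans as "1"/"0" strings; accept the common spellings."""
    return str(value).strip().lower() in ("1", "true", "yes")


def as_int(value, default=0):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def check_account(row):
    """Return (username, rule_id, detail) findings for one Workday account row."""
    user = row.get("Username", "<unknown>")
    if as_bool(row.get("Account_Locked_Disabled_or_Expired")):
        return []  # nobody can sign in to it; track stale accounts separately if you need to
    findings = []
    privileges = sorted(k for k, v in row.items() if k.startswith("Has_") and as_bool(v))
    exceptions = sorted(k for k, v in row.items() if k.startswith("Security_Exception") and as_bool(v))
    if as_bool(row.get("One-Time_Passcode_Authentication_Exempt")):
        severity = "high" if privileges else "medium"
        findings.append((user, "otp-exempt", f"{severity}: bypasses one-time passcode; privileges={privileges}"))
    timeout = as_int(row.get("Session_Timeout_Minutes"))
    if timeout > MAX_SESSION_TIMEOUT_MINUTES:
        findings.append((user, "session-timeout", f"{timeout} minutes exceeds {MAX_SESSION_TIMEOUT_MINUTES}"))
    if as_bool(row.get("Exempt_from_Password_Expiration")):
        findings.append((user, "password-never-expires", "exempt from password expiration"))
    else:
        days = as_int(row.get("Days_Since_Last_Password_Change"))
        if days > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "stale-password", f"{days} days since last password change"))
    if exceptions:
        findings.append((user, "security-exception", ", ".join(exceptions)))
    return findings


def scan(report):
    """Run the checks over every row of a Report_Entry payload."""
    return [f for row in report.get("Report_Entry", []) for f in check_account(row)]


def summarize(findings):
    """Count findings per rule, the shape a dashboard or ticketing hook would want."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for user, rule, detail in scan(SAMPLE_REPORT):
        print(f"{user:16} {rule:24} {detail}")
```

On the sample data only payroll_admin produces findings: jdoe is clean and old_contractor is skipped because the account is locked. Feeding scan() the rows returned by the report URL (under the Report_Entry key) turns this into a second, independent read of the same columns SSPM scans.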

Connect SSPM to Your Workday Instance

By adding a Workday app in SSPM, you enable SSPM to connect to your Workday instance.
  1. Sign out of all Workday accounts.
    During onboarding, SSPM redirects you to log in to Workday and to grant SSPM the access to Workday that it requires. You must log in using the integration system user account that you created: the token Workday issues is tied to whichever account approves the consent form, so consenting as a personal or administrator account would give SSPM that account's access instead. Some browsers automatically log you in using saved credentials. To ensure that the browser does not log you in to the wrong account, turn off any automatic login option or clear your saved credentials. Alternatively, prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
  2. From the Add Application page (Posture Security > Applications > Add Application), click the Workday tile.
  3. Under posture security instances, click Add Instance or, if an instance is already configured, Add New.
  4. Click Log in with Credentials.
  5. Enter the application credentials (Client ID and Client Secret), the authorization and token endpoints, and the custom report web service URL.
  6. Click Connect.
    SSPM redirects you to the Workday login page.
  7. Log in to Workday using the login credentials for the integration system user that you created.
    Workday displays a consent form that details the access permissions that SSPM requires.
  8. Review the consent form and allow access.
