Onboard a Workday App to SSPM
Connect a Workday instance to SSPM to detect posture
risks.
For SSPM to detect posture risks in your Workday instance, you must onboard your
Workday instance to SSPM. Through the onboarding process, SSPM connects to a Workday
API and, through the API, scans your Workday instance at regular intervals for
misconfigured settings.
SSPM gets access to your Workday instance through OAuth 2.0 authorization. To enable
OAuth 2.0 authorization, you first create an API client application in Workday. In
Workday, you must also create an integration system user and a custom report exposed
as a web service. During onboarding, SSPM will redirect you to log in to Workday.
You will log in to Workday using the credentials for the integration system user
account that you created. To scan Workday for misconfigured settings, SSPM will pull
data from the custom report.
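To onboard your Workday instance, you complete the following actions:
- Register an API Client in Workday
- Create an Integration System User
- Create a Custom Report
- Connect SSPM to Your Workday Instance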
During the onboarding process, you will provide SSPM with the following
information:
Item | Description |
---|---|
Client ID | SSPM will access a Workday API through an API client that you create. Workday generates the Client ID to uniquely identify this application. |
Client secret | SSPM will access a Workday API through an API client that you create. Workday generates the Client Secret, which SSPM uses to authenticate to this application. |
Authorization endpoint | SSPM will access a Workday API through an OAuth 2.0 application that you create. SSPM uses this endpoint for authorization requests. |
Token endpoint | SSPM will access a Workday API through an OAuth 2.0 application that you create. SSPM uses the token endpoint to generate an authentication token. |
Custom report web service URL | The URL that exposes a custom report as a web service. To scan for misconfigured settings, SSPM uses this custom report to pull information from your Workday instance. |
As you complete the following steps, make note of the values of the items described
in the preceding table. You will enter these values during onboarding to access and
scan your Workday instance from SSPM.
Register an API Client in Workday
To enable SSPM to connect to your Workday instance through OAuth 2.0
authentication, create an API client in Workday.
- From SSPM, get a redirect URL. You will specify this redirect URL in the OAuth 2.0 application that you will create in Workday. To get this information, you will begin the onboarding process in SSPM, but you will not complete the process.
  - From the Add Application page in SSPM (Posture Security > Applications > Add Application), click the Workday tile.
  - Under posture security instances, Add Instance or, if there is already an instance configured, Add New instance. SSPM displays a connection page for onboarding a Workday instance. The Redirect URL field displays the redirect URL value.
  - Copy the URL and paste it into a text file. Do not continue to the next step unless you have copied the redirect URL. You will need to specify this URL later when you are configuring the API client.
- Identify the administrator account that you will use to create the API client and the integration system user. Required Permissions: To create an API client and an integration system user, you must have Security Administrator permissions in Workday.
- Register the API client.
  - Log in to the Workday console using the Workday Security Administrator account that you identified earlier.
  - In the search field, search for Register API Client and select Register API client from the search results. Workday displays the Register API Client page.
  - On the Register API Client page, specify a name for your client and specify the following information in the fields provided.

    Field | Value |
    ---|---|
    Client Grant Type | Authorization Code Grant |
    Access Token Type | Bearer |
    Redirection URI | The redirect URL that you copied earlier from SSPM. |
    Refresh Token Timeout (in days) | The number of days that the refresh token is valid. For example, 30 days. |
    Scope (Functional Areas) | Tenant Non-Configurable |

  - Click OK. Workday registers your new API client and displays the application credentials and endpoints. Copy the following values and paste them into a text file:
    - Client ID
    - Client Secret
    - Authorization Endpoint
    - Token Endpoint

    Do not continue to the next step unless you have copied the Client ID, Client Secret, Authorization Endpoint, and Token Endpoint. You will provide this information to SSPM during the onboarding process.
Create an Integration System User
When you onboard Workday, SSPM will redirect you to the Workday login page for
OAuth 2.0 authentication through the API client that you registered. At that
time, you will log in to Workday using the integration system user account that
you will create now. Complete the following steps to create the integration
system user account and to configure the account's permissions through a
security group.
Complete the following steps using the Workday Security Administrator account
that you identified earlier.
- Create the integration system user.
  - Using the Workday console's search field, search for Create Integration System User. Select Create Integration System User from the search results.
  - On the Create Integration System User page, specify a user name and password for the account and click OK.
- Create a security group for the integration system user.
  - Using the Workday console's search field, search for Create Security Group and select Create Security Group from the search results.
  - On the Create Security Group page, complete the following actions:
    - Locate the Type of Tenanted Security Group field. From the field's drop-down, select Integration System Security Group (Unconstrained).
    - Specify a name for the security group and click OK.
  - On the Integration System Security Group (Unconstrained) page, complete the following actions:
    - Locate the Integration System Users field and select the name of the integration system user that you created earlier.
    - Click OK.
- Specify domain security policy permissions for the security group.
  - Using the Workday console's search field, search for Maintain Permissions for Security Group and select Maintain Permissions for Security Group from the search results.
  - On the Maintain Permissions for Security Group page, complete the following actions:
    - Locate the Operation field and select the Maintain operation.
    - Locate the Source Security Group field and select the name of the security group that you created earlier.
    - Click OK. Workday displays a second Maintain Permissions for Security Group page.
  - On the Maintain Permissions for Security Group page, complete the following actions:
    - Navigate to the Domain Security Policy Permissions tab.
    - Add the following domain security policies with the following access permissions to the security group. To add a policy permission, click the plus sign (+) icon.

      Domain Security Policy | View/Modify Access |
      ---|---|
      Workday Accounts | View Only |
      Security Administration | View Only |
      Security Configuration | View Only |
      Worker Data: Public Worker Reports | View Only |

- Activate Pending Security Policy Changes.
  - Using the Workday console's search field, search for Activate Pending Security Policy Changes and select Activate Pending Security Policy Changes from the search results.
  - On the Activate Pending Security Policy Changes page, type in a comment describing the security changes you made, and click OK. Workday displays a second Activate Pending Security Policy Changes page summarizing the changes that you made.
  - On the Activate Pending Security Policy Changes page, select the Confirm check box.
  - Click OK.
Create a Custom Report
To scan your Workday instance, SSPM pulls data from a custom report that you
expose as a web service. To create this report, complete the following steps
using the Workday Security Administrator account that you identified
earlier.
- Using the Workday console's search field, search for Create Custom Report and select Create Custom Report from the search results.
- On the Create Custom Report page, complete the following actions:
  - In the Report Name field, specify a name for your report.
  - From the Report Name list, select Advanced.
  - Select the Enable As Web Service check box.
  - Make sure that the Optimized for Performance check box is not selected. If necessary, clear the check box.
  - In the Data Source field, specify All Workday Accounts.
  - Click OK.

  Workday displays the Edit Custom Report page, where you can define the information that your report will collect.
- On the Edit Custom Report page, in the Additional Info section, select the Columns tab and add the following columns to the report.

  Business Object | Field |
  ---|---|
  Worker | Worker Instance URL |
  Workday Account | Username |
  Workday Account | Sensitive Data is Masked in Output |
  Workday Account | Session Timeout Minutes |
  Workday Account | Days Since Last Password Change |
  Workday Account | Exempt from Password Expiration |
  Workday Account | One-Time Passcode Authentication Exempt |
  Workday Account | Grace Period Enabled |
  Workday Account | Grace Period Signins Remaining |
  Workday Account | Account Locked, Disabled or Expired |
  Workday Account | Has Chief Human Resources Security Group |
  Workday Account | Has Compensation Administrator Security Group |
  Workday Account | Has Contingent Worker Partner Security Group |
  Workday Account | Has Create / Modify Expense Report Access |
  Workday Account | Has Create Customer Refund Access |
  Workday Account | Has HR Administrator Security Group |
  Workday Account | Has Information Administrator Security Group |
  Workday Account | Has Payment Settlement Access - Expenses |
  Workday Account | Has Payment Settlement Access - Payroll |
  Workday Account | Has Payroll Modification Access |
  Workday Account | Has Project Administrator Access |
  Workday Account | One-Time Passcode Authentication Exempt |
  Workday Account | Security Exception - Customers |
  Workday Account | Security Exception - Expenses |
  Workday Account | Security Exception - Payroll |
  Workday Account | Security Exception - Suppliers |

  Under the Group Column Headings section, add the following business object to the report.

  Business Object | Group Column Heading XML Alias |
  ---|---|
  Worker | Worker_group |

- In the Additional Info section, select the Share tab and specify the following sharing options using the fields provided.

  Field | Value |
  ---|---|
  Report Definition Sharing Options | Share with specific authorized groups and users. |
  Authorized Groups | The name of the security group that you created for the integration system user. |
  Authorized Users | The name of the security integration user that you created earlier. |

- In the Additional Info section, select the Prompts tab and, in the prompt defaults area, add the prompt Include Disabled Domains/ Functional Areas to the report.
- To save the report, click OK.
- Get the web service URL for the custom report.
  - Locate the options menu for your custom report. The options menu is the ellipsis (…) located next to the name of the custom report in the banner of the Create Custom Report page. Select ... > Web Service > View URLs. Workday displays the View URLs Web Service page, which lists the various data formats that are available. SSPM requires the JSON data format.
  - On the View URLs Web Service page, locate the JSON area. Copy the URL destination for the JSON link, and paste the URL into a text file. Do not continue to the next step unless you have copied the web service URL for the JSON data format. You will provide this information to SSPM during the onboarding process.
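To see what kind of account data the custom report exposes, the following added example (not Palo Alto Networks or Workday code, and not SSPM's detection logic) audits a report's JSON output for risky sign-in settings. It assumes the output has a top-level `Report_Entry` list; the field aliases, thresholds, severity labels and sample rows are constructed for illustration and must be matched to your own report.

```python
import json

# Column name on the page -> JSON key. Keys are ASSUMED aliases; replace them
# with the XML aliases shown on your report's Columns tab.
ALIAS = {
    "user": "Username",
    "locked": "Account_Locked_Disabled_or_Expired",
    "otp_exempt": "One-Time_Passcode_Authentication_Exempt",
    "pw_exempt": "Exempt_from_Password_Expiration",
    "timeout": "Session_Timeout_Minutes",
    "pw_age": "Days_Since_Last_Password_Change",
}
# Assumed aliases for two of the page's privileged-access columns.
PRIVILEGED = ("Has_HR_Administrator_Security_Group", "Has_Payroll_Modification_Access")
MAX_TIMEOUT_MIN = 30        # assumed local policy, not a value from the page
MAX_PASSWORD_AGE_DAYS = 90  # assumed local policy, not a value from the page

def truthy(value):
    """Booleans may arrive as "1"/"0", "true"/"false" or JSON true/false."""
    return str(value).strip().lower() in ("1", "true")

def to_int(value):
    """Blank or missing numbers become None so they are not read as 0."""
    text = str(value).strip()
    return int(text) if text.isdigit() else None

def audit(report):
    """Return (username, severity, issue) tuples for accounts that can sign in."""
    findings = []
    for row in report.get("Report_Entry", []):
        user = row.get(ALIAS["user"], "<unknown>")
        if truthy(row.get(ALIAS["locked"])):
            continue  # locked, disabled or expired: not a live sign-in risk
        privileged = any(truthy(row.get(key)) for key in PRIVILEGED)
        if truthy(row.get(ALIAS["otp_exempt"])):
            severity = "high" if privileged else "medium"
            findings.append((user, severity, "one-time passcode exempt"))
        if truthy(row.get(ALIAS["pw_exempt"])):
            findings.append((user, "medium", "exempt from password expiration"))
        timeout = to_int(row.get(ALIAS["timeout"]))
        if timeout is not None and timeout > MAX_TIMEOUT_MIN:
            findings.append((user, "low", f"session timeout {timeout} min"))
        age = to_int(row.get(ALIAS["pw_age"]))
        if age is not None and age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "low", f"password unchanged for {age} days"))
    return findings

# Constructed sample in the assumed JSON shape (top-level "Report_Entry" list).
SAMPLE = json.loads("""{"Report_Entry": [
 {"Username": "hr.admin", "One-Time_Passcode_Authentication_Exempt": "1",
  "Has_HR_Administrator_Security_Group": "1", "Session_Timeout_Minutes": "15",
  "Days_Since_Last_Password_Change": "12"},
 {"Username": "j.doe", "Session_Timeout_Minutes": "120",
  "Days_Since_Last_Password_Change": "400"},
 {"Username": "old.contractor", "Account_Locked_Disabled_or_Expired": "1",
  "Exempt_from_Password_Expiration": "1"},
 {"Username": "c.ok", "Session_Timeout_Minutes": "20",
  "Days_Since_Last_Password_Change": "30"}
]}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Because the report lists every account together with its privileged-group membership, keep it shared only with the integration system user and its security group, as the Share tab step specifies.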
Connect SSPM to Your Workday Instance
By adding a Workday app in SSPM, you enable SSPM to connect to your Workday
instance.
- Sign out of all Workday accounts. During onboarding, SSPM will redirect you to log in to Workday and to grant SSPM the access to Workday that it requires. You must log in by using the integration system user account that you created. Some browsers can automatically log you in by using saved credentials. To ensure that the browser does not automatically log you in to the wrong account, you can turn off any automatic log-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
- From the Add Application page (Posture Security > Applications > Add Application), click the Workday tile.
- Under posture security instances, Add Instance or, if there is already an instance configured, Add New instance.
- Log in with Credentials.
- Enter the application credentials (Client ID and Client Secret), the authorization and token endpoints, and the custom report web service URL.
- Connect. SSPM redirects you to the Workday login page.
- Log in to Workday using the login credentials for the integration system user that you created. Workday displays a consent form that details the access permissions that SSPM requires.
- Review the consent form and allow access.