>
    Strata Copilot
    Onboard a Workday App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard a Workday App to SSPM
    Download PDF
    SaaS Security

    Onboard a Workday App to SSPM

    Table of Contents

    Onboard a Workday App to SSPM

    Connect a Workday instance to SSPM to detect posture risks.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    For SSPM to detect posture risks in your Workday instance, you must onboard your Workday instance to SSPM. Through the onboarding process, SSPM connects to a Workday API and, through the API, scans your Workday instance at regular intervals for misconfigured settings.
    SSPM gets access to your Workday instance through OAuth 2.0 authorization. To enable OAuth 2.0 authorization, you first create an API client application in Workday. In Workday, you must also create an integration system user and a custom report exposed as a web service. During onboarding, SSPM will redirect you to log in to Workday. You will log in to Workday using the credentials for the integration system user account that you created. To scan Workday for misconfigured settings, SSPM will pull data from the custom report.
    To onboard your Workday instance, you complete the following actions:
    During the onboarding process, you will provide SSPM with the following information:
    ItemDescription
    Client ID
    SSPM will access a Workday API through an API client that you create. Workday generates the Client ID to uniquely identify this application.
    Client secret
    SSPM will access a Workday API through an API client that you create. Workday generates the Client Secret, which SSPM uses to authenticate to this application.
    Authorization endpoint
    SSPM will access a Workday API through an OAuth 2.0 application that you create. SSPM uses this endpoint for authorization requests.
    Token endpoint
    SSPM will access a Workday API through an OAuth 2.0 application that you create. SSPM uses the token endpoint to generate an authentication token.
    Custom report web service URL
    The URL that exposes a custom report as a web service. To scan for misconfigured settings, SSPM uses this custom report to pull information from your Workday instance.
    As you complete the following steps, make note of the values of the items described in the preceding table. You will enter these values during onboarding to access and scan your Workday instance from SSPM.

    Register an API Client in Workday

    To enable SSPM to connect to your Workday instance through OAuth 2.0 authentication, create an API client in Workday.
    1. From SSPM, get a redirect URL. You will specify this redirect URL in the OAuth 2.0 application that you will create in Workday. To get this information, you will begin the onboarding process in SSPM, but you will not complete the process.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the Workday tile.
      3. Under posture security instances, Add Instance or, if there is already an instance configured, Add New instance.
        SSPM displays a connection page for onboarding a Workday instance. The Redirect URL field displays the redirect URL value.
      4. Copy the URL and paste it into a text file.
        Don’t continue to the next step unless you have copied the redirect URL. You will need to specify this URL later when you're configuring the API client.
    2. Identify the administrator account that you will use to create the API client and the integration system user.
      Required Permissions: To create an API client and an integration system user, you must have Security Administrator permissions in Workday.
    3. Register the API client.
      1. Log in to the Workday console using the Workday Security Administrator account that you identified earlier.
      2. In the search field, search for Register API Client and select Register API client from the search results.
        Workday displays the Register API Client page.
      3. On the Register API Client page, specify a name for your client and specify the following information in the fields provided.
        FieldValue
        Client Grant Type
        Authorization Code Grant
        Access Token Type
        Bearer
        Redirection URI
        The redirect URL that you copied earlier from SSPM.
        Refresh Token Timeout (in days)
        The number of days that the refresh token is valid. For example, 365 days.
        Scope (Functional Areas)
        Tenant Non-Configurable
        To enable identity scans to collect and display user account information for the Identity Security dashboard, also specify the following scope:
        System
      4. If you specified the System scope to enable identity scans, select the Include Workday Owned Scope checkbox.
      5. Click OK.
        Workday registers your new API client and displays the application credentials and endpoints. Copy the following values and paste them into a text file:
        • Client ID
        • Client Secret
        • Authorization Endpoint
        • Token Endpoint
        Don’t continue to the next step unless you have copied the Client ID, Client Secret, Authorization Endpoint, and Token Endpoint. You will provide this information to SSPM during the onboarding process.

    Create an Integration System User

    When you onboard Workday, SSPM will redirect you to the Workday login page for OAuth 2.0 authentication through the API client that you registered. At that time, you will log in to Workday using the integration system user account that you will create now. Complete the following steps to create the integration system user account and to configure the account's permissions through a security group.
    Complete the following steps using the Workday Security Administrator account that you identified earlier.
    1. Create the integration system user.
      1. Using the Workday console's search field, search for Create Integration System User. Select Create Integration System User from the search results.
      2. On the Create Integration System User page, specify a user name and password for the account and click OK.
    2. Create a security group for the integration system user.
      1. Using the Workday console's search field, search for Create Security Group and select Create Security Group from the search results.
      2. On the Create Security Group page, complete the following actions:
        1. Locate the Type of Tenanted Security Group field. From the field's drop-down, select Integration System Security Group (Unconstrained).
        2. Specify a name for the security group and click OK.
      3. On the Integration System Security Group (Unconstrained) page, complete the following actions:
        1. Locate the Integration System Users field and select the name of the integration system user that you created earlier.
        2. Click OK.
    3. Specify domain security policy permissions for the security group.
      1. Using the Workday console's search field, search for Maintain Permissions for Security Group and select Maintain Permissions for Security Group from the search results.
      2. On the Maintain Permissions for Security Group page, complete the following actions:
        1. Locate the Operation field and select the Maintain operation.
        2. Locate the Source Security Group field and select the name of the security group that you created earlier.
        3. Click OK.
          Workday displays a second Maintain Permissions for Security Group page.
      3. On the Maintain Permissions for Security Group page, complete the following actions:
        1. Navigate to the Domain Security Policy Permissions tab.
        2. Add the following domain security policies with the following access permissions to the security group. To add a policy permission, click the plus sign (+) icon.
          Domain Security PolicyView/Modify Access
          Workday Accounts
          View Only
          Worker Data: Public Worker Reports
          View Only
          Security Administration
          View Only
          Security Configuration
          View Only
          System Auditing
          View Only
    4. Activate Pending Security Policy Changes.
      1. Using the Workday console's search field, search for Activate Pending Security Policy Changes and select Activate Pending Security Policy Changes from the search results.
      2. On the Activate Pending Security Policy Changes page, type in a comment describing the security changes you made, and click OK.
        Workday displays a second Activate Pending Security Policy Changes page summarizing the changes that you made.
      3. On the Activate Pending Security Policy Changes page, select the Confirm check box.
      4. Click OK.

    Create a Custom Report

    To scan your Workday instance, SSPM pulls data from a custom report that you expose as a web service. To create this report, complete the following steps using the Workday Security Administrator account that you identified earlier.
    1. Using the Workday console's search field, search for Create Custom Report and select Create Custom Report from the search results.
    2. On the Create Custom Report page, complete the following actions:
      1. In the Report Name field, specify a name for your report.
      2. From the Report Name list, select Advanced.
      3. Select the Enable As Web Service check box.
      4. In the Data Source field, specify Processed Transactions for Range, System Account, Task and Business Object.
      5. Click OK.
      Workday displays the Edit Custom Report page, where you can define the information that your report will collect.
    3. On the Edit Custom Report page, in the Additional Info section, select the Columns tab and add the following columns to the report.
      Business ObjectFieldColumn Heading OverrideColumn Heading Override XML Alias
      Processed TransactionClasses UpdatedClasses_Updated
      Processed TransactionInstances UpdatedInstances_Updated
      Processed TransactionSecured Task ExecutedTask_Behavior
      Processed TransactionEntry Momentdate changedEntry_Moment
      Processed TransactionSecured Task ExecutedtaskSecured_Task_Executed
      Processed TransactionProcessed TransactionProcessed_Transaction
      Processed TransactionSystem AccountSystem_Account
      Attibutes that ChangedChanged AttributeChanged_Attribute
      Attributes that ChangedPrevious ValuePrevious_Value
      Attributes that ChangedValueValue
      Under the Group Column Headings section, add the following business object to the report.
      Business Object Group Column Heading XML Alias
      Attributes that ChangedAttributes_that_Changed_group
    4. In the Additional Info section, select the Filter tab and specify the following filters using the fields provided.
      Adding these filters limits the information that the report collects to only the information that SSPM requires. Limiting the report collection in this way improves performance.
      And/OrFieldOperatorComparison TypeComparison Value
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - Business Processes
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - HCM
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - Global
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - Security
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - System
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - Reporting and Analytics
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - Recruiting
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - Payroll
      OrTask Behaviorexact match with the selection listValue specified in this filterEdit Tenant Setup - Integrations
    5. In the Additional Info section, select the Share tab and specify the following sharing options using the fields provided.
      FieldValue
      Report Definition Sharing Options
      Share with specific authorized groups and users.
      Authorized Groups
      The name of the security group that you created for the integration system user.
      Authorized Users
      The name of the security integration user that you created earlier.
    6. To save the report, click OK.
    7. Get the web service URL for the custom report.
      1. Locate the options menu for your custom report. The options menu is the ellipsis (…) located next to the name of the custom report in the banner of the Create Custom Report page. Select ...Web ServiceView URLs.
        Workday displays the View URLs Web Service page, which lists the various data formats that are available. SSPM requires the JSON data format.
      2. On the View URLs Web Service page, locate the JSON area. Copy the URL destination for the JSON link, and paste the URL into a text file.
        Don’t continue to the next step unless you have copied the web service URL for the JSON data format. You will provide this information to SSPM during the onboarding process.

    Connect SSPM to Your Workday Instance

    By adding a Workday app in SSPM, you enable SSPM to connect to your Workday instance.
    1. Sign out of all Workday accounts.
      During onboarding, SSPM will redirect you to log in to Workday and to grant SSPM the access to Workday that it requires. You must log in by using the integration system user account that you created. Some browsers can automatically log you in by using saved credentials. To ensure that the browser does not automatically log you in to the wrong account, you can turn off any automatic log-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
    2. From the Add Application page (ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application), click the Workday tile.
    3. On the Posture Security tab, Add New instance.
    4. Log in with Credentials.
    5. Enter the application credentials (Client ID and Client Secret), the authorization and token endpoints, and the custom report web service URL.
    6. Connect.
      SSPM redirects you to the Workday login page.
    7. Log in to Workday using the login credentials for the integration system user that you created.
      Workday displays a consent form that details the access permissions that SSPM requires.
    8. Review the consent form and allow access.

    © 2025 Palo Alto Networks, Inc. All rights reserved.