SaaS Security Administrator's Guide
    : Onboard a Workday App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. SaaS Security Posture Management
    5. Onboard SaaS Apps Supported by SSPM
    6. Onboard a Workday App to SSPM
    Download PDF

    SaaS Security Administrator's Guide

    Onboard a Workday App to SSPM

    Table of Contents

    Onboard a Workday App to SSPM

    Connect a Workday instance to SSPM to detect posture risks.
    For SSPM to detect posture risks in your Workday instance, you must onboard your Workday instance to SSPM. Through the onboarding process, SSPM connects to a Workday API and, through the API, scans your Workday instance at regular intervals for misconfigured settings.
    SSPM gets access to your Workday instance through OAuth 2.0 authorization. To enable OAuth 2.0 authorization, you first create an API client application in Workday. In Workday, you must also create an integration system user and a custom report exposed as a web service. During onboarding, SSPM will redirect you to log in to Workday. You will log in to Workday using the credentials for the integration system user account that you created. To scan Workday for misconfigured settings, SSPM will pull data from the custom report.
    To onboard your Workday instance, you complete the following actions:
    During the onboarding process, you will provide SSPM with the following information:
    ItemDescription
    Client ID
    SSPM will access a Workday API through an API client that you create. Workday generates the Client ID to uniquely identify this application.
    Client secret
    SSPM will access a Workday API through an API client that you create. Workday generates the Client Secret, which SSPM uses to authenticate to this application.
    Authorization endpoint
    SSPM will access a Workday API through an OAuth 2.0 application that you create. SSPM uses this endpoint for authorization requests.
    Token endpoint
    SSPM will access a Workday API through an OAuth 2.0 application that you create. SSPM uses the token endpoint to generate an authentication token.
    Custom report web service URL
    The URL that exposes a custom report as a web service. To scan for misconfigured settings, SSPM uses this custom report to pull information from your Workday instance.
    As you complete the following steps, make note of the values of the items described in the preceding table. You will enter these values during onboarding to access and scan your Workday instance from SSPM.

    Register an API Client in Workday

    To enable SSPM to connect to your Workday instance through OAuth 2.0 authentication, create an API client in Workday.
    1. From SSPM, get a redirect URL. You will specify this redirect URL in the OAuth 2.0 application that you will create in Workday. To get this information, you will begin the onboarding process in SSPM, but you will not complete the process.
      1. From the Add Application page in SSPM (Posture SecurityApplicationsAdd Application), click the Workday tile.
      2. Under posture security instances, Add Instance or, if there is already an instance configured, Add New instance.
        SSPM displays a connection page for onboarding a Workday instance. The Redirect URL field displays the redirect URL value.
      3. Copy the URL and paste it into a text file.
        Do not continue to the next step unless you have copied the redirect URL. You will need to specify this URL later when you are configuring the API client.
    2. Identify the administrator account that you will use to create the API client and the integration system user.
      Required Permissions: To create an API client and an integration system user, you must have Security Administrator permissions in Workday.
    3. Register the API client.
      1. Log in to the Workday console using the Workday Security Administrator account that you identified earlier.
      2. In the search field, search for Register API Client and select Register API client from the search results.
        Workday displays the Register API Client page.
      3. On the Register API Client page, specify a name for your client and specify the following information in the fields provided.
        FieldValue
        Client Grant Type
        Authorization Code Grant
        Access Token Type
        Bearer
        Redirection URI
        The redirect URL that you copied earlier from SSPM.
        Refresh Token Timeout (in days)
        The number of days that the refresh token is valid. For example, 365 days.
        Scope (Functional Areas)
        Tenant Non-Configurable
      4. Click OK.
        Workday registers your new API client and displays the application credentials and endpoints. Copy the following values and paste them into a text file:
        • Client ID
        • Client Secret
        • Authorization Endpoint
        • Token Endpoint
        Do not continue to the next step unless you have copied the Client ID, Client Secret, Authorization Endpoint, and Token Endpoint. You will provide this information to SSPM during the onboarding process.

    Create an Integration System User

    When you onboard Workday, SSPM will redirect you to the Workday login page for OAuth 2.0 authentication through the API client that you registered. At that time, you will log in to Workday using the integration system user account that you will create now. Complete the following steps to create the integration system user account and to configure the account's permissions through a security group.
    Complete the following steps using the Workday Security Administrator account that you identified earlier.
    1. Create the integration system user.
      1. Using the Workday console's search field, search for Create Integration System User. Select Create Integration System User from the search results.
      2. On the Create Integration System User page, specify a user name and password for the account and click OK.
    2. Create a security group for the integration system user.
      1. Using the Workday console's search field, search for Create Security Group and select Create Security Group from the search results.
      2. On the Create Security Group page, complete the following actions:
        1. Locate the Type of Tenanted Security Group field. From the field's drop-down, select Integration System Security Group (Unconstrained).
        2. Specify a name for the security group and click OK.
      3. On the Integration System Security Group (Unconstrained) page, complete the following actions:
        1. Locate the Integration System Users field and select the name of the integration system user that you created earlier.
        2. Click OK.
    3. Specify domain security policy permissions for the security group.
      1. Using the Workday console's search field, search for Maintain Permissions for Security Group and select Maintain Permissions for Security Group from the search results.
      2. On the Maintain Permissions for Security Group page, complete the following actions:
        1. Locate the Operation field and select the Maintain operation.
        2. Locate the Source Security Group field and select the name of the security group that you created earlier.
        3. Click OK.
          Workday displays a second Maintain Permissions for Security Group page.
      3. On the Maintain Permissions for Security Group page, complete the following actions:
        1. Navigate to the Domain Security Policy Permissions tab.
        2. Add the following domain security policies with the following access permissions to the security group. To add a policy permission, click the plus sign (+) icon.
          Domain Security PolicyView/Modify Access
          Workday Accounts
          View Only
          Security Administration
          View Only
          Security Configuration
          View Only
          Worker Data: Public Worker Reports
          View Only
    4. Activate Pending Security Policy Changes.
      1. Using the Workday console's search field, search for Activate Pending Security Policy Changes and select Activate Pending Security Policy Changes from the search results.
      2. On the Activate Pending Security Policy Changes page, type in a comment describing the security changes you made, and click OK.
        Workday displays a second Activate Pending Security Policy Changes page summarizing the changes that you made.
      3. On the Activate Pending Security Policy Changes page, select the Confirm check box.
      4. Click OK.

    Create a Custom Report

    To scan your Workday instance, SSPM pulls data from a custom report that you expose as a web service. To create this report, complete the following steps using the Workday Security Administrator account that you identified earlier.
    1. Using the Workday console's search field, search for Create Custom Report and select Create Custom Report from the search results.
    2. On the Create Custom Report page, complete the following actions:
      1. In the Report Name field, specify a name for your report.
      2. From the Report Name list, select Advanced.
      3. Select the Enable As Web Service check box.
      4. Make sure that the Optimized for Performance check box is not selected. If necessary, clear the check box.
      5. In the Data Source field, specify All Workday Accounts.
      6. Click OK.
      Workday displays the Edit Custom Report page, where you can define the information that your report will collect.
    3. On the Edit Custom Report page, in the Additional Info section, select the Columns tab and add the following columns to the report.
      Business ObjectField
      WorkerWorker Instance URL
      Workday AccountUsername
      Workday AccountSensitive Data is Masked in Output
      Workday AccountSession Timeout Minutes
      Workday AccountDays Since Last Password Change
      Workday AccountExempt from Password Expiration
      Workday AccountOne-Time Passcode Authentication Exempt
      Workday AccountGrace Period Enabled
      Workday AccountGrace Period Signins Remaining
      Workday AccountAccount Locked, Disabled or Expired
      Workday AccountHas Chief Human Resources Security Group
      Workday AccountHas Compensation Administrator Security Group
      Workday AccountHas Contingent Worker Partner Security Group
      Workday AccountHas Create / Modify Expense Report Access
      Workday AccountHas Create Customer Refund Access
      Workday AccountHas HR Administrator Security Group
      Workday AccountHas Information Administrator Security Group
      Workday AccountHas Payment Settlement Access - Expenses
      Workday AccountHas Payment Settlement Access - Payroll
      Workday AccountHas Payroll Modification Access
      Workday AccountHas Project Administrator Access
      Workday AccountOne-Time Passcode Authentication Exempt
      Workday AccountSecurity Exception - Customers
      Workday AccountSecurity Exception - Expenses
      Workday AccountSecurity Exception - Payroll
      Workday AccountSecurity Exception - Suppliers
      Under the Group Column Headings section, add the following business object to the report.
      Business Object Group Column Heading XML Alias
      WorkerWorker_group
    4. In the Additional Info section, select the Share tab and specify the following sharing options using the fields provided.
      FieldValue
      Report Definition Sharing Options
      Share with specific authorized groups and users.
      Authorized Groups
      The name of the security group that you created for the integration system user.
      Authorized Users
      The name of the security integration user that you created earlier.
    5. In the Additional Info section, select the Prompts tab and, in the prompt defaults area, add the Include Disabled Domains/ Functional Areas and Include Subdomains prompts to the report.
    6. To save the report, click OK.
    7. Get the web service URL for the custom report.
      1. Locate the options menu for your custom report. The options menu is the ellipsis (…) located next to the name of the custom report in the banner of the Create Custom Report page. Select ...Web ServiceView URLs.
        Workday displays the View URLs Web Service page, which lists the various data formats that are available. SSPM requires the JSON data format.
      2. On the View URLs Web Service page, locate the JSON area. Copy the URL destination for the JSON link, and paste the URL into a text file.
        Do not continue to the next step unless you have copied the web service URL for the JSON data format. You will provide this information to SSPM during the onboarding process.

    Connect SSPM to Your Workday Instance

    By adding a Workday app in SSPM, you enable SSPM to connect to your Workday instance.
    1. Sign out of all Workday accounts.
      During onboarding, SSPM will redirect you to log in to Workday and to grant SSPM the access to Workday that it requires. You must log in by using the integration system user account that you created. Some browsers can automatically log you in by using saved credentials. To ensure that the browser does not automatically log you in to the wrong account, you can turn off any automatic log-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
    2. From the Add Application page (Posture SecurityApplicationsAdd Application), click the Workday tile.
    3. Under posture security instances, Add Instance or, if there is already an instance configured, Add New instance.
    4. Log in with Credentials.
    5. Enter the application credentials (Client ID and Client Secret), the authorization and token endpoints, and the custom report web service URL.
    6. Connect.
      SSPM redirects you to the Workday login page.
    7. Log in to Workday using the login credentials for the integration system user that you created.
      Workday displays a consent form that details the access permissions that SSPM requires.
    8. Review the consent form and allow access.

    © 2024 Palo Alto Networks, Inc. All rights reserved.