Onboard a Workday App to SSPM

Connect a Workday instance to SSPM to detect posture risks.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • SaaS Security Posture Management license
Or any of the following licenses that include the Data Security license:
  • CASB-X
  • CASB-PA
For SSPM to detect posture risks in your Workday instance, you must onboard your Workday instance to SSPM. Through the onboarding process, SSPM connects to a Workday API and, through the API, scans your Workday instance at regular intervals for misconfigured settings and account risks.
SSPM gets access to your Workday instance through OAuth 2.0 authorization. To enable OAuth 2.0 authorization, you first create an API Client for Integrations in Workday. In Workday, you must also create an integration system user and a custom report exposed as a web service. During onboarding, you will provide SSPM with a manually generated refresh token associated with the integration system user account that you created. To scan Workday for misconfigured settings, SSPM will pull data from the custom report.
During the onboarding process, you will provide SSPM with the following information:
Item | Description
--- | ---
Client ID | SSPM will access a Workday API through an API Client for Integrations that you create. Workday generates the Client ID to uniquely identify this application.
Client Secret | SSPM will access a Workday API through an API Client for Integrations that you create. Workday generates the Client Secret, which SSPM uses to authenticate to this application.
Token Endpoint | SSPM will access a Workday API through the API Client for Integrations that you create. SSPM uses the token endpoint to generate an authentication token.
Refresh Token | SSPM will access a Workday API through an API Client for Integrations that you create. SSPM uses this persistent token to maintain a secure connection that remains active independently of user sessions.
Custom Audit Log Report Web Service URL | The URL that exposes a custom report as a web service. To scan for misconfigured settings, SSPM uses this custom report to pull information from your Workday instance.
As you complete the following steps, make note of the values of the items described in the preceding table. You will enter these values during onboarding to access and scan your Workday instance from SSPM.
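How the four OAuth values in the preceding table fit into one token refresh, shown as an added example (not Palo Alto Networks or Workday code). It assumes the token endpoint accepts a standard RFC 6749 section 6 refresh grant with HTTP Basic client authentication; the host name, credentials and function names are constructed placeholders, and the request is built but never sent.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_refresh_request(token_endpoint, client_id, client_secret, refresh_token):
    """Build (but do not send) an RFC 6749 section 6 refresh-token grant."""
    values = {"token_endpoint": token_endpoint, "client_id": client_id,
              "client_secret": client_secret, "refresh_token": refresh_token}
    missing = [name for name, value in values.items() if not value or not value.strip()]
    if missing:
        raise ValueError("missing onboarding value(s): " + ", ".join(missing))
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https")
    # Assumption: the client authenticates with HTTP Basic (client_id:client_secret).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}).encode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return the access token, or raise with the OAuth error code."""
    doc = json.loads(raw)
    if "error" in doc:
        # For example invalid_grant once the refresh token has expired or been deleted.
        raise PermissionError("token endpoint refused the grant: " + doc["error"])
    if not doc.get("access_token"):
        raise ValueError("response carries no access_token")
    return doc["access_token"]


# Constructed placeholder values; none of them are real credentials.
SAMPLE_REQUEST = build_refresh_request(
    "https://workday.example.invalid/oauth2/example_tenant/token",
    "example-client-id", "example-client-secret", "example-refresh-token")
SAMPLE_OK = '{"access_token": "example-access-token", "token_type": "Bearer"}'
SAMPLE_REVOKED = '{"error": "invalid_grant"}'
```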

Create an Integration System User

To enable SSPM to scan your Workday instance securely, you must create a non-human integration system user account. Later, you will associate this account with the API Client for Integrations to allow background scanning to run independently of human user sessions. Complete the following steps to create the integration system user account and to configure the account's permissions through a security group.
  1. Identify the administrator account that you will use to create the integration system user.
    Required Permissions: To create the integration system user, you must have Security Administrator permissions in Workday.
  2. Create the integration system user.
    1. Log in to the Workday console using the Workday Security Administrator account that you identified earlier.
    2. Using the Workday console's search field, search for Create Integration System User. Select Create Integration System User from the search results.
    3. On the Create Integration System User page, specify a user name and password for the account.
    4. For enhanced security, check the Do Not Allow UI Sessions checkbox.
    5. Click OK.
  3. Create a security group for the integration system user.
    1. Using the Workday console's search field, search for Create Security Group and select Create Security Group from the search results.
    2. On the Create Security Group page, complete the following actions:
      1. Locate the Type of Tenanted Security Group field. From the field's drop-down, select Integration System Security Group (Unconstrained).
      2. Specify a name for the security group and click OK.
    3. On the Integration System Security Group (Unconstrained) page, complete the following actions:
      1. Locate the Integration System Users field and select the name of the integration system user that you created earlier.
      2. Click OK.
  4. Specify domain security policy permissions for the security group.
    1. Using the Workday console's search field, search for Maintain Permissions for Security Group and select Maintain Permissions for Security Group from the search results.
    2. On the Maintain Permissions for Security Group page, complete the following actions:
      1. Locate the Operation field and select the Maintain operation.
      2. Locate the Source Security Group field and select the name of the security group that you created earlier.
      3. Click OK.
        Workday displays a second Maintain Permissions for Security Group page.
    3. On the Maintain Permissions for Security Group page, complete the following actions:
      1. Navigate to the Domain Security Policy Permissions tab.
      2. Add the following domain security policies with the following access permissions to the security group. To add a policy permission, click the plus sign (+) icon.
        Domain Security Policy | View/Modify Access
        --- | ---
        Workday Accounts | View Only
        Worker Data: Public Worker Reports | View Only
        Security Administration | View Only
        Security Configuration | View Only
        System Auditing | View Only
  5. Activate Pending Security Policy Changes.
    1. Using the Workday console's search field, search for Activate Pending Security Policy Changes and select Activate Pending Security Policy Changes from the search results.
    2. On the Activate Pending Security Policy Changes page, type in a comment describing the security changes you made, and click OK.
      Workday displays a second Activate Pending Security Policy Changes page summarizing the changes that you made.
    3. On the Activate Pending Security Policy Changes page, select the Confirm check box.
    4. Click OK.

Register an API Client for Integrations in Workday

To enable SSPM to connect to your Workday instance, create an API Client for Integrations. This type of client relies on a persistent refresh token to maintain a secure connection that remains active independently of user sessions.
  1. Identify the administrator account that you will use to create the API Client for Integrations.
    Required Permissions: To register an API Client for Integrations, you must have Security Administrator permissions in Workday.
  2. Register the API Client for Integrations.
    1. Log in to the Workday console using the Workday Security Administrator account that you identified earlier.
    2. In the search field, search for Register API Client for Integrations and select Register API Client for Integrations from the search results.
      Workday displays the Register API Client for Integrations page.
    3. On the Register API Client for Integrations page, specify the following information in the fields provided.
      Field | Value
      --- | ---
      Client Name | Specify a unique name, such as SSPM_Integration_Client.
      Refresh Token Timeout (in days) | Specify the number of days that the refresh token is valid. For example, 365. For enhanced security, do not select the Non-Expiring Refresh Tokens checkbox.
      Scope (Functional Areas) | Select Tenant Non-Configurable and System. For the System functional area, ensure that Workday Query Language is listed under the Includes Domains column. If it is missing, your Workday Security Administrator must verify that the Workday Query Language domain policy is enabled and accessible to integrations in your tenant.
      Include Workday Owned Scope | Select this checkbox.
    4. Click OK.
      Workday registers your API Client for Integrations and displays the application credentials (Client ID and Client Secret).
    5. Copy and save the Client ID and Client Secret to a text file.
      Do not continue to the next step unless you have copied the Client ID and Client Secret. You will provide this information to SSPM during the onboarding process.
  3. Generate a Refresh Token for the integration system user.
    1. On the Edit API Client for Integrations page, click the ellipsis (...) next to the client name.
    2. Select API Client > Manage Refresh Tokens for Integrations to open the Manage Refresh Tokens for Integrations dialog.
    3. From the Workday Account field, locate and select the integration system user that you created earlier and click OK.
    4. On the Delete or Regenerate Refresh Token page, select the Generate New Refresh Token and Confirm Delete checkboxes.
    5. Click OK.
    6. Copy the Refresh Token and paste it into a text file.
      Do not continue to the next step unless you have copied the Refresh Token. You will provide this information to SSPM during the onboarding process.
  4. Get the Token Endpoint.
    1. In the search field, search for View API Clients and select View API Clients from the search results.
      Workday displays the View API Clients page.
    2. From the View API Clients page, copy the Token Endpoint value and paste it into a text file.
      Don’t continue to the next step unless you have copied the Token Endpoint. You will provide this information to SSPM during the onboarding process.

Create a Custom Report

To scan your Workday instance, SSPM pulls data from a custom report that you expose as a web service. To create this report, complete the following steps using the Workday Security Administrator account that you identified earlier.
  1. Using the Workday console's search field, search for Create Custom Report and select Create Custom Report from the search results.
  2. On the Create Custom Report page, complete the following actions:
    1. In the Report Name field, specify a name for your report.
    2. From the Report Name list, select Advanced.
    3. Select the Enable As Web Service and Optimized for Performance check boxes.
    4. In the Data Source field, specify Processed Transactions for Range, System Account, Task and Business Object.
    5. Click OK.
    Workday displays the Edit Custom Report page, where you can define the information that your report will collect.
  3. On the Edit Custom Report page, in the Additional Info section, select the Columns tab and add the following columns to the report.
    Business Object | Field | Column Heading Override | Column Heading Override XML Alias
    --- | --- | --- | ---
    Processed Transaction | Classes Updated | | Classes_Updated
    Processed Transaction | Instances Updated | | Instances_Updated
    Processed Transaction | Secured Task Executed | | Task_Behavior
    Processed Transaction | Entry Moment | date changed | Entry_Moment
    Processed Transaction | Secured Task Executed | task | Secured_Task_Executed
    Processed Transaction | Processed Transaction | | Processed_Transaction
    Processed Transaction | System Account | | System_Account
    Attributes that Changed | Changed Attribute | | Changed_Attribute
    Attributes that Changed | Previous Value | | Previous_Value
    Attributes that Changed | Value | | Value
    Under the Group Column Headings section, add the following business object to the report.
    Business Object | Group Column Heading XML Alias
    --- | ---
    Attributes that Changed | Attributes_that_Changed_group
  4. In the Additional Info section, select the Filter tab and specify the following filters using the fields provided.
    Adding these filters limits the information that the report collects to only the information that SSPM requires. Limiting the report collection in this way improves performance.
    And/Or | Field | Operator | Comparison Type | Comparison Value
    --- | --- | --- | --- | ---
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - Business Processes
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - HCM
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - Global
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - Security
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - System
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - Reporting and Analytics
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - Recruiting
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - Payroll
    Or | Task Behavior | exact match with the selection list | Value specified in this filter | Edit Tenant Setup - Integrations
  5. In the Additional Info section, select the Prompts tab and create the following prompt.
    1. Select the Display Prompt Values in Subtitle check box.
    2. In the fields provided, enter the following specifications. For the From Moment and To Moment fields, make sure the Required check box is selected.
      If the Business Object and Workday Account fields are not available, select the Populate Undefined Prompt Defaults checkbox. Selecting this checkbox will add both these fields.
      Field | Label For Prompt XML Alias | Required (Check Box)
      --- | --- | ---
      From Moment | From_Moment | Yes
      To Moment | To_Moment | Yes
      Business Object | Business_Object |
      Task | Task |
      Workday Account | Workday_Account |
  6. In the Additional Info section, select the Share tab and specify the following sharing options using the fields provided.
    Field | Value
    --- | ---
    Report Definition Sharing Options | Share with specific authorized groups and users.
    Authorized Groups | The name of the security group that you created for the integration system user.
    Authorized Users | The name of the security integration user that you created earlier.
  7. For SSPM to successfully process the custom report, you must not have made changes on the Sort tab. If you added any fields or modified settings on the Sort tab, remove those changes to return the tab to its default state.
  8. To save the report, click OK.
  9. Get the web service URL for the custom report.
    1. Locate the options menu for your custom report. The options menu is the ellipsis (...) located next to the name of the custom report in the banner of the Create Custom Report page. Select ... > Web Service > View URLs.
      Workday displays the View URLs Web Service page, which lists the various data formats that are available. SSPM requires the JSON data format.
    2. On the View URLs Web Service page, locate the JSON area. Copy the URL destination for the JSON link, and paste the URL into a text file.
      Don’t continue to the next step unless you have copied the web service URL for the JSON data format. You will provide this information to SSPM during the onboarding process.
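A pre-onboarding check of the report output, added here as an example and not part of the product or Workday documentation. It assumes the JSON link carries format=json, that prompts are passed as query parameters named by their XML aliases, and that rows arrive under a top-level Report_Entry array with the group alias holding a nested list; the URL, sample response and function names are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# XML aliases taken from the Columns and Group Column Headings tables above.
ROW_ALIASES = {"Classes_Updated", "Instances_Updated", "Task_Behavior", "Entry_Moment",
               "Secured_Task_Executed", "Processed_Transaction", "System_Account"}
GROUP_ALIAS = "Attributes_that_Changed_group"
GROUP_ALIASES = {"Changed_Attribute", "Previous_Value", "Value"}


def report_query_url(report_url, from_moment, to_moment):
    """Append the two required prompts to the JSON web service URL."""
    parts = urlsplit(report_url)
    if parts.scheme != "https":
        raise ValueError("report URL must use https")
    # Assumption: the JSON link is marked by a format=json query parameter.
    if parse_qs(parts.query).get("format") != ["json"]:
        raise ValueError("copy the URL from the JSON link (format=json)")
    prompts = urlencode({"From_Moment": from_moment, "To_Moment": to_moment})
    return parts._replace(query=parts.query + "&" + prompts).geturl()


def unknown_aliases(raw_json):
    """Return aliases in the report output that the tables above do not define."""
    unknown = set()
    for row in json.loads(raw_json)["Report_Entry"]:
        unknown |= set(row) - ROW_ALIASES - {GROUP_ALIAS}
        for change in row.get(GROUP_ALIAS, []):
            unknown |= set(change) - GROUP_ALIASES
    return sorted(unknown)


# Constructed sample response with one mistyped alias (Task_Behaviour).
SAMPLE_REPORT = json.dumps({"Report_Entry": [{
    "Entry_Moment": "2024-01-01T10:00:00Z",
    "Task_Behaviour": "Edit Tenant Setup - Security",
    "System_Account": "example-admin",
    GROUP_ALIAS: [{"Changed_Attribute": "example setting",
                   "Previous_Value": "No", "Value": "Yes"}],
}]})
```

An empty result from unknown_aliases means every key in the output matches an alias from the tables; a non-empty one names the column whose XML alias needs correcting on the Columns tab.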

Connect SSPM to Your Workday Instance

By adding a Workday app in SSPM, you enable SSPM to connect to your Workday instance.
  1. Log in to Strata Cloud Manager.
  2. From the Add Application page (Configuration > SaaS Security > Posture Security > Applications > Add Application), click the Workday tile.
  3. On the Posture Security tab, Add New instance.
  4. Log in with Credentials.
  5. Enter the application credentials (Client ID and Client Secret), the token endpoint, the refresh token, and the custom report web service URL.
  6. Connect.
    SSPM establishes a secure connection to your Workday instance using the provided credentials.