This procedure helps you integrate your Workday installation with the Expel Workbench.
You must have an account with these security groups assigned to it:
- Security Administrator
- System Auditor
- Report Administrator
Enable console access
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity happening on the Workday console.
Step 1: Create an Integration System user account
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- Log into the Workday device and navigate to Create Integration System User.
- Fill in the Account Information like this:
  - For User Name type Expel_user.
  - Create and verify a Password. Make note of it for use later.
  - For Session Timeout Minutes type 0.
  - Select Do Not Allow UI Sessions.
- Navigate to Maintain Password Rules and add Expel_user to the list of System Users exempt from password expiration.
Step 2: Create a security group
- Navigate to Create Security Group and fill in the fields like this:
  - For Type of Tenanted Security Group select Integration System Security Group (Unconstrained).
  - For Name type Expel Client Security Group.
  - For Email enter: youremailaddress@yourcompanyname.com.
  - For Roles select the Expel role you created in the previous step.
  - Click Add New User.
- In the Edit Integration System Security Group (Unconstrained) window, add Expel_user to the Integration System Users list.
- Navigate to View Domain for the System Auditing domain.
- Open the System Auditing Actions menu and select Domain > Edit Security Policy Permissions.
- Add the Expel Client Security Group to these tables:
  - Report/Task Permissions: select View.
  - Integration Permissions: select Get.
  - Customer Report creation: select View and Modify.
  - System Auditing: select View and Get.
  - Security Administration: select Get.
- Navigate to Activate Pending Security Policy Changes and activate the changes.
Step 3: Generate API credentials
The normal interaction with Workday is through the API. This step creates the Access Key that allows Expel to use the API.
- Navigate to Register API Client for Integrations and fill in the fields like this:
  - For Client Name type Expel CollectorsCo.
  - Select Non-Expiring Refresh Tokens.
  - For Scope (Functional Areas) select System.
- Make note of the newly generated Client Secret and Client ID which are used for registration in Workbench. If you lose the Client Secret, you can create a new one with Generate New API Client Secret.
- Navigate to View API Clients. All endpoints must be set explicitly, including the token_endpoint and rest_api_endpoint because of Workday's unique URL structure. Make a copy of these two endpoints for use later:
  - Workday REST API Endpoint (example: https://<tenant hostname>/ccx/api/privacy/v1/<tenant>)
  - Token Endpoint (example: https://<tenant hostname>/ccx/oauth2/<tenant>/token)
- Navigate to the API Clients for Integrations tab, find the Expel client in the list, and open the menu (3 dots) for that client.
- In the menu, select API Client > Manage Refresh Token for Integrations.
- On the Manage Refresh Tokens for Integrations screen, select Expel_user in the Workday Account field and click OK.
- On the Delete or Regenerate Refresh Token screen, select Generate New Refresh Token and click OK.
- Make a copy of the Refresh Token for use later and click Done.
Step 4: Enable activity logging
- Navigate to Edit Tenant Setup - System and select Enable User Activity Logging.
- Navigate to Edit Tenant Setup - Security and select OAuth 2.0 Clients Enabled.
Step 5: Create a custom signon report
- Navigate to Copy Standard Report to Custom Report and select Candidate Signons and Attempted Signons from the Standard Report Name list.
- Change the Name to Custom Signons and Attempted Signons Report for Expel and select Optimized for Performance.
- Edit the Data Source Filter field and select the Workday System Accounts Signons in Range filter.
- Go to the Columns tab, click the + button and add these fields:
  - Operating System
  - Password Changed
  - Request Originator
  - SAML Identity Provider
  - Forgotten Password Reset Request
  - Multi-Factor Type
  - Is Device Managed
  - UI Client Type
  - Browser Type
  - Device is Trusted
- In the Column Heading Override column, remove the text for Field > Session ID and Field > System Account.
- Open the Advanced tab, and under Web Service Options, select Enable As Web Service.
- Open the Share tab, select Share with specific authorized groups and users, and then add Expel_user to Report Owned by.
- Click Done to finish saving the custom report settings.
- Search for Custom Signons and Attempted Signons Report for Expel in the search bar and run the report.
- On the report screen, open the Actions menu and select Web Service > View URLs.
- Click OK and copy the URL from the JSON link.
- Remove query parameters from the URL so that it contains <tenant>/<account_name>/<report_name> and add the Expel_user within the URL: https://<instance>/ccx/service/customreport2/<tenantID>/Expel_user/Custom_Signons_and_Attempted_Signons_Report_for_Expel_New
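A pre-flight check for the URLs collected in Steps 3 and 5, added here as an example and not taken from Expel's or Workday's documentation. The function names and sample values are hypothetical, and the check assumes the tenant segment is the same in all three URLs.

```python
from urllib.parse import urlsplit, urlunsplit

REPORT_PREFIX = ["ccx", "service", "customreport2"]

def normalize_report_url(copied_url, account="Expel_user"):
    """Drop query/fragment and put the integration account in the owner slot."""
    u = urlsplit(copied_url.strip())
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or not u.hostname:
        raise ValueError("report URL must be an https URL")
    if parts[:3] != REPORT_PREFIX or len(parts) != 6:
        raise ValueError("expected /ccx/service/customreport2/<tenant>/<account>/<report>")
    tenant, _owner, report = parts[3:]
    path = "/" + "/".join(REPORT_PREFIX + [tenant, account, report])
    return urlunsplit(("https", u.netloc, path, "", ""))

def tenant_of(url, kind):
    """Return (host, tenant) for a 'rest' or 'token' endpoint shaped as in Step 3."""
    u = urlsplit(url.strip())
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or u.query or u.fragment:
        raise ValueError(f"{kind} endpoint must be https with no query string")
    if kind == "rest" and parts[:4] == ["ccx", "api", "privacy", "v1"] and len(parts) == 5:
        return u.hostname, parts[4]
    if kind == "token" and parts[:2] == ["ccx", "oauth2"] and parts[3:] == ["token"]:
        return u.hostname, parts[2]
    raise ValueError(f"{kind} endpoint does not match the expected path")

def check_settings(rest_url, token_url, report_url):
    """Return the cleaned report URL once all three URLs name the same tenant."""
    cleaned = normalize_report_url(report_url)
    report_tenant = urlsplit(cleaned).path.split("/")[4]
    tenants = {tenant_of(rest_url, "rest")[1], tenant_of(token_url, "token")[1], report_tenant}
    if len(tenants) != 1:  # assumption: one tenant name across all three URLs
        raise ValueError(f"tenant mismatch across endpoints: {sorted(tenants)}")
    return cleaned

# Constructed sample values, not from a real tenant.
SAMPLE_REST = "https://wd2.example.com/ccx/api/privacy/v1/acme"
SAMPLE_TOKEN = "https://wd2.example.com/ccx/oauth2/acme/token"
SAMPLE_REPORT = ("https://wd2.example.com/ccx/service/customreport2/acme/jdoe/"
                 "Custom_Signons_and_Attempted_Signons_Report_for_Expel?format=json")

if __name__ == "__main__":
    print(check_settings(SAMPLE_REST, SAMPLE_TOKEN, SAMPLE_REPORT))
```

Running it on the values before pasting them into Workbench catches a leftover query string, a report URL still pointing at the report creator's account, or endpoints copied from different tenants.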
Step 6: Configure the technology in Workbench
- In a new browser tab, log into Workbench. This link opens the Add Security Device screen directly.
- Fill in the fields like this:
  - Where is your device?: select Cloud.
  - Name and Location: any meaningful name (Expel, for example) and location that help you keep track of the integration.
  - Client ID: Client ID generated in Step 3.3.
  - Client Secret: Client Secret generated in Step 3.3.
  - Refresh token: Refresh token generated in Step 3.12.
  - REST API endpoint: REST API endpoint copied in Step 3.5.
  - Token endpoint: Token endpoint copied in Step 3.5.
  - Sign on report endpoint: Endpoint copied in Step 5.16.
  - Sign on report username: Username created in Step 1.2.
  - Sign on report password: Password created in Step 1.2.