1. Expel Support Center
  2. Connect your technology
  3. SaaS integrations

Workday setup for Workbench

  • Updated

This procedure helps you integrate your Workday installation with the Expel Workbench.

In this article

Before you start

You must have an account with these security groups assigned to it:

  • Security Administrator

  • System Auditor

  • Report Administrator

Enable console access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity happening on the Workday console.

Step 1: Create an Integration System user account

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Log into the Workday device and navigate to Create Integration System User.

  2. Fill in the Account Information like this:

    • For User Name type Expel_user.

    • Create and verify a Password. Make note of it for use later.

    • For Session Timeout Minutes type 0.

    • Select Do Not Allow UI Sessions.

  3. Click OK.

  4. Navigate to Maintain Password Rules and add Expel_user to the list of System Users exempt from password expiration.

  5. Click OK.

Step 2: Create a security group

  1. Navigate to Create Security Group and fill in the fields like this:

    • For Type of Tenanted Security Group select Integration System Security Group (Unconstrained).

    • For Name type Expel Client Security Group.

    • For Email enter: youremailaddress@yourcompanyname.com.

    • For Roles select the Expel role you created in the previous step.

    • Click Add New User.

  2. Click OK.

  3. In the Edit Integration System Security Group (Unconstrained) window, add Expel_user to the Integration System Users list.

  4. Click OK.

  5. Navigate to View Domain for the System Auditing domain.

  6. Open the System Auditing Actions menu and select Domain > Edit Security Policy Permissions.

  7. Add the Expel Client Security Group to these tables:

    • Report/Task Permissions: select View.

    • Integration Permissions: select Get.

    • Customer Report creation: select View and Modify.

    • System Auditing: select View and Get.

    • Security Administration: select Get.

  8. Click OK.

  9. Navigate to Activate Pending Security Policy Changes and activate the changes.

  10. Click OK.

Step 3: Generate API credentials

The normal interaction with Workday is through the API. This step creates the Access Key that allows Expel to use the API.

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

  1. Navigate to Register API Client for Integrations and fill in the fields like this:

    • For Client Name type Expel CollectorsCo.

    • Select Non-Expiring Refresh Tokens.

    • For Scope (Functional Areas) select System.

  2. Click OK.

  3. Make note of the newly generated Client Secret and Client ID which are used for registration in Workbench. If you lose the Client Secret, you can create a new one with Generate New API Client Secret.

  4. Click Done.

  5. Navigate to View API Clients. All endpoints must be set explicitly, including the token_endpoint and rest_api_endpoint because of Workday's unique URL structure. Make a copy of these two endpoints for use later:

    • Workday REST API Endpoint (example: https://<tenant hostname>/ccx/api/privacy/v1/<tenant>)

    • Token Endpoint (example: https://<tenant hostname>/ccx/oauth2/<tenant>/token)

  6. Navigate to the API Clients for Integrations tab, find the Expel client in the list, and open the menu (3 dots) for that client.

  7. In the menu, select API Client > Manage Refresh Token for Integrations.

  8. On the Manage Refresh Tokens for Integrations screen, select Expel_user in the Workday Account field and click OK.

  9. On the Delete or Regenerate Refresh Token screen, select Generate New Refresh Token and click OK.

  10. Make a copy of the Refresh Token for use later and click Done.

Step 4: Enable activity logging

  1. Navigate to Edit Tenant Setup - System and select Enable User Activity Logging.

  2. Click OK.

  3. Navigate to Edit Tenant Setup - Security and select OAuth 2.0 Clients Enabled.

  4. Click OK.

Step 5: Create a custom signon report

  1. Navigate to Copy Standard Report to Custom Report and select Candidate Signons and Attempted Signons from the Standard Report Name list.

  2. Click OK.

  3. Change the Name to Custom Signons and Attempted Signons Report for Expel and select Optimized for Performance.

  4. Click OK.

  5. Edit the Data Source Filter field and select the Workday System Accounts Signons in Range filter.

  6. Go to the Columns tab, click the + button and add these fields:

    • Operating System

    • Password Changed

    • Request Originator

    • SAML Identity Provider

    • Forgotten Password Reset Request

    • Multi-Factor Type

    • Is Device Managed

    • UI Client Type

    • Browser Type

    • Device is Trusted

  7. In the Column Heading Override column, remove the text for Field > Session ID and Field > System Account.

  8. Open the Advanced tab, and under Web Service Options, select Enable As Web Service.

  9. Click OK.

  10. Open the Share tab, select Share with specific authorized groups and users, and then add Expel_user to Report Owned by.

  11. Click OK.

  12. Click Done to finish saving the custom report settings.

  13. Search for Custom Signons and Attempted Signons Report for Expel in the search bar and run the report.

  14. On the report screen, open the Actions menu and select Web Service > View URLs.

  15. Click OK and copy the URL from the JSON link.

  16. Remove query parameters from the URL so that it contains <tenant>/<account_name>/<report_name> and add the Expel_user within the URL: https://<instance>/ccx/service/customreport2/<tenantID>/Expel_user/Custom_Signons_and_Attempted_Signons_Report_for_Expel_New

Step 6: Configure the technology in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, log into Workbench. This link opens the Add Security Device screen directly.

  2. Fill in the fields like this:

    Workday_AddSecDev_2.png

    • Where is your device?: select Cloud.

    • Name and Location: any meaningful name (Expel, for example) and location that help you keep track of the integration.

    • Client ID: Client ID generated in Step 3.3.

    • Client Secret: Client Secret generated in Step 3.3.

    • Refresh token: Refresh token generated in Step 3.12.

    • REST API endpoint: REST API endpoint copied in Step 3.5.

    • Token endpoint: Token endpoint copied in Step 3.5.

    • Sign on report endpoint: Endpoint copied in Step 5.16.

    • Sign on report username: Username created in Step 1.2.

    • Sign on report password: Password created in Step 1.2.

  3. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 0 out of 0 found this helpful

Related articles