Workday SSH
Password Safe Custom Platform
Context
While there is an out-of-the-box Workday Platform in Password Safe, some customers would prefer to have access to a customizable Workday integration. This step-by-step guide explains how to use an example Custom Platform provided by the BeyondTrust integrations team.
Prerequisites
- Access to a Workday Functional Account with SOAP API access to:
  - Workday_Account_for_Worker_Update
- Access to the XML template for the Custom Platform example
- Access to the curl script
- A Linux server with an account matching the Workday Functional Account
- A Password policy for Workday
Temporary download link: https://filetransfer.beyondtrust.com/link/em1Ox35ybfF9Ey9to7k7Se
Configure Linux host
Create an account on the Linux host whose username and password match the Workday Functional Account, like this:
sudo useradd -m -d /home/Workday_FA -s /bin/bash Workday_FA
sudo passwd Workday_FA
Start a session as the new user and create a subdirectory, like this:
mkdir scripting
Copy the curl script into this directory, then make it executable like this:
chmod u+x workday_changePassword.sh
To use a separate Functional Account for the Linux host and Workday API, see the Create host Login Account section below.
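The Custom Platform runs the script on this host over SSH, so it is worth confirming that no other local user can modify the script or its directory. The check below is an added example, not part of the BeyondTrust-provided files; the function name audit_script is hypothetical, and it assumes GNU stat on the Linux host.

```shell
#!/bin/sh
# Added example: audit the change-password script's ownership and mode.
# Assumes GNU stat (Linux). audit_script is a hypothetical helper name.
# Usage: ./audit.sh /home/Workday_FA/scripting/workday_changePassword.sh Workday_FA

audit_script() {
    script=$1; owner=$2; findings=0
    fail() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Refuse symlinks: the mode of the link target is what would be executed.
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "FINDING: $script is missing, a symlink, or not a regular file"
        return 1
    fi
    dir=$(dirname "$script")

    f_owner=$(stat -c '%U' "$script")
    f_mode=$(stat -c '%a' "$script")
    d_owner=$(stat -c '%U' "$dir")
    d_mode=$(stat -c '%a' "$dir")

    [ "$f_owner" = "$owner" ] || fail "script owned by $f_owner, expected $owner"
    [ "$d_owner" = "$owner" ] || fail "directory owned by $d_owner, expected $owner"
    # Group/other write on the file lets another local user change its contents.
    [ $(( 0$f_mode & 022 )) -eq 0 ] || fail "script mode $f_mode is group/world writable"
    # Group/other write on the directory lets another user replace the file.
    [ $(( 0$d_mode & 022 )) -eq 0 ] || fail "directory mode $d_mode is group/world writable"
    # The chmod u+x step from the guide: the owner execute bit must be set.
    [ $(( 0$f_mode & 0100 )) -ne 0 ] || fail "script mode $f_mode lacks owner execute"

    [ "$findings" -eq 0 ]
}

# Run the audit only when a path and an expected owner are supplied.
if [ "$#" -eq 2 ]; then
    audit_script "$1" "$2"
fi
```

A non-zero exit status means at least one finding was printed; the owner is a parameter, so the same check works for whichever account holds the script.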
Import Custom Platform
- Navigate to Configuration, Custom Platforms, then select Create New Custom Platform, Import Platform (XML).
- Browse to the file, then click Import Platform.
- Make sure that the prompt for your Linux host is included.
- Change the myTenant value for Change Password Step to match your actual Workday tenant.
Note
Some example Error Handling conditions have been included.
After you create a Managed System using the Platform (see next section), and a Functional Account, Unit Testing can be performed via Check/Change Password.
Note
Unit testing via the Custom Platform requires that a single Functional Account is used for both the Linux host and the Workday API. It is possible to use separate Functional Accounts after unit testing is completed.
Note
Only the Change Password Step is implemented.
Create Password Policy, Managed System, and Managed Account
- Create a new password policy for Workday as shown:
- Create a Functional Account for Workday.
- Create a new Managed System using the Workday SSH Custom Platform.
- Create a Managed Account with format empl_id:username and set the Password Policy to Workday.
At this point, you should be able to successfully initiate a Change Password action on the Managed Account.
Create Access Policy, Managed Account Smart Group, and Test Group
- Create Access Policy with only View Password enabled.
- Create a Managed Account Smart Rule for Workday.
Now we should be ready to create a Group and Test User.
- Create a Group and add the Smart Rule/Group with Read Only access and Requestor Password Safe Role. Set the Access Policy to Workday.
Create host login account
After unit testing via the Custom Platform is completed, it is possible to use a separate Functional Account to authenticate to the Linux host where the Workday script is located, instead of using the Workday API Functional Account.
sudo useradd -m -d /home/WorkdayLoginAcct -s /bin/bash WorkdayLoginAcct
sudo passwd WorkdayLoginAcct
Connect as WorkdayLoginAcct and copy the script into a scripting subdirectory.
- Make sure Enable Login Account is checked on the Workday SSH Custom Platform.
- Create a new Functional Account for the Login Account, and for the Workday SSH Platform. The username and password must match the values for the Linux host.
- Edit the Workday SSH Managed System, expand the Credentials section, and add the Login Account.