Integrate Workday with Password Safe

Workday provides cloud-based software specializing in applications for financial management, enterprise resource planning, and human capital management. Integrating Workday with Password Safe allows the Change Password action to be performed for Workday managed accounts. Test Managed Account and Test Functional Account features are not implemented.

BeyondTrust recommends the assistance of the Professional Services Team to implement this integration. Please contact your BeyondTrust Account Manager to discuss costs and time requirements for this service.

Prerequisites

Before implementing the integration, ensure the following prerequisites are met:

  • Access to Workday cloud tenant
  • The DistinguishedName for the managed account must be its WorkerID (e.g. 156)
  • The Name for the managed account must be in the format ma01@tenant
  • Default password policy configured in Password Safe with no spaces and at least one special character
  • Workday functional account in Password Safe needs access to Workday cloud tenant API and this function: Update_Workday_Account
  • Access to Password Safe Cloud instance, or on-premises version 23.1.1 or later release

Create a Password Policy

Simple Object Access Protocol (SOAP) is a message specification for exchanging information between systems and applications. Take care when adding special characters to the password policy. Some special characters, such as <, will break the SOAP body.

  1. Log in to the BeyondInsight console as a BeyondInsight administrator.
  2. Go to Configuration > Privileged Access Management Policies > Password Policies.

Add password policy details

  1. Click Create New Password Policy.
  2. Type in a name and then scroll down to the bottom and remove special characters other than ! and @.
  3. Click Update Password Policy.
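
The SOAP caveat and the policy steps above, as an added example (not BeyondTrust or Workday code): this Python check places each special character unescaped into a constructed SOAP envelope to find the ones that make it unparseable, then validates a candidate password against the requirements on this page. The envelope's Password element and all function names are assumptions for illustration.

```python
import string
import xml.etree.ElementTree as ET

# Constructed SOAP 1.1 envelope. <Password> is a placeholder element,
# not Workday's actual request schema.
ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><Password>{pw}</Password></soapenv:Body>"
    "</soapenv:Envelope>"
)
ALLOWED_SPECIALS = set("!@")  # the specials the policy steps above keep


def body_is_well_formed(password):
    """True if the unescaped password leaves the envelope parseable and intact."""
    try:
        root = ET.fromstring(ENVELOPE.format(pw=password))
    except ET.ParseError:
        return False
    node = root.find(".//Password")
    return node is not None and node.text == password


def breaking_specials(policy_specials):
    """Return the characters of a policy's special set that corrupt the body."""
    return [c for c in policy_specials if not body_is_well_formed("Aa1" + c)]


def validate_password(password):
    """Check a generated password against this page's policy requirements."""
    problems = []
    if any(c.isspace() for c in password):
        problems.append("contains a space")
    specials = {c for c in password if c in string.punctuation}
    if not specials:
        problems.append("no special character")
    if specials - ALLOWED_SPECIALS:
        problems.append("special character outside ! and @")
    if not body_is_well_formed(password):
        problems.append("breaks the SOAP body")
    return problems


if __name__ == "__main__":
    print(breaking_specials(string.punctuation))
    print(validate_password("Good!Pass@1"))
    print(validate_password("bad pass<1"))
```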

 

Create a Functional Account

Still logged in as a BeyondInsight administrator, create a functional account as follows:

  1. Go to Configuration > Privileged Access Management > Functional Account.
  2. Click Create New Functional Account. Fill out all required fields.

Create a new functional account

  1. Select Cloud from the Entity Type dropdown.
  2. Select Workday from the Platform dropdown.
  3. Type in the username in the format of Username@tenantid.
  4. Enter the URL in the Domain/LDAP server field:
    • (e.g., wd2-impl-services1.workday.com)
  5. Enter the password and confirm it.
  6. Enter an alias name. The alias can be the same as the username.
  7. Select the appropriate workgroup from the Workgroup dropdown.
  8. Click Create Functional Account.

 

Create a Managed System

  1. From the left menu in the console, click Managed Systems.
  2. Click Create New Managed System.

Create a new managed system

  1. Select Cloud from the Entity Type dropdown.
  2. Select Workday from the Platform dropdown.
  3. Enter a Name.
  4. Enter the Access URL.
  5. Select the same workgroup as the functional account from the Workgroup dropdown. Fill out all required fields.
  6. Expand the Credential section and select the functional account.
  7. Click Create Managed System.

 

Create a Managed Account

  1. From the left menu in the console, click Managed Systems.
  2. Select Platform from the Filter by dropdown, and then select Workday from the Platform dropdown.

Create a new managed account

  1. Click the vertical ellipsis to the right of the Workday managed system and select Go to Advanced Details.
  2. Under Advanced Details, select Managed Accounts.
  3. Click Create New Managed Account.
  4. Enter the name in the format of ma01@tenant.
  5. Enter the WorkerID (e.g. 156) for the managed account in the Distinguished Name field.
  6. Click Create Account.

 

If you encounter any issues or errors, please contact BeyondTrust Support for additional assistance.