Workato
Early Access: This integration is provided as an Open Authorization API (OAA) connector package. Contact our support team for more information.
OAA Connector for Workato
Python connector for discovering Workato users and role assignments.
Overview
This connector uses the Workato API and the Workato SCIM API to retrieve and map user access to roles. This connector does not gather detailed information about downstream applications connected to Workato via recipes.
NOTE: This connector requires Workato API and SCIMv2 support on the Workato platform. Workato API support is an additional feature, provided as part of the API Platform Add-On. SCIM support is an additional feature, provided as part of the Advanced Security Add-On.
Generic Application Mappings
This connector uses the OAA Application template to map applications and identities to permissions. The following table shows how Custom Application entities correspond to Workato entities:
Workato | Generic Application |
---|---|
Workato Workspace | Application |
User | Local User |
Role | Local Role |
Project | Resource |
Setup
Workato Setup Instructions
Generate a Workato API token for a user with sufficient privileges to view all users and projects. See Workato Help for complete steps.
Create an API Client Role for Veza. The Veza API Client Role requires the following access:
Projects
Projects & Folders
List
List projects
Admin
Collaborator Roles
List non-system roles
Workspace Details
Get details
Configure SCIM provisioning on the Workspace. See Workato SCIM Provisioning for complete steps.
Record the SCIM token.
Veza Setup Instructions
Generate an API key for your Veza user. API keys can be managed in the Veza interface under Administration -> API Keys. For detailed instructions consult the Veza User Guide.
Command Line
With Python 3.8+ install the requirements either into a virtual environment or to the system:
Set the Veza API key and Workato API key as environment variables. All other parameters can be passed as either environment variables or command line arguments.
Run the code, passing any parameters not exported as environment variables as command line arguments:
Identity Format
Due to limitations in the Workato API and SCIM API responses, identity data must be computed during discovery. To ensure that identity information matches other systems discovered by Veza, two parameters must be provided:
The identity-domain: The IdP/identity domain of discovered users (ex: example.com)
The identity-format of usernames: The manner in which full display names (ex: John Doe) will be translated into identities
identity-format defaults to <first_name>.<last_name> (ex: "John Doe" -> john.doe). This can be overridden to <first_initial><last_name> (ex: "John Doe" -> jdoe) by setting identity-format to first_initial_last_name when invoking the connector.
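The translation described above, sketched as an added example (not the connector's own code), with a check for display names that collapse to the same computed identity and would therefore have their role assignments merged. Assumptions not stated on the page: the first and last whitespace-separated tokens are used as first and last name, the result is joined to the identity domain with "@", and the format label first_name.last_name for the default is hypothetical.

```python
from collections import defaultdict

# "first_initial_last_name" is the value the page documents; the label
# "first_name.last_name" for the documented default is hypothetical.
FORMATS = ("first_name.last_name", "first_initial_last_name")


def compute_identity(display_name, identity_domain, identity_format=FORMATS[0]):
    """Translate a full display name into a computed identity.

    Assumptions (not documented on the page): the first whitespace-separated
    token is the first name, the last token is the last name, and the local
    part is joined to the domain with "@".
    """
    if identity_format not in FORMATS:
        raise ValueError(f"unsupported identity format: {identity_format!r}")
    parts = display_name.split()
    if len(parts) < 2:
        raise ValueError(f"cannot split {display_name!r} into first/last name")
    first, last = parts[0].lower(), parts[-1].lower()
    if identity_format == "first_initial_last_name":
        local = first[0] + last
    else:
        local = f"{first}.{last}"
    return f"{local}@{identity_domain.lower()}"


def find_collisions(display_names, identity_domain, identity_format):
    """Return {identity: [display names]} for identities shared by 2+ users.

    A collision means role assignments of different Workato users would be
    attributed to one identity, so review it before trusting the mapping.
    """
    seen = defaultdict(list)
    for name in display_names:
        seen[compute_identity(name, identity_domain, identity_format)].append(name)
    return {ident: names for ident, names in seen.items() if len(names) > 1}


# Constructed sample data, not real Workato output.
SAMPLE_USERS = ["John Doe", "Jane Doe", "Maria Garcia Lopez"]

if __name__ == "__main__":
    for fmt in FORMATS:
        print(fmt, find_collisions(SAMPLE_USERS, "example.com", fmt))
```

With the constructed sample, the default format produces no collisions, while first_initial_last_name maps both "John Doe" and "Jane Doe" to the same identity.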
Parameters
Parameter | Environment Variable | Value |
---|---|---|
| | | The e-mail domain for discovered Workato users (ex: example.com) |
| | | The username format for discovered Workato users (see: Identity-Format) |
| | | URL for the Workato API (defaults to https://www.workato.com/api - the US endpoint) |
| | | URL for the Workato SCIM API (defaults to https://app.workato.com/scim/v2) |
| | | API key generated for Workato |
| | | SCIM API key generated for Workato |
| | | URL of Veza deployment |
| | | API key generated for Veza |
| | | Optional, enable verbose output and debug information |
| | | Optional, save OAA payload to JSON file locally for debugging |