Powershell Remoting
Though ordinary PowerShell Remoting can be used to access the WorkdayAPI module, it is possible to create a special remoting configuration to proxy access to the Workday API behind Windows authentication. The following shows how to create a simple Remoting configuration. A better solution might be to use JEA, Just Enough Administration.
```powershell
$Username = 'WorkdayAPI'
$Password = Read-Host -Prompt 'Enter password for WorkdayAPI' -AsSecureString
New-LocalUser -Description 'WorkdayAPI proxy account.' -Name $Username -Password $Password -PasswordNeverExpires -UserMayNotChangePassword
Enable-PsRemoting
```
The SDDL below makes the session configuration available to all local administrators. To display a security dialog instead, use the parameter "-ShowSecurityDescriptorUI". Through this dialog, add the users and grant them "Invoke" rights.
```powershell
$Credential = [PSCredential]::new("$env:COMPUTERNAME\$Username", $Password) # Username and Password from above
New-PSSessionConfigurationFile -ModulesToImport WorkdayApi -LanguageMode ConstrainedLanguage -SessionType Default -Path "$env:TEMP\WorkdayApi.pssc"
Register-PSSessionConfiguration -Name WorkdayApi -RunAsCredential $Credential -Path "$env:TEMP\WorkdayApi.pssc" -SecurityDescriptorSddl 'O:NSG:BAD:P(A;;GAGX;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)' -Force
```
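The grant made through the security dialog can also be scripted, which suits unattended deployments and leaves a reviewable record of who may connect. This is an added example, not part of the WorkdayAPI project: the function name `Grant-SessionConfigurationInvoke` and the account `CONTOSO\WorkdayApiUsers` are hypothetical, and it assumes an elevated session and a configuration that was registered with an explicit security descriptor.

```powershell
function Grant-SessionConfigurationInvoke {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string]$ConfigurationName,
        [Parameter(Mandatory)][string]$Account   # hypothetical, e.g. 'CONTOSO\WorkdayApiUsers'
    )

    # GENERIC_EXECUTE ("GX" in SDDL) is the right the dialog labels "Execute(Invoke)".
    $GenericExecute = 0x20000000

    # Resolve the account name to a SID; this throws if the name cannot be resolved.
    $sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $config = Get-PSSessionConfiguration -Name $ConfigurationName -ErrorAction Stop
    if (-not $config.SecurityDescriptorSddl) {
        throw "Session configuration '$ConfigurationName' has no explicit security descriptor."
    }

    # Parse the current descriptor, add one allow ACE, and keep the owner, group and audit entries.
    $sd = [System.Security.AccessControl.CommonSecurityDescriptor]::new(
        $false, $false, $config.SecurityDescriptorSddl)
    $sd.DiscretionaryAcl.AddAccess('Allow', $sid, $GenericExecute, 'None', 'None')
    $sddl = $sd.GetSddlForm('All')

    if ($PSCmdlet.ShouldProcess($ConfigurationName, "Grant Invoke to $Account")) {
        Set-PSSessionConfiguration -Name $ConfigurationName -SecurityDescriptorSddl $sddl -Force
    }

    # Return the effective permissions so the result can be reviewed or logged.
    (Get-PSSessionConfiguration -Name $ConfigurationName).Permission
}

# Preview the change first, then apply it.
Grant-SessionConfigurationInvoke -ConfigurationName WorkdayApi -Account 'CONTOSO\WorkdayApiUsers' -WhatIf
Grant-SessionConfigurationInvoke -ConfigurationName WorkdayApi -Account 'CONTOSO\WorkdayApiUsers'
```

`Set-PSSessionConfiguration -Force` restarts the WinRM service without prompting, which drops existing remoting sessions on that computer.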
This example shows how to create a remoting configuration for setting and testing the WorkdayAPI configuration. Note that this would be done to protect the Windows credentials from abuse, not to protect the Workday credentials.
```powershell
$Credential = Get-Credential -Message 'Enter the Windows credentials which execute t...'
$AllowedFunctions = 'Set-WorkdayEndpoint', 'Get-WorkdayEndpoint', 'Set-WorkdayCredential', 'Save-WorkdayConfiguration', 'Get-WorkdayDate'
New-PSSessionConfigurationFile -ModulesToImport WorkdayAPI -LanguageMode ConstrainedLanguage -Description 'Just enough WorkdayAPI access to change the connection settings.' -Path "$env:TEMP\WorkdayApiCredential.pssc" -VisibleFunctions $AllowedFunctions
Register-PSSessionConfiguration -Name WorkdayApiCredential -RunAsCredential $Credential -Path "$env:TEMP\WorkdayApiCredential.pssc" -ShowSecurityDescriptorUI -Force
```
```powershell
Unregister-PSSessionConfiguration -Name WorkdayAPI
```
```powershell
function Set-RemoteWorkdayApiCredential {
    [CmdletBinding()]
    param (
        [string]$ComputerName,
        [string]$ConfigurationName,
        [PSCredential]$NewCredential
    )

    # Store the new Workday credential on the remote endpoint and persist it.
    Invoke-Command -ComputerName $ComputerName -ConfigurationName:$ConfigurationName {
        Set-WorkdayCredential -Credential $Using:NewCredential -ErrorAction Stop
        Save-WorkdayConfiguration
    }

    # Test the saved settings: a successful call returns a DateTime.
    $result = Invoke-Command -ComputerName $ComputerName -ConfigurationName:$ConfigurationName { Get-WorkdayDate }
    if ($result -isnot [DateTime]) {
        throw 'Invalid UserName, Password or Human_Resource Uri.'
    }
}

$NewCredential = Get-Credential 'Username@Instance'
# ConfigurationName is the session configuration registered above.
Set-RemoteWorkdayApiCredential -ComputerName remoteComputer -ConfigurationName WorkdayApiCredential -NewCredential $NewCredential
```