Workstation – NetSuite Integration
Integration Overview
The NetSuite app on Workstation lets you search for the following NetSuite objects:
- Employee
- Customer
- Vendor
- Contact
- Vendor Bill
- Purchase Order
- Sales Order
- Invoice
Security Overview
The Enterprise Search uses 3rd-party integrations to implement a “federated search”. Searches within Workstation are backed by an NLP engine and a graph database that support a great user experience.
Workstation Enterprise Search doesn’t index 3rd-party data in an independently searchable database.
The sequence diagram describes the searching algorithm:
Notes
- Cache layer saves results for a period of five minutes
- Each Adopter Service creates a unique identifier for the results, which is meaningless without access to the 3rd party, and stores it in the graph database
3rd-Party Access and Refresh Tokens
To activate the Enterprise Search (and the Personalized Workspace widgets), each employee is required to grant Workstation permission to access the 3rd-party.
The granting process uses the OAuth 2.0 protocol.
Each time a new access token is granted to Workstation, the application encrypts the access and refresh tokens and stores them in a remote database.
The encryption process includes a unique private key (“salt”) that is generated for each individual at the very first bootstrap and stored in the local machine's Keychain.
The salt is irreplaceable and not restorable — losing it causes the access tokens to be voided.
This security measure is taken to eliminate identity spoofing when accessing highly sensitive data.
See figure below to review the salt generation and storage flow.
Accessing 3rd-Party Content
Accessing 3rd-party content requires end-user consent and, in some cases (mostly with Microsoft products), organization admin consent.
Users grant Workstation the necessary permission by approving an OAuth 2.0 consent screen that they trigger from the Workstation application (“Third-party apps”).
The third-party apps are approved and verified by the third-party products.
At the end of the granting process, the third-party apps provide access and refresh tokens that the search engine uses to make its requests.
See the 3rd-Party Access and Refresh Tokens section above for more information about the storage mechanism.
While searching, the search engine forwards the request through the Token Injector before it reaches the Adopter Service; the Token Injector is a service that injects the relevant tokens needed to complete the request.
The local private key is handed off over the search HTTPS request for runtime decryption.
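The storage scheme from the 3rd-Party Access and Refresh Tokens section and the runtime decryption step above, as an added example that is not WalkMe's code. The page does not name the cipher or the record layout: AES-256-GCM, the 32-byte key, and all function and field names here are assumptions, and the token values are constructed.

```javascript
// Added illustration, not WalkMe's implementation. Assumed: AES-256-GCM,
// a 32-byte per-user key, and the stored record layout {userId, iv, tag, ct}.
const nodeCrypto = require("node:crypto");

// First bootstrap: generate the per-user key (the page calls it the "salt").
// In the described flow it is kept only in the local machine Keychain.
function generateUserKey() {
  return nodeCrypto.randomBytes(32);
}

// Encrypt the token pair; the returned record is what a remote database holds.
function sealTokens(userKey, userId, tokens) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", userKey, iv);
  cipher.setAAD(Buffer.from(userId, "utf8")); // bind the record to its owner
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(tokens), "utf8"),
    cipher.final(),
  ]);
  return {
    userId,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Runtime decryption with the key handed over on the search request.
// Returns null if the key is lost or wrong, or the record was altered or
// re-attached to another user: the stored tokens are then unusable.
function openTokens(userKey, record) {
  try {
    const iv = Buffer.from(record.iv, "base64");
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", userKey, iv);
    decipher.setAAD(Buffer.from(record.userId, "utf8"));
    decipher.setAuthTag(Buffer.from(record.tag, "base64"));
    const pt = Buffer.concat([
      decipher.update(Buffer.from(record.ct, "base64")),
      decipher.final(),
    ]);
    return JSON.parse(pt.toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Constructed sample: the record below is all the remote side would store.
const demoKey = generateUserKey();
const demoRecord = sealTokens(demoKey, "user-1", { access_token: "constructed-access", refresh_token: "constructed-refresh" });
```

Since the key travels on every search request in this design, the receiving side has to treat it as a secret in transit and keep it out of logs.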
JWT Protection
When a user initiates a search query, the WalkMe enterprise search starts a search flow that is protected by a JWT assigned by the WalkMe IdP integration as part of the user sign-in flow:
The JWT proxies the user identity and keeps every HTTPS request secured and individual.
All Workstation requests are protected by JWT validation.
Configure an integration in NetSuite for Workstation
1. Sign in to NetSuite using an admin account
2. Go to Setup -> Company -> Enable Features
3. Go to the SuiteCloud tab
4. Scroll down and make sure these 3 checkboxes are checked –
5. Scroll down and make sure these 2 checkboxes are checked –
6. Scroll down and make sure these 2 checkboxes are checked –
7. Go to Setup -> Integration -> Manage Integrations -> New
8. Fill the integration form with these details:
- Name – Workstation
- State – Enabled
- Token-Based Authentication – check
- Callback URL – choose one of these URLs –
- Authorization Code Grant – check
- Redirect URI – choose one of these URLs:
  - If US – https://workstation.walkme.com/netsuite/connected
  - If EU – https://eu-workstation.walkme.com/netsuite/connected
- Make sure that these 2 boxes are NOT checked:
  - TBA: Authorization Flow
  - Authorization code grant
- Click Save to create the new integration
9. In the same screen, at the bottom, you will now have a Client Credentials section. Copy the Consumer Key and Consumer Secret; they will be required later on and there will be no access to them again.
10. Go back to the home screen, then go to Setup -> Users/Roles -> Manage Roles -> New
11. Fill the role form with these details:
- Name – Workstation Integration Role
- Subsidiary Restrictions – choose ALL and check the last box
Permissions
- Account Detail View
- Accounts Payable View
- Accounts Payable Graphing View
- Accounts Receivable View
- Accounts Receivable Graphing View
- Amortization Reports View
- Balance Sheet View
- Deferred Expense Reports View
- Employee Reminders View
- Expenses View
- Financial Statements View
- General Ledger View
- Income View
- Income Statement View
- Lead Snapshot/Reminders View
- Net Worth View
- Purchase Order Reports View
- Purchases View
- Reconcile Reporting View
- Report Customization View
- Report Scheduling View
- Revenue Recognition Reports View
- Sales View
- Sales Order Fulfillment Reports View
- Sales Order Reports View
- Sales Order Transaction Report View
- SuiteAnalytics Workbook View
- Tax View
- Transaction Detail View
- Trial Balance View
- Accounts View
- Accounts Payable Register View
- Accounts Receivable Register View
- Amortization Schedules View
- Bank Account Registers View
- Billing Schedules View
- CRM Groups View
- Calendar View
- Commit Orders View
- Contacts View
- Credit Card Registers View
- Currency View
- Custom Recognition Event Type View
- Custom Record Entries View
- Customers View
- Deferred Revenue Registers View
- Departments View
- Documents and Files View
- Email Template View
- Employee Record View
- Employees View
- Equity Registers View
- Events View
- Export Lists View
- Fair Value Formula View
- Fair Value Price View
- Fixed Asset Registers View
- Item Revenue Category View
- Items View
- Locations View
- Long Term Liability Registers View
- Mass Updates View
- Memorized Transactions View
- Non Posting Registers View
- Notes Tab View
- Other Asset Registers View
- Other Current Asset Registers View
- Other Current Liability Registers View
- Other Names View
- Perform Search View
- Phone Calls View
- Platforms View
- Publish Search View
- Record Custom Field View
- Related Items View
- Resource Create
- Revenue Element View
- Revenue Recognition Field Mapping View
- Revenue Recognition Plan View
- Revenue Recognition Rule View
- Revenue Recognition Schedules View
- Statistical Account Registers View
- Subsidiaries View
- Tasks View
- Track Messages View
- Unbilled Receivable Registers View
- Units View
- Vendors View
- Work Calendar View
- Accounting Book View
- Accounting Lists View
- Accounting Management View
- Allow Non G/L Changes View
- Auto-Generated Numbers View
- Custom Body Fields View
- Custom Column Fields View
- Custom Entity Fields View
- Custom Item Fields View
- Custom Lists View
- Custom Record Types View
- Deleted Records View
- Log in using Access Tokens View
- Log in using OAuth 2.0 Access Tokens View
- Manage Accounting Periods View
- Mobile Device Access View
- OAuth 2.0 Authorized Applications Management View
- Other Custom Fields View
- Other Lists View
- REST Web Services View
- SOAP Web Services View
- Set Up Company View
- SuiteAnalytics Connect View
- SuiteAnalytics Connect – Read All View
- Vicarious emails View
- View SOAP Web Services Logs View
- If you have custom records that are required for processes, this might be a blocker for the integration. We recommend providing permissions to all custom records.
- Click Save to create the new integration
12. Now assign the new integration role to a new integration user. Go to Setup -> Users/Roles -> Manage Users
13. Create a new user and make sure the user is of type Employee. Fill the role form with these details:
- Name – Workstation Integration User
- Email – any email
- Subsidiary – your organization's subsidiary
- Access – check the box
- Roles – assign the integration role you created previously (“Workstation Integration Role”)
- Click Save to create the new Employee user
14. Go to Setup -> Users/Roles -> Access Tokens -> New
15. Create an access token. Fill the role form with these details:
- Application Name – choose the Workstation Integration in the dropdown
- User (from List) – Workstation Integration User
- Role – Workstation Integration Role
- Token Name – will be populated automatically
- Click Save to create the new Access Token
- In the same screen, at the bottom of the access token page, you will now have a Token ID and Token Secret
16. In the Console, go to the Workstation -> Integrations page
17. On the NetSuite integration, click Setup and configure the following:
- Sub Domains – the domain of your NetSuite URL. For example, if your URL is https://testname.app.netsuite.com/, your domain is “testname”.
- Client ID and Client Secret – the values created previously in the process (also known as Consumer Key and Consumer Secret).
- Click Save. The NetSuite integration should now work in your Workstation app.
Connecting NetSuite on Workstation
- Open the Workstation Menu by clicking the widget (on Windows) / the WalkMe icon on the Mac Menu bar, or by hitting ctrl/cmd+shift+E
- Go to Settings -> Integrations, and click Connect on the NetSuite card
- If the NetSuite card is not available, contact the WalkMe Owner in your organization and ask them to enable NetSuite on Workstation