User Management

Manage user accounts and authentication settings from the Administration > User Management page. The Users list shows all system users and local accounts provisioned for users who have logged in with single sign-on.

• Adding local users

• Managing user roles and teams

  • Changing user roles

  • Team assignment and role permissions

• Single sign-on and default roles

  • Enabling SSO

  • Default role configuration

  • SCIM provisioning

• Password requirements and login

  • Password policy

  • Login troubleshooting

• Related documentation

Adding local users

To add a local user and assign teams and roles:

1. Navigate to Administration > User Management

2. Click Add User

3. Enter the required information:

   • User Name: Unique identifier for the user account

   • Email: Primary email address for the user

4. Configure team and role assignments:

   • Root Team: Assign to grant access to all integrated providers based on role

   • Custom Teams: Assign to limit user access to specific integrations

   • Roles: Select appropriate roles using checkboxes (see User Roles and Permissions)

   • Multiple roles can be selected simultaneously for each team assignment

   • Use + Add Another Team to assign multiple teams

5. Click Create User to save the new user account

Managing user roles and teams

Changing user roles

You can modify user roles using two different approaches:

Option 1 - From User Management (recommended for cross-team role management):

1. Go to Administration > User Management

2. Locate the user and click Change Roles

3. Modify existing team roles or add new team assignments

4. Select or deselect roles as needed

5. Click Save to apply changes

Option 2 - From Team Management (for team-specific role changes):

1. Go to Administration > Team Management

2. Click the team name containing the user

3. Locate the user and click Change Roles

4. Select or deselect roles for that specific team

5. Click Save to apply changes

Use the User Management approach when managing a user's roles across multiple teams. Use the Team Management approach when updating roles for multiple users within a specific team.

Team assignment and role permissions

User permissions are determined by their role assignments within each team and the team's scope. Key principles:

• Users can belong to multiple teams with different roles in each

• Root team members have access to all integrated providers

• Custom team members have access only to specific integrations assigned to their team

For complete details on role capabilities, team assignment rules, and permissions matrices, see User Roles and Permissions.

Single sign-on and default roles

Enabling SSO

To enable Single Sign-On for your users:

1. Configure a compatible identity provider (IdP)

2. Set up SAML or OIDC integration

3. Configure default role assignments for federated identities

4. Test the SSO configuration with a test user

After enabling SSO, Veza automatically creates local accounts when users authenticate with their IdP for the first time. This allows you to assign workflow reviewers by email without creating accounts beforehand.

Default role configuration

Your SSO configuration can define a default role for federated identities. Veza recommends validating this behavior and contacting the Veza customer success team to change it if desired. By default, Veza will assign the Access Reviewer role to SSO users.

If you have configured your SSO IdP as a Veza integration, you can:

• Enable reviewer suggestions based on user attributes

• Use manager relationships for Access Review assignments

• Leverage group memberships for automatic team assignment

For detailed configuration, see Global IdP Settings.

SCIM provisioning

For automated user lifecycle management, Veza supports SCIM Provisioning with compatible identity providers:

• Supported IdPs: Okta, Microsoft Entra ID, and other SCIM 2.0 compatible providers

• Capabilities: Automated user provisioning, updates, and deprovisioning

• Benefits: Eliminates manual user management and ensures access is synchronized with your IdP

Password requirements and login

Password policy

Local user passwords must meet the following requirements:

• Minimum length: 10 characters

• Character types: At least one uppercase letter, lowercase letter, number, and symbol

• Password strength: Must meet minimum strength requirements based on complexity analysis

• Password history: Cannot reuse any of the last 8 passwords

Login troubleshooting

If users experience login issues:

1. 401 errors after password change: Clear browser cookies and try again

2. Account lockouts: Contact an administrator to unlock the account

3. SSO issues: Verify IdP configuration and user provisioning status

4. MFA problems: Check multi-factor authentication device and backup codes

For programmatic user management, see Team and User Management APIs.

Related documentation

• User Roles and Permissions - Complete role definitions, permissions matrices, and access control

• Team Management - Team creation, organization, and access scope management

• Multi-factor Authentication - Enhanced account security

• Single Sign-On Configuration - SSO setup and management

• SCIM Provisioning - Automated user lifecycle management

• Support User Access - Granting access to Veza support