Policies
Create and manage automated provisioning policies with conditions and actions for identity lifecycle
Lifecycle Management Policies enable automated identity lifecycle processes through rule-based workflows. These APIs allow you to create, manage, and test policies that govern how identity attributes trigger actions across systems, enabling automated workflows for employee lifecycle events like onboarding, role changes, and offboarding.
These APIs provide ways to:
Create automated provisioning and deprovisioning workflows
Configure conditional logic based on identity attributes
Define actions that execute when workflow conditions are met
Test policy configurations against specific identities without making changes
Manage policy states and versioning for controlled deployments
Policy Concepts
A Lifecycle Management Policy consists of two main components:
Base Policy - Contains metadata such as name, description, state, and data source information
Policy Configuration - Contains the workflows, conditions, and actions that define how the policy operates
Policies are versioned, allowing for change management and testing of configurations before deployment.
Policy States
Policies can be in different operational states:
Newly created policy, not yet active. Use this state when first creating policies to configure them before activation.
Endpoints
Use the following endpoints to interact with Lifecycle Management Policies:
Policy Management Operations
Policy Configuration Operations
Policy Testing Operations
POST
Tests policy execution against a specific identity without making changes
Policy Workflow Structure
Policies contain workflows that define:
Trigger Conditions - SCIM filter expressions that determine when the workflow activates
Success Conditions - Additional conditions evaluated when the trigger is met
Actions - Operations executed when conditions are satisfied
Transformers - Optional attribute transformations
Authentication
All Policy API requests require authentication. See API Authentication for details on how to authenticate with Veza APIs.
Getting Started
To get started with Policy APIs:
Create a policy with basic metadata and datasource information
Update the policy configuration to define workflows, conditions, and actions
Test with a dry run to verify the policy works as expected
Update the policy state to activate the policy for production use
For a comprehensive example of policy configuration, see the Update Policy Configuration documentation.
Policy Migration Between Environments
When moving policies between environments (e.g., sandbox to production), you can export and import policy configurations using the API endpoints.
Export a Policy
Get the base policy information:
GET /api/private/lifecycle_management/policies/{policy_id}Extract the current policy configuration:
From the response, use the
current_version.configobject which contains the complete policy logic including workflows, conditions, actions, and transformers.
Import to New Environment
Create the base policy in the destination environment:
POST /api/private/lifecycle_management/policiesUpdate the policy configuration with your exported configuration:
PATCH /api/private/lifecycle_management/policies/{new_policy_id}/versions/{version_number}
When moving policies between environments, you'll need to update:
Access Profile IDs referenced in actions
Datasource IDs that may differ between environments
Any environment-specific attribute values or conditions
Migration Best Practices
Test First: Always set the imported policy to
DRY_RUNstate initially to test in the new environmentVerify IDs: Ensure all referenced Access Profile IDs and datasource IDs exist in the target environment
Update Conditions: Review trigger strings and condition strings for environment-specific values
Gradual Activation: Move from
DRY_RUN→INITIAL→RUNNINGto ensure proper testing
Related Documentation
For more information about Policy concepts and features, see:
Last updated
Was this helpful?