Create a new policy for identity lifecycle management with conditions and actions
Endpoint
POST /api/private/lifecycle_management/policies
Description
Create a new policy in your Veza Lifecycle Management configuration. A policy is the main object for controlling Lifecycle Management operations and carries its own description. Each policy can have multiple versions: exactly one is live, at most one is a draft, and all others are historical.
Use this endpoint to:
Create new lifecycle management policies
Define data source connections for identity management
Configure notification settings for policy events
Set up safety limits and retry behavior
Prerequisites: Before creating policies, ensure you have identified your Source of Identity (SOI) datasources using the List Lifecycle Management Datasources endpoint.
Important: Policy vs Version States
There are two different state systems in the Lifecycle Management API:
Policy States: Control the overall policy execution (INITIAL, RUNNING, PAUSED, DRY_RUN, PENDING)
Version States: Control individual policy version status (DRAFT, PUBLISHED, RETIRED)
When creating a policy with this endpoint, use Policy States. Each policy can have multiple versions, each with their own version state.
API Reference
POST /api/private/lifecycle_management/policies
Authorizations
Authorization (string, required): Veza API key for authentication. Generate keys in Administration > API Keys.
Body
name (string, optional)
description (string, optional)
state (integer · enum, optional)
datasource_ids (string[], optional): The source-of-truth data source(s) for this policy (must contain at least one, and all must be of the same type)
sync_only_when_source_changes (boolean, optional): If true, sync only when the source of identity changes
event_notification_settings (array[object], optional): The notifications to send when an event occurs
secondary_source_of_identities (array[object], optional): Additional sources used to enrich the primary source of identity
time_before_sync_if_no_source_changes_in_minutes (integer, optional): When sync_only_when_source_changes is true, how often (in minutes) to run a check when no changes are detected (default is 1440, i.e. one day)
identity_attribute_mappings (array[object], optional): Mappings between Identity attributes and SOI attributes
safety_limit_settings (object, optional): Settings that determine when to block changes and send warnings
no_retry_for_failed_workflow (boolean, optional): If true, failed workflows are not retried
max_retries_for_failed_workflow (integer, optional): How many times a failed workflow is retried (default is 10)
Complex Field Details
Event Notification Settings: The event_notification_settings array contains objects that define when and how to send notifications:
event_type (string): The type of event that triggers the notification
notification_settings (object): Configuration for how notifications are sent
Secondary Source of Identity: The secondary_source_of_identities array allows enriching the primary source of identity:
datasource_ids (array[string]): Data sources for the secondary identity source
correlation_attribute_names (object): Key-value pairs mapping primary to secondary attributes
only_enrich_existing (boolean): If true, only enriches existing identities and does not create new ones
Identity Attribute Mappings: The identity_attribute_mappings array maps identity attributes to entity attributes:
identity_attribute (string): The identity attribute type (EMAIL, TITLE, EMPLOYEE_ID, DEPARTMENT, MANAGER_IDS)
entity_attribute_name (string): The name of the entity attribute to map to
Safety Limit Settings: The safety_limit_settings object prevents mass changes. Two independent mechanisms are available:
Hard Limit (enable_change_limit): Reactive. Stops processing during execution when the configured identity change threshold is reached.
Predictive Safety Limit (enable_predictive_change_limit): Proactive. Blocks all changes before execution if the predicted number of workflow runs exceeds the threshold.
enable_change_limit (boolean): Enable the Hard Limit (reactive: stops when the identity change threshold is reached during processing)
enable_predictive_change_limit (boolean): Enable the Predictive Safety Limit (proactive: blocks before processing if predicted workflow runs exceed the threshold)
max_identities_affected_count (integer): Maximum number of identities that can be affected. Used by the Hard Limit
max_workflow_runs_count (integer): Maximum number of predicted workflow runs before blocking. Used by the Predictive Safety Limit
warning_email_addresses (array[string]): Email addresses to notify when a safety limit is triggered
Safety limit settings can also be configured at the individual workflow level within the policy version configuration for granular control over different workflow types.
Request Examples
Basic Policy Creation
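The following is an added example, not Veza's own client code or an example from the original page. It assembles a policy body from the fields documented above, applies client-side checks (at least one datasource_id, a known policy state name, known identity attribute types, and a positive threshold for each safety-limit mechanism that is enabled), and posts it to the endpoint. It assumes the API key is sent as a bearer token in the Authorization header and that `state` accepts the policy state name listed above; the base URL, API key, datasource IDs, entity attribute names and e-mail address are constructed placeholders.

```python
"""Build and submit a Lifecycle Management policy creation request.

Added example for this page, not Veza's own client code. Assumes the body
fields documented above, that `state` accepts the policy state name, and that
the API key is sent as a bearer token. All identifiers below are placeholders.
"""
import json
import urllib.request

ENDPOINT_PATH = "/api/private/lifecycle_management/policies"
POLICY_STATES = {"INITIAL", "RUNNING", "PAUSED", "DRY_RUN", "PENDING"}
IDENTITY_ATTRIBUTES = {"EMAIL", "TITLE", "EMPLOYEE_ID", "DEPARTMENT", "MANAGER_IDS"}


def build_safety_limits(max_identities=None, max_workflow_runs=None, warning_emails=()):
    """Return safety_limit_settings. Each mechanism is enabled only when its
    threshold is supplied: the Hard Limit needs max_identities_affected_count,
    the Predictive Safety Limit needs max_workflow_runs_count."""
    settings = {
        "enable_change_limit": max_identities is not None,
        "enable_predictive_change_limit": max_workflow_runs is not None,
        "warning_email_addresses": list(warning_emails),
    }
    for key, value in (("max_identities_affected_count", max_identities),
                       ("max_workflow_runs_count", max_workflow_runs)):
        if value is not None:
            if not isinstance(value, int) or value <= 0:
                raise ValueError(f"{key} must be a positive integer")
            settings[key] = value
    return settings


def build_policy_body(name, datasource_ids, description="", state=None,
                      attribute_mappings=None, safety_limits=None,
                      sync_only_when_source_changes=True, recheck_minutes=1440,
                      max_retries=10):
    """Assemble and sanity-check the request body before it leaves the client."""
    if not datasource_ids or not all(isinstance(d, str) and d for d in datasource_ids):
        raise ValueError("datasource_ids must contain at least one non-empty id")
    if state is not None and state not in POLICY_STATES:
        raise ValueError(f"unknown policy state {state!r}; use one of {sorted(POLICY_STATES)}")
    mappings = []
    for attr, entity_attr in (attribute_mappings or {}).items():
        if attr not in IDENTITY_ATTRIBUTES:
            raise ValueError(f"unknown identity attribute {attr!r}")
        mappings.append({"identity_attribute": attr, "entity_attribute_name": entity_attr})
    body = {
        "name": name,
        "description": description,
        "datasource_ids": list(datasource_ids),
        "sync_only_when_source_changes": sync_only_when_source_changes,
        "time_before_sync_if_no_source_changes_in_minutes": recheck_minutes,
        "identity_attribute_mappings": mappings,
        "safety_limit_settings": safety_limits if safety_limits is not None else build_safety_limits(),
        "no_retry_for_failed_workflow": max_retries == 0,
        "max_retries_for_failed_workflow": max_retries,
    }
    if state is not None:
        body["state"] = state  # assumption: the API accepts the state name listed on this page
    return body


def create_policy(base_url, api_key, body, opener=urllib.request.urlopen):
    """POST the body; `opener` is injectable so the call can be exercised offline."""
    request = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {api_key}",  # assumed header format
                 "Content-Type": "application/json"},
        method="POST",
    )
    with opener(request) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values: a dry-run policy with both safety-limit mechanisms enabled.
    limits = build_safety_limits(max_identities=50, max_workflow_runs=200,
                                 warning_emails=["iam-oncall@example.com"])
    policy = build_policy_body(
        "HRIS joiners", ["ds-placeholder-1"], description="HR system as SOI",
        state="DRY_RUN",
        attribute_mappings={"EMAIL": "work_email", "EMPLOYEE_ID": "worker_id"},
        safety_limits=limits)
    print(json.dumps(policy, indent=2))
    # create_policy("https://veza.example.com", "API_KEY_PLACEHOLDER", policy)
```

Starting a new policy in DRY_RUN with both limits enabled lets you observe the predicted workflow runs before any identity is changed; raise the thresholds and move to RUNNING only once the dry-run counts match expectations.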
Response