Release Notes

Run Dry Run on Identity

Execute a policy dry run against a specific identity to preview actions without performing them

Endpoint

POST /api/private/lifecycle_management/policies/{policy_id}/identities/{identity_id}:dry_run

Description

Execute a policy dry run against a specific identity to preview what actions would be taken without actually performing them. This is essential for testing policy configurations, validating conditions, and understanding policy behavior before activation.

Use this endpoint to:

  • Test new policies before activating them

  • Validate policy changes against specific users

  • Debug why policies are or aren't executing for certain identities

  • Demonstrate policy behavior to stakeholders

  • Ensure policy changes won't have unintended consequences

Dry runs are read-only operations that simulate policy execution without making any actual changes to user access or system state.

Authentication Required

This endpoint requires a valid Veza API key for authentication.

See Authentication for more about creating and managing API keys.

All requests must include the API key as a Bearer token in the Authorization header.

Example:

curl -X GET "$BASE_URL/api/preview/keys" \
  -H "authorization: Bearer $VEZA_TOKEN"

API Reference

post
Authorizations
Path parameters
policy_idstringRequired
idstringRequired
Body
policy_idstringOptional
idstringOptional
version_numberinteger · int32Optional
stateinteger · enumOptional
Responses
200

OK

application/json
post
POST /api/private/lifecycle_management/policies/{policy_id}/identities/{id}:dry_run HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 61

{
  "policy_id": "text",
  "id": "text",
  "version_number": 1,
  "state": 1
}
{
  "workflows_matched": [
    "text"
  ],
  "job_requests": [
    {
      "job_id": "text",
      "data_source": {
        "id": "text",
        "external_id": "text",
        "agent_type": "text",
        "data_provider_id": "text",
        "data_source_config": {
          "@type": "text",
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "data_provider_type": 1,
        "data_provider_secret_refs": [
          {
            "id": "text",
            "secret_id": "text",
            "vault_id": "text",
            "vault": {
              "id": "text",
              "name": "text",
              "vault_provider": "text",
              "insight_point_id": "text",
              "deleted": true
            }
          }
        ]
      },
      "input_entities": [
        {
          "table": "text",
          "primary_key": [
            "text"
          ],
          "constraints": [
            {
              "type": 1,
              "field_names": [
                "text"
              ]
            }
          ]
        }
      ],
      "action_type": 1,
      "action_config": {
        "@type": "text",
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "action_job_id": "text",
      "action_name": "text",
      "identity_id": "text",
      "stop_on_error": true,
      "ttl": "text"
    }
  ],
  "messages": [
    "text"
  ],
  "access_profile_ids": [
    "text"
  ],
  "job_request_workflow_names": {
    "ANY_ADDITIONAL_PROPERTY": "text"
  }
}

Request Examples

curl -X POST "https://your-tenant.vezacloud.com/api/private/lifecycle_management/policies/policy-123e4567-e89b-12d3-a456-426614174000/identities/identity-456:dry_run" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_id": "policy-123e4567-e89b-12d3-a456-426614174000",
    "id": "identity-456",
    "version_number": 2,
    "state": "NEW"
  }'

Response

post
Authorizations
Path parameters
policy_idstringRequired
idstringRequired
Body
policy_idstringOptional
idstringOptional
version_numberinteger · int32Optional
stateinteger · enumOptional
Responses
200

OK

application/json
post
POST /api/private/lifecycle_management/policies/{policy_id}/identities/{id}:dry_run HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 61

{
  "policy_id": "text",
  "id": "text",
  "version_number": 1,
  "state": 1
}
{
  "workflows_matched": [
    "text"
  ],
  "job_requests": [
    {
      "job_id": "text",
      "data_source": {
        "id": "text",
        "external_id": "text",
        "agent_type": "text",
        "data_provider_id": "text",
        "data_source_config": {
          "@type": "text",
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "data_provider_type": 1,
        "data_provider_secret_refs": [
          {
            "id": "text",
            "secret_id": "text",
            "vault_id": "text",
            "vault": {
              "id": "text",
              "name": "text",
              "vault_provider": "text",
              "insight_point_id": "text",
              "deleted": true
            }
          }
        ]
      },
      "input_entities": [
        {
          "table": "text",
          "primary_key": [
            "text"
          ],
          "constraints": [
            {
              "type": 1,
              "field_names": [
                "text"
              ]
            }
          ]
        }
      ],
      "action_type": 1,
      "action_config": {
        "@type": "text",
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "action_job_id": "text",
      "action_name": "text",
      "identity_id": "text",
      "stop_on_error": true,
      "ttl": "text"
    }
  ],
  "messages": [
    "text"
  ],
  "access_profile_ids": [
    "text"
  ],
  "job_request_workflow_names": {
    "ANY_ADDITIONAL_PROPERTY": "text"
  }
}

Example Response

Dry Run Response

This example shows a more detailed response including job requests and workflow matching:

{
  "workflows_matched": [
    "Active Employees"
  ],
  "access_profile_ids": [
    "3a2371b6-95ec-4d9e-b95c-d75d51daa39b",
    "ead4616a-7f0e-45ad-a721-375320e15cfd"
  ],
  "job_requests": [
    {
      "job_id": "fd7624af-cc5f-4b7e-87ef-e21fa9868d87",
      "data_source": {
        "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
        "name": "Workday HRIS",
        "type": "workday"
      },
      "input_entities": [
        {
          "entity_id": "employee_12345",
          "entity_type": "WorkdayWorker",
          "attributes": {
            "employment_status": "ACTIVE",
            "work_location": "US",
            "department": "Sales",
            "manager": true
          }
        }
      ],
      "action_type": "SYNC_IDENTITIES",
      "action_config": {
        "@type": "type.googleapis.com/lifecyclemanagement.v1.SyncIdentitiesJobConfig",
        "attributes_to_sync": {
          "email": "work_email",
          "name": "full_name",
          "department": "department_name"
        },
        "create_allowed": true,
        "continuous_sync_allowed": true,
        "attributes_not_to_continuous_sync": ["manager_approval_date"]
      },
      "action_job_id": "d55fda69-0720-4742-a963-f22bd8fd1b57",
      "action_name": "SyncADIdentities"
    },
    {
      "job_id": "f6b68999-43d8-49ae-8027-94e8985eafd8",
      "data_source": {
        "id": "ad-connector-001",
        "name": "Active Directory",
        "type": "active_directory"
      },
      "input_entities": [
        {
          "entity_id": "employee_12345",
          "entity_type": "ActiveDirectoryUser"
        }
      ],
      "action_type": "MANAGE_RELATIONSHIPS",
      "action_config": {
        "@type": "type.googleapis.com/lifecyclemanagement.v1.ManageRelationshipsJobConfig",
        "relationships_to_create": [
          {
            "entity_type": "ActiveDirectoryGroup",
            "entity_id": "366db2d0-6c4e-47fe-9c57-1a8dc4916da4"
          },
          {
            "entity_type": "ActiveDirectoryGroup",
            "entity_id": "cbb024a6-e227-4aaf-b893-f61478d45f8a"
          }
        ]
      },
      "action_job_id": "09b61164-d50f-4dbe-bcfc-bfff31530438",
      "action_name": "UsActiveDirectoryGroups"
    }
  ],
  "messages": [
    "Policy would execute for identity with email: [email protected]",
    "2 job requests generated",
    "Access profiles affected: 2"
  ]
}

Response Fields

Field
Description

workflows_matched

Array of workflow names that matched the dry run criteria

job_requests

Array of job request objects that would be created

messages

Array of informational messages about the dry run execution

access_profile_ids

Array of access profile IDs that were found in the dry run

PreviousAdd Action to Policy ConfigurationNextSCIM Provisioning

Last updated

Was this helpful?