Run Dry Run on Identity

Execute a policy dry run against a specific identity to preview actions without performing them

Endpoint

POST /api/private/lifecycle_management/policies/{policy_id}/identities/{identity_id}:dry_run

Description

Execute a policy dry run against a specific identity to preview what actions would be taken without actually performing them. This is essential for testing policy configurations, validating conditions, and understanding policy behavior before activation.

Use this endpoint to:

Test new policies before activating them
Validate policy changes against specific users
Debug why policies are or aren't executing for certain identities
Demonstrate policy behavior to stakeholders
Ensure policy changes won't have unintended consequences

Dry runs are read-only operations that simulate policy execution without making any actual changes to user access or system state.

API Reference

post

Authorizations

AuthorizationstringRequired

Bearer token authentication using a Veza Personal API key.

Header Format: Authorization: Bearer <your-api-key>

Creating an API Key:

Log into your Veza tenant
Navigate to Administration → API Keys
Generate a new API key and save the value securely

Path parameters

policy_idstringRequired

idstringRequired

Body

policy_idstringOptional

idstringOptional

version_numberinteger · int32Optional

stateinteger · enumOptional

skip_disabled_workflowsbooleanOptional

Responses

200

application/json

default

Default error response

application/json

post

/api/private/lifecycle_management/policies/{policy_id}/identities/{id}:dry_run

POST /api/private/lifecycle_management/policies/{policy_id}/identities/{id}:dry_run HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 92

{
  "policy_id": "text",
  "id": "text",
  "version_number": 1,
  "state": 1,
  "skip_disabled_workflows": true
}

{
  "workflows_matched": [
    "text"
  ],
  "job_requests": [
    {
      "job_id": "text",
      "data_source": {
        "id": "text",
        "external_id": "text",
        "agent_type": "text",
        "data_provider_id": "text",
        "data_source_config": {
          "@type": "text",
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "data_provider_type": 1,
        "data_provider_secret_refs": [
          {
            "id": "text",
            "secret_id": "text",
            "vault_id": "text",
            "vault": {
              "id": "text",
              "name": "text",
              "vault_provider": "text",
              "insight_point_id": "text",
              "deleted": true
            }
          }
        ]
      },
      "input_entities": [
        {
          "table": "text",
          "primary_key": [
            "text"
          ],
          "constraints": [
            {
              "type": 1,
              "field_names": [
                "text"
              ]
            }
          ]
        }
      ],
      "action_type": 1,
      "action_config": {
        "@type": "text",
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "action_job_id": "text",
      "action_name": "text",
      "identity_id": "text",
      "stop_on_error": true,
      "ttl": "text"
    }
  ],
  "messages": [
    "text"
  ],
  "access_profile_ids": [
    "text"
  ],
  "job_request_workflow_names": {
    "ANY_ADDITIONAL_PROPERTY": "text"
  },
  "workflow_messages": {
    "ANY_ADDITIONAL_PROPERTY": {
      "messages": [
        "text"
      ]
    }
  }
}

Request Examples

curl -X POST "https://your-tenant.vezacloud.com/api/private/lifecycle_management/policies/policy-123e4567-e89b-12d3-a456-426614174000/identities/identity-456:dry_run" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_id": "policy-123e4567-e89b-12d3-a456-426614174000",
    "id": "identity-456",
    "version_number": 2,
    "state": "NEW"
  }'

Response

post

Authorizations

AuthorizationstringRequired

Bearer token authentication using a Veza Personal API key.

Header Format: Authorization: Bearer <your-api-key>

Creating an API Key:

Log into your Veza tenant
Navigate to Administration → API Keys
Generate a new API key and save the value securely

Path parameters

policy_idstringRequired

idstringRequired

Body

policy_idstringOptional

idstringOptional

version_numberinteger · int32Optional

stateinteger · enumOptional

skip_disabled_workflowsbooleanOptional

Responses

200

application/json

default

Default error response

application/json

post

/api/private/lifecycle_management/policies/{policy_id}/identities/{id}:dry_run

POST /api/private/lifecycle_management/policies/{policy_id}/identities/{id}:dry_run HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 92

{
  "policy_id": "text",
  "id": "text",
  "version_number": 1,
  "state": 1,
  "skip_disabled_workflows": true
}

{
  "workflows_matched": [
    "text"
  ],
  "job_requests": [
    {
      "job_id": "text",
      "data_source": {
        "id": "text",
        "external_id": "text",
        "agent_type": "text",
        "data_provider_id": "text",
        "data_source_config": {
          "@type": "text",
          "ANY_ADDITIONAL_PROPERTY": "anything"
        },
        "data_provider_type": 1,
        "data_provider_secret_refs": [
          {
            "id": "text",
            "secret_id": "text",
            "vault_id": "text",
            "vault": {
              "id": "text",
              "name": "text",
              "vault_provider": "text",
              "insight_point_id": "text",
              "deleted": true
            }
          }
        ]
      },
      "input_entities": [
        {
          "table": "text",
          "primary_key": [
            "text"
          ],
          "constraints": [
            {
              "type": 1,
              "field_names": [
                "text"
              ]
            }
          ]
        }
      ],
      "action_type": 1,
      "action_config": {
        "@type": "text",
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "action_job_id": "text",
      "action_name": "text",
      "identity_id": "text",
      "stop_on_error": true,
      "ttl": "text"
    }
  ],
  "messages": [
    "text"
  ],
  "access_profile_ids": [
    "text"
  ],
  "job_request_workflow_names": {
    "ANY_ADDITIONAL_PROPERTY": "text"
  },
  "workflow_messages": {
    "ANY_ADDITIONAL_PROPERTY": {
      "messages": [
        "text"
      ]
    }
  }
}

Example Response

Dry Run Response

This example shows a more detailed response including job requests and workflow matching:

{
  "workflows_matched": [
    "Active Employees"
  ],
  "access_profile_ids": [
    "3a2371b6-95ec-4d9e-b95c-d75d51daa39b",
    "ead4616a-7f0e-45ad-a721-375320e15cfd"
  ],
  "job_requests": [
    {
      "job_id": "fd7624af-cc5f-4b7e-87ef-e21fa9868d87",
      "data_source": {
        "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
        "name": "Workday HRIS",
        "type": "workday"
      },
      "input_entities": [
        {
          "entity_id": "employee_12345",
          "entity_type": "WorkdayWorker",
          "attributes": {
            "employment_status": "ACTIVE",
            "work_location": "US",
            "department": "Sales",
            "manager": true
          }
        }
      ],
      "action_type": "SYNC_IDENTITIES",
      "action_config": {
        "@type": "type.googleapis.com/lifecyclemanagement.v1.SyncIdentitiesJobConfig",
        "attributes_to_sync": {
          "email": "work_email",
          "name": "full_name",
          "department": "department_name"
        },
        "create_allowed": true,
        "continuous_sync_allowed": true,
        "attributes_not_to_continuous_sync": ["manager_approval_date"]
      },
      "action_job_id": "d55fda69-0720-4742-a963-f22bd8fd1b57",
      "action_name": "SyncADIdentities"
    },
    {
      "job_id": "f6b68999-43d8-49ae-8027-94e8985eafd8",
      "data_source": {
        "id": "ad-connector-001",
        "name": "Active Directory",
        "type": "active_directory"
      },
      "input_entities": [
        {
          "entity_id": "employee_12345",
          "entity_type": "ActiveDirectoryUser"
        }
      ],
      "action_type": "MANAGE_RELATIONSHIPS",
      "action_config": {
        "@type": "type.googleapis.com/lifecyclemanagement.v1.ManageRelationshipsJobConfig",
        "relationships_to_create": [
          {
            "entity_type": "ActiveDirectoryGroup",
            "entity_id": "366db2d0-6c4e-47fe-9c57-1a8dc4916da4"
          },
          {
            "entity_type": "ActiveDirectoryGroup",
            "entity_id": "cbb024a6-e227-4aaf-b893-f61478d45f8a"
          }
        ]
      },
      "action_job_id": "09b61164-d50f-4dbe-bcfc-bfff31530438",
      "action_name": "UsActiveDirectoryGroups"
    }
  ],
  "messages": [
    "Policy would execute for identity with email: [email protected]",
    "2 job requests generated",
    "Access profiles affected: 2"
  ]
}

Response Fields

Field

Description

workflows_matched

Array of workflow names that matched the dry run criteria

job_requests

Array of job request objects that would be created

messages

Array of informational messages about the dry run execution

access_profile_ids

Array of access profile IDs that were found in the dry run

PreviousAdd Action to Policy Configuration NextGet Identity

Last updated 3 months ago

Was this helpful?