Identities

Manage user identities and lifecycle automation in Veza, including synchronization, access profiles, and workflow triggers for joiner, mover, and leaver processes.

Identities in Veza Lifecycle Management represent a top-level view of an individual user, used to automate provisioning and deprovisioning across systems, applications, or services.

This can include birthright access managed throughout the user's lifecycle, triggered by joiner, mover, or leaver events, as well as ad-hoc, just-in-time access granted upon approval of an access request.

Identities can refer to users who may be employees, contractors, or external collaborators (partners), but generally exclude non-human entities, such as service accounts or AI agents.

With Lifecycle Management, workflows defined within policies dictate the users’ onboarding, job-function change, and offboarding processes, ensuring that corresponding identities have precisely the access they need as their roles evolve or their status within the organization changes. Similarly, access granted to identities may also change as just-in-time access requests are fulfilled or revoked.

The Lifecycle Management > Identities page serves as a central hub for viewing identities known to Lifecycle Management and Access Requests, as well as performing actions on individual identities.

Identities are populated into Lifecycle Management by first identifying the entire user population: integrate the source of identity (SOI) into a Veza tenant, then create a policy that uses that data source. This may require enabling a built-in integration for your identity source (e.g., Workday integration), uploading user data in CSV format (CSV Upload integration), or using a custom OAA connector.

See Integrations for detailed information on integrating the source of identity.

For Integration management using APIs, see the Datasource Management APIs.

Identity Synchronization

Identities are maintained through synchronization with the identity sources. Syncing identities ensures that all systems reflect the most current user state, whether through onboarding, role changes, or attribute updates, keeping access aligned, consistent, and audit-ready.

The Sync Identities action is used for the automatic synchronization of user identities between an authoritative source (such as an HR system or identity provider) and target systems. In the Lifecycle Management workflow, Sync Identities works alongside other key actions:

  • Manage Relationships (handling group/role memberships)

  • Deprovision Identity (removing access when users leave the organization)

Synchronization is executed through Lifecycle Management policy workflows. Policy workflows can be defined with triggers and actions to synchronize changes in your identity source with target systems. Additionally, SCIM (System for Cross-domain Identity Management) or OAA (Open Authorization API) can enable identity sync for a wide range of target applications that don't have a built-in Veza integration, but do expose standard user and group management APIs or support bulk data export.

Identities Table

| Column | Description | Usage |
| --- | --- | --- |
| Name | Identity display name | The full display name is an attribute composed of the user's first name and last name. |
| Status | Current lifecycle status (Active/Inactive) | Indicates employment status. |
| Property Overrides | Shows "Yes" if identity has custom attribute overrides | Identifies identities with manual attribute modifications (overriding attributes from your SOI) |
| Department | Organizational department from SOI | Used for access assignment and reporting |
| Policy | Associated Lifecycle Management policy | Links identity to a specific Lifecycle Management workflow |
| Access Profiles | Assigned Access Profiles with counts | Shows current access assignments |
| Last Changed at | Timestamp of the most recent update | Tracks synchronization and change activity |
| Workflows | Associated Lifecycle Management workflow name | Identifies which policy workflow manages the identity |

Note: The display name is not the primary unique identifier, as multiple users may share the same first and last name.

Filter and Search an Identity

To start, you can use filtering options to locate specific identities or analyze a group of identities based on standard criteria. The following filters are available on the Identities overview:

  • Search by name: Locate specific individuals using a name-based search

  • Department filter: View identities by organizational unit

  • Status filter: Filter by Active or Inactive employment status

  • Access Profiles filter: Find identities with specific profile assignments

  • Integrations filter: Filter by source integration system

  • Policy filter: View identities managed by specific policies

  • Workflows Triggered filter: Identify identities that have triggered automation

  • Not in a Workflow: Find identities outside automated workflows

Identity Actions

For each identity record, administrators can perform actions through the Actions menu:

  • View Details: Access identity information, attribute history, and related accounts

  • Trigger Workflow: Manually initiate a workflow in a policy

  • Request Access: Launch an Access Request for additional access (requires Veza Access Requests).

    See Notification Templates for Lifecycle Management for customizing the Request Access Template.

  • Show in Graph: Visualize identity relationships and access patterns

View User Details

Click on your selected identity to open the Identity Details view.

The following fields in the Identity Details view are populated with the current user's information:

  • Title: The user’s position title.

  • Email: The user’s email address.

  • Providers: A list of assigned integrations. When you click on a specific provider, the Integration page appears, displaying the provider’s detailed information, including its Entity Categories distribution.

  • Access Profiles: A list of Access Profiles assigned to the identity. When you click on a specific profile, its detailed information page appears, displaying its status (either Draft or Published). You can also edit the Access Profile if needed.

  • Last Workflow Triggered: The name of the workflow that was most recently executed.

  • Primary: Whether (True or False) the Primary identifier is configured as the authoritative attribute for matching or locating an identity.

  • Secondary Identities: An associated name connected to the primary identity.

  • ID: The identification number assigned to the primary identity.

  • Active: True if the user’s identity is active; False if it is inactive.

  • Last Changed: How long ago (in days, weeks, or months) the identity was last changed.

Attribute Overrides

When executing a policy where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment, you can override the existing attribute with a different value until the issue is corrected. For more information, see Identity Override Attributes.

Here are some examples of incorrect or slow-to-update attributes:

  • Employee termination: An employee has been terminated and needs immediate deprovisioning, but the termination status is not yet reflected at the source of identity

  • Role changes: An employee has immediately changed roles and needs new birthright access, but the role change and the new manager haven't been updated in the source system

  • Contract extensions: A contractor's end date has been extended, but the extension isn't reflected yet at the source of identity

  • Missing manager data: The source of identity is missing a manager value, but this information is required for downstream application provisioning

  • Security incidents: Immediate access restrictions are needed before HR systems can be updated

  • Temporary access grants: Providing temporary access while permanent changes are processed

To create an Override Value, perform the following:

  1. Select an identity by name.

  2. Click Details.

  3. Click Properties in the Details menu.

  4. Click Actions (three dots icon).

  5. Select Create Override.

  6. The Create Override window appears. The Property Name and Actual Value fields are populated.

  7. Enter an Override Value.

  8. Click Save.
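As an added illustration (not Veza code and not part of the original page), the sketch below models the relationship between a property's Actual Value and its Override Value and flags overrides worth reviewing, such as one the SOI has since caught up with. The attribute keys, sample identities, and the rule that an override takes precedence over the synced value are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str
    actual: dict                                   # values as synced from the SOI
    overrides: dict = field(default_factory=dict)  # property name -> override value

    def effective(self) -> dict:
        """Attributes a policy would evaluate (assumed: override wins)."""
        return {**self.actual, **self.overrides}

def review_overrides(identity: Identity) -> list:
    """Return findings for overrides that deserve a second look."""
    findings = []
    for prop, override in identity.overrides.items():
        actual = identity.actual.get(prop)
        if actual == override:
            # The SOI has caught up; the override no longer changes anything.
            findings.append(f"{prop}: redundant, SOI now matches override")
        elif prop == "active" and actual is False and override is True:
            # The override keeps a user active whom the SOI reports as inactive.
            findings.append(f"{prop}: override keeps SOI-inactive identity active")
        elif actual is None:
            findings.append(f"{prop}: fills a value missing at the SOI")
    return findings

# Constructed sample data; names and attribute keys are hypothetical.
SAMPLE = [
    Identity("A. Rivera", {"active": True, "department": "Finance"},
             {"active": False}),                   # urgent termination
    Identity("B. Chen", {"active": False, "department": "IT"},
             {"active": True}),                    # contract extension
    Identity("C. Okafor", {"active": True, "title": "Engineer"},
             {"title": "Engineer", "manager": "D. Silva"}),
]

def audit(identities) -> dict:
    """Map each overridden identity to its review findings."""
    return {i.name: review_overrides(i) for i in identities if i.overrides}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or ["override in effect, no finding"])
```

A periodic review of this kind pairs naturally with the Property Overrides column, which marks the identities that carry manual modifications.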

Performing Actions on an Identity

Click the overflow icon (three dots) to display options for performing actions on the identity. Next, click on the desired action:

  • Trigger Workflow

  • Request Access

  • Show in Graph

Trigger Workflow

The Trigger Workflow option is a convenient way to test a specific user in a policy workflow. For example, you can test a new employee's identity in a joiner workflow to evaluate whether they have sufficient access to perform their duties.

Use the Trigger Workflow option to manually run a workflow for a specific user.

To trigger a workflow for a specific user, perform the following steps:

  1. Select a workflow in the dropdown menu.

  2. Click Trigger to run the workflow.

Request Access for an Identity

Request Access allows for additional or temporary access grants, particularly when a user’s current access is insufficient for their duties.

Use the Request Access option in the Identity Details view to grant access to a specific user while reviewing their detailed information. You can grant access to the user through the following actions:

Access Profiles: A collection of entitlements that are granted as part of the user’s identity lifecycle requirements. Access Profiles can:

  • Define reusable collections of entitlements across multiple target systems by business roles, departments, or functions

  • Automate consistent access provisioning

  • Manage access profile types and their capabilities

See Access Profile and Access Profile Types for more information.

To grant an Access Profile, perform the following:

  1. Click the Access Profile radio button.

  2. The Choose from Access Profile window appears.

  3. Enter a Reason for granting the Access Profile for the user.

  4. Select an existing Access Profile from the dropdown menu.

  5. Enter an Expiration Time in Hours or Days.

App: An App refers to a target system, where user access is provisioned or deprovisioned as part of the identity lifecycle process.

To grant an App, perform the following:

  1. Click the Access Profile radio button.

  2. The Request Grant Access window appears.

  3. Enter a Reason for granting the App for the user.

  4. Select an existing Integration from the dropdown menu.

  5. Use the arrows to select an Expiration Time in Days, where 0 means no expiration.

  6. Click Create.

Entitlements: Granting Entitlements to a user provides specific access permissions (roles, permissions, group memberships) required to perform their responsibilities.

Note: By granting Entitlements to a specific user, you pre-fill an Access Request with the appropriate configuration settings and policy.

To grant an Entitlement, perform the following:

  1. Click the Entitlements radio button.

  2. The Request Grant Access window appears.

  3. Enter a Reason for granting the Entitlement for the user.

  4. Select an existing Integration from the dropdown menu.

  5. Based on the integration you selected, the Target Entity Type is automatically populated.

  6. Use the arrows to select a Target Entitlement.

  7. Use the arrows to select an Expiration Time in Days, where 0 means no expiration.

  8. Click Create.

Show in Graph

Use the Show in Graph option to display a graph that represents all assigned Access Profiles, Apps, and Entitlements, including all associations.

This is a graphical representation of John Smith’s assigned access and entitlements to roles/groups.

Graph Example
