Implementation and Core Concepts
Last updated
Was this helpful?
Last updated
Was this helpful?
Before you begin creating draft for automating Lifecycle Management workflows, you should establish and document how employees in your organization are mapped to business roles, and corresponding birthright entitlements (default access permissions granted based on an employee's role) such as groups and roles in target applications.
Implementing Veza Lifecycle Management will require:
Defining segmentation criteria in terms of Business Roles for identities in your organization.
Defining Role Conditions used in Lifecycle Management policies that Veza will use to match roles to identities, based on attributes from the source of identity.
Defining Profiles for each target application that will map Business Roles to application-specific entitlements.
Assigning Profiles to Business Roles to enable business rules.
The topics in this document will help you structure your Lifecycle Management implementation, and establish foundations that you can use to simplify access management throughout the employee lifecycle.
Key considerations and requirements
Is a lifecycle management process defined for your organization?
If yes: Begin assessing your current policies for implementation with Veza Lifecycle Management.
If no: Work with application owners, HR administrators, and other stakeholders to establish protocols for granting and revoking access as employees join, depart, or change roles.
Do you have one, or even multiple sources of truth for employee identity metadata?
At least one source of identity is required to trigger Lifecycle Management actions when there are changes in the data source. This data source could be an HRIS system, identity provider, directory service, or an exported report.
Veza supports importing employee records from built-in , OAA integrations using the , and .
For example, you may have different sources of identity for full-time and employees and contractors.
What scenarios will be automated?
A range of applications can be sources of identity and targets for Lifecycle Management, with different actions supported for each integration. See and for the current capabilities.
This list of business roles might be sourced from an organization chart, or a human resources information system (HRIS). These roles can be defined in terms of any discriminating attributes from a source of identity, such as:
Employee or contractor status
Roles and job positions
Business Units (BUs)
Locations
Define and list the different populations of employees with different levels of access in your organization (such as by roles, regions, and teams).
Organize the populations hierarchically, each inheriting the access granted to its parent population. For example, you might have a structure "All Employees" > "Sales Team" > "Sales Managers," with each inheriting the access granted to the parent.
Example Business Roles:
Sales
Developers
Executive Employees
US Employees
China Employees
Identify the attributes and conditions that will identify the segment each user belongs to. The possible attributes will depend on the employee metadata provided by your HRIS or other source of truth for identity.
For example, you might assign certain Active Directory groups only to US employees, identified by a source Workday Worker's work_location. To define these conditions, you will need to understand what attributes are available within the source of truth, and how the values map to each employee segment.
Consider how employee records are structured in your source of identity, including all the built-in attributes belonging to an identity, and the possible values.
Check if any custom attributes can be used to define role conditions, and ensure these are enabled in the Veza authorization graph.
Document how employee populations correspond to the attribute values contained in the source of identity.
Examples: Source attributes for role conditions
Employee Number
Unique identifier for the employee.
Company
The company or subsidiary the employee works for.
First Name
Employee's first name.
Last Name
Employee's last name.
Preferred Name
Employee's preferred first name.
Display Full Name
Full name for display; includes preferred first name if available.
Canonical Name
Employee's canonical name.
Username
Username as shown in the integration UI.
Employee's work email (unique).
IDP ID
ID for connecting to the destination IDP provider.
Personal Email
Employee's personal email.
Home Location
Employee's home location.
Work Location
Employee's work location.
Cost Center
Cost center ID associated with the employee.
Department
Department ID (Group ID) of the employee.
Managers
List of employee IDs of the employee's managers.
Groups
List of group IDs the employee is associated with.
Employment Status
Employment status, e.g., ACTIVE, PENDING, or INACTIVE.
Is Active
Indicates if the employee is active.
Start Date
The date the employee started working.
Termination Date
Employee's termination date, if applicable.
Job Title
Employee's job title.
Employment Types
Type of employment, e.g., FULL_TIME, PART_TIME, INTERN, CONTRACTOR, or FREELANCE.
Primary Time Zone
Employee's primary time zone.
Using this standard identity metadata, a Lifecycle Management workflow runs specific actions for identities where some or all of the conditions are true:
Employment Status equals "Pending"
Employment Types equals "Full Time"
Department equals "Engineering"
Work Location equals "US"
Cost Center equals "R&D"
Start Date on or after "2025-01-01"
A Profile defines a set of entitlements for a specific application that can be assigned to users. For each target application, application owners will need to establish levels of birthright entitlements by defining Profiles mapped to groups, roles, or other entitlements that can be assigned to a user.
Review target applications to validate that the expected entitlements are configured, with the correct scopes and permissions for the Profiles they will be associated with.
Examples: Access Profiles
AD Executive Employees
Active Directory
Executive Employee - Manager US (Active Directory Group)
AD Engineering Managers
Active Directory
Engineering - Manager US (Active Directory Group)
Azure Helpdesk Role
Azure
Helpdesk Administrator (Azure AD Role)
Google China Employees
Google Cloud
Google China Employees (Google Group)
Create Business Roles for each segment.
For each Business Role, inherit a corresponding access profile.
Assign one or more Profiles to each Business Role as needed to fully define the birthright entitlements for each position.
Examples: Map Business Roles to Profiles
Asia Employees
US Employees
Developers
Attributes from the source of identity can determine the attributes of users in target systems when creating or updating a target entity.
For example, a provisioned Okta User's country_code might be set to a source Workday Worker's work_location. Additionally, the Okta User manager attribute could be continually synchronized to match the Worker’s manager.
For each application, understand the supported attributes for provisioned users.
Assess the identity metadata from your source of truth to decide how source entity attributes will be used to set the values of target entity attributes.
Examples: Synced Attributes
Sync Active Directory Accounts for Active Employees (Joiners/Movers)
When provisioning AD Users, create user attributes based on values in the source of identity. These attributes can also be kept up-to-date with the source of identity when there are changes, by enabling Continuous Sync.
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Minnetonka,OU=US,OU=Evergreen Staff,DC=evergreentrucks,DC=local
user_principal_name
username
{username}@evergreentrucks.com
username
{username}@evergreentrucks.com
display_name
display_full_name
{display_full_name}
given_name
first_name
{first_name}
sur_name
last_name
{last_name}
country_code
work_location
{work_location}
job_title
job_title
{job_title}
primary_group_dn
-
CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local
Sync Active Directory Attributes for Withdrawn Employees (Leavers)
When disabling AD Users, update the DN and Primary Group DN to a group and OU reserved for terminated employees:
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Evergreen Termination,OU=Evergreen Staff,DC=evergreentrucks,DC=local
primary_group_dn
-
CN=Terminated Users,OU=Evergreen Groups,DC=evergreentrucks,DC=local
Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization.
Updating the distinguished_name to place leavers in a specific organizational unit (OU), like "Evergreen Termination," separates active users from inactive ones, and enables the application of policies, scripts, and queries that target inactive users without affecting active employees.
Begin by identifying and cataloging the different roles that can be assigned to employees and their digital identities within your organization. Users will be granted entitlements within target applications based on these business roles based on your Lifecycle Management .
Create a in Veza to model each segment.
The following standard attributes are available by all HRIS integrations that use an Open Authorization API template, along with any enabled for the integration. You can typically import data from any HRIS system to Veza using this template, sourced from a generated report, API calls, or CSV data.
Create Lifecycle Management mapped to those entitlements.
When configuring the action, administrators can grant or revoke access by choosing a Business Role that inherits the desired Profile.
Configure to inherit the corresponding access profiles, mapping entitlements to employee segments.
Target synced attributes can have fixed values (e.g., always true), can match a source attribute, or contain a combination of source values, transformed as needed to match the required format. Rules for synchronizing attributes are managed with .
Veza can synchronize attributes during provisioning and de-provisioning workflows, and whenever a change is detected in the source of identity. Decide which attributes should be kept in , and which should only be created (and never modified after creating an entity).