Release Notes

MySQL

Configuring the MySQL integration for Veza Lifecycle Management

Overview

The Veza integration for MySQL enables automated user provisioning, access management, and deprovisioning capabilities. This integration allows you to synchronize identity information, manage role memberships, and automate the user lifecycle from onboarding to offboarding.

Action Type
Description
Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

MANAGE_RELATIONSHIPS

Controls role membership for user identities

DEPROVISION_IDENTITY

Safely disables access for identities without deleting them

DELETE_IDENTITY

Permanently removes user identities from the database

SOURCE_OF_IDENTITY

MySQL can act as a source system for identity lifecycle policies

This document includes steps to enable the MySQL integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

MySQL Version Compatibility: Lifecycle Management supports MySQL 5.7 and later. Role management (MANAGE_RELATIONSHIPS) requires MySQL 8.0 or later.

Enabling Lifecycle Management for MySQL

Prerequisites

Required Access

  1. You will need administrative access in Veza to configure the integration.

  2. Ensure you have an existing MySQL integration in Veza or add a new one for use with Lifecycle Management.

  3. Verify your MySQL integration has completed at least one successful extraction.

Required MySQL Service Account Privileges

The MySQL service account used for Lifecycle Management requires specific global privileges depending on which features you plan to use.

Minimal Required Privileges

These privileges are required for core Lifecycle Management functionality:

Privilege
Scope
Required For
Notes

CREATE USER

Global (*.*)

Creating, modifying, and deleting user accounts

Also enables ALTER USER and DROP USER operations automatically

GRANT OPTION

Global (*.*)

Granting roles to users (MANAGE_RELATIONSHIPS)

Required to delegate privileges and assign roles to users

Optional Privileges for Extended Functionality

These privileges enable additional features but are not required for basic operations:

Privilege
Scope
Required For
Notes

SUPER

Global (*.*)

Granting/revoking SUPER privilege via the is_full_admin attribute

High privilege - enables system-wide administrative operations. Only needed if you plan to use is_full_admin. Use a dedicated service account and restrict its host pattern for security.

CREATE ROLE

Global (*.*)

Creating new roles via MANAGE_RELATIONSHIPS (MySQL 8.0+ only)

Only needed if you want Lifecycle Management to create roles dynamically

DROP ROLE

Global (*.*)

Deleting roles via MANAGE_RELATIONSHIPS (MySQL 8.0+ only)

Only needed if you want Lifecycle Management to delete roles

Granting Privileges

-- Create dedicated service account with restricted host pattern
CREATE USER 'veza_lcm'@'10.0.%' IDENTIFIED BY 'secure_password_here';

-- Grant minimal required privileges
GRANT CREATE USER ON *.* TO 'veza_lcm'@'10.0.%' WITH GRANT OPTION;

-- Apply privilege changes
FLUSH PRIVILEGES;

Configuration Steps

To enable the integration:

  1. In Veza, go to the Integrations overview

  2. Search for or create a MySQL integration

  3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your MySQL data remains current:

  1. Go to Veza Administration > System Settings

  2. In Pipeline > Extraction Interval, set your preferred interval

  3. Optionally, set a custom override for MySQL in the Active Overrides section

To verify the health of the Lifecycle Management data source:

  1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

  2. Search for the integration and click the name to view details

  3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

MySQL can serve as a source for identity information in Lifecycle Management Policies, with user identity details synchronized from MySQL and propagated to connected systems. MySQL can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow.

All lifecycle management operations are performed within database transactions, ensuring atomicity - either all changes succeed or all fail.

Important: Active MySQL sessions are not automatically terminated by account changes (locks or deletions). Existing sessions continue until the user logs out. For security incidents, manually terminate sessions using KILL CONNECTION before deprovisioning or deleting accounts.

The integration supports the following lifecycle management Actions:

Sync Identities

The SYNC_IDENTITIES action synchronizes user account attributes between systems. This action can create new users and update existing users.

  • Entity Types: MySQLUserInstance

  • Create Allowed: Yes - New user identities can be created if not found in MySQL

MySQL User Identity Model

MySQL uniquely identifies users by the combination of username and host pattern: 'username'@'host_pattern'. This means 'alice'@'%' and 'alice'@'localhost' are two completely different user accounts with separate privileges and authentication.

Host Pattern Examples:

  • '%' - Can connect from any host (unrestricted)

  • 'localhost' - Can only connect from MySQL server itself

  • '192.168.1.%' - Restricted to specific network range

  • '10.0.%' - Restricted to 10.0.0.0/16 network

For security, use specific network ranges (e.g., '10.0.%') instead of unrestricted access ('%') when possible.

Syncable Attributes

MySQL User Attributes
Property
Required
Type
Description
MySQL Mapping

user

Yes

String

Username portion of MySQL user identity

mysql.user.User column

host

Yes

String

Host pattern defining where user can connect from

mysql.user.Host column

is_full_admin

No

Boolean

Whether user has SUPER privilege (full administrator rights)

mysql.user.Super_priv column

Attribute Behavior

The user and host attributes are required and combined to form the unique identity 'username'@'host_pattern'. The username cannot be changed after creation (renaming not supported). The host pattern supports wildcards including '%' (any host), 'localhost' (local only), IP patterns like '192.168.1.%', and hostname patterns like '%.example.com'.

The optional is_full_admin attribute grants or revokes SUPER privilege via GRANT SUPER ON *.* TO 'user'@'host' or REVOKE SUPER. SUPER enables system-wide administrative operations - for MySQL 8.0+, consider using dynamic privileges for more granular control.

Account Status Control: User account active/inactive status is controlled through the DEPROVISION_IDENTITY action (via ALTER USER ACCOUNT LOCK/UNLOCK), not through SYNC_IDENTITIES attributes. When deprovisioned, new logins are prevented but active sessions continue. To reactivate a deprovisioned user, use SYNC_IDENTITIES to update the user.

Passwords are automatically generated using cryptographically secure random generation at user creation time, using MySQL's default authentication plugin (caching_sha2_password for MySQL 8.0+, mysql_native_password for MySQL 5.7). Password updates are not supported via SYNC_IDENTITIES; use ALTER USER 'username'@'host' IDENTIFIED BY 'new_password' directly in MySQL.

Manage Relationships

The MANAGE_RELATIONSHIPS action controls user membership in MySQL roles. This action can grant roles to users, revoke roles from users, create new roles, and delete existing roles.

  • Supported Relationship Types:

    • MySQLRoleInstance: User membership in MySQL roles (MySQL 8.0+ required)

  • Assignee Types: MySQLUserInstance

  • Supports Removing Relationships: Yes

⚠️ MySQL Version Requirement: Role functionality requires MySQL 8.0 or later. This feature is not available in MySQL 5.7 or earlier versions.

Role Operations

MySQL roles (MySQL 8.0+) are named collections of privileges stored in the mysql.user table with a 'name'@'host' identity format. Role-to-user assignments are tracked in the mysql.role_edges system table.

Operation
SQL Command
Behavior

Grant role to user

GRANT 'role_name'@'role_host' TO 'username'@'user_host'

Links role to user in mysql.role_edges. Role activation required*

Revoke role from user

REVOKE 'role_name'@'role_host' FROM 'username'@'user_host'

Removes link and immediately deactivates role in active sessions

Create role

CREATE ROLE 'role_name'@'role_host'

Creates entry in mysql.user. Role has no privileges by default

Delete role

DROP ROLE 'role_name'@'role_host'

Removes entry and automatically revokes role from all users

* Granting a role does not automatically activate its privileges. To enable automatic activation, configure MySQL: SET GLOBAL activate_all_roles_on_login = ON. Alternatively, set default roles per user: SET DEFAULT ROLE ALL TO 'username'@'host'.

Deprovision Identity

Disables a MySQL user account without deleting it (soft delete). User entry remains in database with all privileges preserved, but login attempts fail.

  • Entity Type: MySQLUserInstance

  • Remove All Relationships: No - Role memberships and privileges preserved

  • Deprovisioning Method: Account Lock via ACCOUNT LOCK feature

  • Reversible: Yes - Reactivate via ACCOUNT UNLOCK or SYNC_IDENTITIES with is_active: true

Executes ALTER USER 'username'@'host' ACCOUNT LOCK, which sets account_locked = 'Y' in the mysql.user table. New login attempts fail immediately while all role memberships, privileges, database objects, and user metadata are preserved. Reactivate via ALTER USER 'username'@'host' ACCOUNT UNLOCK or SYNC_IDENTITIES with is_active: true.

Delete Identity

Permanently removes a MySQL user account from the database (hard delete). Irreversible - user cannot be recovered.

  • Entity Type: MySQLUserInstance

  • Permanence: Irreversible - User cannot be recovered

  • Remove All Relationships: Yes - All privileges and role memberships removed

Executes DROP USER 'username'@'host', which removes the user record from mysql.user and all grant table entries. All privileges and role memberships are removed, but database objects (tables, views, stored procedures, triggers, events) remain with orphaned DEFINER references.

Objects with DEFINER pointing to the deleted user may fail depending on SQL SECURITY mode - objects with DEFINER (default) may fail with "user specified as definer does not exist" error, while objects with INVOKER execute using the invoking user's privileges and are unaffected.

Critical: Always audit database objects before deleting users. Identify affected objects:

-- Find stored procedures/functions with this DEFINER
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE
FROM INFORMATION_SCHEMA.ROUTINES
WHERE DEFINER = 'username@host';

-- Find views with this DEFINER
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.VIEWS
WHERE DEFINER = 'username@host';

Reassign ownership to a service account before deletion: ALTER DEFINER='service_account'@'%' VIEW schema.view_name;

DELETE vs DEPROVISION Comparison

Aspect
DELETE_IDENTITY
DEPROVISION_IDENTITY

User entry

Removed from database

Preserved in mysql.user

Reversible

No (must recreate)

Yes (ACCOUNT UNLOCK)

Privileges

Removed

Preserved

Role memberships

Removed

Preserved

Objects owned

Preserved but orphaned (invalid DEFINER)

Preserved with ownership intact

Audit trail

Lost

Maintained

Prefer DEPROVISION_IDENTITY unless permanent deletion is specifically required. Deprovisioning provides same access control while maintaining recoverability and audit trails.

PreviousGitHubNextOkta

Last updated

Was this helpful?