Configuring the Salesforce integration for Veza Lifecycle Management.
Last updated
Was this helpful?
The Veza integration for Salesforce enables automated user lifecycle management across your identity ecosystem. This integration allows security and IT teams to automate the provisioning, updating, and deprovisioning of Salesforce user accounts based on changes in an authoritative source (such as an HRIS system or another identity provider).
Key capabilities include:
User Provisioning: Automatically create Salesforce user accounts with appropriate profiles and permissions
Attribute Synchronization: Keep user details in sync across systems, ensuring data consistency
Permission Management: Assign and remove permission sets and roles based on policies
User Deprovisioning: Safely disable access when users leave the organization
The integration leverages the SCIM protocol for standardized identity management operations and uses Salesforce-specific APIs for permission management.
SYNC_IDENTITIES
Synchronizes identity attributes between systems, with options to create new identities and update existing ones
✅
MANAGE_RELATIONSHIPS
Controls entitlements such as permission set assignments, role assignments, and profile assignments for identities
✅
DEPROVISION_IDENTITY
Safely freezes or disables access for identities, includes user deactivation support
✅
CREATE_ENTITLEMENT
Creates entitlements such as Salesforce permission sets
❌
SOURCE_OF_IDENTITY
Salesforce can act as a source system for identity lifecycle policies
✅
This document includes steps to enable the Salesforce integration for Lifecycle Management, along with details on supported actions and notes.
Before configuring the integration, ensure you have:
Administrative access in Veza to configure the integration
An existing in Veza or add a new one
At least one successful extraction from your Salesforce integration
The appropriate permissions in Salesforce
Salesforce API v40 or later for user provisioning
The Salesforce integration will need the following permissions:
Assign Permission Sets: Enables assignment and removal of permission sets for users.
Freeze Users: Enables freezing and unfreezing user accounts.
Manage Internal Users: Required for user creation and updates.
Manage IP Addresses: Required for managing trusted IP ranges if IP restrictions are used.
Manage Login Access Policies: Required for configuring login access policies.
Manage Password Policies: Required for setting and resetting passwords during user creation.
Manage Profiles and Permission Sets: Required for permission set and profile assignment.
Manage Roles: Required for role assignments and management.
Manage Sharing: Required for managing sharing rules and access control.
Manage Users: Essential for user lifecycle operations.
Monitor Login History: Required for monitoring user logins.
Reset User Passwords and Unlock Users: Required for account management.
View All Profiles: Required to view profile information for all users.
View All Users: Required to view all user information.
In Salesforce, you can add these permissions for the Veza connected app in the System Permissions section at the bottom of the Permission Set configuration page.
Veza Lifecycle Management uses Salesforce SCIM APIs for identity provisioning operations. The SCIM protocol enables the automated exchange of user identity data between Veza and Salesforce. The permissions listed above provide the necessary access for SCIM functionality.
The Connected App used for the integration must have OAuth scopes that include api and refresh_token permissions and a certificate for JWT-based authentication
To make the required API calls, the integration requires a custom user profile in Salesforce with "API Enabled" permission
To enable the integration:
In Veza, go to the Integrations overview.
Check the box to Enable usage for Lifecycle Management.
Save the configuration.
Configure the extraction schedule to ensure your Salesforce data remains current:
Go to Veza Administration > System Settings.
In Pipeline > Extraction Interval, set your preferred interval.
Optionally, set a custom override for Salesforce in the Active Overrides section.
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.
Search for the integration and click the name to view details.
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.
Veza's Salesforce integration implements the SCIM 2.0 protocol to standardize identity management operations:
Users are represented with standard SCIM core attributes plus Salesforce-specific Enterprise extensions
The system uses email addresses as the primary key for user lookups
Usernames cannot be changed after creation and must be unique within the Salesforce instance
User profiles are managed through SCIM entitlements
User roles are handled through SCIM roles endpoints
User Deprovisioning is implemented as deactivation (setting active=false)
Permission sets are assigned through Salesforce API calls after user creation
Salesforce can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Salesforce, with changes propagated to connected systems.
Salesforce can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow:
Primary action for user management (creating or updating users):
Usernames cannot be changed after creation.
Email addresses must be unique.
Required attributes must be present (Username, Email, FirstName, LastName).
Passwords are set during user creation.
Division and Department attributes are excluded during updates due to Salesforce API limitations.
Salesforce does not support changing usernames after creation.
The following attributes can be synchronized:
username
Yes
String
Primary login identifier
Unique identifier
emails
Yes
String List
User's email addresses
first_name
Yes
String
Given name
last_name
Yes
String
Family name
profile_id
Yes
String
User's profile ID
is_active
No
Boolean
Account status
department
No
String
Organizational department
user_role_id
No
String
User's role ID
The following relationship types are supported:
Groups: Add and remove group memberships (only for groups with Group Type = Regular).
Permission Sets: Add and remove permission set assignments.
Permission Set Groups: Add and remove permission set group assignments.
Profiles: Manage profile assignments.
User Roles: Synchronize user role assignments.
Notes:
Profile and role assignments are managed via SCIM and Salesforce APIs.
When removing a profile assignment, users are assigned the "Minimum Access - Salesforce" profile by default. This profile must exist in your Salesforce instance for profile changes to work properly.
Only Salesforce groups with the property Group Type = Regular can be used in Manage Relationships configurations.
Groups of type RoleAndSubordinatesInternal are not supported but can be assigned through their corresponding roles.
Direct creation of permission sets ("Create Entitlement" action) is not currently supported.
When a user is deprovisioned:
The user account is frozen or deactivated (Salesforce does not allow user deletion).
Permission set assignments are removed.
Attribute history is preserved for audit.
The account can be reactivated if needed.
For additional details about Salesforce's SCIM implementation, refer to the .
Search for or create a integration.
Ensure the integration permission set includes the .
The integration supports the following lifecycle management :