Customizing email notifications and Webhook configuration for Lifecycle Management events and Access Requests.
Email Templates Overview
Administrators can customize email notifications sent during Lifecycle Management and Access Request workflows. These emails can include instructions, unique branding, and placeholders for metadata specific to the event (such as entity names, action types, or request details). Each notification type (usage) can have its own customized template.
Notification templates support HTML and CSS. They can include links to external images or you can upload small files to Veza. This document includes steps to configure templates in Veza using the notifications API, and a reference for event types, default templates, and supported placeholders.
Template Management: Currently, notification templates can only be managed via the Notification Templates API. Template management through the Veza UI is not yet available.
In addition to event-specific templates, you can create custom email templates that are not tied to specific lifecycle events. These reusable templates allow you to define notification content once and use it across Send Notification actions and action notification settings. Custom email templates are:
Reusable: Single template for multiple workflows and actions
Event-independent: Not associated with a specific lifecycle event type
Flexible: Can be used in both Send Notification actions and action notification settings (on_success/on_failure)
Standard placeholder support: Supports all the same placeholders as event-based templates
To create a custom email template:
Navigate to Lifecycle Management > Settings > Notifications
Click Create Template
Select For Custom Email (as opposed to "For Event")
Define your template name, subject, and body using HTML and placeholders
Save the template
To use a custom template, select it when configuring the Send Notification action, or in Action Notification Settings:
Send Notification action: Choose from the "Select Email Template" dropdown when configuring the action
Action Notification Settings: Select the template for on_success or on_failure email notifications on any action
When you select "Default template" in these dropdowns, the system uses the event-based template appropriate for the event. When you select a custom template, that template is used regardless of the specific event being processed.
Custom templates support all standard placeholders documented in the Placeholders section. The available values depend on the context in which the template is used (e.g., action notifications have action-related placeholders, event notifications have event-related placeholders).
Default Templates
The system provides built-in templates for all Lifecycle Management and Access Request events. These templates use placeholders that are automatically replaced with actual values when notifications are sent.
Generic Failure Template
When specific event templates aren't available or when events fail, the system uses a generic failure template:
Subject: Lifecycle job {{EVENT_TYPE}} has failed
Body:
<html><body>
<br>
<br> Here is the notification that lifecycle job has failed. <br>
Error message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
For reference:
<br> job_id: {{JOB_ID}}<br>
<br> identity_id: {{EVENT_IDENTITY_ID}}
<br> identity_name: {{EVENT_IDENTITY_NAME}}
<br> entity_type: {{ENTITY_TYPE}}
<br> entity_name: {{ENTITY_NAME}}
</body></html>
Each template you create is associated with a specific notification event (referred to as usage in the API). Veza provides built-in email templates for all event types, organized by functional area below. These templates include standard placeholders and can be customized or replaced with your own templates.
Identity Management Templates
CREATE_IDENTITY
Subject: New Hire Notification: {{ENTITY_TYPE}} account created
Body:
<html><body>
Hello,<br>
<br>
Here is the information for your new-hire: {{ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
<br>
</body></html>
CREATE_GUEST_ACCOUNT
Subject: New {{ENTITY_TYPE}} Guest Account Created: {{ENTITY_NAME}}
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} attributes have been synced <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>
DELETE_IDENTITY
Subject: Identity Deleted Notification: {{ENTITY_TYPE}} has an account deleted
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has been deleted <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>
DISABLE_IDENTITY
Subject: Identity Disabled Notification: {{ENTITY_TYPE}} has an account disabled
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has been disabled <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>
Relationship Management Templates
ADD_RELATIONSHIP
Subject: New Relationship Added Notification: {{ENTITY_TYPE}} has an account with new relationship to a {{RELATIONSHIP_ENTITY_TYPE}}
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a new relationship to {{RELATIONSHIP_ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Relationship Type: {{RELATIONSHIP_ENTITY_TYPE}} <br>
<br>
</body></html>
REMOVE_RELATIONSHIP
Subject: Relationship Removed Notification: {{ENTITY_TYPE}} has an account whose relationship was remove from a {{RELATIONSHIP_ENTITY_TYPE}}
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a relationship removed from {{RELATIONSHIP_ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Relationship Type: {{RELATIONSHIP_ENTITY_TYPE}} <br>
<br>
</body></html>
Email Management Templates
CREATE_EMAIL
Subject: New Email Notification: {{ENTITY_TYPE}} has an account with new email
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a new email address <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Email: {{EMAIL}} <br>
<br>
</body></html>
WRITE_BACK_EMAIL
Subject: New Write Back Email Notification: {{ENTITY_TYPE}} has had an email sync to it
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has the newly created email synced back to it <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Email: {{EMAIL}} <br>
<br>
</body></html>
Password Management Templates
CHANGE_PASSWORD
Subject: Password Change Notification: {{ENTITY_TYPE}} has an account with a new password
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a password <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
New Password: {{LOGIN_PASSWORD}} <br>
<br>
</body></html>
RESET_PASSWORD
Subject: Reset Password Notification: {{ENTITY_TYPE}} has had their password reset
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has had their password reset <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
Temporary Password: {{LOGIN_PASSWORD}} <br>
<br>
</body></html>
Entitlement Management Templates
CREATE_ENTITLEMENT
Subject: Create entitlement notification: an entry of {{ENTITY_TYPE}} is created
Body:
<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} is created: {{ENTITY_NAME}} <br>
<br>
</body></html>
RENAME_ENTITLEMENT
Subject: Rename entitlement notification: an entry of {{ENTITY_TYPE}} is renamed
Body:
<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} is renamed with new name: {{ENTITY_NAME}} <br>
<br>
</body></html>
SYNC_ENTITLEMENT
Subject: Sync entitlement notification: an entry of {{ENTITY_TYPE}} is renamed
Body:
<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} has been re-synced with the target system: {{ENTITY_NAME}} <br>
<br>
</body></html>
Access Request Templates
ACCESS_REQUEST_COMPLETE
Subject: Access Request {{ACCESS_REQUEST_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} has {{SUCCEED_OR_FAILED}}
Body:
<html><body>
Hello,<br>
<br>
{{ACCESS_REQUEST_ENTITY_NAME}} has been {{ACCESS_REQUEST_TYPE}} with: {{ACCESS_REQUEST_TARGET_NAME}}.<br>
<br>
User Type: {{ACCESS_REQUEST_ENTITY_TYPE}} <br>
Target Type: {{ACCESS_REQUEST_TARGET_TYPE}} <br>
<br>
</body></html>
ACCESS_REQUEST_CREATED
Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}
Body:
<html><body>
Hello,<br>
<br>
The request is currently in {{ACCESS_REQUEST_STATE}} state.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>
ACCESS_REQUEST_FAILED
Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is failed
Body:
<html><body>
Hello,<br>
<br>
The request is failed, with an error message: {{EVENT_ERROR_MESSAGE}}
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>
ACCESS_REQUEST_STATE_CHANGED
Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}
Body:
<html><body>
Hello,<br>
<br>
The request is currently in {{ACCESS_REQUEST_STATE}} state.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>
ACCESS_REQUEST_APPROVER_ASSIGNED
Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} in {{ACCESS_REQUEST_STATE}} as new assigned approvers
Body:
<html><body>
Hello,<br>
<br>
The request currently in {{ACCESS_REQUEST_STATE}} state has new been assigned new approvers.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>
Error and Failure Templates
ACTION_FAILED
Subject: Action Failed: {{ACTION_NAME}} for identity {{IDENTITY_NAME}}
<html><body>
Hello,<br>
<br>
The safety limit for policy {{POLICY_NAME}} has been reached. No further identity changes were processed.<br>
</body></html>
CUSTOM_ACTION
Subject: New Custom Action Notification: {{ENTITY_TYPE}} has performed a custom action
Body:
<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has performed a custom action <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Message: {{EVENT_ERROR_MESSAGE}} <br>
<br>
</body></html>
Image Attachments
From the Veza UI, you can add images directly through the "Add images" option. These will be automatically encoded and included in your template.
Image Requirements: For API-based template management, small images under 64kb can be attached when configuring a template. The image must be base64-encoded and specified in the attachments field of the API request.
To use an attachment you have uploaded in a template, specify it by attachment.name, for example:
<img src="cid:<name_of_attachment>">
To embed high-resolution images in your templates, you should serve the content from a public URL, and use HTML to link and style it.
Placeholders
Use placeholders to include dynamic information in templates, such as entity names, action types, timestamps, and other event metadata. Placeholders are automatically replaced with actual values when notifications are sent.
Identity and Entity Information

| Placeholder | Description |
| --- | --- |
| {{ENTITY_TYPE}} | The type of entity (e.g., "ActiveDirectoryUser", "OktaUser") |
| {{ENTITY_NAME}} | The name of the entity/identity |
| {{LOGIN_NAME}} | The login/username for the account |
| {{LOGIN_PASSWORD}} | The password (for password-related notifications) |
| {{EMAIL}} | Email address associated with the identity |

Relationship Information

| Placeholder | Description |
| --- | --- |
| {{RELATIONSHIP_ENTITY_TYPE}} | Type of the related entity |
| {{RELATIONSHIP_ENTITY_NAME}} | Name of the related entity |

Action and Job Information

| Placeholder | Description |
| --- | --- |
| {{ACTION_NAME}} | Name of the action being performed |
| {{ACTION_TYPE}} | Type of action |
| {{ACTION_JOB_ID}} | Unique identifier for the action job |
| {{SUCCEED_OR_FAILED}} | Status indicator ("succeeded" or "failed") |
| {{SENT_INVITE}} | Whether an invite was sent (for guest accounts) |

Access Request Information

| Placeholder | Description |
| --- | --- |
| {{ACCESS_REQUEST_TYPE}} | Type of Access Request |
| {{ACCESS_REQUEST_ENTITY_NAME}} | Name of the entity requesting access |
| {{ACCESS_REQUEST_ENTITY_TYPE}} | Type of the requesting entity |
| {{ACCESS_REQUEST_TARGET_TYPE}} | Type of the target resource |
| {{ACCESS_REQUEST_TARGET_NAME}} | Name of the target resource |
| {{ACCESS_REQUEST_URL}} | URL to view the Access Request details |
| {{ACCESS_REQUEST_STATE}} | Current state of the Access Request |
| {{ACCESS_REQUEST_SOURCE_TYPE}} | Source type of the Access Request |

Event and Error Information

| Placeholder | Description |
| --- | --- |
| {{EVENT_TYPE}} | Type of lifecycle event |
| {{JOB_ID}} | Job identifier |
| {{EVENT_ERROR_MESSAGE}} | Error message for failed events |
| {{EVENT_IDENTITY_ID}} | Identity ID associated with the event |
| {{EVENT_IDENTITY_NAME}} | Identity name associated with the event |

Policy and Workflow Information

| Placeholder | Description |
| --- | --- |
| {{POLICY_NAME}} | Name of the lifecycle policy |
| {{WORKFLOW_NAME}} | Name of the workflow |
| {{ACTION_ID}} | Action identifier |
| {{WORKFLOW_ID}} | Workflow identifier |
| {{DATASOURCE_ID}} | Datasource identifier |

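
A pre-upload check for the template rules described above, as an added example that is not Veza's code: it flags placeholders missing from the tables on this page, `{{LOGIN_PASSWORD}}` in a subject line or outside the CHANGE_PASSWORD and RESET_PASSWORD templates, `cid:` references with no matching attachment, and attachments that are not valid base64 or not under the size limit. The function name, the name-to-base64 attachment mapping, and reading "64kb" as 64 KiB of decoded data are assumptions made for this example.

```python
import base64
import binascii
import re

# Placeholder names from the tables on this page.
SUPPORTED = set("""
ENTITY_TYPE ENTITY_NAME LOGIN_NAME LOGIN_PASSWORD EMAIL
RELATIONSHIP_ENTITY_TYPE RELATIONSHIP_ENTITY_NAME
ACTION_NAME ACTION_TYPE ACTION_JOB_ID SUCCEED_OR_FAILED SENT_INVITE
ACCESS_REQUEST_TYPE ACCESS_REQUEST_ENTITY_NAME ACCESS_REQUEST_ENTITY_TYPE
ACCESS_REQUEST_TARGET_TYPE ACCESS_REQUEST_TARGET_NAME ACCESS_REQUEST_URL
ACCESS_REQUEST_STATE ACCESS_REQUEST_SOURCE_TYPE
EVENT_TYPE JOB_ID EVENT_ERROR_MESSAGE EVENT_IDENTITY_ID EVENT_IDENTITY_NAME
POLICY_NAME WORKFLOW_NAME ACTION_ID WORKFLOW_ID DATASOURCE_ID
""".split())
PASSWORD_USAGES = {"CHANGE_PASSWORD", "RESET_PASSWORD"}
MAX_ATTACHMENT_BYTES = 64 * 1024  # assumption: "64kb" read as 64 KiB, decoded
PLACEHOLDER = re.compile(r"\{\{([^{}]*)\}\}")  # exact {{NAME}} form only


def lint_template(usage, subject, body, attachments=None):
    """Return findings for one template; an empty list means it is clean.

    usage is an event type, or None for a custom (event-independent) template.
    attachments maps name -> base64 string (a shape assumed for this example).
    """
    attachments = attachments or {}
    findings = []
    in_subject = set(PLACEHOLDER.findall(subject))
    used = in_subject | set(PLACEHOLDER.findall(body))
    for name in sorted(used - SUPPORTED):
        findings.append(f"unknown placeholder: {name!r}")
    if "LOGIN_PASSWORD" in used and usage not in PASSWORD_USAGES:
        findings.append("LOGIN_PASSWORD used outside a password template")
    if "LOGIN_PASSWORD" in in_subject:
        findings.append("LOGIN_PASSWORD in subject line")
    for cid in sorted(set(re.findall(r"""cid:([^"'\s>]+)""", body))):
        if cid not in attachments:
            findings.append(f"cid reference without attachment: {cid}")
    for name, data in sorted(attachments.items()):
        try:
            size = len(base64.b64decode(data, validate=True))
        except (binascii.Error, ValueError):
            findings.append(f"attachment is not valid base64: {name}")
            continue
        if size >= MAX_ATTACHMENT_BYTES:
            findings.append(f"attachment too large ({size} bytes): {name}")
    return findings
```

Custom templates are passed with `usage=None`, so a reusable template that carries `{{LOGIN_PASSWORD}}` is always reported.
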
Webhook Configuration Overview
Webhook notifications are triggered when actions execute during the LCM Policy workflow process. Webhooks inform stakeholders, or notify integrated external systems, of events processed within the workflow. A webhook notification can be configured either as its own discrete action in a workflow or as an option when another action is executed.
For example, a webhook is sent to the company's learning management system to initiate online onboarding training once each new hire's Active Directory account is provisioned, following a successful Sync Identity operation.
Create a Webhook
To create and manage a webhook, perform the following:
Go to Policies and select a policy.
Click Edit Policy.
Click Policy Settings.
Scroll down to Notifications and click Add Notification.
Choose the Webhook notification type.
Choose an event to trigger notifications:
Create Identity
Sync Identity
Add Relationship
Remove Relationship
Create Email
Change Password
Delete Identity
Disable Identity
Manage Relationships
Write Back Email
Access Request Complete
Custom Action
Action Failed
Workflow Task Failed
Extraction Event Failed
Create Entitlement
Create Guest Account
Rename Entitlement
Create Access Review
Reset Password
Create Access Review Queued
Safety Limit Reached
Sync Entitlement
Choose the status to trigger notifications (when an event is Successful, or On Failure).
Select an Existing Veza Action.
A Veza Action is an integration with functionality for sending data to external systems, enabling downstream processes around Veza alerts, and access to reviewer actions. Use a Veza Action to configure generic webhooks or enable email notifications.
See Veza Actions Webhooks for how to create and deploy a webhook.
To customize the Webhook setting, perform the following:
In the Webhook URL field, enter the endpoint configured to receive the webhook payload.
In the Webhook Auth Header field, enter the Auth Header if the webhook listener requires authentication.
When configured, webhook requests include an Authorization header containing the credentials specified in the Webhook Auth Header field. This allows the receiving endpoint to authenticate the request using Bearer tokens, API keys, or other authentication schemes.
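A receiving endpoint that checks the Authorization header described above, as an added example that is not Veza's code: it rejects requests before reading the body unless the header matches the configured value, using a constant-time comparison and failing closed when no value is configured. Assumptions: the environment variable name `WEBHOOK_AUTH_HEADER`, the listener address, the body size limit, and that the header arrives exactly as entered in the Webhook Auth Header field.

```python
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the receiver gets the same string that was entered in the
# Webhook Auth Header field, via an environment variable named for this example.
EXPECTED_AUTH = os.environ.get("WEBHOOK_AUTH_HEADER", "")
MAX_BODY = 1 << 20  # body size limit chosen for this example (1 MiB)


def is_authorized(header_value, expected):
    """Compare the Authorization header to the shared value in constant time."""
    if not expected or header_value is None:
        return False  # fail closed: unconfigured receiver or missing header
    return hmac.compare_digest(header_value.strip().encode(), expected.encode())


def check_request(headers, expected):
    """Return the HTTP status to answer with, decided before the body is read."""
    if not is_authorized(headers.get("Authorization"), expected):
        return 401
    try:
        length = int(headers.get("Content-Length", ""))
    except ValueError:
        return 411  # no usable Content-Length
    if length < 0:
        return 400
    return 413 if length > MAX_BODY else 204


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        status = check_request(self.headers, EXPECTED_AUTH)
        if status == 204:
            body = self.rfile.read(int(self.headers["Content-Length"]))
            # The payload format is not described on this page, so the body is
            # treated as opaque bytes; hand it to your own processing here.
            self.log_message("accepted webhook, %d bytes", len(body))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback; terminate TLS in front of this listener.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```
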