Policies

Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings.

PreviousAccess Profiles NextConditions and Actions

Last updated 6 months ago

Was this helpful?

Policies

Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings.

Overview

Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. This might include hiring a new employee, terminating an existing employee, or other status changes. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate.

A policy can contain one or more workflows that run under different conditions. For example, one workflow might apply when employees enter an "Active" state (for Joiner/Re-hire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also trigger when an employee hire date is within a certain threshold, such as less than 4 days away, or relative to any other employee property within the source of identity.

For most enterprise deployments, Veza recommends:

One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
- One for active users to cover Joiner and/or Mover scenarios (including Re-hire)
- Another for inactive users to cover Leaver scenarios

Add a Lifecycle Management Policy

To create a policy for a source of identity:

Go to Lifecycle Management > Policies
Click Create Policy
Give the policy a name and description
- The policy name is used to identify it on the Policies list and appears in event logs
- The name should indicate the source of identity the policy applies to
Choose the Data Sources the policy will apply to
- Use the dropdown menu to select the source of identity that will trigger workflows in the policy
- To appear on this list, the integration must have Lifecycle Management enabled and be available as a source of identity
- See for supported providers and steps to enable a Lifecycle Management data source
Save the policy

Edit a Lifecycle Management Policy

To edit a policy:

Go to Lifecycle Management > Policies
Choose a policy from the list and click Edit
Configure the policy summary, details, and identity source.
Click on a tab in the policy builder to configure its settings:
- Workflows: Configure the actions that trigger when there are changes in a source of identity
- Common Transformers: Define shared rules for creating or updating target attributes when provisioning, syncing, or de-provisioning identities
- Notifications: Configure email notifications or webhooks for the policy's workflows, with different notification rules for different types of events (e.g., "Create Identity" or "Delete Identity")
Save the policy

Enabling and Monitoring Lifecycle Management Policies

Use the Policies page for an overview of initial, running, and paused Policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.

To manage policies on the main Policies overview:

Go to Lifecycle Management > Policies
Find the policy you want to manage
- Search for a specific policy by name
- Filter to show all providers by their current state
Click the ⋮ icon in the rightmost column to expand the Actions menu
Choose to Edit, Pause, View Details, or Delete the policy

Adding Workflows to Policies

Policies contain one or more workflows that typically correspond to Active and Inactive user states. Workflows define a sequence of actions to run when a condition is met, based on events and user changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, department changes, or employee departures.

Workflows contain a tree-like sequence of conditions to meet specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.

Workflows can trigger:

As soon as an identity is detected with a matching attribute
Relative to an attribute containing a date (such as before or after a hire_date or termination_date)
Based on any attribute available from the source of identity

Create a Workflow in a Policy

To add a workflow to a policy:

Edit a policy and open the Workflows tab
Click Add Workflow to open the sidebar for adding details and conditions
Use the General tab to configure workflow settings:
Workflow Details:
- Name and Description: Identify the workflow's purpose
- Continuous Sync: Enable to update target entities when source identity changes occur
Condition:
- Workflow Condition: Specify the trigger attribute and value
- Supports SCIM query syntax for filter expressions
- Examples:
  - employment_status eq "WITHDRAWN" for terminated employees
  - employment_status eq "ACTIVE" for new hires and movers
Workflow Trigger Details:
- Attribute to Get Execute Date: Specify when workflow actions should run
- Local Time Zone Diff From UTC: Set your UTC offset
  - Eastern Standard Time (EST): -5
  - Pacific Standard Time (PST): -8
  - Note: US UTC offset varies during Daylight Savings Time
- Trigger At Local Time Hour: Set execution time in 1-hour intervals (e.g., 6, 12, 24)
Use the Conditions tab to configure action sequences:
a. Click Add Condition to configure settings:
- Condition Name: Use descriptive names (e.g., "Sync Okta Identities" or "Azure Helpdesk Role")
- Continue Actions if Any Error: Enable to continue workflow despite failures
- Condition Type: Choose between immediate execution or SCIM filter-based conditions
b. Configure Actions:
- Choose Action Type:
  - New: Create an action with custom settings
  - Existing: Select a previously created action
- Use Edit Action > Conditions for nested conditions
c. Add additional conditions as needed
Save changes:
- Click Save in the left sidebar for workflow changes
- Click Save on the policy details page to commit all changes

Common Transformers

Common transformers define one or more rules to apply when synchronizing a target identity's attributes. Use them in situations where you want to create or update attributes using the same conventions across multiple sync or de-de-provision actions.

To add a common transformer:

Edit a policy and open the Common Transformers tab
Give the transformer a name and description, and specify the data source it applies to.
Choose the target Entity Type.
Click Add Attribute to specify an attribute and the value format.
Optionally, enable Continuous Sync to keep the target entity up-to-date with values from the source of truth.
Save the transformer.

Notifications

Events and Actions

Events and Actions: Lifecycle Management Actions can result in multiple events, each associated with a specific operation in a target application. An action might cause more than one event. For example, the "De-provision Identity" action for Active Directory leaver flows could result in a combination of events:

"Disable Identity" (set account to inactive)
"Sync Identity" (update DN and primary group DN)
"Remove Relationship" (remove existing profiles) events. You can review individual events and their status using the Activity Log.

Monitor individual events and their status using the Activity Log.

Notification Configuration

When events occur during the execution of a policy’s workflow, notifications can be triggered by Lifecycle Management as a means to inform stakeholders or integrate with external systems, such as triggering external automation. These notifications are configured in policies and Lifecycle Management supports email- and webhook-based notifications.

For example, an organization might configure their Active Employee policy to send an email to the manager of each new hire employee after the employee's email address is provisioned. Also, a webhook will be sent to the company's learning management system to initiate online onboarding training once each new hire's Okta account is provisioned - after a successful Sync Identity operation

Use the Notifications tab when editing a policy to add and manage notifications at the policy level:

Choose the notification type (Email or Webhook)
Choose the event to trigger notifications:
- Create Identity
- Sync Identity
- Add Relationship
- Remove Relationship
- Create Email
- Change Password
- Delete Identity
- Disable Identity
- Manage Relationships
- Write Back Email
Choose the status to trigger notifications (when an event is successful, or it fails).
Customize the email or webhook settings:
- Webhook:
  - Webhook URL: The endpoint configured to receive the webhook payload.
  - Webhook Auth Header: if the webhook listener requires authentication, provide it here.
- Email:
  - Emails: Recipients added to the to field.
  - Extra Email Fields (Optional): Recipients added to the cc field.
Save the changes.

Note that emails and webhooks can also be configured on a per-action basis.