Notifications

Customizing email notifications and Webhook configuration for Lifecycle Management events and Access Requests.

Email Templates Overview

Administrators can customize email notifications sent during Lifecycle Management and Access Request workflows. These emails can include instructions, unique branding, and placeholders for metadata specific to the event (such as entity names, action types, or request details). Each notification type (usage) can have its own customized template.

Notification templates support HTML and CSS. They can include links to external images or you can upload small files to Veza. This document includes steps to configure templates in Veza using the notifications API, and a reference for event types, default templates, and supported placeholders.

Template Management: Currently, notification templates can only be managed via the Notification Templates API. Template management through the Veza UI is not yet available.

Access Reviews Notification Templates: For access review workflow notifications, see Access Reviews Notification Templates.

Managing notification templates

Custom Email Templates

In addition to event-specific templates, you can create custom email templates that are not tied to specific lifecycle events. These reusable templates allow you to define notification content once and use it across Send Notification actions and action notification settings. Custom email templates are:

  • Reusable: Single template for multiple workflows and actions

  • Event-independent: Not associated with a specific lifecycle event type

  • Flexible: Can be used in both Send Notification actions and action notification settings (on_success/on_failure)

  • Standard placeholder support: Supports all the same placeholders as event-based templates

To create a custom email template:

  1. Navigate to Lifecycle Management > Settings > Notifications

  2. Click Create Template

  3. Select For Custom Email (as opposed to "For Event")

  4. Define your template name, subject, and body using HTML and placeholders

  5. Save the template

To use a custom template, select it when configuring the Send Notification action, or in Action Notification Settings:

  • Send Notification action: Choose from the "Select Email Template" dropdown when configuring the action

  • Action Notification Settings: Select the template for on_success or on_failure email notifications on any action

When you select "Default template" in these dropdowns, the system uses the event-based template appropriate for the event. When you select a custom template, that template is used regardless of the specific event being processed.

Custom templates support all standard placeholders documented in the Placeholders section. The available values depend on the context in which the template is used (e.g., action notifications have action-related placeholders, event notifications have event-related placeholders).

Default Templates

The system provides built-in templates for all Lifecycle Management and Access Request events. These templates use placeholders that are automatically replaced with actual values when notifications are sent.

Generic Failure Template

When specific event templates aren't available or when events fail, the system uses a generic failure template:

Subject: Lifecycle job {{EVENT_TYPE}} has failed

Body:

See Default Template Content for all default messages.

Lifecycle Management Events

Each template you create is associated with a specific notification event (referred to as usage in the API). The following event types are available for Lifecycle Management workflows, organized by functional area:

Identity Management Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Create Identity | LIFECYCLE_MANAGEMENT_CREATE_IDENTITY | Sent when a new identity/account is created |
| Create Identity Failed | LIFECYCLE_MANAGEMENT_CREATE_IDENTITY_FAILED | Sent when identity creation fails |
| Sync Identity | LIFECYCLE_MANAGEMENT_SYNC_IDENTITY | Sent when an identity is synchronized |
| Sync Identity Failed | LIFECYCLE_MANAGEMENT_SYNC_IDENTITY_FAILED | Sent when identity sync fails |
| Delete Identity | LIFECYCLE_MANAGEMENT_DELETE_IDENTITY | Sent when an identity is deleted |
| Delete Identity Failed | LIFECYCLE_MANAGEMENT_DELETE_IDENTITY_FAILED | Sent when identity deletion fails |
| Disable Identity | LIFECYCLE_MANAGEMENT_DISABLE_IDENTITY | Sent when an identity is disabled |
| Disable Identity Failed | LIFECYCLE_MANAGEMENT_DISABLE_IDENTITY_FAILED | Sent when identity disabling fails |
| Create Guest Account | LIFECYCLE_MANAGEMENT_CREATE_GUEST_ACCOUNT | Sent when a guest account is created |
| Create Guest Account Failed | LIFECYCLE_MANAGEMENT_CREATE_GUEST_ACCOUNT_FAILED | Sent when guest account creation fails |

Relationship Management Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Add Relationship | LIFECYCLE_MANAGEMENT_ADD_RELATIONSHIP | Sent when a relationship is added |
| Add Relationship Failed | LIFECYCLE_MANAGEMENT_ADD_RELATIONSHIP_FAILED | Sent when adding relationship fails |
| Remove Relationship | LIFECYCLE_MANAGEMENT_REMOVE_RELATIONSHIP | Sent when a relationship is removed |
| Remove Relationship Failed | LIFECYCLE_MANAGEMENT_REMOVE_RELATIONSHIP_FAILED | Sent when removing relationship fails |

Email Management Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Create Email | LIFECYCLE_MANAGEMENT_CREATE_EMAIL | Sent when an email is created |
| Create Email Failed | LIFECYCLE_MANAGEMENT_CREATE_EMAIL_FAILED | Sent when email creation fails |
| Write Back Email | LIFECYCLE_MANAGEMENT_WRITE_BACK_EMAIL | Sent when email is synced back |
| Write Back Email Failed | LIFECYCLE_MANAGEMENT_WRITE_BACK_EMAIL_FAILED | Sent when email sync back fails |

Password Management Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Change Password | LIFECYCLE_MANAGEMENT_CHANGE_PASSWORD | Sent when a password is changed |
| Change Password Failed | LIFECYCLE_MANAGEMENT_CHANGE_PASSWORD_FAILED | Sent when password change fails |
| Reset Password | LIFECYCLE_MANAGEMENT_RESET_PASSWORD | Sent when a password is reset |
| Reset Password Failed | LIFECYCLE_MANAGEMENT_RESET_PASSWORD_FAILED | Sent when password reset fails |

Entitlement Management Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Create Entitlement | LIFECYCLE_MANAGEMENT_CREATE_ENTITLEMENT | Sent when an entitlement is created |
| Create Entitlement Failed | LIFECYCLE_MANAGEMENT_CREATE_ENTITLEMENT_FAILED | Sent when entitlement creation fails |
| Rename Entitlement | LIFECYCLE_MANAGEMENT_RENAME_ENTITLEMENT | Sent when an entitlement is renamed |
| Rename Entitlement Failed | LIFECYCLE_MANAGEMENT_RENAME_ENTITLEMENT_FAILED | Sent when entitlement renaming fails |
| Sync Entitlement | LIFECYCLE_MANAGEMENT_SYNC_ENTITLEMENT | Sent when an entitlement is synced |
| Sync Entitlement Failed | LIFECYCLE_MANAGEMENT_SYNC_ENTITLEMENT_FAILED | Sent when entitlement sync fails |

Actions and Workflows Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Custom Action | LIFECYCLE_MANAGEMENT_CUSTOM_ACTION | Sent when a custom action is performed |
| Custom Action Failed | LIFECYCLE_MANAGEMENT_CUSTOM_ACTION_FAILED | Sent when custom action fails |
| Action Succeed | LIFECYCLE_MANAGEMENT_ACTION_SUCCEED | Sent when an action succeeds |
| Action Failed | LIFECYCLE_MANAGEMENT_ACTION_FAILED | Sent when an action fails |
| Workflow Task Failed | LIFECYCLE_MANAGEMENT_WORKFLOW_TASK_FAILED | Sent when a workflow task fails |
| Extraction Event Failed | LIFECYCLE_MANAGEMENT_EXTRACTION_EVENT_FAILED | Sent when extraction processing fails |

Access Reviews Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Create Access Review Queued | LIFECYCLE_MANAGEMENT_CREATE_ACCESS_REVIEW_QUEUED | Sent when access review is queued |
| Create Access Review | LIFECYCLE_MANAGEMENT_CREATE_ACCESS_REVIEW | Sent when access review is created |

Safety Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Safety Limit Reached | LIFECYCLE_MANAGEMENT_SAFETY_LIMIT_REACHED | Sent when safety limits are reached |

Access Request Events

| Event Type | API Usage Value | Description |
| --- | --- | --- |
| Access Request Created | LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_CREATED | Sent when an Access Request is created |
| Access Request Action Run | LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_ACTION_RUN | Sent when Access Request actions start running |
| Access Request State Changed | LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_STATE_CHANGED | Sent when Access Request state changes |
| Access Request Approver Assigned | LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_APPROVER_ASSIGNED | Sent when new approvers are assigned |
| Access Request Succeed | LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_SUCCEED | Sent when Access Request succeeds |
| Access Request Failed | LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_FAILED | Sent when Access Request fails |

Default Template Content

Veza provides built-in email templates for all event types, organized by functional area below. These templates include standard placeholders and can be customized or replaced with your own templates.

Identity Management Templates

CREATE_IDENTITY

  • Subject: New Hire Notification: {{ENTITY_TYPE}} account created

  • Body:

CREATE_GUEST_ACCOUNT

  • Subject: New {{ENTITY_TYPE}} Guest Account Created: {{ENTITY_NAME}}

  • Body:

SYNC_IDENTITY

  • Subject: Sync Identity Notification: {{ENTITY_TYPE}} account synced

  • Body:

DELETE_IDENTITY

  • Subject: Identity Deleted Notification: {{ENTITY_TYPE}} has an account deleted

  • Body:

DISABLE_IDENTITY

  • Subject: Identity Disabled Notification: {{ENTITY_TYPE}} has an account disabled

  • Body:

Relationship Management Templates

ADD_RELATIONSHIP

  • Subject: New Relationship Added Notification: {{ENTITY_TYPE}} has an account with new relationship to a {{RELATIONSHIP_ENTITY_TYPE}}

  • Body:

REMOVE_RELATIONSHIP

  • Subject: Relationship Removed Notification: {{ENTITY_TYPE}} has an account whose relationship was remove from a {{RELATIONSHIP_ENTITY_TYPE}}

  • Body:

Email Management Templates

CREATE_EMAIL

  • Subject: New Email Notification: {{ENTITY_TYPE}} has an account with new email

  • Body:

WRITE_BACK_EMAIL

  • Subject: New Write Back Email Notification: {{ENTITY_TYPE}} has had an email sync to it

  • Body:

Password Management Templates

CHANGE_PASSWORD

  • Subject: Password Change Notification: {{ENTITY_TYPE}} has an account with a new password

  • Body:

RESET_PASSWORD

  • Subject: Reset Password Notification: {{ENTITY_TYPE}} has had their password reset

  • Body:

Entitlement Management Templates

CREATE_ENTITLEMENT

  • Subject: Create entitlement notification: an entry of {{ENTITY_TYPE}} is created

  • Body:

RENAME_ENTITLEMENT

  • Subject: Rename entitlement notification: an entry of {{ENTITY_TYPE}} is renamed

  • Body:

SYNC_ENTITLEMENT

  • Subject: Sync entitlement notification: an entry of {{ENTITY_TYPE}} is renamed

  • Body:

Access Request Templates

ACCESS_REQUEST_COMPLETE

  • Subject: Access Request {{ACCESS_REQUEST_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} has {{SUCCEED_OR_FAILED}}

  • Body:

ACCESS_REQUEST_CREATED

  • Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}

  • Body:

ACCESS_REQUEST_FAILED

  • Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is failed

  • Body:

ACCESS_REQUEST_STATE_CHANGED

  • Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}

  • Body:

ACCESS_REQUEST_APPROVER_ASSIGNED

  • Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} in {{ACCESS_REQUEST_STATE}} as new assigned approvers

  • Body:

Error and Failure Templates

ACTION_FAILED

  • Subject: Action Failed: {{ACTION_NAME}} for identity {{IDENTITY_NAME}}

  • Body:

WORKFLOW_TASK_FAILED

  • Subject: Workflow Failed: {{WORKFLOW_NAME}} for identity {{IDENTITY_NAME}}

  • Body:

EXTRACTION_EVENT_FAILED

  • Subject: Lifecycle Management extraction processing failed for {{DATASOURCE_ID}}

  • Body:

Access Review Templates

CREATE_ACCESS_REVIEW_QUEUED

  • Subject: Create Access Review Queued Notification: for identity {{IDENTITY_NAME}}

  • Body:

CREATE_ACCESS_REVIEW

  • Subject: Create Access Review Notification: for identity {{IDENTITY_NAME}}

  • Body:

Safety and Custom Action Templates

SAFETY_LIMIT_REACHED

  • Subject: Safety Limit Reached Notification: Policy {{POLICY_NAME}} has stopped processing identity changes

  • Body:

CUSTOM_ACTION

  • Subject: New Custom Action Notification: {{ENTITY_TYPE}} has performed a custom action

  • Body:

Image Attachments

From the Veza UI, you can add images directly through the "Add images" option. These will be automatically encoded and included in your template.

Image Requirements: For API-based template management, small images under 64kb can be attached when configuring a template. The image must be base64-encoded and specified in the attachments field of the API request.

To use an attachment you have uploaded in a template, specify it by attachment.name, for example:

To embed high-resolution images in your templates, you should serve the content from a public URL, and use HTML to link and style it.

Placeholders

Use placeholders to include dynamic information in templates, such as entity names, action types, timestamps, and other event metadata. Placeholders are automatically replaced with actual values when notifications are sent.

How placeholders work

Veza notification templates support two types of placeholders:

1. Static Placeholders (Predefined)

These are uppercase constants documented in the tables below (e.g., {{ENTITY_TYPE}}, {{ENTITY_NAME}}). They are replaced first during template processing and work with all notification templates.

Example:

2. Dynamic Attribute Placeholders

You can also reference any attribute from the entities being processed using two formats:

  • Untyped format: {{attribute_name}} - References an attribute by name alone

  • Typed format: {{EntityType.attribute_name}} - References an attribute from a specific entity type

The attribute name must exactly match the casing used by your integration. For example:

  • If your integration provides an attribute named email, use {{email}}

  • If it provides Email, use {{Email}}

  • If it provides employee_id, use {{employee_id}}

Examples:

When to Use Typed Format: Use {{EntityType.attribute}} format when your workflow processes multiple entity types and you need to reference a specific entity's attributes. For example, if your workflow processes both OktaUser and ActiveDirectoryUser, use {{OktaUser.email}} to specifically reference the Okta user's email address.

Predefined placeholders

The following static placeholders are available in all notification templates:

Identity and Entity Information

| Placeholder | Description |
| --- | --- |
| {{ENTITY_TYPE}} | The type of entity (e.g., "ActiveDirectoryUser", "OktaUser") |
| {{ENTITY_NAME}} | The name of the entity/identity |
| {{LOGIN_NAME}} | The login/username for the account |
| {{LOGIN_PASSWORD}} | The password (for password-related notifications) |
| {{EMAIL}} | Email address associated with the identity |

Relationship Information

| Placeholder | Description |
| --- | --- |
| {{RELATIONSHIP_ENTITY_TYPE}} | Type of the related entity |
| {{RELATIONSHIP_ENTITY_NAME}} | Name of the related entity |

Action and Job Information

| Placeholder | Description |
| --- | --- |
| {{ACTION_NAME}} | Name of the action being performed |
| {{ACTION_TYPE}} | Type of action |
| {{ACTION_JOB_ID}} | Unique identifier for the action job |
| {{SUCCEED_OR_FAILED}} | Status indicator ("succeeded" or "failed") |
| {{SENT_INVITE}} | Whether an invite was sent (for guest accounts) |

Access Request Information

| Placeholder | Description |
| --- | --- |
| {{ACCESS_REQUEST_TYPE}} | Type of Access Request |
| {{ACCESS_REQUEST_ENTITY_NAME}} | Name of the entity requesting access |
| {{ACCESS_REQUEST_ENTITY_TYPE}} | Type of the requesting entity |
| {{ACCESS_REQUEST_TARGET_TYPE}} | Type of the target resource |
| {{ACCESS_REQUEST_TARGET_NAME}} | Name of the target resource |
| {{ACCESS_REQUEST_URL}} | URL to view the Access Request details |
| {{ACCESS_REQUEST_STATE}} | Current state of the Access Request |
| {{ACCESS_REQUEST_SOURCE_TYPE}} | Source type of the Access Request |

Event and Error Information

| Placeholder | Description |
| --- | --- |
| {{EVENT_TYPE}} | Type of lifecycle event |
| {{JOB_ID}} | Job identifier |
| {{EVENT_ERROR_MESSAGE}} | Error message for failed events |
| {{EVENT_IDENTITY_ID}} | Identity ID associated with the event |
| {{EVENT_IDENTITY_NAME}} | Identity name associated with the event |

Policy and Workflow Information

| Placeholder | Description |
| --- | --- |
| {{POLICY_NAME}} | Name of the lifecycle policy |
| {{WORKFLOW_NAME}} | Name of the workflow |
| {{ACTION_ID}} | Action identifier |
| {{WORKFLOW_ID}} | Workflow identifier |
| {{DATASOURCE_ID}} | Datasource identifier |

Troubleshooting placeholders

Placeholder Not Being Replaced?

If a placeholder appears in your notification email instead of being replaced with a value, check the following:

  1. Verify exact casing: Placeholders are case-sensitive

    • ✅ Correct: {{ENTITY_TYPE}}

    • ❌ Wrong: {{entity_type}}, {{EntityType}}, {{Entity_Type}}

  2. Check placeholder format: Ensure proper syntax with double curly braces

    • ✅ Correct: {{ENTITY_NAME}}

    • ❌ Wrong: {ENTITY_NAME}, {{ENTITY_NAME}, ENTITY_NAME

  3. Verify attribute exists: For dynamic attributes, confirm the attribute is provided by your integration

    • Use the typed format to specify the entity type: {{OktaUser.email}}

    • Check your integration documentation for available attribute names and their casing

  4. Check event context: Some placeholders are only available for specific events

    • For example, {{LOGIN_PASSWORD}} is only available for password-related events

    • {{ACCESS_REQUEST_URL}} is only available for Access Request events

Best Practices:

  • Start with predefined placeholders: Use the documented static placeholders (uppercase) whenever possible

  • Test templates: Send test notifications to verify placeholder replacement before deploying to production

  • Document custom attributes: Keep a reference of the attribute names and casing used by your integrations

  • Use typed format for clarity: When working with multiple entity types, use {{EntityType.attribute}} to avoid ambiguity
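The checks in the troubleshooting list can be run over a template before it is saved. The linter below is an added example, not Veza code: the placeholder set is copied from the tables and default subjects on this page, while `known_attributes`, the substring rule used to decide which events a scoped placeholder belongs to, and the finding names are assumptions of the example.

```python
import re

# Static placeholders from the tables on this page, plus IDENTITY_NAME,
# which appears only in the default subjects listed earlier.
STATIC = set("""
ENTITY_TYPE ENTITY_NAME LOGIN_NAME LOGIN_PASSWORD EMAIL
RELATIONSHIP_ENTITY_TYPE RELATIONSHIP_ENTITY_NAME
ACTION_NAME ACTION_TYPE ACTION_JOB_ID SUCCEED_OR_FAILED SENT_INVITE
ACCESS_REQUEST_TYPE ACCESS_REQUEST_ENTITY_NAME ACCESS_REQUEST_ENTITY_TYPE
ACCESS_REQUEST_TARGET_TYPE ACCESS_REQUEST_TARGET_NAME ACCESS_REQUEST_URL
ACCESS_REQUEST_STATE ACCESS_REQUEST_SOURCE_TYPE
EVENT_TYPE JOB_ID EVENT_ERROR_MESSAGE EVENT_IDENTITY_ID EVENT_IDENTITY_NAME
POLICY_NAME WORKFLOW_NAME ACTION_ID WORKFLOW_ID DATASOURCE_ID IDENTITY_NAME
""".split())

# Assumption: an event counts as password-related / Access Request when its
# API usage value contains this substring.
EVENT_SCOPED = {"LOGIN_PASSWORD": "PASSWORD", "ACCESS_REQUEST_URL": "ACCESS_REQUEST"}

WELL_FORMED = re.compile(r"\{\{([^{}]+)\}\}")
BAD_BRACES = re.compile(r"\{+\s*([A-Za-z_][\w.]*)\s*\}+")
BARE_NAME = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")


def as_static(name):
    """Map entity_type / EntityType / Entity_Type to ENTITY_TYPE."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", name).upper()


def lint_template(text, usage, known_attributes=frozenset()):
    """Return (kind, token) findings for one subject or body string.

    known_attributes: attribute names your integration provides, exact casing.
    """
    findings = []
    for m in WELL_FORMED.finditer(text):
        name = m.group(1)
        if name in STATIC:
            scope = EVENT_SCOPED.get(name)
            if scope and scope not in usage:
                findings.append(("wrong-event", m.group(0)))
        elif name.split(".", 1)[-1] in known_attributes:
            continue  # dynamic attribute, untyped or EntityType.attribute
        elif as_static(name) in STATIC:
            findings.append(("casing", m.group(0)))
        else:
            findings.append(("unknown-attribute", m.group(0)))
    # What remains after removing valid placeholders may hold broken ones.
    residue = WELL_FORMED.sub(" ", text)
    for m in BAD_BRACES.finditer(residue):
        findings.append(("braces", m.group(0)))
    for word in BARE_NAME.findall(BAD_BRACES.sub(" ", residue)):
        if word in STATIC:
            findings.append(("no-braces", word))
    return findings


# Constructed sample body, not a Veza default template.
SAMPLE = (
    "<p>{{ENTITY_TYPE}} account for {{entity_name}} ({{OktaUser.email}})</p>"
    "<p>Login: {LOGIN_NAME} / {{LOGIN_PASSWORD}}</p>"
    "<style>p { color: #333 }</style> Job JOB_ID ref {{employe_id}}"
)

if __name__ == "__main__":
    for finding in lint_template(SAMPLE, "LIFECYCLE_MANAGEMENT_CREATE_IDENTITY",
                                 {"email", "employee_id"}):
        print(finding)
```

A `casing` finding on a name such as {{Email}} is expected when the integration really provides that attribute; pass it in `known_attributes` to silence it.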

Webhook Configuration Overview

Webhook notifications are triggered when actions execute during the LCM Policy workflow process. Webhooks inform stakeholders, or integrate with external systems, about events processed within the workflow. A webhook notification can be configured either as its own discrete action in a workflow or as an option when another action is executed.

For example, a webhook is sent to the company's learning management system to initiate online onboarding training once each new hire's Active Directory account is provisioned, following a successful Sync Identity operation.

Create a Webhook

To create and manage a webhook, perform the following:

  1. Go to Policies and select a policy.

  2. Click Edit Policy.

  3. Click Policy Settings.

  4. Scroll down to Notifications and click Add Notification.

  5. Choose the Webhook notification type.

  6. Choose an event to trigger notifications:

    • Create Identity

    • Sync Identity

    • Add Relationship

    • Remove Relationship

    • Create Email

    • Change Password

    • Delete Identity

    • Disable Identity

    • Manage Relationships

    • Write Back Email

    • Access Request Complete

    • Custom Action

    • Action Failed

    • Workflow Task Failed

    • Extraction Event Failed

    • Create Entitlement

    • Create Guest Account

    • Rename Entitlement

    • Create Access Review

    • Reset Password

    • Create Access Review Queued

    • Safety Limit Reached

    • Sync Entitlement

  7. Choose the status to trigger notifications (when an event is Successful, or On Failure).

  8. Select an Existing Veza Action.

    A Veza Action is an integration with functionality for sending data to external systems, enabling downstream processes around Veza alerts, and access to reviewer actions. Use a Veza Action to configure generic webhooks or enable email notifications.

    See Veza Actions Webhooks for how to create and deploy a webhook.

  9. To customize the Webhook setting, perform the following:

    • In the Webhook URL field, enter the endpoint configured to receive the webhook payload.

    • In the Webhook Auth Header field, enter the Auth Header if the webhook listener requires authentication.

    When configured, webhook requests include an Authorization header containing the credentials specified in the Webhook Auth Header field. This allows the receiving endpoint to authenticate the request using Bearer tokens, API keys, or other authentication schemes.

  10. Click Save.
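On the receiving side, the Authorization header described in step 9 is only useful if the endpoint checks it on every delivery. The listener below is an added example, not Veza code: it assumes the payload is JSON, and the `WEBHOOK_AUTH_HEADER` environment variable, the 1 MiB body cap, the status codes and the bind address are choices made for the example.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20  # refuse bodies over 1 MiB (arbitrary cap for this example)


def authorized(received, expected):
    """Constant-time comparison of the Authorization header with the configured value."""
    if not received or not expected:
        return False  # fail closed when either side is missing
    return hmac.compare_digest(received.encode(), expected.encode())


def handle_delivery(headers, body, expected):
    """Return (status, parsed_payload_or_None) for one webhook delivery."""
    if not authorized(headers.get("Authorization"), expected):
        return 401, None  # checked before the body is parsed
    if len(body) > MAX_BODY:
        return 413, None
    try:
        payload = json.loads(body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return 400, None
    return 204, payload


class Receiver(BaseHTTPRequestHandler):
    # Assumption: the exact string entered in the Webhook Auth Header field is
    # given to this process through the hypothetical WEBHOOK_AUTH_HEADER variable.
    expected = os.environ.get("WEBHOOK_AUTH_HEADER", "")

    def do_POST(self):
        raw_length = self.headers.get("Content-Length", "")
        if not raw_length.isdigit():
            self.send_response(411)
            self.end_headers()
            return
        # Read at most one byte past the cap so oversized bodies are detected
        # without buffering them in full.
        body = self.rfile.read(min(int(raw_length), MAX_BODY + 1))
        status, payload = handle_delivery(self.headers, body, self.expected)
        if status == 204:
            pass  # hand `payload` to downstream processing here
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only; place a TLS-terminating proxy in front for real traffic.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

An empty `WEBHOOK_AUTH_HEADER` makes every delivery fail with 401, so a missing secret cannot silently disable the check.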
