Provisioning Policies

Create policies determining when to apply New Hire, Termination and other HR (e.g., Re-Hire) workflows

Overview

Policies define conditions and actions for lifecycle management, such as HR flows for new hires, terminations, and re-hires. Policies will trigger provisioning or de-provisioning events when Veza detects a user that meets the condition associated with the policy.

Actions can include creating or disabling an IdP user, creating email accounts, or writing changes back to the source human resource management system. When creating an IdP user, the active provisioning rules define the parameters for user creation and group assignment. Actions can take place immediately, or at a specified time relative to a hire or termination date.

For example, policies can trigger tasks for:

  • Provisioning: When Workday Is Active changes from null to TRUE, create an AD user and Exchange Server Email, and write the created email address back to Workday on the Hire Date.

  • De-provisioning: When Workday Is Active changes from TRUE to FALSE, disable the corresponding AD user on the Termination Date, and remove the AD user from all AD groups.

  • Conversion: When Workday Is Active status changes from FALSE to TRUE, re-enable the corresponding AD user, and add the AD user to a list of pre-defined AD groups.

Use the Lifecycle Management > Provisioning Policies page to create and manage policies:

  • Click New Policy to add a policy.

  • Hover over an existing policy to temporarily pause it, resume it, or permanently delete it. Click View Details to show the properties.

  • Use the Export button above the list of policies to download all policies and parameters in CSV or PDF format.

  • You can view all provisioning events or conduct a dry run from the Provisioning Rules page.

Create a Provisioning Policy

To add a policy, go to Lifecycle Management > Provisioning Policies > New Policy. The policy configuration determines the associated providers, and the conditions that will trigger actions at a specified date:

  1. Give the flow a Name and Description to help identify it.

  2. Pick the source Provider to enable selecting attributes Veza has discovered.

  3. Define conditions:

    1. Pick a Property or enter a Custom Property.

    2. Pick the Action (changes) to trigger the flow when a property in the source provider changes from one value to another.

    3. Specify the From Value and To Value. Leave either field blank to trigger the policy on any change or new value.

  4. Set an optional execution time:

    1. Pick the property or custom property to use for a date (for example, hire date or termination date).

    2. Optionally, pick the property that identifies the timezone (such as Workday Primary Time Zone).

    3. Choose an offset of up to 24 hours to run the action(s).

  5. Click Add new task to add actions that will be executed within the specified providers. To execute several actions with the flow, continue adding tasks. Possible actions and providers are:

    • Disable user (Active Directory)

    • Add user (Active Directory)

    • Join AD Group (Active Directory)

    • Write back email (Workday)

    • Create email (Exchange Server)

  6. Configure notifications by adding a comma-separated list of email recipients.

  7. Under Additional Email Address attribute, choose the field in the source system used for sending a notification email to the provisioned user. Clear the value or leave it blank to prevent notifications for the user.

  8. Click Create to save your changes.

When adding a user:

Pausing a provisioning flow

You can pause policies by hovering over them individually and clicking Pause. When paused, tasks are created but not executed. When the paused policy is resumed, any queued tasks will run.

Dates and time zones

You can specify an attribute to identify the execution date, such as a hire date or termination timestamp. When Veza connects to the data source, if that timestamp attribute is in the future, the action will run at the specified hour on that date. Actions are not initiated for dates in the past.

  • Workday users can have a timezone attribute. In this case, you will specify the time (in 24-hour format) for the action to apply. Veza will run the action at the appropriate hour relative to the timezone. For example, for a Workday user on US-CST, specifying 23 as the hour will cause the action to occur at 11:00 PM, US central time.

  • Custom applications always use Coordinated Universal Time (UTC). Actions will run at the specified hour relative to UTC. To convert UTC to local time, find your local time offset and add it to the UTC time. For example, if your local time offset is -6, and if the UTC time is 11:00, add -6 to 11.
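The scheduling arithmetic described above, as an added example (not Veza's code): it computes the UTC instant at which a Termination Date action would run for a user with a timezone attribute versus a custom application whose hour is read as UTC, and skips dates in the past. The function names, the fixed UTC-6 stand-in for US central time, and the sample dates are assumptions.

```python
from datetime import date, datetime, time, timedelta, timezone

UTC = timezone.utc

def fixed_zone(offset_hours):
    """Constructed stand-in for a user's timezone attribute (fixed offset, no DST).
    A zoneinfo.ZoneInfo object can be passed to scheduled_run_utc instead."""
    return timezone(timedelta(hours=offset_hours))

def scheduled_run_utc(event_date, hour, user_tz=None, now=None):
    """Return the UTC instant an action would run, or None if it is not initiated.

    event_date -- hire or termination date read from the source system
    hour       -- hour of day in 24-hour format (0-23)
    user_tz    -- tzinfo for the user's timezone attribute; None means the
                  source has no such attribute and the hour is read as UTC
    now        -- evaluation time (defaults to the current time)
    """
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23")
    zone = user_tz if user_tz is not None else UTC
    run_at = datetime.combine(event_date, time(hour), tzinfo=zone).astimezone(UTC)
    now = now if now is not None else datetime.now(UTC)
    # Assumption: "dates in the past" is modelled as a run instant at or before `now`.
    return run_at if run_at > now else None

def utc_to_local(run_at_utc, offset_hours):
    """Convert a UTC run time to local time by adding the local offset."""
    return run_at_utc.astimezone(fixed_zone(offset_hours))

if __name__ == "__main__":
    term = date(2025, 1, 15)                        # constructed termination date
    now = datetime(2025, 1, 10, 12, 0, tzinfo=UTC)  # constructed evaluation time
    workday = scheduled_run_utc(term, 23, fixed_zone(-6), now)
    custom = scheduled_run_utc(term, 23, None, now)
    print("Workday user, hour 23 at UTC-6:", workday)
    print("Custom application, hour 23 UTC:", custom)
    print("Difference between the two run times:", workday - custom)
    print("Custom application run in local time:", utc_to_local(custom, -6))
    print("Termination date already past:",
          scheduled_run_utc(date(2025, 1, 1), 23, None, now))
```

For a de-provisioning policy, the difference printed here is how much later the disable action lands when the same hour is interpreted in the user's local zone rather than UTC.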
