Provisioning Rules

Create rules to determine attributes and access assignments (e.g., AD group assignment) for provisioned users

Overview

Provisioning rules define the attributes and access assignments of users that Veza creates when Provisioning Policies trigger. Each rule applies for user objects in a given source HRIS system (such as Workday) and destination Identity Provider (such as Active Directory). Rules can apply conditionally, based on source entity attributes. By adding rules with different conditions, you can create users with different properties and group assignments based on the source attributes such as Department or Is Guest.

Use the Lifecycle Management > Provisioning Rules page to:

  • Create and view User Mapping Rules, defining the attributes to create users with based on data from the provisioning source.

  • Create and view Group Membership Rules, defining group assignments based on configured Business Roles and Access Profiles.

  • Preview the new AD user and AD group assignment for a new Workday user with a Dry Run

  • View provisioning activity logs (View Events)

User Mapping Rules

A User Mapping Rule describes how to provision users within a destination system, by mapping source entity attributes to destination entity attributes. User Mapping Rules can apply conditionally, and apply to any users Veza creates in the target system.

To create a User Mapping Rule, go to Lifecycle Management > Provisioning Rules > New User Mapping Rule:

  1. Give the rule a name and description to help identify it and give context for other users.

  2. Pick a source and destination that the rule applies to.

  3. Pick optional conditions to trigger the rule. When provided, all the conditions must be true for the rule to apply. For example, you could create a rule that only applies for Workday users within a specific Location, Cost Center, or Primary Time Zone.

    • Use time-based operators (e.g. ON OR BEFORE) on properties that contain dates to create rules that trigger relative to a timestamp, such as a hire date.

  4. On the Shared Attribute Mappings tab, choose an optional pre-defined Shared Mapping to apply a set of default mappings, specified on the Configurations page.

  5. On the Attribute Mappings tab, choose how to assign attributes for users in the destination system. Attributes defined on this tab take precedence over conflicting attributes in a Shared Attribute Mapping.

    • Enclose a source entity attribute in brackets to use it as a variable in the mapped value.

    • Click Enable Continuous Sync and choose the properties to synchronize to continually update user attributes in the destination system when the source attributes change. Otherwise, Veza will only write the values when the rule first applies.

  6. Review your choices on the Summary tab and click Save.

Active Directory Attributes for User Mapping Rules

The possible attributes for Active Directory user objects are pre-defined for Alpha. Leave a field blank to omit it when provisioning the user. See the following table for supported attributes:

| User Object Property | Example | Required? |
|---|---|---|
| Name | Jane Doe | Yes |
| Distinguished Name | CN=Jane Doe,OU=Engineering,DC=corp,DC=cookie,DC=ai | Yes |
| Account Name | jane_doe | Yes |
| User Principal Name | jane_doe@corp.cookie.ai | Yes |
| Email | jane.doe@corp.cookie.ai | No |
| Manager ID | CN=Bob Smith,OU=Management,DC=corp,DC=cookie,DC=ai | No |
| City | San Francisco | No |
| Company | Cookie Technologies | No |
| Country Code | US | No |
| Department | Engineering | No |
| Description | Senior Software Engineer | No |
| Display Name | Jane Doe | No |
| Given Name | Jane | No |
| Physical Delivery Office Name | Building 1, Room 101 | No |
| Postal Code | 94107 | No |
| Primary Group DN | CN=Engineers,OU=Groups,DC=corp,DC=cookie,DC=ai | No |
| State Or Province Name | California | No |
| Street Address | 1 Market Street | No |
| Surname | Doe | No |
| Title | Senior Software Engineer | No |

Group Membership Rules

Group Membership Rules control the group assignments for users Veza creates. You can specify groups individually, or with Business Roles and Access Profiles created on the Configuration page.

To create a Group Membership Rule, go to Lifecycle Management > Provisioning Rules > New Group Membership Rule. Specifying individual groups, access profiles, or business roles is optional, provided that you specify at least one assignment method.

  1. Under Configuration, give the rule an identifying name and description.

  2. Under Conditions, add the source entity properties and operators the rule applies to. All conditions must be true for the rule to take effect.

  3. Pick optional Business Roles to assign groups of Access Profiles.

  4. Pick optional Access Profiles to assign pre-defined collections of groups.

  5. Under Group Selection, click Add New Group and pick individual groups to assign to users who meet the conditions specified by the rule.

  6. Review the Summary and Save the changes.

View Provisioning Events

Click Show Events to see all the provisioning or de-provisioning actions that have occurred.

  • You can filter the provisioning activity log to search for events by type or by user name.

  • Click the export icon to download the full list for offline review.

  • Use the pagination controls at the bottom of the screen to show older events.

Provisioning Dry Run

Use the Dry Run button to preview which groups and attributes a user would be assigned by the currently configured User Mapping Rules and Group Membership Rules, without provisioning anything.

  1. Open the Dry Run wizard.

  2. Pick a Provisioning Source from supported integrations.

  3. Pick a User from Authorization Graph data for the chosen integration.

  4. The list of attributes will populate based on entity metadata. Make any customizations, and click Next.

  5. Alternatively, leave the user selection blank and specify the attributes manually.

  6. Under Preview, review the attributes and groups the user would be assigned to.
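As an added example, not Veza's own code, the following Python script models what the Dry Run preview computes for one source user from the User Mapping Rules and Group Membership Rules described above: every condition of a rule must hold (including a time-based operator on the hire date), bracketed source attributes are expanded as variables, attributes on a rule take precedence over the Shared Mapping defaults, a blank or unresolvable value is omitted, and Business Roles expand to Access Profiles and then to groups. The rule dictionary shapes, the operator names (EQUALS, ON OR BEFORE, ON OR AFTER), the assumption that several matching User Mapping Rules merge in list order, and the Workday record, rule names and group DNs are all constructed for this example.

```python
# Added example (not Veza's code): an offline model of a provisioning dry run.
# Rule shapes, operator names and the sample data are assumptions that mirror the page.
from datetime import date
import re

REQUIRED_AD_ATTRS = {"Name", "Distinguished Name", "Account Name", "User Principal Name"}  # per the table above

def condition_holds(cond, user):
    """Evaluate one (property, operator, value) condition against a source user."""
    prop, op, value = cond
    actual = user.get(prop)
    if actual is None:                          # a property the user lacks never matches
        return False
    if op == "EQUALS":
        return actual == value
    if op in ("ON OR BEFORE", "ON OR AFTER"):   # time-based operators on date properties
        a, b = date.fromisoformat(actual), date.fromisoformat(value)
        return a <= b if op == "ON OR BEFORE" else a >= b
    raise ValueError(f"unsupported operator {op!r}")

def rule_applies(rule, user):
    """All conditions must be true; a rule with no conditions always applies."""
    return all(condition_holds(c, user) for c in rule.get("conditions", []))

_VAR = re.compile(r"\{([^{}]+)\}")

def render(template, user):
    """Expand {Source Attribute} variables; None (field omitted) for a blank template
    or one that references an attribute the user lacks."""
    if not template:
        return None
    missing = []
    def sub(m):
        val = user.get(m.group(1))
        if val is None:
            missing.append(m.group(1))
        return "" if val is None else str(val)
    out = _VAR.sub(sub, template)
    return None if missing else out

def map_user(user, shared_mapping, user_rules):
    """Shared Mapping defaults, then each matching User Mapping Rule in list order
    (assumption: a later matching rule overrides an earlier one on conflicts)."""
    templates = dict(shared_mapping)
    for rule in user_rules:
        if rule_applies(rule, user):
            templates.update(rule["attributes"])
    rendered = {k: render(t, user) for k, t in templates.items()}
    return {k: v for k, v in rendered.items() if v is not None}

def resolve_groups(user, group_rules, business_roles, access_profiles):
    """Business Roles -> Access Profiles -> groups, plus individually selected groups."""
    groups = set()
    for rule in group_rules:
        if not rule_applies(rule, user):
            continue
        profiles = list(rule.get("access_profiles", []))
        for role in rule.get("business_roles", []):
            profiles.extend(business_roles[role])
        for profile in profiles:
            groups.update(access_profiles[profile])
        groups.update(rule.get("groups", []))
    return sorted(groups)

def dry_run(user, cfg):
    """Preview the AD user and its group assignments without provisioning anything."""
    attrs = map_user(user, cfg["shared_mapping"], cfg["user_rules"])
    groups = resolve_groups(user, cfg["group_rules"], cfg["business_roles"], cfg["access_profiles"])
    return {"attributes": attrs, "groups": groups,
            "missing_required": sorted(REQUIRED_AD_ATTRS - set(attrs))}

DC = "DC=corp,DC=cookie,DC=ai"
CONFIG = {  # constructed rule set
    "shared_mapping": {"Company": "Cookie Technologies", "Country Code": "US", "Description": "Employee",
                       "Physical Delivery Office Name": "{Office}"},   # {Office} is absent from the sample user
    "user_rules": [
        {"name": "All users", "conditions": [], "attributes": {
            "Name": "{First Name} {Last Name}", "Account Name": "{Username}",
            "User Principal Name": "{Username}@corp.cookie.ai", "Email": "{Work Email}",
            "Given Name": "{First Name}", "Surname": "{Last Name}", "Department": "{Department}",
            "Manager ID": "{Manager DN}", "City": "{Location}"}},
        {"name": "Engineering", "conditions": [("Department", "EQUALS", "Engineering")], "attributes": {
            "Distinguished Name": "CN={First Name} {Last Name},OU=Engineering," + DC, "Description": "Engineer"}},
        {"name": "Guests", "conditions": [("Is Guest", "EQUALS", True)], "attributes": {
            "Distinguished Name": "CN={First Name} {Last Name},OU=Guests," + DC}},
    ],
    "group_rules": [
        {"name": "Engineers hired 2024 onward", "business_roles": ["Engineer"], "groups": [f"CN=VPN Users,OU=Groups,{DC}"],
         "conditions": [("Department", "EQUALS", "Engineering"), ("Hire Date", "ON OR AFTER", "2024-01-01")]},
        {"name": "Guests", "conditions": [("Is Guest", "EQUALS", True)], "access_profiles": ["Guest Baseline"]},
    ],
    "business_roles": {"Engineer": ["Developer Baseline", "Source Access"]},
    "access_profiles": {"Developer Baseline": [f"CN=Engineers,OU=Groups,{DC}", f"CN=All Staff,OU=Groups,{DC}"],
                        "Source Access": [f"CN=Git Users,OU=Groups,{DC}"], "Guest Baseline": [f"CN=Guests,OU=Groups,{DC}"]},
}
SAMPLE_USER = {  # constructed Workday record
    "First Name": "Jane", "Last Name": "Doe", "Username": "jane_doe", "Work Email": "jane.doe@corp.cookie.ai",
    "Department": "Engineering", "Location": "San Francisco", "Hire Date": "2024-03-01", "Is Guest": False,
    "Manager DN": f"CN=Bob Smith,OU=Management,{DC}"}

if __name__ == "__main__":
    print(dry_run(SAMPLE_USER, CONFIG))
```

Running the script prints the preview for the constructed user: the Engineering rule supplies the Distinguished Name and overrides the shared Description, the Physical Delivery Office Name is dropped because the source record has no Office attribute, and the group list is the union of the Engineer business role's profiles and the individually selected VPN group. The missing_required list is the check worth keeping in a real dry run: a rule set that leaves Name, Distinguished Name, Account Name or User Principal Name blank for some users would fail at provisioning time, and the preview is the place to catch it.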
