Overview

This document provides an introduction to the integrations supported by Veza Lifecycle Management (LCM), including their capabilities and the actions they support. These integrations enable you to automate identity and access management workflows across your identity sources and target applications.

Veza's Open Authorization API (OAA) can support provisioning and deprovisioning for applications not natively supported by the Veza platform. With OAA, Veza or customers can build integrations to any application that has a suitable and accessible API or integration interface.

Supported Integrations

Identity Sources

Identity sources are authoritative systems that provide information about user identities. While Veza does not require write permissions to the identity source of truth, some of these integrations are also supported as provisioning targets. Integrations can also allow write-back of a user's newly created email address to the user's record in the source of identity as part of the initial provisioning workflow.

Veza currently supports the following as sources of identity for Lifecycle Management workflows:

Target Application Support

The entire catalog of Veza application integrations is Lifecycle Management-ready. Target application support in Lifecycle Management leverages Veza's existing native- and OAA-based integrations plus an intelligent shim layer in order to provide support for provisioning and de-provisioning.

As such, target application support in Lifecycle Management can be enabled for nearly every Veza-supported integration.

Validated Integrations

The following table lists the out-of-the-box, Veza-validated target application integrations for Lifecycle Management.

Other Supported Integrations

For any Veza-supported application not listed above, please contact your Customer Success Manager for more details and instructions on how to enable the specific Veza integration for use with Lifecycle Management as a target application for provisioning and de-provisioning.

Configuring Integrations for Lifecycle Management

Insight Points for Lifecycle Management

An Insight Point is required to enable Lifecycle Management operations and identity discovery for systems that Veza cannot access directly, such as an on-premises application server behind a firewall. The Insight Point is a lightweight connector that runs in your environment, enabling secure gathering and processing of authorization metadata for LCM tasks.

A Veza Insight Point is typically deployed as a Docker container or VM OVA, running within your network for metadata discovery and LCM job execution. This ensures secure communication between your environment and Veza.

For deployment instructions, refer to the Insight Point Documentation.

Scheduled and Manual Extractions

You can configure extraction intervals for your integrations to ensure data is regularly updated for Lifecycle Management processes.

1. Go to Veza Administration > System Settings

2. In the Pipeline > Extraction Interval section, set the global extraction interval

3. To override the global setting for specific integrations, use the Active Overrides section

Available extraction intervals are:

• Auto (hourly, but may take longer when the extraction pipeline is full)

• 15 Minutes

• 1 Hour

• 6 Hours

• 12 Hours

• 1 Day

• 2 Days

• 3 Days

• 7 Days

• 30 Days

To manually trigger an extraction:

1. Go to Integrations > All Data Sources

2. Search for the desired data source

3. Select Actions > Start Extraction

Note: Custom application payloads are extracted after the payload is pushed to Veza using the Open Authorization API.

Enabling Lifecycle Management

To enable Lifecycle Management for a specific integration:

1. Browse to the main Veza Integrations page, or go to Lifecycle Management > Integrations

2. Search for the integration you want to enable

3. Toggle the Lifecycle Management option to Enabled

Checking on Lifecycle Management Data Sources

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Additional Resources

For more information:

• Refer to individual integration documentation for detailed LCM capabilities

• Consult the Lifecycle Management user guide for troubleshooting and best practices

• Contact Veza support for assistance with enabling or configuring LCM for your integrations

Overview

The Veza integration for AWS IAM Identity Center enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization across AWS organizations.

This document includes steps to enable the AWS IAM Identity Center integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for AWS IAM Identity Center

Prerequisites

1. You will need administrative access in Veza to configure the integration and appropriate permissions in AWS IAM Identity Center.

2. Ensure you have an existing AWS integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your AWS integration has completed at least one successful extraction

4. The AWS integration will need the additional required permissions for Identity Store operations:

   • identitystore:CreateUser - For user creation operations

   • identitystore:UpdateUser - For user attribute synchronization

   • identitystore:DeleteUser - For user deletion (note: AWS uses SCIM deprovisioning which disables rather than deletes)

   • identitystore:GetUserId - For user lookup operations

   • identitystore:CreateGroup - For group creation

   • identitystore:CreateGroupMembership - For group membership management

   • identitystore:DeleteGroupMembership - For removing group memberships

   • identitystore:ListGroups - For group discovery operations

   • identitystore:ListGroupMemberships - For membership enumeration

Important: AWS IAM Identity Center Lifecycle Management requires:

• SCIM endpoint configuration in IAM Identity Center (automatic provisioning must be enabled)

• The integration uses AWS's SCIM v2.0 API implementation over HTTPS

• Authentication is handled through IAM policies and does not require separate SCIM bearer tokens

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create an AWS integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your AWS IAM Identity Center data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for AWS in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

AWS IAM Identity Center can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from AWS IAM Identity Center with changes propagated to connected systems.

AWS IAM Identity Center can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Username serves as the unique identifier and cannot be changed after creation

• Email addresses must be unique across the AWS IAM Identity Center instance

• First name, last name, display name, and username are required attributes for user creation

The following attributes can be synchronized:

Manage Relationships

Controls group memberships for users in AWS IAM Identity Center:

• Add and remove group memberships for users

• Synchronize group assignments based on source system changes

• Support for both adding and removing relationships

• Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned in AWS IAM Identity Center:

• User account is disabled (set to inactive) rather than deleted

• All group memberships are automatically removed

• User's permission set assignments are revoked

• Account information is preserved for audit and compliance purposes

• Users can be reactivated if needed by updating the Active attribute

Create Entitlement

• Entity Types: AWS IAM Identity Center Groups

• Assignee Types: AWS IAM Identity Center Users

• Supports Relationship Removal: Yes

Within AWS IAM Identity Center, groups can be associated with:

• Permission sets that grant access to AWS accounts and resources

• AWS applications and third-party SAML applications

• AWS account assignments for cross-account access

• Custom access policies and roles

Workflow Examples

Employee Onboarding

Automate the onboarding process for new employees:

1. Identity Creation: Create AWS IAM Identity Center user account with attributes synchronized from HR system

2. Group Assignment: Add user to department-specific groups based on their role and location

3. Permission Sets: Automatically assign appropriate permission sets for AWS resource access

4. Account Access: Grant access to specific AWS accounts based on job function

Role Change Management

Handle internal role changes and departmental transfers:

1. Attribute Update: Synchronize updated employee information from HR system

2. Group Reassignment: Remove user from previous department groups and add to new ones

3. Permission Adjustment: Update permission set assignments to match new role requirements

Employee Offboarding

Securely remove access when employees leave:

1. Account Deprovisioning: Disable the user account in AWS IAM Identity Center

2. Group Removal: Remove all group memberships and permission set assignments

3. Access Revocation: Ensure all AWS account access is immediately revoked

4. Audit Trail: Maintain complete record of access removal for compliance purposes

Overview

The Veza integration for Coupa Contingent Workforce (CCW) enables automated identity synchronization as a source of truth for contingent worker lifecycle management. Coupa CCW serves as an authoritative source for contingent worker information that can be synchronized with other systems in your environment.

This document includes steps to enable the Coupa CCW integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Coupa CCW

Prerequisites

1. You will need administrative access in Veza to configure the integration and Customer Integration Admin privileges in Coupa CCW.

2. Ensure you have an existing Coupa CCW integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Coupa CCW integration has completed at least one successful extraction

4. The Coupa CCW integration will need the required API scope:

   • ccw.contingent_workers - For accessing contingent worker data

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a Coupa CCW integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Coupa CCW data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for Coupa CCW in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Coupa CCW can serve as a source for identity information in Lifecycle Management Policies. Contingent worker identity details are synchronized from Coupa CCW with changes propagated to connected target systems.

Important: Coupa CCW is a source-only integration for Lifecycle Management. It provides authoritative identity information but cannot be used as a provisioning target.

The integration supports the following lifecycle management Actions:

Source of Identity

As a source-only system, Coupa CCW provides:

• Contingent worker identity information synchronized to downstream systems

• Organizational structure data (Account Segments, Cost Centers, Departments)

• Employment status and contract details for lifecycle decisions

• Manager relationships for approval workflows

Workflow Examples

Contingent Worker Onboarding

When a new contingent worker is added to Coupa CCW:

1. Identity Sync: Coupa CCW provides worker details to Veza Lifecycle Management

2. Access Provisioning: Based on department, cost center, and role, appropriate access is granted in target systems

3. Manager Assignment: Hiring manager relationships are established for approval workflows

4. Group Assignment: Worker is added to relevant organizational groups based on Account Segment and Department

Contingent Worker Status Changes

When a contingent worker's status changes (contract end, role change):

1. Status Detection: Coupa CCW reflects updated employment status

2. Access Review: Lifecycle policies evaluate continued access needs

3. De-provisioning: If terminated, appropriate access removal is triggered in target systems

4. Audit Trail: All changes are tracked for compliance reporting

Contract-to-Hire Conversion

When a contingent worker transitions to full-time employee:

1. Status Update: Employment type change is detected in Coupa CCW

2. Access Migration: Existing access is evaluated and potentially expanded

3. System Updates: Worker identity is updated across all connected systems

4. Process Completion: Manager and HR notifications confirm successful transition

This guide describes how to enable and configure Exchange Server for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Supported Capabilities

Lifecycle Actions Supported

Create Email

Supports the creation of email accounts for users within Exchange Server.

• Entity Type: Exchange Server Users

• Attributes Available for Configuration:

  • Identity (Required)

  • Alias (Optional)

Example Use Cases:

• Create email accounts for new employees joining the organization

• Assign email aliases to users to facilitate communication

Configuration Steps

1. Locate Exchange Management Shell Paths

1. Find the Exchange Management Shell shortcut in the Start Menu

2. Right-click > More > Open File Location
3. Right-click the shortcut icon > Properties
4. Copy the Target field value
5. Note the two important paths from the target:

   • PowerShell Path: (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)

   • Remote Exchange Path: (e.g., C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1)

2. Create Application Pool in IIS

1. Open IIS Manager and create a new application pool
2. Name the application pool
3. Configure the application pool:

   • Right-click > Advanced Settings

   • Under Process Model, set the Identity

3. Configure IIS Application

1. Add the application to "Default Web Site"
2. Configure the application:

   • Set alias to "VezaProvisioner"

   • Select the application pool created above
3. Configure authentication:

   • Disable Anonymous Authentication

   • Enable Basic Authentication

4. Install Veza Provisioner

Install the VezaProvisioner.msi installer provided by Veza support on the Exchange Server. This component handles email address creation for users provisioned in Active Directory.

5. Configure Exchange Server Integration in Veza

1. Go to Configurations > Integrations

2. Click Add New and select Exchange Server

3. Complete the following fields:

   Field

   Description

   Insight Point

   Select if using an Insight Point to access Exchange Server

   Name

   Friendly name for the integration

   Instance URL

   https://<exchange_server_host>/VezaProvisioner

   Username

   Domain username with required Exchange permissions

   Password

   Password for the account

   PowerShell Path

   Path to PowerShell.exe noted in step 1

   Remote Exchange Path

   Path to RemoteExchange.ps1 noted in step 1

4. Enable Lifecycle Management by checking Enable Lifecycle Management

5. Save the configuration

6. Verify Configuration

After configuration, the Exchange Server integration will be available for use in Lifecycle Management policies, specifically for the Create Email action. This action can be used in workflows for new employee onboarding or other scenarios requiring email account creation.

Overview

The Veza integration for Google Cloud enables automated user provisioning, access management, and de-provisioning capabilities for Google Workspace. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

This document includes steps to enable the Google Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Google Cloud

Prerequisites

1. You will need administrative access in Veza to configure the integration and grant API scopes in Google Cloud.

2. Ensure you have an existing Google Cloud integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Google Cloud integration has completed at least one successful extraction.

4. The Google Cloud integration will need the following additional API scopes:

   • https://www.googleapis.com/auth/admin.directory.user - Required for user management operations

   • https://www.googleapis.com/auth/admin.directory.group - Required for group management operations

   • https://www.googleapis.com/auth/admin.directory.domain - Required for domain management capabilities

   • https://www.googleapis.com/auth/admin.directory.rolemanagement - Required for admin role management

   • https://www.googleapis.com/auth/apps.groups.settings - Required for detailed group settings management

   • https://www.googleapis.com/auth/cloud-platform - Required for Cloud Identity API and broader Google Cloud access

Configuration Steps

1. In Veza, go to the Integrations overview

2. Search for or create a Google Cloud integration

3. Check the box to Enable usage for Lifecycle Management

4. Configure the service account with appropriate permissions:

   • Users > Read/Write

   • Groups > Read/Write

   • Organization Units > Read

   • Roles > Read/Write

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Google Cloud can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Google Cloud with changes propagated to connected systems.

Google Cloud can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Entity Types: Google Workspace User

• Create Allowed: Yes (New user identities can be created if not found)

The following attributes can be synchronized:

Manage Relationships

Controls relationships between users and Google Workspace groups:

• Supported Relationship Types: Google Workspace Groups

• Assignee Types: Google Workspace Users

• Supports Removing Relationships: Yes

Both adding and removing group memberships are supported:

• Add users to specific Google Workspace groups based on department or role

• Remove access when roles change or users leave

• Maintain consistent group membership based on organizational structure

Deprovision Identity

When a user is deprovisioned:

• Entity Types: Google Workspace User

• De-provisioning Methods: Suspend user (preserves user data while preventing access)

• User is suspended in Google Workspace

• Access to resources is removed

• Account information is preserved for audit purposes

Source of Identity

Google Cloud can serve as a source system for identity lifecycle policies, where changes to Google Workspace users trigger workflows in other systems.

Example Workflows

Example: Onboarding Workflow for New Employees

To create a workflow for onboarding new employees:

1. Create a policy with your source of identity (e.g., Workday or CSV upload)

2. Configure a workflow for new employees

3. Add a Sync Identities action to create Google Workspace users:

   Copy

   # Google Workspace User Attributes
   email: {first_name}.{last_name}@company.com
   first_name: {first_name}
   last_name: {last_name}

4. Add a Manage Relationships action to assign appropriate groups:

   • Condition: department eq "Engineering"

     • Add to: "Engineering Team" group

   • Condition: department eq "Sales"

     • Add to: "Sales Team" group

Example: Offboarding Workflow for Departing Employees

To create a workflow for departing employees:

1. Create a policy with your source of identity

2. Configure a workflow with condition: active eq false

3. Add a De-provision Identity action:

   • Entity Type: Google Workspace User

   • Method: Suspend

   • Remove All Relationships: Yes

Overview

The Veza integration for GitHub enables automated user lifecycle management, with support for user provisioning, team membership management, and account deprovisioning.

This document includes steps to enable the GitHub integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for GitHub

Prerequisites

1. You will need administrative access in Veza to configure the integration and site administrator privileges in GitHub Enterprise Server.

2. Ensure you have an existing GitHub integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your GitHub integration has completed at least one successful extraction

4. The GitHub integration will need the additional required GitHub App permissions:

   • Organization permissions - Members (Write) - Required for managing organization memberships

   • Organization permissions - Administration (Write) - Required for administrative operations

   • Repository permissions - Administration (Write) - Required for managing team memberships

Important: GitHub LCM operations use Admin API endpoints that require site administrator privileges. These operations are typically available in GitHub Enterprise Server environments, not GitHub.com.

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a GitHub integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your GitHub data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for GitHub in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

GitHub can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• User login cannot be changed after creation

• GitHub usernames must be unique and follow GitHub naming rules (39 characters max, alphanumeric plus hyphens)

• Email addresses must be unique across the GitHub instance

• Requires site administrator privileges for user creation operations

The following attributes can be synchronized:

Manage Relationships

Both adding and removing memberships are supported. Organization and team memberships are automatically removed during deprovisioning.

• Add and remove organization memberships with member role

• Add and remove team memberships with member role

• Synchronize access assignments based on external identity changes

• Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned:

• User account is suspended in GitHub Enterprise Server

• All organization and team memberships are removed automatically

• Commit history and attribution are preserved for audit and compliance

• Account can be reactivated if needed (unsuspended)

• User receives appropriate error messages when attempting to access GitHub

Workflow Examples

New Employee Onboarding

Create GitHub accounts and assign appropriate access for new developers:

1. Identity Sync: Create user account with basic profile information

2. Organization Access: Add user to primary GitHub organization

3. Team Assignment: Assign to development teams based on department

4. Profile Setup: Configure public email and display name

Role Change Management

Update GitHub access when employees change departments or roles:

1. Relationship Updates: Remove existing team memberships

2. New Access: Add memberships for new role requirements

3. Audit Trail: Track all membership changes for compliance

Employee Offboarding

Securely remove access while preserving development history:

1. Account Suspension: Suspend GitHub account to prevent access

2. Membership Removal: Remove all organization and team memberships

3. History Preservation: Maintain commit attribution and repository history

4. Compliance: Generate audit trail of all access removal actions

Overview

The Veza integration for Snowflake enables automated user lifecycle management, with support for user provisioning and de-provisioning, role assignment management, and attribute synchronization.

This document includes steps to enable the Snowflake integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Snowflake

Prerequisites

1. You will need administrative access in Veza to configure the integration and USERADMIN role or equivalent privileges in Snowflake.

2. Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.

3. Verify your Snowflake integration has completed at least one successful extraction

4. The Snowflake integration will need the additional required privileges:

   • CREATE USER privilege on the account for user provisioning

   • GRANT ROLE privilege for role assignments

   • OWNERSHIP privilege on target roles for role management

   • Access to a warehouse for executing queries during lifecycle operations

Important: The Snowflake user account used for Lifecycle Management operations should have USERADMIN role or higher privileges to ensure proper user and role management capabilities.

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a Snowflake integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Snowflake data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for Snowflake in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Snowflake can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

• User names must be unique and follow Snowflake identifier naming conventions

• Login names are used for authentication and must be unique

• Passwords are automatically generated and set to require change on first login

• Users are created with appropriate default settings for the Snowflake environment

The following attributes can be synchronized:

Manage Relationships

Role assignment management for users:

• Add and remove role assignments for users

• Synchronize role memberships from source systems

• Support for direct role grants to users

• Roles must exist in Snowflake before assignment

Within Snowflake, roles can be associated with:

• Database and schema access permissions

• Table and view privileges

• Warehouse usage rights

• Administrative privileges for account management

Deprovision Identity

When a user is deprovisioned:

• User account is disabled (set DISABLED = TRUE)

• Role assignments are removed to revoke access

• User attributes are preserved for audit purposes

• Account can be reactivated if needed for compliance requirements

Workflow Examples

Employee Onboarding

Automated provisioning when a new employee joins:

1. Create User Account: Sync identity attributes from HR system to create Snowflake user with name and login details

2. Assign Department Role: Grant role based on department attribute (e.g., SALES_ANALYST, DATA_ENGINEER)

3. Set Default Role: Configure default role for the user's session

4. Add Email and Comments: Populate user profile with contact information and descriptive notes

Role Change Management

Managing access when employees change roles:

1. Update User Attributes: Sync changed attributes like email or comments

2. Remove Old Roles: Revoke previous role assignments that are no longer appropriate

3. Grant New Roles: Assign roles appropriate for the new position

4. Update Default Role: Change the user's default role for new sessions

Employee Offboarding

Secure access removal when employees leave:

1. Disable Account: Set user account to disabled status

2. Revoke All Roles: Remove all role assignments to eliminate data access

3. Preserve Audit Trail: Maintain user record and history for compliance

4. Optional Cleanup: Remove user completely with DROP USER if no audit trail is needed

Overview

The Veza integration for PostgreSQL enables automated user provisioning, access management, and deprovisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

This document outlines the steps to enable PostgreSQL integration for use in Lifecycle Management, including supported actions and relevant notes. See Supported Actions for more details.

Enabling Lifecycle Management for PostgreSQL

Prerequisites

1. You will need administrative access in Veza to configure the integration and grant API scopes in PostgreSQL.

2. Ensure you have an existing PostgreSQL integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your PostgreSQL integration has completed at least one successful extraction.

4. Ensure the integration service account has the required privileges. The service account must be a superuser to manage other PostgreSQL roles, including those with elevated privileges:

   Copy

   ALTER ROLE veza_service WITH SUPERUSER CREATEROLE;

   Note: SUPERUSER is required because Lifecycle Management may need to create or modify roles with SUPERUSER, BYPASSRLS, or other elevated privileges. Without SUPERUSER, the service account cannot manage roles with privileges equal to or greater than its own.

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a PostgreSQL integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your PostgreSQL data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for PostgreSQL in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

PostgreSQL can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from PostgreSQL, with changes propagated to connected systems.

PostgreSQL can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following Lifecycle Management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Entity Types: PostgreSQL User

• Create Allowed: Yes (New user identities can be created if not found)

• SQL Command: CREATE ROLE {username} WITH LOGIN PASSWORD 'password' [attributes]

Note: In PostgreSQL's architecture, users are roles with the LOGIN privilege. When Veza creates a user, it uses CREATE ROLE with the LOGIN attribute. This is functionally identical to PostgreSQL's CREATE USER command, which is simply an alias for CREATE ROLE ... WITH LOGIN.

The following attributes can be synchronized:

Manage Relationships

Controls relationships between users and PostgreSQL groups:

• Supported Relationship Types:

  • PostgreSQL Group: Manages group membership for users

• Assignee Types: PostgreSQL User

• Supports Removing Relationships: Yes

Technical details:

• Adding a user to a group: GRANT {group} TO {user}

• Removing a user from a group: REVOKE {group} FROM {user}

• Group memberships use PostgreSQL's role inheritance system, where users inherit permissions from their assigned groups

Deprovision Identity

Disables a user's ability to authenticate to PostgreSQL while preserving the role and its attributes:

• Entity Type: PostgreSQL User

• Action: Revokes the LOGIN privilege (equivalent to ALTER ROLE {username} WITH NOLOGIN)

• Removes All Group Memberships: Yes (user is removed from all PostgreSQL groups)

• Preserves:

  • The role itself (can be re-enabled later)

  • All role attributes (SUPERUSER, CREATEDB, CREATEROLE, REPLICATION, BYPASSRLS)

  • Ownership of database objects (tables, schemas, etc.)

  • Granted permissions on database resources

Use case: Temporary offboarding or leave of absence where you may need to restore access later.

Security note: A deprovisioned superuser cannot log in but retains SUPERUSER status. If the role is re-enabled without updating attributes, it will have full superuser privileges. Consider using a Sync Identities action to revoke SUPERUSER before deprovisioning if this is a concern.

Delete Identity

Permanently removes a user role from PostgreSQL:

• Entity Type: PostgreSQL User

• Action: Drops the role from the database (equivalent to DROP ROLE {username})

• Impact: Complete and irreversible removal of the role

Important limitations:

• Will fail if the user owns database objects: PostgreSQL prevents dropping roles that own schemas, tables, functions, or other database objects. PostgreSQL will return an error: role "username" cannot be dropped because some objects depend on it

• Will fail if the user has granted permissions: If the role has granted permissions to other roles or is referenced in default privileges, the drop will fail

• Will fail if referenced in policies: Row-level security policies or other database policies that reference the role must be removed first

Note: Unlike some database systems, PostgreSQL allows dropping roles with active connections, but the operation will still fail if any of the above dependencies exist.

Recommended workflow:

1. Use Deprovision Identity first to revoke LOGIN and remove group memberships

2. Verify the user has no owned objects, granted permissions, or policy references

3. Use Delete Identity only when permanent removal is required

Alternative for users with dependencies: PostgreSQL administrators can manually run REASSIGN OWNED BY {username} TO {new_owner} followed by DROP OWNED BY {username} before triggering deletion through Veza, or handle the deletion entirely through PostgreSQL.

Overview

The Veza integration for Oracle DB enables automated user provisioning, access management, and deprovisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

This document outlines the steps to enable Oracle DB integration for use in Lifecycle Management, including supported actions and relevant notes. See Supported Actions for more details.

Enabling Lifecycle Management for Oracle DB

Prerequisites

1. You will need administrative access in Veza to configure the integration.

2. Ensure you have an existing Oracle Database integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Oracle DB integration has completed at least one successful extraction.

4. Database administrator privileges in Oracle DB (ability to create common users and grant privileges)

5. For multi-tenant configurations: access to CDB$ROOT container

6. Supported Oracle Database versions: 19c, 21c, or 23ai

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create an Oracle DB integration

3. Check the box, Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Oracle DB data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for Oracle DB in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Oracle DB can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Oracle DB, with changes propagated to connected systems.

Oracle DB can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following Lifecycle Management Actions:

Sync Identities

The following attributes can be synchronized:

SYNC_IDENTITIES

• Entity Type: OracleDB User

• Create Allowed: Yes

• Method: SQL CREATE USER / ALTER USER

MANAGE_RELATIONSHIPS

• Entity Types: OracleDB Role

• Assignee Types: OracleDB User

• Supports Remove: Yes

• Method: SQL GRANT ROLE / REVOKE ROLE

DEPROVISION_IDENTITY

• Entity Type: OracleDB User

• Method: DISABLED (account lock via ALTER USER ... ACCOUNT LOCK)

• Removes Relationships: Yes

DELETE_IDENTITY

• Entity Type: OracleDB User

• Method: Permanent deletion via DROP USER

Workflow Examples

Employee Onboarding

1. Create an Oracle DB user account with the Sync Identities action

2. Assign default role based on department with Manage Relationships

3. Set password (requires change on first login)

4. Configure profiles and tablespaces

Role Change Management

1. Update user attributes (profile, tablespaces) with Sync Identities

2. Remove old role assignments with Manage Relationships

3. Grant new roles appropriate for the new position

Employee Offboarding

1. Lock user account with Deprovision Identity (ACCOUNT LOCK)

2. Remove all role assignments

3. Preserve the user record for audit purposes

4. Optional: Delete user permanently with Delete Identity (DROP USER)

Overview

The Veza integration for Active Directory enables automated user lifecycle management, including user provisioning and deprovisioning, group membership management, and attribute synchronization.

This document includes steps to enable the Active Directory integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Active Directory

Prerequisites

1. You will need administrative access in Veza to configure the integration.

2. Ensure you have an existing Active Directory integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Active Directory integration has completed at least one successful extraction.

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create an Active Directory integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Active Directory data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for Active Directory in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

1. Create a Service Account

Create a dedicated AD user with the minimum required permissions:

Using Active Directory Users and Computers:

1. Open Active Directory Users and Computers

2. Navigate to the target Organizational Unit

3. Right-click > New > User

4. Complete the new user details form

   • Recommended name: "Veza AD Lifecycle Manager"

   • Set a strong password

   • Uncheck "User must change password at next logon"

Using PowerShell:

New-ADUser -Name "Veza AD Lifecycle Manager" `
    -Path "OU=<your_OU>,DC=<domain>,DC=<tld>" `
    -GivenName "Veza" `
    -Surname "AD Lifecycle Manager" `
    -SamAccountName "veza-ad-lcm" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "<password>" -Force) `
    -ChangePasswordAtLogon $False `
    -DisplayName "Veza AD Lifecycle Manager" `
    -Enabled $True

2. Configure Required Permissions

Grant the service account permissions to manage users in the target OUs:

Using Active Directory Users and Computers:

1. Navigate to the target Organizational Unit

2. Right-click > Delegate Control

3. Click Add and enter the service account name

4. Select these delegated tasks:

   • Create, delete, and manage user accounts

   • Reset user passwords and force password change

   • Read all user information

   • Modify group membership

Using PowerShell:

Import-Module ActiveDirectory
$OrganizationalUnit = "OU=<your_OU>,DC=<domain>,DC=<tld>"
$Users = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"
Set-Location AD:

$User = Get-ADUser -Identity "veza-ad-lcm"
$UserSID = [System.Security.Principal.SecurityIdentifier] $User.SID
$Identity = [System.Security.Principal.IdentityReference] $UserSID

# Create permission for managing users
$RuleCreateDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, "CreateChild, DeleteChild", "Allow", $Users, "All"

# Create permission for password resets
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity,
"ExtendedRight", "Allow", $ResetPassword, "Descendents", $Users)

# Apply permissions
$ACL = Get-Acl -Path $OrganizationalUnit
$ACL.AddAccessRule($RuleCreateDeleteUsers)
$ACL.AddAccessRule($RuleResetPassword)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL

3. Configure the Integration in Veza

1. Navigate to Configurations > Integrations

2. Either:

   • Create a new Active Directory integration

   • Edit an existing Active Directory integration

3. Enable Lifecycle Management:

   • Check Enable Lifecycle Management

   • Enter the Lifecycle Management Username (service account created above)

   • Enter the Lifecycle Management Password

4. Save the configuration

Supported Actions

Active Directory can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Active Directory, with changes propagated to connected systems.

Active Directory can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Synchronizes identity attributes between systems, with options to:

• Create new identities if they don't exist

• Update attributes of existing identities

• Enable continuous sync to keep attributes aligned with the source of truth

Unique Identifiers

Active Directory uses composite unique identifiers to locate users. Only one unique identifier can be specified per action:

• account_name (sAMAccountName) - Default unique identifier

• distinguished_name - Full LDAP path (e.g., CN=John Doe,OU=Users,DC=company,DC=com)

• user_principal_name - Login format (e.g., [email protected])

The following attributes can be synchronized:

Manage Relationships

Controls relationships between users and Active Directory groups:

• Entity Types: Active Directory Groups

• Assignee Types: Active Directory Users

• Supports Removing Relationships: Yes

Both adding and removing group memberships are supported. Group memberships can be managed individually or removed in bulk during deprovisioning.

Deprovision Identity

When a user is deprovisioned in Active Directory:

• Entity Type: Active Directory User

• Method: Account Disabled (sets userAccountControl to 514)

• Remove All Relationships: Yes (optional - group memberships can be removed)

The following unique identifiers can be used to locate the user:

Create Entitlement

Creates new Active Directory groups:

• Entity Type: Active Directory Group

• Required Attributes: name

• Optional Attributes: description, group_type, is_security_group, member_of, account_name, organizational_unit_dn

Reset Password

Resets a user's password in Active Directory:

• Entity Type: Active Directory User

• Idempotent: No (generates a new password with each execution)

• Password Options:

  • Configurable password complexity (length, character types, excluded characters)

  • Option to require password change on next login

  • Passwords must comply with Active Directory domain password policy

Password Complexity Options:

• Length: Configurable minimum password length

• Character Types: Uppercase, lowercase, numbers, special characters

• Disallowed Characters: Specify characters to exclude from generated passwords

• Require Change: Force user to change password on next login

The following unique identifiers can be used to locate the user:

Delete Identity

Permanently removes a user from Active Directory:

• Entity Type: Active Directory User

• Method: Permanent deletion (DROP USER equivalent)

• Warning: This action cannot be undone

The following unique identifiers can be used to locate the user:

Example Workflows

Employee Onboarding

Automate user creation and group assignment when a new employee joins:

1. Create a Lifecycle Management policy with your HR system as the source of identity

2. Configure a workflow triggered when a new identity is detected

3. Add a Sync Identities action to create the AD user:

   • Map HR attributes to AD attributes (name, email, department, title, manager)

   • Set initial password with "require change on next login"

4. Add a Manage Relationships action to assign initial group memberships based on role/department

Role Change

Update access when an employee changes roles:

1. Create a policy with your HR system as the source of identity

2. Configure a workflow triggered when attributes change (department, title, or manager)

3. Add a Sync Identities action to update user attributes

4. Add a Manage Relationships action to:

   • Remove old role-based group memberships

   • Add new role-based group memberships

Employee Offboarding

Disable access when an employee leaves:

1. Create a policy with your HR system as the source of identity

2. Configure a workflow triggered when termination date is set or employee status changes

3. Add a Deprovision Identity action:

   • Account will be disabled (not deleted)

   • Group memberships will be removed

   • Attributes preserved for audit

4. Optionally schedule a Delete Identity action after retention period (e.g., 90 days)

This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Overview

Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:

• Automated security group assignments for new employees

• Dynamic group membership updates during role changes

• Access removal during offboarding

• Email synchronization between Workday and downstream systems

Worker data syncs to Veza follow the configured extraction interval (default: 1-hour minimum). See Extraction and Discovery Intervals for scheduling details.

Supported Capabilities

Source of Identity

Workday serves as an authoritative source for employee identity information:

• Entity Type: Workday Worker

• Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes

Lifecycle Actions

Manage Relationships

Controls access to Workday security groups.

• Entity Types: Workday Security Group

• Assignee Types: Workday Account

• Supports Relationship Removal: Yes

Write Back Email

Updates email addresses in Workday worker records to maintain consistency with other systems.

• Entity Type: Workday Worker

• Purpose: Ensures Workday remains the single source of truth for employee email addresses

Custom Properties

The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.

Configuration Steps

1. Create Business Process Security Policy

1. Log into Workday and search for Edit Business process security policy

2. Under Business Process Type, select Work Contact Change
3. Find "Initiating Action: Change Work Contact Information (REST Service)"

4. Create a Segment-Based Security Group
5. Configure the security group:

   • Add the security group created for Veza integration

   • Add "Worker" scope to Access Rights
6. Verify the security group appears in Initiating Action Security groups
7. Click OK and Done to save changes

2. Activate Security Policy Changes

1. Search for Activate Pending Security Policy Changes

2. Review changes, add a comment, and click OK
3. Verify changes in Business Process Security Policy

3. Configure Security Group Permissions

Add these Domain Permissions to the security group:

4. Update API Client Configuration

1. Open Edit API Client

2. Add required scopes:

   • Staffing

   • Contact Information

   • System

   • Tenant Non-Configurable

   • Organizations and Roles

5. Configure Workday Integration in Veza

1. Navigate to Configurations > Integrations

2. Either:

   • Create a new Workday integration

   • Edit an existing Workday integration

3. Enable Lifecycle Management:

   • Check Enable Lifecycle Management

4. If using custom attributes, configure them in the Custom Properties section

API Access Notes

The integration uses these API endpoints for email write-back:

%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/emailAddresses
%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/submit
%s/ccx/api/staffing/v5/%s/workers/%s/workContactInformationChanges

For general metadata discovery, WQL queries access:

• allWorkdayAccounts

• allWorkers

• securityGroups

• domainSecurityPolicies

• businessProcessTypes

Implementation Notes

1. Workday Workers are the primary entity for identity information

2. Bidirectional management of Account-Security Group relationships is supported

3. Email write-back operates on Worker entities, not Account entities

4. Custom attribute availability depends on your Workday configuration

5. The Sync Identities action is not currently supported for Workday

Overview

The Veza integration for Atlassian Cloud enables automated user lifecycle management, with support for user provisioning and deprovisioning, group membership management, and attribute synchronization across Atlassian Cloud Admin, Jira Cloud, Confluence Cloud, and Bitbucket Cloud.

This document includes steps to enable the Atlassian Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Atlassian Cloud

Prerequisites

Before enabling Lifecycle Management for Atlassian Cloud, ensure you have the necessary access and configuration in place. You'll need administrative access in both Veza and Atlassian Cloud to complete the setup process.

Veza Requirements:

• Administrative access to configure integrations

• An existing Atlassian Cloud integration that has completed at least one successful extraction

Atlassian Cloud Requirements:

• Administrative access to manage API keys and SCIM configuration

• An active SCIM directory configured in your Atlassian Cloud organization

• Proper API permissions for both SCIM and Atlassian Cloud Admin APIs

Required Configuration Parameters

The following parameters are required to enable lifecycle management operations:

The integration automatically extracts the directory ID from your SCIM URL and uses it alongside the organization ID to coordinate user and group operations.

Optional Parameters: If you're also using the integration for discovery operations (viewing Jira projects, Confluence spaces, and Bitbucket repositories in Veza), you'll need product_token and product_user. These parameters are not required for lifecycle management operations and can be omitted if you're only performing user provisioning and group management.

Configuration Steps

Complete the following steps in Veza to enable and configure Lifecycle Management for your Atlassian Cloud integration.

Enable Lifecycle Management:

1. Navigate to the Integrations overview in Veza

2. Locate your Atlassian Cloud integration (or create a new one if needed)

3. Check the box to Enable usage for Lifecycle Management

Configure Data Synchronization:

Configure the extraction schedule to ensure Atlassian Cloud user and group data remains current. Go to Administration > System Settings, then navigate to Pipeline > Extraction Interval. Set your preferred interval for data synchronization, or create a custom override specifically for Atlassian Cloud in the Active Overrides section if you need more frequent updates than your default schedule.

Verify Configuration:

After enabling Lifecycle Management, verify the integration is functioning correctly by navigating to Lifecycle Management > Integrations (or the main Integrations overview). Locate your Atlassian Cloud integration and click its name to view details. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled to check the health status.

Supported Actions

Atlassian Cloud can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

The Sync Identities action creates new user accounts or updates existing ones in Atlassian Cloud. User provisioning occurs through the SCIM directory API, which ensures that email addresses remain unique across your Atlassian organization. When you create or update a user, Veza automatically establishes cross-service connections between the Cloud Admin user account and their corresponding accounts in Jira, Confluence, and Bitbucket.

Supported User Attributes:

The active status is managed automatically during provisioning and deprovisioning operations and is not available as a sync attribute. When you sync user attributes, Veza translates them to the appropriate SCIM fields shown in the table above before sending them to Atlassian's SCIM API.

Manage Relationships

The Manage Relationships action controls group memberships for users across Atlassian Cloud. You can add users to groups or remove them, with changes synchronized across Atlassian Cloud Admin and all associated products (Jira, Confluence, and Bitbucket). All membership changes are tracked automatically for audit purposes, providing visibility into access modifications over time.

Atlassian Cloud groups can control various types of access, including product-level permissions (such as access to specific Jira projects or Confluence spaces), administrative roles within Atlassian Cloud Admin, site-wide permissions and policies, and integration settings with external identity providers. When you modify a user's group memberships through Veza, these changes apply consistently across all products where the group has assigned permissions.

Important: Groups must already exist in both the SCIM directory and Atlassian Cloud Admin before you can assign users to them. The integration does not support creating or deleting groups. See Group Management Requirements for more details.

Deprovision Identity

The Deprovision Identity action safely removes user access while preserving audit trails for compliance. When you deprovision a user, their account is deactivated through the SCIM API and all group memberships are automatically removed across Atlassian Cloud Admin, Jira, Confluence, and Bitbucket. While the user can no longer access any Atlassian products, their account information and cross-service connection history are preserved to maintain audit trails and historical visibility for compliance reporting.

Delete Identity

The Delete Identity action permanently removes the user account and associated data from Atlassian Cloud. When you delete a user, their account is permanently deleted through the SCIM API, not just deactivated. Unlike deprovisioning, this operation cannot be reversed and should be used with caution only when permanent removal is required.

Current Limitations

The following operations are not supported in the current implementation:

• User Logout: Cannot force user logout from Atlassian products

• License Management: Cannot remove specific licenses from users

• Device Management: Cannot manage or remove personal devices

• Password Management: Password operations are handled through SCIM only

Group Management Requirements

Managing group memberships in Atlassian Cloud requires coordination between the SCIM directory and Atlassian Cloud Admin.

Key requirements and limitations:

• Groups must already exist in both systems: You can only assign users to groups that are present in both the SCIM directory and Atlassian Cloud Admin. The integration does not support creating or deleting groups.

• Display name matching: When modifying group memberships, Veza uses display name matching to identify the corresponding group in each system.

• Automatic ID mapping: The integration automatically maps the correct SCIM group ID and Atlassian group ID for each operation.

Technical Architecture

The Atlassian Cloud integration uses a dual-API architecture to provide comprehensive lifecycle management capabilities.

User provisioning, deprovisioning, and attribute updates are handled via Atlassian's SCIM API, ensuring email uniqueness and maintaining user account consistency.

Group membership management uses the Atlassian Cloud Admin API, which provides the functionality to add and remove users from groups across all products. ID Mapping and Coordination:

To maintain consistency across systems, the integration performs complex ID mapping between SCIM identifiers and Atlassian identifiers. SCIM User IDs are mapped to Atlassian Account IDs, and SCIM Group IDs are mapped to Atlassian Group IDs. The integration automatically extracts the directory ID from your SCIM URL and uses your organization ID to coordinate these operations. This ensures that changes made through Veza are reflected accurately in both the SCIM directory and across all Atlassian products.

Workflow Examples

Employee Onboarding

Automate the provisioning of new employees into Atlassian Cloud:

1. Create User Account: New user account is created via SCIM with basic profile information

2. Assign Base Groups: User is added to organization-wide groups for general access

3. Product Access: User is granted access to specific products (Jira, Confluence, Bitbucket) based on role

4. Department Groups: User is added to department-specific groups for project and space access

Role Change Management

Handle employee role changes and access updates:

1. Update User Attributes: User profile information is updated to reflect new role

2. Remove Previous Access: User is removed from role-specific groups and permissions

3. Grant New Access: User is added to groups appropriate for their new role

4. Cross-Product Sync: Changes are propagated across all Atlassian products

Employee Offboarding

Safely remove access when employees leave:

1. Deactivate Account: User account is disabled via SCIM

2. Remove All Groups: User is removed from all groups and permissions

3. Revoke Product Access: Access is revoked across Jira, Confluence, and Bitbucket

4. Audit Trail: All changes are logged for compliance and historical tracking

Overview

The Veza integration for Salesforce enables automated user lifecycle management across your identity ecosystem. This integration allows security and IT teams to automate the provisioning, updating, and deprovisioning of Salesforce user accounts based on changes in an authoritative source (such as an HRIS system or another identity provider).

Key capabilities include:

• User Provisioning: Automatically create Salesforce user accounts with appropriate profiles and permissions

• Attribute Synchronization: Keep user details in sync across systems, ensuring data consistency

• Permission Management: Assign and remove permission sets and roles based on policies

• User Deprovisioning: Safely disable access when users leave the organization

The integration leverages the SCIM protocol for standardized identity management operations and uses Salesforce-specific APIs for permission management.

This document includes steps to enable the Salesforce integration for Lifecycle Management, along with details on supported actions and notes.

Prerequisites and Configuration

Before configuring the integration, ensure you have:

1. Administrative access in Veza to configure the integration

2. An existing Salesforce integration in Veza or add a new one

3. At least one successful extraction from your Salesforce integration

4. The appropriate permissions in Salesforce

5. Salesforce API v40 or later for user provisioning

Required Permissions

The Salesforce integration will need the following permissions:

• Assign Permission Sets: Enables assignment and removal of permission sets for users.

• Freeze Users: Enables freezing and unfreezing user accounts.

• Manage Internal Users: Required for user creation and updates.

• Manage IP Addresses: Required for managing trusted IP ranges if IP restrictions are used.

• Manage Login Access Policies: Required for configuring login access policies.

• Manage Password Policies: Required for setting and resetting passwords during user creation.

• Manage Profiles and Permission Sets: Required for permission set and profile assignment.

• Manage Roles: Required for role assignments and management.

• Manage Sharing: Required for managing sharing rules and access control.

• Manage Users: Essential for user lifecycle operations.

• Monitor Login History: Required for monitoring user logins.

• Reset User Passwords and Unlock Users: Required for account management.

• View All Profiles: Required to view profile information for all users.

• View All Users: Required to view all user information.

In Salesforce, you can add these permissions for the Veza connected app in the System Permissions section at the bottom of the Permission Set configuration page.

SCIM Requirements

Veza Lifecycle Management uses Salesforce SCIM APIs for identity provisioning operations. The SCIM protocol enables the automated exchange of user identity data between Veza and Salesforce. The permissions listed above provide the necessary access for SCIM functionality.

• The Connected App used for the integration must have OAuth scopes that include api and refresh_token permissions and a certificate for JWT-based authentication

• To make the required API calls, the integration requires a custom user profile in Salesforce with "API Enabled" permission

For additional details about Salesforce's SCIM implementation, refer to the Salesforce SCIM documentation.

Enabling the Integration

To enable the integration:

1. In Veza, go to the Integrations overview.

2. Search for or create a Salesforce integration.

   1. Ensure the integration permission set includes the required permissions.

3. Check the box to Enable usage for Lifecycle Management.

4. Save the configuration.

Configure the extraction schedule to ensure your Salesforce data remains current:

1. Go to Veza Administration > System Settings.

2. In Pipeline > Extraction Interval, set your preferred interval.

3. Optionally, set a custom override for Salesforce in the Active Overrides section.

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.

2. Search for the integration and click the name to view details.

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.

SCIM Implementation Details

Veza's Salesforce integration implements the SCIM 2.0 protocol to standardize identity management operations:

• Users are represented with standard SCIM core attributes plus Salesforce-specific Enterprise extensions

• The system uses email addresses as the primary key for user lookups

• Usernames cannot be changed after creation and must be unique within the Salesforce instance

• User profiles are managed through SCIM entitlements

• User roles are handled through SCIM roles endpoints

• User Deprovisioning is implemented as deactivation (setting active=false)

• Permission sets are assigned through Salesforce API calls after user creation

Supported Actions

Salesforce can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Salesforce, with changes propagated to connected systems.

Salesforce can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow:

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Usernames cannot be changed after creation.

• Email addresses must be unique.

• Required attributes must be present (Username, Email, FirstName, LastName).

• Passwords are set during user creation.

• Division and Department attributes are excluded during updates due to Salesforce API limitations.

• Salesforce does not support changing usernames after creation.

The following attributes can be synchronized:

Custom properties: In addition to the standard attributes above, Veza supports synchronizing custom properties for Salesforce User objects, including both direct properties and indirect (referenced) properties using dot notation (e.g., Profile.Name, Manager.Email). For details on configuring custom properties, see User custom properties in the Salesforce integration guide.

Manage Relationships

The following relationship types are supported:

• Groups: Add and remove group memberships (only for groups with Group Type = Regular).

• Permission Sets: Add and remove permission set assignments.

• Permission Set Groups: Add and remove permission set group assignments.

• Profiles: Manage profile assignments.

• User Roles: Synchronize user role assignments.

Notes:

• Profile and role assignments are managed via SCIM and Salesforce APIs.

• When removing a profile assignment, users are assigned the "Minimum Access - Salesforce" profile by default. This profile must exist in your Salesforce instance for profile changes to work properly.

• Only Salesforce groups with the property Group Type = Regular can be used in Manage Relationships configurations.

• Groups of type RoleAndSubordinatesInternal are not supported but can be assigned through their corresponding roles.

• Direct creation of permission sets ("Create Entitlement" action) is not currently supported.

Deprovision Identity

When a user is deprovisioned:

• The user account is frozen or deactivated (Salesforce does not allow user deletion).

• Permission set assignments are removed.

• Attribute history is preserved for audit.

• The account can be reactivated if needed.