1 of 22

Integrations

Overview of supported Lifecycle Management integrations in Veza, with capabilities and supported actions for target applications and sources of identity.

Overview

This document provides an introduction to the integrations supported by Veza Lifecycle Management (LCM), including their capabilities and the actions they support. These integrations enable you to automate identity and access management workflows across your identity sources and target applications.

Veza's Open Authorization API (OAA) can support provisioning and deprovisioning for applications not natively supported by the Veza platform. With OAA, Veza or customers can build integrations to any application that has a suitable and accessible API or integration interface.

Custom applications integrated via OAA can also serve as Lifecycle Management targets if they expose SCIM 2.0 compliant endpoints. This enables automated provisioning workflows for home-grown applications while establishing visibility through OAA's flexible entity modeling.

Supported Integrations

Identity Sources

Identity sources are authoritative systems that provide information about user identities. While Veza does not require write permissions to the identity source of truth, some of these integrations are also supported as provisioning targets. Integrations can also allow write-back of a user's newly created email address to the user's record in the source of identity as part of the initial provisioning workflow.

Veza currently supports the following as sources of identity for Lifecycle Management workflows:

Target Application Support

The entire catalog of Veza application integrations is Lifecycle Management-ready. Target application support in Lifecycle Management leverages Veza's existing native- and OAA-based integrations plus an intelligent shim layer in order to provide support for provisioning and de-provisioning.

As such, target application support in Lifecycle Management can be enabled for nearly every Veza-supported integration.

Validated Integrations

The following table lists the out-of-the-box, Veza-validated target application integrations for Lifecycle Management.

Other Supported Integrations

For any Veza-supported application not listed above, please contact your Customer Success Manager for more details and instructions on how to enable the specific Veza integration for use with Lifecycle Management as a target application for provisioning and de-provisioning.

Configuring Integrations for Lifecycle Management

Insight Points for Lifecycle Management

An Insight Point is required to enable Lifecycle Management operations and identity discovery for systems that Veza cannot access directly, such as an on-premises application server behind a firewall. The Insight Point is a lightweight connector that runs in your environment, enabling secure gathering and processing of authorization metadata for LCM tasks.

A Veza Insight Point is typically deployed as a Docker container or VM OVA, running within your network for metadata discovery and LCM job execution. This ensures secure communication between your environment and Veza.

For deployment instructions, refer to the .

Scheduled and Manual Extractions

You can configure extraction intervals for your integrations to ensure data is regularly updated for Lifecycle Management processes.

Go to Veza Administration > System Settings
In the Pipeline > Extraction Interval section, set the global extraction interval
To override the global setting for specific integrations, use the Active Overrides section

Available extraction intervals are:

Auto (hourly, but may take longer when the extraction pipeline is full)
15 Minutes
1 Hour
6 Hours

To manually trigger an extraction:

Go to Integrations > All Data Sources
Search for the desired data source
Select Actions > Start Extraction

Note: Custom application payloads are extracted after the payload is pushed to Veza using the Open Authorization API.

Enabling Lifecycle Management

To enable Lifecycle Management for a specific integration:

Browse to the main Veza Integrations page, or go to Lifecycle Management > Integrations
Search for the integration you want to enable
Toggle the Lifecycle Management option to Enabled

Checking on Lifecycle Management Data Sources

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Additional Resources

For more information:

Refer to individual integration documentation for detailed LCM capabilities
Consult the Lifecycle Management user guide for troubleshooting and best practices
Contact Veza support for assistance with enabling or configuring LCM for your integrations

AWS IAM Identity Center

Configuring the AWS IAM Identity Center integration for Veza Lifecycle Management.

Overview

The Veza integration for AWS IAM Identity Center enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization across AWS organizations.

Action Type

Description

Supported

Atlassian Cloud

Configuring the Atlassian Cloud integration for Veza Lifecycle Management.

Overview

The Veza integration for Atlassian Cloud enables automated user lifecycle management, with support for user provisioning and deprovisioning, group membership management, and attribute synchronization across Atlassian Cloud Admin, Jira Cloud, Confluence Cloud, and Bitbucket Cloud.

Action Type

Description

Supported

This document includes steps to enable the Atlassian Cloud integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Atlassian Cloud

Prerequisites

Before enabling Lifecycle Management for Atlassian Cloud, ensure you have the necessary access and configuration in place. You'll need administrative access in both Veza and Atlassian Cloud to complete the setup process.

Veza Requirements:

Administrative access to configure integrations
An existing that has completed at least one successful extraction

Atlassian Cloud Requirements:

Administrative access to manage API keys and SCIM configuration
An active SCIM directory configured in your Atlassian Cloud organization
Proper API permissions for both SCIM and Atlassian Cloud Admin APIs

Required Configuration Parameters

The following parameters are required to enable lifecycle management operations:

Parameter

Description

Purpose

The integration automatically extracts the directory ID from your SCIM URL and uses it alongside the organization ID to coordinate user and group operations.

Optional Parameters: If you're also using the integration for discovery operations (viewing Jira projects, Confluence spaces, and Bitbucket repositories in Veza), you'll need product_token and product_user. These parameters are not required for lifecycle management operations and can be omitted if you're only performing user provisioning and group management.

Configuration Steps

Complete the following steps in Veza to enable and configure Lifecycle Management for your Atlassian Cloud integration.

Enable Lifecycle Management:

Navigate to the Integrations overview in Veza
Locate your Atlassian Cloud integration (or create a new one if needed)
Check the box to Enable usage for Lifecycle Management

Configure Data Synchronization:

Configure the extraction schedule to ensure Atlassian Cloud user and group data remains current. Go to Administration > System Settings, then navigate to Pipeline > Extraction Interval. Set your preferred interval for data synchronization, or create a custom override specifically for Atlassian Cloud in the Active Overrides section if you need more frequent updates than your default schedule.

Verify Configuration:

After enabling Lifecycle Management, verify the integration is functioning correctly by navigating to Lifecycle Management > Integrations (or the main Integrations overview). Locate your Atlassian Cloud integration and click its name to view details. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled to check the health status.

Supported Actions

Atlassian Cloud can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

The Sync Identities action creates new user accounts or updates existing ones in Atlassian Cloud. User provisioning occurs through the SCIM directory API, which ensures that email addresses remain unique across your Atlassian organization. When you create or update a user, Veza automatically establishes cross-service connections between the Cloud Admin user account and their corresponding accounts in Jira, Confluence, and Bitbucket.

Supported User Attributes:

Attribute

Required

Type

Description

SCIM Mapping

Notes

The active status is managed automatically during provisioning and deprovisioning operations and is not available as a sync attribute. When you sync user attributes, Veza translates them to the appropriate SCIM fields shown in the table above before sending them to Atlassian's SCIM API.

Manage Relationships

The Manage Relationships action controls group memberships for users across Atlassian Cloud. You can add users to groups or remove them, with changes synchronized across Atlassian Cloud Admin and all associated products (Jira, Confluence, and Bitbucket). All membership changes are tracked automatically for audit purposes, providing visibility into access modifications over time.

Atlassian Cloud groups can control various types of access, including product-level permissions (such as access to specific Jira projects or Confluence spaces), administrative roles within Atlassian Cloud Admin, site-wide permissions and policies, and integration settings with external identity providers. When you modify a user's group memberships through Veza, these changes apply consistently across all products where the group has assigned permissions.

Important: Groups must already exist in both the SCIM directory and Atlassian Cloud Admin before you can assign users to them. The integration does not support creating or deleting groups. See for more details.

Deprovision Identity

The Deprovision Identity action safely removes user access while preserving audit trails for compliance. When you deprovision a user, their account is deactivated through the SCIM API and all group memberships are automatically removed across Atlassian Cloud Admin, Jira, Confluence, and Bitbucket. While the user can no longer access any Atlassian products, their account information and cross-service connection history are preserved to maintain audit trails and historical visibility for compliance reporting.

Delete Identity

The Delete Identity action permanently removes the user account and associated data from Atlassian Cloud. When you delete a user, their account is permanently deleted through the SCIM API, not just deactivated. Unlike deprovisioning, this operation cannot be reversed and should be used with caution only when permanent removal is required.

Current Limitations

The following operations are not supported in the current implementation:

User Logout: Cannot force user logout from Atlassian products
License Management: Cannot remove specific licenses from users
Device Management: Cannot manage or remove personal devices
Password Management: Password operations are handled through SCIM only

Group Management Requirements

Managing group memberships in Atlassian Cloud requires coordination between the SCIM directory and Atlassian Cloud Admin.

Key requirements and limitations:

Groups must already exist in both systems: You can only assign users to groups that are present in both the SCIM directory and Atlassian Cloud Admin. The integration does not support creating or deleting groups.
Display name matching: When modifying group memberships, Veza uses display name matching to identify the corresponding group in each system.
Automatic ID mapping: The integration automatically maps the correct SCIM group ID and Atlassian group ID for each operation.

Technical Architecture

The Atlassian Cloud integration uses a dual-API architecture to provide comprehensive lifecycle management capabilities.

User provisioning, deprovisioning, and attribute updates are handled via Atlassian's SCIM API, ensuring email uniqueness and maintaining user account consistency.

Group membership management uses the Atlassian Cloud Admin API, which provides the functionality to add and remove users from groups across all products. ID Mapping and Coordination:

To maintain consistency across systems, the integration performs complex ID mapping between SCIM identifiers and Atlassian identifiers. SCIM User IDs are mapped to Atlassian Account IDs, and SCIM Group IDs are mapped to Atlassian Group IDs. The integration automatically extracts the directory ID from your SCIM URL and uses your organization ID to coordinate these operations. This ensures that changes made through Veza are reflected accurately in both the SCIM directory and across all Atlassian products.

Workflow Examples

Employee Onboarding

Automate the provisioning of new employees into Atlassian Cloud:

Create User Account: New user account is created via SCIM with basic profile information
Assign Base Groups: User is added to organization-wide groups for general access
Product Access: User is granted access to specific products (Jira, Confluence, Bitbucket) based on role
Department Groups: User is added to department-specific groups for project and space access

Role Change Management

Handle employee role changes and access updates:

Update User Attributes: User profile information is updated to reflect new role
Remove Previous Access: User is removed from role-specific groups and permissions
Grant New Access: User is added to groups appropriate for their new role
Cross-Product Sync: Changes are propagated across all Atlassian products

Employee Offboarding

Safely remove access when employees leave:

Deactivate Account: User account is disabled via SCIM
Remove All Groups: User is removed from all groups and permissions
Revoke Product Access: Access is revoked across Jira, Confluence, and Bitbucket
Audit Trail: All changes are logged for compliance and historical tracking

Azure AD (Microsoft Entra ID)

Configuring the Azure integration for Veza Lifecycle Management

Overview

The Veza integration for Azure AD (Microsoft Entra ID) enables automated user provisioning, access management, and de-provisioning capabilities as a target system. This integration allows you to provision users from authoritative sources, manage group memberships, assign licenses, and automate the user lifecycle based on changes in external identity sources.

Action Type

Description

Supported

Coupa Contingent Workforce

Configuring the Coupa Contingent Workforce integration for Veza Lifecycle Management.

Overview

The Veza integration for Coupa Contingent Workforce (CCW) enables automated identity synchronization as a source of truth for contingent worker lifecycle management. Coupa CCW serves as an authoritative source for contingent worker information that can be synchronized with other systems in your environment.

This document includes steps to enable the Coupa CCW integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Coupa CCW

Prerequisites

You will need administrative access in Veza to configure the integration and Customer Integration Admin privileges in Coupa CCW.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your Coupa CCW integration has completed at least one successful extraction
The Coupa CCW integration will need the required API scope:

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a Coupa CCW integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Coupa CCW data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Coupa CCW in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Coupa CCW can serve as a source for identity information in Lifecycle Management . Contingent worker identity details are synchronized from Coupa CCW with changes propagated to connected target systems.

Important: Coupa CCW is a source-only integration for Lifecycle Management. It provides authoritative identity information but cannot be used as a provisioning target.

The integration supports the following lifecycle management :

Source of Identity

As a source-only system, Coupa CCW provides:

Contingent worker identity information synchronized to downstream systems
Organizational structure data (Account Segments, Cost Centers, Departments)
Employment status and contract details for lifecycle decisions
Manager relationships for approval workflows

Workflow Examples

Contingent Worker Onboarding

When a new contingent worker is added to Coupa CCW:

Identity Sync: Coupa CCW provides worker details to Veza Lifecycle Management
Access Provisioning: Based on department, cost center, and role, appropriate access is granted in target systems
Manager Assignment: Hiring manager relationships are established for approval workflows
Group Assignment: Worker is added to relevant organizational groups based on Account Segment and Department

Contingent Worker Status Changes

When a contingent worker's status changes (contract end, role change):

Status Detection: Coupa CCW reflects updated employment status
Access Review: Lifecycle policies evaluate continued access needs
De-provisioning: If terminated, appropriate access removal is triggered in target systems
Audit Trail: All changes are tracked for compliance reporting

Contract-to-Hire Conversion

When a contingent worker transitions to full-time employee:

Status Update: Employment type change is detected in Coupa CCW
Access Migration: Existing access is evaluated and potentially expanded
System Updates: Worker identity is updated across all connected systems
Process Completion: Manager and HR notifications confirm successful transition

Exchange Server

This guide describes how to enable and configure Exchange Server for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Supported Capabilities

Lifecycle Actions Supported

Create Email

Supports the creation of email accounts for users within Exchange Server.

Entity Type: Exchange Server Users
Attributes Available for Configuration:
- Identity (Required)
- Alias (Optional)

Example Use Cases:

Create email accounts for new employees joining the organization
Assign email aliases to users to facilitate communication

Configuration Steps

1. Locate Exchange Management Shell Paths

Find the Exchange Management Shell shortcut in the Start Menu
Right-click > More > Open File Location
Right-click the shortcut icon > Properties

2. Create Application Pool in IIS

Open IIS Manager and create a new application pool
Name the application pool
Configure the application pool:

3. Configure IIS Application

Add the application to "Default Web Site"
Configure the application:
- Set alias to "VezaProvisioner"
- Select the application pool created above

4. Install Veza Provisioner

Install the VezaProvisioner.msi installer provided by Veza support on the Exchange Server. This component handles email address creation for users provisioned in Active Directory.

5. Configure Exchange Server Integration in Veza

Go to Configurations > Integrations
Click Add New and select Exchange Server
Complete the following fields:
Field
Description

6. Verify Configuration

After configuration, the Exchange Server integration will be available for use in Lifecycle Management policies, specifically for the Create Email action. This action can be used in workflows for new employee onboarding or other scenarios requiring email account creation.

Google Cloud

Configuring Google Cloud for Veza Lifecycle Management

Overview

The Veza integration for Google Cloud enables automated user provisioning, access management, and de-provisioning capabilities for Google Workspace. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

Action Type

Description

Supported

GitHub

Configuring the GitHub integration for Veza Lifecycle Management.

Overview

The Veza integration for GitHub enables automated user lifecycle management, with support for user provisioning, team membership management, and account deprovisioning.

Action Type

Description

Supported

Oracle Database

Configuring the Oracle Database integration for Veza Lifecycle Management

Overview

The Veza integration for Oracle DB enables automated user provisioning, access management, and deprovisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

Action Type

Description

Supported

This document outlines the steps to enable Oracle DB integration for use in Lifecycle Management, including supported actions and relevant notes. See for more details.

Enabling Lifecycle Management for Oracle DB

Prerequisites

You will need administrative access in Veza to configure the integration.
Ensure you have an existing integration in Veza or add a new one for use with Lifecycle Management.
Verify your Oracle DB integration has completed at least one successful extraction.
Database administrator privileges in Oracle DB (ability to create common users and grant privileges)

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create an Oracle DB integration
Check the box, Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Oracle DB data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Oracle DB in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Oracle DB can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from Oracle DB, with changes propagated to connected systems.

Oracle DB can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following Lifecycle Management :

Sync Identities

The following attributes can be synchronized:

Property

Required

Type

Description

Notes

SYNC_IDENTITIES

Entity Type: OracleDB User
Create Allowed: Yes
Method: SQL CREATE USER / ALTER USER

MANAGE_RELATIONSHIPS

Entity Types: OracleDB Role
Assignee Types: OracleDB User
Supports Remove: Yes
Method: SQL GRANT ROLE / REVOKE ROLE

DEPROVISION_IDENTITY

Entity Type: OracleDB User
Method: DISABLED (account lock via ALTER USER ... ACCOUNT LOCK)
Removes Relationships: Yes

DELETE_IDENTITY

Entity Type: OracleDB User
Method: Permanent deletion via DROP USER

Workflow Examples

Employee Onboarding

Create an Oracle DB user account with the Sync Identities action
Assign default role based on department with Manage Relationships
Set password (requires change on first login)
Configure profiles and tablespaces

Role Change Management

Update user attributes (profile, tablespaces) with Sync Identities
Remove old role assignments with Manage Relationships
Grant new roles appropriate for the new position

Employee Offboarding

Lock user account with Deprovision Identity (ACCOUNT LOCK)
Remove all role assignments
Preserve the user record for audit purposes
Optional: Delete user permanently with Delete Identity (DROP USER)

Snowflake

Configuring the Snowflake integration for Veza Lifecycle Management.

Overview

The Veza integration for Snowflake enables automated user lifecycle management, with support for user provisioning and de-provisioning, role assignment management, and attribute synchronization.

Action Type

Description

Supported

Atlassian Cloud

Configuring the Atlassian Cloud integration for Veza Lifecycle Management.

Overview

Action Type

Description

Supported

This document includes steps to enable the Atlassian Cloud integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Atlassian Cloud

Prerequisites

Veza Requirements:

Administrative access to configure integrations
An existing that has completed at least one successful extraction

Atlassian Cloud Requirements:

Administrative access to manage API keys and SCIM configuration
An active SCIM directory configured in your Atlassian Cloud organization
Proper API permissions for both SCIM and Atlassian Cloud Admin APIs

Required Configuration Parameters

The following parameters are required to enable lifecycle management operations:

Parameter

Description

Purpose

The integration automatically extracts the directory ID from your SCIM URL and uses it alongside the organization ID to coordinate user and group operations.

Configuration Steps

Complete the following steps in Veza to enable and configure Lifecycle Management for your Atlassian Cloud integration.

Enable Lifecycle Management:

Navigate to the Integrations overview in Veza
Locate your Atlassian Cloud integration (or create a new one if needed)
Check the box to Enable usage for Lifecycle Management

Configure Data Synchronization:

Verify Configuration:

Supported Actions

Atlassian Cloud can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Supported User Attributes:

Attribute

Required

Type

Description

SCIM Mapping

Notes

Manage Relationships

Deprovision Identity

Delete Identity

Current Limitations

The following operations are not supported in the current implementation:

User Logout: Cannot force user logout from Atlassian products
License Management: Cannot remove specific licenses from users
Device Management: Cannot manage or remove personal devices
Password Management: Password operations are handled through SCIM only

Group Management Requirements

Managing group memberships in Atlassian Cloud requires coordination between the SCIM directory and Atlassian Cloud Admin.

Key requirements and limitations:

Groups must already exist in both systems: You can only assign users to groups that are present in both the SCIM directory and Atlassian Cloud Admin. The integration does not support creating or deleting groups.
Display name matching: When modifying group memberships, Veza uses display name matching to identify the corresponding group in each system.
Automatic ID mapping: The integration automatically maps the correct SCIM group ID and Atlassian group ID for each operation.

Technical Architecture

The Atlassian Cloud integration uses a dual-API architecture to provide comprehensive lifecycle management capabilities.

User provisioning, deprovisioning, and attribute updates are handled via Atlassian's SCIM API, ensuring email uniqueness and maintaining user account consistency.

Group membership management uses the Atlassian Cloud Admin API, which provides the functionality to add and remove users from groups across all products. ID Mapping and Coordination:

Workflow Examples

Employee Onboarding

Automate the provisioning of new employees into Atlassian Cloud:

Create User Account: New user account is created via SCIM with basic profile information
Assign Base Groups: User is added to organization-wide groups for general access
Product Access: User is granted access to specific products (Jira, Confluence, Bitbucket) based on role
Department Groups: User is added to department-specific groups for project and space access

Role Change Management

Handle employee role changes and access updates:

Update User Attributes: User profile information is updated to reflect new role
Remove Previous Access: User is removed from role-specific groups and permissions
Grant New Access: User is added to groups appropriate for their new role
Cross-Product Sync: Changes are propagated across all Atlassian products

Employee Offboarding

Safely remove access when employees leave:

Deactivate Account: User account is disabled via SCIM
Remove All Groups: User is removed from all groups and permissions
Revoke Product Access: Access is revoked across Jira, Confluence, and Bitbucket
Audit Trail: All changes are logged for compliance and historical tracking

PagerDuty

Configuring the PagerDuty integration for Veza Lifecycle Management

Overview

The Veza integration for PagerDuty enables automated user provisioning, team membership management, and user deletion capabilities. This integration allows you to synchronize identity information, manage team assignments, and automate the user lifecycle from onboarding to offboarding.

Action Type

Description

Supported

This document includes steps to enable the PagerDuty integration for use in Veza Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for PagerDuty

Prerequisites

You will need administrative access in Veza to configure the integration.
Ensure you have an existing in Veza or add a new one for use with Veza Lifecycle Management.
Verify your PagerDuty integration has completed at least one successful extraction.
The PagerDuty integration will need the following configuration:

For testing and development, you can create a free PagerDuty developer account at . Developer accounts are limited to a maximum of 3 simultaneous users, but you can delete and recreate users as needed.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a PagerDuty integration
Ensure the following configuration is complete:
- URL: Your PagerDuty domain URL (e.g., https://yourcompany.pagerduty.com

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

PagerDuty can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from PagerDuty, with changes propagated to connected systems.

PagerDuty does not support account deactivation or suspension. Users can only be fully deleted from the system. The DEPROVISION_IDENTITY action is not available for this integration. Use DELETE_IDENTITY instead when removing user access.

PagerDuty can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

Entity Types: OAA.PagerDuty.User
Create Allowed: Yes - New user identities can be created if not found

The following attributes can be synchronized:

PagerDuty User Attributes

Property

Required

Type

Description

Notes

Identity Model: PagerDuty users are uniquely identified by their email address. The email attribute is used for all user lookup and synchronization operations.

Delete Identity

Permanently removes a user from PagerDuty:

Entity Type: OAA.PagerDuty.User
Remove All Relationships: Yes - All team memberships are automatically removed
Deletion Method: Permanent deletion via PagerDuty API
Requirements:

Permanent Action: User deletion in PagerDuty is permanent and cannot be undone. All user data, including incident history and on-call schedules, will be affected. PagerDuty does not support user suspension or deactivation - deletion is the only method to remove user access.

Example Workflows

Example: Onboarding New Users to PagerDuty

To provision a new user in PagerDuty and assign them to relevant teams:

Create a policy with your HRIS or identity source (e.g., Workday, Okta)
Configure a workflow for user creation with condition: {job_role} == "Engineer"
Add a Sync Identities action:

Example: Offboarding Users from PagerDuty

To remove a departing user from PagerDuty:

Create a policy with your HRIS or identity source
Configure a workflow for user termination with condition: {employee_status} == "Terminated"
Add a Delete Identity action:

Before deleting a user, ensure they are not assigned to any active on-call schedules or escalation policies that could impact incident response.

Additional Notes

API Rate Limiting

PagerDuty enforces API rate limits on all operations. The Veza integration automatically handles rate limiting by:

Monitoring the X-RateLimit-Remaining and X-RateLimit-RetryAfter response headers
Automatically retrying requests after the rate limit reset time
Using exponential backoff for failed requests

If you encounter errors during high-volume operations, consider:

Scheduling bulk provisioning operations during off-peak hours
Batching user creation across multiple workflow executions
Contacting PagerDuty support to discuss rate limit increases for your account

PagerDuty User Limits

Free and developer PagerDuty accounts have user limits:

Developer accounts: Maximum of 3 simultaneous users
Free tier: Check your PagerDuty plan for specific limits

For production use of Lifecycle Management with PagerDuty, verify that your PagerDuty subscription supports the number of users you plan to manage.

Team Entity IDs

When working with PagerDuty teams in lifecycle management:

Teams are referenced by their PagerDuty team ID (e.g., PCALT99)
Team IDs can be found in the PagerDuty UI under People > Teams or via the Veza entity browser
In Veza, team entity IDs follow the format: custom_provider:application:[datasource_id]:pagerduty:team:[team_id]

Splunk Enterprise

Configure automated user provisioning, role assignment, and account management for Splunk Enterprise using Veza Lifecycle Management

Overview

Lifecycle Management for Splunk Enterprise automates user identity and access operations, enabling:

Automated user account creation and updates
Role assignment and removal for access management
User account deletion for offboarding
Attribute synchronization for user profiles

Use this integration with Veza Lifecycle Management to:

Onboard users: Automatically create Splunk Enterprise accounts with initial role assignments
Manage access: Add or remove role memberships based on access policies
Offboard users: Delete accounts when users leave the organization
Update profiles: Synchronize user attributes like email and display name

Splunk Enterprise supports the following Lifecycle Management actions:

Note: Splunk Enterprise does not support the Deprovision Identity action for disabling or locking user accounts. The Splunk API only supports permanent deletion via the Delete Identity action. To offboard users while maintaining audit records, use the Delete Identity action, which preserves activity logs even after account deletion.

Refer to the for more information about creating policy-based provisioning workflows with Veza.

Prerequisites

Before enabling Lifecycle Management for Splunk Enterprise, you will need:

An Existing Integration: Add a Splunk Enterprise integration and complete at least one successful extraction. See .
Sufficient Permissions for Lifecycle Management: The Veza service account needs write capabilities beyond read-only access:

The edit_user capability grants permission to create, modify, and delete any user account in Splunk Enterprise. Ensure this service account is properly secured and monitored.

Enable Lifecycle Management

To enable the Splunk Enterprise integration for Lifecycle Management:

In Veza, navigate to Integrations
Locate your Splunk Enterprise integration
Open the integration details
Enable Usage for Lifecycle Management

See for more information on configuring integrations for Lifecycle Management.

Supported Actions

Sync Identities

Creates new user accounts or updates existing user attributes in Splunk Enterprise.

Capabilities:

Create New Users: Yes
Update Existing Users: Yes
Entity Type: Splunk Enterprise User

Required Attributes

Optional Attributes

When creating a new user:

The name attribute becomes the unique username (must be unique within the Splunk Enterprise instance)
Both email and password are required for user creation. The password must meet your Splunk Enterprise deployment's password complexity requirements, which are configured by your Splunk administrator (e.g., minimum length, required character types).
If realname is not provided, it defaults to the

When updating an existing user:

Only the attributes specified in the update request are modified
Other attributes remain unchanged
The name attribute is used to identify the user, but cannot be changed
Password updates are supported, but require providing the new password value

Manage Relationships

Assigns or removes role memberships for Splunk Enterprise users.

Supported Relationship Types:

Splunk Enterprise implements a role relationship manager that:

Adds roles to users by updating the user's role list
Removes roles from users by updating the user's role list
Validates that the target role exists before assignment
Preserves all other assigned roles when adding or removing a single role

Only existing roles can be assigned. Splunk Enterprise groups (LDAP and SAML) are read-only and managed by external identity providers. Lifecycle Management cannot create or modify groups or create new roles.

How Relationships Work

When Adding a Role:

Veza retrieves the user's current role assignments
Checks if the role is already assigned (skips if already assigned)
Adds the new role to the user's role list
Updates the user with the complete role list

When Removing a Role:

Veza retrieves the user's current role assignments
Checks if the role is currently assigned (skips if not assigned)
Removes the target role from the user's role list
Updates the user with the remaining roles

Notes:

Users must have at least one role in Splunk Enterprise
Removing a user's last role assignment will fail
Role assignments are direct. A role may contain inherited roles depending on Splunk's role inheritance configuration.
Built-in roles (e.g., admin, user

Delete Identity

Permanently deletes user accounts from Splunk Enterprise. Note that Splunk Enterprise does not have a native "disabled" or "locked" state for accounts (except lock-out).

Delete Method: The account and all associated data are permanently removed from Splunk Enterprise.

Required Attributes

Delete Behavior

When deleting a user:

The user account is permanently removed
All role assignments are removed as part of the deletion
User-owned objects (saved searches, dashboards, etc.) may be affected based on Splunk configuration
The username can be reused for a new user after deletion

User deletion is permanent and cannot be undone through the API. While Splunk administrators can view audit logs to access deleted user records, consider removing role assignments (using MANAGE_RELATIONSHIPS) for temporary access revocations. Built-in system accounts (e.g., admin) cannot be deleted.

Example Workflows

Onboarding New Users

Create User Account (SYNC_IDENTITIES): Provide a name, email, password, and optionally realname. The user is created with the default user role.
Assign Roles (MANAGE_RELATIONSHIPS): Add role assignments based on job function.

Modifying Access

Add Role (MANAGE_RELATIONSHIPS): Add a role assignment to the user
Remove Role (MANAGE_RELATIONSHIPS): Remove role assignment from the user

Employee Offboarding

Revoke Access (Reversible): Remove all elevated roles via MANAGE_RELATIONSHIPS, leaving only the base user role.
Delete Account (Permanent): Use DELETE_IDENTITY to remove a user account permanently.

Updating User Profile

Use SYNC_IDENTITIES to update a user's email, realname, or password. Provide the name to identify the user; only the specified attributes are updated.

Oracle HCM

Configuring the Oracle HCM integration for Veza Lifecycle Management.

Overview

Early Access: Oracle HCM integration is currently in Early Access. Please contact our customer success team to enable the INTEG_ORACLE_HCM_HRIS feature flag for your environment.

The Veza integration for Oracle HCM enables automated identity lifecycle management with support for identity synchronization and email write-back capabilities. Oracle HCM is designed to serve as a source of identity for Lifecycle Management workflows.

Action Type

Description

Supported

This document includes steps to enable the Oracle HCM integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Oracle HCM

Prerequisites

You will need administrative access in Veza to configure the integration and appropriate access in Oracle HCM.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your Oracle HCM integration has completed at least one successful extraction
The Oracle HCM service account requires specific permissions for different operations:

Important: Oracle HCM integration requires specific report configurations and API access. Ensure your Oracle HCM user account has sufficient privileges to read worker data and update email addresses.

Technical Requirements:

Oracle HCM REST API version: 11.13.18.05
REST Framework version: 4
SCIM 2.0 support for user operations
HTTP Basic Authentication

Configuration Parameters:

url: Oracle HCM instance URL (required)
username: Service account username (required)
password: Service account password (required)
report_path: BI Publisher report path starting with /Custom

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create an Oracle HCM integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Oracle HCM data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Oracle HCM in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

BI Publisher Report Configuration

Oracle HCM integration relies on BI Publisher reports to extract worker data. The report must be properly configured with specific requirements:

Report Path Requirements

Must be an absolute path starting with /Custom
Must end with .xdo extension
Example: /Custom/HCM/WorkerDataReport.xdo

Required CSV Column Headers

The BI Publisher report must output CSV data with these exact column headers:

Core Required Columns:

CORRELATION_ID - Unique worker identifier (required)
EMPLOYEE_ID - Employee number/ID (required)
FIRST_NAME - Worker's first name (required)

Additional Standard Columns:

NAME - Full name
COMPANY_NAME - Company name
PREFERRED_FIRST_NAME - Preferred first name

Data Format Requirements

Date Format: All dates must use YYYY-MM-DD format
Employment Status: Must be exactly "ACTIVE" for active workers (case-sensitive)
Boolean Values: Use "Y" or "N" for the ACTIVE column
Duplicate Records: System handles duplicates by keeping the most recent active record

Supported Actions

Oracle HCM serves as a source for identity information in Lifecycle Management . Based on the implementation configuration, Oracle HCM supports only two specific actions:

Source of Identity

Oracle HCM provides authoritative worker information for identity lifecycle policies:

Data Flow: FROM Oracle HCM TO target systems (unidirectional)
Purpose: Serves as the authoritative source for worker identity data
Scope: Worker records from BI Publisher reports are made available to lifecycle policies
Usage: Target systems can query Oracle HCM worker data for provisioning decisions

Available Worker Attributes for Lifecycle Management:

Oracle HCM uses a multi-layer attribute system:

BI Publisher Report Fields: Over 20 fields available for reading worker data (see )
Lifecycle Management Attributes: Only 3 attributes are available for synchronization:

Property

Required

Type

SCIM Mapping

Description

Notes

Important: The SCIM API only supports these three attributes for write operations. All other worker data from BI Publisher reports is read-only.

Worker Identification Methods

Workers can be identified using multiple approaches:

Person Number (Preferred): Extracted from entity ID for most operations
Entity ID: Used for direct operations and testing scenarios
SCIM User ID: Used specifically for email write-back operations

Email Write-Back

Oracle HCM supports writing email addresses from target systems back to worker records:

Direction: Unidirectional - writes email addresses FROM provisioned target systems TO Oracle HCM worker records
Method: Uses SCIM PATCH operation to update worker email addresses
Worker Identification: Supports both entity ID-based and person number-based worker identification
Limitation: Oracle HCM SCIM API supports only one email address per worker record

When an email address is created in a target system (such as Exchange or Google Workspace), the write-back action updates the corresponding Oracle HCM worker record with the new email address via the /hcmRestApi/scim/Users endpoint.

Workflow Examples

New Hire Onboarding

Oracle HCM can serve as the source of truth for new hire provisioning workflows:

Worker Added in Oracle HCM: New worker record is created with basic information
Identity Sync: Worker attributes are synchronized to target systems (Active Directory, Okta, etc.)
Email Creation: Corporate email account is created in the target email system
Email Write-Back: The newly created email address is written back to the Oracle HCM worker record

Employee Information Updates

When worker information changes in Oracle HCM:

Attribute Changes: Worker attributes are updated in Oracle HCM (department, title, etc.)
Continuous Sync: Changes are automatically propagated to connected target systems
Consistency Maintenance: All systems maintain consistent worker information

Email Address Provisioning

For workers who need new email addresses:

Email Creation: Target email system creates a new email account
Write-Back Process: Oracle HCM worker record is updated with the new email address via SCIM API
Identity Sync: Updated email information is synchronized across all connected systems

Troubleshooting

Common Configuration Issues

Report Path Errors:

Ensure report path starts with /Custom and ends with .xdo
Verify the report exists and is accessible
Check BI Publisher permissions

Column Mapping Issues:

Verify all required column headers are present in CSV output
Check column name spelling (case-sensitive)
Ensure date columns use YYYY-MM-DD format

Authentication Failures:

Verify HTTP Basic Authentication credentials
Check user has access to required API endpoints
Confirm SCIM permissions for email write-back

Data Processing Problems:

STATUS column must contain "ACTIVE" for active workers
CORRELATION_ID must be unique for each worker
Handle duplicate records appropriately

Email Write-Back Issues:

Verify worker exists and is identifiable by person number or entity ID
Check SCIM endpoint permissions
Only one email address per worker is supported

PostgreSQL

Configuring PostgreSQL Integration for Veza Lifecycle Management

Overview

The Veza integration for PostgreSQL enables automated user provisioning, access management, and deprovisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

Action Type

Description

Supported

This document outlines the steps to enable PostgreSQL integration for use in Lifecycle Management, including supported actions and relevant notes. See for more details.

Enabling Lifecycle Management for PostgreSQL

Prerequisites

You will need administrative access in Veza to configure the integration and grant API scopes in PostgreSQL.
Ensure you have an existing PostgreSQL integration in Veza or add a new one for use with Lifecycle Management.
Verify your PostgreSQL integration has completed at least one successful extraction.
Ensure the integration service account has the required privileges. The service account must be a superuser to manage other PostgreSQL roles, including those with elevated privileges:

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a PostgreSQL integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your PostgreSQL data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for PostgreSQL in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

PostgreSQL can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from PostgreSQL, with changes propagated to connected systems.

PostgreSQL can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following Lifecycle Management :

Sync Identities

Primary action for user management (creating or updating users):

Entity Types: PostgreSQL User
Create Allowed: Yes (New user identities can be created if not found)
SQL Command: CREATE ROLE {username} WITH LOGIN PASSWORD 'password' [attributes]

Note: In PostgreSQL's architecture, users are roles with the LOGIN privilege. When Veza creates a user, it uses CREATE ROLE with the LOGIN attribute. This is functionally identical to PostgreSQL's CREATE USER command, which is simply an alias for CREATE ROLE ... WITH LOGIN.

The following attributes can be synchronized:

PostgreSQL User Attributes

Property

Required

Type

Description

Manage Relationships

Controls relationships between users and PostgreSQL groups:

Supported Relationship Types:
- PostgreSQL Group: Manages group membership for users
Assignee Types: PostgreSQL User
Supports Removing Relationships: Yes

Technical details:

Adding a user to a group: GRANT {group} TO {user}
Removing a user from a group: REVOKE {group} FROM {user}
Group memberships use PostgreSQL's role inheritance system, where users inherit permissions from their assigned groups

Deprovision Identity

Disables a user's ability to authenticate to PostgreSQL while preserving the role and its attributes:

Entity Type: PostgreSQL User
Action: Revokes the LOGIN privilege (equivalent to ALTER ROLE {username} WITH NOLOGIN)
Removes All Group Memberships: Yes (user is removed from all PostgreSQL groups)
Preserves:

Use case: Temporary offboarding or leave of absence where you may need to restore access later.

Security note: A deprovisioned superuser cannot log in but retains SUPERUSER status. If the role is re-enabled without updating attributes, it will have full superuser privileges. Consider using a Sync Identities action to revoke SUPERUSER before deprovisioning if this is a concern.

Delete Identity

Permanently removes a user role from PostgreSQL:

Entity Type: PostgreSQL User
Action: Drops the role from the database (equivalent to DROP ROLE {username})
Impact: Complete and irreversible removal of the role

Important limitations:

Will fail if the user owns database objects: PostgreSQL prevents dropping roles that own schemas, tables, functions, or other database objects. PostgreSQL will return an error: role "username" cannot be dropped because some objects depend on it
Will fail if the user has granted permissions: If the role has granted permissions to other roles or is referenced in default privileges, the drop will fail
Will fail if referenced in policies: Row-level security policies or other database policies that reference the role must be removed first

Note: Unlike some database systems, PostgreSQL allows dropping roles with active connections, but the operation will still fail if any of the above dependencies exist.

Recommended workflow:

Use Deprovision Identity first to revoke LOGIN and remove group memberships
Verify the user has no owned objects, granted permissions, or policy references
Use Delete Identity only when permanent removal is required

Alternative for users with dependencies: PostgreSQL administrators can manually run REASSIGN OWNED BY {username} TO {new_owner} followed by DROP OWNED BY {username} before triggering deletion through Veza, or handle the deletion entirely through PostgreSQL.

Salesforce

Configuring the Salesforce integration for Veza Lifecycle Management.

Overview

The Veza integration for Salesforce enables automated user lifecycle management across your identity ecosystem. This integration allows security and IT teams to automate the provisioning, updating, and deprovisioning of Salesforce user accounts based on changes in an authoritative source (such as an HRIS system or another identity provider).

Key capabilities include:

User Provisioning: Automatically create Salesforce user accounts with appropriate profiles and permissions
Attribute Synchronization: Keep user details in sync across systems, ensuring data consistency
Permission Management: Assign and remove permission sets and roles based on policies
User Deprovisioning: Safely disable access when users leave the organization

The integration leverages the SCIM protocol for standardized identity management operations and uses Salesforce-specific APIs for permission management.

Action Type

Description

Supported

This document includes steps to enable the Salesforce integration for Lifecycle Management, along with details on supported actions and notes.

Prerequisites and Configuration

Before configuring the integration, ensure you have:

Administrative access in Veza to configure the integration
An existing in Veza or add a new one
At least one successful extraction from your Salesforce integration
The appropriate permissions in Salesforce

Required Permissions

The Salesforce integration will need the following permissions:

Assign Permission Sets: Enables assignment and removal of permission sets for users.
Freeze Users: Enables freezing and unfreezing user accounts.
Manage Internal Users: Required for user creation and updates.
Manage IP Addresses: Required for managing trusted IP ranges if IP restrictions are used.

In Salesforce, you can add these permissions for the Veza connected app in the System Permissions section at the bottom of the Permission Set configuration page.

SCIM Requirements

Veza Lifecycle Management uses Salesforce SCIM APIs for identity provisioning operations. The SCIM protocol enables the automated exchange of user identity data between Veza and Salesforce. The permissions listed above provide the necessary access for SCIM functionality.

The Connected App used for the integration must have OAuth scopes that include api and refresh_token permissions and a certificate for JWT-based authentication
To make the required API calls, the integration requires a custom user profile in Salesforce with "API Enabled" permission

For additional details about Salesforce's SCIM implementation, refer to the .

Enabling the Integration

To enable the integration:

In Veza, go to the Integrations overview.
Search for or create a integration.
1. Ensure the integration permission set includes the .
Check the box to Enable usage for Lifecycle Management.

Configure the extraction schedule to ensure your Salesforce data remains current:

Go to Veza Administration > System Settings.
In Pipeline > Extraction Interval, set your preferred interval.
Optionally, set a custom override for Salesforce in the Active Overrides section.

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.
Search for the integration and click the name to view details.
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.

SCIM Implementation Details

Veza's Salesforce integration implements the SCIM 2.0 protocol to standardize identity management operations:

Users are represented with standard SCIM core attributes plus Salesforce-specific Enterprise extensions
The system uses email addresses as the primary key for user lookups
Usernames cannot be changed after creation and must be unique within the Salesforce instance
User profiles are managed through SCIM entitlements

Supported Actions

Salesforce can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Salesforce, with changes propagated to connected systems.

Salesforce can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow:

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

Usernames cannot be changed after creation.
Email addresses must be unique.
Required attributes must be present (Username, Email, FirstName, LastName).
Passwords are set during user creation.

The following attributes can be synchronized:

Property

Required

Type

Description

Notes

Custom properties: In addition to the standard attributes above, Veza supports synchronizing custom properties for Salesforce User objects, including both direct properties and indirect (referenced) properties using dot notation (e.g., Profile.Name, Manager.Email). For details on configuring custom properties, see in the Salesforce integration guide.

Manage Relationships

The following relationship types are supported:

Groups: Add and remove group memberships (only for groups with Group Type = Regular).
Permission Sets: Add and remove permission set assignments.
Permission Set Groups: Add and remove permission set group assignments.
Profiles: Manage profile assignments.

Notes:

Profile and role assignments are managed via SCIM and Salesforce APIs.
When removing a profile assignment, users are assigned the "Minimum Access - Salesforce" profile by default. This profile must exist in your Salesforce instance for profile changes to work properly.
Only Salesforce groups with the property Group Type = Regular can be used in Manage Relationships configurations.

Deprovision Identity

When a user is deprovisioned:

The user account is frozen or deactivated (Salesforce does not allow user deletion).
Permission set assignments are removed.
Attribute history is preserved for audit.
The account can be reactivated if needed.

Custom Application with SCIM (OAA)

Enable SCIM-based provisioning for custom applications with Open Authorization API

Overview

Veza can automate user provisioning and de-provisioning for any application that uses the Open Authorization API (OAA) for data gathering and authorization modeling, and exposes SCIM-compliant endpoints for user and group management.

This enables organizations to:

Use your application's existing SCIM endpoints for automated provisioning operations
Model complex authorization structures using OAA's flexible templates (applications, resources, permissions, custom properties) for Access Graph visibility, Access Reviews, and other Veza features.
Gather authorization metadata using a variety of methods (custom connectors, APIs, manual JSON payloads, CSV files)

Supported Actions

Action Type

Supported

Description

Lifecycle Management and Access Requests with Open Authorization API

There are several potential ways to integrate a custom application for automated lifecycle management and access requests:

External SCIM for Open Authorization API: You may build your OAA integration using the custom application template and leverage dedicated SCIM endpoints for user and group management. This is useful when you need full control over how authorization metadata is represented in the Veza Access Graph:
- Your application supports SCIM, and you want to model a wider range of authorization entities and metadata (e.g., credentials, resources) than the Veza SCIM integration supports.
- You already have a custom OAA integration and want to add provisioning capabilities using SCIM.

Aspect

External OAA with SCIM Write-Back

Built-In SCIM Connector

This document describes how to enable External SCIM for an Open Authorization API integration, and supported actions.

How It Works

Data Gathering (OAA):

You will need to design and build a custom integration to publish information about the application to the Veza Access Graph:

The payload can include local users, groups, permissions, resources, and complex authorization relationships
Data can be gathered from any source: APIs, databases, configuration files, etc.

See the rest of the Open Authorization API documentation for examples and best practices when designing and deploying custom integrations.

Lifecycle Management (SCIM):

You can enable the SCIM connection at the custom provider level:

Setting provisioning: true and external_lifecycle_management_type: SCIM for the custom provider enables Veza to use your application's SCIM endpoints for provisioning
Provide SCIM connection information and credentials (configuration_json)
Veza maps lifecycle actions to SCIM operations (POST /Users, PATCH /Users/{id}

Important: When configuring a custom application for SCIM integration, the OAA payload structure (Application template) and SCIM configuration serve different purposes:

The OAA Payload (push_application() or API push) defines local users, groups, permissions, and resources used for visibility and authorization modeling in Veza, and can be updated independently.
The SCIM Configuration (configuration_json) for the custom provider defines how to connect to SCIM endpoints (including authentication, URL, and endpoint paths), and is used only for lifecycle management and access request operations.

Both must be consistent (describe and contain the same users and groups), but are configured separately.

Required SCIM 2.0 Endpoints

Your application must expose SCIM 2.0 compliant endpoints with the following operations:

User Management:

GET /Users - List and filter users
GET /Users?filter=userName eq "{username}" - Query users by userName
POST /Users - Create new users

Group Management:

GET /Groups - List groups
GET /Groups/{id} - Retrieve specific group by ID
POST /Groups - Create new groups

Note: If the Users and Groups APIs are not at the standard /Users and /Groups paths, you can specify alternate endpoint paths in the configuration.

Authentication

Your SCIM API must support one of the following authentication methods:

Bearer Token: API token passed in Authorization: Bearer {token} header
Basic HTTP Authentication: Username and password passed in Authorization: Basic {credentials} header

The authentication credentials must have both read and write permissions to the SCIM endpoints.

Optional: Extension Attributes

To synchronize custom attributes beyond the standard SCIM user schema:

Expose a GET /Schemas endpoint that returns SCIM schema definitions
Enable schema fetching in your configuration (see Configuration section)

Configuration

External SCIM for Lifecycle Management is configured via the Veza REST API.

Create Custom Provider with External SCIM

Create a Custom Provider that uses external SCIM endpoints specifically for lifecycle management:

Required Fields

Field

Required

Description

Configuration JSON Parameters

The configuration_json field contains SCIM endpoint connection details used only for provisioning operations. It does not affect your OAA payload structure.

Configuration Key

Required

Description

Example Value

* One of scim_token or the username/password pair is required for authentication.

Example Configuration with Bearer Token:

Example Configuration with Basic Authentication:

Push OAA Payload

Push the OAA Application Payload as normal. See the for details.

Entity Types and Identity Mapping

Veza creates entities in Access Graph based on the OAA payload, which can be targeted in lifecycle management operations:

local_users in your Application template → Users to provision via SCIM
local_groups in your Application template → Groups to manage via SCIM

Entity types are named according to the following pattern:

User Entity Type: OAA.{application_type}.User
Group Entity Type: OAA.{application_type}.Group

Where {application_type} is the value you specify in your OAA Application template when building the payload. For example, if the application is defined:

The resulting entity types are:

OAA.CustomerPortal.User
OAA.CustomerPortal.Group

Attribute Synchronization

Mapping OAA to SCIM

When Veza provisions users via SCIM, transformers can map attributes from your policy source of identity to SCIM properties:

Veza Attribute (in Policy)

SCIM Property

Type

Required

Description

Extension Attributes

If the SCIM service exposes a /Schemas endpoint and you enable scim_extension_schemas: true, Veza can synchronize custom extension attributes beyond the standard SCIM user schema. Extension attributes are mapped using the schema URN as defined by your SCIM implementation.

Provisioning Operations

The following SCIM operations are performed when Lifecycle Management actions execute:

Sync Identities (Create User)

Create a new user in the target application.

SCIM Operation:

The SCIM endpoint creates the user and returns the user object with an assigned id.

Sync Identities (Update User)

Updates an existing user's attributes (one-time or continuously).

SCIM Operations:

Query for existing user:
Update the user:

De-provision Identity

Remove access when a user leaves the organization or changes roles. The user account is deactivated, but data is preserved.

SCIM Operation:

Deprovision sets active=false, which disables login but preserves the user record.

Delete Identity

Permanently remove a user account.

SCIM Operation:

Manage Relationships (Add User to Group)

Grant a user access via group membership.

SCIM Operations:

Retrieve group details:
Add user to group:

Manage Relationships (Remove User from Group)

Revoke a user's access by removing group membership.

SCIM Operation:

Create Entitlement (Create Group)

Creates a new group so that it can be granted as an entitlement.

SCIM Operation:

SCIM

Configuring SCIM integrations for Veza Lifecycle Management.

Overview

The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and deprovisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.

Direct SCIM vs. OAA SCIM Integration

This guide covers direct SCIM integrations where Veza connects directly to an application's SCIM endpoints. For custom applications built with the Open Authorization API (OAA) that expose SCIM endpoints, see .

Use direct SCIM when connecting to standard SaaS applications with native SCIM support, and you only need user and group provisioning without complex entity modeling.

You can use OAA SCIM for integrating custom or home-grown applications via OAA, and need comprehensive visibility beyond users and groups (permissions, resources, etc.)

Action Type

Description

Supported

This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for SCIM

Prerequisites

You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your SCIM integration has completed at least one successful extraction
The SCIM integration will need the required API permissions:

Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a SCIM integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your SCIM data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for your SCIM integration in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

Username (user_name) is required and serves as the unique identifier
Email addresses are managed through the SCIM emails array
User activation/deactivation is controlled via the active attribute

Veza supports comprehensive SCIM 2.0 user attributes for both read-only data extraction (Access Graph) and bidirectional synchronization (Lifecycle Management). The tables below indicate which attributes support LCM synchronization (✅) versus read-only extraction (📖).

Core User Attributes

Veza supports all standard SCIM 2.0 core user attributes, organized by functional category:

Identity & Authentication

Attribute

Required for LCM

Type

LCM Sync

Description

Enterprise Extension Attributes

Veza supports the SCIM Enterprise User Extension schema (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) for both extraction and LCM synchronization:

Attribute

Type

LCM Sync

Description

Custom Extension Attributes

Veza automatically discovers and extracts all custom vendor-specific SCIM extension attributes for read-only purposes:

Extraction Capabilities:

Veza calls the SCIM /Schemas endpoint to discover all available schemas (requires SCIM Extension Schemas enabled in integration configuration)

Using Extension Attributes in LCM Workflows

Extension attributes must be referenced by their normalized names in LCM attribute transformers.

Core SCIM attributes use simplified names:

user_name, display_name, email, title, department, division, etc.

Extension attributes require full normalized names:

Example: Enterprise Extension Attributes

Example: Custom Vendor Extensions

Manage Relationships

Group membership management with full add/remove capabilities:

Add users to groups for role-based access control
Remove users from groups during role changes or de-provisioning
Support for nested group structures where the SCIM provider allows
Relationship changes are immediate and reflected in target application

Deprovision Identity

When a user is deprovisioned:

User account is deactivated (sets active: false)
Group memberships are automatically removed
Account can be reactivated if needed
User data is preserved for audit purposes

Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.

Create Entitlement

Entity Types: SCIM Groups
Assignee Types: SCIM Users
Supports Relationship Removal: Yes

Within SCIM applications, groups can be associated with:

Application-specific permissions and roles
Resource access controls
Team or organizational structures
Custom entitlements defined by the SCIM provider

SCIM Group Attributes

Veza supports all standard SCIM 2.0 group attributes for both extraction and LCM operations:

Attribute

Required for LCM

Type

LCM Sync

Description

Supported SCIM Applications

The following applications are validated to work with Veza's SCIM Lifecycle Management:

Enterprise Applications

Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)
- SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}
- Full user and group provisioning support

Development & Collaboration Tools

Fivetran
- SCIM Endpoint: https://api.fivetran.com/scim/v2
- User and group provisioning
Harness

Security & Infrastructure

Twingate
- SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2
- User provisioning and group assignment
ThousandEyes

Workflow Examples

New Employee Onboarding

When a new employee joins (triggered by HR system changes):

Identity Sync: Create user account in SCIM application with basic attributes
Email Setup: Configure primary email and secondary contacts
Group Assignment: Add user to department and role-based groups automatically
Access Verification: Confirm user can access application and assigned resources

Role Change Management

When an employee changes roles or departments:

Attribute Update: Sync new job title, department, and manager information
Group Reassignment: Remove old role groups, add new role groups
Access Review: Verify appropriate access levels for new position
Notification: Alert managers and IT of completed changes

Employee Offboarding

When an employee leaves the organization:

Account Deactivation: Set user status to inactive in SCIM application
Group Removal: Remove all group memberships and access rights
Data Preservation: Maintain account record for audit and compliance
Manager Notification: Alert appropriate stakeholders of access removal

Bulk User Management

For large-scale provisioning operations:

Batch Processing: Create multiple users efficiently through SCIM bulk operations
Group Pre-creation: Establish organizational groups before user assignment
Validation: Verify all users are created with correct attributes and memberships
Rollback Capability: Support for reversing bulk operations if needed