This guide describes how to enable and configure Active Directory for Lifecycle Management in Veza, including supported capabilities and required configuration steps.

Overview

Active Directory integration with Lifecycle Management enables automated user provisioning, access management, and de-provisioning capabilities. This includes creating and managing AD users, group memberships, and disabling accounts when employees leave the organization.

Supported Capabilities

Identity Provider Status

Active Directory serves as an Identity Provider in Lifecycle Management workflows and supports custom properties defined in the integration configuration.

Supported Actions

Manage Relationships

Controls relationships between users and Active Directory groups.

• Entity Types: Active Directory Groups

• Assignee Types: Active Directory Users

• Supports Removing Relationships: Yes

Example Use Cases:

• Add users to specific Active Directory groups to manage access

• Remove users from groups when access requirements change

Sync Identities

Synchronizes identity attributes between Active Directory and downstream systems.

• Create Allowed: Yes (New user identities can be created if not found)

• Supported Attributes:

  • Required (Unique Identifiers):

    • AccountName (No Continuous Sync)

    • DistinguishedName

    • UserPrincipalName

  • Optional:

    • Email, GivenName, DisplayName, SurName, Title

    • Description, ManagerID, PrimaryGroupDN

    • StreetAddress, City, StateOrProvinceName

    • CountryCode, PostalCode, Company

    • PhysicalDeliveryOfficeName, JobTitle

    • Department, CountryOrRegion, Office

Example Use Cases:

• Create new user accounts when users are added

• Keep user information synchronized across integrated systems

De-provision Identity

Safely removes or disables access when users leave or no longer need access.

• Entity Type: Active Directory Users

• Remove All Relationships: Yes (Removes existing group memberships)

• De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)

Example Use Cases:

• Disable accounts when employees leave

• Remove group memberships while retaining audit information

Configuration Steps

1. Create a Service Account

Create a dedicated AD user with minimum required permissions:

Using Active Directory Users and Computers:

1. Open Active Directory Users and Computers

2. Navigate to the target Organizational Unit

3. Right-click > New > User

4. Complete the new user details form

   • Recommended name: "Veza AD Lifecycle Manager"

   • Set a strong password

   • Uncheck "User must change password at next logon"

Using PowerShell:

New-ADUser -Name "Veza AD Lifecycle Manager" `
    -Path "OU=<your_OU>,DC=<domain>,DC=<tld>" `
    -GivenName "Veza" `
    -Surname "AD Lifecycle Manager" `
    -SamAccountName "veza-ad-lcm" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "<password>" -Force) `
    -ChangePasswordAtLogon $False `
    -DisplayName "Veza AD Lifecycle Manager" `
    -Enabled $True

2. Configure Required Permissions

Grant the service account permissions to manage users in the target OUs:

Using Active Directory Users and Computers:

1. Navigate to the target Organizational Unit

2. Right-click > Delegate Control

3. Click Add and enter the service account name

4. Select these delegated tasks:

   • Create, delete, and manage user accounts

   • Reset user passwords and force password change

   • Read all user information

   • Modify group membership

Using PowerShell:

Import-Module ActiveDirectory
$OrganizationalUnit = "OU=<your_OU>,DC=<domain>,DC=<tld>"
$Users = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"
Set-Location AD:

$User = Get-ADUser -Identity "veza-ad-lcm"
$UserSID = [System.Security.Principal.SecurityIdentifier] $User.SID
$Identity = [System.Security.Principal.IdentityReference] $UserSID

# Create permission for managing users
$RuleCreateDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, "CreateChild, DeleteChild", "Allow", $Users, "All"

# Create permission for password resets
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity,
"ExtendedRight", "Allow", $ResetPassword, "Descendents", $Users)

# Apply permissions
$ACL = Get-Acl -Path $OrganizationalUnit
$ACL.AddAccessRule($RuleCreateDeleteUsers)
$ACL.AddAccessRule($RuleResetPassword)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL

3. Configure the Integration in Veza

1. Navigate to Configurations > Integrations

2. Either:

   • Create a new Active Directory integration

   • Edit an existing Active Directory integration

3. Enable Lifecycle Management:

   • Check Enable Lifecycle Management

   • Enter the Lifecycle Management Username (service account created above)

   • Enter the Lifecycle Management Password

4. Save the configuration

Note: The AD User created for lifecycle management can be the same as the primary AD User created for extraction, provided that the user has all required permissions listed above.

This guide describes how to enable and configure Exchange Server for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Supported Capabilities

Lifecycle Actions Supported

Create Email

Supports the creation of email accounts for users within Exchange Server.

• Entity Type: Exchange Server Users

• Attributes Available for Configuration:

  • Identity (Required)

  • Alias (Optional)

Example Use Cases:

• Create email accounts for new employees joining the organization

• Assign email aliases to users to facilitate communication

Configuration Steps

1. Locate Exchange Management Shell Paths

1. Find the Exchange Management Shell shortcut in the Start Menu

2. Right-click > More > Open File Location
3. Right-click the shortcut icon > Properties
4. Copy the Target field value
5. Note the two important paths from the target:

   • PowerShell Path: (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)

   • Remote Exchange Path: (e.g., C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1)

2. Create Application Pool in IIS

1. Open IIS Manager and create a new application pool
2. Name the application pool
3. Configure the application pool:

   • Right-click > Advanced Settings

   • Under Process Model, set the Identity

3. Configure IIS Application

1. Add the application to "Default Web Site"
2. Configure the application:

   • Set alias to "VezaProvisioner"

   • Select the application pool created above
3. Configure authentication:

   • Disable Anonymous Authentication

   • Enable Basic Authentication

4. Install Veza Provisioner

Install the VezaProvisioner.msi installer provided by Veza support on the Exchange Server. This component handles email address creation for users provisioned in Active Directory.

5. Configure Exchange Server Integration in Veza

1. Go to Configurations > Integrations

2. Click Add New and select Exchange Server

3. Complete the following fields:

   Field

   Description

   Insight Point

   Select if using an Insight Point to access Exchange Server

   Name

   Friendly name for the integration

   Instance URL

   https://<exchange_server_host>/VezaProvisioner

   Username

   Domain username with required Exchange permissions

   Password

   Password for the account

   PowerShell Path

   Path to PowerShell.exe noted in step 1

   Remote Exchange Path

   Path to RemoteExchange.ps1 noted in step 1

4. Enable Lifecycle Management by checking Enable Lifecycle Management

5. Save the configuration

6. Verify Configuration

After configuration, the Exchange Server integration will be available for use in Lifecycle Management policies, specifically for the Create Email action. This action can be used in workflows for new employee onboarding or other scenarios requiring email account creation.

Overview

The Veza integration for Coupa Contingent Workforce (CCW) enables automated identity synchronization as a source of truth for contingent worker lifecycle management. Coupa CCW serves as an authoritative source for contingent worker information that can be synchronized with other systems in your environment.

This document includes steps to enable the Coupa CCW integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Coupa CCW

Prerequisites

1. You will need administrative access in Veza to configure the integration and Customer Integration Admin privileges in Coupa CCW.

2. Ensure you have an existing Coupa CCW integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Coupa CCW integration has completed at least one successful extraction

4. The Coupa CCW integration will need the required API scope:

   • ccw.contingent_workers - For accessing contingent worker data

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a Coupa CCW integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Coupa CCW data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for Coupa CCW in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Coupa CCW can serve as a source for identity information in Lifecycle Management Policies. Contingent worker identity details are synchronized from Coupa CCW with changes propagated to connected target systems.

Important: Coupa CCW is a source-only integration for Lifecycle Management. It provides authoritative identity information but cannot be used as a provisioning target.

The integration supports the following lifecycle management Actions:

Source of Identity

As a source-only system, Coupa CCW provides:

• Contingent worker identity information synchronized to downstream systems

• Organizational structure data (Account Segments, Cost Centers, Departments)

• Employment status and contract details for lifecycle decisions

• Manager relationships for approval workflows

Workflow Examples

Contingent Worker Onboarding

When a new contingent worker is added to Coupa CCW:

1. Identity Sync: Coupa CCW provides worker details to Veza Lifecycle Management

2. Access Provisioning: Based on department, cost center, and role, appropriate access is granted in target systems

3. Manager Assignment: Hiring manager relationships are established for approval workflows

4. Group Assignment: Worker is added to relevant organizational groups based on Account Segment and Department

Contingent Worker Status Changes

When a contingent worker's status changes (contract end, role change):

1. Status Detection: Coupa CCW reflects updated employment status

2. Access Review: Lifecycle policies evaluate continued access needs

3. De-provisioning: If terminated, appropriate access removal is triggered in target systems

4. Audit Trail: All changes are tracked for compliance reporting

Contract-to-Hire Conversion

When a contingent worker transitions to full-time employee:

1. Status Update: Employment type change is detected in Coupa CCW

2. Access Migration: Existing access is evaluated and potentially expanded

3. System Updates: Worker identity is updated across all connected systems

4. Process Completion: Manager and HR notifications confirm successful transition

Overview

The Veza integration for Google Cloud enables automated user provisioning, access management, and de-provisioning capabilities for Google Workspace. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

This document includes steps to enable the Google Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Google Cloud

Prerequisites

1. You will need administrative access in Veza to configure the integration and grant API scopes in Google Cloud.

2. Ensure you have an existing Google Cloud integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Google Cloud integration has completed at least one successful extraction.

4. The Google Cloud integration will need the following additional API scopes:

   • https://www.googleapis.com/auth/admin.directory.user - Required for user management operations

   • https://www.googleapis.com/auth/admin.directory.group - Required for group management operations

   • https://www.googleapis.com/auth/admin.directory.domain - Required for domain management capabilities

   • https://www.googleapis.com/auth/admin.directory.rolemanagement - Required for admin role management

   • https://www.googleapis.com/auth/apps.groups.settings - Required for detailed group settings management

   • https://www.googleapis.com/auth/cloud-platform - Required for Cloud Identity API and broader Google Cloud access

Configuration Steps

1. In Veza, go to the Integrations overview

2. Search for or create a Google Cloud integration

3. Check the box to Enable usage for Lifecycle Management

4. Configure the service account with appropriate permissions:

   • Users > Read/Write

   • Groups > Read/Write

   • Organization Units > Read

   • Roles > Read/Write

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Google Cloud can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Google Cloud with changes propagated to connected systems.

Google Cloud can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Entity Types: Google Workspace User

• Create Allowed: Yes (New user identities can be created if not found)

The following attributes can be synchronized:

Manage Relationships

Controls relationships between users and Google Workspace groups:

• Supported Relationship Types: Google Workspace Groups

• Assignee Types: Google Workspace Users

• Supports Removing Relationships: Yes

Both adding and removing group memberships are supported:

• Add users to specific Google Workspace groups based on department or role

• Remove access when roles change or users leave

• Maintain consistent group membership based on organizational structure

Deprovision Identity

When a user is deprovisioned:

• Entity Types: Google Workspace User

• De-provisioning Methods: Suspend user (preserves user data while preventing access)

• User is suspended in Google Workspace

• Access to resources is removed

• Account information is preserved for audit purposes

Source of Identity

Google Cloud can serve as a source system for identity lifecycle policies, where changes to Google Workspace users trigger workflows in other systems.

Example Workflows

Example: Onboarding Workflow for New Employees

To create a workflow for onboarding new employees:

1. Create a policy with your source of identity (e.g., Workday or CSV upload)

2. Configure a workflow for new employees

3. Add a Sync Identities action to create Google Workspace users:

   Copy

   # Google Workspace User Attributes
   email: {first_name}.{last_name}@company.com
   first_name: {first_name}
   last_name: {last_name}

4. Add a Manage Relationships action to assign appropriate groups:

   • Condition: department eq "Engineering"

     • Add to: "Engineering Team" group

   • Condition: department eq "Sales"

     • Add to: "Sales Team" group

Example: Offboarding Workflow for Departing Employees

To create a workflow for departing employees:

1. Create a policy with your source of identity

2. Configure a workflow with condition: active eq false

3. Add a De-provision Identity action:

   • Entity Type: Google Workspace User

   • Method: Suspend

   • Remove All Relationships: Yes

Overview

The Veza integration for GitHub enables automated user lifecycle management, with support for user provisioning, team membership management, and account deprovisioning.

This document includes steps to enable the GitHub integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for GitHub

Prerequisites

1. You will need administrative access in Veza to configure the integration and site administrator privileges in GitHub Enterprise Server.

2. Ensure you have an existing GitHub integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your GitHub integration has completed at least one successful extraction

4. The GitHub integration will need the additional required GitHub App permissions:

   • Organization permissions - Members (Write) - Required for managing organization memberships

   • Organization permissions - Administration (Write) - Required for administrative operations

   • Repository permissions - Administration (Write) - Required for managing team memberships

Important: GitHub LCM operations use Admin API endpoints that require site administrator privileges. These operations are typically available in GitHub Enterprise Server environments, not GitHub.com.

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a GitHub integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your GitHub data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for GitHub in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

GitHub can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• User login cannot be changed after creation

• GitHub usernames must be unique and follow GitHub naming rules (39 characters max, alphanumeric plus hyphens)

• Email addresses must be unique across the GitHub instance

• Requires site administrator privileges for user creation operations

The following attributes can be synchronized:

Manage Relationships

Both adding and removing memberships are supported. Organization and team memberships are automatically removed during deprovisioning.

• Add and remove organization memberships with member role

• Add and remove team memberships with member role

• Synchronize access assignments based on external identity changes

• Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned:

• User account is suspended in GitHub Enterprise Server

• All organization and team memberships are removed automatically

• Commit history and attribution are preserved for audit and compliance

• Account can be reactivated if needed (unsuspended)

• User receives appropriate error messages when attempting to access GitHub

Workflow Examples

New Employee Onboarding

Create GitHub accounts and assign appropriate access for new developers:

1. Identity Sync: Create user account with basic profile information

2. Organization Access: Add user to primary GitHub organization

3. Team Assignment: Assign to development teams based on department

4. Profile Setup: Configure public email and display name

Role Change Management

Update GitHub access when employees change departments or roles:

1. Relationship Updates: Remove existing team memberships

2. New Access: Add memberships for new role requirements

3. Audit Trail: Track all membership changes for compliance

Employee Offboarding

Securely remove access while preserving development history:

1. Account Suspension: Suspend GitHub account to prevent access

2. Membership Removal: Remove all organization and team memberships

3. History Preservation: Maintain commit attribution and repository history

4. Compliance: Generate audit trail of all access removal actions

This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Overview

Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:

• Automated security group assignments for new employees

• Dynamic group membership updates during role changes

• Access removal during offboarding

• Email synchronization between Workday and downstream systems

Supported Capabilities

Source of Identity

Workday serves as an authoritative source for employee identity information:

• Entity Type: Workday Worker

• Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes

Lifecycle Actions

Manage Relationships

Controls access to Workday security groups.

• Entity Types: Workday Security Group

• Assignee Types: Workday Account

• Supports Relationship Removal: Yes

Write Back Email

Updates email addresses in Workday worker records to maintain consistency with other systems.

• Entity Type: Workday Worker

• Purpose: Ensures Workday remains the single source of truth for employee email addresses

Custom Properties

The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.

Configuration Steps

1. Create Business Process Security Policy

1. Log into Workday and search for Edit Business process security policy

2. Under Business Process Type, select Work Contact Change
3. Find "Initiating Action: Change Work Contact Information (REST Service)"

4. Create a Segment-Based Security Group
5. Configure the security group:

   • Add the security group created for Veza integration

   • Add "Worker" scope to Access Rights
6. Verify the security group appears in Initiating Action Security groups
7. Click OK and Done to save changes

2. Activate Security Policy Changes

1. Search for Activate Pending Security Policy Changes

2. Review changes, add a comment, and click OK
3. Verify changes in Business Process Security Policy

3. Configure Security Group Permissions

Add these Domain Permissions to the security group:

4. Update API Client Configuration

1. Open Edit API Client

2. Add required scopes:

   • Staffing

   • Contact Information

   • System

   • Tenant Non-Configurable

   • Organizations and Roles

5. Configure Workday Integration in Veza

1. Navigate to Configurations > Integrations

2. Either:

   • Create a new Workday integration

   • Edit an existing Workday integration

3. Enable Lifecycle Management:

   • Check Enable Lifecycle Management

4. If using custom attributes, configure them in the Custom Properties section

API Access Notes

The integration uses these API endpoints for email write-back:

%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/emailAddresses
%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/submit
%s/ccx/api/staffing/v5/%s/workers/%s/workContactInformationChanges

For general metadata discovery, WQL queries access:

• allWorkdayAccounts

• allWorkers

• securityGroups

• domainSecurityPolicies

• businessProcessTypes

Implementation Notes

1. Workday Workers are the primary entity for identity information

2. Bidirectional management of Account-Security Group relationships is supported

3. Email write-back operates on Worker entities, not Account entities

4. Custom attribute availability depends on your Workday configuration

5. The Sync Identities action is not currently supported for Workday

Overview

The Veza integration for AWS IAM Identity Center enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization across AWS organizations.

This document includes steps to enable the AWS IAM Identity Center integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for AWS IAM Identity Center

Prerequisites

1. You will need administrative access in Veza to configure the integration and appropriate permissions in AWS IAM Identity Center.

2. Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.

3. Verify your AWS integration has completed at least one successful extraction

4. The AWS integration will need the additional required permissions for Identity Store operations:

   • identitystore:CreateUser - For user creation operations

   • identitystore:UpdateUser - For user attribute synchronization

   • identitystore:DeleteUser - For user deletion (note: AWS uses SCIM deprovisioning which disables rather than deletes)

   • identitystore:GetUserId - For user lookup operations

   • identitystore:CreateGroup - For group creation

   • identitystore:CreateGroupMembership - For group membership management

   • identitystore:DeleteGroupMembership - For removing group memberships

   • identitystore:ListGroups - For group discovery operations

   • identitystore:ListGroupMemberships - For membership enumeration

Important: AWS IAM Identity Center Lifecycle Management requires:

• SCIM endpoint configuration in IAM Identity Center (automatic provisioning must be enabled)

• The integration uses AWS's SCIM v2.0 API implementation over HTTPS

• Authentication is handled through IAM policies and does not require separate SCIM bearer tokens

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create an AWS integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your AWS IAM Identity Center data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for AWS in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

AWS IAM Identity Center can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from AWS IAM Identity Center with changes propagated to connected systems.

AWS IAM Identity Center can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

• Username serves as the unique identifier and cannot be changed after creation

• Email addresses must be unique across the AWS IAM Identity Center instance

• First name, last name, display name, and username are required attributes for user creation

The following attributes can be synchronized:

Manage Relationships

Controls group memberships for users in AWS IAM Identity Center:

• Add and remove group memberships for users

• Synchronize group assignments based on source system changes

• Support for both adding and removing relationships

• Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned in AWS IAM Identity Center:

• User account is disabled (set to inactive) rather than deleted

• All group memberships are automatically removed

• User's permission set assignments are revoked

• Account information is preserved for audit and compliance purposes

• Users can be reactivated if needed by updating the Active attribute

Create Entitlement

• Entity Types: AWS IAM Identity Center Groups

• Assignee Types: AWS IAM Identity Center Users

• Supports Relationship Removal: Yes

Within AWS IAM Identity Center, groups can be associated with:

• Permission sets that grant access to AWS accounts and resources

• AWS applications and third-party SAML applications

• AWS account assignments for cross-account access

• Custom access policies and roles

Workflow Examples

Employee Onboarding

Automate the onboarding process for new employees:

1. Identity Creation: Create AWS IAM Identity Center user account with attributes synchronized from HR system

2. Group Assignment: Add user to department-specific groups based on their role and location

3. Permission Sets: Automatically assign appropriate permission sets for AWS resource access

4. Account Access: Grant access to specific AWS accounts based on job function

Role Change Management

Handle internal role changes and departmental transfers:

1. Attribute Update: Synchronize updated employee information from HR system

2. Group Reassignment: Remove user from previous department groups and add to new ones

3. Permission Adjustment: Update permission set assignments to match new role requirements

Employee Offboarding

Securely remove access when employees leave:

1. Account Deprovisioning: Disable the user account in AWS IAM Identity Center

2. Group Removal: Remove all group memberships and permission set assignments

3. Access Revocation: Ensure all AWS account access is immediately revoked

4. Audit Trail: Maintain complete record of access removal for compliance purposes

Overview

The Veza integration for Salesforce enables automated user lifecycle management across your identity ecosystem. This integration allows security and IT teams to automate the provisioning, updating, and deprovisioning of Salesforce user accounts based on changes in an authoritative source (such as an HRIS system or another identity provider).

Key capabilities include:

• User Provisioning: Automatically create Salesforce user accounts with appropriate profiles and permissions

• Attribute Synchronization: Keep user details in sync across systems, ensuring data consistency

• Permission Management: Assign and remove permission sets and roles based on policies

• User Deprovisioning: Safely disable access when users leave the organization

The integration leverages the SCIM protocol for standardized identity management operations and uses Salesforce-specific APIs for permission management.

This document includes steps to enable the Salesforce integration for Lifecycle Management, along with details on supported actions and notes.

Prerequisites and Configuration

Before configuring the integration, ensure you have:

1. Administrative access in Veza to configure the integration

2. An existing Salesforce integration in Veza or add a new one

3. At least one successful extraction from your Salesforce integration

4. The appropriate permissions in Salesforce

5. Salesforce API v40 or later for user provisioning

Required Permissions

The Salesforce integration will need the following permissions:

• Assign Permission Sets: Enables assignment and removal of permission sets for users.

• Freeze Users: Enables freezing and unfreezing user accounts.

• Manage Internal Users: Required for user creation and updates.

• Manage IP Addresses: Required for managing trusted IP ranges if IP restrictions are used.

• Manage Login Access Policies: Required for configuring login access policies.

• Manage Password Policies: Required for setting and resetting passwords during user creation.

• Manage Profiles and Permission Sets: Required for permission set and profile assignment.

• Manage Roles: Required for role assignments and management.

• Manage Sharing: Required for managing sharing rules and access control.

• Manage Users: Essential for user lifecycle operations.

• Monitor Login History: Required for monitoring user logins.

• Reset User Passwords and Unlock Users: Required for account management.

• View All Profiles: Required to view profile information for all users.

• View All Users: Required to view all user information.

In Salesforce, you can add these permissions for the Veza connected app in the System Permissions section at the bottom of the Permission Set configuration page.

SCIM Requirements

Veza Lifecycle Management uses Salesforce SCIM APIs for identity provisioning operations. The SCIM protocol enables the automated exchange of user identity data between Veza and Salesforce. The permissions listed above provide the necessary access for SCIM functionality.

• The Connected App used for the integration must have OAuth scopes that include api and refresh_token permissions and a certificate for JWT-based authentication

• To make the required API calls, the integration requires a custom user profile in Salesforce with "API Enabled" permission

For additional details about Salesforce's SCIM implementation, refer to the Salesforce SCIM documentation.

Enabling the Integration

To enable the integration:

1. In Veza, go to the Integrations overview.

2. Search for or create a Salesforce integration.

   1. Ensure the integration permission set includes the required permissions.

3. Check the box to Enable usage for Lifecycle Management.

4. Save the configuration.

Configure the extraction schedule to ensure your Salesforce data remains current:

1. Go to Veza Administration > System Settings.

2. In Pipeline > Extraction Interval, set your preferred interval.

3. Optionally, set a custom override for Salesforce in the Active Overrides section.

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.

2. Search for the integration and click the name to view details.

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.

SCIM Implementation Details

Veza's Salesforce integration implements the SCIM 2.0 protocol to standardize identity management operations:

• Users are represented with standard SCIM core attributes plus Salesforce-specific Enterprise extensions

• The system uses email addresses as the primary key for user lookups

• Usernames cannot be changed after creation and must be unique within the Salesforce instance

• User profiles are managed through SCIM entitlements

• User roles are handled through SCIM roles endpoints

• User Deprovisioning is implemented as deactivation (setting active=false)

• Permission sets are assigned through Salesforce API calls after user creation

Supported Actions

Salesforce can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Salesforce, with changes propagated to connected systems.

Salesforce can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow:

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Usernames cannot be changed after creation.

• Email addresses must be unique.

• Required attributes must be present (Username, Email, FirstName, LastName).

• Passwords are set during user creation.

• Division and Department attributes are excluded during updates due to Salesforce API limitations.

• Salesforce does not support changing usernames after creation.

The following attributes can be synchronized:

Manage Relationships

The following relationship types are supported:

• Groups: Add and remove group memberships (only for groups with Group Type = Regular).

• Permission Sets: Add and remove permission set assignments.

• Permission Set Groups: Add and remove permission set group assignments.

• Profiles: Manage profile assignments.

• User Roles: Synchronize user role assignments.

Notes:

• Profile and role assignments are managed via SCIM and Salesforce APIs.

• When removing a profile assignment, users are assigned the "Minimum Access - Salesforce" profile by default. This profile must exist in your Salesforce instance for profile changes to work properly.

• Only Salesforce groups with the property Group Type = Regular can be used in Manage Relationships configurations.

• Groups of type RoleAndSubordinatesInternal are not supported but can be assigned through their corresponding roles.

• Direct creation of permission sets ("Create Entitlement" action) is not currently supported.

Deprovision Identity

When a user is deprovisioned:

• The user account is frozen or deactivated (Salesforce does not allow user deletion).

• Permission set assignments are removed.

• Attribute history is preserved for audit.

• The account can be reactivated if needed.

Overview

The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and de-provisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.

This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for SCIM

Prerequisites

1. You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.

2. Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.

3. Verify your SCIM integration has completed at least one successful extraction

4. The SCIM integration will need the required API permissions:

   • Read permissions: scim:read or equivalent for user and group discovery

   • Write permissions: scim:write or equivalent for provisioning operations

   • Specific endpoints: Access to /Users and /Groups endpoints

Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a SCIM integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your SCIM data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for your SCIM integration in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

• Username (user_name) is required and serves as the unique identifier

• Email addresses are managed through the SCIM emails array

• User activation/deactivation is controlled via the active attribute

• Custom attributes are mapped according to SCIM schema extensions

The following attributes can be synchronized:

Manage Relationships

Group membership management with full add/remove capabilities:

• Add users to groups for role-based access control

• Remove users from groups during role changes or de-provisioning

• Support for nested group structures where the SCIM provider allows

• Relationship changes are immediate and reflected in target application

Deprovision Identity

When a user is deprovisioned:

• User account is deactivated (sets active: false)

• Group memberships are automatically removed

• Account can be reactivated if needed

• User data is preserved for audit purposes

Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.

Create Entitlement

• Entity Types: SCIM Groups

• Assignee Types: SCIM Users

• Supports Relationship Removal: Yes

Within SCIM applications, groups can be associated with:

• Application-specific permissions and roles

• Resource access controls

• Team or organizational structures

• Custom entitlements defined by the SCIM provider

Supported SCIM Applications

The following applications are validated to work with Veza's SCIM Lifecycle Management:

Enterprise Applications

• Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)

  • SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}

  • Full user and group provisioning support

• Egnyte

  • SCIM Endpoint: https://{domain}.egnyte.com/pubapi/scim/v2

  • User provisioning and group management

• Sigma Computing

  • SCIM Endpoint: https://aws-api.sigmacomputing.com/scim/v2

  • User lifecycle and team assignment

Development & Collaboration Tools

• Fivetran

  • SCIM Endpoint: https://api.fivetran.com/scim/v2

  • User and group provisioning

• Harness

  • SCIM Endpoint: https://app.harness.io/gateway/ng/api/scim/account/{accountid}

  • User management and role assignment

• Zapier

  • SCIM Endpoint: https://zapier.com/scim/v2

  • User provisioning and team management

Security & Infrastructure

• Twingate

  • SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2

  • User provisioning and group assignment

• ThousandEyes

  • SCIM Endpoint: https://api.thousandeyes.com/scim

  • User management (groups via custom implementation)

Workflow Examples

New Employee Onboarding

When a new employee joins (triggered by HR system changes):

1. Identity Sync: Create user account in SCIM application with basic attributes

2. Email Setup: Configure primary email and secondary contacts

3. Group Assignment: Add user to department and role-based groups automatically

4. Access Verification: Confirm user can access application and assigned resources

Role Change Management

When an employee changes roles or departments:

1. Attribute Update: Sync new job title, department, and manager information

2. Group Reassignment: Remove old role groups, add new role groups

3. Access Review: Verify appropriate access levels for new position

4. Notification: Alert managers and IT of completed changes

Employee Offboarding

When an employee leaves the organization:

1. Account Deactivation: Set user status to inactive in SCIM application

2. Group Removal: Remove all group memberships and access rights

3. Data Preservation: Maintain account record for audit and compliance

4. Manager Notification: Alert appropriate stakeholders of access removal

Bulk User Management

For large-scale provisioning operations:

1. Batch Processing: Create multiple users efficiently through SCIM bulk operations

2. Group Pre-creation: Establish organizational groups before user assignment

3. Validation: Verify all users are created with correct attributes and memberships

4. Rollback Capability: Support for reversing bulk operations if needed

Overview

The Veza integration for Okta enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization.

This document includes steps to enable the Okta integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Okta

Prerequisites

1. You will need administrative access in Veza to configure the integration and grant API scopes in Okta.

2. Ensure you have an existing Okta integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Okta integration has completed at least one successful extraction

4. The Okta integration will need the additional required API scopes:

   • okta.users.manage - For user lifecycle operations

   • okta.groups.manage - For group membership management

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create an Okta integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Okta data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for Okta in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Okta can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Okta with changes propagated to connected systems

Okta can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow:

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Login ID cannot be changed after creation

• Email addresses must be unique

• Required attributes must be present (login, email, first_name, last_name)

The following attributes can be synchronized:

Manage Relationships

Both adding and removing memberships are supported. Group memberships are removed in deprovisioning.

• Add and remove group memberships

• Synchronize group assignments

• Track membership changes

Deprovision Identity

When a user is deprovisioned:

• User account is disabled

• Group memberships are removed

• Attribute history is preserved for audit

• Account can be reactivated if needed

Create Entitlement

• Entity Types: Okta Groups

• Assignee Types: Okta Users

• Supports Relationship Removal: Yes

Within Okta, groups can be associated with:

• Application group assignments controlling SSO access

• Permissions to resources within specific applications

• Synchronized AWS SSO groups

• Role-based access controls within Okta

Reset Password

Allows password reset operations for Okta users:

• Requires the login attribute as a unique identifier

• Non-idempotent action (each execution creates a new password reset event)

• Will trigger Okta's standard password reset flow for the specified user

Overview

This document provides an introduction to the integrations supported by Veza Lifecycle Management (LCM), including their capabilities and the actions they support. These integrations enable you to automate identity and access management workflows across your identity sources and target applications.

Veza's Open Authorization API (OAA) can support provisioning and deprovisioning for applications not natively supported by the Veza platform. With OAA, Veza or customers can build integrations to any application that has a suitable and accessible API or integration interface.

Supported Integrations

Identity Sources

Identity sources are authoritative systems that provide information about user identities. While Veza does not require write permissions to the identity source of truth, some of these integrations are also supported as provisioning targets. Integrations can also allow write-back of a user's newly created email address to the user's record in the source of identity as part of the initial provisioning workflow.

Veza currently supports the following as sources of identity for Lifecycle Management workflows:

Target Application Support

The entire catalog of Veza application integrations is Lifecycle Management-ready. Target application support in Lifecycle Management leverages Veza's existing native- and OAA-based integrations plus an intelligent shim layer in order to provide support for provisioning and de-provisioning.

As such, target application support in Lifecycle Management can be enabled for nearly every Veza-supported integration.

Validated Integrations

The following table lists the out-of-the-box, Veza-validated target application integrations for Lifecycle Management.

Other Supported Integrations

For any Veza-supported application not listed above, please contact your Customer Success Manager for more details and instructions on how to enable the specific Veza integration for use with Lifecycle Management as a target application for provisioning and de-provisioning.

Configuring Integrations for Lifecycle Management

Insight Points for Lifecycle Management

An Insight Point is required to enable Lifecycle Management operations and identity discovery for systems that Veza cannot access directly, such as an on-premises application server behind a firewall. The Insight Point is a lightweight connector that runs in your environment, enabling secure gathering and processing of authorization metadata for LCM tasks.

A Veza Insight Point is typically deployed as a Docker container or VM OVA, running within your network for metadata discovery and LCM job execution. This ensures secure communication between your environment and Veza.

For deployment instructions, refer to the Insight Point Documentation.

Scheduled and Manual Extractions

You can configure extraction intervals for your integrations to ensure data is regularly updated for Lifecycle Management processes.

1. Go to Veza Administration > System Settings

2. In the Pipeline > Extraction Interval section, set the global extraction interval

3. To override the global setting for specific integrations, use the Active Overrides section

Available extraction intervals are:

• Auto (hourly, but may take longer when the extraction pipeline is full)

• 15 Minutes

• 1 Hour

• 6 Hours

• 12 Hours

• 1 Day

• 2 Days

• 3 Days

• 7 Days

• 30 Days

To manually trigger an extraction:

1. Go to Integrations > All Data Sources

2. Search for the desired data source

3. Select Actions > Start Extraction

Note: Custom application payloads are extracted after the payload is pushed to Veza using the Open Authorization API.

Enabling Lifecycle Management

To enable Lifecycle Management for a specific integration:

1. Browse to the main Veza Integrations page, or go to Lifecycle Management > Integrations

2. Search for the integration you want to enable

3. Toggle the Lifecycle Management option to Enabled

Checking on Lifecycle Management Data Sources

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Additional Resources

For more information:

• Refer to individual integration documentation for detailed LCM capabilities

• Consult the Lifecycle Management user guide for troubleshooting and best practices

• Contact Veza support for assistance with enabling or configuring LCM for your integrations

Overview

The Veza integration for Azure AD (Microsoft Entra ID) enables automated user provisioning, access management, and de-provisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, assign licenses, and automate the user lifecycle from onboarding to offboarding.

This document includes steps to enable the Azure integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Azure

Prerequisites

1. You will need administrative access in Veza to configure the integration.

2. Ensure you have an existing Azure integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Azure integration has completed at least one successful extraction.

4. The Azure integration will need the following additional Microsoft Graph API permissions:

   • Directory.ReadWrite.All - Required for creating, updating, and managing directory objects

   • Group.ReadWrite.All - Required for creating and managing groups

   • GroupMember.ReadWrite.All - Required for managing group memberships

   • User.EnableDisableAccount.All - Required for enabling/disabling user accounts

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create an Azure integration

3. Check the box to Enable usage for Lifecycle Management

4. For complete Azure integration setup instructions, including how to create an App Registration and grant permissions, please refer to the Azure Integration Guide

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Azure AD can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Azure AD with changes propagated to connected systems.

Azure AD can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• Entity Types: Azure AD User

• Create Allowed: Yes (New user identities can be created if not found)

The following attributes can be synchronized:

Create Guest User Accounts

Creates guest user accounts in Azure AD by sending invitations:

• Required Attributes:

  • invited_user_email_address - Email address of the person to invite

  • invite_redirect_url - URL where the user is redirected after accepting the invitation

• Optional Attributes:

  • principal_name - User principal name (if not provided, generated from email)

  • display_name - Display name (if not provided, generated from email)

  • mail_nickname - Mail nickname (if not provided, generated from email)

  • Other standard user attributes as needed

Manage Relationships

Controls relationships between users and Azure AD entities:

• Supported Relationship Types:

  • Groups: Add or remove users from Azure AD groups

  • Roles: Assign or remove Azure AD roles

  • Licenses: Assign or remove license assignments

  • Distribution Lists: Manage Exchange Online distribution list memberships

• Assignee Types: Azure AD Users

• Supports Removing Relationships: Yes

Create Email

Creates or enables email functionality for users in Azure AD:

• Implementation: Assigns Exchange Online license to the user

• Requirements: Available Exchange Online license in your tenant

• Results: Email-enabled user account with Exchange Online capabilities

Create Entitlement

Creates new entitlements in Azure AD, including groups and distribution lists:

• Azure AD Group Creation:

  • Required Attributes: name

  • Optional Attributes:

    • mail_enabled - Whether the group is mail-enabled

    • is_security_group - Whether it's a security group

    • visibility - Privacy setting (Public, Private, HiddenMembership)

    • description - Group description

• Distribution Group Creation:

  • Required Attributes: name

  • Optional Attributes:

    • identity - Unique identifier

    • alias - Email alias

    • primary_smtp_address - Primary email address

    • group_type - Type of distribution group

Deprovision Identity

When a user is deprovisioned:

• Entity Type: Azure AD Users

• Remove All Relationships: Yes (Removes group memberships, role assignments, and license assignments)

• De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)

• Additional Options:

  • User Logout - Force user to log out from all active sessions

  • Remove All Licenses - Remove all license assignments

  • Remove All Personal Devices - Remove device registrations

Disable Guest Accounts

Specifically handles deprovisioning of guest user accounts:

• Required Attributes:

  • invited_user_email_address - Email address of the guest user

• Optional Attributes:

  • display_name - Display name of the guest user

Custom Properties

Azure AD integration supports custom properties defined in your tenant. These can be configured in the integration settings and used in attribute transformers for Lifecycle Management actions.

Overview

The Veza integration for Snowflake enables automated user lifecycle management, with support for user provisioning and de-provisioning, role assignment management, and attribute synchronization.

This document includes steps to enable the Snowflake integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Snowflake

Prerequisites

1. You will need administrative access in Veza to configure the integration and USERADMIN role or equivalent privileges in Snowflake.

2. Ensure you have an existing Snowflake integration in Veza or add a new one for use with Lifecycle Management.

3. Verify your Snowflake integration has completed at least one successful extraction

4. The Snowflake integration will need the additional required privileges:

   • CREATE USER privilege on the account for user provisioning

   • GRANT ROLE privilege for role assignments

   • OWNERSHIP privilege on target roles for role management

   • Access to a warehouse for executing queries during lifecycle operations

Important: The Snowflake user account used for Lifecycle Management operations should have USERADMIN role or higher privileges to ensure proper user and role management capabilities.

Configuration Steps

To enable the integration:

1. In Veza, go to the Integrations overview

2. Search for or create a Snowflake integration

3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Snowflake data remains current:

1. Go to Veza Administration > System Settings

2. In Pipeline > Extraction Interval, set your preferred interval

3. Optionally, set a custom override for Snowflake in the Active Overrides section

To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

2. Search for the integration and click the name to view details

3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Snowflake can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

• User names must be unique and follow Snowflake identifier naming conventions

• Login names are used for authentication and must be unique

• Passwords are automatically generated and set to require change on first login

• Users are created with appropriate default settings for the Snowflake environment

The following attributes can be synchronized:

Manage Relationships

Role assignment management for users:

• Add and remove role assignments for users

• Synchronize role memberships from source systems

• Support for direct role grants to users

• Roles must exist in Snowflake before assignment

Within Snowflake, roles can be associated with:

• Database and schema access permissions

• Table and view privileges

• Warehouse usage rights

• Administrative privileges for account management

Deprovision Identity

When a user is deprovisioned:

• User account is disabled (set DISABLED = TRUE)

• Role assignments are removed to revoke access

• User attributes are preserved for audit purposes

• Account can be reactivated if needed for compliance requirements

Workflow Examples

Employee Onboarding

Automated provisioning when a new employee joins:

1. Create User Account: Sync identity attributes from HR system to create Snowflake user with name and login details

2. Assign Department Role: Grant role based on department attribute (e.g., SALES_ANALYST, DATA_ENGINEER)

3. Set Default Role: Configure default role for the user's session

4. Add Email and Comments: Populate user profile with contact information and descriptive notes

Role Change Management

Managing access when employees change roles:

1. Update User Attributes: Sync changed attributes like email or comments

2. Remove Old Roles: Revoke previous role assignments that are no longer appropriate

3. Grant New Roles: Assign roles appropriate for the new position

4. Update Default Role: Change the user's default role for new sessions

Employee Offboarding

Secure access removal when employees leave:

1. Disable Account: Set user account to disabled status

2. Revoke All Roles: Remove all role assignments to eliminate data access

3. Preserve Audit Trail: Maintain user record and history for compliance

4. Optional Cleanup: Remove user completely with DROP USER if no audit trail is needed