1 of 31

Lifecycle Management

Introduction to Lifecycle Management with Veza

Veza's Lifecycle Management (LCM) solution empowers organizations to automate and streamline the management of user identities and access rights throughout the employee lifecycle. From onboarding to role changes and offboarding, automated LCM workflows ensure that the right people have the correct access at the right time.

Key Features

Automated Provisioning and De-provisioning: Streamline granting and revoking entitlements as employees join, move within, or leave the organization
Environment-wide Synchronization: Keep user attributes and access rights consistent across applications and platforms
Customizable Workflows: Design tailored processes for different lifecycle events and user segments
Compliance and Audit Support: Maintain detailed records of access changes to support compliance and audit efforts
Integration with Identity Providers: Integrate with identity providers and HR systems, import HR data from CSV, or use a custom OAA template

Core Concepts

Policies

Policies define the rules and actions for managing identities throughout their lifecycle. They specify what actions should occur when there are changes in a source of identity, such as when a user is created or their attributes change.

After configuring a policy for a source of identity in your organization, Veza Lifecycle Management tracks the source for changes. When employee records are added or changed, actions will trigger based on the workflows and actions specified in the policy.

Learn more about Policies

Workflows

Workflows are sequences of actions within a policy that execute based on specific conditions. They enable automation of lifecycle management processes such as onboarding, role changes, and offboarding.

Workflows only execute actions on users that meet specific conditions, and Policies can contain more than one Workflow. This enables you to create a single policy for your source of identity that contains multiple workflows, with one applying to new hires, another applying to terminated employees, and so on for the different JML scenarios you want to automate.

Learn more about Workflows

Access Profiles

Access Profiles define sets of entitlements (such as group memberships or role assignments within a target application) that should be granted to users based on their role within the organization (or another distinguishing attribute). You can use Access Profiles to define both Business Roles – segments of employees, and Profiles – collections of entitlements in a target application.

Assigning Business Roles to the Profiles they should inherit enables you to define the birthright entitlements for different types of employees in your organization. You can then assign those Business Roles when configuring workflows that add or remove access to an application.

Learn more about Access Profiles

Actions

Lifecycle Management Actions are tasks performed within a workflow, such as creating a user account, assigning group memberships, or disabling an account. Actions can be combined to trigger in sequence when there are changes in the source of identity. Actions can run for any identity that meets the workflow conditions, or only apply when action-level conditions are met.

Learn more about available Actions

Attribute Transformers

Transformers allow you to modify and format user attributes when synchronizing data between systems, ensuring consistency and compatibility when creating users across applications.

Lifecycle Management will provision new users with these attributes and can keep their accounts up-to-date when there are changes in the source of identity. Target entity attributes can be set to specific values or use metadata from the source of identity, and support a range of transformation functions.

Learn about Transformers

Notification Templates

Customize email notifications sent during Lifecycle Management events and Access Request workflows. You can personalize messaging, add branding, and include event-specific information through placeholders.

Learn more about Notification Templates

Getting Started

Enable Integrations: Configure your data sources and enable them for Lifecycle Management. Lifecycle Management Integrations
Define Access Profiles: Create profiles that map your organizational structure to application-specific entitlements. Creating Access Profiles
Create Policies: Add policies to automate identity management processes. Building Lifecycle Management Policies
Configure Workflows: Design workflows within policies to handle specific lifecycle events. Configuring Workflows

For an overview of Lifecycle Management configuration using Okta, Workday, and Active Directory, see Lifecycle Management with Workday, Okta, and Active Directory.

For API documentation, see Lifecycle Management APIs.

Lifecycle Management Dashboard

Managing and monitoring Lifecycle Management from a central dashboard

The Lifecycle Management Dashboard provides a centralized interface for monitoring automatic provisioning and deprovisioning of user access - both birthright access granted by Veza Lifecycle Management and just-in-time access granted by Veza Access Reviews. This dashboard gives you an at-a-glance view of your configuration, status, and recent activity.

The dashboard is the primary landing page for Lifecycle Management and Access Requests and can help with routine monitoring, error resolution, policy validation, activity review, and integration health checks.

Dashboard Overview

The dashboard is organized into several key sections:

Policies: Displays your most recently updated Lifecycle Management Policies and their status
Access Profiles: Shows configured Access Profiles and usage metrics
Identities: Provides a visualization of managed identities
Integrations: Top Integrations enabled for Lifecycle Management and Access Requests along with any error statuses
Access Requests: Tracks pending and completed access requests
Errors: Displays recent Lifecycle Management and Access Requests errors requiring attention (past day, week, or month)
Recent Activity: Shows the most recent Lifecycle Management and Access Requests Events

To navigate to more detailed information, click on any section heading to open the related overview. Click on specific items (such as a policy or integration) to view or edit configuration details.

Dashboard Actions

From the dashboard, you can perform common tasks including:

Create a new policy: Click the "Create Policy" button in the Policies section
Configure Access Profiles: Click the "Create Access Profile" button in the Access Profiles section
Set up a new integration: Click the "Set up Integration" button in the Integrations section
Monitor system health: Review the Errors section for any issues
Track recent changes: Review the Recent Activity section for a log of recent events
Filter activity by time period: Use the time period dropdown (e.g., "Past day") to adjust the view

Policies

The Policies section displays all configured Lifecycle Management policies with their current status. Each policy shows its name, associated identity source, number of identities managed, and current status (Running/Stopped).

You can view all policies at a glance, create new ones with the "Create Policy" button, see which policies are actively running, access detailed configuration by clicking on a specific policy, and verify that policies in "Running" status should be active. Learn more about creating and managing policies.

Access Profiles

The Access Profiles section shows the total number of configured access profiles and provides a visual representation of profile activity. Access profiles define sets of entitlements granted to users based on their roles.

You can see the total number of configured profiles, create new ones using the "Create Access Profile" button, view profile activity and utilization, and access detailed configuration by clicking into the section. Learn more about Configuring Access Profiles.

Identities

The Identities section provides a visual representation of all identities managed through Lifecycle Management and Access Requests. The chart displays the distribution of identities by type or status, giving you an immediate understanding of your identity landscape.

This visualization helps you understand the overall composition of your managed identities, identify distribution patterns across different categories, and track changes in identity distribution over time.

Integrations

The Integrations section lists all systems connected to Lifecycle Management and Access Requests, displaying the total number of integrations, error status and counts, recently created integrations, and last update timestamps. For each integration, you can see its name and type, current status (including error indicators), and last update timestamp. You can set up new integrations using the "Set up Integration" button, identify and troubleshoot integration errors, and view all integrations by clicking "View all." Review this section regularly to identify any integrations with error states. See Lifecycle Management integrations for more information.

Access Requests

The Access Requests section tracks pending access requests, recently completed requests, and request status (Pending, Completed, Rejected, Cancelled). This section provides visibility into the access request process, allowing you to monitor request volume and status, track completion rates, and identify potential bottlenecks in the access request workflow.

Errors

The Errors section displays any Lifecycle Management and Access Requests errors that require attention. When functioning normally with no issues, this section will display "No issues found." If errors occur, this section will list the specific errors, provide context about when and where they occurred, and offer guidance on troubleshooting and resolution. Check this section regularly for any reported issues.

Recent Activity

The Recent Activity section shows a chronological log of Lifecycle Management and Access Requests events, including event type, timestamp, affected identity, and entity name. Examine this section to identify any unusual patterns or failed operations. This activity log helps you track recent actions, verify that expected changes have occurred, identify patterns or issues in lifecycle events, and monitor the overall health of your Lifecycle Management or Access Requests implementation.

Next Steps

After familiarizing yourself with the dashboard:

Learn about creating Lifecycle Management policies
Configure access profiles for your organization
Set up integrations with identity sources
Understand available Lifecycle Management actions

Activity Log

Understanding the Lifecycle Management Activity Log for tracking provisioning operations

The Lifecycle Management Activity Log provides visibility into all provisioning operations performed by Veza's Lifecycle Management system. It serves as a record of all activities, including successful actions, errors, and failures.

Overview

A Lifecycle Management policy defines automated workflows that execute when changes occur in a source of identity. The Activity Log tracks all aspects of these operations through a hierarchical structure:

Policies define the overall automation framework for managing identities
Workflows determine which actions should be executed for specific identities
Actions represent specific operations to be performed on target systems
Jobs are individual tasks executed as part of actions
Events record atomic changes resulting from successful jobs

The Activity Log provides four views of this activity across different tabs: Events, Jobs, Actions, and Workflow Tasks.

Activity Log Tabs

Each tab can help track recent actions, verify that expected changes have occurred, identify patterns or issues in lifecycle events, and monitor the overall health of your Lifecycle Management implementation.

Events Tab

The Events tab shows individual changes made to entities and relationships within the system. Each event represents an atomic change resulting from a successful action.

Column

Description

Jobs Tab

The Jobs tab displays individual jobs executed as part of actions. Jobs represent specific tasks performed on target systems, such as creating a user account or updating attributes. Use this tab to review whether individual jobs executed successfully or encountered an error and could not be completed.

Column

Description

Actions Tab

The Actions tab shows high-level operations triggered by workflows. Actions typically involve one or more jobs that work together to accomplish a specific goal.

Column

Description

See for more details on supported actions and configuration options.

Workflow Tasks Tab

The Workflow Tasks tab displays workflows executed for specific identities. Workflows represent a sequence of actions executed as part of a Lifecycle Management .

Column

Description

Workflow Execution Process

For each identity, Lifecycle Management follows this process:

Validation: The system validates the identity against workflow trigger conditions
Execution Determination: The system determines whether execution is needed based on:
- Identity state (e.g., CREATED, CHANGED, UNCHANGED)
- Continuous sync settings
- Last execution time (for unchanged identities)
Task Creation: If execution is needed, a workflow task is created
Action Execution: The system executes conditions and actions via the task runner
Result Storage: The result is stored as an event in the Activity Log

Using the Activity Log

The Activity Log provides filtering and search options to help locate particular events:

Filter by time period: Use the date range filters to focus on date ranges
Search by identity or entity: Use the search fields to find activities related to unique identities or entities
Filter by event type or state: Use the dropdown filters to focus on event type or state
View error messages: Review issues by checking for error messages in the Message column

Log Retention and Security

Veza maintains all Lifecycle Management activity logs for audit purposes. These logs are retained even if the associated integration is removed, maintaining a full historical record of all provisioning operations.

Note: Events shown in the Activity Log are distinct from the system-wide Event Logs found in the Veza Administration section.

Identities

Manage user identities and lifecycle automation in Veza, including synchronization, access profiles, and workflow triggers for joiner, mover, and leaver processes.

Identities

Identities in Veza Lifecycle Management represent a top-level view of an individual user, used to automate provisioning and deprovisioning across systems, applications, or services.

This can include birthright access managed throughout the user's lifecycle, triggered by joiner, mover, or leaver events, as well as ad-hoc, just-in-time access granted upon approval of an access request.

Identities can refer to users who may be employees, contractors, or external collaborators (partners), but generally exclude non-human entities, such as service accounts or AI agents.

With Lifecycle Management, workflows defined within policies dictate the users’ onboarding, job-function change, and offboarding processes, ensuring that corresponding identities have precisely the access they need as their roles evolve or their status within the organization changes. Similarly, access granted to identities may also change as just-in-time access requests are fulfilled or revoked.

The Lifecycle Management > Identities page serves as a central hub for viewing identities known to Lifecycle Management and Access Requests, as well as performing actions on individual identities.

Identities are populated into Lifecycle Management by first identifying the entire user population by integrating their source of identity (SOI) and creating a policy that uses that data source, into a Veza tenant. This may require enabling a built-in integration for your identity source (e.g., Workday integration), uploading user data in CSV format (CSV Upload integration), or using a custom OAA connector.

See Integrations for detailed information on integrating the source of identity.

For Integration management using APIs, see the Datasource Management APIs.

Identity Synchronization

Identities are maintained through synchronization with the identity sources. Syncing identities ensures that all systems reflect the most current user state, whether through onboarding, role changes, or attribute updates, keeping access aligned, consistent, and audit-ready.

The Sync Identities action is used for the automatic synchronization of user identities between an authoritative source (such as an HR system or identity provider) and target systems. In the Lifecycle Management workflow, Sync Identities works alongside other key actions:

Manage Relationships (handling group/role memberships)
Deprovision Identity (removing access when users leave the organization)

Synchronization is executed through Lifecycle Management policy workflows. Policy workflows can be defined with triggers and actions to synchronize changes in your identity source with target systems. Additionally, SCIM (System for Cross-domain Identity Management) or OAA (Open Authorization API) can enable identity sync for a wide range of target applications that don't have a built-in Veza integration, but do expose standard user and group management APIs or support bulk data export.

See SCIM for more information on usage.
See Open Authorization API (OAA) for detailed information.

Identities Table

Column

Description

Usage

Name

Identity display name

The full display name is an attribute composed of the user's first name and last name.

Status

Current lifecycle status (Active/Inactive)

Indicates employment status.

Property Overrides

Shows "Yes" if identity has custom attribute overrides

Identifies identities with manual attribute modifications (overriding attributes from your SOI )

Department

Organizational department from SOI

Used for access assignment and reporting

Policy

Associated Lifecycle Management policy

Links identity to a specific Lifecycle Management workflow

Access Profiles

Assigned Access Profiles with counts

Shows current access assignments

Last Changed at

Timestamp of the most recent update

Tracks synchronization and change activity

Workflows

Associated Lifecycle Management workflow name

Identifies which policy workflow manages the identity

Note: The display name is not the primary unique identifier, as multiple users may share the same first and last name.

Filter and Search an Identity

To start, you can use filtering options to locate specific identities or analyze a group of identities based on standard criteria. The following filters are available on the Identities overview:

Search by name: Locate specific individuals using a name-based search
Department filter: View identities by organizational unit
Status filter: Filter by Active or Inactive employment status
Access Profiles filter: Find identities with specific profile assignments
Integrations filter: Filter by source integration system
Policy filter: View identities managed by specific policies
Workflows Triggered filter: Identify identities that have triggered automation
Not in a Workflow: Find identities outside automated workflows

Identity Actions

For each identity record, administrators can perform actions through the Actions menu:

View Details: Access identity information, attribute history, and related accounts
Trigger Workflow: Manually initiate a workflow in a policy
Request Access: Launch an Access Request for additional access (requires Veza Access Requests).
See Notification Templates for Lifecycle Management for customizing the Request Access Template.
Show in Graph: Visualize identity relationships and access patterns

View User Details

Click on your selected identity to open the Identity Details view.

The following fields in the Identity Details view are populated with the current user's information:

Title: The user’s position title.
Email: The user’s email address.
Providers: A list of assigned integrations. When you click on a specific provider, the Integration page appears, displaying the provider’s detailed information, including its Entity Categories distribution.
Access Profiles: A list of assigned Access Profiles to the identity. When you click on a specific profile, its detailed information page appears, displaying its status (either Draft or Published). You can also edit the Access Profile if needed.
Last Workflow Triggered: The name of the workflow that was recently executed.
Primary: The Primary identifier is configured (True or False) to be the authoritative attribute for matching or locating an identity.
Secondary Identities: An associated name is connected to the primary identity.
ID: The Identification number assigned to the primary identity.
Active: The user’s identity is active if True. Otherwise, False when inactive.
Last Changed: A time frame (in days, weeks, months) when the identity was last changed.

Attribute Overrides

When executing a policy where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment, you can override the existing attribute with a different value until the issue is corrected. For more information, see Identity Override Attributes.

Here are some examples of incorrect or slow-to-update attributes:

Employee termination: An employee has been terminated and needs immediate deprovisioning, but the termination status is not yet reflected at the source of identity
Role changes: An employee has immediately changed roles and needs new birthright access, but the role change and the new manager haven't been updated in the source system
Contract extensions: A contractor's end date has been extended, but the extension isn't reflected yet at the source of identity
Missing manager data: The source of identity is missing a manager value, but this information is required for downstream application provisioning
Security incidents: Immediate access restrictions are needed before HR systems can be updated
Temporary access grants: Providing temporary access while permanent changes are processed

To create an Override Value, perform the following:

Select an identity by name.
Click Details.
Click Properties in the Details menu.
Click Actions (three dots icon)
Select Create Override.
The Create Override window appears. The Property Name and Actual Value fields are populated.
Enter an Override Value.
Click Save.

Performing Actions on an Identity

Click the overflow icon (three dots) to display options for performing actions on the identity. Next, click on the desired action:

Trigger Workflow
Request Access
Show in Graph

Trigger Workflow

The Trigger Workflow option is a convenient way to test a specific user in a policy workflow. For example, you can test a new employee's identity in a joiner workflow to evaluate whether they have sufficient access to perform their duties.

Use the Trigger Workflow option to manually run a workflow for a specific user.

To trigger a workflow with a specific user, perform the following steps:

Select a workflow in the dropdown menu.
Click Trigger to run the workflow.

Request Access for an Identity

Requests Access allows for additional or temporary access grants, particularly when a user’s current access is insufficient for their duties.

Use the Request Access option in the Identity Details view to grant access to a specific user while reviewing their detailed information. You can grant access to the user through the following actions:

Access Profiles: A collection of entitlements that are granted as part of the user’s identity lifecycle requirements. Access Profiles can:

Define reusable collections of entitlements across multiple target systems by business roles, departments, or functions
Automate consistent access provisioning
Manage access profile types and their capabilities

See Access Profile and Access Profile Types for more information.

To grant an Access Profile, perform the following:

Click the Access Profile radio button.
The Choose from Access Profile window appears.
Enter a Reason for granting the Access Profile for the user.
Select an existing Access Profile from the dropdown menu.
Enter an Expiration Time in Hours or Days.

App: An App refers to a target system, where user access is provisioned or deprovisioned as part of the identity lifecycle process.

To grant an App, perform the following:

Click the Access Profile radio button.
The Request Grant Access window appears.
Enter a Reason for granting the App for the user.
Select an existing Integration from the dropdown menu.
Use the arrows to select an Expiration Time in Days, where 0 means no expiration.
Click Create.

Entitlements: Granting Entitlements to a user provides specific access permissions (roles, permissions, group memberships) required to perform their responsibilities.

Note: By granting Entitlements to a specific user, you pre-fill an Access Request with the appropriate configuration settings and policy.

To grant an Entitlement, perform the following:

Click the Entitlements radio button.
The Request Grant Access window appears.
Enter a Reason for granting the Entitlement for the user.
Select an existing Integration from the dropdown menu.
Based on the integration you selected, the Target Entity Type is automatically populated.
Use the arrows to select a Target Entitlement.
Use the arrows to select an Expiration Time in Days, where 0 means no expiration.
Click Create.

Show in Graph

Use the Show in Graph option to display a graph that represents all assigned Access Profiles, Apps, and Entitlements, including all associations.

This is a graphical representation of John Smith’s assigned access and entitlements to roles/groups.

Access Profiles

Map application entitlements to user populations based on common roles, functions, levels, or locations in the organization.

Access Profiles govern how application entitlements are assigned to employees across your organization. These profiles define how birthright access should be granted based on segmentation criteria, which could include business role, job function, seniority level, location, or group membership. Access Profiles are used by the Manage Relationship action to assign users to specific groups, roles, permission sets, or other access-granting entities when specific conditions are met.

Profiles can be configured hierarchically to create a fine-grained model of how access should be assigned to different groups of employees. Administrators can position child profiles underneath a parent profile, with each child profile inheriting the entitlements from the parent profile.

For instance, a parent profile might be "Sales" (defining all the application entitlements that an individual belonging to the Sales organization should be granted), with child Profiles for "Account Executive," "Sales Engineering," "Sales Operations," and "Inside Sales." Each child Profile will have additional application entitlements specific to those roles. With these profiles configured, a workflow in policy for sales engineers can use just the "Sales Engineering" Profile, which includes the access defined by the "Sales" profile.

Example Profiles

Profile Name

Target

Relationship

Executive Employees

Active Directory

Executive Employee - Manager US (Active Directory Group)

US Engineering Managers

Active Directory

Engineering - Manager US (Active Directory Group)

Azure Helpdesk Role

Azure

Helpdesk Administrator (Azure AD Role)

Google Asia Employees

Google Cloud

Google Asia Employees (Google Group)

Since workflows in Lifecycle Management policies can apply these Profiles at all stages in a user's lifecycle, defining Profiles enables Veza to serve as a source of truth for birthright entitlements for all employees. Access Profiles also define what access-granting relationships to remove from users during de-provisioning workflows.

The access granted by a Profile can be defined by both:

Explicitly-defined, application-specific entitlements, such as roles, groups, permission sets, etc., within the Profile. A single Access Profile can support granting one or more entitlements across one or more applications simultaneously.
Any entitlements inherited from a parent Profile.

The example below shows Business Roles for teams, managers, and all employees, along with Profiles for different applications. When configuring workflow actions, administrators can choose from one or more Business Profiles to assign the entitlements granted by the child Profiles.

Access Profile Types

Veza offers two types of built-in Access Profile types for defining birthright entitlements by user segments:

Profiles

Profiles are a type of Access Profile for defining access-granting relationships (such as user assignments to groups or roles) within the applications you will provision to users. Profiles are intended to represent a specific set of entitlements across one or more applications that should be granted based on a user's segmentation criteria.

Profiles should be configured in coordination with the application owner, who will best understand the exact permissions and privileges granted by various groups, roles, and other entitlements in each specific application.

Business Roles

Business roles are a type of Access Profile used to model your organization's structure, based on a hierarchy of job functions, locations, and titles. Ideally by itself, a Business Role should not describe specific entitlements but can inherit relationships from other Profiles. These will usually be named according to logical segments that should be assigned to different applications with different levels of access, such as "Sales," "QA Contractors," or "Engineering Managers."

Best Practices for Access Profile Types

Business Roles can inherit Profiles to enable a hierarchical approach to birthright access management. You should draft and review Access Profiles to create a map of user entitlements for each application (such as "GitHub Developers" or "Salesforce Administrators").

Create Business Roles that align with your organizational structure, especially taking location, business unit, and functional organization into consideration. Then, configure these Business Roles to inherit Profiles that describe the birthright entitlements granted to different user populations.

Configuring Access Profiles

To create and manage Access Profiles, go to Lifecycle Management > Access Profiles.

Click Create Access Profile
Under Access Profile Details, choose the Profile Type to create:
1. Business Role: Business roles are intended to represent logical units within your organizational structure, and can inherit entitlements defined in other Access Profiles. Use Business Roles to establish segmentation criteria based on location, role, business unit, or functional organization.
2. Profile: Profiles define entitlements that can be assigned to users in target applications, such as groups, roles, or permission sets assigned to users as birthright entitlements. Profiles cannot be inherited from other Access Profiles, but can be inherited by Business Roles. Use this profile type to define the birthright entitlements within one or more applications (such as group memberships or role assignments).
Profile Name and Description: You should follow a standard naming convention for all profiles to help identify them, describing the employee segment or applications the Access Profile applies to.
Profile Labels: Labels are available for quickly finding access profiles when configuring actions in a policy. Apply and create labels as needed to organize your Access Profiles by the employee segments and applications they apply to.
Assigned Relationships:
1. Click Add Relationship
2. Choose the type of relationship to add:
  - Access Profile: Use the Relationship menu to pick one or more Access Profiles to grant those business roles or entitlements. This option is not available for Access Profiles with the "Profile" type.
  - Relationship: Choose the target data source and specific entities the Profile will govern access to (such as Google Cloud Platform > Google Group). This option is not available for Access Profiles with the "Business Role" type.
Click Assign to save the changes.

After saving an Access Profile, you can view details, edit, or pause and resume it on the Lifecycle Management > Access Profiles page.

When configuring a policy to include the Manage Relationships action, you can choose from any active profiles for the target data source.

Access Profile Types

Understanding and configuring different types of Access Profiles for Lifecycle Management and Access Requests

Overview

Access Profile Types determine the behavior of Access Profiles for Veza Lifecycle Management and Veza Access Requests. They define common characteristics such as:

Whether the profile can inherit entitlements from other profiles
If the profile can grant entitlements in one or more target applications
The maximum number of entitlements the profile can grant
The specific integrations where entitlements can be granted

Veza provides built-in profile types, such as Profiles and Business Roles, for hierarchical management of birthright entitlements by employee population. You can also create new profile types to meet your organization's Access Requests and Lifecycle Management needs.

Common Access Profile Type Categories

Access Profiles define collections of entitlements within one or more target applications that can be assigned to an identity. Depending on the profile type, an access profile can include certain groups or roles, or inherit entitlements from another profile.

For example, you can create different types to organize profiles by:

Applications: Granting access to an application without specific entitlements, such as access to Zoom
Single Entitlements: Defining a single entitlement within a single application, such as a user being added to the DNS Admin group in Active Directory or the Domain Name Administrator role in Entra ID
Application Entitlements: Defining multiple entitlements within a single application, such as access to several Okta Groups
Multi-Application Entitlements: Defining multiple entitlements across different applications, such as for site reliability engineers who need access to GitHub, AWS, Jira, and Snowflake, along with one or more roles and group memberships within each of those applications
Business Roles: Inheriting combinations of other profile types to model sophisticated access privileges, such as all US Call Center employees inheriting US Employee access

Managing Access Profile Types

Use Access Profile Types to set rules for all profiles using that type. You can create new profile types to implement Lifecycle Management and Access Requests based on how and what access you will grant to employees.

Creating a New Profile Type

Open Lifecycle Management > Settings
In the Profile Types section, click New Profile Type
In the sidebar, configure the new type:
- Basic Information shown when creating Access Profiles:
  - Name: Display name for the profile type, shown when creating new Access Profiles
  - Description: Extended description to document the purpose of the profile type
  - Instructions: Optional custom instructions for using the profile type, shown when creating new profiles. Note that this is useful if allowing self-service Access Profile creation.
- On Create Behavior: Set the default policy state for Access Profiles created with this profile type:
  - Default: Uses Veza's default behavior (currently sets the profile to Initial state, but this may change in future releases)
  - Initial: The Access Profile is created but remains inactive/non-functional until a user explicitly starts it to move it to Running state
  - Running: The Access Profile starts in an active state and is immediately functional with no additional action required
  - Initial Start By Admin: The Access Profile starts in Initial state but requires an administrator (not a regular user) to explicitly start it to move it to Running state
- Relationship Options:
  - Allow Inheritance from Other Access Profiles: When enabled, profiles with this type can use another access profile to specify the exact entitlements.
  - Allow Direct Relationships: When enabled, you will specify the exact entitlements when creating a profile with this type. When disabled, profiles with this type can only inherit entitlements from another profile
- Access Request Policy: Choose the default Access Request Policy to apply access duration controls and approval workflow.
  - Allow overwrite of Access Request Policy: Enable selection of an alternative policy when Access Profile creators and owners create Access Profiles of this type.
- Integrations: Choose if the Access Profile of this type supports multiple integrations, integrations of a single type, or a single instance of a single integration:
  - Allow multiple integration types: Profiles can have specific entitlements in more than one target integration type (such as one or more entitlements from any Active Directory or Okta integration)
  - Limit to a single integration type: Entitlements must be within integrations of a specific type (such as one or more entitlements from any Okta integration)
  - Limit to a single integration: Profiles are limited to a single integration (such as one or more entitlements from a specific Okta integration)
  - Create a local user account only (if limited to a single integration): Create a local user account without specific entitlements.
- Entitlements: Set the maximum number of entitlements that can be added to profiles with this type (0 for unlimited entitlements).
  - Access Profile creators and owners can choose specific entitlements when editing the profile.
  - Create New Entitlement if None Exists: Configure the CREATE_ENTITLEMENT action to run when the policy is applied, including:
    The target integration and entity type to create
    Any member conditions (ANY to apply to all identities, or restricted by a condition string)
    Attributes for the created entities using the specified formatters.
    Enabling Continuous Sync to periodically recreate and reapply entitlements if removed within the target system.
Click Create Profile Type to save the changes

After saving a profile type, you can edit or delete it on the Lifecycle Management Settings > Profile Types tab.

To manage the users or groups allowed to create profiles of that type, click Actions > Manage Permissions.
To view profiles with a specific type, choose a profile type and click Show Access Profiles.

Best Practices for Access Profile Types

When working with Access Profile Types, consider the following best practices:

Consistent Naming: Use clear, descriptive names for profile types that indicate their purpose and scope
Appropriate Granularity: Create profile types with the right level of granularity for your organization's needs
Documentation: Add thorough descriptions and instructions to help others understand when to use each profile type
Inheritance Planning: Carefully plan which profile types should inherit from others to create a logical hierarchy
Regular Review: Periodically review profile types to ensure they continue to meet your organization's needs
Good Hygiene: Eliminate profile types that are no longer in use (when the count of Access Profiles with that type equals zero)

Policies

Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings.

Overview

Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. This might include hiring a new employee, terminating an existing employee, or other status changes. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate.

A policy can contain one or more workflows that run under different conditions. For example, one workflow might apply when employees enter an "Active" state (for Joiner/Re-hire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also trigger when an employee hire date is within a certain threshold, such as less than 4 days away, or relative to any other employee property within the source of identity.

For most enterprise deployments, Veza recommends:

One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
- One for active users to cover Joiner and/or Mover scenarios (including Re-hire)
- Another for inactive users to cover Leaver scenarios

Add a Lifecycle Management Policy

To create a policy for a source of identity:

Go to Lifecycle Management > Policies
Click Create Policy
Give the policy a name and description
- The policy name is used to identify it on the Policies list and appears in event logs
- The name should indicate the source of identity the policy applies to
Choose the Data Sources the policy will apply to
- Use the dropdown menu to select the source of identity that will trigger workflows in the policy
- To appear on this list, the integration must have Lifecycle Management enabled and be available as a source of identity
- See Integrations for supported providers and steps to enable a Lifecycle Management data source
Save the policy

Edit a Lifecycle Management Policy

To edit a policy:

Go to Lifecycle Management > Policies
Choose a policy from the list and click Edit
Configure the policy summary, details, and identity source.
Click on a tab in the policy builder to configure its settings:
- Workflows: Configure the actions that trigger when there are changes in a source of identity
- Common Transformers: Define shared rules for creating or updating target attributes when provisioning, syncing, or de-provisioning identities
- Notifications: Configure email notifications or webhooks for the policy's workflows, with different notification rules for different types of events (e.g., "Create Identity" or "Delete Identity")
Save the policy

Enabling and Monitoring Lifecycle Management Policies

Use the Policies page for an overview of initial, running, and paused Policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.

To manage policies on the main Policies overview:

Go to Lifecycle Management > Policies
Find the policy you want to manage
- Search for a specific policy by name
- Filter to show all providers by their current state
Click the ⋮ icon in the rightmost column to expand the Actions menu
Choose to Edit, Pause, View Details, or Delete the policy

Adding Workflows to Policies

Policies contain one or more workflows that typically correspond to Active and Inactive user states. Workflows define a sequence of actions to run when a condition is met, based on events and user changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, department changes, or employee departures.

Workflows contain a tree-like sequence of conditions to meet specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.

Workflows can trigger:

As soon as an identity is detected with a matching attribute
Relative to an attribute containing a date (such as before or after a hire_date or termination_date)
Based on any attribute available from the source of identity

Create a Workflow in a Policy

To add a workflow to a policy:

Edit a policy and open the Workflows tab
Click Add Workflow to open the sidebar for adding details and conditions
Use the General tab to configure workflow settings:
Workflow Details:
- Name and Description: Identify the workflow's purpose
- Continuous Sync: Enable to update target entities when source identity changes occur
Condition:
- Workflow Condition: Specify the trigger attribute and value
- Supports SCIM query syntax for filter expressions
- Examples:
  - employment_status eq "WITHDRAWN" for terminated employees
  - employment_status eq "ACTIVE" for new hires and movers
Workflow Trigger Details:
- Attribute to Get Execute Date: Specify when workflow actions should run
- Local Time Zone Diff From UTC: Set your UTC offset
  - Eastern Standard Time (EST): -5
  - Pacific Standard Time (PST): -8
  - Note: US UTC offset varies during Daylight Savings Time
- Trigger At Local Time Hour: Set execution time in 1-hour intervals (e.g., 6, 12, 24)
Use the Conditions tab to configure action sequences:
a. Click Add Condition to configure settings:
- Condition Name: Use descriptive names (e.g., "Sync Okta Identities" or "Azure Helpdesk Role")
- Continue Actions if Any Error: Enable to continue workflow despite failures
- Condition Type: Choose between immediate execution or SCIM filter-based conditions
b. Configure Actions:
- Choose Action Type:
  - New: Create an action with custom settings
  - Existing: Select a previously created action
- Use Edit Action > Conditions for nested conditions
c. Add additional conditions as needed
Save changes:
- Click Save in the left sidebar for workflow changes
- Click Save on the policy details page to commit all changes

Common Transformers

Common transformers define one or more rules to apply when synchronizing a target identity's attributes. Use them in situations where you want to create or update attributes using the same conventions across multiple sync or de-de-provision actions.

To add a common transformer:

Edit a policy and open the Common Transformers tab
Give the transformer a name and description, and specify the data source it applies to.
Choose the target Entity Type.
Click Add Attribute to specify an attribute and the value format.
Optionally, enable Continuous Sync to keep the target entity up-to-date with values from the source of truth.
Save the transformer.

See Transformers for available transformation functions.

Notifications

Events and Actions

Events and Actions: Lifecycle Management Actions can result in multiple events, each associated with a specific operation in a target application. An action might cause more than one event. For example, the "De-provision Identity" action for Active Directory leaver flows could result in a combination of events:

"Disable Identity" (set account to inactive)
"Sync Identity" (update DN and primary group DN)
"Remove Relationship" (remove existing profiles) events. You can review individual events and their status using the Activity Log.

Monitor individual events and their status using the Activity Log.

Notification Configuration

When events occur during the execution of a policy’s workflow, notifications can be triggered by Lifecycle Management as a means to inform stakeholders or integrate with external systems, such as triggering external automation. These notifications are configured in policies and Lifecycle Management supports email- and webhook-based notifications.

For example, an organization might configure their Active Employee policy to send an email to the manager of each new hire employee after the employee's email address is provisioned. Also, a webhook will be sent to the company's learning management system to initiate online onboarding training once each new hire's Okta account is provisioned - after a successful Sync Identity operation

Use the Notifications tab when editing a policy to add and manage notifications at the policy level:

Choose the notification type (Email or Webhook)
Choose the event to trigger notifications:
- Create Identity
- Sync Identity
- Add Relationship
- Remove Relationship
- Create Email
- Change Password
- Delete Identity
- Disable Identity
- Manage Relationships
- Write Back Email
Choose the status to trigger notifications (when an event is successful, or it fails).
Customize the email or webhook settings:
- Webhook:
  - Webhook URL: The endpoint configured to receive the webhook payload.
  - Webhook Auth Header: if the webhook listener requires authentication, provide it here.
- Email:
  - Emails: Recipients added to the to field.
  - Extra Email Fields (Optional): Recipients added to the cc field.
Save the changes.

Note that emails and webhooks can also be configured on a per-action basis.

Fallback Formatters

Configure fallback formatters for uniquely identifying attributes during identity synchronization

Overview

Fallback formatters can help resolve conflicts when provisioning identities with unique attributes. This is particularly useful when automated provisioning requires unique identifiers, but the standard generated values are already in use.

Understanding Fallback Formatters

When provisioning new identities through Lifecycle Management, unique attributes like usernames, login IDs, or email addresses must not conflict with existing values. Fallback formatters provide an automated way to generate alternative values when conflicts arise, ensuring provisioning can proceed without manual intervention.

You can configure fallback formatters when configuring a Sync Identities Action to ensure new users can be onboarded efficiently, regardless of naming conflicts.

Use Case: Username Conflicts

The most common use case for fallback formatters is handling username conflicts. For example:

Your organization uses a standard username format of first initial + last name (e.g., jsmith for John Smith).

When multiple employees have similar names, this can lead to conflicts:

John Smith already has jsmith
Jane Smith already has jsmith1
James Smith already has jsmith2

When Jennifer Smith joins, the fallback formatter automatically assigns jsmith3, maintaining your naming convention while ensuring uniqueness.

Configuring Fallback Formatters

Fallback formatters can be configured as part of the "Sync Identities" action within a Lifecycle Management workflow:

Edit or create a Lifecycle Management policy
Edit the workflow containing the Sync Identities action
In the Sync Identities action configuration, click Add Fallback
Configure the Transformer to use as a fallback pattern for the unique attribute that might experience conflicts
Close the action sidebar and save your changes to the policy.

Transformer Options for Fallback Formatters

Several transformers can be used for implementing fallback formatters depending on your specific use case.

Using the NEXT_NUMBER Transformer

A typical approach is to use the NEXT_NUMBER transformer, which is specifically designed to generate sequential numerical alternatives when naming conflicts occur.

The NEXT_NUMBER transformer:

Generates a set of sequential integers as strings
Takes two parameters: BeginInteger (starting number) and Length (how many numbers to generate)
Is unique among transformers in that it returns multiple values, making it ideal for fallback scenarios

Other Useful Transformers for Fallbacks

In addition to NEXT_NUMBER, other transformers can be valuable for creating fallback formatters:

Using Random Alphanumeric for Unique Usernames:

{first_initial}{last_name}{RANDOM_ALPHANUMERIC_GENERATOR(4)}

This could generate usernames like jsmith8f3d instead of sequential jsmith1, jsmith2, etc.

Using UUID for Guaranteed Uniqueness:

{first_initial}{last_name}-{UUID_GENERATOR() | SUB_STRING,0,8}

This would append the first 8 characters of a UUID, creating identifiers like jsmith-a7f3e9c2.

Implementation Example

When configuring a fallback formatter with the NEXT_NUMBER transformer:

Select the attribute that requires uniqueness (e.g., username, email)
Configure the primary pattern (e.g., {first_initial}{last_name})
Add a fallback using the NEXT_NUMBER transformer to generate sequential alternatives:

{first_initial}{last_name}{NEXT_NUMBER(1, 10)}

This will generate up to 10 alternatives: jsmith1, jsmith2, ... jsmith10

Common Fallback Patterns

Here are some commonly used fallback patterns:

Primary Format

Fallback Pattern

Examples

{first_initial}{last_name}

{first_initial}{last_name}{NEXT_NUMBER(1, 10)}

jsmith, jsmith1, jsmith2, etc.

{first_name}.{last_name}

{first_name}.{last_name}{NEXT_NUMBER(1, 10)}

john.smith, john.smith1, john.smith2

{username}@domain.com

{username}{NEXT_NUMBER(1, 10)}@domain.com

[email protected], [email protected]

{first_name}{last_initial}

{first_name}{last_initial}{NEXT_NUMBER(1, 10)}

johns, johns1, johns2

How Fallback Resolution Works

When Lifecycle Management attempts to provision a new identity with a unique attribute value that already exists:

The system first tries the primary format (e.g., jsmith)
If a conflict is detected, it automatically tries the first alternative using the NEXT_NUMBER transformer (e.g., jsmith1)
If that value also exists, it tries the next alternative (e.g., jsmith2)
This process continues until either:
- A unique value is found
- All alternatives from the NEXT_NUMBER range are exhausted (in which case an error would be reported)

This automated conflict resolution ensures provisioning can proceed without manual intervention, even when your standard naming conventions result in conflicts.

Lookup Tables

Use lookup tables to transform identity attributes for target systems

Overview

You can use Lookup transformers to convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.

For example, you might need to transform a "Location" attribute from Workday (which might be stored as location codes like "MN001") into corresponding values for country, country code, or city names in a target system.

Use Table Lookup Transformers when:

You need to map source attribute values to different values in target systems
You have standardized reference data that must be consistent across applications
You need to extract different pieces of information from a single attribute value
You have complex mapping requirements that built-in transformers cannot support

Examples

Geographic Information:
- Transform location codes to country, region, city, or timezone information
- Map office codes to physical addresses or facility types
Organizational Mapping:
- Convert department codes to department names or business units
- Map cost centers to budget codes or accounting categories
System-Specific Configurations:
- Transform job titles to role designations in target systems
- Convert skill codes to certification requirements or training needs

How It Works

The Table Lookup Transformer references CSV-based mappings between source and destination values. When synchronizing user attributes, Veza:

Takes the source attribute value
Looks up this value in the specified lookup table
Returns the corresponding value from the designated return column
Applies this value to the target attribute

Lookup Table Structure

Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.

For example, a location mapping table might look like:

Creating and Managing Lookup Tables

Creating a Lookup Table

To create a new lookup table:

Navigate to the Lookup Tables tab within your policy configuration
Click Edit mode to enable policy changes
Click Add New to create a new lookup table
Provide a Name and optional Description for the lookup table
Drag a CSV file or click Browse to upload your reference data
Review the automatically detected column names
Click Save to store the lookup table

Managing Lookup Tables

From the Lookup Tables tab, you can:

Edit table descriptions or upload a new CSV
Delete tables that are no longer needed

Using Table Lookup Transformers

Basic Syntax

To use a Table Lookup Transformer in a common or action-synced attribute:

In Destination Attribute, choose the attribute on the target entity that will be updated
In Formatter, choose the source attribute to transform
In Pipeline Functions, specify the lookup table name, the column to match against, and the column containing values to return.

The full syntax for using lookup table transformers is:

Where:

<value> is the source attribute to transform (e.g., {location})
<table_name> is the name of the lookup table to use
<column_name> is the column in the table to match against
<return_column_name> is the column containing the value to return

Examples

Assuming a user has "location": "IL001" and a lookup table named locationTable structured as shown earlier:

Formatter

Result

Advanced Features

Pipeline Transformations

You can combine lookup transformations with other transformation functions in a pipeline:

This would look up the state_code corresponding to the location value and convert it to lowercase.

Handling Missing Values

When a lookup value is not found in the table, the transformation will fail for that specific attribute.

For full coverage, ensure your lookup table includes entries for all possible source values that may be encountered during provisioning.

To ensure robust provisioning workflows, it's important to include all expected values in your lookup table, validate source data before implementing lookup transformations, and test transformations with representative data sets.

Technical Details

Implementation Notes

Lookup tables are immutable and automatically deleted when no longer referenced by any policy version
Multiple policy versions can reference the same lookup table (e.g., an active version and a draft version)
Lookup tables are defined at the policy level and can be referenced by any transformer within the policy
Lookup tables can have multiple columns to support different transformations from the same reference data

Best Practices

Standardize Naming: To use a lookup-based transformer, you will reference the table by file name. Apply consistent conventions for both the table and columns.
Document Mappings: Add descriptions for each lookup table to explain its purpose
Validate Data: Ensure lookup tables are complete and accurate before using them in transformers. Consider how lookup tables will be maintained over time, especially for values expected to change.

Troubleshooting

Common Issues

Issue

Resolution

System Attributes

Computed properties for advanced workflow triggering and conditional transformations in Lifecycle Management

Overview

System attributes are computed properties that Lifecycle Management automatically generates during identity processing. These attributes enable advanced automation scenarios by providing runtime information about identity changes and transformation results.

All system attributes follow the sys_attr__ prefix convention and cannot be manually set or modified.

Available System Attributes

`sys_attr__is_mover`

A persistent boolean attribute that indicates whether an identity has undergone changes to monitored properties.

Type: Boolean Persistence: Stored with identity record Available in: Workflow triggers, conditions, and transformers

Configuration: Define monitored properties in the policy configuration:

Workflow Trigger Example:

Combined Condition Example:

The attribute is automatically set to true when any property in mover_properties changes during identity update. It is cleared when the identity is unchanged in an extraction cycle, and excluded from change detection to prevent recursive updates.

System attribute names are case-sensitive and must be lowercase in all expressions.

`sys_attr__would_be_value`

A transient attribute that provides a preview of the transformation result during conditional evaluation.

Type: String Persistence: Transient (exists only during IF statement evaluation) Available in: Conditional transformers only

Usage Example - Conditional Domain Addition:

The above transformer will check if the transformed email already contains "@", preserve existing email addresses, and add domain only when needed.

`sys_attr__would_be_value_len`

A transient attribute that provides the character length of the transformation result during conditional evaluation.

Type: Number Persistence: Transient (exists only during IF statement evaluation) Available in: Conditional transformers only

Usage Example - Progressive Username Truncation:

For "Leonevenkataramanathan Foster":

First check (≤30 chars): leonevenkataramanathan.foster (30 chars - passes first condition)
If >30 chars, second check (≤20 chars): leonevenkataramana.foster (25 chars - fails second condition)
If >20 chars, fallback: l.f (3 chars - always succeeds)
Alternatives with NEXT_NUMBER: l.f2, l.f3, l.f4

Integration with `NEXT_NUMBER`

Preview attributes work with the NEXT_NUMBER transformer for generating unique alternatives:

This evaluates the base value length before applying numbering, ensuring the final result (including numbers) meets constraints.

Only one NEXT_NUMBER transformer is allowed per conditional branch.

Workflow Trigger Properties

The sys_attr__is_mover attribute supports additional trigger properties for fine-grained control:

This workflow triggers only when:

The identity is marked as a mover (department or location changed)
The identity is active
At least one of the trigger_properties has changed since last extraction

Performance Notes
Mover Detection: Comparison occurs for all properties in mover_properties during each extraction
Preview Evaluation: Each IF branch with preview attributes requires transformation execution
Optimization: Place most common conditions first to minimize preview evaluations
Caching: Preview values are calculated once per condition branch and reused

Identity Override Attributes

Overview

This guide explains how to configure identity override attributes in Lifecycle Management to address scenarios where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment for policy execution.

Identity override attributes allow Lifecycle Management administrators to override the value of any user attribute set at the source of identity. These overrides take precedence over actual values during Lifecycle Management workflows.

Problem scenarios for attribute overrides

Identity override attributes address operational challenges where the source of identity doesn't immediately reflect ground truth:

Incorrect or slow-to-update attributes:
- Employee termination: An employee has been terminated and needs immediate deprovisioning, but the termination status is not yet reflected at the source of identity
- Role changes: An employee has immediately changed roles and needs new birthright access, but the role change and the new manager haven't been updated in the source system
- Contract extensions: A contractor's end date has been extended, but the extension isn't reflected yet at the source of identity
- Missing manager data: The source of identity is missing a manager value, but this information is required for downstream application provisioning
Emergency access control:
- Security incidents: Immediate access restrictions are needed before HR systems can be updated
- Temporary access grants: Providing temporary access while permanent changes are processed

Before you start

Before you configure identity override attributes, verify that override values comply with organizational policies and data standards, and assess the downstream impact of attribute changes. Ensure:

You have administrative access to Veza Lifecycle Management
You understand which source identity attributes need to be overridden
You have identified the specific identities requiring attribute overrides
You understand that overrides only affect Lifecycle Management workflows, not Access Visibility
You recognize that overrides should be used for exceptional cases, not routine operations

Configure identity override attributes

Veza supports overrides for various property types from the source of identity:

Text properties (e.g., Department, Manager, Job Title)
Date properties (e.g., Activated At, Hire Date, End Date)
Numeric properties (e.g., Employee ID)
Boolean properties (e.g., Active status, Enabled flags)

Create attribute overrides for individual identities

You can view, create, edit, and delete overrides from the identity details view.

Click Lifecycle Management in the main navigation, then select the Identities tab.
Locate the identity requiring an attribute override.
2.1. Use the Search by name field to find the specific user
2.2. Click on the identity name to show more information in the sidebar
2.3 Click Details to open the expanded details view
Open the identity's Properties tab:
3.1 In the identity detail view, click the Properties tab to view all available attributes from the source of identity.
The Properties tab displays both original attribute values and any existing overrides.
Create a new attribute override:
4.1. Find the attribute you want to override in the properties table
4.2. Click the Actions menu (three dots) for that attribute
4.3. Select Create Override from the dropdown menu
Set the override value in the Create Override dialog:
5.1. Enter the desired override value in the Override Value field
5.2. For date attributes, use the calendar picker to select the appropriate date and time
5.3. For text attributes, type the new value directly
5.5. Click Save to apply the override, or Cancel to discard changes
The Create Override modal displays the attribute name and the current actual value for reference.
Verify the attribute override is active:
- The Override column now shows "yes" for the modified attribute
- The Override Value column displays your custom value
- The override count updates in the Property Overrides filter (e.g., "1 Override")
View the override summary in the identity details Overview tab:
7.1. Return to the Overview tab for the identity
7.2. Check the Property Overrides section to see all configured overrides for the identity
7.3. Each override displays the attribute name, override value, and actual value from the source

The identity details view provides visibility into both original and overridden values. A visual indicator will highlight any attributes with overrides:

Properties: Use this tab to show side-by-side comparisons of actual values from the source of identity and override values
Overview: This tab includes a consolidated view of all active overrides for an identity

Update existing overrides

To change the value of an attribute override:

Navigate to the identity's Properties tab. Access the same identity detail view where you created the override.
Locate the attribute with an active override. Find the attribute showing "yes" in the Override column.
Edit the override value.
3.1. Click the Actions menu (three dots) for the overridden attribute
3.2. Select Edit Override from the dropdown menu

3.3. Modify the Override Value in the dialog 3.4. Click Save to apply the changes

Cancel attribute value overrides

To remove an override:

Access the identity's Properties tab. Navigate to the identity detail view with active overrides.
Identify the override to remove. Locate the attribute with "yes" in the Override column.
Clear the override.
3.1. Click the Actions menu (three dots) for the overridden attribute
3.2. Select Clear Override from the dropdown menu
3.3. Confirm the action when prompted

The attribute will revert to using the source of identity value, and the Override column will show "no".

Important considerations

Override scope and limitations

The current implementation supports overrides at the individual identity level. Note that any attribute overrides are not reflected in the Veza Access Graph.

Lifecycle Management only: Attribute overrides affect only Lifecycle Management workflows and policy execution
Access Visibility unchanged: The authorization graph and Access Visibility features continue to use the actual source of identity values
Source system independence: Overrides do not modify data in the originating identity providers or HR systems

Operational best practices

You should typically use overrides as temporary measures while addressing root causes in source systems. Maintain clear records of why each override was implemented and the business justification.

Consider the following best practices when implementing attribute overrides:

Regular review process: Establish periodic audits of active overrides to ensure they're still necessary
Monitor policy impact: Review workflow execution logs to confirm that overrides produce expected policy outcomes. You can review the identity details Activity tab and Lifecycle Management Activity Logs to ensure that override values are applied as expected during provisioning, deprovisioning, and other lifecycle actions.
Emergency response procedures: Establish clear protocols for when and how to use overrides in approved scenarios.
Change management coordination: Communicate with HR and identity provider teams when overrides are needed.

Active Directory

This guide describes how to enable and configure Active Directory for Lifecycle Management in Veza, including supported capabilities and required configuration steps.

Overview

Active Directory integration with Lifecycle Management enables automated user provisioning, access management, and de-provisioning capabilities. This includes creating and managing AD users, group memberships, and disabling accounts when employees leave the organization.

Supported Capabilities

Identity Provider Status

Active Directory serves as an Identity Provider in Lifecycle Management workflows and supports custom properties defined in the integration configuration.

Supported Actions

Manage Relationships

Controls relationships between users and Active Directory groups.

Entity Types: Active Directory Groups
Assignee Types: Active Directory Users
Supports Removing Relationships: Yes

Example Use Cases:

Add users to specific Active Directory groups to manage access
Remove users from groups when access requirements change

Sync Identities

Synchronizes identity attributes between Active Directory and downstream systems.

Create Allowed: Yes (New user identities can be created if not found)
Supported Attributes:
- Required (Unique Identifiers):
  - AccountName (No Continuous Sync)
  - DistinguishedName
  - UserPrincipalName
- Optional:
  - Email, GivenName, DisplayName, SurName, Title
  - Description, ManagerID, PrimaryGroupDN
  - StreetAddress, City, StateOrProvinceName
  - CountryCode, PostalCode, Company
  - PhysicalDeliveryOfficeName, JobTitle
  - Department, CountryOrRegion, Office

Example Use Cases:

Create new user accounts when users are added
Keep user information synchronized across integrated systems

De-provision Identity

Safely removes or disables access when users leave or no longer need access.

Entity Type: Active Directory Users
Remove All Relationships: Yes (Removes existing group memberships)
De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)

Example Use Cases:

Disable accounts when employees leave
Remove group memberships while retaining audit information

Configuration Steps

1. Create a Service Account

Create a dedicated AD user with minimum required permissions:

Using Active Directory Users and Computers:

Open Active Directory Users and Computers
Navigate to the target Organizational Unit
Right-click > New > User
Complete the new user details form
- Recommended name: "Veza AD Lifecycle Manager"
- Set a strong password
- Uncheck "User must change password at next logon"

Using PowerShell:

New-ADUser -Name "Veza AD Lifecycle Manager" `
    -Path "OU=<your_OU>,DC=<domain>,DC=<tld>" `
    -GivenName "Veza" `
    -Surname "AD Lifecycle Manager" `
    -SamAccountName "veza-ad-lcm" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "<password>" -Force) `
    -ChangePasswordAtLogon $False `
    -DisplayName "Veza AD Lifecycle Manager" `
    -Enabled $True

2. Configure Required Permissions

Grant the service account permissions to manage users in the target OUs:

Using Active Directory Users and Computers:

Navigate to the target Organizational Unit
Right-click > Delegate Control
Click Add and enter the service account name
Select these delegated tasks:
- Create, delete, and manage user accounts
- Reset user passwords and force password change
- Read all user information
- Modify group membership

Using PowerShell:

Import-Module ActiveDirectory
$OrganizationalUnit = "OU=<your_OU>,DC=<domain>,DC=<tld>"
$Users = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"
Set-Location AD:

$User = Get-ADUser -Identity "veza-ad-lcm"
$UserSID = [System.Security.Principal.SecurityIdentifier] $User.SID
$Identity = [System.Security.Principal.IdentityReference] $UserSID

# Create permission for managing users
$RuleCreateDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, "CreateChild, DeleteChild", "Allow", $Users, "All"

# Create permission for password resets
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity,
"ExtendedRight", "Allow", $ResetPassword, "Descendents", $Users)

# Apply permissions
$ACL = Get-Acl -Path $OrganizationalUnit
$ACL.AddAccessRule($RuleCreateDeleteUsers)
$ACL.AddAccessRule($RuleResetPassword)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL

3. Configure the Integration in Veza

Navigate to Configurations > Integrations
Either:
- Create a new Active Directory integration
- Edit an existing Active Directory integration
Enable Lifecycle Management:
- Check Enable Lifecycle Management
- Enter the Lifecycle Management Username (service account created above)
- Enter the Lifecycle Management Password
Save the configuration

Note: The AD User created for lifecycle management can be the same as the primary AD User created for extraction, provided that the user has all required permissions listed above.

AWS IAM Identity Center

Configuring the AWS IAM Identity Center integration for Veza Lifecycle Management.

Overview

The Veza integration for AWS IAM Identity Center enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization across AWS organizations.

Action Type

Description

Supported

This document includes steps to enable the AWS IAM Identity Center integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for AWS IAM Identity Center

Prerequisites

You will need administrative access in Veza to configure the integration and appropriate permissions in AWS IAM Identity Center.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your AWS integration has completed at least one successful extraction
The AWS integration will need the additional required permissions for Identity Store operations:
- identitystore:CreateUser - For user creation operations
- identitystore:UpdateUser - For user attribute synchronization
- identitystore:DeleteUser - For user deletion (note: AWS uses SCIM deprovisioning which disables rather than deletes)
- identitystore:GetUserId - For user lookup operations
- identitystore:CreateGroup - For group creation
- identitystore:CreateGroupMembership - For group membership management
- identitystore:DeleteGroupMembership - For removing group memberships
- identitystore:ListGroups - For group discovery operations
- identitystore:ListGroupMemberships - For membership enumeration

Important: AWS IAM Identity Center Lifecycle Management requires:

SCIM endpoint configuration in IAM Identity Center (automatic provisioning must be enabled)
The integration uses AWS's SCIM v2.0 API implementation over HTTPS
Authentication is handled through IAM policies and does not require separate SCIM bearer tokens

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create an AWS integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your AWS IAM Identity Center data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for AWS in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

AWS IAM Identity Center can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from AWS IAM Identity Center with changes propagated to connected systems.

AWS IAM Identity Center can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

Username serves as the unique identifier and cannot be changed after creation
Email addresses must be unique across the AWS IAM Identity Center instance
First name, last name, display name, and username are required attributes for user creation

The following attributes can be synchronized:

AWS IAM Identity Center User Attributes

Property

Required

Type

Description

Notes

Manage Relationships

Controls group memberships for users in AWS IAM Identity Center:

Add and remove group memberships for users
Synchronize group assignments based on source system changes
Support for both adding and removing relationships
Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned in AWS IAM Identity Center:

User account is disabled (set to inactive) rather than deleted
All group memberships are automatically removed
User's permission set assignments are revoked
Account information is preserved for audit and compliance purposes
Users can be reactivated if needed by updating the Active attribute

Create Entitlement

Entity Types: AWS IAM Identity Center Groups
Assignee Types: AWS IAM Identity Center Users
Supports Relationship Removal: Yes

Within AWS IAM Identity Center, groups can be associated with:

Permission sets that grant access to AWS accounts and resources
AWS applications and third-party SAML applications
AWS account assignments for cross-account access
Custom access policies and roles

AWS IAM Identity Center Group Attributes

Property

Required

Type

Description

Workflow Examples

Employee Onboarding

Automate the onboarding process for new employees:

Identity Creation: Create AWS IAM Identity Center user account with attributes synchronized from HR system
Group Assignment: Add user to department-specific groups based on their role and location
Permission Sets: Automatically assign appropriate permission sets for AWS resource access
Account Access: Grant access to specific AWS accounts based on job function

Role Change Management

Handle internal role changes and departmental transfers:

Attribute Update: Synchronize updated employee information from HR system
Group Reassignment: Remove user from previous department groups and add to new ones
Permission Adjustment: Update permission set assignments to match new role requirements

Employee Offboarding

Securely remove access when employees leave:

Account Deprovisioning: Disable the user account in AWS IAM Identity Center
Group Removal: Remove all group memberships and permission set assignments
Access Revocation: Ensure all AWS account access is immediately revoked
Audit Trail: Maintain complete record of access removal for compliance purposes

Coupa Contingent Workforce

Configuring the Coupa Contingent Workforce integration for Veza Lifecycle Management.

Overview

The Veza integration for Coupa Contingent Workforce (CCW) enables automated identity synchronization as a source of truth for contingent worker lifecycle management. Coupa CCW serves as an authoritative source for contingent worker information that can be synchronized with other systems in your environment.

This document includes steps to enable the Coupa CCW integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Coupa CCW

Prerequisites

You will need administrative access in Veza to configure the integration and Customer Integration Admin privileges in Coupa CCW.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your Coupa CCW integration has completed at least one successful extraction
The Coupa CCW integration will need the required API scope:
- ccw.contingent_workers - For accessing contingent worker data

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a Coupa CCW integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Coupa CCW data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Coupa CCW in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Coupa CCW can serve as a source for identity information in Lifecycle Management . Contingent worker identity details are synchronized from Coupa CCW with changes propagated to connected target systems.

Important: Coupa CCW is a source-only integration for Lifecycle Management. It provides authoritative identity information but cannot be used as a provisioning target.

The integration supports the following lifecycle management :

Source of Identity

As a source-only system, Coupa CCW provides:

Contingent worker identity information synchronized to downstream systems
Organizational structure data (Account Segments, Cost Centers, Departments)
Employment status and contract details for lifecycle decisions
Manager relationships for approval workflows

Workflow Examples

Contingent Worker Onboarding

When a new contingent worker is added to Coupa CCW:

Identity Sync: Coupa CCW provides worker details to Veza Lifecycle Management
Access Provisioning: Based on department, cost center, and role, appropriate access is granted in target systems
Manager Assignment: Hiring manager relationships are established for approval workflows
Group Assignment: Worker is added to relevant organizational groups based on Account Segment and Department

Contingent Worker Status Changes

When a contingent worker's status changes (contract end, role change):

Status Detection: Coupa CCW reflects updated employment status
Access Review: Lifecycle policies evaluate continued access needs
De-provisioning: If terminated, appropriate access removal is triggered in target systems
Audit Trail: All changes are tracked for compliance reporting

Contract-to-Hire Conversion

When a contingent worker transitions to full-time employee:

Status Update: Employment type change is detected in Coupa CCW
Access Migration: Existing access is evaluated and potentially expanded
System Updates: Worker identity is updated across all connected systems
Process Completion: Manager and HR notifications confirm successful transition

Exchange Server

This guide describes how to enable and configure Exchange Server for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Supported Capabilities

Lifecycle Actions Supported

Create Email

Supports the creation of email accounts for users within Exchange Server.

Entity Type: Exchange Server Users
Attributes Available for Configuration:
- Identity (Required)
- Alias (Optional)

Example Use Cases:

Create email accounts for new employees joining the organization
Assign email aliases to users to facilitate communication

Configuration Steps

1. Locate Exchange Management Shell Paths

Find the Exchange Management Shell shortcut in the Start Menu
Right-click > More > Open File Location
Locate "Exchange Management Shell shortcut
Right-click the shortcut icon > Properties
View shortcut properties
Copy the Target field value
Copy shortcut target
Note the two important paths from the target:
- PowerShell Path: (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Remote Exchange Path: (e.g., C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1)

2. Create Application Pool in IIS

Open IIS Manager and create a new application pool
Create Application Pool
Name the application pool
Name Application Pool
Configure the application pool:
- Right-click > Advanced Settings
Configure Application Pool
- Under Process Model, set the Identity
Add Application Pool Identity

3. Configure IIS Application

Add the application to "Default Web Site"
Add Application to Application Pool
Configure the application:
- Set alias to "VezaProvisioner"
- Select the application pool created above
Configure Application
Configure authentication:
Configure Authentication
- Disable Anonymous Authentication
- Enable Basic Authentication
Authentication Settings

4. Install Veza Provisioner

Install the VezaProvisioner.msi installer provided by Veza support on the Exchange Server. This component handles email address creation for users provisioned in Active Directory.

5. Configure Exchange Server Integration in Veza

Go to Configurations > Integrations
Click Add New and select Exchange Server
Complete the following fields:
Field
Description
Insight Point
Select if using an Insight Point to access Exchange Server
Name
Friendly name for the integration
Instance URL
https://<exchange_server_host>/VezaProvisioner
Username
Domain username with required Exchange permissions
Password
Password for the account
PowerShell Path
Path to PowerShell.exe noted in step 1
Remote Exchange Path
Path to RemoteExchange.ps1 noted in step 1
Enable Lifecycle Management by checking Enable Lifecycle Management
Save the configuration

6. Verify Configuration

After configuration, the Exchange Server integration will be available for use in Lifecycle Management policies, specifically for the Create Email action. This action can be used in workflows for new employee onboarding or other scenarios requiring email account creation.

GitHub

Configuring the GitHub integration for Veza Lifecycle Management.

Overview

The Veza integration for GitHub enables automated user lifecycle management, with support for user provisioning, team membership management, and account deprovisioning.

Action Type

Description

Supported

This document includes steps to enable the GitHub integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for GitHub

Prerequisites

You will need administrative access in Veza to configure the integration and site administrator privileges in GitHub Enterprise Server.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your GitHub integration has completed at least one successful extraction
The GitHub integration will need the additional required GitHub App permissions:
- Organization permissions - Members (Write) - Required for managing organization memberships
- Organization permissions - Administration (Write) - Required for administrative operations
- Repository permissions - Administration (Write) - Required for managing team memberships

Important: GitHub LCM operations use Admin API endpoints that require site administrator privileges. These operations are typically available in GitHub Enterprise Server environments, not GitHub.com.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a GitHub integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your GitHub data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for GitHub in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

GitHub can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

User login cannot be changed after creation
GitHub usernames must be unique and follow GitHub naming rules (39 characters max, alphanumeric plus hyphens)
Email addresses must be unique across the GitHub instance
Requires site administrator privileges for user creation operations

The following attributes can be synchronized:

GitHub User Attributes

Property

Required

Type

Description

Notes

Manage Relationships

Both adding and removing memberships are supported. Organization and team memberships are automatically removed during deprovisioning.

Add and remove organization memberships with member role
Add and remove team memberships with member role
Synchronize access assignments based on external identity changes
Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned:

User account is suspended in GitHub Enterprise Server
All organization and team memberships are removed automatically
Commit history and attribution are preserved for audit and compliance
Account can be reactivated if needed (unsuspended)
User receives appropriate error messages when attempting to access GitHub

Workflow Examples

New Employee Onboarding

Create GitHub accounts and assign appropriate access for new developers:

Identity Sync: Create user account with basic profile information
Organization Access: Add user to primary GitHub organization
Team Assignment: Assign to development teams based on department
Profile Setup: Configure public email and display name

Role Change Management

Update GitHub access when employees change departments or roles:

Relationship Updates: Remove existing team memberships
New Access: Add memberships for new role requirements
Audit Trail: Track all membership changes for compliance

Employee Offboarding

Securely remove access while preserving development history:

Account Suspension: Suspend GitHub account to prevent access
Membership Removal: Remove all organization and team memberships
History Preservation: Maintain commit attribution and repository history
Compliance: Generate audit trail of all access removal actions

Salesforce

Configuring the Salesforce integration for Veza Lifecycle Management.

Overview

The Veza integration for Salesforce enables automated user lifecycle management across your identity ecosystem. This integration allows security and IT teams to automate the provisioning, updating, and deprovisioning of Salesforce user accounts based on changes in an authoritative source (such as an HRIS system or another identity provider).

Key capabilities include:

User Provisioning: Automatically create Salesforce user accounts with appropriate profiles and permissions
Attribute Synchronization: Keep user details in sync across systems, ensuring data consistency
Permission Management: Assign and remove permission sets and roles based on policies
User Deprovisioning: Safely disable access when users leave the organization

The integration leverages the SCIM protocol for standardized identity management operations and uses Salesforce-specific APIs for permission management.

Action Type

Description

Supported

This document includes steps to enable the Salesforce integration for Lifecycle Management, along with details on supported actions and notes.

Prerequisites and Configuration

Before configuring the integration, ensure you have:

Administrative access in Veza to configure the integration
An existing in Veza or add a new one
At least one successful extraction from your Salesforce integration
The appropriate permissions in Salesforce
Salesforce API v40 or later for user provisioning

Required Permissions

The Salesforce integration will need the following permissions:

Assign Permission Sets: Enables assignment and removal of permission sets for users.
Freeze Users: Enables freezing and unfreezing user accounts.
Manage Internal Users: Required for user creation and updates.
Manage IP Addresses: Required for managing trusted IP ranges if IP restrictions are used.
Manage Login Access Policies: Required for configuring login access policies.
Manage Password Policies: Required for setting and resetting passwords during user creation.
Manage Profiles and Permission Sets: Required for permission set and profile assignment.
Manage Roles: Required for role assignments and management.
Manage Sharing: Required for managing sharing rules and access control.
Manage Users: Essential for user lifecycle operations.
Monitor Login History: Required for monitoring user logins.
Reset User Passwords and Unlock Users: Required for account management.
View All Profiles: Required to view profile information for all users.
View All Users: Required to view all user information.

In Salesforce, you can add these permissions for the Veza connected app in the System Permissions section at the bottom of the Permission Set configuration page.

SCIM Requirements

Veza Lifecycle Management uses Salesforce SCIM APIs for identity provisioning operations. The SCIM protocol enables the automated exchange of user identity data between Veza and Salesforce. The permissions listed above provide the necessary access for SCIM functionality.

The Connected App used for the integration must have OAuth scopes that include api and refresh_token permissions and a certificate for JWT-based authentication
To make the required API calls, the integration requires a custom user profile in Salesforce with "API Enabled" permission

For additional details about Salesforce's SCIM implementation, refer to the .

Enabling the Integration

To enable the integration:

In Veza, go to the Integrations overview.
Search for or create a integration.
1. Ensure the integration permission set includes the .
Check the box to Enable usage for Lifecycle Management.
Save the configuration.

Configure the extraction schedule to ensure your Salesforce data remains current:

Go to Veza Administration > System Settings.
In Pipeline > Extraction Interval, set your preferred interval.
Optionally, set a custom override for Salesforce in the Active Overrides section.

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.
Search for the integration and click the name to view details.
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.

SCIM Implementation Details

Veza's Salesforce integration implements the SCIM 2.0 protocol to standardize identity management operations:

Users are represented with standard SCIM core attributes plus Salesforce-specific Enterprise extensions
The system uses email addresses as the primary key for user lookups
Usernames cannot be changed after creation and must be unique within the Salesforce instance
User profiles are managed through SCIM entitlements
User roles are handled through SCIM roles endpoints
User Deprovisioning is implemented as deactivation (setting active=false)
Permission sets are assigned through Salesforce API calls after user creation

Supported Actions

Salesforce can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Salesforce, with changes propagated to connected systems.

Salesforce can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow:

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

Usernames cannot be changed after creation.
Email addresses must be unique.
Required attributes must be present (Username, Email, FirstName, LastName).
Passwords are set during user creation.
Division and Department attributes are excluded during updates due to Salesforce API limitations.
Salesforce does not support changing usernames after creation.

The following attributes can be synchronized:

Property

Required

Type

Description

Notes

Manage Relationships

The following relationship types are supported:

Groups: Add and remove group memberships (only for groups with Group Type = Regular).
Permission Sets: Add and remove permission set assignments.
Permission Set Groups: Add and remove permission set group assignments.
Profiles: Manage profile assignments.
User Roles: Synchronize user role assignments.

Notes:

Profile and role assignments are managed via SCIM and Salesforce APIs.
When removing a profile assignment, users are assigned the "Minimum Access - Salesforce" profile by default. This profile must exist in your Salesforce instance for profile changes to work properly.
Only Salesforce groups with the property Group Type = Regular can be used in Manage Relationships configurations.
Groups of type RoleAndSubordinatesInternal are not supported but can be assigned through their corresponding roles.
Direct creation of permission sets ("Create Entitlement" action) is not currently supported.

Deprovision Identity

When a user is deprovisioned:

The user account is frozen or deactivated (Salesforce does not allow user deletion).
Permission set assignments are removed.
Attribute history is preserved for audit.
The account can be reactivated if needed.

Snowflake

Configuring the Snowflake integration for Veza Lifecycle Management.

Overview

The Veza integration for Snowflake enables automated user lifecycle management, with support for user provisioning and de-provisioning, role assignment management, and attribute synchronization.

Action Type

Description

Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

✅

MANAGE_RELATIONSHIPS

Controls role assignments for identities

✅

DEPROVISION_IDENTITY

Safely removes or disables access for identities

✅

SOURCE_OF_IDENTITY

Snowflake can act as a target system for identity lifecycle policies from other sources

✅

This document includes steps to enable the Snowflake integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Snowflake

Prerequisites

You will need administrative access in Veza to configure the integration and USERADMIN role or equivalent privileges in Snowflake.
Ensure you have an existing Snowflake integration in Veza or add a new one for use with Lifecycle Management.
Verify your Snowflake integration has completed at least one successful extraction
The Snowflake integration will need the additional required privileges:
- CREATE USER privilege on the account for user provisioning
- GRANT ROLE privilege for role assignments
- OWNERSHIP privilege on target roles for role management
- Access to a warehouse for executing queries during lifecycle operations

Important: The Snowflake user account used for Lifecycle Management operations should have USERADMIN role or higher privileges to ensure proper user and role management capabilities.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a Snowflake integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Snowflake data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Snowflake in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Snowflake can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

User names must be unique and follow Snowflake identifier naming conventions
Login names are used for authentication and must be unique
Passwords are automatically generated and set to require change on first login
Users are created with appropriate default settings for the Snowflake environment

The following attributes can be synchronized:

Snowflake User Attributes

Property

Required

Type

Description

Notes

name

Yes

String

User name identifier

Unique identifier, immutable

login_name

String

Defaults to name if not provided

String

User's email address

Must be valid email format

comment

String

User description or notes

default_role

String

Default role for user sessions

Role must exist in Snowflake

password

String

User password

Auto-generated if not provided

disabled

Boolean

User account status

true = disabled, false = active

Manage Relationships

Role assignment management for users:

Add and remove role assignments for users
Synchronize role memberships from source systems
Support for direct role grants to users
Roles must exist in Snowflake before assignment

Within Snowflake, roles can be associated with:

Database and schema access permissions
Table and view privileges
Warehouse usage rights
Administrative privileges for account management

Deprovision Identity

When a user is deprovisioned:

User account is disabled (set DISABLED = TRUE)
Role assignments are removed to revoke access
User attributes are preserved for audit purposes
Account can be reactivated if needed for compliance requirements

Workflow Examples

Employee Onboarding

Automated provisioning when a new employee joins:

Create User Account: Sync identity attributes from HR system to create Snowflake user with name and login details
Assign Department Role: Grant role based on department attribute (e.g., SALES_ANALYST, DATA_ENGINEER)
Set Default Role: Configure default role for the user's session
Add Email and Comments: Populate user profile with contact information and descriptive notes

Role Change Management

Managing access when employees change roles:

Update User Attributes: Sync changed attributes like email or comments
Remove Old Roles: Revoke previous role assignments that are no longer appropriate
Grant New Roles: Assign roles appropriate for the new position
Update Default Role: Change the user's default role for new sessions

Employee Offboarding

Secure access removal when employees leave:

Disable Account: Set user account to disabled status
Revoke All Roles: Remove all role assignments to eliminate data access
Preserve Audit Trail: Maintain user record and history for compliance
Optional Cleanup: Remove user completely with DROP USER if no audit trail is needed

Workday

This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Overview

Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:

Automated security group assignments for new employees
Dynamic group membership updates during role changes
Access removal during offboarding
Email synchronization between Workday and downstream systems

Supported Capabilities

Source of Identity

Workday serves as an authoritative source for employee identity information:

Entity Type: Workday Worker
Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes

Lifecycle Actions

Manage Relationships

Controls access to Workday security groups.

Entity Types: Workday Security Group
Assignee Types: Workday Account
Supports Relationship Removal: Yes

Write Back Email

Updates email addresses in Workday worker records to maintain consistency with other systems.

Entity Type: Workday Worker
Purpose: Ensures Workday remains the single source of truth for employee email addresses

Custom Properties

The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.

Configuration Steps

1. Create Business Process Security Policy

Log into Workday and search for Edit Business process security policy
Under Business Process Type, select Work Contact Change
Work Contact Change
Find "Initiating Action: Change Work Contact Information (REST Service)"
Create a Segment-Based Security Group
Create security group
Configure the security group:
- Add the security group created for Veza integration
- Add "Worker" scope to Access Rights
Edit security group
Verify the security group appears in Initiating Action Security groups
Pending changes
Click OK and Done to save changes

2. Activate Security Policy Changes

Search for Activate Pending Security Policy Changes
Review changes, add a comment, and click OK
Apply changes
Verify changes in Business Process Security Policy

3. Configure Security Group Permissions

Add these Domain Permissions to the security group:

Access

Policy

View and Modify

Workday Query Language

View and Modify

Person Data: Work Email

View and Modify

Person Data: Work Contact Information

View and Modify

Worker Data: Staffing

View and Modify

Worker Data: Public Worker Reports

Get Only

Security Configuration

Get Only

Business Process Administration

View and Modify

Security Administration

View and Modify

Workday accounts

View and Modify

Special OX Web Services

Get and Put

User-Based Security Group Administration

4. Update API Client Configuration

Open Edit API Client
Add required scopes:
- Staffing
- Contact Information
- System
- Tenant Non-Configurable
- Organizations and Roles
  Edit Workday API client

5. Configure Workday Integration in Veza

Navigate to Configurations > Integrations
Either:
- Create a new Workday integration
- Edit an existing Workday integration
Enable Lifecycle Management:
- Check Enable Lifecycle Management
If using custom attributes, configure them in the Custom Properties section

API Access Notes

The integration uses these API endpoints for email write-back:

%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/emailAddresses
%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/submit
%s/ccx/api/staffing/v5/%s/workers/%s/workContactInformationChanges

For general metadata discovery, WQL queries access:

allWorkdayAccounts
allWorkers
securityGroups
domainSecurityPolicies
businessProcessTypes

Implementation Notes

Workday Workers are the primary entity for identity information
Bidirectional management of Account-Security Group relationships is supported
Email write-back operates on Worker entities, not Account entities
Custom attribute availability depends on your Workday configuration
The Sync Identities action is not currently supported for Workday

Lifecycle Management with Workday, Okta, and Active Directory

Guide for implementing automated user lifecycle management across Workday, Okta, and Active Directory

A well-designed identity Lifecycle Management solution automates the provisioning, synchronization of attributes and metadata, and deprovisioning of user accounts across your application and systems ecosystem.

This guide demonstrates how to implement a worker (employees and contractors) Lifecycle Management solution using Workday as the source of identity with downstream user account provisioning and synchronization platforms of Okta and Active Directory (AD). This represents a common enterprise architecture where worker records originate in an HR system and are provisioned to identity and access management systems, while maintaining a seamless, secure, and compliant user lifecycle process.

System Architecture

The following diagram shows the complete identity provisioning and synchronization architecture from Workday, a human capital management platform, to Okta and Active Directory, which are identity management systems:

The "Joiner Mover Leaver" (JML) process is a framework for managing users' employment lifecycle access within an organization. Provisioning access begins with onboarding new employees (Joiners), then managing internal transitions (Movers), and finally offboarding departing employees (Leavers).

Lifecycle Management is based on the JML paradigm, where Workday is the authoritative source of identity, which is monitored for the status of the worker based on attributes in their record to determine whether the user is a joiner, mover, or leaver.

JML Process Flow

The joiner, mover, leaver (JML) process flows through the systems as follows:

Prerequisites

Before starting this implementation, ensure you have:

Configured Workday for Lifecycle Management
Configured Okta for Lifecycle Management
Configured Active Directory for Lifecycle Management
Completed at least one successful extraction for each integration
Note: An extraction is the metadata ingestion process that pulls identity and permission data from target systems into Veza, enabling it to act across access policies, governance, and provisioning workflows.
Administrative access to Veza to create Lifecycle Management policies

Implementation Steps

Step 1: Define Access Profiles

First, create Access Profiles that define which application entitlements a group of users will be assigned:

Go to Lifecycle Management > Access Profiles
Click Create Access Profile
Configure a profile for each department or role:

Example: Engineering Department Profile

Name: Engineering Department Access
Profile Type: Application Entitlements 
Description: Standard access for Engineering department employees
Label: Developers

Entitlements:
- Active Directory Group: Engineering
- Okta Group: Engineering

Example: Marketing Department Profile

Name: Marketing Department Access
Profile Type: Application Entitlements
Description: Standard access for Marketing department employees

Entitlements:
- Active Directory Group: Marketing
- Okta Group: Marketing

Create additional profiles as needed based on your organizational structure.

Step 2: Create a Lifecycle Management Policy associated with Workday

Next, create a Lifecycle Management policy using Workday as the source of identity:

Navigate to Lifecycle Management > Policies
Click Create Policy
Configure the policy:
- Name: Workday Employee Lifecycle
- Source of Identity: Workday
- Data Source: Your Workday integration
- Entity Type: Workday Worker
Click Create Policy to save the basic configuration

Step 3: Configure Joiner Workflow

Now add a workflow for new employee onboarding:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:
- Workflow Name: Active Employee
- Condition: is_active eq true AND hire_date eq "2025-08-04T00:00:00" This condition is triggered when, in Workday, the employee is active and a defined hiring date is "2025-08-04T00:00:00". Therefore, any active employee hired on or after the specified date is considered a joiner.
- Continuous Sync: Enabled Continuous Sync is enabled, allowing updates to a user's source attributes—such as email, department, manager, or role—to be automatically synchronized to the target application on an ongoing basis after the user is provisioned.
Add actions to the workflow as detailed in the Configuration Reference section.

Step 4: Configure Mover Workflow

Add a workflow for handling employee role changes:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:
- Workflow Name: Mover Workflow - Regional Sales Manager
- Condition: is_active eq true AND first_name eq “Sarah” AND last_name eq “Johnson” AND position eq “Regional Sales Manager”
- Continuous Sync: Enabled
Add actions similar to the Joiner workflow, but ensure Remove Existing Relationships is enabled in the Manage Relationships actions to update group memberships when departments change When a user’s role changes (mover), you often need to revoke existing entitlements—like group memberships, role assignments, and permission set grants—not just avoid adding new ones. Enabling Remove Existing Relationships ensures that previously granted relationships are actively removed to prevent privilege creep or orphaned access.

Step 5: Configure Leaver Workflow

Finally, add a workflow for employee termination:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:
- Workflow Name: Employee Termination
- Condition: is_active eq false OR termination_date eq "2025-08-08T00:00:00" This condition is triggered when the employee is no longer active and a defined termination date is "2025-08-08T00:00:00". Therefore, any non-active employee terminated on or after the specified date is considered a leaver.
Add deprovisioning actions, such as Deprovision Okta Identities and Deprovision AD Identities

Step 6: Enable and Test the Policy

After configuring your workflows for joiners, movers, and leavers, you can test your policy using Simulated Dry Runs to check the expected actions when executed.

Another approach to test your policy is to create draft versions. You can make changes to your policy as an iterative draft until you are satisfied with the results. You can then publish the final version and enable it.

As a final verification, make modifications to the Workday application to test your policy's expected performance. Ensure that the downstream applications, Okta and Active Directory, are correct with the modifications.

Test using Simulation Dry Run

Select Workday Employee Lifecycle policy.
Click the overflow menu (three dots icon) at the top of the page.
Select Perform Dry Run.
In the Identity field, select an employee name from the dropdown menu.
The Dry Run takes seconds to execute. Click Show results.
Ensure that Okta and Active Directory contain the correct identity information for the employee.

Test using Draft Versioning

Select Workday Employee Lifecycle policy.
Click Create Draft.
Select Edit Workflow.
Modify any workflow in your policy.
Click Save Workflow. The workflow is now a draft version.
Continue to iterate on changes to the workflow until it is ready.
Click Publish when the policy performs satisfactorily.
Click Settings at the top of the page.
Click Policy Settings.
Enable the Enable Policy Draft Mode radio button.
In the Policy page, select your policy and click Actions.
In the Actions menu, select Start.

Make changes to the Workday application to test your policy

In your Workday application, update the source of identity to test your policy. The following is a list of suggested changes:

Change the employee’s employee type (ie, from regular to contractor)
Verify account creation in Okta and Active Directory
Change the employee's department and verify group membership updates
Terminate the employee and verify account deprovisioning

Identity Synchronization Configuration Reference

Identity Synchronization is implemented during Lifecycle Management provisioning workflows. It is used to prevent provisioning errors due to duplication of username and/or email address. It supports robust identity sync across downstream applications (Okta and Active Directory) with different naming constraints or enforces unique identifiers.

Use Identity Synchronization if your target system already has an identity with a given attribute (e.g., a username or email is already in use).

Enable Identity Synchronization

In the Policy page, select your policy, Workday Employee Lifecycle policy.
Select Policy Settings.
Scroll down to Advanced Settings.
Under Identity Syncing, enable Sync on changes only or Always sync.

Sync Okta Identities

Synchronizes employee records to Okta user accounts, creating and updating user profiles with mapped worker attributes from Workday.

Configuration:

Description: Synchronizes identities to Okta
Target: OktaUser
Create Allowed: Yes
Continuous Sync: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

{username}@sigmacorpx.com

Yes

first_name

{first_name}

Yes

last_name

{last_name}

Yes

country_code

{work_location}

Yes

{username}@sigmacorpx.com

Common transformer

Conditional Actions

All Employees

Assigns "All Okta Employee Access" profile
Does not remove existing relationships

US Developers

Condition: wd_location eq "US" and department eq "developer"
Assigns developer-specific access profiles
Does not remove existing relationships

Sync Active Directory Identities

Creates and updates on-premises Active Directory accounts with location-specific group assignments and standardized naming conventions for different employee categories.

Configuration:

Description: Synchronizes identities to Active Directory
Target: ActiveDirectoryUser
Create Allowed: Yes
Continuous Sync: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

distinguished_name

CN={first_name} {last_name},OU=Minnetonka,OU=US,OU=Evergreen Staff,DC=evergreentrucks,DC=local

Yes

See for more information on distinguished_name.

user_principal_name

{username}@evergreentrucks.com

Yes

{username}@evergreentrucks.com

Yes

display_name

{display_full_name}

Yes

given_name

{first_name}

Yes

sur_name

{last_name}

Yes

country_code

{work_location}

Yes

job_title

{job_title}

Yes

primary_group_dn

CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local

Yes

account_name

{display_full_name}

Common transformer

Conditional Actions

US Location

Condition: work_location eq "US"
Assigns US Groups
Removes existing relationships

Executive Group

Condition: employee_group eq "Executive"
Assigns the Executive Employee group
Removes existing relationships

China Location

Condition: work_location eq "China"
Assigns China Groups
Removes existing relationships

Deprovisioning Configuration Reference

Defines the procedures for safely removing access when employees leave the organization, including specific handling for each identity provider.

Deprovision Okta Identities

Handles employee offboarding in Okta by disabling accounts while preserving access history and configurations.

Configuration:

Description: Disables identities in Okta
Target: OktaUser
Remove Relationships: No
Deprovisioning Method: Disabled
Logout User: No
Remove Personal Devices: No

Deprovision Active Directory Identities

Controls the offboarding process for on-premises Active Directory, including moving accounts to a terminated user's organizational unit.

Configuration:

Description: Disables identities in Active Directory
Target: ActiveDirectoryUser
Remove Relationships: No
Deprovisioning Method: Disabled

Attribute Transformations

Destination Attribute

Value

Continuous Sync

distinguished_name

CN={first_name} {last_name},OU=Evergreen Termination,OU=Evergreen Staff,DC=evergreentrucks,DC=local

primary_group_dn

CN=Terminated Users,OU=Evergreen Groups,DC=evergreentrucks,DC=local

Expanded Joiner/Mover/Leaver Scenarios

Below are more detailed examples of joiner, mover, and leaver scenarios that you can implement using Veza's Lifecycle Management.

Joiner Scenarios

Example 1: Full-Time Employee Onboarding

Trigger: New employee record created in Workday with status="Active" and worker_type="Full_Time"
Actions:
1. Create Okta user with attributes from Workday transformer
2. Assign to department-specific groups in Okta
3. Create AD user with attributes from Workday transformer
4. Add to appropriate security groups in AD based on job role
5. Send welcome email with account information

Example 2: Contractor Onboarding

Trigger: New worker record created in Workday with status="Active" and worker_type="Contractor"
Actions:
1. Create Okta user with limited attribute set and "Contractor-" prefix in username
2. Assign to contractor-specific groups in Okta
3. Create time-limited AD account with expiration date set to contract end date
4. Add to contractor security groups with restricted access
5. Send welcome email with temporary password and access instructions

Mover Scenarios

Example 1: Department Change

Trigger: Employee department changed in Workday
Actions:
1. Update department attribute in Okta and AD
2. Remove previous department group memberships in both systems
3. Add new department group memberships in both systems
4. Update OU placement in AD
5. Send notification to new manager

Example 2: Promotion to Manager

Trigger: Employee job level changed to include management flag
Actions:
1. Update job title in all systems
2. Add to manager-specific groups in Okta and AD
3. Add to approval workflows in relevant systems
4. Send manager training notification

Leaver Scenarios

Example 1: Standard Termination

Trigger: Employee status changed to "Terminated" in Workday
Actions:
1. Disable user in Okta and AD (do not delete)
2. Remove all group memberships
3. Revoke all application access
4. Move AD account to "Terminated Users" OU
5. Generate access termination report for compliance

Example 2: Involuntary Termination (Security Risk)

Trigger: Employee terminated with reason="Security Risk"
Actions:
1. Immediately disable all accounts (high priority)
2. Force logout from all active sessions
3. Reset all passwords
4. Remove all access rights and group memberships
5. Generate security incident report

Advanced Attribute Transformer Examples

Workday to Okta Transformer (Enhanced)

# Okta User Attributes
login: {worker_id}@company.com
email: {work_email | DEFAULT, "{worker_id}@company.com"}
first_name: {first_name}
last_name: {last_name}
display_name: {first_name} {last_name}
department: {department_name}
title: {job_title}
manager_id: {manager_worker_id}@company.com
# Handle different user types
user_type: {worker_type | LOWERCASE | REPLACE, "full_time", "Employee" | REPLACE, "contractor", "Contractor" | DEFAULT, "Employee"}
employee_id: {employee_id}
# Custom attributes
customField1: {location_code}
customField2: {hire_date | DATE_FORMAT, "yyyy-MM-dd"}
customField3: {termination_date | DATE_FORMAT, "yyyy-MM-dd" | DEFAULT, ""}

Workday to Active Directory Transformer (Enhanced)

# AD User Attributes
account_name: {worker_id}
# Build distinguished name based on employment type and department
distinguished_name: {worker_type | EQUALS, "contractor" | IF_TRUE, "CN={first_name} {last_name},OU=Contractors,OU={department_name},DC=company,DC=local" | IF_FALSE, "CN={first_name} {last_name},OU=Employees,OU={department_name},DC=company,DC=local"}
user_principal_name: {worker_id}@company.local
email: {work_email | DEFAULT, "{worker_id}@company.com"}
display_name: {first_name} {last_name}
given_name: {first_name}
sur_name: {last_name}
department: {department_name}
job_title: {job_title}
description: {job_title} - {department_name}
company: Company Inc.
# Set account expiration for contractors
account_expires: {worker_type | EQUALS, "contractor" | IF_TRUE, {contract_end_date} | IF_FALSE, ""}
# Custom attributes
extension_attribute_1: {cost_center}
extension_attribute_2: {business_unit}
extension_attribute_3: {hire_date | DATE_FORMAT, "yyyy-MM-dd"}
extension_attribute_4: {employee_id}

Advanced Configuration

Using Attribute Overrides

To handle edge cases where standard attribute formatting is not effective, use Identity Override Attributes to define special exceptions. For example:

Contractors vs. Employees: Use different username formats based on employment type
Username Conflicts: Configure fallback formatters for handling duplicate usernames
Location-Specific Naming: Apply different naming conventions based on location or region

Email Write-Back to Workday

Ensure your email addresses remain consistent by configuring email write-back to Workday:

In your Joiner workflow, after the Sync Identities actions, add:
- Add Action > Create Email
- Configure for your email system
Then add:
- Add Action > Write Back Email
- Integration: Your Workday integration
- Entity Type: Workday Worker

This ensures the email created in your systems is written back to Workday as the source of truth.

Conditional Logic Best Practices

When implementing conditional actions, consider these patterns for robust lifecycle management:

Location-Based Conditions

# US-based employees
work_location eq "US"

# International employees requiring different treatment
work_location eq "China" OR work_location eq "EMEA"

# Remote workers
work_location eq "Remote" OR office_location contains "Remote"

Role-Based Conditions

# Technical roles requiring elevated access
department eq "Engineering" OR department eq "DevOps" OR job_title contains "Developer"

# Management roles
job_level eq "Manager" OR job_level eq "Director" OR job_level eq "VP"

# Sensitive roles requiring additional security
department eq "Finance" OR department eq "Legal" OR department eq "HR"

Employment Type Conditions

# Full-time employees
worker_type eq "Full_Time" AND status eq "Active"

# Contractors with time-limited access
worker_type eq "Contractor" AND contract_end_date is not null

# Temporary workers
worker_type eq "Temporary" OR employment_status eq "Temp"

Monitoring and Troubleshooting

Activity Log Monitoring

Monitor your lifecycle management workflows using the Activity Log:

Navigate to Lifecycle Management > Activity Log
Filter by policy name to see all actions for your Workday policy
Look for failed actions and investigate error messages
Use the activity details to verify that transformations are working correctly

Common Issues and Solutions

Username Conflicts

If usernames are already taken in target systems:

Configure Fallback Formatters to handle conflicts
Use employee ID or other unique identifiers as backup username formats

Missing Attributes

If required attributes are missing from Workday:

Use DEFAULT transformers to provide fallback values
Configure conditional logic to handle missing data gracefully

Group Assignment Failures

If group assignments fail:

Verify that referenced groups exist in target systems
Check that service accounts have sufficient permissions
Use conditional logic to assign groups only when they exist

Attribute Sync and Transformers

Configure how user attributes from a source of identity are transformed and synchronized for target user accounts

When creating workflows in Lifecycle Management policies to create, sync, or deprovision identities, you will use attribute transformers to specify how user attributes for target accounts should be structured. The target attributes to create or update are typically mapped and optionally transformed from user metadata from the source of identity, such as an identity provider, HR system, or CSV upload. Attributes can be synchronized once or kept in continuous sync as changes occur over the user’s employment lifecycle.

For example, attribute mapping and transformation can be used across Joiner, Mover, and Leaver scenarios:

Joiner: Set new Azure AD User Principal Name to {source username}@your-email-domain.com. This is an example of mapping multiple attributes and performing a transformation. More specifically, you use the attribute transformer to generate an email address for new joiners. Use the source username (user_principal_name) from the source of identity (Azure AD UPN) for the first part (user attribute), while your-email-domain.com is used for the last part (target attribute).
Mover: Always update a user’s “Manager” and “Department” attributes in Okta to match the user’s manager and department in Workday, a source of identity, whenever a department change or other employee mobility event occurs. This is an example of attribute mapping with continuous synchronization.
Leaver: Move a user’s Active Directory account to an Organizational Unit (OU) reserved for terminated accounts.

When synchronizing a user’s attributes, Veza may apply many transformations to convert the source attribute values into a more suitable format intended for the target application as a user account attribute.

For example, a transformer might remove the domain from an email address, replace special characters, or convert a string with uppercase letters to lowercase letters.

See the following sections for more information about formatting destination attributes and possible transformations:

Continuous Sync

Continuous Sync ensures that identity attributes in target systems remain up-to-date with the corresponding attributes residing at the source of truth. It has three configuration levels that work together to determine how attributes are synchronized:

Workflow Level

The workflow's continuous sync setting controls change detection:

When enabled: The workflow monitors for any changes in the source system
When disabled: The workflow only runs during initial provisioning

Action Level

For Sync Identity actions, this controls whether existing entities can be updated:

When enabled: The action can update existing entities
When disabled: The action only sets attributes during initial creation

Attribute Level

Individual attributes can be configured for continuous sync:

When enabled: The attribute will be updated when changes are detected
When disabled: The attribute is only set during initial creation

You may not want to enable continuous sync at the Attribute level when there is a change in the user principal name, such as a change in marital status or legal name correction.

All three levels must be enabled for an attribute to be continuously synchronized. For example, if you want to keep an employee's department updated:

Enable continuous sync on the workflow to monitor for changes
Enable continuous sync on the sync action to allow updates
Enable continuous sync on the department attribute transformer

Recommended Settings

Enable continuous sync for attributes that change during employment:

First Name Surname
Department
Title
Manager
Cost Center
AD Distinguished Name (DN)
AD User Principal Name (UPN)
AD Email

Disable continuous sync for stable identifiers:

Active Directory sAMAccountName
Email Addresses (for Email Write-Back action)

This configuration ensures that dynamic attributes stay updated while preserving stable identifiers.

Adding transformers

Common transformers define one or more rules to apply when synchronizing the attributes of a target identity. Use them at the Policy level where you want to create or update attributes using the same conventions across multiple sync or deprovision actions. When you need to configure a one-time individual action in a workflow, such as a specific attribute, then you use the transformer at the Action level.

At the Policy level, you configure a transformer with basic details, including how to source the value of each attribute:

Assign a name and description to the transformer, and specify the data source to which it applies.
Entity Type: Choose the target entity type in the destination system.
Click Add Attribute. The Destination Attribute dropdown will list available attributes for the chosen entity type.
- Destination Attribute: Choose the attribute that Veza will create or update for the target entity.
- Formatter: Choose how the destination attribute should be formatted. Specify the value, a {source\_attribute}, or apply Transformation Functions.
- Pipeline Functions: Combines a series of attribute formatters with the pipe ( | ) character that runs the value of an attribute in sequential order, where the output of one formatter becomes the input of the following formatter, thus the name, pipeline.
See Pipeline Functions for more examples.
- Continuous Sync: Enabling this option ensures that the attribute is always synced, while applying any defined transformations. By default, attributes will not be synced if the target identity already exists.

After creating a common transformer, you can select it when editing a workflow action. You can edit or delete common transformers on the Edit Policy > Common Transformers tab. Remember that “Sync Identity” and “De-Provision Identity” actions can have action-level transformers override common transformers. If the same destination attribute is defined in both, the action-level transformer will take precedence.

Formatters

Formatters specify the actual value of the attribute to synchronize. The target attribute can be set to a specific value, synchronized with a source attribute, transformed using a function, or a combination of these.

Some formatters should enable continuous synchronization for the attribute, while others should not. For example, the value of "Created By" should be immutable once a user account is provisioned. Other attributes that represent a state or status should be synchronized throughout the user's or account's lifecycle.

Simple Value Setting

To create a destination attribute with a fixed value, enter the desired value when configuring the formatter. For setting the creator attribute:

Destination Attribute

Formatter

Continuous Sync

created_by

“Veza”

Disabled

For activating a re-hired employee:

Destination Attribute

Formatter

Continuous Sync

isActive

true

Enabled

Empty Values

To set empty values (common for de-provisioning flows):

Destination Attribute

Formatter

Continuous Sync

manager_id

" "

Enabled

isActive

false

Enabled

Source of Identity Formatters

Target attributes can be updated based on attributes belonging to the source of identity. To reference the value of a source entity attribute, use the format {\<source\_attribute\_name>}. Examples:

Destination Attribute

Formatter Example

Continuous Sync

first_name

{first\_name}

Enabled

last_name

{last\_name}

Enabled

{first_name}.{last_name}@domain.com {first_name}_{last_name}@domain.com {last_name}@domain.com {firstname_initial}{last_name}@domain.com {firstname_initial}-{last_name}@domain.com {firstname_initial}{middlename_initial}{last_name}@domain.com {firstname_initial}-{last_name} {last_name}-{firstname_initial}@domain.com

Transformation functions

Based on the user metadata available from your source of identity (SOI), you may need to convert a full email address to a valid username, standardize a date, or generate a unique identifier for users provisioned by Veza. Suppose an attribute value needs to be altered for compatibility with the target system. In that case, you can transform the value of a source attribute or apply a range of other functions to generate the target value.

Formatter expressions use the following syntax: {\<source\_attribute\_name> | \<FUNCTION\_NAME>,\<param1>,\<param2>} For example:

Destination Attribute

Formatter

Description

Example

username

`{email | REMOVE_DOMAIN}`

Removes the domain from the email to create username

"jsmith" is the output derived from [email protected]

user_id

`f{id | UPPER}`

Converts ID to uppercase

JSMITH" is the output derived from the userid, "jsmith"

Table of transformation functions

Refer to the Transformer Reference page for a comprehensive list of all supported functions and parameters. Contact Veza if you require additional transformations for your use case. Some commonly used transformation functions include:

Replacing a character with a different one
Removing domains from email addresses
Transforming to upper, lower, camel, or snake case
Using a substring from the original value
Generating random values (e.g., RANDOM_INTEGER for numeric ranges)

Using the ASCII Transformer

The ASCII transformer is particularly useful when working with localized user data and legacy systems that have strict character set limitations (such as Active Directory sAMAccountName restrictions). This transformer performs two primary operations:

Removes all non-printable ASCII characters (including control codes, zero-width spaces, tabs, and newlines)
Converts non-ASCII characters to their closest ASCII equivalents

Whereas the REMOVE_DIACRITICS transformer only removes accent marks while preserving the basic character, the ASCII transformer performs a more comprehensive conversion, replacing characters like “Ł” with “L” and handling a wider range of non-ASCII characters, including the following:

Accented Letters: Letters with diacritics like é, à, ö, ñ, ç, etc., commonly used in languages like French, Spanish, German, and Portuguese. Non-Latin Alphabets: Characters from various alphabets such as Cyrillic (e.g., ж, б), Greek (e.g., α, β), Arabic (e.g., ح, ص), Hebrew, and Chinese (e.g., 汉, 字). Mathematical and Technical Symbols: Symbols like infinity (∞), integral (∫), summation (∑), Ohm (Ω), degree (°). Currency Symbols: Symbols like €, £, ¥. Emoji: Various emoticons like 😊, 😞, etc. Other Symbols: Symbols like ©, ®, ™, etc.

DATE_FORMAT Transformer using Date Strings

The DATE_FORMAT transformer formats date strings using Go time package layout syntax. This transformer helps convert between different date formats, such as transforming dates for LDAP integration or standardizing date formats across systems.

Go Time Layout Syntax

Go time layouts use a specific reference time: Monday, January 2, 15:04:05 MST 2006, which is Unix time 1136239445. All layout strings must use the exact digits and format from this reference time. For more information about Go time layouts, refer to the official Go time package documentation. Date Components:

2006 = 4-digit year
06 = 2-digit year
01 = 2-digit month (01-12)
1 = 1-digit month (1-12)
Jan = 3-letter month abbreviation
January = full month name
02 = 2-digit day (01-31)
2 = 1-digit day (1-31)
_2 = space-padded day
DateTime = “2006-01-02 15:04:05”
DateOnly = “2006-01-02”

Time Components:

15 = 24-hour format hour (00-23)
03 = 12-hour format hour (01-12)
3 = 12-hour format hour without leading zero (1-12)
04 = minute (00-59)
4 = minute without leading zero (0-59)
05 = second (00-59)
5 = second without leading zero (0-59)
PM = AM/PM indicator
pm = am/pm indicator (lowercase)
TimeOnly = “15:04:05”

Weekday Components:

Mon = 3-letter weekday abbreviation
Monday = full weekday name

Time Zone Components:

MST = time zone abbreviation
Z0700 = RFC3339 time zone format
Z07:00 = RFC3339 time zone format with colon

RFC Components:

RFC822 = “02 Jan 06 15:04 MST”
RFC822Z = “02 Jan 06 15:04 -0700” // RFC822 with numeric zone
RFC850 = “Monday, 02-Jan-06 15:04:05 MST”
RFC1123 = “Mon, 02 Jan 2006 15:04:05 MST”
RFC1123Z = “Mon, 02 Jan 2006 15:04:05 -0700” // RFC1123 with numeric zone
RFC3339 = “2006-01-02T15:04:05Z07:00”
RFC3339Nano = “2006-01-02T15:04:05.999999999Z07:00”

Other Constant Components:

Layout = “01/02 03:04:05PM '06 -0700” // The reference time, in numerical order.
ANSIC = “Mon Jan _2 15:04:05 2006”
UnixDate = “Mon Jan _2 15:04:05 MST 2006”
RubyDate = “Mon Jan 02 15:04:05 -0700 2006”
Kitchen = “3:04PM” // Handy time stamps.
Stamp = “Jan _2 15:04:05”
StampMilli = “Jan _2 15:04:05.000”
StampMicro = “Jan _2 15:04:05.000000”
StampNano = “Jan _2 15:04:05.000000000”

Common Layout Examples

Layout String

Format

Example Output

01/02/2006

MM/DD/YYYY

03/15/2023

2006-01-02

YYYY-MM-DD

2023-03-15

02-Jan-2006

DD-MMM-YYYY

15-Mar-2023

Jan 2, 2006

MMM D, YYYY

Mar 15, 2023

Monday, January 2, 2006

Full date

Wednesday, March 15, 2023

2006-01-02 15:04:05

Full timestamp

2023-03-15 14:30:25

03:04:05 PM

12-hour time

02:30:25 PM

15:04

24-hour time

14:30

20060102150405Z

LDAP Z time format

20230315143025Z

Usage Examples

Basic Date Formatting:

`{start_date | DATE_FORMAT, "01/02/2006"}`

Formats any recognized date input into MM/DD/YYYY format.

Converting Between Specific Formats:

`{hire_date | DATE_FORMAT, "2006-01-02", "01/02/2006"}`

Parses input in MM/DD/YYYY format and outputs in YYYY-MM-DD format.

LDAP Integration Example: The DATE_FORMAT transformer was specifically enhanced to support LDAP Z and Win32 time format requirements.

The Z time format (20060102150405Z) is commonly used in LDAP directories and represents timestamps in UTC with a ‘Z’ suffix indicating zero UTC offset.

`{timestamp | DATE_FORMAT, "20060102150405Z"}`

Converts a date to LDAP Z time format for directory integration. Example for LDAP account expiration:

`{account_expires | DATE_FORMAT, "20060102150405Z"}`

Human-Readable Format:

`{event_date | DATE_FORMAT, "Monday, January 2, 2006"}`

Outputs a full, human-readable date format. Time Zone Handling:

{utc_time | DATE_FORMAT, "2006-01-02 15:04:05 MST"}

Includes time zone information in the output.

Additionally, the DATE_FORMAT transformer supports LDAP time format requirements using the format Win32 in LDAP directories:

{timestamp | DATE_FORMAT, "Win32"}

Converts a date to LDAP time format for directory integration.

Notes on DATE_FORMAT Transformers

Input Format: When the second parameter (input layout) is omitted, the transformer attempts to parse the input using common date formats automatically
Case Sensitivity: Layout components are case-sensitive (e.g., PM vs pm)
Leading Zeros: Use 01, 02, etc. for zero-padded values, and 1, 2, etc. for non-padded values
Reference Time: All layouts must use the exact reference time digits: Mon Jan 2 15:04:05 MST 2006

DATE_FORMAT Transformer using Time String (Generalized-Time)

The DATE_FORMAT transformer is used for formatting time using a time string to store time values in Generalized-Time format, which is required for Active Directory and other Microsoft-based target applications.

The Generalized-Time syntax is “YYYYMMDDHHMMSS.0Z”. Time String Format Example:

{date | DATE_FORMAT, "20010928060000.0Z"}

The “Z” indicates no time differential. Active Directory stores date/time as Greenwich Mean Time (GMT). If no time differential is specified, GMT is the default.

If the time is specified in a time zone other than GMT, the differential between the time zone and GMT is appended to the string instead of “Z” in the form “YYYYMMDDHHMMSS.0[+/-]HHMM”. Time Zone Format Example:

{date | DATE_FORMAT, "20010928060000.0+0200"}

The differential is based on the formula: GMT = Local + Differential.

String Manipulation Transformers

These transformers enable the cleaning, formatting, and standardization of string data from your source systems.

REMOVE_CHARS

The REMOVE_CHARS transformer removes all instances of specified characters from a string. This is useful for cleaning up data by removing unwanted punctuation, special characters, or formatting elements. Use Cases:

User ID creation: {email | REMOVE_CHARS, “-”}
- If email is "[email protected]", the result is “johndoe@examplecom”
Phone number formatting: {phone_number | REMOVE_CHARS, "()- "}
- If phone_number is “(123) 456-7890”, the result is “1234567890”
Cleaning account names: {account_name | REMOVE_CHARS, “!@#$%”}
- Removes special characters that might cause issues in target systems

REMOVE_WHITESPACE

The REMOVE_WHITESPACE transformer removes all whitespace characters (spaces, tabs, newlines) from a string. It can help create compact identifiers or ensure data consistency. Use Cases:

Username generation: {display_name | REMOVE_WHITESPACE}
- If display_name is “John A. Doe”, the result is “JohnA.Doe”
Tag creation: {department | REMOVE_WHITESPACE | LOWER}
- If the department is “Human Resources”, the result is “humanresources”
Creating system identifiers: {cost_center | REMOVE_WHITESPACE}
- Ensures cost center codes have no embedded spaces

TRIM, TRIM_CHARS, TRIM_CHARS_LEFT, and TRIM_CHARS_RIGHT

These transformers help clean up strings by removing unwanted characters from the beginning and/or end of strings. This is essential for data hygiene and ensuring consistent formatting. TRIM: Removes leading and trailing whitespace

Basic cleanup: {display_name | TRIM}
- If display_name is " John Doe ", the result is “John Doe”

TRIM_CHARS: Removes specified characters from both ends

Cleaning employee IDs: {employee_id | TRIM_CHARS, “0.”}
- If employee_id is “000.123.000”, the result is “123”
Removing padding characters: {code | TRIM_CHARS, “-_”}
- If code is “—ABC123___”, the result is “ABC123”

TRIM_CHARS_LEFT: Removes specified characters from the beginning only

Removing leading zeros: {cost_center | TRIM_CHARS_LEFT, “0”}
- If cost_center is “00012345”, the result is “12345”
Cleaning prefixes: {identifier | TRIM_CHARS_LEFT, “x”}
- If identifier is “xxxABC123”, the result is “ABC123”

TRIM_CHARS_RIGHT: Removes specified characters from the end only

Removing trailing characters: {office_code | TRIM_CHARS_RIGHT, “0”}
- If office_code is “ABC12300”, the result is “ABC123”
Cleaning suffixes: {code | TRIM_CHARS_RIGHT, “temp”}
- If code is “ABC123temp”, the result is “ABC123”

Advanced Conditional Logic with NEXT_NUMBER

The NEXT_NUMBER transformer can be combined with IF/ELSE conditional logic to create intelligent username generation with automatic fallback strategies. This is particularly useful for handling length constraints and ensuring unique usernames in Lifecycle Management attribute transformers.

Only one NEXT_NUMBER transformer can be used per transformation expression
The first alternative uses an empty string (""), followed by numbered alternatives (“2”, “3”, etc.)
Alternative values are automatically generated to ensure username uniqueness

Username Generation with Length-Based Fallbacks

This example creates usernames that adapt based on length constraints, using the sys_attr__would_be_value_len system attribute to evaluate the length of the generated value:

IF sys_attr__would_be_value_len le 20
  {first_name | LOWER}.{last_name | LOWER | NEXT_NUMBER, 2, 3}
ELSE IF sys_attr__would_be_value_len le 30
  {first_name | LOWER}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}
ELSE
  {first_name | LOWER | FIRST_N, 1}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}

Example outputs: For a user named “John Whitaker” (short enough for the first condition):

Base value: john.whitaker
Alternatives: john.whitaker2, john.whitaker3, john.whitaker4

For a user named “Leonevenkataramanathan Foster” (requires truncation to meet length limits):

Base value: l.f
Alternatives: l.f2, l.f3, l.f4

This approach ensures that username generation adapts to different name lengths while maintaining consistency and uniqueness across your identity management system.

Pipeline Functions {#pipeline-functions}

You can pipeline multiple transformation functions together, separated by a vertical bar (|). Each will apply in sequence, allowing for complex attribute formatters that use the output of one function as the input of another.

Example Pipeline Functions

{name | UPPER}
- If name = Smith, the result is SMITH.
{first\_name | SUB\_STRING,0,1 | LOWER}.{last\_name | LOWER}
- If first_name = John and last_name = Smith, the result is j.smith.
{email | REMOVE\_DOMAIN}
- If email = [email protected], the result is john.smith.
{email | REPLACE\_ALL, " ", "."}
- If email = john [email protected], the result is [email protected].
{location | LOOKUP locationTable, location\_code, city}
- If location = IL001, the result is Chicago (using a lookup table named locationTable).
{start\_date | DATE\_FORMAT, "01/02/2006" | UPPER}
- If start_date = 2023-03-15, the result is 03/15/2023 (DATE_FORMAT doesn't typically need UPPER, but shows pipeline capability).
{hire\_date | DATE\_FORMAT, "Jan 2, 2006" | REPLACE\_ALL, " ", "\_"}
- If hire_date = 2023-03-15, the result is Mar_15,_2023.
{office\_code | TRIM\_CHARS\_LEFT, ".0" | TRIM\_CHARS\_RIGHT, ".USCA"}
- If office_code = 000.8675309.USCA, the result is 8675309.
{username | REMOVE\_CHARS, ".-\_" | TRIM | UPPER}
- If username = "–john.doe_–", the result is JOHNDOE.
{employee\_id | REMOVE\_CHARS, "#" | TRIM\_CHARS, "0" | LEFT\_PAD, 6, "0"}
- If employee_id = "##001234##", the result is 001234.
{department | REMOVE\_WHITESPACE | LOWER | REPLACE\_ALL, "&", "and"}
- If department = "Sales & Marketing", the result is salesandmarketing.
TEST{| RANDOM_INTEGER, 1000, 9999}
- Generates test IDs like TEST4827, TEST8391 (see RANDOM_INTEGER for details).

Common Transformers

As part of implementing Lifecycle Management (LCM) processes with Veza, you should create sets of common transformers to define how values such as username, login, or ID are sourced for each LCM Policy. These transformers can then be reused across all identity sync and deprovision policy workflows. As part of implementing Lifecycle Management (LCM) processes with Veza, you should create sets of common transformers to define how values such as username, login, or ID are sourced for each LCM Policy. These transformers can then be reused across all identity sync and deprovision policy workflows.

Create common transformers to consistently form attributes for specific entity types, and reuse them to avoid errors and save time when creating actions for that entity type. The order of common transformers matters when multiple transformers set the same destination attribute. Drag-and-drop to reorder common transformers and control precedence.

For example, defining a common synced attribute to describe how to format Azure AD account names {username}@evergreentrucks.com enables reuse across multiple workflow actions. You can also define synced attributes at the action level when they are used only once within a policy, such as setting the primary group DN and OU of de-provisioned identities to a group reserved for terminated accounts.

Common Transformer Examples:

Transformer & Entity Type

Attribute

Value Format

Continuous Sync

Description

ADAccountTransformer ActiveDirectoryUser

account_name

{display_full_name}

Basic account name

distinguished_name

CN={first_name} {last_name},OU={department},OU={location},DC=company,DC=local

Yes

Full AD path

user_principal_name

{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}

SUB_STRING,0,1

LOWER}.{last_name

{first_name}{last_name}@company.com

Yes

Email address

OktaAccountTransformer OktaUser

{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}

SUB_STRING,0,1

LOWER}{last_name

{first_name}{last_name}@company.com

Yes

Email address

username_prefix

{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}

SUB_STRING,0,1

LOWER}{last_name

AzureADTransformer AzureADUser

principal_name

{first_name}{last_name}

Primary identifier

mail_nickname

{first_name | SUB_STRING,0,1 | LOWER}{last_name | LOWER}

SUB_STRING,0,1

LOWER}{last_name

display_name

{first_name} {last_name}

Yes

Display name

GoogleAccountTransformer GoogleWorkspaceUser

{first_name}{last_name}@company.com

Primary email

email_addresses

{username}@company.com

Email list

recovery_email

{personal_email}

Yes

Backup email

ContractorTransformer ActiveDirectoryUser

account_name

c-{username}

Contractor prefix

distinguished_name

CN={first_name} {last_name},OU=Contractors,OU={department},DC=company,DC=local

Yes

Contractor OU

description

Contractor - {vendor_company} - Start Date: {start_date}

Yes

Metadata

RegionalEmailTransformer ExchangeUser

email_address

{username}@{region}.company.com

Regional email

alias

{first_name}.{last_name}@{region}.company.com

Yes

Regional alias

$Target Attribute Transformer Function

The $Target attribute transformer function is used when a value consists of one or more attributes that require an operation(s), making it too complex to transform, but it needs to be reused.

Important: The $Target function can only be used within the same Action.

For example, an email address consists of [email protected]. However, you are required to use the format, [email protected]. By using the $Target function, you reuse only one attribute, username, while not changing the other two attributes (firstname_lastname).

Example:

Destination Attribute

username

Formatter

`{firstname}{lastname}`

Formatter

`{$Target.username}@sample.com`

Custom Attribute Transformer Function

The Custom Attribute Transformer function allows you to define a custom transformer that acts as an alias for applying one or more transformer functions.

For example, you can define a custom function named $CLEAN, which is used as {first_name | $CLEAN}. This function can consist of a series of transformer functions such as | ASCII | LOWER | REMOVE_CHAR |.

To define a custom attribute transformer, use the following guidelines:

Policy Version Definitions

Custom functions must be defined as part of the policy version.
These definitions are structured similarly to hard-coded definitions and are returned in the same format, allowing the Veza UI to handle them without modification.
The API for updating and retrieving a policy version must also support these custom function definitions.

Naming Convention: Custom functions must be in ALL CAPS and prefixed with a $ to avoid conflicts with built-in functions.

Custom Attribute Transformer Limitations

The following custom definitions are not supported:

Transformer functions with included transformer parameters
Nested transformer functions
Transformer functions with parameters

Notification Templates for Lifecycle Management

Customizing email notifications for Lifecycle Management events and Access Requests.

Overview

Administrators can customize email notifications sent during Lifecycle Management and Access Request workflows. These emails can include instructions, unique branding, and placeholders for metadata specific to the event (such as entity names, action types, or request details). Each notification type (usage) can have its own customized template.

Notification templates support HTML and CSS. They can include links to external images or you can upload small files to Veza. This document includes steps to configure templates in Veza using the notifications API, and a reference for event types, default templates, and supported placeholders.

Template Management: Currently, notification templates can only be managed via the Notification Templates API. Template management through the Veza UI is not yet available.

Access Reviews Notification Templates: For access review workflow notifications, see Access Reviews Notification Templates.

Managing notification templates

Default Templates

The system provides built-in templates for all Lifecycle Management and Access Request events. These templates use placeholders that are automatically replaced with actual values when notifications are sent.

Generic Failure Template

When specific event templates aren't available or when events fail, the system uses a generic failure template:

Subject: Lifecycle job {{EVENT_TYPE}} has failed

Body:

<html><body>
<br>
<br> Here is the notification that lifecycle job has failed. <br>
Error message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
For reference:
<br> job_id: {{JOB_ID}}<br>
<br> identity_id: {{EVENT_IDENTITY_ID}}
<br> identity_name: {{EVENT_IDENTITY_NAME}}
<br> entity_type: {{ENTITY_TYPE}}
<br> entity_name: {{ENTITY_NAME}}
</body></html>

See Default Template Content for all default messages.

Lifecycle Management Events

Each template you create is associated with a specific notification event (referred to as usage in the API). The following event types are available for Lifecycle Management workflows, organized by functional area:

Identity Management Events

Event Type

API Usage Value

Description

Create Identity

LIFECYCLE_MANAGEMENT_CREATE_IDENTITY

Sent when a new identity/account is created

Create Identity Failed

LIFECYCLE_MANAGEMENT_CREATE_IDENTITY_FAILED

Sent when identity creation fails

Sync Identity

LIFECYCLE_MANAGEMENT_SYNC_IDENTITY

Sent when an identity is synchronized

Sync Identity Failed

LIFECYCLE_MANAGEMENT_SYNC_IDENTITY_FAILED

Sent when identity sync fails

Delete Identity

LIFECYCLE_MANAGEMENT_DELETE_IDENTITY

Sent when an identity is deleted

Delete Identity Failed

LIFECYCLE_MANAGEMENT_DELETE_IDENTITY_FAILED

Sent when identity deletion fails

Disable Identity

LIFECYCLE_MANAGEMENT_DISABLE_IDENTITY

Sent when an identity is disabled

Disable Identity Failed

LIFECYCLE_MANAGEMENT_DISABLE_IDENTITY_FAILED

Sent when identity disabling fails

Create Guest Account

LIFECYCLE_MANAGEMENT_CREATE_GUEST_ACCOUNT

Sent when a guest account is created

Create Guest Account Failed

LIFECYCLE_MANAGEMENT_CREATE_GUEST_ACCOUNT_FAILED

Sent when guest account creation fails

Relationship Management Events

Event Type

API Usage Value

Description

Add Relationship

LIFECYCLE_MANAGEMENT_ADD_RELATIONSHIP

Sent when a relationship is added

Add Relationship Failed

LIFECYCLE_MANAGEMENT_ADD_RELATIONSHIP_FAILED

Sent when adding relationship fails

Remove Relationship

LIFECYCLE_MANAGEMENT_REMOVE_RELATIONSHIP

Sent when a relationship is removed

Remove Relationship Failed

LIFECYCLE_MANAGEMENT_REMOVE_RELATIONSHIP_FAILED

Sent when removing relationship fails

Email Management Events

Event Type

API Usage Value

Description

Create Email

LIFECYCLE_MANAGEMENT_CREATE_EMAIL

Sent when an email is created

Create Email Failed

LIFECYCLE_MANAGEMENT_CREATE_EMAIL_FAILED

Sent when email creation fails

Write Back Email

LIFECYCLE_MANAGEMENT_WRITE_BACK_EMAIL

Sent when email is synced back

Write Back Email Failed

LIFECYCLE_MANAGEMENT_WRITE_BACK_EMAIL_FAILED

Sent when email sync back fails

Password Management Events

Event Type

API Usage Value

Description

Change Password

LIFECYCLE_MANAGEMENT_CHANGE_PASSWORD

Sent when a password is changed

Change Password Failed

LIFECYCLE_MANAGEMENT_CHANGE_PASSWORD_FAILED

Sent when password change fails

Reset Password

LIFECYCLE_MANAGEMENT_RESET_PASSWORD

Sent when a password is reset

Reset Password Failed

LIFECYCLE_MANAGEMENT_RESET_PASSWORD_FAILED

Sent when password reset fails

Entitlement Management Events

Event Type

API Usage Value

Description

Create Entitlement

LIFECYCLE_MANAGEMENT_CREATE_ENTITLEMENT

Sent when an entitlement is created

Create Entitlement Failed

LIFECYCLE_MANAGEMENT_CREATE_ENTITLEMENT_FAILED

Sent when entitlement creation fails

Rename Entitlement

LIFECYCLE_MANAGEMENT_RENAME_ENTITLEMENT

Sent when an entitlement is renamed

Rename Entitlement Failed

LIFECYCLE_MANAGEMENT_RENAME_ENTITLEMENT_FAILED

Sent when entitlement renaming fails

Sync Entitlement

LIFECYCLE_MANAGEMENT_SYNC_ENTITLEMENT

Sent when an entitlement is synced

Sync Entitlement Failed

LIFECYCLE_MANAGEMENT_SYNC_ENTITLEMENT_FAILED

Sent when entitlement sync fails

Actions and Workflows Events

Event Type

API Usage Value

Description

Custom Action

LIFECYCLE_MANAGEMENT_CUSTOM_ACTION

Sent when a custom action is performed

Custom Action Failed

LIFECYCLE_MANAGEMENT_CUSTOM_ACTION_FAILED

Sent when custom action fails

Action Succeed

LIFECYCLE_MANAGEMENT_ACTION_SUCCEED

Sent when an action succeeds

Action Failed

LIFECYCLE_MANAGEMENT_ACTION_FAILED

Sent when an action fails

Workflow Task Failed

LIFECYCLE_MANAGEMENT_WORKFLOW_TASK_FAILED

Sent when a workflow task fails

Extraction Event Failed

LIFECYCLE_MANAGEMENT_EXTRACTION_EVENT_FAILED

Sent when extraction processing fails

Access Reviews Events

Event Type

API Usage Value

Description

Create Access Review Queued

LIFECYCLE_MANAGEMENT_CREATE_ACCESS_REVIEW_QUEUED

Sent when access review is queued

Create Access Review

LIFECYCLE_MANAGEMENT_CREATE_ACCESS_REVIEW

Sent when access review is created

Safety Events

Event Type

API Usage Value

Description

Safety Limit Reached

LIFECYCLE_MANAGEMENT_SAFETY_LIMIT_REACHED

Sent when safety limits are reached

Access Request Events

Event Type

API Usage Value

Description

Access Request Created

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_CREATED

Sent when an Access Request is created

Access Request Action Run

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_ACTION_RUN

Sent when Access Request actions start running

Access Request State Changed

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_STATE_CHANGED

Sent when Access Request state changes

Access Request Approver Assigned

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_APPROVER_ASSIGNED

Sent when new approvers are assigned

Access Request Succeed

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_SUCCEED

Sent when Access Request succeeds

Access Request Failed

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_FAILED

Sent when Access Request fails

Default Template Content

Veza provides built-in email templates for all event types, organized by functional area below. These templates include standard placeholders and can be customized or replaced with your own templates.

Identity Management Templates

CREATE_IDENTITY

Subject: New Hire Notification: {{ENTITY_TYPE}} account created
Body:

<html><body>
Hello,<br>
<br>
Here is the information for your new-hire: {{ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
<br>
</body></html>

CREATE_GUEST_ACCOUNT

Subject: New {{ENTITY_TYPE}} Guest Account Created: {{ENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
New {{ENTITY_TYPE}} Guest Account Created <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Name: {{ENTITY_NAME}} <br>
Login Name: {{LOGIN_NAME}} <br>
Invite Sent: {{SENT_INVITE}} <br>
<br>
</body></html>

SYNC_IDENTITY

Subject: Sync Identity Notification: {{ENTITY_TYPE}} account synced
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} attributes have been synced <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>

DELETE_IDENTITY

Subject: Identity Deleted Notification: {{ENTITY_TYPE}} has an account deleted
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has been deleted <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>

DISABLE_IDENTITY

Subject: Identity Disabled Notification: {{ENTITY_TYPE}} has an account disabled
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has been disabled <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>

Relationship Management Templates

ADD_RELATIONSHIP

Subject: New Relationship Added Notification: {{ENTITY_TYPE}} has an account with new relationship to a {{RELATIONSHIP_ENTITY_TYPE}}
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a new relationship to {{RELATIONSHIP_ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Relationship Type: {{RELATIONSHIP_ENTITY_TYPE}} <br>
<br>
</body></html>

REMOVE_RELATIONSHIP

Subject: Relationship Removed Notification: {{ENTITY_TYPE}} has an account whose relationship was remove from a {{RELATIONSHIP_ENTITY_TYPE}}
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a relationship removed from {{RELATIONSHIP_ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Relationship Type: {{RELATIONSHIP_ENTITY_TYPE}} <br>
<br>
</body></html>

Email Management Templates

CREATE_EMAIL

Subject: New Email Notification: {{ENTITY_TYPE}} has an account with new email
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a new email address <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Email: {{EMAIL}} <br>
<br>
</body></html>

WRITE_BACK_EMAIL

Subject: New Write Back Email Notification: {{ENTITY_TYPE}} has had an email sync to it
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has the newly created email synced back to it <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Email: {{EMAIL}} <br>
<br>
</body></html>

Password Management Templates

CHANGE_PASSWORD

Subject: Password Change Notification: {{ENTITY_TYPE}} has an account with a new password
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a password <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
New Password: {{LOGIN_PASSWORD}} <br>
<br>
</body></html>

RESET_PASSWORD

Subject: Reset Password Notification: {{ENTITY_TYPE}} has had their password reset
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has had their password reset <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
Temporary Password: {{LOGIN_PASSWORD}} <br>
<br>
</body></html>

Entitlement Management Templates

CREATE_ENTITLEMENT

Subject: Create entitlement notification: an entry of {{ENTITY_TYPE}} is created
Body:

<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} is created: {{ENTITY_NAME}} <br>
<br>
</body></html>

RENAME_ENTITLEMENT

Subject: Rename entitlement notification: an entry of {{ENTITY_TYPE}} is renamed
Body:

<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} is renamed with new name: {{ENTITY_NAME}} <br>
<br>
</body></html>

SYNC_ENTITLEMENT

Subject: Sync entitlement notification: an entry of {{ENTITY_TYPE}} is renamed
Body:

<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} has been re-synced with the target system: {{ENTITY_NAME}} <br>
<br>
</body></html>

Access Request Templates

ACCESS_REQUEST_COMPLETE

Subject: Access Request {{ACCESS_REQUEST_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} has {{SUCCEED_OR_FAILED}}
Body:

<html><body>
Hello,<br>
<br>
{{ACCESS_REQUEST_ENTITY_NAME}} has been {{ACCESS_REQUEST_TYPE}} with: {{ACCESS_REQUEST_TARGET_NAME}}.<br>
<br>
User Type: {{ACCESS_REQUEST_ENTITY_TYPE}} <br>
Target Type: {{ACCESS_REQUEST_TARGET_TYPE}} <br>
<br>
</body></html>

ACCESS_REQUEST_CREATED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}
Body:

<html><body>
Hello,<br>
<br>
The request is currently in {{ACCESS_REQUEST_STATE}} state.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

ACCESS_REQUEST_FAILED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is failed
Body:

<html><body>
Hello,<br>
<br>
The request is failed, with an error message: {{EVENT_ERROR_MESSAGE}}
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

ACCESS_REQUEST_STATE_CHANGED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}
Body:

<html><body>
Hello,<br>
<br>
The request is currently in {{ACCESS_REQUEST_STATE}} state.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

ACCESS_REQUEST_APPROVER_ASSIGNED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} in {{ACCESS_REQUEST_STATE}} as new assigned approvers
Body:

<html><body>
Hello,<br>
<br>
The request currently in {{ACCESS_REQUEST_STATE}} state has new been assigned new approvers.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

Error and Failure Templates

ACTION_FAILED

Subject: Action Failed: {{ACTION_NAME}} for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
Action has failed.<br>
<br>
Identity: {{IDENTITY_NAME}}<br>
Action Name: {{ACTION_NAME}}<br>
Action Type: {{ACTION_TYPE}}<br>
Workflow Name: {{WORKFLOW_NAME}}<br>
Error Message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
</body></html>

WORKFLOW_TASK_FAILED

Subject: Workflow Failed: {{WORKFLOW_NAME}} for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
Workflow has failed.<br>
<br>
Identity: {{IDENTITY_NAME}}<br>
Workflow Name: {{WORKFLOW_NAME}}<br>
Error Message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
</body></html>

EXTRACTION_EVENT_FAILED

Subject: Lifecycle Management extraction processing failed for {{DATASOURCE_ID}}
Body:

<html><body>
Hello,<br>
<br>
Extraction processing has failed.<br>
<br>
Datasource: {{DATASOURCE_ID}}<br>
Error Message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
</body></html>

Access Review Templates

CREATE_ACCESS_REVIEW_QUEUED

Subject: Create Access Review Queued Notification: for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
An access review has been queued for {{IDENTITY_NAME}} <br>
<br>
</body></html>

CREATE_ACCESS_REVIEW

Subject: Create Access Review Notification: for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
An access review has been created for {{IDENTITY_NAME}} <br>
<br>
</body></html>

Safety and Custom Action Templates

SAFETY_LIMIT_REACHED

Subject: Safety Limit Reached Notification: Policy {{POLICY_NAME}} has stopped processing identity changes
Body:

<html><body>
Hello,<br>
<br>
The safety limit for policy {{POLICY_NAME}} has been reached. No further identity changes were processed.<br>
</body></html>

CUSTOM_ACTION

Subject: New Custom Action Notification: {{ENTITY_TYPE}} has performed a custom action
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has performed a custom action <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Message: {{EVENT_ERROR_MESSAGE}} <br>
<br>
</body></html>

Image Attachments

From the Veza UI, you can add images directly through the "Add images" option. These will be automatically encoded and included in your template.

Image Requirements: For API-based template management, small images under 64kb can be attached when configuring a template. The image must be base64-encoded and specified in the attachments field of the API request.

To use an attachment you have uploaded in a template, specify it by attachment.name, for example:

<img src="cid:<name_of_attachment>"

To embed high-resolution images in your templates, you should serve the content from a public URL, and use HTML to link and style it.

Placeholders

Use placeholders to include dynamic information in templates, such as entity names, action types, timestamps, and other event metadata. Placeholders are automatically replaced with actual values when notifications are sent.

Identity and Entity Information

Placeholder

Description

{{ENTITY_TYPE}}

The type of entity (e.g., "ActiveDirectoryUser", "OktaUser")

{{ENTITY_NAME}}

The name of the entity/identity

{{LOGIN_NAME}}

The login/username for the account

{{LOGIN_PASSWORD}}

The password (for password-related notifications)

{{EMAIL}}

Email address associated with the identity

Relationship Information

Placeholder

Description

{{RELATIONSHIP_ENTITY_TYPE}}

Type of the related entity

{{RELATIONSHIP_ENTITY_NAME}}

Name of the related entity

Action and Job Information

Placeholder

Description

{{ACTION_NAME}}

Name of the action being performed

{{ACTION_TYPE}}

Type of action

{{ACTION_JOB_ID}}

Unique identifier for the action job

{{SUCCEED_OR_FAILED}}

Status indicator ("succeeded" or "failed")

{{SENT_INVITE}}

Whether an invite was sent (for guest accounts)

Access Request Information

Placeholder

Description

{{ACCESS_REQUEST_TYPE}}

Type of Access Request

{{ACCESS_REQUEST_ENTITY_NAME}}

Name of the entity requesting access

{{ACCESS_REQUEST_ENTITY_TYPE}}

Type of the requesting entity

{{ACCESS_REQUEST_TARGET_TYPE}}

Type of the target resource

{{ACCESS_REQUEST_TARGET_NAME}}

Name of the target resource

{{ACCESS_REQUEST_URL}}

URL to view the Access Request details

{{ACCESS_REQUEST_STATE}}

Current state of the Access Request

{{ACCESS_REQUEST_SOURCE_TYPE}}

Source type of the Access Request

Event and Error Information

Placeholder

Description

{{EVENT_TYPE}}

Type of lifecycle event

{{JOB_ID}}

Job identifier

{{EVENT_ERROR_MESSAGE}}

Error message for failed events

{{EVENT_IDENTITY_ID}}

Identity ID associated with the event

{{EVENT_IDENTITY_NAME}}

Identity name associated with the event

Policy and Workflow Information

Placeholder

Description

{{POLICY_NAME}}

Name of the lifecycle policy

{{WORKFLOW_NAME}}

Name of the workflow

{{ACTION_ID}}

Action identifier

{{WORKFLOW_ID}}

Workflow identifier

{{DATASOURCE_ID}}

Datasource identifier

Lifecycle Management

Key Features

Core Concepts

Policies

Workflows

Access Profiles

Actions

Attribute Transformers

Notification Templates

Getting Started

Lifecycle Management Dashboard

Dashboard Overview

Dashboard Actions

Policies

Access Profiles

Identities

Integrations

Access Requests

Errors

Recent Activity

Next Steps

Activity Log

Overview

Activity Log Tabs

Events Tab

Jobs Tab

Actions Tab

Workflow Tasks Tab

Workflow Execution Process

Using the Activity Log

Log Retention and Security

Identities

Identities

Identity Synchronization

Identities Table

Filter and Search an Identity

Identity Actions

View User Details

Attribute Overrides

Performing Actions on an Identity

Trigger Workflow

Request Access for an Identity

Show in Graph

Access Profiles

Example Profiles

Access Profile Types

Profiles

Business Roles

Best Practices for Access Profile Types

Configuring Access Profiles

See Also

Access Profile Types

Overview

Common Access Profile Type Categories

Managing Access Profile Types

Creating a New Profile Type

Best Practices for Access Profile Types

Policies

Overview

Add a Lifecycle Management Policy

Edit a Lifecycle Management Policy

Enabling and Monitoring Lifecycle Management Policies

Adding Workflows to Policies

Create a Workflow in a Policy

Common Transformers

Notifications

Events and Actions

Notification Configuration

Fallback Formatters

Overview

Understanding Fallback Formatters

Use Case: Username Conflicts

Configuring Fallback Formatters

Transformer Options for Fallback Formatters

Using the NEXT_NUMBER Transformer

Other Useful Transformers for Fallbacks

Implementation Example

Common Fallback Patterns

How Fallback Resolution Works

Lookup Tables

`sys_attr__is_mover`

`sys_attr__would_be_value`

`sys_attr__would_be_value_len`

Integration with `NEXT_NUMBER`