1 of 36

Lifecycle Management

Introduction to Lifecycle Management with Veza

Veza's Lifecycle Management (LCM) solution empowers organizations to automate and streamline the management of user identities and access rights throughout the employee lifecycle. From onboarding to role changes and offboarding, automated LCM workflows ensure that the right people have the correct access at the right time.

Key Features

Automated Provisioning and De-provisioning: Streamline granting and revoking entitlements as employees join, move within, or leave the organization
Environment-wide Synchronization: Keep user attributes and access rights consistent across applications and platforms
Customizable Workflows: Design tailored processes for different lifecycle events and user segments
Compliance and Audit Support: Maintain detailed records of access changes to support compliance and audit efforts
Integration with Identity Providers: Integrate with identity providers and HR systems, import HR data from CSV, or use a custom OAA template

Core Concepts

Policies

Policies define the rules and actions for managing identities throughout their lifecycle. They specify what actions should occur when there are changes in a source of identity, such as when a user is created or their attributes change.

After configuring a policy for a source of identity in your organization, Veza Lifecycle Management tracks the source for changes. When employee records are added or changed, actions will trigger based on the workflows and actions specified in the policy.

Learn more about Policies

Workflows

Workflows are sequences of actions within a policy that execute based on specific conditions. They enable automation of lifecycle management processes such as onboarding, role changes, and offboarding.

Workflows only execute actions on users that meet specific conditions, and Policies can contain more than one Workflow. This enables you to create a single policy for your source of identity that contains multiple workflows, with one applying to new hires, another applying to terminated employees, and so on for the different JML scenarios you want to automate.

Learn more about Workflows

Access Profiles

Access Profiles define sets of entitlements (such as group memberships or role assignments within a target application) that should be granted to users based on their role within the organization (or another distinguishing attribute). You can use Access Profiles to define both Business Roles – segments of employees, and Profiles – collections of entitlements in a target application.

Assigning Business Roles to the Profiles they should inherit enables you to define the birthright entitlements for different types of employees in your organization. You can then assign those Business Roles when configuring workflows that add or remove access to an application.

Learn more about Access Profiles

Actions

Lifecycle Management Actions are tasks performed within a workflow, such as creating a user account, assigning group memberships, or disabling an account. Actions can be combined to trigger in sequence when there are changes in the source of identity. Actions can run for any identity that meets the workflow conditions, or only apply when action-level conditions are met.

Learn more about available Actions

Attribute Transformers

Transformers allow you to modify and format user attributes when synchronizing data between systems, ensuring consistency and compatibility when creating users across applications.

Lifecycle Management will provision new users with these attributes and can keep their accounts up-to-date when there are changes in the source of identity. Target entity attributes can be set to specific values or use metadata from the source of identity, and support a range of transformation functions.

Learn about Transformers

Notification Templates

Customize email notifications sent during Lifecycle Management events and Access Request workflows. You can personalize messaging, add branding, and include event-specific information through placeholders.

Learn more about Notification Templates

Getting Started

Enable Integrations: Configure your data sources and enable them for Lifecycle Management. Lifecycle Management Integrations
Define Access Profiles: Create profiles that map your organizational structure to application-specific entitlements. Creating Access Profiles
Create Policies: Add policies to automate identity management processes. Building Lifecycle Management Policies
Configure Workflows: Design workflows within policies to handle specific lifecycle events. Configuring Workflows

For an overview of Lifecycle Management configuration using Okta, Workday, and Active Directory, see Lifecycle Management with Workday, Okta, and Active Directory.

For API documentation, see Lifecycle Management APIs.

Lifecycle Management Dashboard

Managing and monitoring Lifecycle Management from a central dashboard

The Lifecycle Management Dashboard provides a centralized interface for monitoring automatic provisioning and deprovisioning of user access - both birthright access granted by Veza Lifecycle Management and just-in-time access granted by Veza Access Reviews. This dashboard gives you an at-a-glance view of your configuration, status, and recent activity.

The dashboard is the primary landing page for Lifecycle Management and Access Requests and can help with routine monitoring, error resolution, policy validation, activity review, and integration health checks.

Dashboard Overview

The dashboard is organized into several key sections:

Policies: Displays your most recently updated Lifecycle Management Policies and their status
Access Profiles: Shows configured Access Profiles and usage metrics
Identities: Provides a visualization of managed identities
Integrations: Top Integrations enabled for Lifecycle Management and Access Requests along with any error statuses
Access Requests: Tracks pending and completed access requests
Errors: Displays recent Lifecycle Management and Access Requests errors requiring attention (past day, week, or month)
Recent Activity: Shows the most recent Lifecycle Management and Access Requests Events

To navigate to more detailed information, click on any section heading to open the related overview. Click on specific items (such as a policy or integration) to view or edit configuration details.

Dashboard Actions

From the dashboard, you can perform common tasks including:

Create a new policy: Click the "Create Policy" button in the Policies section
Configure Access Profiles: Click the "Create Access Profile" button in the Access Profiles section
Set up a new integration: Click the "Set up Integration" button in the Integrations section
Monitor system health: Review the Errors section for any issues
Track recent changes: Review the Recent Activity section for a log of recent events
Filter activity by time period: Use the time period dropdown (e.g., "Past day") to adjust the view

Policies

The Policies section displays all configured Lifecycle Management policies with their current status. Each policy shows its name, associated identity source, number of identities managed, and current status (Running/Stopped).

You can view all policies at a glance, create new ones with the "Create Policy" button, see which policies are actively running, access detailed configuration by clicking on a specific policy, and verify that policies in "Running" status should be active. Learn more about creating and managing policies.

Access Profiles

The Access Profiles section shows the total number of configured access profiles and provides a visual representation of profile activity. Access profiles define sets of entitlements granted to users based on their roles.

You can see the total number of configured profiles, create new ones using the "Create Access Profile" button, view profile activity and utilization, and access detailed configuration by clicking into the section. Learn more about Configuring Access Profiles.

Identities

The Identities section provides a visual representation of all identities managed through Lifecycle Management and Access Requests. The chart displays the distribution of identities by type or status, giving you an immediate understanding of your identity landscape.

This visualization helps you understand the overall composition of your managed identities, identify distribution patterns across different categories, and track changes in identity distribution over time.

Integrations

The Integrations section lists all systems connected to Lifecycle Management and Access Requests, displaying the total number of integrations, error status and counts, recently created integrations, and last update timestamps. For each integration, you can see its name and type, current status (including error indicators), and last update timestamp. You can set up new integrations using the "Set up Integration" button, identify and troubleshoot integration errors, and view all integrations by clicking "View all." Review this section regularly to identify any integrations with error states. See Lifecycle Management integrations for more information.

Access Requests

The Access Requests section tracks pending access requests, recently completed requests, and request status (Pending, Completed, Rejected, Cancelled). This section provides visibility into the access request process, allowing you to monitor request volume and status, track completion rates, and identify potential bottlenecks in the access request workflow.

Errors

The Errors section displays any Lifecycle Management and Access Requests errors that require attention. When functioning normally with no issues, this section will display "No issues found." If errors occur, this section will list the specific errors, provide context about when and where they occurred, and offer guidance on troubleshooting and resolution. Check this section regularly for any reported issues.

Recent Activity

The Recent Activity section shows a chronological log of Lifecycle Management and Access Requests events, including event type, timestamp, affected identity, and entity name. Examine this section to identify any unusual patterns or failed operations. This activity log helps you track recent actions, verify that expected changes have occurred, identify patterns or issues in lifecycle events, and monitor the overall health of your Lifecycle Management or Access Requests implementation.

Next Steps

After familiarizing yourself with the dashboard:

Learn about creating Lifecycle Management policies
Configure access profiles for your organization
Set up integrations with identity sources
Understand available Lifecycle Management actions

Implementation and Core Concepts

Before you begin creating draft for automating Lifecycle Management workflows, you should establish and document how employees in your organization are mapped to business roles, and corresponding birthright entitlements (default access permissions granted based on an employee's role) such as groups and roles in target applications.

Implementing Veza Lifecycle Management will require:

Defining segmentation criteria in terms of Business Roles for identities in your organization.
Defining Role Conditions used in Lifecycle Management policies that Veza will use to match roles to identities, based on attributes from the source of identity.
Defining Profiles for each target application that will map Business Roles to application-specific entitlements.
Assigning Profiles to Business Roles to enable business rules.

The topics in this document will help you structure your Lifecycle Management implementation, and establish foundations that you can use to simplify access management throughout the employee lifecycle.

Key considerations and requirements

Is a lifecycle management process defined for your organization?
- If yes: Begin assessing your current policies for implementation with Veza Lifecycle Management.
- If no: Work with application owners, HR administrators, and other stakeholders to establish protocols for granting and revoking access as employees join, depart, or change roles.
Do you have one, or even multiple sources of truth for employee identity metadata?
- At least one source of identity is required to trigger Lifecycle Management actions when there are changes in the data source. This data source could be an HRIS system, identity provider, directory service, or an exported report.
- Veza supports importing employee records from built-in , OAA integrations using the , and .
- For example, you may have different sources of identity for full-time and employees and contractors.
What scenarios will be automated?
- A range of applications can be sources of identity and targets for Lifecycle Management, with different actions supported for each integration. See and for the current capabilities.

Define Segmentation Criteria (Business Roles)

Begin by identifying and cataloging the different roles that can be assigned to employees and their digital identities within your organization. Users will be granted entitlements within target applications based on these business roles based on your Lifecycle Management .

This list of business roles might be sourced from an organization chart, or a human resources information system (HRIS). These roles can be defined in terms of any discriminating attributes from a source of identity, such as:

Employee or contractor status
Roles and job positions
Business Units (BUs)
Locations
Define and list the different populations of employees with different levels of access in your organization (such as by roles, regions, and teams).
Organize the populations hierarchically, each inheriting the access granted to its parent population. For example, you might have a structure "All Employees" > "Sales Team" > "Sales Managers," with each inheriting the access granted to the parent.
Create a in Veza to model each segment.

Example Business Roles:

Sales
Developers
Executive Employees
US Employees
China Employees

Define Role Conditions

Identify the attributes and conditions that will identify the segment each user belongs to. The possible attributes will depend on the employee metadata provided by your HRIS or other source of truth for identity.

For example, you might assign certain Active Directory groups only to US employees, identified by a source Workday Worker's work_location. To define these conditions, you will need to understand what attributes are available within the source of truth, and how the values map to each employee segment.

Consider how employee records are structured in your source of identity, including all the built-in attributes belonging to an identity, and the possible values.
Check if any custom attributes can be used to define role conditions, and ensure these are enabled in the Veza authorization graph.
Document how employee populations correspond to the attribute values contained in the source of identity.

Examples: Source attributes for role conditions

The following standard attributes are available by all HRIS integrations that use an Open Authorization API template, along with any enabled for the integration. You can typically import data from any HRIS system to Veza using this template, sourced from a generated report, API calls, or CSV data.

OAA HRIS Built-In Attributes

Attribute

Description

Using this standard identity metadata, a Lifecycle Management workflow runs specific actions for identities where some or all of the conditions are true:

Employment Status equals "Pending"
Employment Types equals "Full Time"
Department equals "Engineering"
Work Location equals "US"
Cost Center equals "R&D"
Start Date on or after "2025-01-01"

Define Profiles

A Profile defines a set of entitlements for a specific application that can be assigned to users. For each target application, application owners will need to establish levels of birthright entitlements by defining Profiles mapped to groups, roles, or other entitlements that can be assigned to a user.

Review target applications to validate that the expected entitlements are configured, with the correct scopes and permissions for the Profiles they will be associated with.
Create Lifecycle Management mapped to those entitlements.

Examples: Access Profiles

Profile Name

Target

Relationship

When configuring the action, administrators can grant or revoke access by choosing a Business Role that inherits the desired Profile.

Map Business Roles to Profiles

Configure to inherit the corresponding access profiles, mapping entitlements to employee segments.

Create Business Roles for each segment.
For each Business Role, inherit a corresponding access profile.
Assign one or more Profiles to each Business Role as needed to fully define the birthright entitlements for each position.

Examples: Map Business Roles to Profiles

Asia Employees

US Employees

Developers

Define synced attributes

Attributes from the source of identity can determine the attributes of users in target systems when creating or updating a target entity.

For example, a provisioned Okta User's country_code might be set to a source Workday Worker's work_location. Additionally, the Okta User manager attribute could be continually synchronized to match the Worker’s manager.

Target synced attributes can have fixed values (e.g., always true), can match a source attribute, or contain a combination of source values, transformed as needed to match the required format. Rules for synchronizing attributes are managed with .

For each application, understand the supported attributes for provisioned users.
Assess the identity metadata from your source of truth to decide how source entity attributes will be used to set the values of target entity attributes.
Veza can synchronize attributes during provisioning and de-provisioning workflows, and whenever a change is detected in the source of identity. Decide which attributes should be kept in Continuous Sync, and which should only be created (and never modified after creating an entity).

Examples: Synced Attributes

Sync Active Directory Accounts for Active Employees (Joiners/Movers)

When provisioning AD Users, create user attributes based on values in the source of identity. These attributes can also be kept up-to-date with the source of identity when there are changes, by enabling Continuous Sync.

Active Directory Attribute

Source Attributes

Transformer Value

Sync Active Directory Attributes for Withdrawn Employees (Leavers)

When disabling AD Users, update the DN and Primary Group DN to a group and OU reserved for terminated employees:

Active Directory Attribute

Source Attributes

Transformer Value

Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization.
Updating the distinguished_name to place leavers in a specific organizational unit (OU), like "Evergreen Termination," separates active users from inactive ones, and enables the application of policies, scripts, and queries that target inactive users without affecting active employees.

Access Profile Types

Understanding and configuring different types of Access Profiles for Lifecycle Management and Access Requests

Overview

Access Profile Types determine the behavior of for Veza Lifecycle Management and Veza Access Requests. They define common characteristics such as:

Whether the profile can inherit entitlements from other profiles
If the profile can grant entitlements in one or more target applications
The maximum number of entitlements the profile can grant
The specific integrations where entitlements can be granted

Veza provides built-in profile types, such as Profiles and Business Roles, for hierarchical management of birthright entitlements by employee population. You can also create new profile types to meet your organization's Access Requests and Lifecycle Management needs.

Common Access Profile Type Categories

Access Profiles define collections of entitlements within one or more target applications that can be assigned to an identity. Depending on the profile type, an access profile can include certain groups or roles, or inherit entitlements from another profile.

For example, you can create different types to organize profiles by:

Applications: Granting access to an application without specific entitlements, such as access to Zoom
Single Entitlements: Defining a single entitlement within a single application, such as a user being added to the DNS Admin group in Active Directory or the Domain Name Administrator role in Entra ID
Application Entitlements: Defining multiple entitlements within a single application, such as access to several Okta Groups
Multi-Application Entitlements: Defining multiple entitlements across different applications, such as for site reliability engineers who need access to GitHub, AWS, Jira, and Snowflake, along with one or more roles and group memberships within each of those applications
Business Roles: Inheriting combinations of other profile types to model sophisticated access privileges, such as all US Call Center employees inheriting US Employee access

Managing Access Profile Types

Use Access Profile Types to set rules for all profiles using that type. You can create new profile types to implement Lifecycle Management and Access Requests based on how and what access you will grant to employees.

Creating a New Profile Type

Open Lifecycle Management > Settings
In the Profile Types section, click New Profile Type
In the sidebar, configure the new type:
- Basic Information shown when creating Access Profiles:
  - Name: Display name for the profile type, shown when creating new Access Profiles
  - Description: Extended description to document the purpose of the profile type
  - Instructions: Optional custom instructions for using the profile type, shown when creating new profiles. Note that this is useful if allowing self-service Access Profile creation.
- On Create Behavior: Set the default policy state for Access Profiles created with this profile type:
  - Default: Uses Veza's default behavior (currently sets the profile to Initial state, but this may change in future releases)
  - Initial: The Access Profile is created but remains inactive/non-functional until a user explicitly starts it to move it to Running state
  - Running: The Access Profile starts in an active state and is immediately functional with no additional action required
  - Initial Start By Admin: The Access Profile starts in Initial state but requires an administrator (not a regular user) to explicitly start it to move it to Running state
- Relationship Options:
  - Allow Inheritance from Other Access Profiles: When enabled, profiles with this type can use another access profile to specify the exact entitlements.
  - Allow Direct Relationships: When enabled, you will specify the exact entitlements when creating a profile with this type. When disabled, profiles with this type can only inherit entitlements from another profile
- Access Request Policy: Choose the default Access Request Policy to apply access duration controls and approval workflow.
  - Allow overwrite of Access Request Policy: Enable selection of an alternative policy when Access Profile creators and owners create Access Profiles of this type.
- Integrations: Choose if the Access Profile of this type supports multiple integrations, integrations of a single type, or a single instance of a single integration:
  - Allow multiple integration types: Profiles can have specific entitlements in more than one target integration type (such as one or more entitlements from any Active Directory or Okta integration)
  - Limit to a single integration type: Entitlements must be within integrations of a specific type (such as one or more entitlements from any Okta integration)
  - Limit to a single integration: Profiles are limited to a single integration (such as one or more entitlements from a specific Okta integration)
  - Create a local user account only (if limited to a single integration): Create a local user account without specific entitlements.
- Entitlements: Set the maximum number of entitlements that can be added to profiles with this type (0 for unlimited entitlements).
  - Access Profile creators and owners can choose specific entitlements when editing the profile.
  - Create New Entitlement if None Exists: Configure the CREATE_ENTITLEMENT action to run when the policy is applied, including:
    The target integration and entity type to create
    Any member conditions (ANY to apply to all identities, or restricted by a condition string)
    Attributes for the created entities using the specified .
    Enabling Continuous Sync to periodically recreate and reapply entitlements if removed within the target system.
Click Create Profile Type to save the changes

After saving a profile type, you can edit or delete it on the Lifecycle Management Settings > Profile Types tab.

To manage the users or groups allowed to create profiles of that type, click Actions > Manage Permissions.
To view profiles with a specific type, choose a profile type and click Show Access Profiles.

Best Practices for Access Profile Types

When working with Access Profile Types, consider the following best practices:

Consistent Naming: Use clear, descriptive names for profile types that indicate their purpose and scope
Appropriate Granularity: Create profile types with the right level of granularity for your organization's needs
Documentation: Add thorough descriptions and instructions to help others understand when to use each profile type
Inheritance Planning: Carefully plan which profile types should inherit from others to create a logical hierarchy
Regular Review: Periodically review profile types to ensure they continue to meet your organization's needs
Good Hygiene: Eliminate profile types that are no longer in use (when the count of Access Profiles with that type equals zero)

Fallback Formatters

Configure fallback formatters for uniquely identifying attributes during identity synchronization

Overview

Fallback formatters can help resolve conflicts when provisioning identities with unique attributes. This is particularly useful when automated provisioning requires unique identifiers, but the standard generated values are already in use.

Understanding Fallback Formatters

When provisioning new identities through Lifecycle Management, unique attributes like usernames, login IDs, or email addresses must not conflict with existing values. Fallback formatters provide an automated way to generate alternative values when conflicts arise, ensuring provisioning can proceed without manual intervention.

You can configure fallback formatters when configuring a to ensure new users can be onboarded efficiently, regardless of naming conflicts.

Use Case: Username Conflicts

The most common use case for fallback formatters is handling username conflicts. For example:

Your organization uses a standard username format of first initial + last name (e.g., jsmith for John Smith).

When multiple employees have similar names, this can lead to conflicts:

John Smith already has jsmith
Jane Smith already has jsmith1
James Smith already has jsmith2

When Jennifer Smith joins, the fallback formatter automatically assigns jsmith3, maintaining your naming convention while ensuring uniqueness.

Configuring Fallback Formatters

Fallback formatters can be configured as part of the "Sync Identities" action within a Lifecycle Management workflow:

Edit or create a Lifecycle Management policy
Edit the workflow containing the Sync Identities action
In the Sync Identities action configuration, click Add Fallback
Configure the to use as a fallback pattern for the unique attribute that might experience conflicts
Close the action sidebar and save your changes to the policy.

Transformer Options for Fallback Formatters

Several transformers can be used for implementing fallback formatters depending on your specific use case.

Using the NEXT_NUMBER Transformer

A typical approach is to use the NEXT_NUMBER transformer, which is specifically designed to generate sequential numerical alternatives when naming conflicts occur.

The NEXT_NUMBER transformer:

Generates a set of sequential integers as strings
Takes two parameters: BeginInteger (starting number) and Length (how many numbers to generate)
Is unique among transformers in that it returns multiple values, making it ideal for fallback scenarios

Other Useful Transformers for Fallbacks

In addition to NEXT_NUMBER, other transformers can be valuable for creating fallback formatters:

Using Random Alphanumeric for Unique Usernames:

This could generate usernames like jsmith8f3d instead of sequential jsmith1, jsmith2, etc.

Using UUID for Guaranteed Uniqueness:

This would append the first 8 characters of a UUID, creating identifiers like jsmith-a7f3e9c2.

Implementation Example

When configuring a fallback formatter with the NEXT_NUMBER transformer:

Select the attribute that requires uniqueness (e.g., username, email)
Configure the primary pattern (e.g., {first_initial}{last_name})
Add a fallback using the NEXT_NUMBER transformer to generate sequential alternatives:

This will generate up to 10 alternatives: jsmith1, jsmith2, ... jsmith10

Common Fallback Patterns

Here are some commonly used fallback patterns:

Primary Format

Fallback Pattern

Examples

How Fallback Resolution Works

When Lifecycle Management attempts to provision a new identity with a unique attribute value that already exists:

The system first tries the primary format (e.g., jsmith)
If a conflict is detected, it automatically tries the first alternative using the NEXT_NUMBER transformer (e.g., jsmith1)
If that value also exists, it tries the next alternative (e.g., jsmith2)
This process continues until either:
- A unique value is found
- All alternatives from the NEXT_NUMBER range are exhausted (in which case an error would be reported)

This automated conflict resolution ensures provisioning can proceed without manual intervention, even when your standard naming conventions result in conflicts.

Attribute Mapping

How source system properties become Veza attributes

Overview

When connecting to integrated systems (see Veza Integrations), Veza ingests properties from the source systems (e.g., Workday, Okta, Active Directory) and normalizes them into standardized attributes that appear when configuring Workflow trigger conditions, configuring Actions, and in Identities views.

While these standardized attributes are intended to ensure consistent naming across different systems, it is important to understand that some attributes may appear differently than their original names in the source system.

You can retrieve the original attribute names for enabled Lifecycle Management integrations using the ListLifecycleManagerDatasources API.

Attribute Naming Conventions

Veza normalizes all property names for consistency:

Original Format

Veza Format

Rule Applied

Employee ID

employee_id

Spaces → underscores

BusinessTitle

business_title

CamelCase → snake_case

Cost-Center

cost_center

Special chars removed

Department Code

customprop_department_code

Custom fields prefixed

The following normalization rules typically apply:

Source properties are converted to lowercase
Any spaces and hyphens become underscores
Special characters removed
CamelCase converted to snake_case
Custom fields are identified with a customprop_ prefix
System-computed fields are identified with the sys_attr__ prefix

Attribute Types and Mappings

The following sections include some examples of how Veza handles attributes from common integrations.

Standard Attributes

Veza recognizes and standardizes many common attributes across source systems:

Attribute

Type

Description

Example Value

employee_id

string

Employee identifier

E-98765

email

string

Primary email

department

string

Department name

Engineering

title

string

Job title

Senior Engineer

business_title

string

Business position

Senior Engineer

manager

string

Manager reference

managers

list

List of managers

[John Smith]

is_active

boolean

Active status

true

hire_date

date

Employment start date

2024-01-15

cost_center

string

Financial allocation

CC-1000

Source-Specific Mappings

Veza will make conversions to some attribute names from the source integration. For example, sAMAccountName in Microsoft Active Directory is shown as account_name for Active Directory Users in Veza Access Graph.

Workday → Veza

Workday Property

Veza Attribute

Notes

Worker ID

workday_id

Unique worker identifier

Employee ID

employee_id

Employee number

Business Title

business_title

Job position

Cost Center

cost_center

Financial allocation

Employee Type

employee_types

List (e.g., Full Time)

Manager

managers

List of manager names

Okta → Veza

Okta Property

Veza Attribute

Notes

login

Username

email

Primary email

status

status

ACTIVE, SUSPENDED, etc.

department

department

Department name

manager

manager

Manager's email/ID

Active Directory → Veza

AD Property

Veza Attribute

Notes

sAMAccountName

account_name

Pre-Windows 2000 login

distinguishedName

distinguished_name

Full LDAP path

userPrincipalName

user_principal_name

user@domain format

memberOf

member_of

List of group DNs

department

department

Department name

title

title

Job title

Custom Properties

Some integrations support custom property extraction for organization-specific fields from custom reports or extended schemas:

Always prefixed with customprop_
Automatically discovered during extraction once enabled
Follow standard normalization rules (lowercase, underscores)

Examples:

customprop_department_code - Custom department identifier
customprop_employeeou - Organizational unit
customprop_region - Geographic region
customprop_project_code - Project allocation

System Attributes

Some entity attributes are computed by Veza, and not derived from source data:

sys_attr__is_mover - Identity has changed monitored properties
sys_attr__would_be_value - Preview value in conditional transformers
sys_attr__would_be_value_len - Preview value length in conditional transformers

See System Attributes for details.

Using Attributes in Workflows

When configuring a Workflow trigger condition or an action that syncs attributes, you can choose from available attributes using a dropdown menu.

Primary vs Secondary Sources

Primary Source - Attributes from the main identity source appear without prefixes:

workday_id
employee_id
business_title
hire_date
email
customprop_department_code

Secondary Sources - Attributes from additional sources are prefixed with the entity type:

OktaUser.login
OktaUser.department
AzureADUser.job_title
ActiveDirectoryUser.distinguished_name

Example Usage

In Workflow Conditions:

employee_types co "Full Time" and department eq "Engineering"

In Transformers:

{first_name}.{last_name}@{customprop_domain}.com

With Secondary Sources:

OktaUser.status eq "ACTIVE" and WorkdayWorker.is_active eq true

System Attributes

Computed properties for advanced workflow triggering and conditional transformations in Lifecycle Management

Overview

System attributes are computed properties that Lifecycle Management automatically generates during identity processing. These attributes enable advanced automation scenarios by providing runtime information about identity changes and transformation results.

All system attributes follow the sys_attr__ prefix convention and cannot be manually set or modified.

Available System Attributes

`sys_attr__is_mover`

A persistent boolean attribute that indicates whether an identity has undergone changes to monitored properties.

Type: Boolean Persistence: Stored with identity record Available in: Workflow triggers, conditions, and transformers

Configuration: Define monitored properties in the policy configuration:

{
  "mover_properties": ["department", "manager_id", "title", "location"]
}

Workflow Trigger Example:

sys_attr__is_mover eq true

Combined Condition Example:

sys_attr__is_mover eq true and department eq "Engineering" and active eq true

The attribute is automatically set to true when any property in mover_properties changes during identity update. It is cleared when the identity is unchanged in an extraction cycle, and excluded from change detection to prevent recursive updates.

System attribute names are case-sensitive and must be lowercase in all expressions.

`sys_attr__would_be_value`

A transient attribute that provides a preview of the transformation result during conditional evaluation.

Type: String Persistence: Transient (exists only during IF statement evaluation) Available in: Conditional transformers only

Usage Example - Conditional Domain Addition:

IF sys_attr__would_be_value co "@"
  {email | LOWER}
ELSE
  {email | LOWER}@company.com

The above transformer will check if the transformed email already contains "@", preserve existing email addresses, and add domain only when needed.

`sys_attr__would_be_value_len`

A transient attribute that provides the character length of the transformation result during conditional evaluation.

Type: Number Persistence: Transient (exists only during IF statement evaluation) Available in: Conditional transformers only

Usage Example - Progressive Username Truncation:

IF sys_attr__would_be_value_len le 30
  {first_name | LOWER}.{last_name | LOWER | NEXT_NUMBER, 2, 3}
ELSE IF sys_attr__would_be_value_len le 20
  {first_name | LOWER | FIRST_N, 10}.{last_name | LOWER | NEXT_NUMBER, 2, 3}
ELSE
  {first_name | LOWER | FIRST_N, 1}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}

For "Leonevenkataramanathan Foster":

First check (≤30 chars): leonevenkataramanathan.foster (30 chars - passes first condition)
If >30 chars, second check (≤20 chars): leonevenkataramana.foster (25 chars - fails second condition)
If >20 chars, fallback: l.f (3 chars - always succeeds)
Alternatives with NEXT_NUMBER: l.f2, l.f3, l.f4

Integration with `NEXT_NUMBER`

Preview attributes work with the NEXT_NUMBER transformer for generating unique alternatives:

IF sys_attr__would_be_value_len le 15
  {username | NEXT_NUMBER, 2, 5}
ELSE IF sys_attr__would_be_value_len le 15
  {username | FIRST_N, 13 | NEXT_NUMBER, 2, 5}

This evaluates the base value length before applying numbering, ensuring the final result (including numbers) meets constraints.

Only one NEXT_NUMBER transformer is allowed per conditional branch.

Workflow Trigger Properties

The sys_attr__is_mover attribute supports additional trigger properties for fine-grained control:

{
  "trigger_properties": ["department", "location"],
  "trigger_string": "sys_attr__is_mover eq true and active eq true"
}

This workflow triggers only when:

The identity is marked as a mover (department or location changed)
The identity is active
At least one of the trigger_properties has changed since last extraction

Performance Notes
Mover Detection: Comparison occurs for all properties in mover_properties during each extraction
Preview Evaluation: Each IF branch with preview attributes requires transformation execution
Optimization: Place most common conditions first to minimize preview evaluations
Caching: Preview values are calculated once per condition branch and reused

Active Directory

This guide describes how to enable and configure Active Directory for Lifecycle Management in Veza, including supported capabilities and required configuration steps.

Overview

Active Directory integration with Lifecycle Management enables automated user provisioning, access management, and de-provisioning capabilities. This includes creating and managing AD users, group memberships, and disabling accounts when employees leave the organization.

Supported Capabilities

Identity Provider Status

Active Directory serves as an Identity Provider in Lifecycle Management workflows and supports custom properties defined in the integration configuration.

Supported Actions

Manage Relationships

Controls relationships between users and Active Directory groups.

Entity Types: Active Directory Groups
Assignee Types: Active Directory Users
Supports Removing Relationships: Yes

Example Use Cases:

Add users to specific Active Directory groups to manage access
Remove users from groups when access requirements change

Sync Identities

Synchronizes identity attributes between Active Directory and downstream systems.

Create Allowed: Yes (New user identities can be created if not found)
Supported Attributes:
- Required (Unique Identifiers):
  - AccountName (No Continuous Sync)
  - DistinguishedName
  - UserPrincipalName
- Optional:
  - Email, GivenName, DisplayName, SurName, Title
  - Description, ManagerID, PrimaryGroupDN
  - StreetAddress, City, StateOrProvinceName
  - CountryCode, PostalCode, Company
  - PhysicalDeliveryOfficeName, JobTitle
  - Department, CountryOrRegion, Office

Example Use Cases:

Create new user accounts when users are added
Keep user information synchronized across integrated systems

De-provision Identity

Safely removes or disables access when users leave or no longer need access.

Entity Type: Active Directory Users
Remove All Relationships: Yes (Removes existing group memberships)
De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)

Example Use Cases:

Disable accounts when employees leave
Remove group memberships while retaining audit information

Configuration Steps

1. Create a Service Account

Create a dedicated AD user with minimum required permissions:

Using Active Directory Users and Computers:

Open Active Directory Users and Computers
Navigate to the target Organizational Unit
Right-click > New > User
Complete the new user details form
- Recommended name: "Veza AD Lifecycle Manager"
- Set a strong password
- Uncheck "User must change password at next logon"

Using PowerShell:

New-ADUser -Name "Veza AD Lifecycle Manager" `
    -Path "OU=<your_OU>,DC=<domain>,DC=<tld>" `
    -GivenName "Veza" `
    -Surname "AD Lifecycle Manager" `
    -SamAccountName "veza-ad-lcm" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "<password>" -Force) `
    -ChangePasswordAtLogon $False `
    -DisplayName "Veza AD Lifecycle Manager" `
    -Enabled $True

2. Configure Required Permissions

Grant the service account permissions to manage users in the target OUs:

Using Active Directory Users and Computers:

Navigate to the target Organizational Unit
Right-click > Delegate Control
Click Add and enter the service account name
Select these delegated tasks:
- Create, delete, and manage user accounts
- Reset user passwords and force password change
- Read all user information
- Modify group membership

Using PowerShell:

Import-Module ActiveDirectory
$OrganizationalUnit = "OU=<your_OU>,DC=<domain>,DC=<tld>"
$Users = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"
Set-Location AD:

$User = Get-ADUser -Identity "veza-ad-lcm"
$UserSID = [System.Security.Principal.SecurityIdentifier] $User.SID
$Identity = [System.Security.Principal.IdentityReference] $UserSID

# Create permission for managing users
$RuleCreateDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, "CreateChild, DeleteChild", "Allow", $Users, "All"

# Create permission for password resets
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity,
"ExtendedRight", "Allow", $ResetPassword, "Descendents", $Users)

# Apply permissions
$ACL = Get-Acl -Path $OrganizationalUnit
$ACL.AddAccessRule($RuleCreateDeleteUsers)
$ACL.AddAccessRule($RuleResetPassword)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL

3. Configure the Integration in Veza

Navigate to Configurations > Integrations
Either:
- Create a new Active Directory integration
- Edit an existing Active Directory integration
Enable Lifecycle Management:
- Check Enable Lifecycle Management
- Enter the Lifecycle Management Username (service account created above)
- Enter the Lifecycle Management Password
Save the configuration

Note: The AD User created for lifecycle management can be the same as the primary AD User created for extraction, provided that the user has all required permissions listed above.

GitHub

Configuring the GitHub integration for Veza Lifecycle Management.

Overview

The Veza integration for GitHub enables automated user lifecycle management, with support for user provisioning, team membership management, and account deprovisioning.

Action Type

Description

Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

✅

MANAGE_RELATIONSHIPS

Controls entitlements such as organization and team memberships for identities

✅

DEPROVISION_IDENTITY

Safely removes or disables access for identities by suspending accounts

✅

SOURCE_OF_IDENTITY

GitHub can act as a source system for identity lifecycle policies

❌

This document includes steps to enable the GitHub integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for GitHub

Prerequisites

You will need administrative access in Veza to configure the integration and site administrator privileges in GitHub Enterprise Server.
Ensure you have an existing GitHub integration in Veza or add a new one for use with Lifecycle Management.
Verify your GitHub integration has completed at least one successful extraction
The GitHub integration will need the additional required GitHub App permissions:
- Organization permissions - Members (Write) - Required for managing organization memberships
- Organization permissions - Administration (Write) - Required for administrative operations
- Repository permissions - Administration (Write) - Required for managing team memberships

Important: GitHub LCM operations use Admin API endpoints that require site administrator privileges. These operations are typically available in GitHub Enterprise Server environments, not GitHub.com.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a GitHub integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your GitHub data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for GitHub in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

GitHub can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

User login cannot be changed after creation
GitHub usernames must be unique and follow GitHub naming rules (39 characters max, alphanumeric plus hyphens)
Email addresses must be unique across the GitHub instance
Requires site administrator privileges for user creation operations

The following attributes can be synchronized:

GitHub User Attributes

Property

Required

Type

Description

Notes

Yes

String

GitHub username

Unique identifier, immutable

emails

Yes

Array

List of email addresses

Primary email required

active

Boolean

User account status

true=active, false=suspended

public_email

String

Public email for profile

Must be in emails list

display_name

String

User's display name

Shown on GitHub profile

is_site_admin

Boolean

Site administrator privileges

GitHub Enterprise only

Manage Relationships

Both adding and removing memberships are supported. Organization and team memberships are automatically removed during deprovisioning.

Add and remove organization memberships with member role
Add and remove team memberships with member role
Synchronize access assignments based on external identity changes
Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned:

User account is suspended in GitHub Enterprise Server
All organization and team memberships are removed automatically
Commit history and attribution are preserved for audit and compliance
Account can be reactivated if needed (unsuspended)
User receives appropriate error messages when attempting to access GitHub

Workflow Examples

New Employee Onboarding

Create GitHub accounts and assign appropriate access for new developers:

Identity Sync: Create user account with basic profile information
Organization Access: Add user to primary GitHub organization
Team Assignment: Assign to development teams based on department
Profile Setup: Configure public email and display name

Role Change Management

Update GitHub access when employees change departments or roles:

Relationship Updates: Remove existing team memberships
New Access: Add memberships for new role requirements
Audit Trail: Track all membership changes for compliance

Employee Offboarding

Securely remove access while preserving development history:

Account Suspension: Suspend GitHub account to prevent access
Membership Removal: Remove all organization and team memberships
History Preservation: Maintain commit attribution and repository history
Compliance: Generate audit trail of all access removal actions

Oracle Database

Configuring the Oracle Database integration for Veza Lifecycle Management

Overview

The Veza integration for Oracle DB enables automated user provisioning, access management, and deprovisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

Action Type

Description

Supported

This document outlines the steps to enable Oracle DB integration for use in Lifecycle Management, including supported actions and relevant notes. See for more details.

Enabling Lifecycle Management for Oracle DB

Prerequisites

You will need administrative access in Veza to configure the integration.
Ensure you have an existing integration in Veza or add a new one for use with Lifecycle Management.
Verify your Oracle DB integration has completed at least one successful extraction.
Database administrator privileges in Oracle DB (ability to create common users and grant privileges)
For multi-tenant configurations: access to CDB$ROOT container
Supported Oracle Database versions: 19c, 21c, or 23ai

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create an Oracle DB integration
Check the box, Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Oracle DB data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Oracle DB in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Oracle DB can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from Oracle DB, with changes propagated to connected systems.

Oracle DB can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following Lifecycle Management :

Sync Identities

The following attributes can be synchronized:

Property

Required

Type

Description

Notes

SYNC_IDENTITIES

Entity Type: OracleDB User
Create Allowed: Yes
Method: SQL CREATE USER / ALTER USER

MANAGE_RELATIONSHIPS

Entity Types: OracleDB Role
Assignee Types: OracleDB User
Supports Remove: Yes
Method: SQL GRANT ROLE / REVOKE ROLE

DEPROVISION_IDENTITY

Entity Type: OracleDB User
Method: DISABLED (account lock via ALTER USER ... ACCOUNT LOCK)
Removes Relationships: Yes

DELETE_IDENTITY

Entity Type: OracleDB User
Method: Permanent deletion via DROP USER

Workflow Examples

Employee Onboarding

Create an Oracle DB user account with the Sync Identities action
Assign default role based on department with Manage Relationships
Set password (requires change on first login)
Configure profiles and tablespaces

Role Change Management

Update user attributes (profile, tablespaces) with Sync Identities
Remove old role assignments with Manage Relationships
Grant new roles appropriate for the new position

Employee Offboarding

Lock user account with Deprovision Identity (ACCOUNT LOCK)
Remove all role assignments
Preserve the user record for audit purposes
Optional: Delete user permanently with Delete Identity (DROP USER)

Snowflake

Configuring the Snowflake integration for Veza Lifecycle Management.

Overview

The Veza integration for Snowflake enables automated user lifecycle management, with support for user provisioning and de-provisioning, role assignment management, and attribute synchronization.

Action Type

Description

Supported

This document includes steps to enable the Snowflake integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Snowflake

Prerequisites

You will need administrative access in Veza to configure the integration and USERADMIN role or equivalent privileges in Snowflake.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your Snowflake integration has completed at least one successful extraction
The Snowflake integration will need the additional required privileges:
- CREATE USER privilege on the account for user provisioning
- GRANT ROLE privilege for role assignments
- OWNERSHIP privilege on target roles for role management
- Access to a warehouse for executing queries during lifecycle operations

Important: The Snowflake user account used for Lifecycle Management operations should have USERADMIN role or higher privileges to ensure proper user and role management capabilities.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a Snowflake integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Snowflake data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Snowflake in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Snowflake can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

User names must be unique and follow Snowflake identifier naming conventions
Login names are used for authentication and must be unique
Passwords are automatically generated and set to require change on first login
Users are created with appropriate default settings for the Snowflake environment

The following attributes can be synchronized:

Snowflake User Attributes

Property

Required

Type

Description

Notes

Manage Relationships

Role assignment management for users:

Add and remove role assignments for users
Synchronize role memberships from source systems
Support for direct role grants to users
Roles must exist in Snowflake before assignment

Within Snowflake, roles can be associated with:

Database and schema access permissions
Table and view privileges
Warehouse usage rights
Administrative privileges for account management

Deprovision Identity

When a user is deprovisioned:

User account is disabled (set DISABLED = TRUE)
Role assignments are removed to revoke access
User attributes are preserved for audit purposes
Account can be reactivated if needed for compliance requirements

Workflow Examples

Employee Onboarding

Automated provisioning when a new employee joins:

Create User Account: Sync identity attributes from HR system to create Snowflake user with name and login details
Assign Department Role: Grant role based on department attribute (e.g., SALES_ANALYST, DATA_ENGINEER)
Set Default Role: Configure default role for the user's session
Add Email and Comments: Populate user profile with contact information and descriptive notes

Role Change Management

Managing access when employees change roles:

Update User Attributes: Sync changed attributes like email or comments
Remove Old Roles: Revoke previous role assignments that are no longer appropriate
Grant New Roles: Assign roles appropriate for the new position
Update Default Role: Change the user's default role for new sessions

Employee Offboarding

Secure access removal when employees leave:

Disable Account: Set user account to disabled status
Revoke All Roles: Remove all role assignments to eliminate data access
Preserve Audit Trail: Maintain user record and history for compliance
Optional Cleanup: Remove user completely with DROP USER if no audit trail is needed

Workday

This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.

Overview

Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:

Automated security group assignments for new employees
Dynamic group membership updates during role changes
Access removal during offboarding
Email synchronization between Workday and downstream systems

Supported Capabilities

Source of Identity

Workday serves as an authoritative source for employee identity information:

Entity Type: Workday Worker
Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes

Lifecycle Actions

Manage Relationships

Controls access to Workday security groups.

Entity Types: Workday Security Group
Assignee Types: Workday Account
Supports Relationship Removal: Yes

Write Back Email

Updates email addresses in Workday worker records to maintain consistency with other systems.

Entity Type: Workday Worker
Purpose: Ensures Workday remains the single source of truth for employee email addresses

Custom Properties

The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.

Configuration Steps

1. Create Business Process Security Policy

Log into Workday and search for Edit Business process security policy
Under Business Process Type, select Work Contact Change
Work Contact Change
Find "Initiating Action: Change Work Contact Information (REST Service)"
Create a Segment-Based Security Group
Create security group
Configure the security group:
- Add the security group created for Veza integration
- Add "Worker" scope to Access Rights
Edit security group
Verify the security group appears in Initiating Action Security groups
Pending changes
Click OK and Done to save changes

2. Activate Security Policy Changes

Search for Activate Pending Security Policy Changes
Review changes, add a comment, and click OK
Apply changes
Verify changes in Business Process Security Policy

3. Configure Security Group Permissions

Add these Domain Permissions to the security group:

Access

Policy

View and Modify

Workday Query Language

View and Modify

Person Data: Work Email

View and Modify

Person Data: Work Contact Information

View and Modify

Worker Data: Staffing

View and Modify

Worker Data: Public Worker Reports

Get Only

Security Configuration

Get Only

Business Process Administration

View and Modify

Security Administration

View and Modify

Workday accounts

View and Modify

Special OX Web Services

Get and Put

User-Based Security Group Administration

4. Update API Client Configuration

Open Edit API Client
Add required scopes:
- Staffing
- Contact Information
- System
- Tenant Non-Configurable
- Organizations and Roles
  Edit Workday API client

5. Configure Workday Integration in Veza

Navigate to Configurations > Integrations
Either:
- Create a new Workday integration
- Edit an existing Workday integration
Enable Lifecycle Management:
- Check Enable Lifecycle Management
If using custom attributes, configure them in the Custom Properties section

API Access Notes

The integration uses these API endpoints for email write-back:

%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/emailAddresses
%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/submit
%s/ccx/api/staffing/v5/%s/workers/%s/workContactInformationChanges

For general metadata discovery, WQL queries access:

allWorkdayAccounts
allWorkers
securityGroups
domainSecurityPolicies
businessProcessTypes

Implementation Notes

Workday Workers are the primary entity for identity information
Bidirectional management of Account-Security Group relationships is supported
Email write-back operates on Worker entities, not Account entities
Custom attribute availability depends on your Workday configuration
The Sync Identities action is not currently supported for Workday

Oracle HCM

Configuring the Oracle HCM integration for Veza Lifecycle Management.

Overview

Early Access: Oracle HCM integration is currently in Early Access. Please contact our customer success team to enable the INTEG_ORACLE_HCM_HRIS feature flag for your environment.

The Veza integration for Oracle HCM enables automated identity lifecycle management with support for identity synchronization and email write-back capabilities. Oracle HCM is designed to serve as a source of identity for Lifecycle Management workflows.

Action Type

Description

Supported

SOURCE_OF_IDENTITY

Oracle HCM provides worker data as input for identity lifecycle policies

✅

EMAIL_WRITE_BACK

Writes email addresses from target systems back to Oracle HCM worker records

✅

SYNC_IDENTITIES

Synchronizes identity attributes to Oracle HCM (as target)

❌

CREATE_IDENTITY

Creates new user accounts or worker records

❌

MANAGE_RELATIONSHIPS

Controls entitlements such as group memberships and role assignments

❌

DEPROVISION_IDENTITY

Safely removes or disables access for identities

❌

CREATE_ENTITLEMENT

Creates entitlements such as groups or roles

❌

This document includes steps to enable the Oracle HCM integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Oracle HCM

Prerequisites

You will need administrative access in Veza to configure the integration and appropriate access in Oracle HCM.
Ensure you have an existing Oracle HCM integration in Veza or add a new one for use with Lifecycle Management.
Verify your Oracle HCM integration has completed at least one successful extraction
The Oracle HCM service account requires specific permissions for different operations:
REST API Permissions (Read-only):
- /hcmRestApi/resources/11.13.18.05/workers - View worker records
- /hcmRestApi/resources/11.13.18.05/jobs - View job information
- /hcmRestApi/resources/11.13.18.05/actionsLOV - View available actions
SCIM API Permissions:
- /hcmRestApi/scim/Users - User management endpoint
  - GET: Read user by ID, person number, or username
  - PATCH: Update user email addresses only (write-back functionality)
  - Note: Only email updates are performed; full user creation/deletion not used
BI Publisher Permissions:
- Execute reports via the QueryDM interface
- Access to custom report path (must start with /Custom and end with .xdo)
- Retrieve CSV-formatted report output
- Uses same BI Publisher infrastructure as Oracle Fusion Cloud integration.

Important: Oracle HCM integration requires specific report configurations and API access. Ensure your Oracle HCM user account has sufficient privileges to read worker data and update email addresses.

Technical Requirements:

Oracle HCM REST API version: 11.13.18.05
REST Framework version: 4
SCIM 2.0 support for user operations
HTTP Basic Authentication
Concurrent request limit: 8 (for optimal performance)

Configuration Parameters:

url: Oracle HCM instance URL (required)
username: Service account username (required)
password: Service account password (required)
report_path: BI Publisher report path starting with /Custom (required)
additional_columns: Comma-separated list of additional CSV columns to extract (optional)
identity_mapping: Custom identity mapping configuration (optional)

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create an Oracle HCM integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Oracle HCM data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Oracle HCM in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

BI Publisher Report Configuration

Oracle HCM integration relies on BI Publisher reports to extract worker data. The report must be properly configured with specific requirements:

Report Path Requirements

Must be an absolute path starting with /Custom
Must end with .xdo extension
Example: /Custom/HCM/WorkerDataReport.xdo

Required CSV Column Headers

The BI Publisher report must output CSV data with these exact column headers:

Core Required Columns:

CORRELATION_ID - Unique worker identifier (required)
EMPLOYEE_ID - Employee number/ID (required)
FIRST_NAME - Worker's first name (required)
LAST_NAME - Worker's last name (required)
STATUS - Employment status (must be "ACTIVE" for active workers)
START_DATE - Employment start date in YYYY-MM-DD format

Additional Standard Columns:

NAME - Full name
COMPANY_NAME - Company name
PREFERRED_FIRST_NAME - Preferred first name
DISPLAY_NAME - Display name
CANONICAL_NAME - Canonical name
USER_NAME - Username
EMAIL - Primary email address
PERSONAL_EMAIL - Personal email
HOME_LOCATION - Home location
LOCATION - Work location
COST_CENTER - Cost center code
DEPARTMENT_NAME - Department name
MANAGER - Manager's correlation ID
ACTIVE - Active flag (Y/N)
TERM_DATE - Termination date in YYYY-MM-DD format
TITLE - Job title
EMPLOYEE_TYPE - Employment type (full time, part time, contractor)

Data Format Requirements

Date Format: All dates must use YYYY-MM-DD format
Employment Status: Must be exactly "ACTIVE" for active workers (case-sensitive)
Boolean Values: Use "Y" or "N" for the ACTIVE column
Duplicate Records: System handles duplicates by keeping the most recent active record

Supported Actions

Oracle HCM serves as a source for identity information in Lifecycle Management Policies. Based on the implementation configuration, Oracle HCM supports only two specific actions:

Source of Identity

Oracle HCM provides authoritative worker information for identity lifecycle policies:

Data Flow: FROM Oracle HCM TO target systems (unidirectional)
Purpose: Serves as the authoritative source for worker identity data
Scope: Worker records from BI Publisher reports are made available to lifecycle policies
Usage: Target systems can query Oracle HCM worker data for provisioning decisions

Available Worker Attributes for Lifecycle Management:

Oracle HCM uses a multi-layer attribute system:

BI Publisher Report Fields: Over 20 fields available for reading worker data (see BI Publisher Report Configuration)
Lifecycle Management Attributes: Only 3 attributes are available for synchronization:

Property

Required

Type

SCIM Mapping

Description

Notes

user_name

Yes

String

userName

Worker username

Primary identifier, required for all operations

String

emails[0].value

Worker's email address

Can be updated via write-back, single email only

display_name

String

displayName

Worker's display name

May experience update delays

Important: The SCIM API only supports these three attributes for write operations. All other worker data from BI Publisher reports is read-only.

Worker Identification Methods

Workers can be identified using multiple approaches:

Person Number (Preferred): Extracted from entity ID for most operations
Entity ID: Used for direct operations and testing scenarios
SCIM User ID: Used specifically for email write-back operations

Email Write-Back

Oracle HCM supports writing email addresses from target systems back to worker records:

Direction: Unidirectional - writes email addresses FROM provisioned target systems TO Oracle HCM worker records
Method: Uses SCIM PATCH operation to update worker email addresses
Worker Identification: Supports both entity ID-based and person number-based worker identification
Limitation: Oracle HCM SCIM API supports only one email address per worker record
Logic: Only updates if the new email address differs from the existing value

When an email address is created in a target system (such as Exchange or Google Workspace), the write-back action updates the corresponding Oracle HCM worker record with the new email address via the /hcmRestApi/scim/Users endpoint.

Workflow Examples

New Hire Onboarding

Oracle HCM can serve as the source of truth for new hire provisioning workflows:

Worker Added in Oracle HCM: New worker record is created with basic information
Identity Sync: Worker attributes are synchronized to target systems (Active Directory, Okta, etc.)
Email Creation: Corporate email account is created in the target email system
Email Write-Back: The newly created email address is written back to the Oracle HCM worker record

Employee Information Updates

When worker information changes in Oracle HCM:

Attribute Changes: Worker attributes are updated in Oracle HCM (department, title, etc.)
Continuous Sync: Changes are automatically propagated to connected target systems
Consistency Maintenance: All systems maintain consistent worker information

Email Address Provisioning

For workers who need new email addresses:

Email Creation: Target email system creates a new email account
Write-Back Process: Oracle HCM worker record is updated with the new email address via SCIM API
Identity Sync: Updated email information is synchronized across all connected systems

Troubleshooting

Common Configuration Issues

Report Path Errors:

Ensure report path starts with /Custom and ends with .xdo
Verify the report exists and is accessible
Check BI Publisher permissions

Column Mapping Issues:

Verify all required column headers are present in CSV output
Check column name spelling (case-sensitive)
Ensure date columns use YYYY-MM-DD format

Authentication Failures:

Verify HTTP Basic Authentication credentials
Check user has access to required API endpoints
Confirm SCIM permissions for email write-back

Data Processing Problems:

STATUS column must contain "ACTIVE" for active workers
CORRELATION_ID must be unique for each worker
Handle duplicate records appropriately

Email Write-Back Issues:

Verify worker exists and is identifiable by person number or entity ID
Check SCIM endpoint permissions
Only one email address per worker is supported

Transformer Reference

Reference guide for supported transformation functions and parameters for attribute transformers

This page includes a comprehensive list of all supported transformer functions and parameters. Some commonly used transformation functions include:

Replacing a character with a different one
Removing domains from email addresses
Transforming to upper, lower, camel, or snake case
Using a substring from the original value

See for more information about using attribute transformers to update or create attributes in downstream systems based on changes in your source of identity.

APPEND

This transformer enables string concatenation by appending text to the end of attribute values during identity provisioning workflows.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{john | APPEND, "." | APPEND, "{smith}"}@company.com

Output:

[email protected]

ASCII

Removes non-printable characters and replaces non-ASCII characters with their closest ASCII equivalents.

Note: The ASCII transformer performs operations on the base level, not the extended set.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{"Łukasz Gruba" | ASCII}

Output:

Lukasz Gruba

ASSUME_TIME_ZONE

Interprets the incoming time string as if it were in the specified time zone, then converts it to a UTC time. (example: if the input is "1/2/2025 11pm" and the defined time zone is "America/Los_Angeles" the function will treat "1/2/2025 11pm" as local time in Los Angeles and output the corresponding UTC time "1/3/2025 7am")

Parameter Format

String - Time Zone String (Optional) - Format

Usage Example

Input:

{activation_date | ASSUME_TIME_ZONE, "America/Los_Angeles"}

{activation_date | ASSUME_TIME_ZONE, "America/Los_Angeles", "RFC3339"}

{activation_date | ASSUME_TIME_ZONE, "-07:00"}

{activation_date | ASSUME_TIME_ZONE, "-07:00", "RFC3339"}

COUNTRY_CODE_ISO3166

Transforms country code to ISO 3166 format.

defines codes for the representation of country names, dependent territories, and their subdivisions

Parameter Format

Format (STRING, optional): [alpha2, alpha3, numeric], defaults to alpha2

Usage Example

Input:

{"US" | COUNTRY_CODE_ISO3166, "alpha3"}

Output:

USA

DATE_ADJUST

Adjusts date value based on date and day.

Parameter Format

Integer - date

Integer - day

Usage Example

Input:

{activation_date | DATE_ADJUST_DAY, +1}

{activation_date | DATE_ADJUST_DAY, +1, "RFC3339"}

{activation_date | DATE_ADJUST_DAY, +1, "2006-01-02T15:04:05Z07:00"}

DATE_ADJUST_DAY

Adjusts date value based on hour, day, month, year inputs provided (example: 2021-01-01 00:00:00 with a DATE_ADJUST of "+1,2,3,-1" becomes "2020-04-03 01:00:00").

Parameter Format

Integer - date

Integer - hour

Integer - day

Integer - month

Integer-year

String (Optional) - Format

Usage Example

Input:

{activation_date | DATE_ADJUST, +1, 2, 3, -1}

{activation_date | DATE_ADJUST, +1, 2, 3, -1, "RFC3339"}

{activation_date | DATE_ADJUST, +1, 2, 3, -1, "2006-01-02T15:04:05Z07:00"}

DATE_FORMAT

Transforms dates to a different format using Go time layout syntax.

Parameter Format

Output Layout (STRING, required): Go time layout for output format. Input Layout (STRING, optional): Go time layout for input format

Usage Example

Input:

{start_date | DATE_FORMAT, "01/02/2006"}

Output:

01/02/2006 (This transformer formats date as MM/DD/YYYY)

FIRST_N

Picks the first N characters of a string.

Parameter Format

Characters (STRING, required)

Length (NUMBER, required): Number of characters to return

Usage Example

Input:

{"world" | FIRST_N, 4}

Output:

worl (This transformer takes the first four characters of the string.)

FROM_ENTITY_ATTRIBUTE

Transforms a string from an attribute of another entity in the graph.

Parameter Format

EntityType (STRING, required)

SourceAttribute (STRING, required),

TargetAttribute (STRING, required)

Usage Example

Input:

{Employee:ID | FROM_ENTITY_ATTRIBUTE, "ManagerID"}

Output:

Manager ID (for the employee)

LANGUAGE_RFC5646

Transforms language to RFC 5646 format.

defines "Tags for Identifying Languages." It does not contain a fixed, exhaustive list of language codes within the RFC itself. Instead, it specifies the structure and rules for constructing language tags, which are then built using codes from various external standards and registries.

Parameter Format

Characters (STRING, required): String of a language name

Usage Example

Input:

{"Spanish" | LANGUAGE_RFC5646}

Output:

es

LAST_N

Picks the last N characters of a string, where N is the number of characters to return.

Parameter Format

Length (NUMBER, required)

Usage Example

Input:

{"helloworld" | LAST_N, 5}

Output:

world

LEFT_PAD

Left pads a string with a character.

Parameter Format

Length (NUMBER, required), Pad (CHARACTER, optional): Default is space

Usage Example

Input:

{"123" | LEFT_PAD, 5, "0"}

Output:

00123

LOOKUP

Transforms a value using a lookup table.

Parameter Format

Table Name (STRING, required),

Column Name (STRING, required), Return Column Name (STRING, required)

Usage Example

Input:

{"IL001" | LOOKUP, "locationTable", "location_code", "city"}

Output:

Chicago

LOWER

Transforms all uppercase characters in a string to lower-case characters.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{"HELLO" | LOWER}

Output:

hello

LOWER_SNAKE_CASE

Transforms string to lowercase with underscores.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{"Hello World" | LOWER_SNAKE_CASE}

Output:

hello_world

NEXT_NUMBER

Generates a set of integers as strings.

Parameter Format

Integer (NUMBER, required), Length (NUMBER, required)

Usage Example

Input:

{| NEXT_NUMBER, 2, 3}

Output:

"", "2", "3", "4"

Note: This transformer can also be used within an IF/ELSE conditional transformer for intelligent username generation with automatic fallback strategies.

NEXT_NUMBER Max Length

This transformer supports an optional maximum length parameter to simplify complex username generation workflows. It automatically evaluates combined strings (such as {first_name}_{last_name}) and truncates to specified character limits before appending numerical suffixes.

Generates a set of integers as strings.

Parameter Format

Integer (NUMBER, required), Length (NUMBER, required)

Usage Example

Input:

{"foobar" | NEXT_NUMBER, 1, 12, 4}

Output:

foob foo1 foo2 foo3 foo4 foo5 foo6 foo7 foo8 foo9 fo10 fo11 fo12

NOW

Returns the current time in UTC. An optional argument indicates the outgoing time format; by default, the RFC3339 format.

Parameter Format

String (Optional) - Format

Usage Example

Input:

{NOW}

{| NOW, "RFC3339"}

{NOW, "RFC3339"}

{NOW, "2006-01-02T15:04:05Z07:00"}

PHONE_NUMBER_E164

Transforms a phone number into the E.164 format.

E. 164 numbers are formatted [+] [country code] [subscriber number including area code] and can have a maximum of fifteen digits. Parameter Format

Region (STRING, optional): ISO 3166-1 alpha-2 format

Usage Example

Input:

{"+1-800-555-1212" | PHONE_NUMBER_E164}

Output:

+18005551212

PREPEND

This transformer enables string concatenation by prepending text to the beginning of attribute values during identity provisioning workflows.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{"NYC" | PREPEND, "CORP_"}

Output:

CORP_NYC

RANDOM_ALPHANUMERIC_GENERATOR

Generates a random alphanumeric string.

Parameter Format

Length (NUMBER, required)

Usage Example

Input:

{| RANDOM_ALPHANUMERIC_GENERATOR, 8}

Output:

a1B2c3D4

Note: This transformer generated an alphanumeric string with eight characters.

RANDOM_INTEGER

Generates a random integer value between specified minimum and maximum values (inclusive).

Parameter Format

Min (NUMBER, required): The minimum value of the random integer

Max (NUMBER, required): The maximum value of the random integer

Usage Example

Input:

{| RANDOM_INTEGER, 1, 100}

Output:

42

Input:

Veza{| RANDOM_INTEGER, 3, 5}

Output:

Veza4

Note: This transformer does not require an input value but generates a random integer within the specified range. The generated value is appended to any existing string value. The range is inclusive, meaning both min and max values can be generated.

RANDOM_NUMBER_GENERATOR

Generates a random number string.

Parameter Format

Length (NUMBER, required)

Usage Example

Input:

{| RANDOM_NUMBER_GENERATOR, 4}

Output:

4829

Note: This transformer generated a random numeric string with four characters.

RANDOM_STRING_GENERATOR

Generates a random string.

Parameter Format

Length (NUMBER, required)

Usage Example

Input:

{| RANDOM_STRING_GENERATOR, 6}

Output:

uFkLxw

Note: This transformer generated a random alpha string with six characters.

REMOVE_CHARS

Removes all instances of specified characters from a string.

Parameter Format

Characters (STRING, required): Characters to be removed

Usage Example

Input:

{"[email protected]" | REMOVE_CHARS, "@."}

Output:

FirstLastexamplecom

REMOVE_DIACRITICS

Removes diacritics (accents, etc.) from input string.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{"José" | REMOVE_DIACRITICS}

Output:

Jose

REMOVE_DOMAIN

Removes the domain from an email address.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{"[email protected]" | REMOVE_DOMAIN}

Output:

pennylane

REMOVE_WHITESPACE

Removes all whitespace characters from a string.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{"First Last" | REMOVE_WHITESPACE}

Output:

FirstLast

REPLACE_ALL

Replaces all instances of one string with another.

Parameter Format

Original (STRING, required),

New (STRING, required)

Usage Example

Input:

{"hello world" | REPLACE_ALL, " ", "_"}

Output:

hello_world

RIGHT_PAD

Right pads a string with a character.

Parameter Format

Length (NUMBER, required),

Pad (CHARACTER, optional): Default is space

Usage Example

Input:

{"123" | RIGHT_PAD, 5, "0"}

Output:

12300

SPLIT

Splits a string and returns the string at the given index.

Parameter Format

Split String (STRING, required), Index (NUMBER, required)

Usage Example

Input:

{"[email protected]" | SPLIT, "@", 0}

Output:

first.last

Note: This transformer generated the results where the index starts at zero (0).

SUB_STRING

Picks a substring from the original value.

Parameter Format

Offset (NUMBER, required), Length (NUMBER, required)

Usage Example

Input:

{"hello" | SUB_STRING, 0, 3}

Output:

hel

TRIM

Removes any white spaces before and after a string.

Parameter Format

Characters (STRING, required)

Usage Example

Input:

{" hello " | TRIM}

Output:

hello

TRIM_CHARS

Removes all specified characters from the beginning and end of a string.

Parameter Format

Characters (STRING, required): Characters to be trimmed

Usage Example

Input:

{"....first.last----" | TRIM_CHARS, ".-"}

Output:

first.last

TRIM_CHARS_LEFT

Removes all specified characters from the beginning of a string.

Parameter Format

Characters (STRING, required): Characters to be trimmed from the left

Usage Example

Input:

{"....first.last----" | TRIM_CHARS_LEFT, ".-"}

Output:

first.last----

TRIM_CHARS_RIGHT

Removes all specified characters from the end of a string.

Parameter Format

Characters (STRING, required): Characters to be trimmed from the right

Usage Example

Input:

{"....first.last----" | TRIM_CHARS_RIGHT, ".-"}

Output:

....first.last

UPPER

Transforms string to uppercase.

Parameter Format

Characters (STRING, required):

All lowercase characters to be converted to upper-case characters

Usage Example

Input:

{"hello" | UPPER}

Output:

HELLO

UPPER_CAMEL_CASE

Transforms a string to upper camel case.

Parameter Format

Characters (STRING, required):

First characters of a string to be converted to upper-case characters for camel case

Usage Example

Input:

{"hello world" | UPPER_CAMEL_CASE}

Output:

HelloWorld

UPPER_SNAKE_CASE

Transforms string to uppercase with underscores.

Parameter Format

Characters (STRING, required):

All lower-case characters to be converted to uppercase characters with an underscore between strings

Usage Example

Input:

{"hello world" | UPPER_SNAKE_CASE}

Output:

HELLO_WORLD

UTC_TO_TIME_ZONE

Interprets the incoming time string as if it were in UTC and then converts it to the specified time zone. (example: if the input is "1/2/2025 11pm" and the specified time zone is "America/Los_Angeles" the function will treat "1/2/2025 11pm" as the UTC time zone and output the corresponding "America/Los_Angeles" time "1/2/2025 3pm") Note: When using the time zone parameter, a named time zone ("America/Los_Angeles") accounts for daylight saving time, whereas a time zone offset ("-07:00") is always calculated from UTC, ignoring daylight saving time.

Parameter Format

String - Time Zone String (Optional) - Format

Usage Example

Input:

{activation_date | UTC_TO_TIME_ZONE, "America/Los_Angeles"}

{activation_date | UTC_TO_TIME_ZONE, "America/Los_Angeles", "RFC3339"}

{activation_date | UTC_TO_TIME_ZONE, "-07:00"}

{activation_date | UTC_TO_TIME_ZONE, "-07:00", "RFC3339"}

UUID_GENERATOR

Generates a UUID.

A UUID (Universally Unique Identifier) is a 128-bit identifier used to uniquely identify information in computer systems.

Parameter Format

NONE

Usage Example

Input:

{| UUID_GENERATOR}

Output:

123e4567-e89b-12d3-a456-426614174000

Policies

Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings

Overview

Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate. This might include hiring a new employee, terminating an existing employee, transferring an existing employee to another department, or other actions triggered by changes in status.

A policy can contain one or more workflows that run under different conditions. For example, one workflow might be applied when employees enter an "Active" state (for Joiner/Rehire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also be triggered when an employee's hire date falls within a certain threshold, such as being less than 4 days away, or when it is related to any other employee property within the source of identity.

For most enterprise deployments, Veza recommends:

One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
- One for active users to cover Joiner and/or Mover scenarios (including Re-hire)
- Another for inactive users to cover Leaver scenarios

Add a Lifecycle Management Policy

To create a policy for a source of identity:

Go to Policies.
Click Create Policy.
Enter a policy name and description.
- The policy name is used to identify it on the Policies list and event logs
- The name should indicate the source of identity that the policy applies to
Select a Primary Identity Source using the arrows to display a list of available data source integrations.
- The selected identity source will trigger workflows in the policy
- For the identity source to appear in the menu list, the integration must have Lifecycle Management enabled and be available as a source of identity (SOI).
See Integrations for a list of supported providers and the steps to enable a Lifecycle Management data source.
Note: A Lifecycle Management data source can only be used to trigger workflows in one policy at a time. However, you can assign multiple Lifecycle Management data sources to a single policy as Primary Identity Sources. For example, Company A merges with Company B using Active Directory as its Primary Identity Source. The Primary Identity Source can be comprised of two integrations: Company A AD (from a CSV Upload integration) and Company B Employee Directory (from an OAA integration).
(Optional) Use the Additional Identity Source to add more data sources and correlating attributes.
- Click Add Source.
- Use the arrows to search for an Identity Source.
- In Primary Attributes, select a primary attribute from the dropdown menu.
- In Additional Attributes, select another attribute from the dropdown menu.
- Click Add to add more Primary Attributes and/or Additional Attributes.
- The Only enrich identity if existing in Primary Identity Source option controls identity creation:
  - Enabled: Only adds data to existing identities from the Primary Identity Source. Does not create new LCM identities.
  - Disabled: Creates new LCM identities when users exist in the Additional Identity Source but not in the Primary Identity Source.
Click Save. The policy is automatically set to the Initial state.

Simulation Dry Run on Policy

The Dry Run allows you to simulate and preview how a Policy would process an identity, without making actual changes to target systems. This testing tool helps you validate workflow conditions, preview potential changes, and understand what actions would be triggered for specific identities.

How Dry Run Works

The Dry Run evaluates workflow logic but does not interact with target integrations. Verify integration health to ensure target systems are accessible before running actual policies. Dry Run takes a policy and an identity to simulate:

The workflows triggered
All actions that would run
What Access Profiles would be assigned
Any potential changes to entities and attributes

You can test how policies would respond to identity attribute changes for different scenarios during a Dry Run simulation without impacting the actual identity attribute values.

Starting a Dry Run

You can initiate a Dry Run in two ways:

From a Lifecycle Management Policy

When editing a policy, open the Dry Run tool to preview changes for any identity:

Go to Policies.
Click a policy to view its details.
Click Dry Run Policy at the top right.
Choose the identity and policy to test workflows.
Select one or more attributes to sync. You can modify attributes to simulate potential changes.
Click Show Results.
Review the results:
- Check the Workflows Run section to see which workflows were triggered.
- Check the Potential Changes section to see all job requests that would be generated (e.g., edits to user attributes, adding/removing access profiles).

From Identity Details

You can start a Dry Run when viewing details for any account on the Identities page:

Go to Identities.
Search for an identity and click to view its details.
Expand the Actions menu at the top right and click Policy Dry Run.
Select a policy, customize entity attributes, and click Show Results.

Dry Run Notes:

Result: 0 Changes

When a dry run returns "0 changes", it means:

The selected identity does not meet any of the trigger conditions defined in your policy's workflows
No actions would be executed for this identity when the policy runs
This is not an error - it simply means the identity doesn't qualify for any of the configured workflows

Limitations

Dry Run has several important limitations:

Dry Run evaluates whether workflow conditions are met, not whether actions would succeed
It does not check whether integrations are functioning properly and whether target systems are accessible
It does not validate that changes could be successfully applied
A broken integration might cause workflow-defined changes not to be applied to an identity

Dry Run does not test integration connectivity. Issues like API timeouts, authentication failures, or LDAP attribute mapping errors will not be detected during simulation.

Best Practices

Use Dry Run to validate that policies and their workflows are working as intended before enabling them in a live environment.

Test with Representative Identities: Select identities that represent different scenarios (new hires, role changes, terminations) to validate all workflows in your policy.
Simulate Different Scenarios: Modify identity attributes during Dry Run to test trigger conditions such as:
- Department changes
- Employment status updates
- Location transfers
- Role modifications
Test Edge Cases: Use Dry Run to test unusual scenarios or edge cases that might not occur frequently in your environment.
A Dry Run executes the workflow logic end-to-end, making no external changes. It evaluates conditions, decides which actions would run, and logs the decisions and payloads. That makes it ideal for probing unusual or risky situations without touching real accounts or entitlements. Here are some edge case examples:

Handling long names or names with special characters
Department and location change at once
Same-day rehire after termination

Policy Version

Policies can be version-controlled, allowing for a method to refine and test changes in your automation workflows. You can create draft versions to test changes and validate updates before deployment while maintaining a history of previous configurations. Each policy can have only one active version and one draft version at a time, with automatic archival of retired versions.

Policy State vs Workflow Versioning State

Policies have a current state that is based on their workflow operations.

The Policy state includes:

Initial - Initially created before the first workflow version is published
Running - Actively processing with one or more workflows
Paused - Temporarily disabled
Pending - Waiting for activation
Dry Run - In test mode

Note: In the Policies page, click on the Action overflow icon (three dots) to Start the policy in the Initial state, and Pause or Unpause at the Running state.

The Workflow Version state includes:

Draft - In draft mode for editing and modification
Published - Functional and active
Retired - No longer active or usable

Policy Draft Mode

The Policy Draft Mode is a state where a policy is saved but not yet active. In Policy Draft Mode, you can create, edit, and test policy configurations (such as workflows, actions, or mappings) without affecting real users, identities, or access profiles. Once you are satisfied, you can publish the policy, which moves it from the work-in-progress state to an operational state.

To enable the Policy Draft Mode, perform the following:

On the Lifecycle Management Dashboard page, click Settings in the top menu.
The Lifecycle Management Settings page appears. Click Policy Settings.
Switch ON the Enable Policy Draft Mode button.

Test Policy Workflows using Draft Versioning

You can test and refine your policy workflows to ensure that it is working as expected through a series of draft versions with Dry Run simulations. Once the workflow’s result is satisfactory, publishing the version will change the policy status to ‘active’.

Perform the following steps to test your policy workflow:

Create and save a new policy.
Create a new workflow and Save.
After creating a new workflow, click Publish.
By publishing your workflow, it is ready for activation by going to the Actions menu (three dots icon) and clicking Start. The Create Draft button is enabled.
Click the overflow menu (three dots) and select Perform Dry Run to test your workflow.
If you are not satisfied with the results of the Dry Run simulation, then click Create Draft. Your workflow will be labeled with a new version number.
Click Edit Workflow to make changes to your workflow.
Continue to modify your workflow using the previous steps until your workflow displays the expected results. Click Publish.
You can view the history of your workflow versions and rollback any draft version for use.

Published Policy

A published policy is activated and deployed with the following characteristics:

Enforces the defined rules in your environments, including:
- Creating, modifying, or removing user access.
- Synchronizing identity attributes.
- Triggering workflows or notifications.
Becomes visible in reporting, monitoring, and compliance views.
It can still be updated by moving it back into Policy Draft Mode first.

Enabling and Monitoring Lifecycle Management Policies

Use the Policies page for an overview of initial, running, and paused policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.

To manage policies on the main Policies overview:

Go to Lifecycle Management > Policies
Find the policy you want to manage
- Search for a specific policy by name
- Filter to show all providers by their current state
Click the three dots icon ⋮ in the rightmost column to expand the Actions menu
- View Details - Displays the date (or timeframe) the policy was last updated and its integrations. Use this view to create a workflow, transformer, property, password complexity rules, or transformer functions.
- Pause - Pause the Running state of the policy.
- Delete - Deletes the policy.

Add Workflows to Policies

Policies contain one or more workflows. Typically, workflows correspond to Active and Inactive user states, but not always. More specifically, workflows define a sequence of actions to run when a condition is met, based on events and identity changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, internal employee mobility changes (e.g., promotions, transfers, new managers), or employee departures.

Workflows comprise a tree-like sequence of conditions designed to meet the specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.

Workflows and Trigger Conditions

Trigger Conditions refer to rules or filters that initiate (or delay) provisioning and deprovisioning workflows based on certain events, criteria within identity data sources, or lifecycle workflows.

They are often tied to HR events, such as employee hiring (joiner), role changes (mover), or termination (leaver). For instance, provisioning flows can be triggered when an employee is hired or deprovisioned when terminated.
Trigger Conditions can be time-based, such as “create the Active Directory account 15 days prior to a new employee’s start date”.
Advanced implementations also support relationship-based triggers (e.g., launching workflows when a worker is added to a specific department). Note: Trigger conditions can also encompass transformer functions embedded in SCIM filter conditions, which enable more complex or refined triggering logic within workflows (e.g., matching specific attribute filters to drive provisioning).

Create a Workflow

To add a workflow, perform the following:

Select a policy.
Click Create Workflow.
In Details, enter the workflow name and description.
In the Priority field, use the dropdown menu to select:
- Not set
- Low
- Normal
- Medium
- High
- Critical
The levels dictate the order/priority in which the workflows are run. The higher-priority setting will be processed first. A fairness algorithm is built in to prevent lower-priority workflow tasks from being starved.
In the New Workflow pane, click the trigger attribute. The Edit Workflow pane appears.
Enable Continuous Sync to set controls change detection:
- When enabled, the workflow monitors for any changes in the source of identity
- When disabled, the workflow only runs during initial provisioning
See Attribute Sync and Transformers for more information on Continuous Sync.
In the Trigger Condition field, select a conditional string from the dropdown menu to create a logical syntax that automatically starts the workflow. Once a condition has been set, another conditional string can follow, or an action can be taken.
In the Trigger Details field, select the Attribute to Get the Execute Date from the dropdown menu to specify when the workflow actions should run.
In the Date Formatters, click Add Date Formatter.
Click the Formatter field to display a dropdown menu of operator functions, the Conditional Express function, and attributes.
Click the Pipeline Functions field to display a dropdown menu of operator functions. The Pipeline Functions combine a series of attribute formatters with the pipe (|) character, which runs the value of an attribute in sequential order. The output of one formatter becomes the input of the following formatter.
In the Local Time Zone Diff From UTC field, use the arrows to set your UTC offset:
- Eastern Standard Time (EST): -5
- Pacific Standard Time (PST): -8
- Note: US UTC offset varies during Daylight Saving Time
In the Trigger At Local Time Hour field, use the arrows to set execution time in 1-hour intervals (e.g., 6, 12, 24)
In the Delay before triggering actions field, set the delay timeframe based on hours, minutes, and seconds.
Click Save Workflow. Note: All errors in the workflow must be resolved before it can be saved.

Clone or Delete a Workflow

Once an LCM Policy workflow is saved, the clone and delete options appear alongside the workflow name:

Click on the copy icon to clone the workflow.
Click on the trash bin icon to delete the workflow.

Create a Transformer

A transformer is a rule or function that takes incoming identity or attribute data and modifies it into the format or value that the target system requires.

They’re used when the data source system and target system represent or store information differently. For example, transformers can:

Converting a username from “First.Last” format into all lowercase.
Mapping a department value like “HR” in the source to “Human_Resources” in the target.
Adding a prefix or suffix to attributes (e.g., appending a domain name to create an email).

Transformers act as data processors inside a policy, ensuring that the right values are sent when provisioning, updating, or deprovisioning identities and entitlements.

To add a transformer, perform the following:

Select a policy.
Click Transformers.
Click Add Transformer.
In the New Transformer window, enter a transformer name and description.
Click the Integration field to display a dropdown menu of integrations of a target system.
Click the Entity Type field to display target entity types based on the integration that was previously selected.
In Attributes, click Add Attribute.
In Unique Identifier, click the Destination Attribute field to display a list of attributes.
Click the Formatter field to display a dropdown menu of operator functions, the Conditional Express function, and attributes.
Click the Pipeline Functions field to display a dropdown menu of operator functions. The Pipeline Functions combine a series of attribute formatters with the pipe (|) character, which runs the value of an attribute in sequential order. The output of one formatter becomes the input of the following formatter.
Optionally, click Add Attribute to add more attributes and repeat the attribute steps.
The Fallback Formatters option appears. Click this option to provide an alternative formatter when a conflict occurs if the primary formatter generates a value that is already in use.
Optionally, enable the Continuous Sync function to keep the target entity up-to-date with values from the source of truth.
Click Save.

See Transformer Reference for available transformation functions.

Create a Lookup Table

Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.

This example is a location mapping table, which is a typical format for a Lookup Table:

location_code,state_code,state,city
MN001,MN,Minnesota,Minneapolis
CA001,CA,California,Los Angeles
TX001,TX,Texas,Houston
TX002,TX,Texas,Austin

Once a Lookup Table has been uploaded, it can be processed with the Lookup Transformers. The Lookup transformers convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.

Use Lookup Table Transformers to:

Map source attribute values to different values in target systems
Standardized reference data that must be consistent across applications
Extract different pieces of information from a single attribute value
Have complex mapping requirements that built-in transformers cannot support

See Lookup Table Transformers for detailed information.

To add a Lookup Table, perform the following:

Select a policy.
Click Lookup Table.
Click Add Lookup Table.
In the New Lookup Table window, enter a name and description for the Lookup table.
Drag and drop a CSV file or navigate to a CSV file to upload. The CSV file must be 10MB or less.
After uploading the file, you can preview it.
Click Save.

Create Properties

Properties are the attributes that describe identities, accounts, and entitlements. They serve as the data points a policy can use to determine when and how to take action. Properties can come from:

Built-in properties – default attributes that LCM provides out-of-the-box (for example: username, email, status, created_at).
Custom properties – attributes defined by your organization to capture unique metadata (for example: cost_center, employee_type, manager_id).

Use Properties to:

Properties are referenced in policy conditions (e.g., disable account if status = inactive).
Help with transformers and lookup tables, allowing you to map or reformat values.
Used in identity overrides when syncing accounts from different providers.

To add Properties, perform the following:

Select a policy.
Click Properties.
The Mover Properties appear. Click Edit Properties.
In the Properties window, click the Edit Properties field to display a dropdown menu of attributes.
Select one or more attributes for your property.
Click Save.

Create Password Complexity Rules

Password Complexity Rules in a policy ensure that generated passwords adhere to standardized criteria according to defined password policies across automated provisioning workflows. You can define reusable password complexity rules to enforce requirements for password length, mandatory character types (uppercase letters, lowercase letters, numbers, and special characters), and restricted characters when generating random passwords. These rules are available for selection in Sync Identities, Deprovision Identity, and Reset Password actions when working with integrations that support complex password requirements.

To add Password Complexity Rules, perform the following:

Select a policy.
Click Password Complexity Rules.
Click Create Password Complexity Rule.
In the New Password Complexity Rule window, enter a name and the length of the password (default is 6).
Enable the buttons for:
- Allow lowercase characters
- Allow uppercase characters
- Allow numeric characters
- Allow special characters
Note: At least numbers, lowercase, or uppercase characters must be allowed.
In the Disallow Character field, enter one or more characters that are not allowed in the password.
Select one or more attributes for your property.
Click Save.

Create Transformer Functions

Custom Transformer Functions allow you to programmatically modify or enrich identity attributes as they are synced from identity sources to target systems. These transformations ensure that data formats align across systems and support more dynamic provisioning logic. Such transformers can:

Convert dates into required formats or perform date-based calculations (e.g., adding days to a hire date).
Normalize or transform string values (e.g., case conversion, trimming, substrings).
Apply conditional logic via functions directly within provisioning rules.
Chain multiple transformations into pipelines for complex workflows.
Be tailored per integration or scenario using custom configurations.

To add Transformer Functions, perform the following:

Select a policy.
Click Transformer Functions.
Click Create Custom Transformer Function.
In the New Custom Transformer Function window, enter a name and description of the transformer. Note: The name of the transformer must start with the dollar sign symbol, $, with snake case and no spaces. For example, $CLEAN_TEXT.
Click the Function Express field to display a dropdown menu of operator functions.
Click Save.

Policy Settings

The Policy Settings page provides information about a specific policy and allows for additional configuration, including:

Modify the primary identity source
Define an additional data source to the primary identity source
Configure email notifications or a webhook for action-related events
Enable continuous synchronization to ensure identities are up-to-date
Set a number of actions for a policy to prevent unexpected issues

Making changes in the Policy Settings page will impact all versions (Draft, Published, and Retired) of the policy.

**Policy JSON Viewer**: When enabled, a "Show Raw JSON" button appears in policy header actions to export complete policy configurations for debugging and technical support. See [LCM FAQ](lcm-faq.md#how-can-i-export-or-view-the-complete-json-configuration-of-a-policy) for details.

Details

The Details pane displays the Policy Name and Description fields. These fields are editable for name change or description refinement, if required.

Primary Identity Source

The Primary Identity Source pane displays the integration name of the data source. The Integration field displays all available data sources, where you can add or remove, if required.

You can add multiple Primary Identity Sources if they are the same type of integration. If a different type of integration is required, use the Additional Identity Source.

A Primary Identity Source is the authoritative system that serves as the source of truth for user identities (e.g., HR system, Active Directory, identity provider like Okta/Entra ID). Typically, one type of source of identity is associated with one integration.

The role of the Primary Identity Source includes:

Acts as the authoritative record for user information (emails, roles, statuses).
Lifecycle rules such as provisioning, updates, or deprovisioning are typically triggered based on changes detected in this data source.
Ensures consistency and accuracy across target systems where access is granted or revoked.

Additional Identity Sources

As an option, the Additional Identity Sources pane is typically used to add a different type of integration from the Primary Identity Source, which requires that the additional data source be already configured into Lifecycle Management. You can also correlate primary attributes and additional attributes to be associated with the data source. The added data source will sync for authentication, user updates, or provisioning.

To add an Additional Identity Source, perform the following:

Click Add Source.
In the Select Identity Source field, select a data source. Note: If you enable the 'These types are not related' option, then you cannot correlate any attributes.
In the Correlating Attributes pane, select a Primary Attribute from the dropdown menu.
Select an Additional Attribute from the dropdown menu. Note: The Only enrich identity if existing in Primary Identity Source option:
- Enabled: Only enriches existing identities from the Primary Identity Source. Does not create new identities.
- Disabled: Creates new LCM identities for users found in the Additional Identity Source but not in the Primary Identity Source.

Notifications

When events occur during the execution of a policy’s workflow, notifications can be triggered upon execution of actions in workflows as a means to inform stakeholders or integrate with external systems. These notifications can be optionally configured as their own discrete action in a workflow or as an option when another action is executed. Lifecycle Management supports email- and webhook-based notifications.

For example, an organization might configure its Active Employee policy to send an email to the manager of each new hire after the employee's email address is provisioned. Additionally, a webhook will be sent to the company's learning management system to initiate online onboarding training once each new hire's Okta account is provisioned, following a successful Sync Identity operation.

Use the Notifications to add and manage notifications:

In the Notifications pane, click Add Notification.
Choose the notification type (Email or Webhook).
Choose the event to trigger notifications:
- Create Identity
- Sync Identity
- Add Relationship
- Remove Relationship
- Create Email
- Change Password
- Delete Identity
- Disable Identity
- Manage Relationships
- Write Back Email
- Access Request Complete
- Custom Action
- Action Failed
- Workflow Task Failed
- Extraction Event Failed
- Create Entitlement
- Create Guest Account
- Rename Entitlement
- Create Access Review
- Reset Password
- Create Access Review Queued
- Safety Limit Reached
- Sync Entitlement
Choose the status to trigger notifications (when an event is Successful, or On Failure).
Select an Existing Veza Action. A Veza Action is an integration with functionality for sending data to external systems, enabling downstream processes around Veza alerts, and access to reviewer actions. Use a Veza Action to configure generic webhooks or enable email notifications.
See Veza Actions on how to create and deploy a Veza Action.
To customize the Webhook setting, perform the following:
- In the Webhook URL field, enter the endpoint configured to receive the webhook payload.
- In the Webhook Auth Header field, enter the authorization header if the webhook endpoint requires authentication (e.g., Bearer token123 or API-Key abc456).
To customize the Email setting, perform the following:
- In the Recipients field, add a recipient name. Use a comma when adding additional names.
- In the Recipients From User’s Attributes field, use the arrows to display a list of user attributes. Select one or more attributes that contain email addresses for the email notification.
Click Save.

See Notifications Templates for customizing email notifications.

Advanced Settings

Identity Syncing Option

Identity Syncing at the policy level defines how identities from the authoritative source are synchronized into the target system, including provisioning user accounts or updating existing identities.

The Identity Syncing option controls the behavior of the Sync Identities Actions in a policy workflow, which has Continuous Sync functionality enabled.

Select either:

Sync on changes only - to skip identity syncing when no data source changes are detected
Always sync - to sync, no matter if changes are detected or not

Safety Limits Option

Safety Limits allows you to select the number of actions that can be allowed to run a policy before Lifecycle Management stops the process. This functionality works like a circuit breaker, where the circuit is tripped when a problem occurs. Typically, a number of identities will be updated during the lifecycle process (joiner, mover, leaver); however, if the number of updates seems extremely high compared to expected, then a problem has occurred, and the Safety Limits option prevents further updates to identities.

To set the number of affected identities in Safety Limits, perform the following:

Enable the Safety Limits button.
In the Maximum Number of affected Identities field, use the arrows to set the number of affected identities to the maximum number of changes.

Lifecycle Management with Workday, Okta, and Active Directory

Guide for implementing automated user lifecycle management across Workday, Okta, and Active Directory

A well-designed identity Lifecycle Management solution automates the provisioning, synchronization of attributes and metadata, and deprovisioning of user accounts across your application and systems ecosystem.

This guide demonstrates how to implement a worker (employees and contractors) Lifecycle Management solution using Workday as the source of identity with downstream user account provisioning and synchronization platforms of Okta and Active Directory (AD). This represents a common enterprise architecture where worker records originate in an HR system and are provisioned to identity and access management systems, while maintaining a seamless, secure, and compliant user lifecycle process.

System Architecture

The following diagram shows the complete identity provisioning and synchronization architecture from Workday, a human capital management platform, to Okta and Active Directory, which are identity management systems:

The "Joiner Mover Leaver" (JML) process is a framework for managing users' employment lifecycle access within an organization. Provisioning access begins with onboarding new employees (Joiners), then managing internal transitions (Movers), and finally offboarding departing employees (Leavers).

Lifecycle Management is based on the JML paradigm, where Workday is the authoritative source of identity, which is monitored for the status of the worker based on attributes in their record to determine whether the user is a joiner, mover, or leaver.

JML Process Flow

The joiner, mover, leaver (JML) process flows through the systems as follows:

Prerequisites

Before starting this implementation, ensure you have:

Configured Workday for Lifecycle Management
Configured Okta for Lifecycle Management
Configured Active Directory for Lifecycle Management
Completed at least one successful extraction for each integration
Note: An extraction is the metadata ingestion process that pulls identity and permission data from target systems into Veza, enabling it to act across access policies, governance, and provisioning workflows.
Administrative access to Veza to create Lifecycle Management policies

Implementation Steps

Step 1: Define Access Profiles

First, create Access Profiles that define which application entitlements a group of users will be assigned:

Go to Lifecycle Management > Access Profiles
Click Create Access Profile
Configure a profile for each department or role:

Example: Engineering Department Profile

Name: Engineering Department Access
Profile Type: Application Entitlements 
Description: Standard access for Engineering department employees
Label: Developers

Entitlements:
- Active Directory Group: Engineering
- Okta Group: Engineering

Example: Marketing Department Profile

Name: Marketing Department Access
Profile Type: Application Entitlements
Description: Standard access for Marketing department employees

Entitlements:
- Active Directory Group: Marketing
- Okta Group: Marketing

Create additional profiles as needed based on your organizational structure.

Step 2: Create a Lifecycle Management Policy associated with Workday

Next, create a Lifecycle Management policy using Workday as the source of identity:

Navigate to Lifecycle Management > Policies
Click Create Policy
Configure the policy:
- Name: Workday Employee Lifecycle
- Source of Identity: Workday
- Data Source: Your Workday integration
- Entity Type: Workday Worker
Click Create Policy to save the basic configuration

Step 3: Configure Joiner Workflow

Now add a workflow for new employee onboarding:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:
- Workflow Name: Active Employee
- Condition: is_active eq true AND hire_date eq "2025-08-04T00:00:00" This condition is triggered when, in Workday, the employee is active and a defined hiring date is "2025-08-04T00:00:00". Therefore, any active employee hired on or after the specified date is considered a joiner.
- Continuous Sync: Enabled Continuous Sync is enabled, allowing updates to a user's source attributes—such as email, department, manager, or role—to be automatically synchronized to the target application on an ongoing basis after the user is provisioned.
Add actions to the workflow as detailed in the Configuration Reference section.

Step 4: Configure Mover Workflow

Add a workflow for handling employee role changes:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:
- Workflow Name: Mover Workflow - Regional Sales Manager
- Condition: is_active eq true AND first_name eq “Sarah” AND last_name eq “Johnson” AND position eq “Regional Sales Manager”
- Continuous Sync: Enabled
Add actions similar to the Joiner workflow, but ensure Remove Existing Relationships is enabled in the Manage Relationships actions to update group memberships when departments change When a user’s role changes (mover), you often need to revoke existing entitlements—like group memberships, role assignments, and permission set grants—not just avoid adding new ones. Enabling Remove Existing Relationships ensures that previously granted relationships are actively removed to prevent privilege creep or orphaned access.

Step 5: Configure Leaver Workflow

Finally, add a workflow for employee termination:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:
- Workflow Name: Employee Termination
- Condition: is_active eq false OR termination_date eq "2025-08-08T00:00:00" This condition is triggered when the employee is no longer active and a defined termination date is "2025-08-08T00:00:00". Therefore, any non-active employee terminated on or after the specified date is considered a leaver.
Add deprovisioning actions, such as Deprovision Okta Identities and Deprovision AD Identities

Step 6: Enable and Test the Policy

After configuring your workflows for joiners, movers, and leavers, you can test your policy using Simulated Dry Runs to check the expected actions when executed.

Another approach to test your policy is to create draft versions. You can make changes to your policy as an iterative draft until you are satisfied with the results. You can then publish the final version and enable it.

As a final verification, make modifications to the Workday application to test your policy's expected performance. Ensure that the downstream applications, Okta and Active Directory, are correct with the modifications.

Test using Simulation Dry Run

Select Workday Employee Lifecycle policy.
Click the overflow menu (three dots icon) at the top of the page.
Select Perform Dry Run.
In the Identity field, select an employee name from the dropdown menu.
The Dry Run takes seconds to execute. Click Show results.
Ensure that Okta and Active Directory contain the correct identity information for the employee.

Test using Draft Versioning

Select Workday Employee Lifecycle policy.
Click Create Draft.
Select Edit Workflow.
Modify any workflow in your policy.
Click Save Workflow. The workflow is now a draft version.
Continue to iterate on changes to the workflow until it is ready.
Click Publish when the policy performs satisfactorily.
Click Settings at the top of the page.
Click Policy Settings.
Enable the Enable Policy Draft Mode radio button.
In the Policy page, select your policy and click Actions.
In the Actions menu, select Start.

Make changes to the Workday application to test your policy

In your Workday application, update the source of identity to test your policy. The following is a list of suggested changes:

Change the employee’s employee type (ie, from regular to contractor)
Verify account creation in Okta and Active Directory
Change the employee's department and verify group membership updates
Terminate the employee and verify account deprovisioning

Identity Synchronization Configuration Reference

Identity Synchronization is implemented during Lifecycle Management provisioning workflows. It is used to prevent provisioning errors due to duplication of username and/or email address. It supports robust identity sync across downstream applications (Okta and Active Directory) with different naming constraints or enforces unique identifiers.

Use Identity Synchronization if your target system already has an identity with a given attribute (e.g., a username or email is already in use).

Enable Identity Synchronization

In the Policy page, select your policy, Workday Employee Lifecycle policy.
Select Policy Settings.
Scroll down to Advanced Settings.
Under Identity Syncing, enable Sync on changes only or Always sync.

Sync Okta Identities

Synchronizes employee records to Okta user accounts, creating and updating user profiles with mapped worker attributes from Workday.

Configuration:

Description: Synchronizes identities to Okta
Target: OktaUser
Create Allowed: Yes
Continuous Sync: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

{username}@sigmacorpx.com

Yes

first_name

{first_name}

Yes

last_name

{last_name}

Yes

country_code

{work_location}

Yes

{username}@sigmacorpx.com

Common transformer

Conditional Actions

All Employees

Assigns "All Okta Employee Access" profile
Does not remove existing relationships

US Developers

Condition: wd_location eq "US" and department eq "developer"
Assigns developer-specific access profiles
Does not remove existing relationships

Sync Active Directory Identities

Creates and updates on-premises Active Directory accounts with location-specific group assignments and standardized naming conventions for different employee categories.

Configuration:

Description: Synchronizes identities to Active Directory
Target: ActiveDirectoryUser
Create Allowed: Yes
Continuous Sync: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

distinguished_name

CN={first_name} {last_name},OU=Minnetonka,OU=US,OU=Evergreen Staff,DC=evergreentrucks,DC=local

Yes

See for more information on distinguished_name.

user_principal_name

{username}@evergreentrucks.com

Yes

{username}@evergreentrucks.com

Yes

display_name

{display_full_name}

Yes

given_name

{first_name}

Yes

sur_name

{last_name}

Yes

country_code

{work_location}

Yes

job_title

{job_title}

Yes

primary_group_dn

CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local

Yes

account_name

{display_full_name}

Common transformer

Conditional Actions

US Location

Condition: work_location eq "US"
Assigns US Groups
Removes existing relationships

Executive Group

Condition: employee_group eq "Executive"
Assigns the Executive Employee group
Removes existing relationships

China Location

Condition: work_location eq "China"
Assigns China Groups
Removes existing relationships

Deprovisioning Configuration Reference

Defines the procedures for safely removing access when employees leave the organization, including specific handling for each identity provider.

Deprovision Okta Identities

Handles employee offboarding in Okta by disabling accounts while preserving access history and configurations.

Configuration:

Description: Disables identities in Okta
Target: OktaUser
Remove Relationships: No
Deprovisioning Method: Disabled
Logout User: No
Remove Personal Devices: No

Deprovision Active Directory Identities

Controls the offboarding process for on-premises Active Directory, including moving accounts to a terminated user's organizational unit.

Configuration:

Description: Disables identities in Active Directory
Target: ActiveDirectoryUser
Remove Relationships: No
Deprovisioning Method: Disabled

Attribute Transformations

Destination Attribute

Value

Continuous Sync

distinguished_name

CN={first_name} {last_name},OU=Evergreen Termination,OU=Evergreen Staff,DC=evergreentrucks,DC=local

primary_group_dn

CN=Terminated Users,OU=Evergreen Groups,DC=evergreentrucks,DC=local

Expanded Joiner/Mover/Leaver Scenarios

Below are more detailed examples of joiner, mover, and leaver scenarios that you can implement using Veza's Lifecycle Management.

Joiner Scenarios

Example 1: Full-Time Employee Onboarding

Trigger: New employee record created in Workday with status="Active" and worker_type="Full_Time"
Actions:
1. Create Okta user with attributes from Workday transformer
2. Assign to department-specific groups in Okta
3. Create AD user with attributes from Workday transformer
4. Add to appropriate security groups in AD based on job role
5. Send welcome email with account information

Example 2: Contractor Onboarding

Trigger: New worker record created in Workday with status="Active" and worker_type="Contractor"
Actions:
1. Create Okta user with limited attribute set and "Contractor-" prefix in username
2. Assign to contractor-specific groups in Okta
3. Create time-limited AD account with expiration date set to contract end date
4. Add to contractor security groups with restricted access
5. Send welcome email with temporary password and access instructions

Mover Scenarios

Example 1: Department Change

Trigger: Employee department changed in Workday
Actions:
1. Update department attribute in Okta and AD
2. Remove previous department group memberships in both systems
3. Add new department group memberships in both systems
4. Update OU placement in AD
5. Send notification to new manager

Example 2: Promotion to Manager

Trigger: Employee job level changed to include management flag
Actions:
1. Update job title in all systems
2. Add to manager-specific groups in Okta and AD
3. Add to approval workflows in relevant systems
4. Send manager training notification

Leaver Scenarios

Example 1: Standard Termination

Trigger: Employee status changed to "Terminated" in Workday
Actions:
1. Disable user in Okta and AD (do not delete)
2. Remove all group memberships
3. Revoke all application access
4. Move AD account to "Terminated Users" OU
5. Generate access termination report for compliance

Example 2: Involuntary Termination (Security Risk)

Trigger: Employee terminated with reason="Security Risk"
Actions:
1. Immediately disable all accounts (high priority)
2. Force logout from all active sessions
3. Reset all passwords
4. Remove all access rights and group memberships
5. Generate security incident report

Advanced Attribute Transformer Examples

Workday to Okta Transformer (Enhanced)

# Okta User Attributes
login: {worker_id}@company.com
email: {work_email | DEFAULT, "{worker_id}@company.com"}
first_name: {first_name}
last_name: {last_name}
display_name: {first_name} {last_name}
department: {department_name}
title: {job_title}
manager_id: {manager_worker_id}@company.com
# Handle different user types
user_type: {worker_type | LOWERCASE | REPLACE, "full_time", "Employee" | REPLACE, "contractor", "Contractor" | DEFAULT, "Employee"}
employee_id: {employee_id}
# Custom attributes
customField1: {location_code}
customField2: {hire_date | DATE_FORMAT, "yyyy-MM-dd"}
customField3: {termination_date | DATE_FORMAT, "yyyy-MM-dd" | DEFAULT, ""}

Workday to Active Directory Transformer (Enhanced)

# AD User Attributes
account_name: {worker_id}
# Build distinguished name based on employment type and department
distinguished_name: {worker_type | EQUALS, "contractor" | IF_TRUE, "CN={first_name} {last_name},OU=Contractors,OU={department_name},DC=company,DC=local" | IF_FALSE, "CN={first_name} {last_name},OU=Employees,OU={department_name},DC=company,DC=local"}
user_principal_name: {worker_id}@company.local
email: {work_email | DEFAULT, "{worker_id}@company.com"}
display_name: {first_name} {last_name}
given_name: {first_name}
sur_name: {last_name}
department: {department_name}
job_title: {job_title}
description: {job_title} - {department_name}
company: Company Inc.
# Set account expiration for contractors
account_expires: {worker_type | EQUALS, "contractor" | IF_TRUE, {contract_end_date} | IF_FALSE, ""}
# Custom attributes
extension_attribute_1: {cost_center}
extension_attribute_2: {business_unit}
extension_attribute_3: {hire_date | DATE_FORMAT, "yyyy-MM-dd"}
extension_attribute_4: {employee_id}

Advanced Configuration

Using Attribute Overrides

To handle edge cases where standard attribute formatting is not effective, use Identity Override Attributes to define special exceptions. For example:

Contractors vs. Employees: Use different username formats based on employment type
Username Conflicts: Configure fallback formatters for handling duplicate usernames
Location-Specific Naming: Apply different naming conventions based on location or region

Email Write-Back to Workday

Ensure your email addresses remain consistent by configuring email write-back to Workday:

In your Joiner workflow, after the Sync Identities actions, add:
- Add Action > Create Email
- Configure for your email system
Then add:
- Add Action > Write Back Email
- Integration: Your Workday integration
- Entity Type: Workday Worker

This ensures the email created in your systems is written back to Workday as the source of truth.

Conditional Logic Best Practices

When implementing conditional actions, consider these patterns for robust lifecycle management:

Location-Based Conditions

# US-based employees
work_location eq "US"

# International employees requiring different treatment
work_location eq "China" OR work_location eq "EMEA"

# Remote workers
work_location eq "Remote" OR office_location contains "Remote"

Role-Based Conditions

# Technical roles requiring elevated access
department eq "Engineering" OR department eq "DevOps" OR job_title contains "Developer"

# Management roles
job_level eq "Manager" OR job_level eq "Director" OR job_level eq "VP"

# Sensitive roles requiring additional security
department eq "Finance" OR department eq "Legal" OR department eq "HR"

Employment Type Conditions

# Full-time employees
worker_type eq "Full_Time" AND status eq "Active"

# Contractors with time-limited access
worker_type eq "Contractor" AND contract_end_date is not null

# Temporary workers
worker_type eq "Temporary" OR employment_status eq "Temp"

Monitoring and Troubleshooting

Activity Log Monitoring

Monitor your lifecycle management workflows using the Activity Log:

Navigate to Lifecycle Management > Activity Log
Filter by policy name to see all actions for your Workday policy
Look for failed actions and investigate error messages
Use the activity details to verify that transformations are working correctly

Common Issues and Solutions

Username Conflicts

If usernames are already taken in target systems:

Configure Fallback Formatters to handle conflicts
Use employee ID or other unique identifiers as backup username formats

Missing Attributes

If required attributes are missing from Workday:

Use DEFAULT transformers to provide fallback values
Configure conditional logic to handle missing data gracefully

Group Assignment Failures

If group assignments fail:

Verify that referenced groups exist in target systems
Check that service accounts have sufficient permissions
Use conditional logic to assign groups only when they exist

Attribute Sync and Transformers

Configure how user attributes from a source of identity are transformed and synchronized for target user accounts

When creating workflows in Lifecycle Management policies to create, sync, or deprovision identities, you will use attribute transformers to specify how user attributes for target accounts should be structured. The target attributes to create or update are typically mapped and optionally transformed from user metadata from the source of identity, such as an identity provider, HR system, or CSV upload. Attributes can be synchronized once or kept in continuous sync as changes occur over the user’s employment lifecycle.

For example, attribute mapping and transformation can be used across Joiner, Mover, and Leaver scenarios:

Joiner: Set new Azure AD User Principal Name to {source username}@your-email-domain.com. This is an example of mapping multiple attributes and performing a transformation. More specifically, you use the attribute transformer to generate an email address for new joiners. Use the source username (user_principal_name) from the source of identity (Azure AD UPN) for the first part (user attribute), while your-email-domain.com is used for the last part (target attribute).
Mover: Always update a user’s “Manager” and “Department” attributes in Okta to match the user’s manager and department in Workday, a source of identity, whenever a department change or other employee mobility event occurs. This is an example of attribute mapping with continuous synchronization.
Leaver: Move a user’s Active Directory account to an Organizational Unit (OU) reserved for terminated accounts.

When synchronizing a user’s attributes, Veza may apply many transformations to convert the source attribute values into a more suitable format intended for the target application as a user account attribute.

For example, a transformer might remove the domain from an email address, replace special characters, or convert a string with uppercase letters to lowercase letters.

See the following sections for more information about formatting destination attributes and possible transformations:

Continuous Sync

Continuous Sync ensures that identity attributes in target systems remain up-to-date with the corresponding attributes residing at the source of truth. It has three configuration levels that work together to determine how attributes are synchronized:

Workflow Level

The workflow's continuous sync setting controls change detection:

When enabled: The workflow monitors for any changes in the source system
When disabled: The workflow only runs during initial provisioning

Action Level

For Sync Identity actions, this controls whether existing entities can be updated:

When enabled: The action can update existing entities
When disabled: The action only sets attributes during initial creation

Attribute Level

Individual attributes can be configured for continuous sync:

When enabled: The attribute will be updated when changes are detected
When disabled: The attribute is only set during initial creation

You may not want to enable continuous sync at the Attribute level when there is a change in the user principal name, such as a change in marital status or legal name correction.

All three levels must be enabled for an attribute to be continuously synchronized. For example, if you want to keep an employee's department updated:

Enable continuous sync on the workflow to monitor for changes
Enable continuous sync on the sync action to allow updates
Enable continuous sync on the department attribute transformer

Recommended Settings

Enable continuous sync for attributes that change during employment:

First Name Surname
Department
Title
Manager
Cost Center
AD Distinguished Name (DN)
AD User Principal Name (UPN)
AD Email

Disable continuous sync for stable identifiers:

Active Directory sAMAccountName
Email Addresses (for Email Write-Back action)

This configuration ensures that dynamic attributes stay updated while preserving stable identifiers.

Adding transformers

Common transformers define one or more rules to apply when synchronizing the attributes of a target identity. Use them at the Policy level where you want to create or update attributes using the same conventions across multiple sync or deprovision actions. When you need to configure a one-time individual action in a workflow, such as a specific attribute, then you use the transformer at the Action level.

At the Policy level, you configure a transformer with basic details, including how to source the value of each attribute:

Assign a name and description to the transformer, and specify the data source to which it applies.
Entity Type: Choose the target entity type in the destination system.
Click Add Attribute. The Destination Attribute dropdown will list available attributes for the chosen entity type.
- Destination Attribute: Choose the attribute that Veza will create or update for the target entity.
- Formatter: Choose how the destination attribute should be formatted. Specify the value, a {source\_attribute}, or apply Transformation Functions.
- Pipeline Functions: Combines a series of attribute formatters with the pipe ( | ) character that runs the value of an attribute in sequential order, where the output of one formatter becomes the input of the following formatter, thus the name, pipeline.
See Pipeline Functions for more examples.
- Continuous Sync: Enabling this option ensures that the attribute is always synced, while applying any defined transformations. By default, attributes will not be synced if the target identity already exists.

After creating a common transformer, you can select it when editing a workflow action. You can edit or delete common transformers on the Edit Policy > Common Transformers tab. Remember that “Sync Identity” and “De-Provision Identity” actions can have action-level transformers override common transformers. If the same destination attribute is defined in both, the action-level transformer will take precedence.

Formatters

Formatters specify the actual value of the attribute to synchronize. The target attribute can be set to a specific value, synchronized with a source attribute, transformed using a function, or a combination of these.

Some formatters should enable continuous synchronization for the attribute, while others should not. For example, the value of "Created By" should be immutable once a user account is provisioned. Other attributes that represent a state or status should be synchronized throughout the user's or account's lifecycle.

Simple Value Setting

To create a destination attribute with a fixed value, enter the desired value when configuring the formatter. For setting the creator attribute:

Destination Attribute

Formatter

Continuous Sync

created_by

“Veza”

Disabled

For activating a re-hired employee:

Destination Attribute

Formatter

Continuous Sync

isActive

true

Enabled

Empty Values

To set empty values (common for de-provisioning flows):

Destination Attribute

Formatter

Continuous Sync

manager_id

" "

Enabled

isActive

false

Enabled

Source of Identity Formatters

Target attributes can be updated based on attributes belonging to the source of identity. To reference the value of a source entity attribute, use the format {\<source\_attribute\_name>}. Examples:

Destination Attribute

Formatter Example

Continuous Sync

first_name

{first\_name}

Enabled

last_name

{last\_name}

Enabled

{first_name}.{last_name}@domain.com {first_name}_{last_name}@domain.com {last_name}@domain.com {firstname_initial}{last_name}@domain.com {firstname_initial}-{last_name}@domain.com {firstname_initial}{middlename_initial}{last_name}@domain.com {firstname_initial}-{last_name} {last_name}-{firstname_initial}@domain.com

Transformation functions

Based on the user metadata available from your source of identity (SOI), you may need to convert a full email address to a valid username, standardize a date, or generate a unique identifier for users provisioned by Veza. Suppose an attribute value needs to be altered for compatibility with the target system. In that case, you can transform the value of a source attribute or apply a range of other functions to generate the target value.

Formatter expressions use the following syntax: {\<source\_attribute\_name> | \<FUNCTION\_NAME>,\<param1>,\<param2>} For example:

Destination Attribute

Formatter

Description

Example

username

`{email | REMOVE_DOMAIN}`

Removes the domain from the email to create username

"jsmith" is the output derived from [email protected]

user_id

`f{id | UPPER}`

Converts ID to uppercase

JSMITH" is the output derived from the userid, "jsmith"

Table of transformation functions

Refer to the Transformer Reference page for a comprehensive list of all supported functions and parameters. Contact Veza if you require additional transformations for your use case. Some commonly used transformation functions include:

Replacing a character with a different one
Removing domains from email addresses
Transforming to upper, lower, camel, or snake case
Using a substring from the original value
Generating random values (e.g., RANDOM_INTEGER for numeric ranges)

Using the ASCII Transformer

The ASCII transformer is particularly useful when working with localized user data and legacy systems that have strict character set limitations (such as Active Directory sAMAccountName restrictions). This transformer performs two primary operations:

Removes all non-printable ASCII characters (including control codes, zero-width spaces, tabs, and newlines)
Converts non-ASCII characters to their closest ASCII equivalents

Whereas the REMOVE_DIACRITICS transformer only removes accent marks while preserving the basic character, the ASCII transformer performs a more comprehensive conversion, replacing characters like “Ł” with “L” and handling a wider range of non-ASCII characters, including the following:

Accented Letters: Letters with diacritics like é, à, ö, ñ, ç, etc., commonly used in languages like French, Spanish, German, and Portuguese. Non-Latin Alphabets: Characters from various alphabets such as Cyrillic (e.g., ж, б), Greek (e.g., α, β), Arabic (e.g., ح, ص), Hebrew, and Chinese (e.g., 汉, 字). Mathematical and Technical Symbols: Symbols like infinity (∞), integral (∫), summation (∑), Ohm (Ω), degree (°). Currency Symbols: Symbols like €, £, ¥. Emoji: Various emoticons like 😊, 😞, etc. Other Symbols: Symbols like ©, ®, ™, etc.

DATE_FORMAT Transformer using Date Strings

The DATE_FORMAT transformer formats date strings using Go time package layout syntax. This transformer helps convert between different date formats, such as transforming dates for LDAP integration or standardizing date formats across systems.

Go Time Layout Syntax

Go time layouts use a specific reference time: Monday, January 2, 15:04:05 MST 2006, which is Unix time 1136239445. All layout strings must use the exact digits and format from this reference time. For more information about Go time layouts, refer to the official Go time package documentation. Date Components:

2006 = 4-digit year
06 = 2-digit year
01 = 2-digit month (01-12)
1 = 1-digit month (1-12)
Jan = 3-letter month abbreviation
January = full month name
02 = 2-digit day (01-31)
2 = 1-digit day (1-31)
_2 = space-padded day
DateTime = “2006-01-02 15:04:05”
DateOnly = “2006-01-02”

Time Components:

15 = 24-hour format hour (00-23)
03 = 12-hour format hour (01-12)
3 = 12-hour format hour without leading zero (1-12)
04 = minute (00-59)
4 = minute without leading zero (0-59)
05 = second (00-59)
5 = second without leading zero (0-59)
PM = AM/PM indicator
pm = am/pm indicator (lowercase)
TimeOnly = “15:04:05”

Weekday Components:

Mon = 3-letter weekday abbreviation
Monday = full weekday name

Time Zone Components:

MST = time zone abbreviation
Z0700 = RFC3339 time zone format
Z07:00 = RFC3339 time zone format with colon

RFC Components:

RFC822 = “02 Jan 06 15:04 MST”
RFC822Z = “02 Jan 06 15:04 -0700” // RFC822 with numeric zone
RFC850 = “Monday, 02-Jan-06 15:04:05 MST”
RFC1123 = “Mon, 02 Jan 2006 15:04:05 MST”
RFC1123Z = “Mon, 02 Jan 2006 15:04:05 -0700” // RFC1123 with numeric zone
RFC3339 = “2006-01-02T15:04:05Z07:00”
RFC3339Nano = “2006-01-02T15:04:05.999999999Z07:00”

Other Constant Components:

Layout = “01/02 03:04:05PM '06 -0700” // The reference time, in numerical order.
ANSIC = “Mon Jan _2 15:04:05 2006”
UnixDate = “Mon Jan _2 15:04:05 MST 2006”
RubyDate = “Mon Jan 02 15:04:05 -0700 2006”
Kitchen = “3:04PM” // Handy time stamps.
Stamp = “Jan _2 15:04:05”
StampMilli = “Jan _2 15:04:05.000”
StampMicro = “Jan _2 15:04:05.000000”
StampNano = “Jan _2 15:04:05.000000000”

Common Layout Examples

Layout String

Format

Example Output

01/02/2006

MM/DD/YYYY

03/15/2023

2006-01-02

YYYY-MM-DD

2023-03-15

02-Jan-2006

DD-MMM-YYYY

15-Mar-2023

Jan 2, 2006

MMM D, YYYY

Mar 15, 2023

Monday, January 2, 2006

Full date

Wednesday, March 15, 2023

2006-01-02 15:04:05

Full timestamp

2023-03-15 14:30:25

03:04:05 PM

12-hour time

02:30:25 PM

15:04

24-hour time

14:30

20060102150405Z

LDAP Z time format

20230315143025Z

Usage Examples

Basic Date Formatting:

`{start_date | DATE_FORMAT, "01/02/2006"}`

Formats any recognized date input into MM/DD/YYYY format.

Converting Between Specific Formats:

`{hire_date | DATE_FORMAT, "2006-01-02", "01/02/2006"}`

Parses input in MM/DD/YYYY format and outputs in YYYY-MM-DD format.

LDAP Integration Example: The DATE_FORMAT transformer was specifically enhanced to support LDAP Z and Win32 time format requirements.

The Z time format (20060102150405Z) is commonly used in LDAP directories and represents timestamps in UTC with a ‘Z’ suffix indicating zero UTC offset.

`{timestamp | DATE_FORMAT, "20060102150405Z"}`

Converts a date to LDAP Z time format for directory integration. Example for LDAP account expiration:

`{account_expires | DATE_FORMAT, "20060102150405Z"}`

Human-Readable Format:

`{event_date | DATE_FORMAT, "Monday, January 2, 2006"}`

Outputs a full, human-readable date format. Time Zone Handling:

{utc_time | DATE_FORMAT, "2006-01-02 15:04:05 MST"}

Includes time zone information in the output.

Additionally, the DATE_FORMAT transformer supports LDAP time format requirements using the format Win32 in LDAP directories:

{timestamp | DATE_FORMAT, "Win32"}

Converts a date to LDAP time format for directory integration.

Notes on DATE_FORMAT Transformers

Input Format: When the second parameter (input layout) is omitted, the transformer attempts to parse the input using common date formats automatically
Case Sensitivity: Layout components are case-sensitive (e.g., PM vs pm)
Leading Zeros: Use 01, 02, etc. for zero-padded values, and 1, 2, etc. for non-padded values
Reference Time: All layouts must use the exact reference time digits: Mon Jan 2 15:04:05 MST 2006

DATE_FORMAT Transformer using Time String (Generalized-Time)

The DATE_FORMAT transformer is used for formatting time using a time string to store time values in Generalized-Time format, which is required for Active Directory and other Microsoft-based target applications.

The Generalized-Time syntax is “YYYYMMDDHHMMSS.0Z”. Time String Format Example:

{date | DATE_FORMAT, "20010928060000.0Z"}

The “Z” indicates no time differential. Active Directory stores date/time as Greenwich Mean Time (GMT). If no time differential is specified, GMT is the default.

If the time is specified in a time zone other than GMT, the differential between the time zone and GMT is appended to the string instead of “Z” in the form “YYYYMMDDHHMMSS.0[+/-]HHMM”. Time Zone Format Example:

{date | DATE_FORMAT, "20010928060000.0+0200"}

The differential is based on the formula: GMT = Local + Differential.

String Manipulation Transformers

These transformers enable the cleaning, formatting, and standardization of string data from your source systems.

REMOVE_CHARS

The REMOVE_CHARS transformer removes all instances of specified characters from a string. This is useful for cleaning up data by removing unwanted punctuation, special characters, or formatting elements. Use Cases:

User ID creation: {email | REMOVE_CHARS, “-”}
- If email is "[email protected]", the result is “johndoe@examplecom”
Phone number formatting: {phone_number | REMOVE_CHARS, "()- "}
- If phone_number is “(123) 456-7890”, the result is “1234567890”
Cleaning account names: {account_name | REMOVE_CHARS, “!@#$%”}
- Removes special characters that might cause issues in target systems

REMOVE_WHITESPACE

The REMOVE_WHITESPACE transformer removes all whitespace characters (spaces, tabs, newlines) from a string. It can help create compact identifiers or ensure data consistency. Use Cases:

Username generation: {display_name | REMOVE_WHITESPACE}
- If display_name is “John A. Doe”, the result is “JohnA.Doe”
Tag creation: {department | REMOVE_WHITESPACE | LOWER}
- If the department is “Human Resources”, the result is “humanresources”
Creating system identifiers: {cost_center | REMOVE_WHITESPACE}
- Ensures cost center codes have no embedded spaces

TRIM, TRIM_CHARS, TRIM_CHARS_LEFT, and TRIM_CHARS_RIGHT

These transformers help clean up strings by removing unwanted characters from the beginning and/or end of strings. This is essential for data hygiene and ensuring consistent formatting. TRIM: Removes leading and trailing whitespace

Basic cleanup: {display_name | TRIM}
- If display_name is " John Doe ", the result is “John Doe”

TRIM_CHARS: Removes specified characters from both ends

Cleaning employee IDs: {employee_id | TRIM_CHARS, “0.”}
- If employee_id is “000.123.000”, the result is “123”
Removing padding characters: {code | TRIM_CHARS, “-_”}
- If code is “—ABC123___”, the result is “ABC123”

TRIM_CHARS_LEFT: Removes specified characters from the beginning only

Removing leading zeros: {cost_center | TRIM_CHARS_LEFT, “0”}
- If cost_center is “00012345”, the result is “12345”
Cleaning prefixes: {identifier | TRIM_CHARS_LEFT, “x”}
- If identifier is “xxxABC123”, the result is “ABC123”

TRIM_CHARS_RIGHT: Removes specified characters from the end only

Removing trailing characters: {office_code | TRIM_CHARS_RIGHT, “0”}
- If office_code is “ABC12300”, the result is “ABC123”
Cleaning suffixes: {code | TRIM_CHARS_RIGHT, “temp”}
- If code is “ABC123temp”, the result is “ABC123”

Advanced Conditional Logic with NEXT_NUMBER

The NEXT_NUMBER transformer can be combined with IF/ELSE conditional logic to create intelligent username generation with automatic fallback strategies. This is particularly useful for handling length constraints and ensuring unique usernames in Lifecycle Management attribute transformers.

Only one NEXT_NUMBER transformer can be used per transformation expression
The first alternative uses an empty string (""), followed by numbered alternatives (“2”, “3”, etc.)
Alternative values are automatically generated to ensure username uniqueness

Username Generation with Length-Based Fallbacks

This example creates usernames that adapt based on length constraints, using the sys_attr__would_be_value_len system attribute to evaluate the length of the generated value:

IF sys_attr__would_be_value_len le 20
  {first_name | LOWER}.{last_name | LOWER | NEXT_NUMBER, 2, 3}
ELSE IF sys_attr__would_be_value_len le 30
  {first_name | LOWER}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}
ELSE
  {first_name | LOWER | FIRST_N, 1}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}

Example outputs: For a user named “John Whitaker” (short enough for the first condition):

Base value: john.whitaker
Alternatives: john.whitaker2, john.whitaker3, john.whitaker4

For a user named “Leonevenkataramanathan Foster” (requires truncation to meet length limits):

Base value: l.f
Alternatives: l.f2, l.f3, l.f4

This approach ensures that username generation adapts to different name lengths while maintaining consistency and uniqueness across your identity management system.

Pipeline Functions {#pipeline-functions}

You can pipeline multiple transformation functions together, separated by a vertical bar (|). Each will apply in sequence, allowing for complex attribute formatters that use the output of one function as the input of another.

Example Pipeline Functions

{name | UPPER}
- If name = Smith, the result is SMITH.
{first\_name | SUB\_STRING,0,1 | LOWER}.{last\_name | LOWER}
- If first_name = John and last_name = Smith, the result is j.smith.
{email | REMOVE\_DOMAIN}
- If email = [email protected], the result is john.smith.
{email | REPLACE\_ALL, " ", "."}
- If email = john [email protected], the result is [email protected].
{location | LOOKUP locationTable, location\_code, city}
- If location = IL001, the result is Chicago (using a lookup table named locationTable).
{start\_date | DATE\_FORMAT, "01/02/2006" | UPPER}
- If start_date = 2023-03-15, the result is 03/15/2023 (DATE_FORMAT doesn't typically need UPPER, but shows pipeline capability).
{hire\_date | DATE\_FORMAT, "Jan 2, 2006" | REPLACE\_ALL, " ", "\_"}
- If hire_date = 2023-03-15, the result is Mar_15,_2023.
{office\_code | TRIM\_CHARS\_LEFT, ".0" | TRIM\_CHARS\_RIGHT, ".USCA"}
- If office_code = 000.8675309.USCA, the result is 8675309.
{username | REMOVE\_CHARS, ".-\_" | TRIM | UPPER}
- If username = "–john.doe_–", the result is JOHNDOE.
{employee\_id | REMOVE\_CHARS, "#" | TRIM\_CHARS, "0" | LEFT\_PAD, 6, "0"}
- If employee_id = "##001234##", the result is 001234.
{department | REMOVE\_WHITESPACE | LOWER | REPLACE\_ALL, "&", "and"}
- If department = "Sales & Marketing", the result is salesandmarketing.
TEST{| RANDOM_INTEGER, 1000, 9999}
- Generates test IDs like TEST4827, TEST8391 (see RANDOM_INTEGER for details).

Common Transformers

As part of implementing Lifecycle Management (LCM) processes with Veza, you should create sets of common transformers to define how values such as username, login, or ID are sourced for each LCM Policy. These transformers can then be reused across all identity sync and deprovision policy workflows.

Create common transformers to consistently form attributes for specific entity types, and reuse them to avoid errors and save time when creating actions for that entity type. The order of common transformers matters when multiple transformers set the same destination attribute. Drag-and-drop to reorder common transformers and control precedence.

For example, defining a common synced attribute to describe how to format Azure AD account names {username}@evergreentrucks.com enables reuse across multiple workflow actions. You can also define synced attributes at the action level when they are used only once within a policy, such as setting the primary group DN and OU of de-provisioned identities to a group reserved for terminated accounts.

Common Transformer Examples:

Transformer & Entity Type

Attribute

Value Format

Continuous Sync

Description

ADAccountTransformer ActiveDirectoryUser

account_name

{display_full_name}

Basic account name

distinguished_name

CN={first_name} {last_name},OU={department},OU={location},DC=company,DC=local

Yes

Full AD path

user_principal_name

{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}

SUB_STRING,0,1

LOWER}.{last_name

{first_name}{last_name}@company.com

Yes

Email address

OktaAccountTransformer OktaUser

{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}

SUB_STRING,0,1

LOWER}{last_name

{first_name}{last_name}@company.com

Yes

Email address

username_prefix

{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}

SUB_STRING,0,1

LOWER}{last_name

AzureADTransformer AzureADUser

principal_name

{first_name}{last_name}

Primary identifier

mail_nickname

{first_name | SUB_STRING,0,1 | LOWER}{last_name | LOWER}

SUB_STRING,0,1

LOWER}{last_name

display_name

{first_name} {last_name}

Yes

Display name

GoogleAccountTransformer GoogleWorkspaceUser

{first_name}{last_name}@company.com

Primary email

email_addresses

{username}@company.com

Email list

recovery_email

{personal_email}

Yes

Backup email

ContractorTransformer ActiveDirectoryUser

account_name

c-{username}

Contractor prefix

distinguished_name

CN={first_name} {last_name},OU=Contractors,OU={department},DC=company,DC=local

Yes

Contractor OU

description

Contractor - {vendor_company} - Start Date: {start_date}

Yes

Metadata

RegionalEmailTransformer ExchangeUser

email_address

{username}@{region}.company.com

Regional email

alias

{first_name}.{last_name}@{region}.company.com

Yes

Regional alias

$target Attribute Transformer Function

The $target attribute transformer function is used when a value consists of one or more attributes that require an operation(s), making it too complex to transform, but it needs to be reused.

Important: The $target function can only be used within the same Action.

For example, an email address consists of [email protected]. However, you are required to use the format [email protected]. By using the $target function, you reuse only one attribute, username, while not changing the other two attributes (firstname_lastname).

Example:

Destination Attribute

username

Formatter

`{firstname}{lastname}`

Formatter

`{$target.username}@sample.com`

Custom Attribute Transformer Function

The Custom Attribute Transformer function allows you to define a custom transformer that acts as an alias for applying one or more transformer functions.

For example, you can define a custom function named $CLEAN, which is used as {first_name | $CLEAN}. This function can consist of a series of transformer functions such as | ASCII | LOWER | REMOVE_CHAR |.

To define a custom attribute transformer, use the following guidelines:

Policy Version Definitions

Custom functions must be defined as part of the policy version.
These definitions are structured similarly to hard-coded definitions and are returned in the same format, allowing the Veza UI to handle them without modification.
The API for updating and retrieving a policy version must also support these custom function definitions.

Naming Convention: Custom functions must be in ALL CAPS and prefixed with a $ to avoid conflicts with built-in functions.

Custom Attribute Transformer Limitations

The following custom definitions are not supported:

Transformer functions with included transformer parameters
Nested transformer functions
Transformer functions with parameters

Lifecycle Management FAQ

Frequently asked questions about Veza's Lifecycle Management for automated identity and access governance

This document addresses common questions about Lifecycle Management (LCM) for automated identity and birthright access governance across systems and applications.

Overview

The questions in this document are designed to introduce key concepts and address common questions that often arise during deployments. Please contact your support team with additional questions and feedback. Note that specific functionality may depend on the features and integrations enabled in your environment.

Learning more

Your Lifecycle Management configuration can be straightforward or complex, depending on your organization's needs. To learn more about general implementation patterns, see Lifecycle Management with Workday, Okta, and Active Directory and Implementation and Core Concepts.

Dry Run Testing

Can I test policy changes before making them live?

Yes, you can test policy changes safely using Dry Run simulations before deployment. Testing best practices include:

Draft Version Testing: Creating a draft version of your policy enables dry runs against the contained workflows and trigger conditions.
Policy DRY_RUN State: Setting the entire policy to DRY_RUN state enables simulations during regular processing cycles.
Sample Identity Testing: You can create representative identities to validate behavior across different user types before running workflows in production environments.

Best practices for dry run testing:

Test with identities representing each employee type (contractors, FTEs, managers)
Validate both positive cases (access granted) and negative cases (access denied)
Review the complete dry-run messages to understand workflow logic (via API or GUI)
Document expected vs. actual results before full deployment

Always run tests before changing a policy from DRY_RUN to RUNNING state.

Can Dry Run simulations be performed against an identity, a workflow, or all workflows in a policy?

Dry Runs are performed at the identity level and automatically evaluate against all workflows in the selected policy.

Dry Runs test how workflows within a policy will apply to individuals in your sources of identity. The test includes:

Testing specific users (existing or hypothetical) against configured conditions and actions
Evaluating the identity against every workflow within the LCM Policy version

Starting a Dry Run

You can initiate a dry run in two ways:

From a Lifecycle Management Policy: When editing a policy, open the Dry Run tool to preview changes for any identity:

Go to Lifecycle Management > Policies
Click a Policy to view its details
Click Dry Run Policy at the top right
Choose the identity and policy to test workflows
Select one or more attributes to sync. You can modify attributes to simulate potential changes
Click Show Results
Review the results:
- Check the Workflows Run section to see which workflows were triggered
- Check the Potential Changes section to see all job requests that would be generated (e.g., edits to user attributes, adding/removing access profiles)

From Identity Details: You can start a Dry Run when viewing details for any account on the Identities page:

Go to Lifecycle Management > Identities
Search for an identity and click to view its details.
Expand the Actions menu at the top right and click Policy Dry Run.
Select a policy, customize entity attributes, and click Show Results.

This simulates lifecycle events (new hire, modification, termination) modeled by workflows in the policy. The response includes:

Matched Workflows: Which workflows triggered and why
Planned Actions: What provisioning/deprovisioning would occur
Access Profiles: Which access profiles would be assigned or removed

For API documentation, see Run Dry Run on Identity. The API endpoint is PolicyIdentityDryRun in the lifecycle management service.

What happens during a Dry Run simulation?

During a Dry Run test, LCM simulates the complete policy execution without making actual changes. The Dry Run process includes steps for:

Identity Evaluation: The specified identity is evaluated against all policy conditions
Workflow Matching: Each workflow's trigger conditions are checked
Action Simulation: Actions that would execute are identified, but not performed
Access Profile Assignment: Determines which access profiles would be assigned
Result Generation: Comprehensive report generated with no system changes

Use this option for safe testing without making changes and troubleshooting when certain actions aren't triggering for specific users.

Policy Configuration

What is the "Skip if action has already been run" option, and when should I use it?

The "Skip if action has already been run" option (also called "Run Once") is a safety mechanism that prevents the same action from being executed multiple times for the same identity, even if the workflow triggers again.

When enabled for an action:

LCM tracks whether the action has already been successfully executed for each identity
Before executing, it checks the identity's action history
If already completed successfully, the action is skipped
The rest of the workflow continues normally

Enable "Run Once" for one-time actions that should not be repeated once successful. Common examples include:

Create Email actions to prevent creating duplicate email accounts
Welcome Emails to avoid multiple messages on user creation
Initial Password Setup to ensure a password is generated only once
One-time Provisioning Actions that create resources that shouldn't be duplicated
Notifications to prevent duplicate notifications for the same event

You can disable the “Run Once” option for naturally repeatable actions:

Sync Identity: Typically safe to update attributes multiple times
Manage Relationships: Adding/removing group memberships handles duplicates
Deprovision Identity: Safe to remove access multiple times

For example, when a user changes departments, the desired outcome when triggering a workflow will be:

First run: "Send manager notification" action executes
User's location changes (triggering the same workflow)
Second run: "Send manager notification" is skipped (already ran once)
Other actions like "Update group membership" still execute

The "Run Once" option is ideal for actions that could cause problems if repeated, such as sending notifications or creating unique resources. Each identity's history is tracked separately, and only successful completions prevent re-execution. Failed actions will retry on the next workflow run regardless of any system restarts.

Troubleshooting "Skip if action has already been run" Actions

If an action with "Skip if action has already been run" enabled needs to be re-executed (e.g., after fixing an error):

The action history must be cleared via API
Failed attempts don't count as "run once" - they will retry
Check the identity's action history in the audit log

Workflows within a policy can have different priority levels. Higher priority workflows execute first when multiple workflows trigger for the same identity.

How do I enable a new lifecycle management policy?

Creating a policy involves configuring your source(s) of identity, workflows, and actions to automate lifecycle events:

Create Policy: Go to Lifecycle Management > Policies > Create Policy
Configure Source: Select your HR system or IDP as the data source
Add Workflows: Define triggers for Joiner, Mover, and Leaver scenarios
Configure Actions: Set up provisioning, deprovisioning, and access assignments
Test and Activate:
- Run dry-runs to test the policy configuration
- Click Publish to save the policy (it will be in Initial state)
- Click the Actions menu (⋮) and select Start to activate the policy (Running state)

For detailed step-by-step instructions, see Lifecycle Management Policies

What is the Continuous Sync option, and why should I use it?

Continuous Sync keeps a provisioned user's source attributes automatically updated in target systems after initial provisioning. In an LCM Policy, Continuous Sync is the ongoing synchronization of user attributes (email, department, manager, role, etc.) from identity sources into the target provisioning system, rather than just syncing once at provisioning time.

Use Continuous Sync for the following reasons:

Keeps downstream systems current - If a user's details change (e.g., title, manager assignment), the updated values propagate automatically.
Reduces drift - Avoids stale, inconsistent, or obsolete attribute values that could block access governance or impact compliance.
Supports policy logic - Sync-updated attributes can be used in dynamic policy conditions—e.g., triggering access revocation when department switches.

Configuration Levels

Continuous Sync has three configuration levels that work together to determine how attributes are synchronized:

Workflow Level

The workflow's Continuous Sync setting controls change detection:

When enabled: The workflow monitors for any changes in the source system
When disabled: The workflow only runs during initial provisioning

Action Level

For Sync Identity actions, this controls whether existing entities can be updated:

When enabled: The action can update existing entities
When disabled: The action only sets attributes during initial creation

Attribute Level

Individual attributes can be configured for Continuous Sync:

When enabled: The attribute will be updated when changes are detected
When disabled: The attribute is only set during initial creation

You may not want to enable Continuous Sync at the Attribute level when there is a change in the user principal name, such as a change in marital status or legal name correction.

All three levels must be enabled for an attribute to be continuously synchronized. For example, if you want to keep an employee's department updated:

Enable Continuous Sync on the workflow to monitor for changes
Enable Continuous Sync on the sync action to allow updates
Enable Continuous Sync on the department attribute transformer

Recommended Settings

Enable Continuous Sync for attributes that change during employment:

First Name/Surname
Department
Title
Manager
Cost Center
AD Distinguished Name (DN)
AD User Principal Name (UPN)
AD Email

Disable Continuous Sync for stable identifiers:

Active Directory sAMAccountName
Email Addresses (for Email Write-Back action)

This configuration ensures that dynamic attributes stay updated while preserving stable identifiers.

Why are secondary sources of identity optional if an admin can add multiple primary sources?

Secondary sources of identity are not redundant, despite the availability of multiple primary sources. They serve fundamentally different purposes:

Primary Sources of Identity (SOI):

Must all be of the same entity type (e.g., all Worker entities from Workday).
Create the core identity records that drive lifecycle management workflows.
All primary sources are treated as authoritative for identity creation.
Changes in any primary source trigger lifecycle workflows.

Secondary Sources of Identity:

Can be of different entity types than the primary source (e.g., HRIS Employee records enriching Workday Workers).
Primarily used for enrichment rather than identity creation.
Support two distinct operational modes via the only_enrich_existing flag:
- Enrichment mode (only_enrich_existing = true): Only adds attributes to existing identities created from primary sources.
- Hybrid mode (only_enrich_existing = false): Can create new Policy Identities if they don't exist in primary sources.

Secondary sources of identity provide flexibility in scenarios that require:

Data Enrichment from Non-Identity Sources: Organizations may need data from systems that shouldn't be authoritative for the identity lifecycle. Secondary sources support scenarios where core identities originate from HR (primary), and additional attributes come from departmental systems (secondary). Not all employees may exist in all systems. For instance:

HRIS system (primary) defines who exists in the organization.
A secondary system provides office location or manager metadata.
The secondary system shouldn't create/delete identities but should enrich them.

Cross-System Correlation: Secondary sources create attribute mappings to link records across systems using custom correlation logic. This supports multiple matching strategies:

Exact match on identifier (e.g., employee_id = worker_id)
Email-based correlation
Composite key matching (multiple attributes)
Custom correlation expressions
For example, correlating employee_id from an HRIS system with a worker_id in Workday, or matching users across systems based on email addresses.

Access Profiles

What are Access Profiles, and how do they work with LCM?

Access Profiles are collections of entitlements (including groups, roles, or permissions) that can be automatically assigned to users based on their attributes, like department, role, or location. Access Profiles serve two key functions in Lifecycle Management:

Birthright Access: Automatically assigned through policy workflows during joiner/mover/leaver events
Just-in-Time (JIT) Access: Available for request through Access Requests, with approvals handled by Access Requests and provisioning managed by LCM policy

The Access Profile Type determines its behavior and capabilities. When using the DEFAULT template, Veza provides five out-of-the-box (OOTB) Access Profile Types:

Business Role: Models your organizational structure (e.g., "Sales Team", "Engineering Managers") and inherits access from other profiles without direct entitlements
Entitlement: Manages single entitlements within a specific datasource (e.g., a specific AD group or Okta role)
Application: Grants application-level access without specific entitlements (e.g., basic app login rights)
Application Entitlements: Bundles multiple entitlements from a single application (e.g., multiple Salesforce profiles and permission sets)
Multi Application Entitlements: Combines entitlements across multiple applications (e.g., a developer bundle with GitHub, Jira, and AWS access)

Organizations can also create custom Access Profile Types to meet specific requirements or use alternative templates like SAILPOINT (which creates Profile and Business Role types) or HIERARCHICAL (which creates a single flexible type supporting both direct and inherited access).

How Access Profiles Work in Different Scenarios

Birthright Provisioning: Access Profiles are assigned through the Manage Relationships action in policy workflows, automatically granting appropriate access when users join, move within, or leave the organization.

Access Requests (Non-Birthright): Users can request Access Profiles through the Access Request system. While the request and approval process is handled by Access Requests, the actual provisioning and lifecycle of granted access is managed through LCM policy, ensuring consistent governance across all access types.

For configuration and best practices, see Access Profiles and Access Profile Types

Safety and Limits

What safety mechanisms prevent unintended mass changes?

Lifecycle Management supports safety limits to prevent accidental mass changes to identities. Policies can be configured to halt if the changes would impact more than a configured threshold of identities. When enabled, Veza calculates potential impact before processing the policy. If limits are exceeded, processing stops, a warning notification appears, and manual intervention is required.

Safety limits use count-based thresholds (e.g., no more than 100 identities) to control the maximum number of identities that can be affected in a single processing cycle.

For example, if you have 1,000 users in your organization and set a safety limit of 100 identities:

Veza will halt processing if more than 100 users would be affected
You will receive a warning notification, prompting review of the changes
You must then either adjust the policy or explicitly allow processing to continue

Safety limits are critical for production environments. Never proceed in re-enabling a policy without careful consideration. Safety Limits can be overridden with explicit API parameters.

Recovery Options

When a safety limit is triggered:

Review the warning details in the policy event log
Run dry-runs to understand the impact on affected identities
If changes are expected (e.g., bulk onboarding):
- Temporarily increase limits via API
- Process with disregard_change_limit=true parameter
- Reset limits after processing
If changes are unexpected:
- Check source system for data quality issues
- Review recent policy configuration changes
- Validate workflow trigger conditions

Notifications

When should I use policy-level notifications vs action-level notifications?

Lifecycle Management supports notifications at two distinct levels: policy-level (event-based) and action-level (per-action).

The key difference is the amount of context available. Policy-level notifications provide rich entity details suitable for stakeholder communications, while action-level notifications offer only basic action metadata for operational monitoring.

The levels of notifications you configure should be based on who needs to be informed and what information they require.

Feature

Policy-Level

Action-Level

Triggers on

Lifecycle events (CREATE_IDENTITY, ADD_RELATIONSHIP, etc.)

Individual action success or failure

Available data

Entity details (names, emails, attributes)

Action metadata (name, type, status) only

Configuration

Policy Settings > Notifications

Edit Action > Action Notification Settings

Scope

All workflows in the policy

Specific action instance

Best for

User and stakeholder communications

Simple operational confirmations

Policy-Level Notifications

Policy-level notifications trigger when specific lifecycle events occur, such as creating an identity, syncing attributes, or managing access relationships.

Because these notifications are tied to events rather than individual actions, they have access to full entity context including user attributes, relationship details, and outcome information. This makes them ideal for communications where recipients need to understand what changed and for whom.

These notifications support dynamic recipient selection based on user attributes (such as sending to a user's personal email or their manager's email) and include rich placeholder data. Entity information like {{ENTITY_NAME}}, {{LOGIN_NAME}}, and {{EMAIL}} allow you to personalize messages with specific details about the identity being managed. For relationship events, placeholders like {{RELATIONSHIP_ENTITY_NAME}} provide context about access grants or revocations. The full list of available placeholders is documented in Notification Templates.

Common scenarios for policy-level notifications:

When notifying end-users about account provisioning, policy-level notifications can inform users their account is ready and provide their username for first login. For example: "Hello {{ENTITY_NAME}}, your Active Directory account has been created. Your username is {{LOGIN_NAME}}."

For access change communications, these notifications can explain what access was granted or revoked with full context. For instance, you might notify a user: "You have been added to the {{RELATIONSHIP_ENTITY_NAME}} group" when relationships are managed.

IT operations teams benefit from policy-level notifications that aggregate activity across all workflows, providing visibility into identity lifecycle events with complete context for audit and troubleshooting purposes.

See Policy Notifications for configuration instructions.

Action-Level Notifications

Action-level notifications trigger when a specific workflow action completes, whether successfully or with errors. Unlike policy-level notifications, these provide only basic action metadata—the action name, type (such as SYNC_IDENTITIES or MANAGE_RELATIONSHIPS), success/failure status, and an internal job identifier. They do not include any information about the entities being acted upon, making them unsuitable for communications requiring user-specific details.

The primary use case for action-level notifications is operational monitoring where you need simple confirmation that a particular action completed. For example, alerting an operations team that a high-risk provisioning action finished, or confirming a critical workflow step succeeded before proceeding to dependent processes. These notifications work well when different actions in various workflows require different handling, and you need granular control over which specific action executions trigger alerts.

See Send Notification Action for configuration details.

Example: Notifying Users When AD Accounts Are Created

Scenario: As an admin, you want to notify end-users when their Active Directory account is created during onboarding.

Recommended approach: Use policy-level notifications configured for the CREATE_IDENTITY or SYNC_IDENTITY event. Navigate to Policy Settings > Notifications and create a notification with:

Event Type: Sync Identity (or Create Identity)
Status: Successful
Recipients From User's Attributes: Select the user's email field (such as personal_email)
Custom Template: "Hello {{ENTITY_NAME}}, your Active Directory account has been created. Your username is {{LOGIN_NAME}}. Please log in at your earliest convenience."

This configuration ensures users receive personalized notifications with their specific account details immediately upon provisioning.

Understanding Notification Limitations

Password placeholder availability: The {{LOGIN_PASSWORD}} placeholder is only available for CHANGE_PASSWORD and RESET_PASSWORD event types, not for CREATE_IDENTITY or SYNC_IDENTITY events. If you need to communicate passwords during initial account creation, configure a separate Reset Password action in your workflow after the account is created, then notify users via the RESET_PASSWORD event.

Action-level data constraints: Action-level notifications cannot access entity-specific information such as usernames, email addresses, departments, or any user attributes. They only provide action metadata (name, type, success/failure status). For any communication requiring user details or context, use policy-level event notifications instead.

Event types and placeholders: Different event types support different placeholder sets. For example, relationship events include {{RELATIONSHIP_ENTITY_NAME}} while identity creation events include {{LOGIN_NAME}}. Review the complete placeholder reference in Notification Templates when designing your notification templates.

Choosing the Right Level

For user-facing notifications and stakeholder communications where context matters, use policy-level notifications. These provide the entity details and user attributes needed for meaningful, personalized alerts that help users understand what changed and why.

For simple operational confirmations where you only need to know an action completed (without needing details about which user or entity was involved), use action-level notifications. These are appropriate for workflow orchestration or basic monitoring where action metadata suffices.

When in doubt, start with policy-level notifications—they provide more information and flexibility for most common notification scenarios.

Access Request Notifications

Do administrators need to configure notifications for Access Request events?

Yes, administrators must explicitly configure notifications for Access Request events. There are no automatic default notifications; each notification must be set up according to your organization's requirements.

Configurable Event Types

Access Request notifications can be configured for these events:

ACCESS_REQUEST_CREATED - When a new access request is submitted
ACCESS_REQUEST_ACTION_RUN - When actions are executed for the request
ACCESS_REQUEST_SUCCEED - When the request is fully processed successfully
ACCESS_REQUEST_FAILED - When the request encounters errors
ACCESS_REQUEST_STATE_CHANGED - When approval status changes
ACCESS_REQUEST_APPROVER_ASSIGNED - When approvers are assigned to the request

Notification Recipients

For each event type, you can configure notifications to be sent to:

Approvers - Those responsible for approving the request
Creator - The person who submitted the request
Beneficiary - The person who will receive the access
Watchers - Users monitoring the request
Other Emails - Additional specific email addresses

Configuration Options

Email Notifications: Built-in email templates with customizable recipients
Webhook Notifications: Send structured data to external systems
Per-Event Control: Each event type can have different notification settings
Granular Recipients: Choose exactly who receives each type of notification

How to Configure

Access Request notifications are managed through:

API: Use the Access Request settings endpoints to configure notifications
UI: Access Request settings in the LCM configuration section

Without notification configuration, users and approvers won't receive any alerts about access request activities.

Does the notification body support rich text HTML?

Yes, notification templates fully support HTML and CSS. You can use standard HTML markup, inline styles, images, and links in all Lifecycle Management and Access Request notification templates.

Key Capabilities

Standard HTML tags (<html>, <body>, <br>, <div>, <p>, etc.)
CSS styling (inline or embedded)
Images (embedded attachments or external URLs)
Links and formatting
Custom branding and layouts

Template Management

Templates are currently managed via the Notification Templates API
All built-in templates use HTML structure
Support for small image attachments (under 64kb, base64-encoded)
External image linking for high-resolution content

For complete setup instructions, HTML examples, default templates, placeholder reference, and detailed formatting guidance, see Notification Templates for Lifecycle Management

Data Processing and Extraction

When does LCM evaluate identities for CSV/OAA data sources?

LCM processes identities from CSV and OAA-based data sources only when specific events occur, unlike native integrations that can pull data on demand.

Trigger Events for Identity Processing

For CSV and OAA data sources, extraction and identity evaluation occur when:

New Data Push - A new CSV file is uploaded or an OAA payload is pushed
Policy Configuration Changes - Any policy update forces a re-extraction
Manual Extraction - LCM explicitly queues an extraction job

Key Behaviors

No Automatic Refresh: CSV/OAA sources don't automatically fetch new data - they only process what was last pushed
Re-extraction Uses Same Data: If extraction is triggered without a new push, it re-processes the same payload
Policy Updates Trigger Processing: Changes to policy configuration (e.g., UID mapping, workflow conditions) will force re-extraction of existing data

CSV-Specific Details

CSV files are converted to OAA payloads upon upload
The original CSV is not stored; only the OAA transformation is retained
Re-extraction processes the stored OAA payload, not the original CSV

Common scenarios when working with CSV Uploads:

Daily CSV Upload:

New file uploaded → Extraction triggered → Identities processed
Workflows evaluate all identities based on the "Sync on changes only" setting

No New Upload for 7 Days:

No extraction occurs automatically
Existing data is NOT re-evaluated unless:
- Policy is modified
- Manual extraction is triggered

Policy Configuration Modified:

Policy change → Forced extraction of existing data
All identities re-evaluated with a new configuration
Can trigger workflows even without data changes

Important Considerations

Unexpected Re-processing: If workflows unexpectedly re-trigger for all users without a new CSV upload, check if:

Someone modified the policy configuration
UID mapping was changed
Workflow conditions were updated

These changes trigger re-extraction of the datasource and can cause all identities to be re-evaluated.

"Sync on changes only" Setting: When enabled, only identities with changed attributes or newly matching trigger conditions will have workflows executed, even during re-extraction.

CSV Upload and Transformations

Can I transform CSV data during upload for LCM?

Yes, Veza supports data transformations when uploading CSV files for HRIS and application data sources. This allows you to manipulate and format data during the upload process without preprocessing.

Supported Transformations

Transformations can be applied to CSV columns during mapping configuration:

String Operations: Concatenation, splitting, case conversion
Data Formatting: Date formatting, number formatting
Conditional Logic: If/then conditions based on column values
Template Mappings: Create complex attribute values from multiple columns

Use Cases

Combine Multiple Columns: Create full names from first/last name columns
Extract Data: Gather domains from email address values
Format Dates: Convert date formats to match target system requirements
Apply Business Logic: Set department codes based on location values
Generate IDs: Create unique identifiers from existing data

Example Transformations

Concatenate columns:

{{FirstName}} {{LastName}}

Extract email domain:

SPLIT(Email, "@")[1]

Pad employee ID with zeros:

LEFT_PAD({{employee_id}}, "0", 6)

Important notes:

Conditional logic is not supported: CSV transformations do not support IF statements or conditional expressions
CSV headers are automatically converted to lowercase, with underscores (e.g., "First Name" becomes "first_name")
Use {{column_name}} syntax to reference CSV columns in attribute transformations within a Lifecycle Management Policy.

Technical Implementation Note

When you upload a CSV file:

The CSV is immediately converted to OAA (Open Authorization API) format
Only the OAA payload is stored, not the original CSV
Any re-extraction uses this stored OAA payload
This ensures consistent data processing across all extraction cycles

Transformations are applied during the data extraction process and don't modify your original CSV file. The transformed values are what LCM uses for identity processing and provisioning.

CSV transformations have different capabilities than full LCM transformers - they support basic string operations and functions but not conditional logic or complex expressions.

Integrations

For details on configuring LCM integrations, including setup instructions, extraction requirements, and supported capabilities, see Lifecycle Management Integrations overview.

What Source of Identity (SOI) systems are supported?

Veza LCM supports a variety of Source of Identity systems to serve as authoritative sources for user identity information.

Built-in SOI Systems include:

Beeline - Shift-based workforce management system
Coupa CCW - Cloud-based business spend management platform
Custom IDP - Generic identity provider integration for custom authentication systems
Custom HRIS (OAA) - Custom HR systems using Open Authorization API (OAA) templates
HiBob - Modern HR platform for businesses
Ivanti Neurons HR - HR platform for onboarding/offboarding and self-service
Okta - Cloud-based identity and access management service
Oracle HCM - Human Capital Management cloud solution
Workday - Cloud-based human capital management platform

CSV Upload and Open Authorization API templates provide an extensible framework for adding custom identity providers or HRIS platforms.

Custom OAA Integration - Any system can be configured as an SOI through the Open Authorization API
Custom Principal - Support for non-traditional identity sources

For integration setup for each target system, see the LCM Integrations Guide

Which SOI systems support email writeback?

Email writeback capability allows LCM to update the Source of Identity with newly created email addresses during provisioning workflows.

Systems Supporting Email Writeback

Currently, only a limited subset of integrations support email writeback actions:

Oracle HCM
Workday

How Email Writeback Works

LCM creates an email account in the target system (e.g., Exchange, Azure)
The newly created email address is written back to the user's record in the SOI
This ensures the SOI remains the authoritative source with current email information

Email writeback requires write permissions to the Source of Identity system, which may require additional configuration and security considerations. Refer to the specific integration documentation for setup requirements.

For detailed configuration instructions, see the integration-specific documentation in the LCM Integrations.

What target systems are supported natively and via SCIM?

Veza LCM supports provisioning across target systems through native integrations and SCIM protocol compatibility.

Supported Categories

Native Integrations (Full lifecycle support):

Identity Providers: Okta, Azure AD, Active Directory, AWS SSO
Collaboration: Google Workspace, GitHub, Exchange
Business Apps: Salesforce, ServiceNow, Workday, SAP ECC
Data Platforms: Snowflake, Veza Platform

SCIM 2.0 Support:

Generic SCIM (any compliant system)
Includes Atlassian Cloud, Oracle Fusion Cloud, and SwiftConnect

The entire Veza application catalog can potentially be LCM-enabled. Contact your Customer Success Manager to discuss enabling specific applications.

For all validated integrations and their capabilities, see LCM Integrations.

Advanced Configuration

What optional features can be enabled for LCM?

Lifecycle Management includes core workflow capabilities, with additional features available depending on your configuration needs. Some features that were previously gated are now available by default, while others require configuration or enablement.

Capability

What It Enables

Availability

Password Reset Workflows

Automatically reset passwords during user lifecycle events (termination, role changes)

Available by default

Automated Access Reviews

Trigger compliance access reviews automatically based on user changes

Available by default

Multiple Identity Sources

Use multiple HR systems or identity providers with priority handling

Available by default

Access Request & Approvals

Enables users to request access with automated approval workflows and provisioning

Requires configuration - contact your Customer Success Manager

Enhanced Dashboard View

Consolidated overview dashboard showing policies, activity, and integration status at a glance

Available upon request

Policy JSON Viewer

View and export full policy configurations in JSON format for debugging and technical support

Available upon request for advanced users

Features marked "Available by default" should appear automatically in LCM configurations. Other features may require additional setup or enablement. Contact your Customer Success Manager to discuss configuration options.

Are password reset and access review actions available by default?

Yes, the Reset Password and Create Access Review workflow actions are now generally available as standard LCM functionality. These action types appear as available options when configuring workflow actions in LCM policies.

Additionally, Secondary Sources of Identity are also now generally available, allowing you to configure secondary identity sources in policies without requiring special enablement.

These features were previously gated behind feature flags (LCM_RESET_PASSWORD_ACTION, LCM_CREATE_ACCESS_REVIEW_ACTION, and UI_LCM_POLICY_SECONDARY) but are now standard functionality available to all tenants.

How does Veza decide which identity source attributes to display when both primary and secondary sources exist?

When a policy identity has both primary and secondary sources, Veza determines which source's attributes to display in the Identities table based on the active status of each source. The "active" status is determined by the is_active field in each source of identity, which typically represents employment or account status (e.g., an active employee in Workday, an active contractor in a secondary system).

Default behavior (without feature flag):

Always displays the primary source attributes if a primary source exists
Only displays secondary source attributes if no primary source exists

Enhanced behavior (with LCM_PREFER_ACTIVE_SOI_IN_IDENTITY_TABLE feature flag):

Primary Source Status

Secondary Source Status

Displayed Attributes Source

Active

Any

Primary source

Inactive

Active

Secondary source

Active

Primary source (default)

Inactive

Primary source (default)

This prioritization ensures the Identities table reflects the most current source of truth, which is particularly useful in scenarios where:

A user's primary identity becomes inactive (e.g., employee terminated in Workday, is_active=false)
The secondary identity source remains active (e.g., contractor account still active in secondary system, is_active=true)
You need visibility into which system currently maintains active identity information

Example scenario: An employee terminates from their full-time position (primary Workday identity becomes is_active=false) but continues as a contractor (secondary source remains is_active=true). With the feature flag enabled, the Identities table displays attributes from the contractor system, reflecting their current active status.

This feature requires the LCM_PREFER_ACTIVE_SOI_IN_IDENTITY_TABLE feature flag enabled in your environment. Contact your Customer Success Manager to enable this feature.

Lifecycle Management Troubleshooting

How can I export or view the complete JSON configuration of a policy?

The Show Raw JSON optional feature allows you to view and export the complete JSON representation of a Lifecycle Management policy for debugging and troubleshooting purposes.

Accessing Raw JSON

To view the raw JSON configuration:

Go to Lifecycle Management > Policies
Select a policy to view its details
Click Show Raw JSON in the policy header actions (if enabled for your tenant)
The complete policy configuration displays in a modal window
Use the Copy JSON button to copy the configuration to your clipboard

What's Included

The raw JSON export includes the complete policy structure:

Policy metadata (name, description, state, version information)
Workflow configurations and trigger conditions
Action definitions and parameters
Transformer mappings and attribute configurations
Data source associations and identity mappings
Access profile assignments and permissions
Safety limit configurations
Notification templates and settings
Secondary identity source configurations

The raw JSON feature is useful for providing complete policy configurations when working with support teams, and understanding the underlying policy structure. Use this option for creating backups of complex policy configurations and debugging complex policy behaviors.

This feature may require enablement for your tenant. Contact your Customer Success Manager if the "Show Raw JSON" button does not appear in your policy header actions.

The raw JSON contains sensitive configuration information. Only share policy JSON with authorized personnel and avoid exposing credentials or other sensitive data when sharing configurations.

For more information, see Policy Settings in the Policies documentation.

What roles can access Lifecycle Management and Access Profiles?

Access to Lifecycle Management and Access Profiles is managed through Veza's role-based permission system. User permissions can vary based on their assigned roles and team membership, enabling separation of duties and security controls across the platform.

Only Administrator roles have full management capabilities for LCM policies and Access Profiles. All other roles provide various levels of read-only access, with some specialized roles offering additional functionality like integration management or review assignment.

Role Categories and Access Levels

Veza roles fall into two availability tiers that determine their LCM access capabilities. Generally Available roles can be assigned without additional configuration, while Early Access roles require enablement by Veza support before assignment.

Role

Availability

Team Support

LCM Policies & Workflows

Access Profiles

Special Capabilities

Administrator

Generally Available

Root only

Full access: Create, edit, delete policies and workflows

Full access: Create, edit, delete Access Profiles and types

System configuration, user management

Operator

Generally Available

Root, Non-root

Read-only access to policies and workflows

Read-only access to Access Profiles

Can create Access Reviews (Root team only)

Access Reviewer

Generally Available

Root only

Read-only access for assigned review purposes only

Limited to assigned review contexts

SCIM Provisioner

Generally Available

Root only

Read-only access to policies and workflows

Read-only access to Access Profiles

SCIM 2.0 user lifecycle management

Integrations Manager

Generally Available

Root, Non-root

Read-only access to policies and workflows

Read-only access to Access Profiles

Integration configuration and management

Integration Owner

Generally Available

Root, Non-root

Read-only access to understand integration impacts

Read-only access to profile assignments

Specific integration ownership and monitoring

Access Reviews Monitor

Generally Available

Root only

Limited read-only access for monitoring review activities

Limited read-only access for monitoring purposes

Access Review progress monitoring without modification

Viewer

Early Access

Root, Non-root

Read-only access for monitoring

Requires ROOT_TEAM_VIEWER feature for Root team access

Watcher

Early Access

Root only

Read-only access for monitoring (cannot make changes)

Read-only access for monitoring

View Review Configurations without modification capability

Auditor

Early Access

Root only

Read-only access for audit and compliance purposes

Read-only access for audit purposes

Export audit logs and compliance reporting

Re-assigner

Early Access

Root only

Read-only access with ability to re-assign review results

Read-only access with review result re-assignment

Can reassign Access Review results to different reviewers

OAA Push

Early Access

Root, Non-root

Read-only access for monitoring

Upload Open Authorization API (OAA) payloads

Programmatic Key Manager

Early Access

Root, Non-root

Read-only access for monitoring

Programmatic API key lifecycle management

OAA CSV Manager

Early Access

Root, Non-root

Limited access for CSV integration management

Limited access related to CSV integrations

Required for CSV Upload integration management

NHI Security Admin

Early Access

Root only

Read-only access with focus on non-human identity security features

Read-only access with NHI focus

Non-Human Identity security dashboards and risk assessments

Understanding Team-Based Access Control

Team assignments determine the scope of data and integrations that users can access within their assigned roles. The Root team provides unrestricted access to all integrated data providers, while custom teams limit access to specific team-assigned integrations.

Root Team Access grants users visibility into all LCM policies across every integrated provider, the ability to create Access Reviews and manage system-wide configuration, and access to administrative roles that require platform-wide permissions. This team is essential for users who need comprehensive oversight of lifecycle management operations.

Non-Root Team Access restricts users to viewing only LCM policies relevant to integrations within their team's scope. These users cannot create Access Reviews or access system-wide administrative features, but they can effectively manage policies and profiles within their designated integration boundaries. Non-root teams are recommended for departmental teams or application-specific access control scenarios.

Multi-Team Membership allows users to belong to multiple teams simultaneously, with potentially different roles in each team. Users can switch their "active team" context to access different sets of policies, profiles, and data based on each team's integration scope. This supports organizational structures where users need varied access levels across different systems.

Automated Role Assignment Through SSO

Organizations using Single Sign-On can streamline user management by automatically assigning Veza roles based on Identity Provider (IdP) group membership. This integration uses SAML/OIDC claims to map IdP groups to specific Veza team and role combinations using the format Team SSO Alias:role name (where Team SSO Alias and role name are placeholders—do not include curly braces).

For example, the following IdP group-to-role mappings are valid:

Root:admin → assigns the "admin" role in the "Root" team
Engineering Team:operator → assigns the "operator" role in the "Engineering Team"
Finance:viewer → assigns the "viewer" role in the "Finance" team

Single IdP groups can map to multiple team/role combinations, and administrators can configure default fallback assignments for users without specific group mappings.

This approach reduces manual user management overhead while ensuring consistent role assignments based on organizational structure. For SSO configuration guidance, see Role Mapping for Single Sign-On.

Implementation Considerations

When planning role assignments, consider that policy and Access Profile management requires Administrator privileges, which are restricted to Root team members. The Veza interface automatically adjusts to user permissions—non-administrator users won't see create, edit, or delete options for resources they cannot modify.

All permissions are enforced consistently across both the web interface and API endpoints, ensuring security regardless of access method. Organizations should carefully plan team structures and role assignments to balance operational efficiency with security requirements, particularly when implementing SSO-based automated role assignment.

For role descriptions, team management guidance, and SSO integration details, see User Roles and Permissions, Team Management, and User and Team Management APIs.

Why isn't my workflow triggering for certain users?

Several factors can prevent workflows from triggering. Here are some recommended diagnostic steps:

Attempt a Dry Run Simulation
- View details for the specific identity in question
- Review the messages field for workflow evaluation details
- Check which conditions passed/failed
Check for Common Issues
- Condition Mismatch: Identity attributes don't match workflow conditions
- Policy State: Policy might be in PAUSED or PENDING state
- Source Data: Identity might not exist in the configured data source
- Safety Limits: Changes blocked due to safety threshold
Validate Identity Attributes
- Verify the identity has the expected attribute values
- Ensure attribute mappings are configured correctly
- Check for data quality issues in the source system

Policy States

Policies can be in the following states:

INITIAL - Newly created, not yet running
RUNNING - Active and processing identities
DRY_RUN - Testing mode without making changes
PAUSED - Temporarily stopped
PENDING - Awaiting configuration or approval

The Dry Run messages will explicitly state why each workflow did or didn't match.

Notifications: Email Templates and Webhooks

Customizing email notifications and Webhook configuration for Lifecycle Management events and Access Requests.

Email Templates Overview

Administrators can customize email notifications sent during Lifecycle Management and Access Request workflows. These emails can include instructions, unique branding, and placeholders for metadata specific to the event (such as entity names, action types, or request details). Each notification type (usage) can have its own customized template.

Notification templates support HTML and CSS. They can include links to external images or you can upload small files to Veza. This document includes steps to configure templates in Veza using the notifications API, and a reference for event types, default templates, and supported placeholders.

Template Management: Currently, notification templates can only be managed via the Notification Templates API. Template management through the Veza UI is not yet available.

Access Reviews Notification Templates: For access review workflow notifications, see Access Reviews Notification Templates.

Managing notification templates

Custom Email Templates

In addition to event-specific templates, you can create custom email templates that are not tied to specific lifecycle events. These reusable templates allow you to define notification content once and use it across Send Notification actions and action notification settings. Custom email templates are:

Reusable: Single template for multiple workflows and actions
Event-independent: Not associated with a specific lifecycle event type
Flexible: Can be used in both Send Notification actions and action notification settings (on_success/on_failure)
Standard placeholder support: Supports all the same placeholders as event-based templates

To create a custom email template:

Navigate to Lifecycle Management > Settings > Notifications
Click Create Template
Select For Custom Email (as opposed to "For Event")
Define your template name, subject, and body using HTML and placeholders
Save the template

To use a custom template, select it when configuring the Send Notification action, or in Action Notification Settings:

Send Notification action: Choose from the "Select Email Template" dropdown when configuring the action
Action Notification Settings: Select the template for on_success or on_failure email notifications on any action

When you select "Default template" in these dropdowns, the system uses the event-based template appropriate for the event. When you select a custom template, that template is used regardless of the specific event being processed.

Custom templates support all standard placeholders documented in the Placeholders section. The available values depend on the context in which the template is used (e.g., action notifications have action-related placeholders, event notifications have event-related placeholders).

Default Templates

The system provides built-in templates for all Lifecycle Management and Access Request events. These templates use placeholders that are automatically replaced with actual values when notifications are sent.

Generic Failure Template

When specific event templates aren't available or when events fail, the system uses a generic failure template:

Subject: Lifecycle job {{EVENT_TYPE}} has failed

Body:

<html><body>
<br>
<br> Here is the notification that lifecycle job has failed. <br>
Error message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
For reference:
<br> job_id: {{JOB_ID}}<br>
<br> identity_id: {{EVENT_IDENTITY_ID}}
<br> identity_name: {{EVENT_IDENTITY_NAME}}
<br> entity_type: {{ENTITY_TYPE}}
<br> entity_name: {{ENTITY_NAME}}
</body></html>

See Default Template Content for all default messages.

Lifecycle Management Events

Each template you create is associated with a specific notification event (referred to as usage in the API). The following event types are available for Lifecycle Management workflows, organized by functional area:

Identity Management Events

Event Type

API Usage Value

Description

Create Identity

LIFECYCLE_MANAGEMENT_CREATE_IDENTITY

Sent when a new identity/account is created

Create Identity Failed

LIFECYCLE_MANAGEMENT_CREATE_IDENTITY_FAILED

Sent when identity creation fails

Sync Identity

LIFECYCLE_MANAGEMENT_SYNC_IDENTITY

Sent when an identity is synchronized

Sync Identity Failed

LIFECYCLE_MANAGEMENT_SYNC_IDENTITY_FAILED

Sent when identity sync fails

Delete Identity

LIFECYCLE_MANAGEMENT_DELETE_IDENTITY

Sent when an identity is deleted

Delete Identity Failed

LIFECYCLE_MANAGEMENT_DELETE_IDENTITY_FAILED

Sent when identity deletion fails

Disable Identity

LIFECYCLE_MANAGEMENT_DISABLE_IDENTITY

Sent when an identity is disabled

Disable Identity Failed

LIFECYCLE_MANAGEMENT_DISABLE_IDENTITY_FAILED

Sent when identity disabling fails

Create Guest Account

LIFECYCLE_MANAGEMENT_CREATE_GUEST_ACCOUNT

Sent when a guest account is created

Create Guest Account Failed

LIFECYCLE_MANAGEMENT_CREATE_GUEST_ACCOUNT_FAILED

Sent when guest account creation fails

Relationship Management Events

Event Type

API Usage Value

Description

Add Relationship

LIFECYCLE_MANAGEMENT_ADD_RELATIONSHIP

Sent when a relationship is added

Add Relationship Failed

LIFECYCLE_MANAGEMENT_ADD_RELATIONSHIP_FAILED

Sent when adding relationship fails

Remove Relationship

LIFECYCLE_MANAGEMENT_REMOVE_RELATIONSHIP

Sent when a relationship is removed

Remove Relationship Failed

LIFECYCLE_MANAGEMENT_REMOVE_RELATIONSHIP_FAILED

Sent when removing relationship fails

Email Management Events

Event Type

API Usage Value

Description

Create Email

LIFECYCLE_MANAGEMENT_CREATE_EMAIL

Sent when an email is created

Create Email Failed

LIFECYCLE_MANAGEMENT_CREATE_EMAIL_FAILED

Sent when email creation fails

Write Back Email

LIFECYCLE_MANAGEMENT_WRITE_BACK_EMAIL

Sent when email is synced back

Write Back Email Failed

LIFECYCLE_MANAGEMENT_WRITE_BACK_EMAIL_FAILED

Sent when email sync back fails

Password Management Events

Event Type

API Usage Value

Description

Change Password

LIFECYCLE_MANAGEMENT_CHANGE_PASSWORD

Sent when a password is changed

Change Password Failed

LIFECYCLE_MANAGEMENT_CHANGE_PASSWORD_FAILED

Sent when password change fails

Reset Password

LIFECYCLE_MANAGEMENT_RESET_PASSWORD

Sent when a password is reset

Reset Password Failed

LIFECYCLE_MANAGEMENT_RESET_PASSWORD_FAILED

Sent when password reset fails

Entitlement Management Events

Event Type

API Usage Value

Description

Create Entitlement

LIFECYCLE_MANAGEMENT_CREATE_ENTITLEMENT

Sent when an entitlement is created

Create Entitlement Failed

LIFECYCLE_MANAGEMENT_CREATE_ENTITLEMENT_FAILED

Sent when entitlement creation fails

Rename Entitlement

LIFECYCLE_MANAGEMENT_RENAME_ENTITLEMENT

Sent when an entitlement is renamed

Rename Entitlement Failed

LIFECYCLE_MANAGEMENT_RENAME_ENTITLEMENT_FAILED

Sent when entitlement renaming fails

Sync Entitlement

LIFECYCLE_MANAGEMENT_SYNC_ENTITLEMENT

Sent when an entitlement is synced

Sync Entitlement Failed

LIFECYCLE_MANAGEMENT_SYNC_ENTITLEMENT_FAILED

Sent when entitlement sync fails

Actions and Workflows Events

Event Type

API Usage Value

Description

Custom Action

LIFECYCLE_MANAGEMENT_CUSTOM_ACTION

Sent when a custom action is performed

Custom Action Failed

LIFECYCLE_MANAGEMENT_CUSTOM_ACTION_FAILED

Sent when custom action fails

Action Succeed

LIFECYCLE_MANAGEMENT_ACTION_SUCCEED

Sent when an action succeeds

Action Failed

LIFECYCLE_MANAGEMENT_ACTION_FAILED

Sent when an action fails

Workflow Task Failed

LIFECYCLE_MANAGEMENT_WORKFLOW_TASK_FAILED

Sent when a workflow task fails

Extraction Event Failed

LIFECYCLE_MANAGEMENT_EXTRACTION_EVENT_FAILED

Sent when extraction processing fails

Access Reviews Events

Event Type

API Usage Value

Description

Create Access Review Queued

LIFECYCLE_MANAGEMENT_CREATE_ACCESS_REVIEW_QUEUED

Sent when access review is queued

Create Access Review

LIFECYCLE_MANAGEMENT_CREATE_ACCESS_REVIEW

Sent when access review is created

Safety Events

Event Type

API Usage Value

Description

Safety Limit Reached

LIFECYCLE_MANAGEMENT_SAFETY_LIMIT_REACHED

Sent when safety limits are reached

Access Request Events

Event Type

API Usage Value

Description

Access Request Created

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_CREATED

Sent when an Access Request is created

Access Request Action Run

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_ACTION_RUN

Sent when Access Request actions start running

Access Request State Changed

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_STATE_CHANGED

Sent when Access Request state changes

Access Request Approver Assigned

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_APPROVER_ASSIGNED

Sent when new approvers are assigned

Access Request Succeed

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_SUCCEED

Sent when Access Request succeeds

Access Request Failed

LIFECYCLE_MANAGEMENT_ACCESS_REQUEST_FAILED

Sent when Access Request fails

Default Template Content

Veza provides built-in email templates for all event types, organized by functional area below. These templates include standard placeholders and can be customized or replaced with your own templates.

Identity Management Templates

CREATE_IDENTITY

Subject: New Hire Notification: {{ENTITY_TYPE}} account created
Body:

<html><body>
Hello,<br>
<br>
Here is the information for your new-hire: {{ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
<br>
</body></html>

CREATE_GUEST_ACCOUNT

Subject: New {{ENTITY_TYPE}} Guest Account Created: {{ENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
New {{ENTITY_TYPE}} Guest Account Created <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Name: {{ENTITY_NAME}} <br>
Login Name: {{LOGIN_NAME}} <br>
Invite Sent: {{SENT_INVITE}} <br>
<br>
</body></html>

SYNC_IDENTITY

Subject: Sync Identity Notification: {{ENTITY_TYPE}} account synced
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} attributes have been synced <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>

DELETE_IDENTITY

Subject: Identity Deleted Notification: {{ENTITY_TYPE}} has an account deleted
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has been deleted <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>

DISABLE_IDENTITY

Subject: Identity Disabled Notification: {{ENTITY_TYPE}} has an account disabled
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has been disabled <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
<br>
</body></html>

Relationship Management Templates

ADD_RELATIONSHIP

Subject: New Relationship Added Notification: {{ENTITY_TYPE}} has an account with new relationship to a {{RELATIONSHIP_ENTITY_TYPE}}
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a new relationship to {{RELATIONSHIP_ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Relationship Type: {{RELATIONSHIP_ENTITY_TYPE}} <br>
<br>
</body></html>

REMOVE_RELATIONSHIP

Subject: Relationship Removed Notification: {{ENTITY_TYPE}} has an account whose relationship was remove from a {{RELATIONSHIP_ENTITY_TYPE}}
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a relationship removed from {{RELATIONSHIP_ENTITY_NAME}} <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Relationship Type: {{RELATIONSHIP_ENTITY_TYPE}} <br>
<br>
</body></html>

Email Management Templates

CREATE_EMAIL

Subject: New Email Notification: {{ENTITY_TYPE}} has an account with new email
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a new email address <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Email: {{EMAIL}} <br>
<br>
</body></html>

WRITE_BACK_EMAIL

Subject: New Write Back Email Notification: {{ENTITY_TYPE}} has had an email sync to it
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has the newly created email synced back to it <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Email: {{EMAIL}} <br>
<br>
</body></html>

Password Management Templates

CHANGE_PASSWORD

Subject: Password Change Notification: {{ENTITY_TYPE}} has an account with a new password
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has a password <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
New Password: {{LOGIN_PASSWORD}} <br>
<br>
</body></html>

RESET_PASSWORD

Subject: Reset Password Notification: {{ENTITY_TYPE}} has had their password reset
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has had their password reset <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Login Name: {{LOGIN_NAME}} <br>
Temporary Password: {{LOGIN_PASSWORD}} <br>
<br>
</body></html>

Entitlement Management Templates

CREATE_ENTITLEMENT

Subject: Create entitlement notification: an entry of {{ENTITY_TYPE}} is created
Body:

<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} is created: {{ENTITY_NAME}} <br>
<br>
</body></html>

RENAME_ENTITLEMENT

Subject: Rename entitlement notification: an entry of {{ENTITY_TYPE}} is renamed
Body:

<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} is renamed with new name: {{ENTITY_NAME}} <br>
<br>
</body></html>

SYNC_ENTITLEMENT

Subject: Sync entitlement notification: an entry of {{ENTITY_TYPE}} is renamed
Body:

<html><body>
Hello,<br>
<br>
An entry of {{ENTITY_TYPE}} has been re-synced with the target system: {{ENTITY_NAME}} <br>
<br>
</body></html>

Access Request Templates

ACCESS_REQUEST_COMPLETE

Subject: Access Request {{ACCESS_REQUEST_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} has {{SUCCEED_OR_FAILED}}
Body:

<html><body>
Hello,<br>
<br>
{{ACCESS_REQUEST_ENTITY_NAME}} has been {{ACCESS_REQUEST_TYPE}} with: {{ACCESS_REQUEST_TARGET_NAME}}.<br>
<br>
User Type: {{ACCESS_REQUEST_ENTITY_TYPE}} <br>
Target Type: {{ACCESS_REQUEST_TARGET_TYPE}} <br>
<br>
</body></html>

ACCESS_REQUEST_CREATED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}
Body:

<html><body>
Hello,<br>
<br>
The request is currently in {{ACCESS_REQUEST_STATE}} state.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

ACCESS_REQUEST_FAILED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is failed
Body:

<html><body>
Hello,<br>
<br>
The request is failed, with an error message: {{EVENT_ERROR_MESSAGE}}
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

ACCESS_REQUEST_STATE_CHANGED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} is {{ACCESS_REQUEST_STATE}}
Body:

<html><body>
Hello,<br>
<br>
The request is currently in {{ACCESS_REQUEST_STATE}} state.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

ACCESS_REQUEST_APPROVER_ASSIGNED

Subject: {{ACCESS_REQUEST_SOURCE_TYPE}} for {{ACCESS_REQUEST_ENTITY_NAME}} in {{ACCESS_REQUEST_STATE}} as new assigned approvers
Body:

<html><body>
Hello,<br>
<br>
The request currently in {{ACCESS_REQUEST_STATE}} state has new been assigned new approvers.
<br>
For details: {{ACCESS_REQUEST_URL}}
<br>
</body></html>

Error and Failure Templates

ACTION_FAILED

Subject: Action Failed: {{ACTION_NAME}} for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
Action has failed.<br>
<br>
Identity: {{IDENTITY_NAME}}<br>
Action Name: {{ACTION_NAME}}<br>
Action Type: {{ACTION_TYPE}}<br>
Workflow Name: {{WORKFLOW_NAME}}<br>
Error Message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
</body></html>

WORKFLOW_TASK_FAILED

Subject: Workflow Failed: {{WORKFLOW_NAME}} for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
Workflow has failed.<br>
<br>
Identity: {{IDENTITY_NAME}}<br>
Workflow Name: {{WORKFLOW_NAME}}<br>
Error Message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
</body></html>

EXTRACTION_EVENT_FAILED

Subject: Lifecycle Management extraction processing failed for {{DATASOURCE_ID}}
Body:

<html><body>
Hello,<br>
<br>
Extraction processing has failed.<br>
<br>
Datasource: {{DATASOURCE_ID}}<br>
Error Message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
</body></html>

Access Review Templates

CREATE_ACCESS_REVIEW_QUEUED

Subject: Create Access Review Queued Notification: for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
An access review has been queued for {{IDENTITY_NAME}} <br>
<br>
</body></html>

CREATE_ACCESS_REVIEW

Subject: Create Access Review Notification: for identity {{IDENTITY_NAME}}
Body:

<html><body>
Hello,<br>
<br>
An access review has been created for {{IDENTITY_NAME}} <br>
<br>
</body></html>

Safety and Custom Action Templates

SAFETY_LIMIT_REACHED

Subject: Safety Limit Reached Notification: Policy {{POLICY_NAME}} has stopped processing identity changes
Body:

<html><body>
Hello,<br>
<br>
The safety limit for policy {{POLICY_NAME}} has been reached. No further identity changes were processed.<br>
</body></html>

CUSTOM_ACTION

Subject: New Custom Action Notification: {{ENTITY_TYPE}} has performed a custom action
Body:

<html><body>
Hello,<br>
<br>
{{ENTITY_NAME}} has performed a custom action <br>
<br>
Account Type: {{ENTITY_TYPE}} <br>
Message: {{EVENT_ERROR_MESSAGE}} <br>
<br>
</body></html>

Image Attachments

From the Veza UI, you can add images directly through the "Add images" option. These will be automatically encoded and included in your template.

Image Requirements: For API-based template management, small images under 64kb can be attached when configuring a template. The image must be base64-encoded and specified in the attachments field of the API request.

To use an attachment you have uploaded in a template, specify it by attachment.name, for example:

<img src="cid:<name_of_attachment>"

To embed high-resolution images in your templates, you should serve the content from a public URL, and use HTML to link and style it.

Placeholders

Use placeholders to include dynamic information in templates, such as entity names, action types, timestamps, and other event metadata. Placeholders are automatically replaced with actual values when notifications are sent.

Identity and Entity Information

Placeholder

Description

{{ENTITY_TYPE}}

The type of entity (e.g., "ActiveDirectoryUser", "OktaUser")

{{ENTITY_NAME}}

The name of the entity/identity

{{LOGIN_NAME}}

The login/username for the account

{{LOGIN_PASSWORD}}

The password (for password-related notifications)

{{EMAIL}}

Email address associated with the identity

Relationship Information

Placeholder

Description

{{RELATIONSHIP_ENTITY_TYPE}}

Type of the related entity

{{RELATIONSHIP_ENTITY_NAME}}

Name of the related entity

Action and Job Information

Placeholder

Description

{{ACTION_NAME}}

Name of the action being performed

{{ACTION_TYPE}}

Type of action

{{ACTION_JOB_ID}}

Unique identifier for the action job

{{SUCCEED_OR_FAILED}}

Status indicator ("succeeded" or "failed")

{{SENT_INVITE}}

Whether an invite was sent (for guest accounts)

Access Request Information

Placeholder

Description

{{ACCESS_REQUEST_TYPE}}

Type of Access Request

{{ACCESS_REQUEST_ENTITY_NAME}}

Name of the entity requesting access

{{ACCESS_REQUEST_ENTITY_TYPE}}

Type of the requesting entity

{{ACCESS_REQUEST_TARGET_TYPE}}

Type of the target resource

{{ACCESS_REQUEST_TARGET_NAME}}

Name of the target resource

{{ACCESS_REQUEST_URL}}

URL to view the Access Request details

{{ACCESS_REQUEST_STATE}}

Current state of the Access Request

{{ACCESS_REQUEST_SOURCE_TYPE}}

Source type of the Access Request

Event and Error Information

Placeholder

Description

{{EVENT_TYPE}}

Type of lifecycle event

{{JOB_ID}}

Job identifier

{{EVENT_ERROR_MESSAGE}}

Error message for failed events

{{EVENT_IDENTITY_ID}}

Identity ID associated with the event

{{EVENT_IDENTITY_NAME}}

Identity name associated with the event

Policy and Workflow Information

Placeholder

Description

{{POLICY_NAME}}

Name of the lifecycle policy

{{WORKFLOW_NAME}}

Name of the workflow

{{ACTION_ID}}

Action identifier

{{WORKFLOW_ID}}

Workflow identifier

{{DATASOURCE_ID}}

Datasource identifier

Webhook Configuration Overview

Webhook notifications are triggered upon execution of actions during the LCM Policy workflow process. Webhooks inform stakeholders or integrate with external systems of events that are processed within the workflow. Webhook notifications can be optionally configured as their own discrete action in a workflow or as an option when another action is executed.

For example, a webhook is sent to the company's learning management system to initiate online onboarding training once each new hire's Active Directory account is provisioned, following a successful Sync Identity operation.

Create a Webhook

To create and manage a webhook, perform the following:

Go to Policies and select a policy.
Click Edit Policy.
Click Policy Settings.
Scroll down to Notifications and click Add Notification.
Choose the Webhook notification type.
Choose an event to trigger notifications:
- Create Identity
- Sync Identity
- Add Relationship
- Remove Relationship
- Create Email
- Change Password
- Delete Identity
- Disable Identity
- Manage Relationships
- Write Back Email
- Access Request Complete
- Custom Action
- Action Failed
- Workflow Task Failed
- Extraction Event Failed
- Create Entitlement
- Create Guest Account
- Rename Entitlement
- Create Access Review
- Reset Password
- Create Access Review Queued
- Safety Limit Reached
- Sync Entitlement
Choose the status to trigger notifications (when an event is Successful, or On Failure).
Select an Existing Veza Action.
A Veza Action is an integration with functionality for sending data to external systems, enabling downstream processes around Veza alerts, and access to reviewer actions. Use a Veza Action to configure generic webhooks or enable email notifications.
See Veza Actions Webhooks on how to create and deploy a webhook.
To customize the Webhook setting, perform the following:
- In the Webhook URL field, enter the endpoint configured to receive the webhook payload.
- In the Webhook Auth Header field, enter the Auth Header if the webhook listener requires authentication.
When configured, webhook requests include an Authorization header containing the credentials specified in the Webhook Auth Header field. This allows the receiving endpoint to authenticate the request using Bearer tokens, API keys, or other authentication schemes.
Click Save.

Lifecycle Management

Key Features

Core Concepts

Policies

Workflows

Access Profiles

Actions

Attribute Transformers

Notification Templates

Getting Started

Lifecycle Management Dashboard

Dashboard Overview

Dashboard Actions

Policies

Access Profiles

Identities

Integrations

Access Requests

Errors

Recent Activity

Next Steps

Implementation and Core Concepts

Define Segmentation Criteria (Business Roles)

Define Role Conditions

OAA HRIS Built-In Attributes

Define Profiles

Map Business Roles to Profiles

Define synced attributes

Access Profile Types

Overview

Common Access Profile Type Categories

Managing Access Profile Types

Creating a New Profile Type

Best Practices for Access Profile Types

Fallback Formatters

Overview

Understanding Fallback Formatters

Use Case: Username Conflicts

Configuring Fallback Formatters

Transformer Options for Fallback Formatters

Using the NEXT_NUMBER Transformer

Other Useful Transformers for Fallbacks

Implementation Example

Common Fallback Patterns

How Fallback Resolution Works

Attribute Mapping

Overview

Attribute Naming Conventions

Attribute Types and Mappings

Standard Attributes

Source-Specific Mappings

Custom Properties

System Attributes

Using Attributes in Workflows

Primary vs Secondary Sources

Example Usage

See Also

System Attributes

Overview

Available System Attributes

sys_attr__is_mover

sys_attr__would_be_value

sys_attr__would_be_value_len

Integration with NEXT_NUMBER

Workflow Trigger Properties

See Also

Active Directory

Overview

Supported Capabilities

Identity Provider Status

Supported Actions

Manage Relationships

Sync Identities

De-provision Identity

Configuration Steps

1. Create a Service Account

Using Active Directory Users and Computers:

Using PowerShell:

2. Configure Required Permissions

Using Active Directory Users and Computers:

`sys_attr__is_mover`

`sys_attr__would_be_value`

`sys_attr__would_be_value_len`

Integration with `NEXT_NUMBER`