1 of 55

Lifecycle Management

Introduction to Lifecycle Management with Veza

Veza's Lifecycle Management (LCM) solution empowers organizations to automate and streamline the management of user identities and access rights throughout the employee lifecycle. From onboarding to role changes and offboarding, automated LCM workflows ensure that the right people have the correct access at the right time.

Key features

Automated Provisioning and De-provisioning

Getting Started

Introduction to Lifecycle Management implementation, dashboard, and activity monitoring in Veza

Start here to understand Lifecycle Management fundamentals, monitor your LCM environment, and track workflow execution.

In this section

Topic

Description

Where to go next

After reviewing the getting started materials:

Configure Integrations: Enable your identity sources and target applications for LCM. See .
Set Up Identities: View and manage identities from your configured sources. See .
Create Access Profiles: Define birthright entitlements for user segments. See .

For an end-to-end walkthrough using Workday, Okta, and Active Directory, see .

Lifecycle Management Dashboard

Managing and monitoring Lifecycle Management from a central dashboard

The Lifecycle Management Dashboard provides a centralized interface for monitoring automatic provisioning and deprovisioning of user access - both birthright access granted by Veza Lifecycle Management and just-in-time access granted by Veza Access Reviews. This dashboard gives you an at-a-glance view of your configuration, status, and recent activity.

The dashboard is the primary landing page for Lifecycle Management and Access Requests and can help with routine monitoring, error resolution, policy validation, activity review, and integration health checks.

Dashboard Overview

The dashboard is organized into several key sections:

Policies: Displays your most recently updated Lifecycle Management and their status
Access Profiles: Shows configured and usage metrics
Identities: Provides a visualization of managed identities

To navigate to more detailed information, click on any section heading to open the related overview. Click on specific items (such as a policy or integration) to view or edit configuration details.

Dashboard Actions

From the dashboard, you can perform common tasks including:

Create a new policy: Click the "Create Policy" button in the Policies section
Configure Access Profiles: Click the "Create Access Profile" button in the Access Profiles section
Set up a new integration: Click the "Set up Integration" button in the Integrations section

Policies

The Policies section displays all configured Lifecycle Management policies with their current status. Each policy shows its name, associated identity source, number of identities managed, and current status (Running/Stopped).

You can view all policies at a glance, create new ones with the "Create Policy" button, see which policies are actively running, access detailed configuration by clicking on a specific policy, and verify that policies in "Running" status should be active. Learn more about .

Access Profiles

The Access Profiles section shows the total number of configured access profiles and provides a visual representation of profile activity. Access profiles define sets of entitlements granted to users based on their roles.

You can see the total number of configured profiles, create new ones using the "Create Access Profile" button, view profile activity and utilization, and access detailed configuration by clicking into the section. Learn more about .

Identities

The Identities section provides a visual representation of all identities managed through Lifecycle Management and Access Requests. The chart displays the distribution of identities by type or status, giving you an immediate understanding of your identity landscape.

This visualization helps you understand the overall composition of your managed identities, identify distribution patterns across different categories, and track changes in identity distribution over time.

Integrations

The Integrations section lists all systems connected to Lifecycle Management and Access Requests, displaying the total number of integrations, error status and counts, recently created integrations, and last update timestamps. For each integration, you can see its name and type, current status (including error indicators), and last update timestamp. You can set up new integrations using the "Set up Integration" button, identify and troubleshoot integration errors, and view all integrations by clicking "View all." Review this section regularly to identify any integrations with error states. See for more information.

Access Requests

The Access Requests section tracks pending access requests, recently completed requests, and request status (Pending, Completed, Rejected, Cancelled). This section provides visibility into the access request process, allowing you to monitor request volume and status, track completion rates, and identify potential bottlenecks in the access request workflow.

Errors

The Errors section displays any Lifecycle Management and Access Requests errors that require attention. When functioning normally with no issues, this section will display "No issues found." If errors occur, this section will list the specific errors, provide context about when and where they occurred, and offer guidance on troubleshooting and resolution. Check this section regularly for any reported issues.

Recent Activity

The Recent Activity section shows a chronological log of Lifecycle Management and Access Requests events, including event type, timestamp, affected identity, and entity name. Examine this section to identify any unusual patterns or failed operations. This activity log helps you track recent actions, verify that expected changes have occurred, identify patterns or issues in lifecycle events, and monitor the overall health of your Lifecycle Management or Access Requests implementation.

Next Steps

After familiarizing yourself with the dashboard:

Activity Log

Understanding the Lifecycle Management Activity Log for tracking provisioning operations

The Lifecycle Management Activity Log provides visibility into all provisioning operations performed by Veza's Lifecycle Management system. It serves as a record of all activities, including successful actions, errors, and failures.

Overview

A Lifecycle Management policy defines automated workflows that execute when changes occur in a source of identity. The Activity Log tracks all aspects of these operations through a hierarchical structure:

Identities

Managing identities and identity override attributes in Veza Lifecycle Management

Identities are the core entities in Lifecycle Management. They represent the people in your organization, sourced from HR systems, identity providers, ITSM platforms, payroll systems, custom OAA applications, or flat files. See Integrations for the full list of supported identity sources.

In this section

Topic

Description

Key concepts

Source of Identity: The authoritative system (such as Workday or Okta) that provides identity data
Identity Attributes: Properties like first name, last name, email, department, and manager
Override Attributes: Custom attributes that can supplement or override source-provided values

- How source attributes map to Veza
- Computed attributes for advanced logic

Identity Override Attributes

Overview

This guide explains how to configure identity override attributes in Lifecycle Management to address scenarios where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment for policy execution.

Identity override attributes allow Lifecycle Management administrators to override the value of any user attribute set at the source of identity. These overrides take precedence over actual values during Lifecycle Management workflows.

Access Profiles

Map application entitlements to user populations based on common roles, functions, levels, or locations in the organization.

Access Profiles govern how application entitlements are assigned to employees across your organization. These profiles define how birthright access should be granted based on segmentation criteria, such as business role, job function, seniority level, location, or group membership. Access Profiles are used by the Manage Relationship action to assign users to specific groups, roles, permission sets, or other access-granting entities when specific conditions are met.

Profiles can be configured hierarchically to create a fine-grained model for assigning access to different employee groups. Administrators can position child profiles beneath a parent profile, with each child profile inheriting the parent profile's entitlements.

For instance, a parent profile might be "Sales" (defining all the application entitlements that an individual belonging to the Sales organization should be granted), with child Profiles for "Account Executive," "Sales Engineering," "Sales Operations," and "Inside Sales." Each child Profile will have additional application entitlements specific to those roles. With these profiles configured, a workflow in policy for sales engineers can use just the "Sales Engineering" Profile, which includes the access defined by the "Sales" profile.

Example Profiles

Profile Name

Target

Relationship

Since workflows in Lifecycle Management policies can apply these Profiles at all stages in a user's lifecycle, defining Profiles enables Veza to serve as a source of truth for birthright entitlements for all employees. Access Profiles also define what access-granting relationships to remove from users during de-provisioning workflows.

The access granted by a Profile can be defined by both:

Explicitly-defined, application-specific entitlements, such as roles, groups, permission sets, etc., within the Profile. A single Access Profile can support granting one or more entitlements across one or more applications simultaneously.
Any entitlements inherited from a parent Profile.

The example below shows Business Roles for teams, managers, and all employees, along with Profiles for different applications. When configuring workflow actions, administrators can choose from one or more Business Profiles to assign the entitlements granted by the child Profiles.

Access Profile Types

Veza offers two types of built-in Access Profile types for defining birthright entitlements by user segments:

Profiles

Profiles are a type of Access Profile used to define access-granting relationships (such as user assignments to groups or roles) within the applications you will provision to users. Profiles are intended to represent a specific set of entitlements across one or more applications that should be granted based on a user's segmentation criteria.

Profiles should be configured in coordination with the application owner, who will best understand the exact permissions and privileges granted by various groups, roles, and other entitlements in each specific application.

Business Roles

Business roles are a type of Access Profile used to model your organization's structure, based on a hierarchy of job functions, locations, and titles. Ideally, by itself, a Business Role should not describe specific entitlements but can inherit relationships from other Profiles. These will usually be named according to logical segments that should be assigned to different applications with different levels of access, such as "Sales," "QA Contractors," or "Engineering Managers."

Best Practices for Access Profile Types

Business Roles can inherit Profiles to enable a hierarchical approach to birthright access management. You should draft and review Access Profiles to create a map of user entitlements for each application (such as "GitHub Developers" or "Salesforce Administrators").

Create Business Roles that align with your organizational structure, especially considering location, business unit, and functional organization. Then, configure these Business Roles to inherit Profiles that describe the birthright entitlements granted to different user populations.

Configuring Access Profiles

To create and manage Access Profiles, go to Lifecycle Management > Access Profiles.

Click Create Access Profile.
Under Access Profile Details, choose the Profile Type to create:
1. Business Role: Business roles are intended to represent logical units within your organizational structure, and can inherit entitlements defined in other Access Profiles. Use Business Roles to establish segmentation criteria based on location, role, business unit, or functional organization.

After saving an Access Profile, you can view its details, edit it, or pause and resume it on the Lifecycle Management > Access Profiles page.

When configuring a policy to include the Manage Relationships action, you can select any active profile for the target data source. You can also use Dynamic Access Profiles to resolve Access Profile names at runtime based on user attributes. See for details.

Access Profile Ownership

Access Profiles can have designated owners who are responsible for managing and maintaining the profile. Owners have elevated permissions to configure the profile, manage its lifecycle, and create additional profiles.

Who Can Be Owners

Both Veza Users and Veza Groups can be assigned as Access Profile owners:

Individual Users: Any Veza platform user with the appropriate permissions
Veza Groups: Both Customer Managed groups (created in Veza) and SCIM Managed groups (provisioned from identity providers). See for details on group types and management

Owner Eligibility Requirements

To be eligible as an Access Profile owner, a user or group must have the Creator permission set for the relevant Access Profile Type. This is a two-step configuration process:

Grant Profile Type Permissions:
- Navigate to Lifecycle Management > Settings
- Select the Profile Types tab

Group Ownership Behavior: When a group is assigned as an owner, all its members inherit the ownership capabilities. Individual group members will also appear as available owners in the interface.

Owner Permissions

When a user or group is designated as an Access Profile owner, they automatically receive three distinct permissions:

Owner permission on the specific Access Profile
- Read: View the profile's configuration, entitlements, and metadata
- Update: Modify the profile's settings, labels, descriptions, and assigned relationships

These permissions enable owners to not only manage their assigned profiles but also create additional profiles of any type they have access to.

Privilege Escalation: Becoming an Access Profile owner grants global Creator permission, allowing the user or group to create Access Profiles of any type (not just the type of the owned profile). Consider this privilege escalation when assigning ownership.

Managing Owners

Access Profile owners are managed through the Access Profiles interface:

Navigate to Lifecycle Management > Access Profiles.
Locate the Access Profile in the list.
Click the Actions button (⋮) for that profile.

Owner Requirements: Every Access Profile must have at least one owner. The system will prevent you from removing the last owner from a profile to ensure ongoing management capability.

Access Profile Creation Permissions (Early Access): By default, only Administrators can create Access Profiles. With Access Controls enabled, you can delegate creation permissions to specific Operators and Groups. See for details.

Access Profile Types

Understanding and configuring different types of Access Profiles for Lifecycle Management and Access Requests

Overview

Access Profile Types determine the behavior of for Veza Lifecycle Management and Veza Access Requests. They define common characteristics such as:

Whether the profile can inherit entitlements from other profiles

Policies and Workflows

Configure automation policies, workflow triggers, notifications, and access reviews in Lifecycle Management

Policies define the rules and actions for managing identities throughout their lifecycle. Workflows within policies execute based on specific conditions, automating processes such as onboarding, role changes, and offboarding.

In this section

Topic

Description

Key concepts

Policies: Top-level configuration for a source of identity that defines which workflows apply
Workflows: Sequences of actions that execute when specific conditions are met
Trigger Conditions: Boolean expressions using SCIM filter syntax (e.g., is_active eq true)

- Define birthright entitlements for provisioning actions
- Format attributes when provisioning accounts

LCM-Triggered Access Reviews

Integrate Access Reviews with Lifecycle Management workflows

This guide explains how to create Access Reviews from Lifecycle Management workflows and troubleshoot common issues.

Lifecycle Management (LCM) policies can trigger Access Reviews automatically using the CREATE_ACCESS_REVIEW action. When a workflow runs and conditions match, Veza queues and creates an access review campaign based on the configured certification plan.

Overview

Use LCM-triggered access reviews to:

Automatically certify access when employees change roles (movers)
Review permissions before offboarding (leavers)
Validate access grants after onboarding (joiners)
Enforce periodic re-certification based on identity attribute changes

The sections below cover configuration options and troubleshooting for reviews created by LCM workflows.

Troubleshoot missing reviews

Common scenarios:

All results filtered: Veza created the review but then deleted it because all rows already appeared in recent in-progress reviews
Entity type mismatch: The policy identity type does not match the access review query, and no identity graph relationship exists to resolve it. Veza displays this error: "No matching node type found for identity type {type}"
Missing workflow configuration: The Access Review workflow is not configured or not linked to the policy

LCM-triggered reviews always run when a workflow executes, but Veza deletes the review if it has no results after filtering.

Veza compares each row against the last five in-progress reviews (by default) for the same workflow. The system excludes rows that appeared in any of those reviews. If all rows are excluded, Veza deletes the review rather than completing it with zero results. Veza does not send notifications for deleted reviews.

To verify a review was created and deleted:

Check Veza Events for the review creation and deletion
Review Lifecycle Management event logs for the workflow execution
Note: Deleted LCM-triggered reviews do not appear in the Reviews list (unlike manually-created empty reviews, which do appear)

This behavior prevents duplicate review efforts and focuses reviewer attention on changed or new access. The comparison count (default: 5) is configurable by Veza support using the CertificationCountToExcludeUnchanged setting.

Understand unchanged result filtering

LCM and Rule-triggered Access Reviews automatically exclude unchanged results. Veza enables this setting by default, and you cannot disable it for these review types.

When Veza creates a review, it compares each row against the last five in-progress reviews for the same workflow (sorted by start time, newest first). The system excludes rows that appeared in any of those reviews, leaving only new or changed access to review.

This behavior:

Applies automatically to all LCM_TRIGGERED and RULE_TRIGGERED reviews
Compares against the last five in-progress reviews by default (configurable by Veza support)
Cannot be changed through the UI or API

If filtering excludes all rows, Veza deletes the review rather than completing it with zero results. Veza does not send notifications for deleted reviews, but the deletion appears in Veza Events.

The first LCM-triggered review for a workflow includes all results since there are no earlier reviews to compare against. Subsequent reviews only show changes.

Resolve entity type mismatches

LCM-triggered access reviews require the policy identity entity type to match the entity type defined in the access review query. Veza resolves this match in the following order:

Direct match in source node types: The policy identity type matches directly
Direct match in destination node types: The policy identity type matches the destination
Linked nodes through the identity graph: Veza follows graph relationships to find a connection (for example, WorkdayWorker → ActiveDirectoryUser

If none of these resolve, the review creation fails with the error: "No matching node type found for identity type {type}".

Example: If your policy tracks WorkdayWorker identities and your review expects ActiveDirectoryUser entities, Veza still creates the review successfully if there is a defined relationship (for example, WorkdayWorker → ActiveDirectoryUser) in the identity graph. If no such mapping exists, the review creation fails.

Fix missing enriched identity columns

Access Reviews can include enriched columns that display additional identity attributes (such as department or manager from an HRIS system). However, Veza skips enrichment when the identity mapping is ambiguous.

When Veza skips enrichment:

If a single account or entity maps to multiple identity nodes in the graph (for example, one Active Directory account maps to two different WorkdayWorker records), Veza intentionally skips enrichment rather than arbitrarily choosing one.

Result:

Veza still creates the review successfully
Enriched columns appear but remain empty for affected rows
Veza logs a trace-level warning: "Skipping enriching nodes due to finding multiple linked nodes"

Resolution:

Review your identity mappings to ensure each account maps to a single identity. Ambiguous mappings often indicate data quality issues in source systems (such as duplicate employee records).

Customize review names

When creating access reviews through LCM workflows, you can configure a custom review name using attribute transformers. This is useful when a workflow creates multiple reviews and you need to differentiate them.

Common use case (Movers): When employees change roles, a single workflow run can trigger multiple access reviews. Custom names help reviewers identify which review corresponds to which change.

Transformer syntax:

Use curly braces to reference identity attributes:

Review for {name} → "Review for John Smith"
{department} Access Review - {name} → "Engineering Access Review - John Smith"
{job_title} Certification → "Senior Engineer Certification"

See for the complete transformer syntax reference.

Dry Run verification:

Custom review names appear in Dry Run results, allowing you to verify the name format before the workflow runs in production. This helps catch transformer syntax errors or missing attributes early.

: Complete guide to configuring and managing access certification campaigns
: Creating and configuring certification plans
: Configuring the workflow action settings

Fallback Formatters

Configure fallback formatters for uniquely identifying attributes during identity synchronization

Overview

Fallback formatters can help resolve conflicts when provisioning identities with unique attributes. This is particularly useful when automated provisioning requires unique identifiers, but the standard generated values are already in use.

Terminology: A formatter is the template string within an attribute transformer that defines how to construct a value. A fallback formatter is an alternative template used when the primary formatter produces a value that conflicts with an existing record. See for more on these terms.

Understanding Fallback Formatters

When provisioning new identities through Lifecycle Management, unique attributes like usernames, login IDs, or email addresses must not conflict with existing values. Fallback formatters provide an automated way to generate alternative values when conflicts arise, ensuring provisioning can proceed without manual intervention.

You can configure fallback formatters when configuring a to ensure new users can be onboarded efficiently, regardless of naming conflicts.

Use Case: Username Conflicts

The most common use case for fallback formatters is handling username conflicts. For example:

Your organization uses a standard username format of first initial + last name (e.g., jsmith for John Smith).

When multiple employees have similar names, this can lead to conflicts:

John Smith already has jsmith
Jane Smith already has jsmith1
James Smith already has jsmith2

When Jennifer Smith joins, the fallback formatter automatically assigns jsmith3, maintaining your naming convention while ensuring uniqueness.

Configuring Fallback Formatters

Fallback formatters can be configured as part of the "Sync Identities" action within a Lifecycle Management workflow:

Edit or create a Lifecycle Management policy
Edit the workflow containing the Sync Identities action
In the Sync Identities action configuration, click Add Fallback

Transformer Options for Fallback Formatters

Several transformers can be used for implementing fallback formatters depending on your specific use case.

Using the NEXT_NUMBER Transformer

A typical approach is to use the NEXT_NUMBER transformer, which is specifically designed to generate sequential numerical alternatives when naming conflicts occur.

The NEXT_NUMBER transformer:

Generates a set of sequential integers as strings
Takes two parameters: BeginInteger (starting number) and Length (how many numbers to generate)
Is unique among transformers in that it returns multiple values, making it ideal for fallback scenarios

Other Useful Transformers for Fallbacks

In addition to NEXT_NUMBER, other transformers can be valuable for creating fallback formatters:

Using Random Alphanumeric for Unique Usernames:

This could generate usernames like jsmith8f3d instead of sequential jsmith1, jsmith2, etc.

Using UUID for Guaranteed Uniqueness:

This would append the first 8 characters of a UUID, creating identifiers like jsmith-a7f3e9c2.

Implementation Example

When configuring a fallback formatter with the NEXT_NUMBER transformer:

Select the attribute that requires uniqueness (e.g., username, email)
Configure the primary pattern (e.g., {first_initial}{last_name})
Add a fallback using the NEXT_NUMBER transformer to generate sequential alternatives:

This will generate up to 10 alternatives: jsmith1, jsmith2, ... jsmith10

Common Fallback Patterns

Here are some commonly used fallback patterns:

Primary Format

Fallback Pattern

Examples

How Fallback Resolution Works

When Lifecycle Management attempts to provision a new identity with a unique attribute value that already exists:

The system first tries the primary format (e.g., jsmith)
If a conflict is detected, it automatically tries the first alternative using the NEXT_NUMBER transformer (e.g., jsmith1)
If that value also exists, it tries the next alternative (e.g.,

This automated conflict resolution ensures provisioning can proceed without manual intervention, even when your standard naming conventions result in conflicts.

System Attributes

Computed properties for advanced workflow triggering and conditional transformations in Lifecycle Management

Overview

System attributes are computed properties that Lifecycle Management automatically generates during identity processing. These attributes enable advanced automation scenarios by providing runtime information about identity changes and transformation results.

All system attributes follow the sys_attr__ prefix convention and cannot be manually set or modified.

Coupa Contingent Workforce

Configuring the Coupa Contingent Workforce integration for Veza Lifecycle Management.

Overview

The Veza integration for Coupa Contingent Workforce (CCW) enables automated identity synchronization as a source of truth for contingent worker lifecycle management. Coupa CCW serves as an authoritative source for contingent worker information that can be synchronized with other systems in your environment.

This document includes steps to enable the Coupa CCW integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

How-to Guides

Step-by-step guides for common Lifecycle Management tasks and configurations

These guides provide step-by-step instructions for common Lifecycle Management tasks and configurations.

In this section

Guide

Description

Additional resources

- Common questions and troubleshooting
- Architecture overview
- Monitor workflow execution and policy status

Manage Access Profile Creation Permissions

How to delegate Access Profile creation to specific Operators and Groups.

Overview

By default, only Administrators can create Access Profiles in Lifecycle Management. With Access Controls enabled, Administrators can grant Creator permissions to specific Operators and Groups, allowing them to create new profiles. Users who create a profile automatically become its Owner and can edit that profile, but cannot modify profiles created by others. Administrators always retain full access to all profiles.

Users must have the Operator role to use Creator permissions — non-Operator roles (Access Reviewer, Watcher, etc.) cannot create Access Profiles even with explicit permission grants.

Early Access Feature: This feature requires enablement by Veza support. Contact your Veza support team to enable Access Controls for your tenant.

Before you start

You have the Administrator role on the root team
Access Controls are enabled on your tenant (contact Veza support)
The users receiving permissions have the Operator role assigned

Grant Access Profile creation permissions

To assign Access Profile creation permissions to users or groups:

Navigate to Lifecycle Management in the Veza main navigation menu.
Click Settings in the Lifecycle Management sidebar.
On the Settings page, locate the Access Profile Types section.

Result: Users and groups with Creator permissions can now create new Access Profiles from the Lifecycle Management > Access Profiles page.

Verify permissions

To confirm that permissions were assigned correctly:

In the Manage Permissions modal, review the list of assigned users and groups.
Each row shows:
- Principal name (user or group)
- Principal type (User or Group)

Remove Access Profile creation permissions

To revoke Access Profile creation permissions:

Navigate to Lifecycle Management > Settings.
Click Manage Access Profile Creation Permissions.
In the permissions table, locate the user or group to remove.

Result: The user or group can no longer create new Access Profiles. They retain read-only access to view existing profiles.

Important: Removing a user's Creator permissions prevents them from creating new Access Profiles. However, they retain Owner permissions on profiles they previously created, allowing them to continue editing those specific profiles.

To fully revoke a user's access to Access Profiles, you must remove both:

Test Policies with Dry Run

Safely preview policy changes and validate workflow logic before enabling policies in production

Overview

This guide explains how to use dry run simulations to test Lifecycle Management policies before enabling them in production. Dry run evaluates workflow logic and shows what actions would occur without making actual changes to target systems.

Use dry run testing to:

Disable Workflows and Actions

Temporarily pause specific workflows or actions in a policy without removing configuration

Overview

This guide explains how to disable individual workflows or actions within a Lifecycle Management policy. Disabling allows you to temporarily pause specific parts of a policy without deleting or modifying the underlying configuration.

Use this option when developing workflows to support:

Managing gradual rollouts: Enable actions one at a time to verify each step before activating the next
Troubleshooting issues: Isolate problematic actions without removing configuration
Implementing seasonal policies: Temporarily disable workflows that only apply during certain periods
Workflow Testing: Disable production actions while testing new workflow logic

Disable a workflow

Disabling a workflow prevents it from running during policy execution. All conditions and actions within the workflow are also skipped.

Go to Lifecycle Management > Policies.
Select a policy and click Edit Workflow.
Toggle the workflow's Enabled control to disabled.

The policy editor displays disabled workflows and actions with a "Disabled" tag.

Disable an action

You can also disable specific actions within a workflow without disabling the entire workflow. When you disable an action, any nested conditions and actions under the disabled action are also skipped, but other actions in the workflow continue to run normally.

Open the workflow editor.
Select the action you want to disable.
Toggle the Enabled control in the action settings.

Test disabled workflows with dry run

Disabled workflows are evaluated by default during dry run simulations. This allows you to preview what would happen if you re-enabled a disabled workflow and validate trigger conditions and action configurations before making them active.

When you run a dry run simulation, the results show what actions would run if the workflow were enabled.

Re-enable a workflow or action

To re-enable a disabled workflow or action, toggle the Enabled control back to enabled and save.

LCM-Triggered Access Reviews

Integrate Access Reviews with Lifecycle Management workflows

This guide explains how to create Access Reviews from Lifecycle Management workflows and troubleshoot common issues.

Overview

Use LCM-triggered access reviews to:

Automatically certify access when employees change roles (movers)
Review permissions before offboarding (leavers)
Validate access grants after onboarding (joiners)
Enforce periodic re-certification based on identity attribute changes

The sections below cover configuration options and troubleshooting for reviews created by LCM workflows.

Troubleshoot missing reviews

Common scenarios:

All results filtered: Veza created the review but then deleted it because all rows already appeared in recent in-progress reviews
Entity type mismatch: The policy identity type does not match the access review query, and no identity graph relationship exists to resolve it. Veza displays this error: "No matching node type found for identity type {type}"
Missing workflow configuration: The Access Review workflow is not configured or not linked to the policy

LCM-triggered reviews always run when a workflow executes, but Veza deletes the review if it has no results after filtering.

To verify a review was created and deleted:

Check Veza Events for the review creation and deletion
Review Lifecycle Management event logs for the workflow execution
Note: Deleted LCM-triggered reviews do not appear in the Reviews list (unlike manually-created empty reviews, which do appear)

Understand unchanged result filtering

LCM and Rule-triggered Access Reviews automatically exclude unchanged results. Veza enables this setting by default, and you cannot disable it for these review types.

This behavior:

Applies automatically to all LCM_TRIGGERED and RULE_TRIGGERED reviews
Compares against the last five in-progress reviews by default (configurable by Veza support)
Cannot be changed through the UI or API

If filtering excludes all rows, Veza deletes the review rather than completing it with zero results. Veza does not send notifications for deleted reviews, but the deletion appears in Veza Events.

The first LCM-triggered review for a workflow includes all results since there are no earlier reviews to compare against. Subsequent reviews only show changes.

Resolve entity type mismatches

LCM-triggered access reviews require the policy identity entity type to match the entity type defined in the access review query. Veza resolves this match in the following order:

Direct match in source node types: The policy identity type matches directly
Direct match in destination node types: The policy identity type matches the destination
Linked nodes through the identity graph: Veza follows graph relationships to find a connection (for example, WorkdayWorker → ActiveDirectoryUser

If none of these resolve, the review creation fails with the error: "No matching node type found for identity type {type}".

Fix missing enriched identity columns

When Veza skips enrichment:

Result:

Veza still creates the review successfully
Enriched columns appear but remain empty for affected rows
Veza logs a trace-level warning: "Skipping enriching nodes due to finding multiple linked nodes"

Resolution:

Review your identity mappings to ensure each account maps to a single identity. Ambiguous mappings often indicate data quality issues in source systems (such as duplicate employee records).

Customize review names

Common use case (Movers): When employees change roles, a single workflow run can trigger multiple access reviews. Custom names help reviewers identify which review corresponds to which change.

Transformer syntax:

Use curly braces to reference identity attributes:

Review for {name} → "Review for John Smith"
{department} Access Review - {name} → "Engineering Access Review - John Smith"
{job_title} Certification → "Senior Engineer Certification"

See for the complete transformer syntax reference.

Dry Run verification:

Custom review names appear in Dry Run results, allowing you to verify the name format before the workflow runs in production. This helps catch transformer syntax errors or missing attributes early.

: Complete guide to configuring and managing access certification campaigns
: Creating and configuring certification plans
: Configuring the workflow action settings

Managing Identities

Manage user identities and lifecycle automation in Veza, including synchronization, access profiles, and workflow triggers for joiner, mover, and leaver processes.

Identities

Identities in Veza Lifecycle Management represent a top-level view of an individual user, used to automate provisioning and deprovisioning across systems, applications, or services.

This can include birthright access managed throughout the user's lifecycle, triggered by joiner, mover, or leaver events, as well as ad-hoc, just-in-time access granted upon approval of an access request.

Identities can refer to users who may be employees, contractors, or external collaborators (partners). Additionally, Veza supports lifecycle management for Non-Human Identities (NHI), such as service accounts, though with a simplified action set. See for details on NHI-specific capabilities and limitations.

With Lifecycle Management, workflows defined within policies dictate the users’ onboarding, job-function change, and offboarding processes, ensuring that corresponding identities have precisely the access they need as their roles evolve or their status within the organization changes. Similarly, access granted to identities may also change as just-in-time access requests are fulfilled or revoked.

The Lifecycle Management > Identities page serves as a central hub for viewing identities known to Lifecycle Management and Access Requests, as well as performing actions on individual identities.

Identities are populated into Lifecycle Management by first identifying the entire user population by integrating their source of identity (SOI) and creating a policy that uses that data source, into a Veza tenant. This may require enabling a built-in integration for your identity source (e.g., Workday integration), uploading user data in CSV format (CSV Upload integration), or using a custom OAA connector.

See for detailed information on integrating the source of identity.

For Integration management using APIs, see .

Identity Synchronization

Identities are maintained through synchronization with the identity sources. Syncing identities ensures that all systems reflect the most current user state, whether through onboarding, role changes, or attribute updates, keeping access aligned, consistent, and audit-ready.

The Sync Identities action is used for the automatic synchronization of user identities between an authoritative source (such as an HR system or identity provider) and target systems. In the Lifecycle Management workflow, Sync Identities works alongside other key actions:

Manage Relationships (handling group/role memberships)
Deprovision Identity (removing access when users leave the organization)

Synchronization is executed through Lifecycle Management policy workflows. Policy workflows can be defined with triggers and actions to synchronize changes in your identity source with target systems. Additionally, SCIM (System for Cross-domain Identity Management) or OAA (Open Authorization API) can enable identity sync for a wide range of target applications that don't have a built-in Veza integration, but do expose standard user and group management APIs or support bulk data export.

See for more information on usage.
See for detailed information.

Multi-Value Attribute Management

Active Directory supports appending values to multi-value attributes during Identity Sync actions. This allows you to add new values without replacing existing ones.

For detailed information about appending multi-value attributes, including supported attributes, syntax, and examples, see in the Transformers documentation.

Identities Table

Column

Description

Usage

Note: The display name is not the primary unique identifier, as multiple users may share the same first and surname.

Identity attribute display priority

When an identity has multiple sources (primary and secondary), the Identities table displays attributes based on the active status of each source. The "active" status is determined by the is_active field in each source of identity, which typically represents employment or account status (e.g., an active employee in Workday, an active contractor account in a secondary system).

Display Priority:

Primary Source Status

Secondary Source Status

Displayed Attributes Source

This behavior ensures the table reflects the most current and relevant source of identity information. For example, when an employee terminates (primary source becomes inactive) but remains as an active contractor in a secondary source, their attributes are displayed from the contractor system.

Early Access: Enhanced display prioritization may require Veza support to enable. Contact your Customer Success Manager for scenarios where secondary identities should be displayed when primary identities become inactive.

Filter and Search an Identity

To start, you can use filtering options to locate specific identities or analyze a group of identities based on standard criteria. The following filters are available on the Identities overview:

Search by name: Locate specific individuals using a name-based search
Department filter: View identities by organizational unit
Status filter: Filter by Active or Inactive employment status

Identity Actions

For each identity record, administrators can perform actions through the Actions menu:

View Details: Access identity information, attribute history, and related accounts
Trigger Workflow: Manually initiate a workflow in a policy
Request Access: Launch an Access Request for additional access (requires Veza Access Requests).
See for customizing the Request Access Template.

View User Details

Click on your selected identity to open the Identity Details view.

The following fields in the Identity Details view are populated with the current user's information:

Title: The user’s position title.
Email: The user's email address.
Providers: A list of assigned integrations. When you click a specific provider, the Integration page opens, displaying the provider's detailed information, including its Entity Categories distribution.

Attribute Overrides

When executing a policy where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment, you can override the existing attribute with a different value until the issue is corrected. For more information, see .

Here are some examples of incorrect or slow-to-update attributes:

Employee termination: An employee has been terminated and needs immediate deprovisioning, but the termination status is not yet reflected at the source of identity
Role changes: An employee has immediately changed roles and needs new birthright access, but the role change and the new manager haven't been updated in the source system
Contract extensions: A contractor's end date has been extended, but the extension isn't reflected yet at the source of identity

To create an Override Value, perform the following:

Select an identity by name.
Click Details.
Click Properties in the Details menu.

Performing Actions on an Identity

Click the overflow icon (three dots) to display options for performing actions on the identity. Next, click on the desired action:

Trigger Workflow
Request Access
Show in Graph

Trigger Workflow

The Trigger Workflow option is a convenient way to test a specific user in a policy workflow. For example, you can test a new employee's identity in a joiner workflow to evaluate whether they have sufficient access to perform their duties.

Use the Trigger Workflow option to manually run a workflow for a specific user.

To trigger a workflow with a specific user, perform the following steps:

Select a workflow in the dropdown menu.
Click Trigger to run the workflow.

Request Access for an Identity

Requests Access allows for additional or temporary access grants, particularly when a user’s current access is insufficient for their duties.

Use the Request Access option in the Identity Details view to grant access to a specific user while reviewing their detailed information. You can grant access to the user through the following:

Access Profiles option

A collection of entitlements that are granted as part of the user’s identity lifecycle requirements. Access Profiles can:

Define reusable collections of entitlements across multiple target systems by business roles, departments, or functions
Automate consistent access provisioning
Manage access profile types and their capabilities

See and for more information.

To grant an Access Profile, perform the following:

Click the Access Profile radio button.
The Choose from Access Profile window appears.
Enter a Reason for granting the Access Profile for the user.

App option

An App refers to a target system, where user access is provisioned or deprovisioned as part of the identity lifecycle process.

To grant an App, perform the following:

Click the Access Profile radio button.
The Request Grant Access window appears.
Enter a Reason for granting the App for the user.

Entitlements option

Granting Entitlements to a user provides specific access permissions (roles, permissions, group memberships) required to perform their responsibilities.

Note: By granting Entitlements to a specific user, you pre-fill an Access Request with the appropriate configuration settings and policy.

To grant an Entitlement, perform the following:

Click the Entitlements radio button.
The Request Grant Access window appears.
Enter a Reason for granting the Entitlement for the user.

Show in Graph

Use the Show in Graph option to display a graph that represents all assigned Access Profiles, Apps, and Entitlements, including all associations.

This is a graphical representation of John Smith’s assigned access and entitlements to roles/groups.

Atlassian Cloud

Configuring the Atlassian Cloud integration for Veza Lifecycle Management.

Overview

The Veza integration for Atlassian Cloud enables automated user lifecycle management, with support for user provisioning and deprovisioning, group membership management, and attribute synchronization across Atlassian Cloud Admin, Jira Cloud, Confluence Cloud, and Bitbucket Cloud.

Action Type

Description

Supported

This document includes steps to enable the Atlassian Cloud integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Atlassian Cloud

Prerequisites

Before enabling Lifecycle Management for Atlassian Cloud, ensure you have the necessary access and configuration in place. You'll need administrative access in both Veza and Atlassian Cloud to complete the setup process.

Veza Requirements:

Administrative access to configure integrations
An existing that has completed at least one successful extraction

Atlassian Cloud Requirements:

Administrative access to manage API keys and SCIM configuration
An active SCIM directory configured in your Atlassian Cloud organization
Proper API permissions for both SCIM and Atlassian Cloud Admin APIs

Required Configuration Parameters

The following parameters are required to enable lifecycle management operations:

Parameter

Description

Purpose

The integration automatically extracts the directory ID from your SCIM URL and uses it alongside the organization ID to coordinate user and group operations.

Optional Parameters: If you're also using the integration for discovery operations (viewing Jira projects, Confluence spaces, and Bitbucket repositories in Veza), you'll need product_token and product_user. These parameters are not required for lifecycle management operations and can be omitted if you're only performing user provisioning and group management.

Configuration Steps

Complete the following steps in Veza to enable and configure Lifecycle Management for your Atlassian Cloud integration.

Enable Lifecycle Management:

Navigate to the Integrations overview in Veza
Locate your Atlassian Cloud integration (or create a new one if needed)
Check the box to Enable usage for Lifecycle Management

Configure Data Synchronization:

Configure the extraction schedule to ensure Atlassian Cloud user and group data remains current. Go to Administration > System Settings, then navigate to Pipeline > Extraction Interval. Set your preferred interval for data synchronization, or create a custom override specifically for Atlassian Cloud in the Active Overrides section if you need more frequent updates than your default schedule.

Verify Configuration:

After enabling Lifecycle Management, verify the integration is functioning correctly by navigating to Lifecycle Management > Integrations (or the main Integrations overview). Locate your Atlassian Cloud integration and click its name to view details. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled to check the health status.

Supported Actions

Atlassian Cloud can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

The Sync Identities action creates new user accounts or updates existing ones in Atlassian Cloud. User provisioning occurs through the SCIM directory API, which ensures that email addresses remain unique across your Atlassian organization. When you create or update a user, Veza automatically establishes cross-service connections between the Cloud Admin user account and their corresponding accounts in Jira, Confluence, and Bitbucket.

Supported User Attributes:

Attribute

Required

Type

Description

SCIM Mapping

Notes

The active status is managed automatically during provisioning and deprovisioning operations and is not available as a sync attribute. When you sync user attributes, Veza translates them to the appropriate SCIM fields shown in the table above before sending them to Atlassian's SCIM API.

Manage Relationships

The Manage Relationships action controls group memberships for users across Atlassian Cloud. You can add users to groups or remove them, with changes synchronized across Atlassian Cloud Admin and all associated products (Jira, Confluence, and Bitbucket). All membership changes are tracked automatically for audit purposes, providing visibility into access modifications over time.

Atlassian Cloud groups can control various types of access, including product-level permissions (such as access to specific Jira projects or Confluence spaces), administrative roles within Atlassian Cloud Admin, site-wide permissions and policies, and integration settings with external identity providers. When you modify a user's group memberships through Veza, these changes apply consistently across all products where the group has assigned permissions.

Important: Groups must already exist in both the SCIM directory and Atlassian Cloud Admin before you can assign users to them. The integration does not support creating or deleting groups. See for more details.

Deprovision Identity

The Deprovision Identity action safely removes user access while preserving audit trails for compliance. When you deprovision a user, their account is deactivated through the SCIM API and all group memberships are automatically removed across Atlassian Cloud Admin, Jira, Confluence, and Bitbucket. While the user can no longer access any Atlassian products, their account information and cross-service connection history are preserved to maintain audit trails and historical visibility for compliance reporting.

Delete Identity

The Delete Identity action permanently removes the user account and associated data from Atlassian Cloud. When you delete a user, their account is permanently deleted through the SCIM API, not just deactivated. Unlike deprovisioning, this operation cannot be reversed and should be used with caution only when permanent removal is required.

Current Limitations

The following operations are not supported in the current implementation:

User Logout: Cannot force user logout from Atlassian products
License Management: Cannot remove specific licenses from users
Device Management: Cannot manage or remove personal devices

Group Management Requirements

Managing group memberships in Atlassian Cloud requires coordination between the SCIM directory and Atlassian Cloud Admin.

Key requirements and limitations:

Groups must already exist in both systems: You can only assign users to groups that are present in both the SCIM directory and Atlassian Cloud Admin. The integration does not support creating or deleting groups.
Display name matching: When modifying group memberships, Veza uses display name matching to identify the corresponding group in each system.
Automatic ID mapping: The integration automatically maps the correct SCIM group ID and Atlassian group ID for each operation.

Technical Architecture

The Atlassian Cloud integration uses a dual-API architecture to provide comprehensive lifecycle management capabilities.

User provisioning, deprovisioning, and attribute updates are handled via Atlassian's SCIM API, ensuring email uniqueness and maintaining user account consistency.

Group membership management uses the Atlassian Cloud Admin API, which provides the functionality to add and remove users from groups across all products. ID Mapping and Coordination:

To maintain consistency across systems, the integration performs complex ID mapping between SCIM identifiers and Atlassian identifiers. SCIM User IDs are mapped to Atlassian Account IDs, and SCIM Group IDs are mapped to Atlassian Group IDs. The integration automatically extracts the directory ID from your SCIM URL and uses your organization ID to coordinate these operations. This ensures that changes made through Veza are reflected accurately in both the SCIM directory and across all Atlassian products.

Workflow Examples

Employee Onboarding

Automate the provisioning of new employees into Atlassian Cloud:

Create User Account: New user account is created via SCIM with basic profile information
Assign Base Groups: User is added to organization-wide groups for general access
Product Access: User is granted access to specific products (Jira, Confluence, Bitbucket) based on role

Role Change Management

Handle employee role changes and access updates:

Update User Attributes: User profile information is updated to reflect new role
Remove Previous Access: User is removed from role-specific groups and permissions
Grant New Access: User is added to groups appropriate for their new role

Employee Offboarding

Safely remove access when employees leave:

Deactivate Account: User account is disabled via SCIM
Remove All Groups: User is removed from all groups and permissions
Revoke Product Access: Access is revoked across Jira, Confluence, and Bitbucket

Custom Application with SCIM (OAA)

Enable SCIM-based provisioning for custom applications with Open Authorization API

Overview

Veza can automate user provisioning and de-provisioning for any application that uses the Open Authorization API (OAA) for data gathering and authorization modeling, and exposes SCIM-compliant endpoints for user and group management.

This enables organizations to:

Use your application's existing SCIM endpoints for automated provisioning operations
Model complex authorization structures using OAA's flexible templates (applications, resources, permissions, custom properties) for Access Graph visibility, Access Reviews, and other Veza features.
Gather authorization metadata using a variety of methods (custom connectors, APIs, manual JSON payloads, CSV files)

Supported Actions

Action Type

Supported

Description

Lifecycle Management and Access Requests with Open Authorization API

There are several potential ways to integrate a custom application for automated lifecycle management and access requests:

External SCIM for Open Authorization API: You may build your OAA integration using the custom application template and leverage dedicated SCIM endpoints for user and group management. This is useful when you need full control over how authorization metadata is represented in the Veza Access Graph:
- Your application supports SCIM, and you want to model a wider range of authorization entities and metadata (e.g., credentials, resources) than the Veza SCIM integration supports.
- You already have a custom OAA integration and want to add provisioning capabilities using SCIM.

Aspect

External OAA with SCIM Write-Back

Built-In SCIM Connector

This document describes how to enable External SCIM for an Open Authorization API integration, and supported actions.

How It Works

Data Gathering (OAA):

You will need to design and build a custom integration to publish information about the application to the Veza Access Graph:

The payload can include local users, groups, permissions, resources, and complex authorization relationships
Data can be gathered from any source: APIs, databases, configuration files, etc.

See the rest of the Open Authorization API documentation for examples and best practices when designing and deploying custom integrations.

Lifecycle Management (SCIM):

You can enable the SCIM connection at the custom provider level:

Setting provisioning: true and external_lifecycle_management_type: SCIM for the custom provider enables Veza to use your application's SCIM endpoints for provisioning
Provide SCIM connection information and credentials (configuration_json)

Important: When configuring a custom application for SCIM integration, the OAA payload structure (Application template) and SCIM configuration serve different purposes:

The OAA Payload (push_application() or API push) defines local users, groups, permissions, and resources used for visibility and authorization modeling in Veza, and can be updated independently.
The SCIM Configuration (configuration_json) for the custom provider defines how to connect to SCIM endpoints (including authentication, URL, and endpoint paths), and is used only for lifecycle management and access request operations.

Both must be consistent (describe and contain the same users and groups), but are configured separately.

Required SCIM 2.0 Endpoints

Your application must expose SCIM 2.0 compliant endpoints with the following operations:

User Management:

GET /Users - List and filter users
GET /Users?filter=userName eq "{username}" - Query users by userName
POST /Users - Create new users

Group Management:

GET /Groups - List groups
GET /Groups/{id} - Retrieve specific group by ID
POST /Groups - Create new groups

Note: If the Users and Groups APIs are not at the standard /Users and /Groups paths, you can specify alternate endpoint paths in the configuration.

Authentication

Your SCIM API must support one of the following authentication methods:

Bearer Token: API token passed in Authorization: Bearer {token} header
Basic HTTP Authentication: Username and password passed in Authorization: Basic {credentials} header

The authentication credentials must have both read and write permissions to the SCIM endpoints.

Optional: Extension Attributes

To synchronize custom attributes beyond the standard SCIM user schema:

Expose a GET /Schemas endpoint that returns SCIM schema definitions
Enable schema fetching in your configuration (see Configuration section)

Configuration

External SCIM for Lifecycle Management is configured via the Veza REST API.

Create Custom Provider with External SCIM

Create a Custom Provider that uses external SCIM endpoints specifically for lifecycle management:

Required Fields

Field

Required

Description

Configuration JSON Parameters

The configuration_json field contains SCIM endpoint connection details used only for provisioning operations. It does not affect your OAA payload structure.

Configuration Key

Required

Description

Example Value

* One of scim_token or the username/password pair is required for authentication.

Example Configuration with Bearer Token:

Example Configuration with Basic Authentication:

Push OAA Payload

Push the OAA Application Payload as normal. See the for details.

Entity Types and Identity Mapping

Veza creates entities in Access Graph based on the OAA payload, which can be targeted in lifecycle management operations:

local_users in your Application template → Users to provision via SCIM
local_groups in your Application template → Groups to manage via SCIM

Entity types are named according to the following pattern:

User Entity Type: OAA.{application_type}.User
Group Entity Type: OAA.{application_type}.Group

Where {application_type} is the value you specify in your OAA Application template when building the payload. For example, if the application is defined:

The resulting entity types are:

OAA.CustomerPortal.User
OAA.CustomerPortal.Group

Attribute Synchronization

Mapping OAA to SCIM

When Veza provisions users via SCIM, transformers can map attributes from your policy source of identity to SCIM properties:

Veza Attribute (in Policy)

SCIM Property

Type

Required

Description

Extension Attributes

If the SCIM service exposes a /Schemas endpoint and you enable scim_extension_schemas: true, Veza can synchronize custom extension attributes beyond the standard SCIM user schema. Extension attributes are mapped using the schema URN as defined by your SCIM implementation.

Provisioning Operations

The following SCIM operations are performed when Lifecycle Management actions execute:

Sync Identities (Create User)

Create a new user in the target application.

SCIM Operation:

The SCIM endpoint creates the user and returns the user object with an assigned id.

Sync Identities (Update User)

Updates an existing user's attributes (one-time or continuously).

SCIM Operations:

Query for existing user:
Update the user:

De-provision Identity

Remove access when a user leaves the organization or changes roles. The user account is deactivated, but data is preserved.

SCIM Operation:

Deprovision sets active=false, which disables login but preserves the user record.

Delete Identity

Permanently remove a user account.

SCIM Operation:

Manage Relationships (Add User to Group)

Grant a user access via group membership.

SCIM Operations:

Retrieve group details:
Add user to group:

Manage Relationships (Remove User from Group)

Revoke a user's access by removing group membership.

SCIM Operation:

Create Entitlement (Create Group)

Creates a new group so that it can be granted as an entitlement.

SCIM Operation:

Policies

Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings

Overview

Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate. This might include hiring a new employee, terminating an existing employee, transferring an existing employee to another department, or other actions triggered by changes in status.

A policy can contain one or more workflows that run under different conditions. For example, one workflow might be applied when employees enter an "Active" state (for Joiner/Rehire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also be triggered when an employee's hire date falls within a certain threshold, such as being less than 4 days away, or when it is related to any other employee property within the source of identity.

For most enterprise deployments, Veza recommends:

One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
- One for active users to cover Joiner and/or Mover scenarios (including Re-hire)

Add a Lifecycle Management Policy

To create a policy for a source of identity:

Go to Policies.
Click Create Policy.
Enter a policy name and description.

Simulation Dry Run on Policy

The Dry Run allows you to simulate and preview how a Policy would process an identity, without making actual changes to target systems. This testing tool helps you validate workflow conditions, preview potential changes, and understand what actions would be triggered for specific identities.

How Dry Run Works

The Dry Run evaluates workflow logic but does not interact with target integrations. Verify integration health to ensure target systems are accessible before running actual policies. Dry Run takes a policy and an identity to simulate:

The workflows triggered
All actions that would run
What Access Profiles would be assigned
Any potential changes to entities and attributes

You can test how policies would respond to identity attribute changes for different scenarios during a Dry Run simulation without impacting the actual identity attribute values.

Starting a Dry Run

You can initiate a Dry Run in two ways:

From a Lifecycle Management Policy

When editing a policy, open the Dry Run tool to preview changes for any identity:

Go to Policies.
Click a policy to view its details.
Click Dry Run Policy at the top right.

From Identity Details

You can start a Dry Run when viewing details for any account on the Identities page:

Go to Identities.
Search for an identity and click to view its details.
Expand the Actions menu at the top right and click Policy Dry Run.

Dry Run Notes:

Result: 0 Changes

When a dry run returns "0 changes", it means:

The selected identity does not meet any of the trigger conditions defined in your policy's workflows
No actions would be executed for this identity when the policy runs
This is not an error - it simply means the identity doesn't qualify for any of the configured workflows

Limitations

Dry Run has several important limitations:

Dry Run evaluates whether workflow conditions are met, not whether actions would succeed
It does not check whether integrations are functioning properly and whether target systems are accessible
It does not validate that changes could be successfully applied

Dry Run does not test integration connectivity. Issues like API timeouts, authentication failures, or LDAP attribute mapping errors will not be detected during simulation.

Best Practices

Use Dry Run to validate that policies and their workflows are working as intended before enabling them in a live environment.

Test with Representative Identities: Select identities that represent different scenarios (new hires, role changes, terminations) to validate all workflows in your policy.
Simulate Different Scenarios: Modify identity attributes during Dry Run to test trigger conditions such as:
- Department changes

Handling long names or names with special characters
Department and location change at once
Same-day rehire after termination

Policy Version

Policies can be version-controlled, allowing for a method to refine and test changes in your automation workflows. You can create draft versions to test changes and validate updates before deployment while maintaining a history of previous configurations. Each policy can have only one active version and one draft version at a time, with automatic archival of retired versions.

Policy State vs Workflow Versioning State

Policies have a current state that is based on their workflow operations.

The Policy state includes:

Initial - Initially created before the first workflow version is published
Running - Actively processing with one or more workflows
Paused - Temporarily disabled

Note: In the Policies page, click on the Action overflow icon (three dots) to Start the policy in the Initial state, and Pause or Unpause at the Running state.

The Workflow Version state includes:

Draft - In draft mode for editing and modification
Published - Functional and active
Retired - No longer active or usable

Policy Draft Mode

The Policy Draft Mode is a state where a policy is saved but not yet active. In Policy Draft Mode, you can create, edit, and test policy configurations (such as workflows, actions, or mappings) without affecting real users, identities, or access profiles. Once you are satisfied, you can publish the policy, which moves it from the work-in-progress state to an operational state.

To enable the Policy Draft Mode, perform the following:

On the Lifecycle Management Dashboard page, click Settings in the top menu.
The Lifecycle Management Settings page appears. Click Policy Settings.
Switch ON the Enable Policy Draft Mode button.

Test Policy Workflows using Draft Versioning

You can test and refine your policy workflows to ensure that it is working as expected through a series of draft versions with Dry Run simulations. Once the workflow’s result is satisfactory, publishing the version will change the policy status to ‘active’.

Perform the following steps to test your policy workflow:

Create and save a new policy.
Create a new workflow and Save.
After creating a new workflow, click Publish.

Published Policy

A published policy is activated and deployed with the following characteristics:

Enforces the defined rules in your environments, including:
- Creating, modifying, or removing user access.
- Synchronizing identity attributes.

Enabling and Monitoring Lifecycle Management Policies

Use the Policies page for an overview of initial, running, and paused policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.

Publishing or updating a policy does not automatically trigger an extraction. To apply policy changes immediately, manually trigger an extraction from the Integrations page.

To manage policies on the main Policies overview:

Go to Lifecycle Management > Policies
Find the policy you want to manage
- Search for a specific policy by name

Add Workflows to Policies

Policies contain one or more workflows. Typically, workflows correspond to Active and Inactive user states, but not always. More specifically, workflows define a sequence of actions to run when a condition is met, based on events and identity changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, internal employee mobility changes (e.g., promotions, transfers, new managers), or employee departures.

Workflows comprise a tree-like sequence of conditions designed to meet the specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.

Example Workflows

The following diagrams illustrate typical joiner and leaver workflow implementations, showing how identity changes in your HR system trigger coordinated provisioning and de-provisioning actions across multiple target applications.

Joiner Workflow

When a new employee is created in Workday, Veza automatically provisions accounts and assigns appropriate access across connected systems based on the employee's role and attributes.

Leaver Workflow

When an employee's status changes to inactive or terminated in Workday, Veza automatically de-provisions accounts and removes access to protect your organization's security posture.

Workflows and Trigger Conditions

Trigger Conditions refer to rules or filters that initiate (or delay) provisioning and deprovisioning workflows based on certain events, criteria within identity data sources, or lifecycle workflows. Trigger conditions use SCIM filter syntax to evaluate whether an identity matches specific criteria.

See for SCIM filter syntax and available operators, or for a comparison with transformer syntax.

Trigger conditions are often tied to HR events, such as employee hiring (joiner), role changes (mover), or termination (leaver). For instance, provisioning flows can be triggered when an employee is hired or deprovisioned when terminated.
Trigger Conditions can be time-based, such as "create the Active Directory account 15 days prior to a new employee's start date".
Advanced implementations also support relationship-based triggers (e.g., launching workflows when a worker is added to a specific department).

Create a Workflow

To add a workflow, perform the following:

Select a policy.
Click Create Workflow.
In Details, enter the workflow name and description.

Not set
Low
Normal
Medium

The levels dictate the order/priority in which the workflows are run. The higher-priority setting will be processed first. A fairness algorithm is built in to prevent lower-priority workflow tasks from being starved.

In the New Workflow pane, click trigger attribute. The Edit Workflow pane appears.
In the Triggering Condition (Condition String) field, select a conditional string from the dropdown menu to create a logical syntax that automatically starts the workflow. Once a condition has been set, another conditional string can follow, or an action can be taken.
In the Options section, select one of the following:

Note: All workflow errors must be resolved before it can be saved.

Clone or Delete a Workflow

Once an LCM Policy workflow is saved, the clone and delete options appear alongside the workflow name:

Click on the copy icon to clone the workflow.
Click on the trash bin icon to delete the workflow.

Create a Transformer

A transformer is a rule or function that takes incoming identity or attribute data and modifies it into the format or value that the target system requires.

They’re used when the data source system and target system represent or store information differently. For example, transformers can:

Converting a username from “First.Last” format into all lowercase.
Mapping a department value like “HR” in the source to “Human_Resources” in the target.
Adding a prefix or suffix to attributes (e.g., appending a domain name to create an email).

Transformers act as data processors inside a policy, ensuring that the right values are sent when provisioning, updating, or deprovisioning identities and entitlements.

To add a transformer, perform the following:

Select a policy.
Click Transformers.
Click Add Transformer.

See for available transformation functions.

Create a Lookup Table

Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.

This example is a location mapping table, which is a typical format for a Lookup Table:

Once a Lookup Table has been uploaded, it can be processed with the Lookup Transformers. The Lookup transformers convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.

Use Lookup Table Transformers to:

Map source attribute values to different values in target systems
Standardized reference data that must be consistent across applications
Extract different pieces of information from a single attribute value

See for detailed information.

To add a Lookup Table, perform the following:

Select a policy.
Click Lookup Table.
Click Add Lookup Table.

Create Properties

Properties are the attributes that describe identities, accounts, and entitlements. They serve as the data points a policy can use to determine when and how to take action. Properties can come from:

Built-in properties – default attributes that LCM provides out-of-the-box (for example: username, email, status, created_at).
Custom properties – attributes defined by your organization to capture unique metadata (for example: cost_center, employee_type, manager_id).

Use Properties to:

Properties are referenced in policy conditions (e.g., disable account if status = inactive).
Help with transformers and lookup tables, allowing you to map or reformat values.
Used in identity overrides when syncing accounts from different providers.

To add Properties, perform the following:

Select a policy.
Click Properties.
The Mover Properties appear. Click Edit Properties.

Create Password Complexity Rules

Password Complexity Rules in a policy ensure that generated passwords adhere to standardized criteria according to defined password policies across automated provisioning workflows. You can define reusable password complexity rules to enforce requirements for password length, mandatory character types (uppercase letters, lowercase letters, numbers, and special characters), and restricted characters when generating random passwords. These rules are available for selection in Sync Identities, Deprovision Identity, and Reset Password actions when working with integrations that support complex password requirements.

To add Password Complexity Rules, perform the following:

Select a policy.
Click Password Complexity Rules.
Click Create Password Complexity Rule.

Create Transformer Functions

Custom Transformer Functions allow you to programmatically modify or enrich identity attributes as they are synced from identity sources to target systems. These transformations ensure that data formats align across systems and support more dynamic provisioning logic. Such transformers can:

Convert dates into required formats or perform date-based calculations (e.g., adding days to a hire date).
Normalize or transform string values (e.g., case conversion, trimming, substrings).
Apply conditional logic via functions directly within provisioning rules.

To add Transformer Functions, perform the following:

Select a policy.
Click Transformer Functions.
Click Create Custom Transformer Function.

Policy Settings

The Policy Settings page provides information about a specific policy and allows for additional configuration, including:

Modify the primary identity source
Define an additional data source to the primary identity source
Configure email notifications or a webhook for action-related events

Making changes in the Policy Settings page will impact all versions (Draft, Published, and Retired) of the policy.

**Policy JSON Viewer**: When enabled, a "Show Raw JSON" button appears in policy header actions to export complete policy configurations for debugging and technical support. See [LCM FAQ](lcm-faq.md) for details.

Details

The Details pane displays the Policy Name and Description fields. These fields are editable for name change or description refinement, if required.

Primary Identity Source

The Primary Identity Source pane displays the integration name of the data source. The Integration field displays all available data sources, where you can add or remove, if required.

You can add multiple Primary Identity Sources if they are the same type of integration. If a different type of integration is required, use the Additional Identity Source.

A Primary Identity Source is the authoritative system that serves as the source of truth for user identities (e.g., HR system, Active Directory, identity provider like Okta/Entra ID). Typically, one type of source of identity is associated with one integration.

The role of the Primary Identity Source includes:

Acts as the authoritative record for user information (emails, roles, statuses).
Lifecycle rules such as provisioning, updates, or deprovisioning are typically triggered based on changes detected in this data source.
Ensures consistency and accuracy across target systems where access is granted or revoked.

Additional Identity Sources

As an option, the Additional Identity Sources pane is typically used to add a different type of integration from the Primary Identity Source, which requires that the additional data source be already configured into Lifecycle Management. You can also correlate primary attributes and additional attributes to be associated with the data source. The added data source will sync for authentication, user updates, or provisioning.

To add an Additional Identity Source, perform the following:

Click Add Source.
In the Select Identity Source field, select a data source. Note: If you enable the 'These types are not related' option, then you cannot correlate any attributes.
In the Correlating Attributes pane, select a Primary Attribute from the dropdown menu.

Notifications

When events occur during the execution of a policy’s workflow, notifications can be triggered upon execution of actions in workflows as a means to inform stakeholders or integrate with external systems. These notifications can be optionally configured as their own discrete action in a workflow or as an option when another action is executed. Lifecycle Management supports email- and webhook-based notifications.

For example, an organization might configure its Active Employee policy to send an email to the manager of each new hire after the employee's email address is provisioned. Additionally, a webhook will be sent to the company's learning management system to initiate online onboarding training once each new hire's Okta account is provisioned, following a successful Sync Identity operation.

Use the Notifications to add and manage notifications:

In the Notifications pane, click Add Notification.
Choose the notification type (Email or Webhook).
Choose the event to trigger notifications:

See for customizing email notifications.

Advanced Settings

Identity Syncing Option

Identity Syncing at the policy level defines how identities from the authoritative source are synchronized into the target system, including provisioning user accounts or updating existing identities.

The Identity Syncing option controls the behavior of the Sync Identities Actions in a policy workflow, which has Continuous Sync functionality enabled.

Select either:

Sync on changes only - to skip identity syncing when no data source changes are detected
Always sync - to sync, no matter if changes are detected or not

Safety Limits

Safety Limits prevent unintended mass changes to identities by enforcing configurable thresholds. Two independent mechanisms are available and can be used together for layered protection:

Hard Limit

The Hard Limit (formerly "Safety Limit") is a reactive mechanism that stops processing during execution once the configured number of identity changes has been reached. When the limit is triggered, no further identity changes are processed for the current policy run.

To configure a Hard Limit:

Enable the Hard Limit toggle.
Set the Maximum Number of Affected Identities to define the threshold.

Predictive Safety Limit

The Predictive Safety Limit is a proactive mechanism that blocks all changes before execution begins if the system predicts the number of workflow runs will exceed configured thresholds. This prevents unintended mass processing of identities when upstream attribute changes in a Source of Identity would trigger unnecessary Joiner, Mover, or Leaver workflows.

To configure a Predictive Safety Limit:

Enable the Predictive Safety Limit toggle.
Set the Maximum Number of Workflow Runs to define the threshold.

Workflow-Level Limits

Safety limits can be configured at both the policy level and individual workflow level for granular control. When configured at the workflow level, each workflow enforces its own thresholds independently, enabling different limits for Joiner, Mover, and Leaver workflows within the same policy.

Blocked Tasks

When a Predictive Safety Limit triggers, no changes are processed. A warning appears on the Blocked Tasks page with options to:

Review what would have changed
Run the blocked tasks (manually approve execution)
Abandon the blocked tasks (discard without executing)

Processing of future extractions is paused until the administrator acknowledges the warning and resumes processing. New activity log event types PREDICTED_SAFETY_LIMIT_EXCEEDED and WORKFLOW_PREDICTED_SAFETY_LIMIT_EXCEEDED are recorded when predictive limits trigger.

Active Directory

Configuring the Active Directory integration for Veza Lifecycle Management

Overview

The Veza integration for Active Directory enables automated user lifecycle management, including user provisioning and deprovisioning, group membership management, and attribute synchronization.

Action Type

Description

AD Users

AD Managed Service Accounts

Non-Human Identity (NHI) Support: Active Directory Managed Service Accounts support a simplified action set designed for service account lifecycle needs. See below for details.

This document includes steps to enable the Active Directory integration for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for Active Directory

Prerequisites

You will need administrative access in Veza to configure the integration.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your Active Directory integration has completed at least one successful extraction.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create an Active Directory integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Active Directory data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Active Directory in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

1. Create a Service Account

Create a dedicated AD user with the minimum required permissions:

Using Active Directory Users and Computers:

Open Active Directory Users and Computers
Navigate to the target Organizational Unit
Right-click > New > User

Using PowerShell:

2. Configure Required Permissions

Grant the service account permissions to manage users in the target OUs:

Using Active Directory Users and Computers:

Navigate to the target Organizational Unit
Right-click > Delegate Control
Click Add and enter the service account name

Using PowerShell:

3. Configure the Integration in Veza

Navigate to Configurations > Integrations
Either:
- Create a new Active Directory integration

The AD user created for lifecycle management can be the same as the primary AD user created for extraction, provided that the user has all the required permissions listed above.

Supported Actions

Active Directory can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from Active Directory, with changes propagated to connected systems.

Active Directory can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management :

Sync Identities

Synchronizes identity attributes between systems, with options to:

Create new identities if they don't exist
Update attributes of existing identities
Enable continuous sync to keep attributes aligned with the source of truth

Unique Identifiers

Active Directory uses composite unique identifiers to locate users. Only one unique identifier can be specified per action:

account_name (sAMAccountName) - Default unique identifier
distinguished_name - Full LDAP path (e.g., CN=John Doe,OU=Users,DC=company,DC=com)
user_principal_name - Login format (e.g., [email protected])

The following attributes can be synchronized:

Active Directory User Attributes

Property

Required

Type

Description

Notes

Controlling account state with user_account_control

The user_account_control attribute controls the account state during identity synchronization, enabling scenarios like creating pre-staged disabled accounts or setting custom account flags.

Supported flags:

Flag Name

Description

Combine multiple flags with commas. For example, NORMAL_ACCOUNT,ACCOUNTDISABLE creates a disabled account (equivalent to integer value 514).

Input format requirements:

Use flag names only: Enter the exact flag names shown above (e.g., NORMAL_ACCOUNT). Integer values like 512 or 514

Common combinations:

Flags

Equivalent Integer

Use Case

If user_account_control is not specified in your transformer, the default value (512) is used and accounts are created in an enabled state.

Example use cases:

Pre-staged accounts: Create accounts in a disabled state before an employee's start date, then enable them via a separate workflow when the start date arrives
Approval workflows: Create disabled accounts that require manager approval before activation
Service accounts: Set specific flags like "password never expires" for service accounts

Updating existing accounts: The user_account_control attribute can also update existing users, not just new accounts. To enable a previously disabled account, sync user_account_control with NORMAL_ACCOUNT only (omitting ACCOUNTDISABLE). This is useful for workflows that activate pre-staged accounts on an employee's start date.

Graph visibility: Disabled users (accounts with ACCOUNTDISABLE flag set, such as value 514) are filtered out during Active Directory extraction and will not appear in the Veza graph. This is expected behavior—once the account is enabled, it will appear in the graph after the next extraction.

For a complete list of userAccountControl flag values and their meanings, see .

Password policy for new identities

When creating new Active Directory users through Sync Identities, you can configure a password policy to control the initial password and enforce a password change on first login.

Password policy options:

Enforce password change on login: When enabled, the newly created AD account requires the user to change their password at next logon. Veza sets the AD pwdLastSet attribute to 0, which is the standard Active Directory mechanism for forcing a password change.
Password complexity: Configure generated password requirements including minimum length, required character types (uppercase, lowercase, numbers, special characters), and disallowed characters. See for details.

When Sync Identities creates a new user with a password policy configured:

A random password is generated following the configured complexity rules
The password is set on the new AD user account
If "Enforce password change on login" is enabled, the account is flagged to require a password change at next logon

Sending the temporary password: To deliver the generated password to the appropriate recipient, configure an for the LIFECYCLE_MANAGEMENT_CHANGE_PASSWORD event on the Sync Identities action. The default email template includes the {{LOGIN_PASSWORD}} placeholder, which is replaced with the generated password. You can customize the notification template and recipients in the action's event notification settings.

The generated password is included in the notification email in plain text. Ensure that notification recipients are configured appropriately, and that "Enforce password change on login" is enabled so the temporary password is short-lived.

Manage Relationships

Controls relationships between users and Active Directory groups:

Entity Types: Active Directory Groups
Assignee Types: Active Directory Users
Supports Removing Relationships: Yes

Both adding and removing group memberships are supported. Group memberships can be managed individually or removed in bulk during deprovisioning.

Deprovision Identity

When a user is deprovisioned in Active Directory:

Entity Type: Active Directory User
Method: Account Disabled (sets userAccountControl flags to NORMAL_ACCOUNT,ACCOUNTDISABLE)
Remove All Relationships: Yes (optional - group memberships can be removed)

What is preserved:

User account structure (not deleted)
All user attributes (name, email, title, etc.)

The following unique identifiers can be used to locate the user:

Unique Identifiers for Deprovision

Property

Type

Description

Notes

Create Entitlement

Creates new Active Directory groups:

Entity Type: Active Directory Group
Required Attributes: name
Optional Attributes: description, group_type, is_security_group, member_of, account_name, organizational_unit_dn

Group Creation Attributes

Property

Required

Type

Description

Notes

Reset Password

Resets a user's password in Active Directory:

Entity Type: Active Directory User
Idempotent: No (generates a new password with each execution)
Password Options:

The Reset Password action is non-idempotent. Each execution generates a new password, even if the action is run multiple times.

Password Complexity Options:

Length: Configurable minimum password length
Character Types: Uppercase, lowercase, numbers, special characters
Disallowed Characters: Specify characters to exclude from generated passwords

The following unique identifiers can be used to locate the user:

Unique Identifiers for Password Reset

Property

Type

Description

Notes

Delete Identity

Permanently removes a user from Active Directory:

Entity Type: Active Directory User
Method: Permanent deletion (DROP USER equivalent)
Warning: This action cannot be undone

Delete Identity permanently removes the user account from Active Directory. Use Deprovision Identity instead if you need to preserve the account for audit or potential reactivation.

The following unique identifiers can be used to locate the user:

Unique Identifiers for Delete Identity

Property

Type

Description

Notes

Example Workflows

Employee Onboarding

Automate user creation and group assignment when a new employee joins:

Create a Lifecycle Management policy with your HR system as the source of identity
Configure a workflow triggered when a new identity is detected
Add a Sync Identities action to create the AD user:

Role Change

Update access when an employee changes roles:

Create a policy with your HR system as the source of identity
Configure a workflow triggered when attributes change (department, title, or manager)
Add a Sync Identities action to update user attributes

Employee Offboarding

Disable access when an employee leaves:

Create a policy with your HR system as the source of identity
Configure a workflow triggered when termination date is set or employee status changes
Add a Deprovision Identity action:

Managed Service Accounts

Active Directory Lifecycle Management supports Managed Service Accounts (MSAs) for Non-Human Identity (NHI) provisioning. MSAs have a simplified action set compared to user accounts, reflecting the different lifecycle needs of service accounts.

Current NHI Support: Veza's Managed Service Account provisioning currently supports identity creation, attribute synchronization, and deletion. Group membership management and staged deprovisioning are not yet available for MSA entity types.

Supported Actions for MSAs

Action

Supported

Notes

MSA Attributes

Managed Service Accounts support a limited attribute set compared to user accounts:

Property

Required

Type

Description

Example: Service Account Lifecycle

Automate service account creation and removal:

Create a Lifecycle Management policy with your CMDB or service catalog as the source of identity
Configure a workflow triggered when a new service is registered
Add a Sync Identities action to create the MSA:

Unlike user accounts, Managed Service Accounts do not support the Deprovision Identity action. When an MSA is no longer needed, use Delete Identity to permanently remove it. Plan your MSA lifecycle accordingly.

For more information about NHI governance beyond provisioning, see .

Conditions and Actions

Configure the conditions and actions that execute when workflows run.

When creating Lifecycle Management Policies, you can configure workflows that define actions to execute during different employment lifecycle scenarios, such as when an employee is onboarded, changes function or role, or is withdrawn from the organization. Actions can be executed in sequence based on specific conditions, enabling you to automate onboarding and offboarding actions within Lifecycle Management, across systems in your environment.

Understanding Policies, Workflows, and Actions

Policies and workflows define how Veza automates identity management tasks across your environment by describing conditional actions to execute for different employee populations.

Policies

Define the overall automation framework for managing identities throughout their lifecycle
Specify which source of identity triggers the automation
Can contain multiple workflows to handle different scenarios (joiner, mover, leaver)

Workflows

Define specific sequences of actions that execute based on trigger conditions
Handle different lifecycle scenarios (e.g., new hire onboarding, role changes, terminations)
Support conditional execution based on user attributes (department, location, role, etc.)

Conditions

Define when specific actions should occur within a workflow
Can be based on any attribute from the source of identity
Support SCIM filter expressions for precise targeting

Example Conditions for Lifecycle Management Actions:
Add to engineering groups based on department: department eq "Engineering"
Grant manager access based on role: is_manager eq true

Actions

Represent specific tasks such as creating users, syncing attributes, or managing access
Types of actions include:
- SYNC_IDENTITIES: Create/update user accounts

Example Conditions and Actions: Provisioning to Active Directory

The following workflow configuration for a Lifecycle Management Policy enables provisioning actions for Active Directory users when workers are added in Workday:

Create an Active Directory user, synchronizing attributes with the source Workday Worker
Create email addresses for new employees in Exchange Server
Update the Workday Worker and AD User records to include the new email

Sync Active Directory Accounts for Active Employees (Joiners/Movers)

When provisioning users, Veza synchronizes attributes for active employees and creates them during AD User provisioning. These attributes can be transformed from attributes in the source of identity (Workday):

Active Directory Attribute

Source Attributes

Transformer Value

Sync Active Directory Attributes for Withdrawn Employees (Leavers)

To de-provision users, Veza moves accounts to a terminated users group and adds them to an OU for terminated employees:

Active Directory Attribute

Source Attributes

Transformer Value

Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization
Updating the distinguished_name to place leavers in a specific organizational unit (OU) like "Evergreen Termination" separates active users from inactive ones and enables the application of policies, scripts, and queries that target inactive users without affecting active employees

Action Types

Action Hierarchy Requirement: The Sync Identities action is the only action type that can be declared at the root condition level. All other actions must be defined within sub-conditions after establishing a root condition with Sync Identities. The UI enforces this hierarchy.

Quick Reference

Action

Use When You Need To...

Sync Identities

Synchronizes identity attributes between systems, with options to:

Create new identities if they don't exist
Update attributes of existing identities
Enable continuous sync to keep attributes aligned with the source of truth

Example Use Cases:

Create new user accounts in target systems when employees join
Update user attributes when information changes in HR systems
Ensure consistent user information across multiple platforms

Setting

Description

Manage Relationships

Controls entitlements such as group memberships and role assignments for identities.

Example Use Cases:

Add users to appropriate security groups, roles, permission sets, or other access-grant entities
Remove users from groups during role changes
Update entitlements when employees move between departments

Setting

Description

Create Email

Integrates with an email provider to create email addresses for identities. This action is often used in combination with other actions in new hire and temp-to-hire workflows.

Example Use Cases:

Create corporate email accounts for new employees
Establish shared mailboxes for teams or projects

Setting

Description

Deprovision Identity

Safely removes or disables access for identities when they withdraw from the organization.

Example Use Cases:

Disable accounts when employees or contractors leave
Revoke access while maintaining audit records
Transition resources when owners depart

Note for Non-Human Identities: DEPROVISION_IDENTITY is not supported for NHI entity types such as Managed Service Accounts. Use instead to remove NHI accounts.

Setting

Description

Delete Identity

Permanently removes user accounts from target systems. Unlike the DEPROVISION_IDENTITY action which disables or suspends accounts while preserving audit records, DELETE_IDENTITY performs complete account removal.

Warning: DELETE_IDENTITY permanently removes accounts from target systems. Deleted data is typically unrecoverable. Consider using DEPROVISION_IDENTITY instead if you need to preserve audit trails or may need to reactivate accounts in the future.

Example Use Cases:

Database user cleanup after employee offboarding
Compliance with data deletion policies (e.g., GDPR right to be forgotten)
Removing test or temporary accounts

Non-Human Identity (NHI) Lifecycle: For service accounts and other NHI entity types, DELETE_IDENTITY is the primary decommissioning action since DEPROVISION_IDENTITY is not supported. See for details.

Setting

Description

Supported Integrations:

Active Directory (Users and Managed Service Accounts)
Okta
PostgreSQL
MySQL

Custom Action

Executes integration-specific operations that extend beyond standard Lifecycle Management action types. CUSTOM_ACTION enables integrations to define specialized operations with flexible attribute schemas tailored to their unique capabilities.

CUSTOM_ACTION currently supports ServiceNow only. For generic HTTP requests to external APIs, use the action instead.

Example Use Cases:

Insert records into ServiceNow tables when employees join or change roles
Create ServiceNow incidents or requests as part of onboarding workflows
Update ServiceNow CMDB records during employee lifecycle events

Setting

Description

Custom Actions are non-idempotent. Each execution creates a new record. Running the same action multiple times will create duplicate records.

Supported Integrations:

Integration

Custom Action Capability

Documentation

For detailed configuration examples including incident creation and audit logging, see .

Write Back Email

Updates HRIS or other systems with email addresses created in other actions.

Example Use Cases:

Update employee records with newly created email addresses
Sync email information back to master HR systems
Ensure consistent email records across all platforms

Setting

Description

Pause

Introduces a deliberate delay in the workflow execution.

Example Use Cases:

Allow time for system propagation between actions
Implement rate limiting in multi-step workflows
Coordinate timing with external processes

Setting

Description

Send REST Request

Makes HTTP requests to external APIs and services as part of provisioning workflows. This action enables integration with custom applications, webhooks, and REST-based services that support identity management operations.

Early Access: This feature is in Early Access and may require Veza support to enable. Contact your Customer Success Manager for availability.

Example Use Cases:

Notify external systems when users are created or updated in target systems
Trigger custom provisioning workflows in third-party applications
Send identity data to SCIM endpoints for user synchronization

Setting

Description

Variable Substitution:

Both the webhook URL and JSON payload support attribute transformation using curly brace syntax. Identity attributes from the source system can be dynamically inserted into requests:

Available transformations include UPPER, LOWER, TRIM, and accessing nested attributes with dot notation, such as {Manager.email}. See for complete transformation syntax.

Note: If any placeholder in the URL or payload cannot be resolved (e.g., due to missing attributes), the entire transformation is skipped and the original URL is used without any substitution. The system logs a warning for troubleshooting. Ensure all referenced attributes exist in the source of identity to enable proper variable substitution.

Response Handling:

When "Add Response to Output Entities" is enabled, the action parses JSON responses and extracts specified entity data. This enables chaining actions where one API call creates a resource and returns an identifier that subsequent actions can reference.

For example, if a user creation API returns:

Configure the action with:

Response Entity Attribute: result
Response ID Attribute: user_id
Response Name Attribute: display_name

The extracted entity becomes available to downstream workflow actions.

HTTP Method Guidelines:

GET: Query operations, typically without payload; use for checking resource state or retrieving data. Does not set workflow change flags
POST: Create new resources; requires JSON payload; sets both AnyCreated and AnyChanges flags that can trigger downstream actions with "Only Send if Any Upstream Changes" enabled

Workflow Integration: The AnyCreated and AnyChanges flags enable conditional workflow execution. Actions configured with "Only Send if Any Upstream Changes" will only execute when a previous action has set these flags, allowing you to build sophisticated conditional workflows (e.g., only send a notification webhook if a user was actually created, not just updated).

Authentication Patterns:

The authorization header supports common authentication methods:

No Authentication: Leave the authorization header empty when connecting to endpoints that don't require credentials, such as internal services or pre-authenticated URLs
Bearer Token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
API Key: X-API-Key: secret-key-123 or

The "No Auth" option is useful for internal microservices, pre-authenticated webhook URLs, or endpoints behind a VPN that handle authentication at the network level.

Limitations:

Only JSON payloads are supported (no XML, form-data, or other formats)
Authentication must be header-based (OAuth flows requiring user interaction are not supported)
Response parsing requires valid JSON if "Add Response to Output Entities" is enabled

Example: Suspend Okta users via REST API

The Send REST Request action can call Okta lifecycle APIs to suspend users, enabling workflows that handle leave of absence (LOA) scenarios before native Suspend action support is available.

Configuration:

Setting

Value

Send Notification

Triggers email notifications and webhooks based on lifecycle events and action success or failure. Notifications can be added to any action type under Edit Action > Action Notification Settings.

Example Use Cases:

Alert IT staff when provisioning is complete
Notify managers of access changes
Create a service desk ticket for any manual steps

Setting

Description

Email Template Selection:

When configuring email notifications (either as a Send Notification action or in Action Notification Settings), you can choose which template to use:

Default template: Uses the built-in event-specific template based on the lifecycle event being processed
Custom template: Uses a reusable custom email template you've created, allowing consistent messaging across multiple workflows

Custom templates support the same placeholders as event-specific templates, enabling dynamic content like identity names, workflow names, and action results. See for placeholder reference and template management.

Reset Password

Resets user passwords in target systems. Configuration options and behavior vary by integration.

Example Use Cases:

Reset passwords for new users who must change on first login
Enforce password rotation policies
Recover from account lockouts

Setting

Description

Password complexity requirements, unique identifier options, and force-change-on-login settings vary by integration. See the integration-specific guides below for configuration details.

Supported Integrations:

Create Access Review

Automatically creates access review campaigns during lifecycle events. This action bridges Lifecycle Management with Veza Access Reviews, enabling automated certification workflows triggered by identity lifecycle changes.

CREATE_ACCESS_REVIEW is a control-plane action that executes within the Veza platform. The action creates review campaigns asynchronously: first queuing the review, then creating it based on the defined certification plan.

Example Use Cases:

Review contractor access 30 days after onboarding to ensure appropriate permissions
Certify elevated permissions after role changes or promotions
Trigger periodic access reviews based on employment anniversaries

Setting

Description

Certification Creation Plan Configuration:

The Certification Creation Plan is the core configuration element for CREATE_ACCESS_REVIEW:

Parameter

Required

Description

Early Access: Multi-level approval (second and third level reviewers) is in Early Access and may require Veza support to enable.

How It Works:

A lifecycle event triggers a workflow containing the CREATE_ACCESS_REVIEW action
The action evaluates the Certification Creation Plan against the identity that triggered the event
A review campaign is queued in Veza Access Reviews

Event Notifications:

CREATE_ACCESS_REVIEW generates two notification events:

Event

Timing

Description

You can configure email notifications or webhooks for both events to track review creation progress. See for configuration details.

LCM-triggered reviews have special behaviors including automatic exclusion of unchanged results and entity type matching requirements. See for complete behavior documentation.

Related Topics:

: Behavior, filtering, entity matching, and troubleshooting
: Configuring certification plans and managing reviews
: Managing birthright entitlements included in reviews

Workday, Okta, and Active Directory

Guide for implementing automated user lifecycle management across Workday, Okta, and Active Directory

A well-designed identity Lifecycle Management solution automates the provisioning, synchronization of attributes and metadata, and deprovisioning of user accounts across your application and systems ecosystem.

This guide demonstrates how to implement a worker (employees and contractors) Lifecycle Management solution using Workday as the source of identity with downstream user account provisioning and synchronization platforms of Okta and Active Directory (AD). This represents a common enterprise architecture where worker records originate in an HR system and are provisioned to identity and access management systems, while maintaining a seamless, secure, and compliant user lifecycle process.

System Architecture

The following diagram shows the complete identity provisioning and synchronization architecture from Workday, a human capital management platform, to Okta and Active Directory, which are identity management systems:

The "Joiner Mover Leaver" (JML) process is a framework for managing users' employment lifecycle access within an organization. Provisioning access begins with onboarding new employees (Joiners), then managing internal transitions (Movers), and finally offboarding departing employees (Leavers).

Lifecycle Management is based on the JML paradigm, where Workday is the authoritative source of identity, which is monitored for the status of the worker based on attributes in their record to determine whether the user is a joiner, mover, or leaver.

JML Process Flow

The joiner, mover, leaver (JML) process flows through the systems as follows:

Prerequisites

Before starting this implementation, ensure you have:

Completed at least one successful extraction for each integration

Implementation Steps

Step 1: Define Access Profiles

First, create Access Profiles that define which application entitlements a group of users will be assigned:

Go to Lifecycle Management > Access Profiles
Click Create Access Profile
Configure a profile for each department or role:

Example: Engineering Department Profile

Example: Marketing Department Profile

Create additional profiles as needed based on your organizational structure.

Step 2: Create a Lifecycle Management Policy associated with Workday

Next, create a Lifecycle Management policy using Workday as the source of identity:

Navigate to Lifecycle Management > Policies
Click Create Policy
Configure the policy:

Step 3: Configure Joiner Workflow

Now add a workflow for new employee onboarding:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Step 4: Configure Mover Workflow

Add a workflow for handling employee role changes:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Step 5: Configure Leaver Workflow

Finally, add a workflow for employee termination:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Step 6: Enable and Test the Policy

After configuring your workflows for joiners, movers, and leavers, you can test your policy using Simulated Dry Runs to check the expected actions when executed.

Another approach to test your policy is to create draft versions. You can make changes to your policy as an iterative draft until you are satisfied with the results. You can then publish the final version and enable it.

As a final verification, make modifications to the Workday application to test your policy's expected performance. Ensure that the downstream applications, Okta and Active Directory, are correct with the modifications.

Test using Simulation Dry Run

Select Workday Employee Lifecycle policy.
Click the overflow menu (three dots icon) at the top of the page.
Select Perform Dry Run.

Test using Draft Versioning

Select Workday Employee Lifecycle policy.
Click Create Draft.
Select Edit Workflow.

Make changes to the Workday application to test your policy

In your Workday application, update the source of identity to test your policy. The following is a list of suggested changes:

Change the employee’s employee type (ie, from regular to contractor)
Verify account creation in Okta and Active Directory
Change the employee's department and verify group membership updates

Identity Synchronization Configuration Reference

Identity Synchronization is implemented during Lifecycle Management provisioning workflows. It is used to prevent provisioning errors due to duplication of username and/or email address. It supports robust identity sync across downstream applications (Okta and Active Directory) with different naming constraints or enforces unique identifiers.

Use Identity Synchronization if your target system already has an identity with a given attribute (e.g., a username or email is already in use).

Enable Identity Synchronization

In the Policy page, select your policy, Workday Employee Lifecycle policy.
Select Policy Settings.
Scroll down to Advanced Settings.

Sync Okta Identities

Synchronizes employee records to Okta user accounts, creating and updating user profiles with mapped worker attributes from Workday.

Configuration:

Description: Synchronizes identities to Okta
Target: OktaUser
Create Allowed: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

Conditional Actions

All Employees

Assigns "All Okta Employee Access" profile
Does not remove existing relationships

US Developers

Condition: wd_location eq "US" and department eq "developer"
Assigns developer-specific access profiles
Does not remove existing relationships

Sync Active Directory Identities

Creates and updates on-premises Active Directory accounts with location-specific group assignments and standardized naming conventions for different employee categories.

Configuration:

Description: Synchronizes identities to Active Directory
Target: ActiveDirectoryUser
Create Allowed: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

Conditional Actions

US Location

Condition: work_location eq "US"
Assigns US Groups
Removes existing relationships

Executive Group

Condition: employee_group eq "Executive"
Assigns the Executive Employee group
Removes existing relationships

China Location

Condition: work_location eq "China"
Assigns China Groups
Removes existing relationships

Deprovisioning Configuration Reference

Defines the procedures for safely removing access when employees leave the organization, including specific handling for each identity provider.

Deprovision Okta Identities

Handles employee offboarding in Okta by disabling accounts while preserving access history and configurations.

Configuration:

Description: Disables identities in Okta
Target: OktaUser
Remove Relationships: No

Deprovision Active Directory Identities

Controls the offboarding process for on-premises Active Directory, including moving accounts to a terminated user's organizational unit.

Configuration:

Description: Disables identities in Active Directory
Target: ActiveDirectoryUser
Remove Relationships: No

Attribute Transformations

Destination Attribute

Value

Continuous Sync

Expanded Joiner/Mover/Leaver Scenarios

Below are more detailed examples of joiner, mover, and leaver scenarios that you can implement using Veza's Lifecycle Management.

Joiner Scenarios

Example 1: Full-Time Employee Onboarding

Example 2: Contractor Onboarding

Mover Scenarios

Example 1: Department Change

Example 2: Promotion to Manager

Leaver Scenarios

Example 1: Standard Termination

Example 2: Involuntary Termination (Security Risk)

Advanced Attribute Transformer Examples

Workday to Okta Transformer (Enhanced)

Workday to Active Directory Transformer (Enhanced)

Advanced Configuration

Using Attribute Overrides

To handle edge cases where standard attribute formatting is not effective, use to define special exceptions. For example:

Contractors vs. Employees: Use different username formats based on employment type
Username Conflicts: Configure fallback formatters for handling duplicate usernames
Location-Specific Naming: Apply different naming conventions based on location or region

Email Write-Back to Workday

Ensure your email addresses remain consistent by configuring email write-back to Workday:

In your Joiner workflow, after the Sync Identities actions, add:
- Add Action > Create Email
- Configure for your email system

This ensures the email created in your systems is written back to Workday as the source of truth.

Conditional Logic Best Practices

When implementing conditional actions, consider these patterns for robust lifecycle management:

Location-Based Conditions

Role-Based Conditions

Employment Type Conditions

Monitoring and Troubleshooting

Activity Log Monitoring

Monitor your lifecycle management workflows using the :

Navigate to Lifecycle Management > Activity Log
Filter by policy name to see all actions for your Workday policy
Look for failed actions and investigate error messages

Common Issues and Solutions

Username Conflicts

If usernames are already taken in target systems:

Configure to handle conflicts
Use employee ID or other unique identifiers as backup username formats

Missing Attributes

If required attributes are missing from Workday:

Use DEFAULT transformers to provide fallback values
Configure conditional logic to handle missing data gracefully

Group Assignment Failures

If group assignments fail:

Verify that referenced groups exist in target systems
Check that service accounts have sufficient permissions
Use conditional logic to assign groups only when they exist

SCIM

Configuring SCIM integrations for Veza Lifecycle Management.

Overview

The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and deprovisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.

Direct SCIM vs. OAA SCIM Integration

This guide covers direct SCIM integrations where Veza connects directly to an application's SCIM endpoints. For custom applications built with the Open Authorization API (OAA) that expose SCIM endpoints, see .

Use direct SCIM when connecting to standard SaaS applications with native SCIM support, and you only need user and group provisioning without complex entity modeling.

You can use OAA SCIM for integrating custom or home-grown applications via OAA, and need comprehensive visibility beyond users and groups (permissions, resources, etc.)

Action Type

Description

Supported

This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See for more details.

Enabling Lifecycle Management for SCIM

Prerequisites

You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Verify your SCIM integration has completed at least one successful extraction

Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a SCIM integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your SCIM data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for your SCIM integration in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.

The integration supports the following lifecycle management :

Sync Identities

Primary action for user management (creating or updating users):

Username (user_name) is required and serves as the unique identifier
Email addresses are managed through the SCIM emails array
User activation/deactivation is controlled via the active attribute

Veza supports comprehensive SCIM 2.0 user attributes for both read-only data extraction (Access Graph) and bidirectional synchronization (Lifecycle Management). The tables below indicate which attributes support LCM synchronization (✅) versus read-only extraction (📖).

Core User Attributes

Veza supports all standard SCIM 2.0 core user attributes, organized by functional category:

Identity & Authentication

Attribute

Required for LCM

Type

LCM Sync

Description

Enterprise Extension Attributes

Veza supports the SCIM Enterprise User Extension schema (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) for both extraction and LCM synchronization:

Attribute

Type

LCM Sync

Description

Custom Extension Attributes

Veza automatically discovers and extracts all custom vendor-specific SCIM extension attributes for read-only purposes:

Extraction Capabilities:

Veza calls the SCIM /Schemas endpoint to discover all available schemas (requires SCIM Extension Schemas enabled in integration configuration)

Using Extension Attributes in LCM Workflows

Extension attributes must be referenced by their normalized names in LCM attribute transformers.

Core SCIM attributes use simplified names:

user_name, display_name, email, title, department, division, etc.

Extension attributes require full normalized names:

Example: Enterprise Extension Attributes

Example: Custom Vendor Extensions

Manage Relationships

Group membership management with full add/remove capabilities:

Add users to groups for role-based access control
Remove users from groups during role changes or de-provisioning
Support for nested group structures where the SCIM provider allows

Deprovision Identity

When a user is deprovisioned:

User account is deactivated (sets active: false)
Group memberships are automatically removed
Account can be reactivated if needed

Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.

Create Entitlement

Entity Types: SCIM Groups
Assignee Types: SCIM Users
Supports Relationship Removal: Yes

Within SCIM applications, groups can be associated with:

Application-specific permissions and roles
Resource access controls
Team or organizational structures

SCIM Group Attributes

Veza supports all standard SCIM 2.0 group attributes for both extraction and LCM operations:

Attribute

Required for LCM

Type

LCM Sync

Description

Supported SCIM Applications

The following applications are validated to work with Veza's SCIM Lifecycle Management:

Enterprise Applications

Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)
- SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}
- Full user and group provisioning support

Development & Collaboration Tools

Fivetran
- SCIM Endpoint: https://api.fivetran.com/scim/v2
- User and group provisioning

Security & Infrastructure

Twingate
- SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2
- User provisioning and group assignment

Workflow Examples

New Employee Onboarding

When a new employee joins (triggered by HR system changes):

Identity Sync: Create user account in SCIM application with basic attributes
Email Setup: Configure primary email and secondary contacts
Group Assignment: Add user to department and role-based groups automatically

Role Change Management

When an employee changes roles or departments:

Attribute Update: Sync new job title, department, and manager information
Group Reassignment: Remove old role groups, add new role groups
Access Review: Verify appropriate access levels for new position

Employee Offboarding

When an employee leaves the organization:

Account Deactivation: Set user status to inactive in SCIM application
Group Removal: Remove all group memberships and access rights
Data Preservation: Maintain account record for audit and compliance

Bulk User Management

For large-scale provisioning operations:

Batch Processing: Create multiple users efficiently through SCIM bulk operations
Group Pre-creation: Establish organizational groups before user assignment
Validation: Verify all users are created with correct attributes and memberships

Attribute Transformers

Configure how user attributes from a source of identity are transformed for target user accounts

When creating workflows in Lifecycle Management policies to create, sync, or deprovision identities, you will use attribute transformers to specify how user attributes for target accounts should be structured.

Terminology: For definitions of transformer, formatter, pipeline function, and condition, see Understanding Conditions and Transformers.

An attribute transformer is the complete configuration for mapping a source attribute to a destination attribute. It consists of:

Component

Description

Example

The target attributes to create or update are typically mapped and, optionally, transformed from user metadata in the source of identity, such as an identity provider, HR system, or CSV upload. Attributes can be synchronized once or kept continuously in sync as changes occur throughout the user's employment lifecycle.

Attribute transformers are also available when mapping columns in . This enables you to combine columns, reformat dates, standardize case, and apply other transformations during CSV import—without requiring Lifecycle Management workflows.

For example, attribute mapping and transformation can be used across Joiner, Mover, and Leaver scenarios:

Joiner: Set new Azure AD User Principal Name to {source username}@your-email-domain.com. This is an example of mapping multiple attributes and performing a transformation. More specifically, you use the attribute transformer to generate an email address for new joiners. Use the source username (user_principal_name) from the source of identity (Azure AD UPN) for the first part (user attribute), while your-email-domain.com is used for the last part (target attribute).
Mover: Always update a user’s “Manager” and “Department” attributes in Okta to match the user’s manager and department in Workday, a source of identity, whenever a department change or other employee mobility event occurs. This is an example of attribute mapping with continuous synchronization.

When synchronizing a user’s attributes, Veza may apply many transformations to convert the source attribute values into a more suitable format intended for the target application as a user account attribute.

For example, a transformer might remove the domain from an email address, replace special characters, or convert a string with uppercase letters to lowercase letters.

See for detailed information.

Key Terminology

Term

Description

Examples

Adding transformers

Common transformers define one or more rules to apply when synchronizing the attributes of a target identity. Use them at the Policy level where you want to create or update attributes using the same conventions across multiple sync or deprovision actions. When you need to configure a one-time individual action in a workflow, such as a specific attribute, then you use the transformer at the Action level.

At the Policy level, you configure a transformer with basic details, including how to source the value of each attribute:

Assign a name and description to the transformer, and specify the data source to which it applies.
Entity Type: Choose the target entity type in the destination system.
Click Add Attribute. The Destination Attribute dropdown will list available attributes for the chosen entity type.

After creating a common transformer, you can select it when editing a workflow action. You can edit or delete common transformers on the Edit Policy > Common Transformers tab. Remember that “Sync Identity” and “De-Provision Identity” actions can have action-level transformers override common transformers. If the same destination attribute is defined in both, the action-level transformer will take precedence.

Formatter syntax

The Formatter field in a transformer specifies how to construct the attribute value. It can be set to a specific value, synchronized with a source attribute, transformed using a function, or a combination of these.

Some formatters should enable continuous synchronization for the attribute, while others should not. For example, the value of "Created By" should be immutable once a user account is provisioned. Other attributes that represent a state or status should be synchronized throughout the user's or account's lifecycle.

Simple Value Setting

To create a destination attribute with a fixed value, enter the desired value when configuring the formatter. For setting the creator attribute:

Destination Attribute

Formatter

Continuous Sync

For activating a re-hired employee:

Destination Attribute

Formatter

Continuous Sync

Empty Values

To set empty values (common for de-provisioning flows):

Destination Attribute

Formatter

Continuous Sync

Attribute references

Target attributes can be updated based on attributes belonging to the source of identity. To reference the value of a source entity attribute in your formatter, use the format {<source_attribute_name>}.

Examples:

Destination Attribute

Formatter Example

Continuous Sync

Alias Definitions

Early Access: Alias Definitions is currently in early access. Contact your Veza representative to enable this feature for your tenant.

When to use aliases

By default, when you reference an attribute such as {department} in a formatter, the system searches through your configured identity sources in order (primary first, then secondary sources). This works well for simple policies with a single source of identity.

Aliases become useful when:

Multiple integrations share the same entity type (e.g., two Active Directory instances, or when your source of identity and sync target use the same entity type)
A policy involves multiple integrations that have attributes with the same name
You need to explicitly control which system's attribute value is used

Alias Naming: The system automatically adds a $ prefix to all alias names. For example, if you create an alias named workday in the UI, it becomes $workday when used in formatters and conditions.

Example: HR System to Directory Sync

A policy syncs identities from an HR system (Workday) to a directory (Active Directory). Both have a department attribute. Without aliases, {department} resolves from whichever system appears first in the search order. With configured aliases hr and directory (which become $hr and $directory), you can explicitly reference {$hr.department} to ensure you're using the authoritative HR value.

Aliases can be used in:

Attribute formatters
Workflow trigger conditions
Action conditions
Mover property definitions

Configuring aliases

Aliases provide shorthand references to specific integrations and entity types, making transformers and conditions more readable in complex policies.

To configure aliases, open a Lifecycle Management policy, click Edit, and navigate to the Alias Definitions tab. Each alias requires:

Alias Name: Must start with $ followed by at least one lowercase letter, number, or underscore. Additional $ characters can appear after the first character. The $ prefix is added automatically if omitted. Valid examples: $workday, $hr_system, $ad$corp. Invalid examples: $, $AD (uppercase), $$double (multiple leading

Validation Rules: Alias names allow only lowercase alphanumeric characters, underscores, and $. They must start with exactly one $ (not zero, not multiple), and cannot be $target (reserved for action-level attribute references).

Testing and Validation: Aliases work in test formatters, allowing you to validate your formatter expressions before deployment. Additionally, alias-resolved attribute values appear in dry run results, so you can preview exactly which values will be synced.

Input and output resolution

Aliases can resolve attributes from two contexts:

Input: Values from the source system before any sync action runs (the authoritative data)
Output: Values currently in the target system (what's already provisioned)

By default, the system checks output first, then falls back to input. Use suffixes to explicitly control resolution:

Suffix

Resolves From

Example

Use Case

When to Use Suffixes: Use $in when you need the authoritative value from the source system (e.g., HR system). Use $out when you need to compare against what's currently provisioned in the target. Without a suffix, the system checks the target first—useful when you want the most recent value regardless of source.

Comparison operators

Use these operators in IF conditions to compare attribute values:

Operator

Meaning

Supported Types

Combine conditions with and, or, or negate with not.

String List Attributes: For multi-value attributes (string lists), only the co (contains) operator is supported. Use it to check if the list includes a specific value, for example: IF $workday.roles co "Manager".

Examples

In attribute formatters:

In LCM Workflow Conditions (comparing source and target values):

Multiple integrations with the same entity type:

For organizations with multiple Active Directory domains (e.g., corporate employees and contractors), you can create distinct aliases to control which AD integration is used:

Configure alias corp_ad → Integration: AD_Corporate, Entity Type: ActiveDirectoryUser
Configure alias contractor_ad → Integration: AD_Contractors, Entity Type: ActiveDirectoryUser

Then explicitly reference the correct domain in your formatters:

This ensures you're using the department attribute from the corporate AD integration rather than the contractor AD integration, even though both use the same ActiveDirectoryUser entity type.

Transformation functions

Based on the user metadata available from your source of identity (SOI), you may need to convert a full email address to a valid username, standardize a date, or generate a unique identifier for users provisioned by Veza. Suppose an attribute value needs to be altered to be compatible with the target system. In that case, you can transform the value of a source attribute or apply a range of other functions to generate the target value.

Formatter expressions use the following syntax: {<source_attribute_name> | <FUNCTION_NAME>,<param1>,<param2>}

For example:

Destination Attribute

Formatter

Description

Example

Transformation function categories

Refer to the page for complete documentation of all supported functions, parameters, and usage examples. The reference includes:

Pipeline Functions {#pipeline-functions}

You can pipeline multiple transformation functions together, separated by a vertical bar (|). Each will apply in sequence, allowing for complex attribute formatters that use the output of one function as the input of another.

Example Pipeline Functions

{name | UPPER}
- If name = Smith, the result is SMITH.
{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}

Testing Transformers Inline

Before deploying transformers in production policies, you can validate formatter expressions directly in the Veza UI. This allows you to verify that your transformation logic produces the expected output without affecting live data.

Using the Test Interface

When adding or editing a transformer in a policy, look for the Test Formatter button next to the transformer field. Clicking it opens a test dialog:

Enter your transformer expression in the Attribute Transformer field
Click the Test Formatter button to open the test dialog
The dialog shows input fields for each attribute referenced in your expression (e.g., {first_name}, {email})

The test dialog is available wherever transformers are configured, including:

Action synced attributes
Unique identifiers
Common transformers
Date formatters

Testing Examples

Expression

Test Input

Expected Output

Testing Pipeline Functions

For complex pipelines, test incrementally:

Test the first function alone to verify it handles the input correctly
Add each subsequent pipe and verify intermediate results
Validate the complete pipeline produces the final expected value

This step-by-step approach helps isolate issues when a transformation doesn't produce the expected output.

The test interface uses sample data you provide. Ensure your test values accurately represent the source attribute data types and formats you'll encounter in production.

When to Use Inline Testing vs. Dry Run

Scenario

Use

Use inline testing during transformer development, then validate the complete policy with a dry run before deploying to production.

Common Transformers

As part of implementing Lifecycle Management (LCM) processes with Veza, you should create sets of common transformers to define how values such as username, login, or ID are sourced for each LCM Policy. These transformers can then be reused across all identity sync and deprovision policy workflows.

Create common transformers to consistently form attributes for specific entity types, and reuse them to avoid errors and save time when creating actions for that entity type. The order of common transformers matters when multiple transformers set the same destination attribute. Drag-and-drop to reorder common transformers and control precedence.

For example, defining a common synced attribute to describe how to format Azure AD account names {username}@evergreentrucks.com enables reuse across multiple workflow actions. You can also define synced attributes at the action level when they are used only once within a policy, such as setting the primary group DN and OU of de-provisioned identities to a group reserved for terminated accounts.

Common Transformer Examples:

Transformer & Entity Type

Attribute

Value Format

Continuous Sync

Description

$target Attribute Transformer Function

The $target attribute transformer function is used when a value consists of one or more attributes that require an operation(s), making it too complex to transform, but it needs to be reused.

Important: The $target function can only be used within the same Action.

For example, an email address consists of [email protected]. However, you must use the format . By using the $target function, you reuse only one attribute, username, while not changing the other two attributes (firstname_lastname).

Example:

Destination Attribute

Formatter

Custom Attribute Transformer Function

The Custom Attribute Transformer function allows you to define a custom transformer that acts as an alias for applying one or more transformer functions.

For example, you can define a custom function named $CLEAN, which is used as {first_name | $CLEAN}. This function can consist of a series of transformer functions such as | ASCII | LOWER | REMOVE_CHAR |.

To define a custom attribute transformer, use the following guidelines:

Policy Version Definitions

Custom functions must be defined as part of the policy version.
These definitions are structured similarly to hard-coded definitions and are returned in the same format, allowing the Veza UI to handle them without modification.
The API for updating and retrieving a policy version must also support these custom function definitions.

Naming Convention: Custom functions must be in ALL CAPS and prefixed with a $ to avoid conflicts with built-in functions.

Custom Attribute Transformer Limitations

The following custom definitions are not supported:

Transformer functions with included transformer parameters
Nested transformer functions
Transformer functions with parameters

Appending Multi-Value Attribute (Active Directory only)

As part of the Identity Sync action, you can append values to multi-value Active Directory attributes without replacing existing values. This ensures that existing attribute values are preserved when adding new ones.

This feature is specific to Active Directory and is not available for other integrations.

Supported Multi-Value Attributes:

Active Directory supports appending for the following multi-value attributes:

organizationalStatus, departmentNumber, employeeType
servicePrincipalName, proxyAddresses

Syntax:

Use the >> prefix before the array to append values:

Appending syntax supports two array formats:

With quotes (JSON format): >>[``"Active", "Permanent"]
Without quotes (simple format): >>[Active, Permanent]

When you use this syntax:

New values are added to the end of the existing attribute values
Duplicate values are automatically removed
The order of existing values is preserved

For example, ff an Active Directory user has:

And you apply the transformer:

The resulting value is:

Note that "Employee" was already present and not duplicated.

Setting vs. Appending:

To Replace existing values: Use [value1, value2] (without >>)
To Append to existing values: Use >>[value1, value2] (with >>)

Additional Notes:

The append prefix (>>) only works for multi-value attributes. It is ignored for single-value attributes
If the attribute has no existing values, the values are simply set (no difference from non-append behavior)
Both the appending syntax and the standard array syntax support arrays with or without quotes around values

Lifecycle Management FAQ

Frequently asked questions about Veza's Lifecycle Management for automated identity and access governance

This document addresses common questions about Lifecycle Management (LCM) for automated identity and birthright access governance across systems and applications.

Overview

The questions in this document are designed to introduce key concepts and address common questions that often arise during deployments. Please contact your support team with additional questions and feedback. Note that specific functionality may depend on the features and integrations enabled in your environment.

Learning more

Your Lifecycle Management configuration can be straightforward or complex, depending on your organization's needs. To learn more about general implementation patterns, see and .

Dry Run Testing

Can I test policy changes before making them live?

Yes, dry run simulations let you safely preview policy changes before deployment. Dry run evaluates workflow logic and shows what actions would occur without making actual changes to target systems. You can test a single identity or run bulk dry runs against multiple identities with filtering options.

For step-by-step instructions, see .

What does a dry run test?

Dry run evaluates the selected identity against all workflows in a policy and shows:

Matched workflows: Which workflows triggered and why
Planned actions

Policy Configuration

What happens when an action fails in a workflow?

When an action fails, the entire workflow retries on the next policy run—not just the failed action. All actions (including previously successful ones) re-execute unless configured with "Skip if action has already been run".

Retry configuration (API only):

Property

Description

Default

What is the "Skip if action has already been run" option?

This safety mechanism prevents the same action from executing multiple times for the same identity, even if the workflow re-triggers. LCM tracks successful completions per identity and skips the action if already completed.

Enable for one-time actions:

Create Email, Welcome notifications, Initial Password Setup, One-time provisioning

How do I enable a new lifecycle management policy?

Creating a policy involves configuring your source(s) of identity, workflows, and actions to automate lifecycle events:

Create Policy: Go to Lifecycle Management > Policies > Create Policy

How do I temporarily disable workflows or actions?

You can pause or disable specific workflows and actions within a policy for safer testing and gradual rollouts, without deleting or modifying the underlying configuration. Disabled workflows and actions are skipped during policy execution, and the policy editor displays them with a "Disabled" tag.

Disabled workflows are still evaluated during Dry Run simulations by default, so you can test workflow logic before enabling it in production.

What is the Continuous Sync option, and why should I use it?

Continuous Sync keeps a provisioned user's source attributes automatically updated in target systems after initial provisioning, rather than syncing only once at creation time.

Why use Continuous Sync:

Keeps downstream systems current - Attribute changes (title, manager, department) propagate automatically

Why are secondary sources of identity optional if an admin can add multiple primary sources?

Secondary sources of identity are not redundant, despite the availability of multiple primary sources. They serve fundamentally different purposes:

Primary Sources of Identity (SOI):

Must all be of the same entity type (e.g., all Worker entities from Workday).

Access Profiles

What are Access Profiles, and how do they work with LCM?

Access Profiles are collections of entitlements (groups, roles, or permissions) that can be automatically assigned to users based on their attributes. They serve two key functions:

Birthright Access: Automatically assigned through policy workflows during joiner/mover/leaver events via the Manage Relationships action

Safety and Limits

What safety mechanisms prevent unintended mass changes?

Lifecycle Management provides two independent safety limit mechanisms that can be used individually or together for layered protection:

Hard Limit (formerly "Safety Limit") — A reactive mechanism that halts processing during execution after the configured number of identity changes has been reached. When triggered, no further identity changes are processed for the current policy run.

Configured with max_identities_affected_count

How do I configure parallel execution settings?

Lifecycle Management supports parallel workflow processing, allowing multiple workflows to run concurrently. Configure parallel execution using the private API endpoint at /api/private/lifecycle_management/parallel_execution_settings.

Key settings include:

jobs: Maximum concurrent policy jobs

Notifications

When should I use policy-level notifications vs action-level notifications?

Lifecycle Management supports notifications at two levels with different capabilities:

Feature

Policy-Level

Action-Level

Access Request Notifications

Do administrators need to configure notifications for Access Request events?

Yes, administrators must explicitly configure notifications for Access Request events. Notifications can be configured for six event types (created, action run, completed, failed, state changed, approver assigned), with recipients selected from five categories: Approvers, Creator, Beneficiary, Watchers, or specific email addresses.

Behavior Change (August 2025): Previously, notifications were automatically sent to all recipient types for all events. The default was removed for better control. Existing customers had settings automatically migrated to match the old behavior.

How do I control or stop Access Request notifications?

Access Request notifications are sent to five recipient categories: Approvers, Creator, Beneficiary, Watchers, and other_emails (specific addresses). Administrators receive notifications only when explicitly configured in one of these roles—there is no "all admins" setting.

Common issue: If you're receiving unwanted notifications, you're likely configured as a default approver for Access Requests with to_approvers=true enabled. For customers migrated from pre-August 2025, all recipient types are enabled by default.

Does the notification body support rich text HTML?

Yes, notification templates fully support HTML and CSS. You can use standard HTML markup, inline styles, images, and links in all Lifecycle Management and Access Request notification templates.

Key Capabilities

Standard HTML tags (<html>, <body>

Data Processing and Extraction

When does LCM evaluate identities for CSV/OAA data sources?

LCM processes identities from CSV and OAA-based data sources only when specific events occur, unlike native integrations that can pull data on demand.

Trigger Events for Identity Processing

For CSV and OAA data sources, extraction and identity evaluation occur when:

What happens when an extraction takes longer than the scheduled interval?

Veza has built-in guardrails to prevent overlapping extraction jobs for the same data source. A new extraction job is enqueued only if there is no pending or in-progress job for that data source.

Job Scheduling Behavior

When an extraction is scheduled to run every hour but takes longer than one hour to complete:

CSV Upload and Transformations

Can I transform CSV data during upload for LCM?

Yes, Veza supports data transformations when uploading CSV files for HRIS and application data sources. This allows you to manipulate and format data during the upload process without preprocessing.

Supported Transformations

Transformations can be applied to CSV columns during mapping configuration:

Integrations

Does Veza support custom Active Directory attributes and moving users between organizational units (OU)?

Yes, Lifecycle Management fully supports both custom Active Directory attributes and moving users between organizational units.

Custom Attributes: You can synchronize custom AD attributes (like hrdivisionID, cost center, or other organizational data) from your source of identity. First, add custom properties in your AD integration configuration (in the Custom Properties step of the integration wizard), then map them in your LCM policy's Sync Identity action using attribute transformers. After enabling custom attributes for the integration, they can be set for new and existing users just as standard AD attributes.

Moving Between OUs: You can move users between organizational units by modifying the user's

For details on configuring LCM integrations, including setup instructions, extraction requirements, and supported capabilities, see .

What is the difference between sources of identity and target applications in Veza Lifecycle Management?

There are two different types of integrations supported by Lifecycle Management:

Source of Identity (SOI): These are authoritative systems that provide definitive information about user identities and their status within an organization. Common examples include Human Resource Information Systems (HRIS), corporate directories, and Identity Providers (IdPs). While Veza typically does not require write permissions to these sources, some can also serve as provisioning targets and support write-back of newly created user attributes, such as an email address.

Do target applications have special integration requirements?

Veza provides comprehensive coverage for target applications through a multi-faceted approach:

Native Integrations: Veza offers native, full CRUD-based provisioning and deprovisioning for numerous applications and platforms, including IdPs, directories, cloud platforms, business and productivity applications, databases, developer platforms, and more. These integrations typically provide deeper control over entitlement management and support user lifecycle actions (onboarding/offboarding) beyond basic account creation.

What Source of Identity (SOI) systems are supported?

Veza LCM supports a variety of Source of Identity systems to serve as authoritative sources for user identity information.

Built-in SOI Systems include:

Beeline - Shift-based workforce management system

What SCIM attributes does Veza support?

Veza supports SCIM 2.0 attributes for both read-only data extraction and Lifecycle Management synchronization. The specific attributes available depend on whether you're extracting data for the Access Graph or synchronizing user/group information through LCM.

Core User Attributes

For LCM Synchronization, Veza supports the standard SCIM user attributes including:

Which SOI systems support email writeback?

Email writeback capability allows LCM to update the Source of Identity with newly created email addresses during provisioning workflows.

Systems Supporting Email Writeback

Currently, only a limited subset of integrations support email writeback actions:

What target systems are supported natively and via SCIM?

Veza LCM supports provisioning across target systems through native integrations and SCIM protocol compatibility.

Supported Categories

Native Integrations (Full lifecycle support):

Advanced Configuration

What optional features can be enabled for LCM?

Lifecycle Management includes core workflow capabilities, with additional features available depending on your configuration needs. Some features that were previously gated are now available by default, while others require configuration or enablement.

Are password reset and access review actions available by default?

Yes, the Reset Password and Create Access Review workflow actions are now generally available as standard LCM functionality. These action types appear as available options when configuring workflow actions in LCM policies.

Additionally, Secondary Sources of Identity are also now generally available, allowing you to configure secondary identity sources in policies without requiring special enablement.

How does Veza determine the active state and other attributes when an identity has both primary and secondary sources?

When a policy identity has both primary and secondary sources, Veza determines which source's attributes to display in the Identities table—including the identity's active state—based on the is_active field from each source. The is_active field typically represents employment or account status (e.g., an active employee in Workday, an active contractor in a secondary system).

Default behavior:

Lifecycle Management Troubleshooting

How can I export or view the complete JSON configuration of a policy?

The Show Raw JSON optional feature allows you to view and export the complete JSON representation of a Lifecycle Management policy for debugging and troubleshooting purposes.

Accessing Raw JSON

To view the raw JSON configuration:

What roles can access Lifecycle Management and Access Profiles?

Access to Lifecycle Management and Access Profiles is managed through Veza's role-based permission system. User permissions can vary based on their assigned roles and team membership, enabling separation of duties and security controls across the platform.

Only Administrator roles have full management capabilities for LCM policies and Access Profiles. All other roles provide various levels of read-only access, with some specialized roles offering additional functionality like integration management or review assignment.

Role Categories and Access Levels

Veza roles fall into two availability tiers that determine their LCM access capabilities. Generally Available roles

Why isn't my workflow triggering for certain users?

Several factors can prevent workflows from triggering. Here are some recommended diagnostic steps:

Attempt a Dry Run Simulation

Transformer Reference

Reference guide for supported transformation functions and parameters for attribute transformers

This page includes a comprehensive list of all supported transformer functions and parameters. Some commonly used transformation functions include:

Replacing a character with a different one
Removing domains from email addresses
Transforming to upper, lower, title, sentence, camel, or snake case
Using a substring from the original value

See for configuration details, or for terminology definitions.

Reading the Examples

Each transformer below includes three types of examples:

Basic Usage: Shows the transformer used alone with a simple source attribute
In a Pipeline: Demonstrates chaining multiple transformers together
Example: Provides practical context from Lifecycle Management scenarios

Copy-paste these examples directly into your attribute transformer configuration, adjusting attribute names to match your source of identity.

APPEND

This transformer enables string concatenation by appending text to the end of attribute values during identity provisioning workflows.

Parameter Format

ASCII

Removes non-printable characters and replaces non-ASCII characters with their closest ASCII equivalents. Particularly useful for Active Directory sAMAccountName and other legacy systems with strict character requirements.

Note: The ASCII transformer performs operations on the base level, not the extended set.

ASSUME_TIME_ZONE

Interprets the incoming time string as if it were in the specified time zone, then converts it to a UTC time. (example: if the input is "1/2/2025 11pm" and the defined time zone is America/Los_Angeles the function will treat "1/2/2025 11pm" as local time in Los Angeles and output the corresponding UTC time "1/3/2025 7am")

COUNTRY_CODE_ISO3166

Transforms country code to ISO 3166 format.

defines codes for the representation of country names, dependent territories, and their subdivisions

DATE_ADJUST

Adjusts date values based on hour, day, month, and year inputs. Provides full control over all time components for complex date manipulation.

Parameter Format

DATE_ADJUST_DAY

A convenience transformer that adjusts date values by a specified number of days only. Use this for simple day-based calculations; use DATE_ADJUST for more complex adjustments involving hours, months, or years.

DATE_FORMAT

Description: Converts a timestamp to a formatted date string using Go time layout syntax.

Syntax: {attribute | DATE_FORMAT, "layout"} or {attribute | DATE_FORMAT, "output_layout", "input_layout"}

Parameters:

Parameter

Required

Type

Description

Returns: String — the formatted date/time string

Examples:

Input

Expression

Output

Go Time Layout Syntax: Unlike most date formatting systems that use patterns like YYYY-MM-DD, Go uses a reference date: Mon Jan 2 15:04:05 MST 2006. Each component of this specific date represents a format element.

Go date format reference

The reference date Mon Jan 2 15:04:05 MST 2006 breaks down as:

Component

Reference Value

Meaning

Common format patterns

Output Format

Go Layout String

Example Output

Named format aliases

Instead of Go layout strings, you can use these named aliases (case-insensitive):

Alias

Equivalent Layout

Example Output

For the full list of named aliases (including kitchen, rfc822, rfc1123, stamp, and others), see Go's standard .

The win32 format outputs the Windows FILETIME format used by Active Directory for attributes like accountExpires. This represents 100-nanosecond intervals since January 1, 1601 UTC.

Notes:

Input must be a valid timestamp
Use with or for timezone handling
When parsing non-standard input dates, provide both output and input layouts

FIRST_N

Picks the first N characters of a string. Useful for creating shortened identifiers or initials.

Parameter Format

FROM_ENTITY_ATTRIBUTE

Looks up an entity in the Veza graph by matching an attribute value, then returns a different attribute from that entity. This is useful for cross-referencing related entities, such as finding a manager's email from an employee ID.

Parameter Format

FROM_MANY_ENTITIES_ATTRIBUTE

Looks up multiple entities in the Veza graph by matching an attribute value, then returns a specified attribute from all matching entities as a combined string. Use this when an input value may match multiple entities and you need all their values.

Parameter Format

LANGUAGE_RFC5646

Transforms language to RFC 5646 format.

defines "Tags for Identifying Languages." It does not contain a fixed, exhaustive list of language codes within the RFC itself. Instead, it specifies the structure and rules for constructing language tags, which are then built using codes from various external standards and registries.

LAST_N

Picks the last N characters of a string, where N is the number of characters to return.

Parameter Format

LEFT_PAD

Adds padding characters to the left side of a string until it reaches the specified length. Useful for creating fixed-width identifiers.

Parameter Format

LOOKUP

Transforms a value using a lookup table defined in your Lifecycle Management policy. Essential for mapping codes to descriptive values or standardizing data across systems.

Parameter Format

LOWER

Description: Converts all characters in a string to lowercase.

Syntax: {attribute | LOWER}

Parameters:

Parameter

Required

Type

Description

Returns: String — the input value with all characters converted to lowercase

Examples:

Input

Expression

Output

Notes: Only affects alphabetic characters. Numbers and special characters pass through unchanged.

LOWER_SNAKE_CASE

Transforms string to lowercase with underscores.

Parameter Format

LOWER_CAMEL_CASE

Transforms a string to lower camel case (also known as dromedaryCase). The first word is lowercase, and subsequent words are capitalized with no separators.

Parameter Format

NEXT_NUMBER

Generates a set of alternative values by appending sequential numbers. Essential for handling unique constraint conflicts during user provisioning. Returns an empty string first, then "2", "3", "4", etc.

Parameter Format

NEXT_NUMBER Max Length

This transformer supports an optional maximum length parameter to simplify complex username generation workflows. It automatically evaluates combined strings (such as {first_name}_{last_name}) and truncates to specified character limits before appending numerical suffixes.

NOW

Returns the current time in UTC. An optional argument indicates the outgoing time format; by default, the RFC3339 format.

Parameter Format

PHONE_NUMBER_E164

Transforms a phone number into the E.164 format.

E. 164 numbers are formatted [+] [country code] [subscriber number including area code] and can have a maximum of fifteen digits. Parameter Format

PREPEND

Adds text to the beginning of attribute values. Useful for adding prefixes like organization codes or type indicators.

Parameter Format

RANDOM_ALPHANUMERIC_GENERATOR

Generates a random alphanumeric string.

Parameter Format

RANDOM_INTEGER

Generates a random integer value between specified minimum and maximum values (inclusive). Useful for creating unique test IDs or temporary identifiers. Does not require an input value.

Parameter Format

RANDOM_NUMBER_GENERATOR

Generates a random number string.

Parameter Format

RANDOM_STRING_GENERATOR

Generates a random string.

Parameter Format

REMOVE_CHARS

Removes all instances of specified characters from a string. Useful for cleaning up data and removing unwanted punctuation or special characters.

Parameter Format

REMOVE_DIACRITICS

Removes diacritics (accents, etc.) from input string.

Parameter Format

REMOVE_DOMAIN

Removes the domain portion from an email address, leaving only the username. One of the most frequently used transformers for generating usernames from email addresses.

Parameter Format

REMOVE_WHITESPACE

Removes all whitespace characters (spaces, tabs, newlines) from a string. Useful for creating compact identifiers and ensuring data consistency.

Parameter Format

REPLACE_ALL

Description: Replaces all occurrences of a substring with a replacement string.

Syntax: {attribute | REPLACE_ALL, "search", "replacement"}

Parameters:

Parameter

Required

Type

Description

Returns: String — the input with all occurrences of search replaced by replacement

Examples:

Input

Expression

Output

Notes:

Case-sensitive matching
To remove characters, use an empty string as the replacement: REPLACE_ALL, "x", ""
For removing multiple different characters, consider instead

RIGHT_PAD

Right pads a string with a character.

Parameter Format

SENTENCE_CASE

Capitalizes only the first non-whitespace character of a string and lowercases the rest. Preserves any leading whitespace. Useful for standardizing sentence-formatted text fields.

Parameter Format

SPLIT

Splits a string and returns the string at the given index.

Parameter Format

SUB_STRING

Description: Extracts a portion of a string starting at a specified position.

Syntax: {attribute | SUB_STRING, offset, length}

Parameters:

Parameter

Required

Type

Description

Returns: String — the extracted substring

Examples:

Input

Expression

Output

Notes:

Index is 0-based (first character is position 0)
If offset + length exceeds the string length, returns characters up to the end
For extracting just the first N characters, consider as a simpler alternative

TITLE_CASE

Capitalizes the first letter of each word and lowercases the rest. Also handles dot-separated values by capitalizing the first letter of each segment. Useful for formatting names and titles.

Parameter Format

TRIM

Removes leading and trailing whitespace from a string. Essential for cleaning up data from external systems.

Parameter Format

TRIM_CHARS

Removes all specified characters from both the beginning and end of a string. Useful for removing padding characters or cleaning up formatted data.

Parameter Format

TRIM_CHARS_LEFT

Removes all specified characters from the beginning of a string only. Useful for removing leading zeros or prefixes.

Parameter Format

TRIM_CHARS_RIGHT

Removes all specified characters from the end of a string only. Useful for removing trailing characters or suffixes.

Parameter Format

UPPER

Description: Converts all characters in a string to uppercase.

Syntax: {attribute | UPPER}

Parameters:

Parameter

Required

Type

Description

Returns: String — the input value with all characters converted to uppercase

Examples:

Input

Expression

Output

Notes: Only affects alphabetic characters. Numbers and special characters pass through unchanged.

UPPER_CAMEL_CASE

Transforms a string to upper camel case.

Parameter Format

UPPER_SNAKE_CASE

Transforms string to uppercase with underscores.

Parameter Format

UTC_TO_TIME_ZONE

Interprets the incoming time string as if it were in UTC and then converts it to the specified time zone. (example: if the input is "1/2/2025 11pm" and the specified time zone is America/Los_Angeles the function will treat "1/2/2025 11pm" as the UTC time zone and output the corresponding America/Los_Angeles

UUID_GENERATOR

Generates a UUID.

A UUID (Universally Unique Identifier) is a 128-bit identifier used to uniquely identify information in computer systems.

ZERO_PAD

Adds left zero-padding to numerical string values until they reach the specified length. If the input is non-numeric, it passes through unchanged. If the numeric value is already longer than the specified length, it remains unchanged.

Parameter Format

Lifecycle Management

hashtagKey features

Getting Started

hashtagIn this section

hashtagWhere to go next

Lifecycle Management Dashboard

hashtagDashboard Overview

hashtagDashboard Actions

hashtagPolicies

hashtagAccess Profiles

hashtagIdentities

hashtagIntegrations

hashtagAccess Requests

hashtagErrors

hashtagRecent Activity

hashtagNext Steps

Activity Log

hashtagOverview

Identities

hashtagIn this section

hashtagKey concepts

hashtagRelated topics

Identity Override Attributes

hashtagOverview

Access Profiles

hashtagExample Profiles

hashtagAccess Profile Types

hashtagProfiles

hashtagBusiness Roles

hashtagBest Practices for Access Profile Types

hashtagConfiguring Access Profiles

hashtagAccess Profile Ownership

hashtagWho Can Be Owners

hashtagOwner Eligibility Requirements

hashtagOwner Permissions

hashtagManaging Owners

hashtagSee Also

Access Profile Types

hashtagOverview

Policies and Workflows

hashtagIn this section

hashtagKey concepts

hashtagRelated topics

LCM-Triggered Access Reviews

hashtagOverview

hashtagTroubleshoot missing reviews

hashtagUnderstand unchanged result filtering

hashtagResolve entity type mismatches

hashtagFix missing enriched identity columns

hashtagCustomize review names

hashtagRelated topics

Fallback Formatters

hashtagOverview

hashtagUnderstanding Fallback Formatters

hashtagUse Case: Username Conflicts

hashtagConfiguring Fallback Formatters

hashtagTransformer Options for Fallback Formatters

hashtagUsing the NEXT_NUMBER Transformer

hashtagOther Useful Transformers for Fallbacks

hashtagImplementation Example

hashtagCommon Fallback Patterns

hashtagHow Fallback Resolution Works

System Attributes

hashtagOverview

Coupa Contingent Workforce

hashtagOverview

How-to Guides

hashtagIn this section

hashtagAdditional resources

Manage Access Profile Creation Permissions

hashtagOverview

hashtagBefore you start

hashtagGrant Access Profile creation permissions

hashtagVerify permissions

hashtagRemove Access Profile creation permissions

hashtagSee also

Test Policies with Dry Run

hashtagOverview

Disable Workflows and Actions

hashtagOverview

Key features

In this section

Where to go next

Dashboard Overview

Dashboard Actions

Policies

Access Profiles

Identities

Integrations

Access Requests

Errors

Recent Activity

Next Steps

Overview

In this section

Key concepts

Related topics

Overview

Example Profiles

Access Profile Types

Profiles

Business Roles

Best Practices for Access Profile Types

Configuring Access Profiles

Access Profile Ownership

Who Can Be Owners

Owner Eligibility Requirements

Owner Permissions

Managing Owners

See Also

Overview

In this section

Key concepts

Related topics

Overview

Troubleshoot missing reviews

Understand unchanged result filtering

Resolve entity type mismatches

Fix missing enriched identity columns

Customize review names

Related topics

Overview

Understanding Fallback Formatters

Use Case: Username Conflicts

Configuring Fallback Formatters

Transformer Options for Fallback Formatters

Using the NEXT_NUMBER Transformer

Other Useful Transformers for Fallbacks

Implementation Example

Common Fallback Patterns

How Fallback Resolution Works

Overview

Overview

In this section

Additional resources

Overview

Before you start

Grant Access Profile creation permissions

Verify permissions

Remove Access Profile creation permissions

See also

Overview

Overview

Disable a workflow

Disable an action

Test disabled workflows with dry run

Re-enable a workflow or action

See also

In this section

Where to go next

In this section

Key concepts

Related topics

In this section

Key concepts

Related topics

Overview

Key features

`sys_attr__is_mover`

`sys_attr__would_be_value`