Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Implementing Veza Lifecycle Management will require:
Defining segmentation criteria in terms of Business Roles for identities in your organization.
Defining Role Conditions used in Lifecycle Management policies that Veza will use to match roles to identities, based on attributes from the source of identity.
Defining Profiles for each target application that will map Business Roles to application-specific entitlements.
Assigning Profiles to Business Roles to enable business rules.
The topics in this document will help you structure your Lifecycle Management implementation, and establish foundations that you can use to simplify access management throughout the employee lifecycle.
Key considerations and requirements
Is a lifecycle management process defined for your organization?
If yes: Begin assessing your current policies for implementation with Veza Lifecycle Management.
If no: Work with application owners, HR administrators, and other stakeholders to establish protocols for granting and revoking access as employees join, depart, or change roles.
Do you have one, or even multiple sources of truth for employee identity metadata?
At least one source of identity is required to trigger Lifecycle Management actions when there are changes in the data source. This data source could be an HRIS system, identity provider, directory service, or an exported report.
For example, you may have different sources of identity for full-time and employees and contractors.
What scenarios will be automated?
This list of business roles might be sourced from an organization chart, or a human resources information system (HRIS). These roles can be defined in terms of any discriminating attributes from a source of identity, such as:
Employee or contractor status
Roles and job positions
Business Units (BUs)
Locations
Define and list the different populations of employees with different levels of access in your organization (such as by roles, regions, and teams).
Organize the populations hierarchically, each inheriting the access granted to its parent population. For example, you might have a structure "All Employees" > "Sales Team" > "Sales Managers," with each inheriting the access granted to the parent.
Example Business Roles:
Sales
Developers
Executive Employees
US Employees
China Employees
Identify the attributes and conditions that will identify the segment each user belongs to. The possible attributes will depend on the employee metadata provided by your HRIS or other source of truth for identity.
For example, you might assign certain Active Directory groups only to US employees, identified by a source Workday Worker's work_location. To define these conditions, you will need to understand what attributes are available within the source of truth, and how the values map to each employee segment.
Consider how employee records are structured in your source of identity, including all the built-in attributes belonging to an identity, and the possible values.
Check if any custom attributes can be used to define role conditions, and ensure these are enabled in the Veza authorization graph.
Document how employee populations correspond to the attribute values contained in the source of identity.
Examples: Source attributes for role conditions
Employee Number
Unique identifier for the employee.
Company
The company or subsidiary the employee works for.
First Name
Employee's first name.
Last Name
Employee's last name.
Preferred Name
Employee's preferred first name.
Display Full Name
Full name for display; includes preferred first name if available.
Canonical Name
Employee's canonical name.
Username
Username as shown in the integration UI.
Employee's work email (unique).
IDP ID
ID for connecting to the destination IDP provider.
Personal Email
Employee's personal email.
Home Location
Employee's home location.
Work Location
Employee's work location.
Cost Center
Cost center ID associated with the employee.
Department
Department ID (Group ID) of the employee.
Managers
List of employee IDs of the employee's managers.
Groups
List of group IDs the employee is associated with.
Employment Status
Employment status, e.g., ACTIVE, PENDING, or INACTIVE.
Is Active
Indicates if the employee is active.
Start Date
The date the employee started working.
Termination Date
Employee's termination date, if applicable.
Job Title
Employee's job title.
Employment Types
Type of employment, e.g., FULL_TIME, PART_TIME, INTERN, CONTRACTOR, or FREELANCE.
Primary Time Zone
Employee's primary time zone.
Using this standard identity metadata, a Lifecycle Management workflow runs specific actions for identities where some or all of the conditions are true:
Employment Status equals "Pending"
Employment Types equals "Full Time"
Department equals "Engineering"
Work Location equals "US"
Cost Center equals "R&D"
Start Date on or after "2025-01-01"
A Profile defines a set of entitlements for a specific application that can be assigned to users. For each target application, application owners will need to establish levels of birthright entitlements by defining Profiles mapped to groups, roles, or other entitlements that can be assigned to a user.
Review target applications to validate that the expected entitlements are configured, with the correct scopes and permissions for the Profiles they will be associated with.
Examples: Access Profiles
AD Executive Employees
Active Directory
Executive Employee - Manager US (Active Directory Group)
AD Engineering Managers
Active Directory
Engineering - Manager US (Active Directory Group)
Azure Helpdesk Role
Azure
Helpdesk Administrator (Azure AD Role)
Google China Employees
Google Cloud
Google China Employees (Google Group)
Create Business Roles for each segment.
For each Business Role, inherit a corresponding access profile.
Assign one or more Profiles to each Business Role as needed to fully define the birthright entitlements for each position.
Examples: Map Business Roles to Profiles
Asia Employees
US Employees
Developers
Attributes from the source of identity can determine the attributes of users in target systems when creating or updating a target entity.
For example, a provisioned Okta User's country_code might be set to a source Workday Worker's work_location. Additionally, the Okta User manager attribute could be continually synchronized to match the Worker’s manager.
For each application, understand the supported attributes for provisioned users.
Assess the identity metadata from your source of truth to decide how source entity attributes will be used to set the values of target entity attributes.
Examples: Synced Attributes
Sync Active Directory Accounts for Active Employees (Joiners/Movers)
When provisioning AD Users, create user attributes based on values in the source of identity. These attributes can also be kept up-to-date with the source of identity when there are changes, by enabling Continuous Sync.
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Minnetonka,OU=US,OU=Evergreen Staff,DC=evergreentrucks,DC=local
user_principal_name
username
{username}@evergreentrucks.com
username
{username}@evergreentrucks.com
display_name
display_full_name
{display_full_name}
given_name
first_name
{first_name}
sur_name
last_name
{last_name}
country_code
work_location
{work_location}
job_title
job_title
{job_title}
primary_group_dn
-
CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local
Sync Active Directory Attributes for Withdrawn Employees (Leavers)
When disabling AD Users, update the DN and Primary Group DN to a group and OU reserved for terminated employees:
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Evergreen Termination,OU=Evergreen Staff,DC=evergreentrucks,DC=local
primary_group_dn
-
CN=Terminated Users,OU=Evergreen Groups,DC=evergreentrucks,DC=local
Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization.
Updating the distinguished_name to place leavers in a specific organizational unit (OU), like "Evergreen Termination," separates active users from inactive ones, and enables the application of policies, scripts, and queries that target inactive users without affecting active employees.
Before you begin creating draft for automating Lifecycle Management workflows, you should establish and document how employees in your organization are mapped to business roles, and corresponding birthright entitlements (default access permissions granted based on an employee's role) such as groups and roles in target applications.
Veza supports importing employee records from built-in , OAA integrations using the , and .
A range of applications can be sources of identity and targets for Lifecycle Management, with different actions supported for each integration. See and for the current capabilities.
Begin by identifying and cataloging the different roles that can be assigned to employees and their digital identities within your organization. Users will be granted entitlements within target applications based on these business roles based on your Lifecycle Management .
Create a in Veza to model each segment.
The following standard attributes are available by all HRIS integrations that use an Open Authorization API template, along with any enabled for the integration. You can typically import data from any HRIS system to Veza using this template, sourced from a generated report, API calls, or CSV data.
Create Lifecycle Management mapped to those entitlements.
When configuring the action, administrators can grant or revoke access by choosing a Business Role that inherits the desired Profile.
Configure to inherit the corresponding access profiles, mapping entitlements to employee segments.
Target synced attributes can have fixed values (e.g., always true), can match a source attribute, or contain a combination of source values, transformed as needed to match the required format. Rules for synchronizing attributes are managed with .
Veza can synchronize attributes during provisioning and de-provisioning workflows, and whenever a change is detected in the source of identity. Decide which attributes should be kept in , and which should only be created (and never modified after creating an entity).
Map application entitlements to user populations based on common roles, functions, levels, or locations in the organization.
Access Profiles govern how application entitlements are assigned to employees across your organization. These profiles define how birthright access should be granted based on segmentation criteria, which could include business role, job function, seniority level, location, or group membership. Access Profiles are used by the Manage Relationship action to assign users to specific groups, roles, permission sets, or other access-granting entities when specific conditions are met.
Profiles can be configured hierarchically to create a fine-grained model of how access should be assigned to different groups of employees. Administrators can position child profiles underneath a parent profile, with each child profile inheriting the entitlements from the parent profile.
For instance, a parent profile might be "Sales" (defining all the application entitlements that an individual belonging to the Sales organization should be granted), with child Profiles for "Account Executive," "Sales Engineering," "Sales Operations," and "Inside Sales." Each child Profile will have additional application entitlements specific to those roles. With these profiles configured, a workflow in policy for sales engineers can use just the "Sales Engineering" Profile, which includes the access defined by the "Sales" profile.
Executive Employees
Active Directory
Executive Employee - Manager US (Active Directory Group)
US Engineering Managers
Active Directory
Engineering - Manager US (Active Directory Group)
Azure Helpdesk Role
Azure
Helpdesk Administrator (Azure AD Role)
Google Asia Employees
Google Cloud
Google Asia Employees (Google Group)
Since workflows in Lifecycle Management policies can apply these Profiles at all stages in a user's lifecycle, defining Profiles enables Veza to serve as a source of truth for birthright entitlements for all employees. Access Profiles also define what access-granting relationships to remove from users during de-provisioning workflows.
The access granted by a Profile can be defined by both:
Explicitly-defined, application-specific entitlements, such as roles, groups, permission sets, etc., within the Profile. A single Access Profile can support granting one or more entitlements across one or more applications simultaneously.
Any entitlements inherited from a parent Profile.
The example below shows Business Roles for teams, managers, and all employees, along with Profiles for different applications. When configuring workflow actions, administrators can choose from one or more Business Profiles to assign the entitlements granted by the child Profiles.
Veza offers two types of built-in Access Profile types for defining birthright entitlements by user segments:
Profiles are a type of Access Profile for defining access-granting relationships (such as user assignments to groups or roles) within the applications you will provision to users. Profiles are intended to represent a specific set of entitlements across one or more applications that should be granted based on a user's segmentation criteria.
Profiles should be configured in coordination with the application owner, who will best understand the exact permissions and privileges granted by various groups, roles, and other entitlements in each specific application.
Business roles are a type of Access Profile used to model your organization's structure, based on a hierarchy of job functions, locations, and titles. Ideally by itself, a Business Role should not describe specific entitlements but can inherit relationships from other Profiles. These will usually be named according to logical segments that should be assigned to different applications with different levels of access, such as "Sales," "QA Contractors," or "Engineering Managers."
Business Roles can inherit Profiles to enable a hierarchical approach to birthright access management. You should draft and review Access Profiles to create a map of user entitlements for each application (such as "GitHub Developers" or "Salesforce Administrators").
Create Business Roles that align with your organizational structure, especially taking location, business unit, and functional organization into consideration. Then, configure these Business Roles to inherit Profiles that describe the birthright entitlements granted to different user populations.
To create and manage Access Profiles, go to Lifecycle Management > Access Profiles.
Click Create Access Profile
Under Access Profile Details, choose the Profile Type to create:
Business Role: Business roles are intended to represent logical units within your organizational structure, and can inherit entitlements defined in other Access Profiles. Use Business Roles to establish segmentation criteria based on location, role, business unit, or functional organization.
Profile: Profiles define entitlements that can be assigned to users in target applications, such as groups, roles, or permission sets assigned to users as birthright entitlements. Profiles cannot be inherited from other Access Profiles, but can be inherited by Business Roles. Use this profile type to define the birthright entitlements within one or more applications (such as group memberships or role assignments).
Profile Name and Description: You should follow a standard naming convention for all profiles to help identify them, describing the employee segment or applications the Access Profile applies to.
Profile Labels: Labels are available for quickly finding access profiles when configuring actions in a policy. Apply and create labels as needed to organize your Access Profiles by the employee segments and applications they apply to.
Assigned Relationships:
Click Add Relationship
Choose the type of relationship to add:
Access Profile: Use the Relationship menu to pick one or more Access Profiles to grant those business roles or entitlements. This option is not available for Access Profiles with the "Profile" type.
Relationship: Choose the target data source and specific entities the Profile will govern access to (such as Google Cloud Platform > Google Group). This option is not available for Access Profiles with the "Business Role" type.
Click Assign to save the changes.
After saving an Access Profile, you can view details, edit, or pause and resume it on the Lifecycle Management > Access Profiles page.
When configuring a policy to include the Manage Relationships action, you can choose from any active profiles for the target data source.
Configure how user attributes from a source of identity are transformed and synchronized for target user accounts
When creating workflows in Lifecycle Management policies to create, sync, or de-provision identities, you will use attribute transformers to specify how user attributes for target accounts should be structured. The target attributes to create or update are typically mapped and optionally transformed from user metadata from the source of identity, such as an identity provider, HR system, or CSV upload. Attributes can be synchronized once or kept in continuous sync as changes occur over the user’s lifetime.
For example, attribute mapping and transformation can be used across Joiner, Mover, and Leaver scenarios:
Joiner: Set new Azure AD User Principal Name to {source username}@{your-email-domain.com}. This is an example of mapping multiple attributes and performing a transformation.
Mover: Always update a user’s “Manager” and “Department” attributes in Okta to match the user’s manager and department in Workday, a source of identity, whenever a department change or other employee mobility event occurs. This is an example of attribute mapping with continuous synchronization.
Leaver: Mote a user’s Active Directory account to an OU reserved for terminated accounts.
When synchronizing a user’s attributes, Veza can apply one (or more) transformations to convert the source attribute values to a more suitable format, and apply the result within the target application as user account attribute.
For example, a transformer might remove the domain from an email address, replace special characters, or convert a string from upper case to lower case. Transformers can apply to any attribute on the target user account with the complexity varying depending on your business requirements.
See the following sections for more information about formatting destination attributes and possible transformations:
Continuous Sync keeps identity attributes in target systems up to date with your source of truth. It has three configuration levels that work together to determine how attributes are synchronized:
Workflow Level
The workflow's continuous sync setting controls change detection:
When enabled: The workflow monitors for any changes in the source system
When disabled: The workflow only runs during initial provisioning
Action Level
For Sync Identity actions, this controls whether existing entities can be updated:
When enabled: The action can update existing entities
When disabled: The action only sets attributes during initial creation
Attribute Level
Individual attributes can be configured for continuous sync:
When enabled: The attribute will be updated when changes are detected
When disabled: The attribute is only set during initial creation
All three levels must be enabled for an attribute to be continuously synchronized. For example, if you want to keep an employee's department updated:
Enable continuous sync on the workflow to monitor for changes
Enable continuous sync on the sync action to allow updates
Enable continuous sync on the department attribute transformer
Recommended Settings
Enable continuous sync for attributes that change during employment:
Employee name
Department
Title
Manager
Cost Center
AD Distinguished Name (DN)
AD User Principal Name (UPN)
AD Email
Disable continuous sync for stable identifiers:
Active Directory sAMAccountName
Email Addresses (for Email Write-Back action)
This configuration ensures that dynamic attributes stay updated while preserving stable identifiers.
As part of implementing lifecycle management processes with Veza, you should create sets of common transformers to define how values such as username, login, or ID should be sourced for each target application. These transformers can then be reused across all identity sync and de-provision workflows involving those targets. Create common transformers to consistently form attributes for specific entity types, and re-use them to avoid errors and save time when creating actions for that entity type.
For instance, defining a common synced attribute to describe how to format Azure AD account names {username}@evergreentrucks.com enables reuse across multiple workflow actions. You can also define synced attributes at the action level when they are used only once within a policy, such as setting the primary group DN and OU of de-provisioned identities to a group reserved for terminated accounts.
Common Transformer Examples:
ADAccountTransformer ActiveDirectoryUser
account_name
{display_full_name}
No
Basic account name
distinguished_name
CN={first_name} {last_name},OU={department},OU={location},DC=company,DC=local
Yes
Full AD path
user_principal_name
{username}@company.com
Yes
UPN format
{username}@company.com
Yes
Email address
OktaAccountTransformer OktaUser
login
{username}@company.com
No
Primary login
{username}@company.com
Yes
Email address
username_prefix
{first_name | SUB_STRING,0,1 | LOWER}{last_name | LOWER}
No
Username creation
AzureADTransformer AzureADUser
principal_name
{username}@company.com
No
Primary identifier
mail_nickname
{first_name | SUB_STRING,0,1 | LOWER}{last_name | LOWER}
No
Email alias
display_name
{first_name} {last_name}
Yes
Display name
GoogleAccountTransformer GoogleWorkspaceUser
{username}@company.com
No
Primary email
email_addresses
{username}@company.com
No
Email list
recovery_email
{personal_email}
Yes
Backup email
ContractorTransformer ActiveDirectoryUser
account_name
c-{username}
No
Contractor prefix
distinguished_name
CN={first_name} {last_name},OU=Contractors,OU={department},DC=company,DC=local
Yes
Contractor OU
description
Contractor - {vendor_company} - Start Date: {start_date}
Yes
Metadata
RegionalEmailTransformer ExchangeUser
email_address
{username}@{region}.company.com
No
Regional email
alias
{first_name}.{last_name}@{region}.company.com
Yes
Regional alias
Transformers can be defined at the policy level or when configuring an individual action in a workflow. To configure a transformer, add basic details as well as how to source the value of each attribute:
Give the transformer a name and description, and specify the data source it applies to.
Entity Type: Choose the target entity type in the destination system.
Click Add Attribute. The Destination Attribute dropdown will list available attributes for the chosen entity type.
Destination Attribute: Choose the attribute that Veza will create or update for the target entity.
Continuous Sync: Enabling this option always syncs the attribute, whilst applying any defined transformations. By default, attributes will not sync if the target identity is already created.
After creating a common transformer, you can select it when editing a workflow action. You can edit or delete common transformers on the Edit Policy > Common Transformers tab.
Remember that “Sync Identity” and “De-Provision Identity” actions can have action-level transformers override common transformers. If the same destination attribute is defined in both, the action-level transformer will take precedence.
Formatters specify the actual value of the attribute to synchronize. The target attribute can be set to a specific value, synchronized with a source attribute, transformed according to a function, or some combination of the three.
Note that some formatters should enable continuous synchronization for the attribute, while others should not. For example, the value of “Created By” should be immutable once a user account is provisioned. Other attributes that represent a state or status should be synchronized over the user or account lifecycle.
To create a destination attribute with a fixed value, enter the desired value when configuring the formatter.
For setting the creator attribute:
created_by
"Veza"
Disabled
For activating a re-hired employee:
active
true
Enabled
To set empty values (common for de-provisioning flows):
manager_id
" "
Enabled
active
false
Enabled
Target attributes can be updated based on attributes belonging to the source of identity. To reference the value of a source entity attribute, use the format {<source_attribute_name>}.
Examples:
first_name
{first_name}
Enabled
last_name
{last_name}
Enabled
{first_name}.{last_name}@domain.com
-
Based on the user metadata that is available from your source of identity, you may need to convert a full email address to a valid username, standardize a date, or generate a unique identifier for users provisioned by Veza. If an attribute value needs to be altered for compatibility with the target system, you can transform the value of a source attribute, or apply a range of other functions to generate the target value.
Formatter expressions use the following syntax: {<source_attribute_name> | <FUNCTION_NAME>,<param1>,<param2>}
For example:
username
{email | REMOVE_DOMAIN}
Removes domain from email to create username
user_id
{id | UPPER}
Converts ID to uppercase
Table of transformation functions
See the table below for all supported functions and parameters. Some commonly used transformation functions include:
Replacing a character with a different one
Removing domains from email addresses
Transforming to upper, lower, camel, or snake case
Using a substring from the original value
Please contact Veza if additional transformations are required for your use case.
COUNTRY_CODE_ISO3166
Transforms country code to ISO 3166 format.
Format (STRING, optional): [alpha2, alpha3, numeric], defaults to alpha2
Yes
No
COUNTRY_CODE_ISO3166("US", alpha3) results in USA
DATE_FORMAT
Transforms dates to a different format.
Output (STRING, required): Format of returned value. Input (STRING, optional): Format of input
Yes
No
DATE_FORMAT("2021-01-01", "MM/DD/YYYY") results in 01/01/2021
FIRST_N
Picks the first N characters of a string.
Length (NUMBER, required): Number of characters to return
Yes
No
FIRST_N("first_name", 4) results in firs
FROM_ENTITY_ATTRIBUTE
Transforms a string from an attribute of another entity in the graph.
EntityType (STRING, required), SourceAttribute (STRING, required), TargetAttribute (STRING, required)
Yes
No
FROM_ENTITY_ATTRIBUTE("Employee", "ID", "ManagerID") results in the Manager ID for the employee
LANGUAGE_RFC5646
Transforms language to RFC 5646 format.
None
Yes
No
LANGUAGE_RFC5646("Spanish") results in es
LAST_N
Picks the last N characters of a string.
Length (NUMBER, required): Number of characters to return
Yes
No
LAST_N("last_name", 5) results in name
LEFT_PAD
Left pads a string with a character.
Length (NUMBER, required), Pad (CHARACTER, optional): Default is space
Yes
No
LEFT_PAD("123", 5, "0") results in 00123
LOWER
Transforms string to lowercase.
None
Yes
No
LOWER("HELLO") results in hello
LOWER_CAMEL_CASE
Transforms string to lower camel case.
None
Yes
No
LOWER_CAMEL_CASE("hello world") results in helloWorld
LOWER_SNAKE_CASE
Transforms string to lowercase with underscores.
None
Yes
No
LOWER_SNAKE_CASE("Hello World") results in hello_world
NEXT_NUMBER
Generates a set of integers as strings.
BeginInteger (NUMBER, required), Length (NUMBER, required)
No
Yes
NEXT_NUMBER(5, 3) results in 5, 6, 7
PHONE_NUMBER_E164
Transforms phone number to E.164 format.
Region (STRING, optional): ISO 3166-1 alpha-2 format
Yes
No
PHONE_NUMBER_E164("+1-800-555-1212") results in +18005551212
RANDOM_ALPHANUMERIC_GENERATOR
Generates a random alphanumeric string.
Length (NUMBER, required)
No
No
RANDOM_ALPHANUMERIC_GENERATOR(8) results in a1B2c3D4
RANDOM_NUMBER_GENERATOR
Generates a random number string.
Length (NUMBER, required)
No
No
RANDOM_NUMBER_GENERATOR(4) results in 4829
RANDOM_STRING_GENERATOR
Generates a random string.
Length (NUMBER, required)
No
No
RANDOM_STRING_GENERATOR(6) results in uFkLxw
REMOVE_DIACRITICS
Removes diacritics (accents, etc.) from input string.
None
Yes
No
REMOVE_DIACRITICS("José") results in Jose
ASCII
Removes non-printable characters and replaces non-ASCII characters with their closest ASCII equivalents.
None
Yes
No
ASCII("Łukasz Gruba") results in Lukasz Gruba
REMOVE_DOMAIN
Removes the domain from an email.
None
Yes
No
REMOVE_DOMAIN("user@domain.com") results in user
REPLACE_ALL
Replaces all instances of one string with another.
Original (STRING, required), New (STRING, required)
Yes
No
REPLACE_ALL("hello world", " ", "_") results in hello_world
RIGHT_PAD
Right pads a string with a character.
Length (NUMBER, required), Pad (CHARACTER, optional): Default is space
Yes
No
RIGHT_PAD("123", 5, "0") results in 12300
SPLIT
Splits a string and returns the string at the given index.
Split String (STRING, required), Index (NUMBER, required)
Yes
No
SPLIT("first.last@domain.com", "@", 0) results in first.last
SUB_STRING
Picks a substring from the original value.
Offset (NUMBER, required), Length (NUMBER, required)
Yes
No
SUB_STRING("hello", 0, 3) results in hel
TRIM
Removes spaces before and after a string.
None
Yes
No
TRIM(" hello ") results in hello
UPPER
Transforms string to uppercase.
None
Yes
No
UPPER("hello") results in HELLO
UPPER_CAMEL_CASE
Transforms string to upper camel case.
None
Yes
No
UPPER_CAMEL_CASE("hello world") results in HelloWorld
UPPER_SNAKE_CASE
Transforms string to uppercase with underscores.
None
Yes
No
UPPER_SNAKE_CASE("hello world") results in HELLO_WORLD
UUID_GENERATOR
Generates a UUID.
None
No
No
UUID_GENERATOR() results in 123e4567-e89b-12d3-a456-426614174000
LOOKUP
Transforms a value using a lookup table.
Table Name (STRING, required), Column Name (STRING, required), Return Column Name (STRING, required)
Yes
No
LOOKUP("IL001", "locationTable", "location_code", "city") results in Chicago
The ASCII transformer is particularly useful when working with international user data or systems that have strict character limitations. This transformer performs two main operations:
Removes all non-printable characters (including control codes, zero-width spaces, tabs, and newlines)
Converts non-ASCII characters to their closest ASCII equivalents
Whereas the REMOVE_DIACRITICS transformer only removes accent marks while preserving the basic character, the ASCII transformer performs a more comprehensive conversion, replacing characters like "Ł" with "L" and handling a wider range of non-ASCII characters.
You can pipeline multiple transformation functions together, separated by a |. Each will apply in sequence, allowing for complex attribute formatters that use the output of one function as the input of another.
Example Pipeline Functions
{name | UPPER}
If name = Smith, the result is SMITH.
{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}
If first_name = John and last_name = Smith, the result is j.smith.
{email | REMOVE_DOMAIN}
If email = john.smith@domain.com, the result is john.smith.
{email | REPLACE_ALL, " ", "."}
If email = john smith@domain.com, the result is john.smith@domain.com.
{location | LOOKUP locationTable, location_code, city}
If location = IL001, the result is Chicago (using a lookup table named locationTable).
Use lookup tables to transform identity attributes for target systems
You can use Lookup transformers to convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.
For example, you might need to transform a "Location" attribute from Workday (which might be stored as location codes like "MN001") into corresponding values for country, country code, or city names in a target system.
Use Table Lookup Transformers when:
You need to map source attribute values to different values in target systems
You have standardized reference data that must be consistent across applications
You need to extract different pieces of information from a single attribute value
You have complex mapping requirements that built-in transformers cannot support
Geographic Information:
Transform location codes to country, region, city, or timezone information
Map office codes to physical addresses or facility types
Organizational Mapping:
Convert department codes to department names or business units
Map cost centers to budget codes or accounting categories
System-Specific Configurations:
Transform job titles to role designations in target systems
Convert skill codes to certification requirements or training needs
The Table Lookup Transformer references CSV-based mappings between source and destination values. When synchronizing user attributes, Veza:
Takes the source attribute value
Looks up this value in the specified lookup table
Returns the corresponding value from the designated return column
Applies this value to the target attribute
Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.
For example, a location mapping table might look like:
To create a new lookup table:
Navigate to the Lookup Tables tab within your policy configuration
Click Edit mode to enable policy changes
Click Add New to create a new lookup table
Provide a Name and optional Description for the lookup table
Drag a CSV file or click Browse to upload your reference data
Review the automatically detected column names
Click Save to store the lookup table
From the Lookup Tables tab, you can:
Edit table descriptions or upload a new CSV
Delete tables that are no longer needed
To use a Table Lookup Transformer in a common or action-synced attribute:
In Destination Attribute, choose the attribute on the target entity that will be updated
In Formatter, choose the source attribute to transform
In Pipeline Functions, specify the lookup table name, the column to match against, and the column containing values to return.
The full syntax for using lookup table transformers is:
Where:
<value> is the source attribute to transform (e.g., {location})
<table_name> is the name of the lookup table to use
<column_name> is the column in the table to match against
<return_column_name> is the column containing the value to return
Assuming a user has "location": "IL001" and a lookup table named locationTable structured as shown earlier:
You can combine lookup transformations with other transformation functions in a pipeline:
This would look up the state_code corresponding to the location value and convert it to lowercase.
If you need to handle cases where a lookup value is not found in the table, you can implement this by including a "wildcard" or default row in your lookup table:
This enables any unmatched values to return a default mapping instead of failing.
Lookup tables are immutable and automatically deleted when no longer referenced by any policy version
Multiple policy versions can reference the same lookup table (e.g., an active version and a draft version)
Lookup tables are defined at the policy level and can be referenced by any transformer within the policy
Lookup tables can have multiple columns to support different transformations from the same reference data
Standardize Naming: To use a lookup-based transformer, you will reference the table by file name. Apply consistent conventions for both the table and columns.
Document Mappings: Add descriptions for each lookup table to explain its purpose
Validate Data: Ensure lookup tables are complete and accurate before using them in transformers. Consider how lookup tables will be maintained over time, especially for values expected to change.
Configuring the Okta integration for Veza Lifecycle Management.
The Veza integration for Okta enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization.
You will need administrative access in Veza to configure the integration and grant API scopes in Okta.
Verify your Okta integration has completed at least one successful extraction
The Okta integration will need the additional required API scopes:
okta.users.manage - For user lifecycle operations
okta.groups.manage - For group membership management
To enable the integration:
In Veza, go to the Integrations overview
Search for or create an Okta integration
Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your Okta data remains current:
Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Okta in the Active Overrides section
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Okta can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow:
Primary action for user management (creating or updating users):
Login ID cannot be changed after creation
Email addresses must be unique
Required attributes must be present (login, email, first_name, last_name)
The following attributes can be synchronized:
Both adding and removing memberships are supported. Group memberships are removed in deprovisioning.
Add and remove group memberships
Synchronize group assignments
Track membership changes
When a user is deprovisioned:
User account is disabled
Group memberships are removed
Attribute history is preserved for audit
Account can be reactivated if needed
Entity Types: Okta Groups
Assignee Types: Okta Users
Supports Relationship Removal: Yes
Within Okta, groups can be associated with:
Application group assignments controlling SSO access
Permissions to resources within specific applications
Synchronized AWS SSO groups
Role-based access controls within Okta
Allows password reset operations for Okta users:
Requires the login attribute as a unique identifier
Non-idempotent action (each execution creates a new password reset event)
Will trigger Okta's standard password reset flow for the specified user
Configure the conditions and actions that execute when workflows run.
When creating Lifecycle Management Policies, you can configure workflows that define actions to execute during different employment lifecycle scenarios, such as when an employee is onboarded, changes function or role, or is withdrawn from the organization. Actions can be executed in sequence based on specific conditions, enabling you to automate onboarding and offboarding actions within Lifecycle Management, across systems in your environment.
Policies and workflows define how Veza automates identity management tasks across your environment by describing conditional actions to execute for different employee populations.
Define the overall automation framework for managing identities throughout their lifecycle
Specify which source of identity triggers the automation
Can contain multiple workflows to handle different scenarios (joiner, mover, leaver)
Support continuous synchronization to keep identities up-to-date
Enable email notifications and webhooks for action-related events
Define specific sequences of actions that execute based on trigger conditions
Handle different lifecycle scenarios (e.g., new hire onboarding, role changes, terminations)
Support conditional execution based on user attributes (department, location, role, etc.)
Allow for complex decision trees through nested conditions
Execute actions in a defined order when conditions are met
Define when specific actions should occur within a workflow
Can be based on any attribute from the source of identity
Support SCIM filter expressions for precise targeting
Can be nested to create sophisticated logic trees
Can trigger multiple actions when met
Can spawn additional conditions after successful action completion
Example Conditions for Lifecycle Management Actions:
Add to engineering groups based on department:
department eq "Engineering"Grant manager access based on role:
is_manager eq trueAssign cost center groups:
cost_center eq "IT-1234"Add to contractor AD groups:
employment_type eq "CONTRACTOR"
Represent specific tasks such as creating users, syncing attributes, or managing access
Types of actions include:
SYNC_IDENTITIES: Create/update user accounts
MANAGE_RELATIONSHIPS: Grant/revoke access
CREATE_EMAIL: Generate email addresses
DEPROVISION_IDENTITY: Disable/remove access
WRITE_BACK_EMAIL: Update source system
PAUSE: Add workflow delays
SEND_NOTIFICATION: Trigger alerts
The following workflow configuration for a Lifecycle Management Policy enables provisioning actions for Active Directory users when workers are added in Workday:
Create an Active Directory user, synchronizing attributes with the source Workday Worker
Create email addresses for new employees in Exchange Server
Update the Workday Worker and AD User records to include the new email
Grant entitlements by assigning Access Profiles according to the Worker's department
When provisioning users, Veza synchronizes attributes for active employees and creates them when provisioning AD Users. These attributes can be transformed from attributes in the source of identity (Workday):
To de-provision users, Veza moves accounts to a terminated users group and adds them to an OU for terminated employees:
Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization
Updating the distinguished_name to place leavers in a specific organizational unit (OU) like "Evergreen Termination" separates active users from inactive ones and enables the application of policies, scripts, and queries that target inactive users without affecting active employees
Note on Action Hierarchy: The "Sync Identities" action is the only action type that can be declared at the root condition level. All other actions (such as Manage Relationships, Create Email, etc.) must be defined within sub-conditions after a establishing a root condition with "Sync Identities". The UI enforces this hierarchy and will show a warning when adding non-Sync actions at the root level.
Synchronizes identity attributes between systems, with options to:
Create new identities if they don't exist
Update attributes of existing identities
Enable continuous sync to keep attributes aligned with the source of truth
Example Use Cases:
Create new user accounts in target systems when employees join
Update user attributes when information changes in HR systems
Ensure consistent user information across multiple platforms
Controls entitlements such as group memberships and role assignments for identities.
Example Use Cases:
Add users to appropriate security groups, roles, permission sets, or other access-grant entities
Remove users from groups during role changes
Update entitlements when employees move between departments
Integrates with an email provider to create email addresses for identities. This action is often used in combination with other actions in new hire and temp-to-hire workflows.
Example Use Cases:
Create corporate email accounts for new employees
Establish shared mailboxes for teams or projects
Safely removes or disables access for identities when they withdraw from the organization.
Example Use Cases:
Disable accounts when employees or contractors leave
Revoke access while maintaining audit records
Transition resources and non-human identities when owners depart
Updates HRIS or other systems with email addresses created in other actions.
Example Use Cases:
Update employee records with newly created email addresses
Sync email information back to master HR systems
Ensure consistent email records across all platforms
Introduces a deliberate delay in the workflow execution.
Example Use Cases:
Allow time for system propagation between actions
Implement rate limiting in multi-step workflows
Coordinate timing with external processes
Triggers email notifications and webhooks based on lifecycle events and action success or failure. Notifications can be added to any action type under Edit Action > Action Notification Settings.
Example Use Cases:
Alert IT staff when provisioning is complete
Notify managers of access changes
Create a service desk ticket for any manual steps
Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings.
Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. This might include hiring a new employee, terminating an existing employee, or other status changes. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate.
A policy can contain one or more workflows that run under different conditions. For example, one workflow might apply when employees enter an "Active" state (for Joiner/Re-hire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also trigger when an employee hire date is within a certain threshold, such as less than 4 days away, or relative to any other employee property within the source of identity.
For most enterprise deployments, Veza recommends:
One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
One for active users to cover Joiner and/or Mover scenarios (including Re-hire)
Another for inactive users to cover Leaver scenarios
To create a policy for a source of identity:
Go to Lifecycle Management > Policies
Click Create Policy
Give the policy a name and description
The policy name is used to identify it on the Policies list and appears in event logs
The name should indicate the source of identity the policy applies to
Choose the Data Sources the policy will apply to
Use the dropdown menu to select the source of identity that will trigger workflows in the policy
To appear on this list, the integration must have Lifecycle Management enabled and be available as a source of identity
Save the policy
To edit a policy:
Go to Lifecycle Management > Policies
Choose a policy from the list and click Edit
Configure the policy summary, details, and identity source.
Click on a tab in the policy builder to configure its settings:
Workflows: Configure the actions that trigger when there are changes in a source of identity
Common Transformers: Define shared rules for creating or updating target attributes when provisioning, syncing, or de-provisioning identities
Notifications: Configure email notifications or webhooks for the policy's workflows, with different notification rules for different types of events (e.g., "Create Identity" or "Delete Identity")
Save the policy
Use the Policies page for an overview of initial, running, and paused Policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.
To manage policies on the main Policies overview:
Go to Lifecycle Management > Policies
Find the policy you want to manage
Search for a specific policy by name
Filter to show all providers by their current state
Click the ⋮ icon in the rightmost column to expand the Actions menu
Choose to Edit, Pause, View Details, or Delete the policy
Policies contain one or more workflows that typically correspond to Active and Inactive user states. Workflows define a sequence of actions to run when a condition is met, based on events and user changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, department changes, or employee departures.
Workflows contain a tree-like sequence of conditions to meet specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.
Workflows can trigger:
As soon as an identity is detected with a matching attribute
Relative to an attribute containing a date (such as before or after a hire_date or termination_date)
Based on any attribute available from the source of identity
To add a workflow to a policy:
Edit a policy and open the Workflows tab
Click Add Workflow to open the sidebar for adding details and conditions
Use the General tab to configure workflow settings:
Workflow Details:
Name and Description: Identify the workflow's purpose
Continuous Sync: Enable to update target entities when source identity changes occur
Condition:
Workflow Condition: Specify the trigger attribute and value
Supports SCIM query syntax for filter expressions
Examples:
employment_status eq "WITHDRAWN" for terminated employees
employment_status eq "ACTIVE" for new hires and movers
Workflow Trigger Details:
Attribute to Get Execute Date: Specify when workflow actions should run
Local Time Zone Diff From UTC: Set your UTC offset
Eastern Standard Time (EST): -5
Pacific Standard Time (PST): -8
Note: US UTC offset varies during Daylight Savings Time
Trigger At Local Time Hour: Set execution time in 1-hour intervals (e.g., 6, 12, 24)
Use the Conditions tab to configure action sequences:
a. Click Add Condition to configure settings:
Condition Name: Use descriptive names (e.g., "Sync Okta Identities" or "Azure Helpdesk Role")
Continue Actions if Any Error: Enable to continue workflow despite failures
Condition Type: Choose between immediate execution or SCIM filter-based conditions
b. Configure Actions:
Choose Action Type:
New: Create an action with custom settings
Existing: Select a previously created action
Use Edit Action > Conditions for nested conditions
c. Add additional conditions as needed
Save changes:
Click Save in the left sidebar for workflow changes
Click Save on the policy details page to commit all changes
Common transformers define one or more rules to apply when synchronizing a target identity's attributes. Use them in situations where you want to create or update attributes using the same conventions across multiple sync or de-de-provision actions.
To add a common transformer:
Edit a policy and open the Common Transformers tab
Give the transformer a name and description, and specify the data source it applies to.
Choose the target Entity Type.
Click Add Attribute to specify an attribute and the value format.
Optionally, enable Continuous Sync to keep the target entity up-to-date with values from the source of truth.
Save the transformer.
Events and Actions: Lifecycle Management Actions can result in multiple events, each associated with a specific operation in a target application. An action might cause more than one event. For example, the "De-provision Identity" action for Active Directory leaver flows could result in a combination of events:
"Disable Identity" (set account to inactive)
"Sync Identity" (update DN and primary group DN)
"Remove Relationship" (remove existing profiles) events. You can review individual events and their status using the Activity Log.
Monitor individual events and their status using the Activity Log.
When events occur during the execution of a policy’s workflow, notifications can be triggered by Lifecycle Management as a means to inform stakeholders or integrate with external systems, such as triggering external automation. These notifications are configured in policies and Lifecycle Management supports email- and webhook-based notifications.
Use the Notifications tab when editing a policy to add and manage notifications at the policy level:
Choose the notification type (Email or Webhook)
Choose the event to trigger notifications:
Create Identity
Sync Identity
Add Relationship
Remove Relationship
Create Email
Change Password
Delete Identity
Disable Identity
Manage Relationships
Write Back Email
Choose the status to trigger notifications (when an event is successful, or it fails).
Customize the email or webhook settings:
Webhook:
Webhook URL: The endpoint configured to receive the webhook payload.
Webhook Auth Header: if the webhook listener requires authentication, provide it here.
Email:
Emails: Recipients added to the to field.
Extra Email Fields (Optional): Recipients added to the cc field.
Save the changes.
Note that emails and webhooks can also be configured on a per-action basis.
Introduction to Lifecycle Management with Veza
Veza's Lifecycle Management (LCM) solution empowers organizations to automate and streamline the management of user identities and access rights throughout the employee lifecycle. From onboarding to role changes and offboarding, automated LCM workflows ensure that the right people have the correct access at the right time.
Automated Provisioning and De-provisioning: Streamline granting and revoking entitlements as employees join, move within, or leave the organization
Environment-wide Synchronization: Keep user attributes and access rights consistent across applications and platforms
Customizable Workflows: Design tailored processes for different lifecycle events and user segments
Compliance and Audit Support: Maintain detailed records of access changes to support compliance and audit efforts
Integration with Identity Providers: Integrate with identity providers and HR systems, import HR data from CSV, or use a custom OAA template
Policies define the rules and actions for managing identities throughout their lifecycle. They specify what actions should occur when there are changes in a source of identity, such as when a user is created or their attributes change.
After configuring a policy for a source of identity in your organization, Veza Lifecycle Management tracks the source for changes. When employee records are added or changed, actions will trigger based on the workflows and actions specified in the policy.
Workflows are sequences of actions within a policy that execute based on specific conditions. They enable automation of lifecycle management processes such as onboarding, role changes, and offboarding.
Workflows only execute actions on users that meet specific conditions, and Policies can contain more than one Workflow. This enables you to create a single policy for your source of identity that contains multiple workflows, with one applying to new hires, another applying to terminated employees, and so on for the different JML scenarios you want to automate.
Access Profiles define sets of entitlements (such as group memberships or role assignments within a target application) that should be granted to users based on their role within the organization (or another distinguishing attribute). You can use Access Profiles to define both Business Roles – segments of employees, and Profiles – collections of entitlements in a target application.
Assigning Business Roles to the Profiles they should inherit enables you to define the birthright entitlements for different types of employees in your organization. You can then assign those Business Roles when configuring workflows that add or remove access to an application.
Lifecycle Management Actions are tasks performed within a workflow, such as creating a user account, assigning group memberships, or disabling an account. Actions can be combined to trigger in sequence when there are changes in the source of identity. Actions can run for any identity that meets the workflow conditions, or only apply when action-level conditions are met.
Transformers allow you to modify and format user attributes when synchronizing data between systems, ensuring consistency and compatibility when creating users across applications.
Lifecycle Management will provision new users with these attributes and can keep their accounts up-to-date when there are changes in the source of identity. Target entity attributes can be set to specific values or use metadata from the source of identity, and support a range of transformation functions.
This guide describes how to enable and configure Active Directory for Lifecycle Management in Veza, including supported capabilities and required configuration steps.
Active Directory integration with Lifecycle Management enables automated user provisioning, access management, and de-provisioning capabilities. This includes creating and managing AD users, group memberships, and disabling accounts when employees leave the organization.
Active Directory serves as an Identity Provider in Lifecycle Management workflows and supports custom properties defined in the integration configuration.
Controls relationships between users and Active Directory groups.
Entity Types: Active Directory Groups
Assignee Types: Active Directory Users
Supports Removing Relationships: Yes
Example Use Cases:
Add users to specific Active Directory groups to manage access
Remove users from groups when access requirements change
Synchronizes identity attributes between Active Directory and downstream systems.
Create Allowed: Yes (New user identities can be created if not found)
Supported Attributes:
Required (Unique Identifiers):
AccountName (No Continuous Sync)
DistinguishedName
UserPrincipalName
Optional:
Email, GivenName, DisplayName, SurName, Title
Description, ManagerID, PrimaryGroupDN
StreetAddress, City, StateOrProvinceName
CountryCode, PostalCode, Company
PhysicalDeliveryOfficeName, JobTitle
Department, CountryOrRegion, Office
Example Use Cases:
Create new user accounts when users are added
Keep user information synchronized across integrated systems
Safely removes or disables access when users leave or no longer need access.
Entity Type: Active Directory Users
Remove All Relationships: Yes (Removes existing group memberships)
De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)
Example Use Cases:
Disable accounts when employees leave
Remove group memberships while retaining audit information
Create a dedicated AD user with minimum required permissions:
Open Active Directory Users and Computers
Navigate to the target Organizational Unit
Right-click > New > User
Complete the new user details form
Recommended name: "Veza AD Lifecycle Manager"
Set a strong password
Uncheck "User must change password at next logon"
Grant the service account permissions to manage users in the target OUs:
Navigate to the target Organizational Unit
Right-click > Delegate Control
Click Add and enter the service account name
Select these delegated tasks:
Create, delete, and manage user accounts
Reset user passwords and force password change
Read all user information
Modify group membership
Navigate to Configurations > Integrations
Either:
Create a new Active Directory integration
Edit an existing Active Directory integration
Enable Lifecycle Management:
Check Enable Lifecycle Management
Enter the Lifecycle Management Username (service account created above)
Enter the Lifecycle Management Password
Save the configuration
Note: The AD User created for lifecycle management can be the same as the primary AD User created for extraction, provided that the user has all required permissions listed above.
Overview of supported Lifecycle Management integrations in Veza, with capabilities and supported actions for target applications and sources of identity.
This document provides an introduction to integrations supported by Veza Lifecycle Management (LCM), including their capabilities and supported actions. These integrations enable you to automate identity and access management workflows across your identity sources and target applications.
Veza's Open Authorization API (OAA) can support provisioning and deprovisioning for applications not natively supported by the Veza platform. With OAA, Veza or customers can build integrations to any application that has a suitable and accessible API or integration interface.
Identity sources are authoritative systems that provide information about user identities. While Veza does not require write permissions to the identity source of truth, some of these integrations are also supported as provisioning targets. Integrations can also allow write-back of a user's newly created email address to the user's record in the source of identity as part of the initial provisioning workflow.
Veza currently supports the following as sources of identity for Lifecycle Management workflows:
The entire catalog of Veza application integrations is Lifecycle Management-ready. Target application support in Lifecycle Management leverages Veza's existing native- and OAA-based integrations plus an intelligent shim layer in order to provide support for provisioning and de-provisioning.
As such, target application support in Lifecycle Management can be enabled for nearly every Veza-supported integration.
Validated Integrations
The following table lists the out-of-the-box, Veza-validated target application integrations for Lifecycle Management.
Other Suppported Integrations
For any Veza-supported application not listed above, please reach out to your Customer Success Manager for more details and instructions on how to enable the specific Veza integration for use with Lifecycle Management as a target application for provisioning and de-provisioning.
An Insight Point is required to enable Lifecycle Management operations and identity discovery for systems that Veza cannot access directly, such as an on-premises application server behind a firewall. The Insight Point is a lightweight connector that runs in your environment, enabling secure gathering and processing of authorization metadata for LCM tasks.
A Veza Insight Point is typically deployed as a Docker container or VM OVA, running within your network for metadata discovery and LCM job execution. This ensures secure communication between your environment and Veza.
You can configure extraction intervals for your integrations to ensure data is regularly updated for Lifecycle Management processes.
Go to Veza Administration > System Settings
In the Pipeline > Extraction Interval section, set the global extraction interval
To override the global setting for specific integrations, use the Active Overrides section
Available extraction intervals are:
Auto (hourly, but may take longer when the extraction pipeline is full)
15 Minutes
1 Hour
6 Hours
12 Hours
1 Day
2 Days
3 Days
7 Days
30 Days
To manually trigger an extraction:
Go to Integrations > All Data Sources
Search for the desired data source
Select Actions > Start Extraction
Note: Custom application payloads are extracted after the payload is pushed to Veza using the Open Authorization API.
To enable Lifecycle Management for a specific integration:
Browse to the main Veza Integrations page, or go to Lifecycle Management > Integrations
Search for the integration you want to enable
Toggle the Lifecycle Management option to Enabled
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
For more information:
Refer to individual integration documentation for detailed LCM capabilities
Consult the Lifecycle Management user guide for troubleshooting and best practices
Contact Veza support for assistance with enabling or configuring LCM for your integrations
Formatter: Choose how the destination attribute should be formatted. Specify the value, a {source_attribute}, or apply .
Pipeline Functions: Combine attribute formatters with the | character to apply more complex transformations, such as combining the first letter of a first_name and the first four characters of a last_name to generate a local username. See for more examples
This document includes steps to enable the Okta integration for use in Lifecycle Management, along with supported actions and notes. See for more details.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Okta can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from Okta with changes propagated to connected systems
The integration supports the following lifecycle management :
See for supported providers and steps to enable a Lifecycle Management data source
See for available transformation functions.
Learn more about
Learn more about
Learn more about available
Learn about
Enable Integrations: Configure your data sources and enable them for Lifecycle Management.
Define Access Profiles: Create profiles that map your organizational structure to application-specific entitlements.
Create Policies: Add policies to automate identity management processes.
Configure Workflows: Design workflows within policies to handle specific lifecycle events.
For deployment instructions, refer to the .
{location} | LOOKUP locationTable, location_code, city
"Chicago"
{location} | LOOKUP locationTable, location_code, state
"Illinois"
{location} | LOOKUP locationTable, location_code, state_code
"IL"
Value not found in lookup table
Add the missing mapping to the lookup table or add a default/wildcard entry
Incorrect column name referenced
Check the column names in your lookup table (they are case-sensitive)
Unexpected transformation results
Verify the lookup table content and ensure the correct columns are specified
SYNC_IDENTITIES
Synchronizes identity attributes between systems, with options to create new identities and update existing ones
✅
MANAGE_RELATIONSHIPS
Controls entitlements such as group memberships and role assignments for identities
✅
DEPROVISION_IDENTITY
Safely removes or disables access for identities, includes user logout support
✅
CREATE_ENTITLEMENT
Creates entitlements such as Okta groups
✅
RESET_PASSWORD
Allows password reset operations for Okta users
✅
SOURCE_OF_IDENTITY
Okta can act as a source system for identity lifecycle policies
✅
login
Yes
String
Primary login identifier
Unique identifier
Yes
String
User's email address
Unique
first_name
Yes
String
Given name
last_name
Yes
String
Family name
display_name
No
String
User's display name
user_type
No
String
User type
department
No
String
Organizational department
title
No
String
Job title
manager
No
String
Manager's name
manager_id
No
String
Manager's identifier
employee_id
No
String
Employee identifier
division
No
String
Business division
organization
No
String
Organization name
cost_center
No
String
Cost center
country_code
No
String
Country code
second_email
No
String
Secondary email address
nickname
No
String
User's nickname
unique_id
Yes
String
Group identifier
description
No
String
Group description
type
No
String
Group type
source
No
String
Group source
last_membership_updated_at
No
Timestamp
Last membership update time
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Minnetonka,OU=US,OU=Evergreen Staff,DC=evergreentrucks,DC=local
user_principal_name
username
{username}@evergreentrucks.com
username
{username}@evergreentrucks.com
display_name
display_full_name
{display_full_name}
given_name
first_name
{first_name}
sur_name
last_name
{last_name}
country_code
work_location
{work_location}
job_title
job_title
{job_title}
primary_group_dn
-
CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Evergreen Termination,OU=Evergreen Staff,DC=evergreentrucks,DC=local
primary_group_dn
-
CN=Terminated Users,OU=Evergreen Groups,DC=evergreentrucks,DC=local
Entity Type
The data source and target entity type to disable, delete, or lock
Remove All Relationships
Whether to remove existing group memberships and role assignments
Relationships to Create
Access Profile to apply after de-provisioning (e.g., move to specific groups)
Common Synced Attributes
Shared transformation rules across multiple de-provisioning actions
Action Synced Attributes
Target attributes to create, format, and modify for de-provisioned entities
Entity Type
The type of entity to update with email information
Duration in seconds
Number of seconds to pause the workflow
Notification Settings
Configure email alerts on action success and/or failure for the specified recipients
Webhook Configuration
Configure webhooks to trigger on success and/or failure by specifying the URL to send the payload and optional auth header for the POST request
Active Directory
✅
✅
✅
-
Groups, Direct Assignments
AWS IAM Identity Center
✅
✅
✅
-
Groups, Permission Sets
Microsoft Azure AD (Microsoft Entra ID)
✅
✅
✅
-
Groups, App Roles, Directory Roles
Custom Application (OAA Template)
✅
✅
✅
-
Application Groups
Custom Principal
✅
✅
✅
-
Principal Groups
Exchange Server
❌
❌
❌
Create Email
-
Exchange Online
✅
❌
❌
Create Email, Create Distribution Group
Distribution Groups
GitHub
✅
✅
❌
-
Teams, Repositories
Google Workspace (Google Cloud)
✅
✅
✅
-
Groups, IAM Roles
Okta
✅
✅
✅
-
Groups, Application Assignments
Oracle Fusion Cloud
✅
✅
✅
-
Roles, Responsibilities
PTC Windchill
✅
❌
✅
-
Groups, Roles
Salesforce
✅
✅
✅
-
Permission Sets, Profiles, Groups
SAP ECC
✅
✅
✅
-
Roles, Profiles
SCIM
✅
✅
✅
-
Groups, Roles
ServiceNow
❌
❌
❌
Custom Table Updates
-
Snowflake
✅
✅
✅
-
Roles, Warehouses
Veza
✅
✅
❌
-
Groups, Roles
Workday
✅
❌
❌
Security Groups, Business Process Security Policies
Entity Type
The data source and type of identity to sync (e.g., Okta User, Azure AD User)
Create Allowed
Whether new identities can be created if not found
Continuous Sync
Keep attributes in sync even after initial creation
Common Synced Attributes
Shared transformation rules across multiple sync actions
Action Synced Attributes
Access Profiles
Remove Existing Relationships
Whether to remove current relationships created during other Lifecycle Management actions before adding new ones
Entity Type
The type of identity to create email for
Action Synced Attributes
Sync Action Name
Reference to sync action for conflict resolution
Cloud-based identity management service
Cloud-based CRM and business application platform
Cloud-based human capital management platform
Yes
HR platform for modern businesses
Extended workforce solution
HR, payroll, and workforce management
Oracle HCM
Human capital management cloud
Yes
Neurons IT asset and service management platform
Custom human resource information system integration using OAA templates
Yes
Generic identity provider integration via OAA templates
This guide describes how to enable and configure Exchange Server for Lifecycle Management in Veza, including supported capabilities and configuration steps.
Supports the creation of email accounts for users within Exchange Server.
Entity Type: Exchange Server Users
Attributes Available for Configuration:
Identity (Required)
Alias (Optional)
Example Use Cases:
Create email accounts for new employees joining the organization
Assign email aliases to users to facilitate communication
Find the Exchange Management Shell shortcut in the Start Menu
Right-click > More > Open File Location
Right-click the shortcut icon > Properties
Copy the Target field value
Note the two important paths from the target:
PowerShell Path: (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Remote Exchange Path: (e.g., C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1)
Open IIS Manager and create a new application pool
Name the application pool
Configure the application pool:
Right-click > Advanced Settings
Under Process Model, set the Identity
Add the application to "Default Web Site"
Configure the application:
Set alias to "VezaProvisioner"
Select the application pool created above
Configure authentication:
Disable Anonymous Authentication
Enable Basic Authentication
Install the VezaProvisioner.msi installer provided by Veza support on the Exchange Server. This component handles email address creation for users provisioned in Active Directory.
Go to Configurations > Integrations
Click Add New and select Exchange Server
Complete the following fields:
Insight Point
Select if using an Insight Point to access Exchange Server
Name
Friendly name for the integration
Instance URL
https://<exchange_server_host>/VezaProvisioner
Username
Domain username with required Exchange permissions
Password
Password for the account
PowerShell Path
Path to PowerShell.exe noted in step 1
Remote Exchange Path
Path to RemoteExchange.ps1 noted in step 1
Enable Lifecycle Management by checking Enable Lifecycle Management
Save the configuration
After configuration, the Exchange Server integration will be available for use in Lifecycle Management policies, specifically for the Create Email action. This action can be used in workflows for new employee onboarding or other scenarios requiring email account creation.
This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.
Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:
Automated security group assignments for new employees
Dynamic group membership updates during role changes
Access removal during offboarding
Email synchronization between Workday and downstream systems
Workday serves as an authoritative source for employee identity information:
Entity Type: Workday Worker
Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes
Controls access to Workday security groups.
Entity Types: Workday Security Group
Assignee Types: Workday Account
Supports Relationship Removal: Yes
Updates email addresses in Workday worker records to maintain consistency with other systems.
Entity Type: Workday Worker
Purpose: Ensures Workday remains the single source of truth for employee email addresses
The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.
Log into Workday and search for Edit Business process security policy
Under Business Process Type, select Work Contact Change
Find "Initiating Action: Change Work Contact Information (REST Service)"
Create a Segment-Based Security Group
Configure the security group:
Add the security group created for Veza integration
Add "Worker" scope to Access Rights
Verify the security group appears in Initiating Action Security groups
Click OK and Done to save changes
Search for Activate Pending Security Policy Changes
Review changes, add a comment, and click OK
Verify changes in Business Process Security Policy
Add these Domain Permissions to the security group:
View and Modify
Workday Query Language
View and Modify
Person Data: Work Email
View and Modify
Person Data: Work Contact Information
View and Modify
Worker Data: Staffing
View and Modify
Worker Data: Public Worker Reports
Get Only
Security Configuration
Get Only
Business Process Administration
View and Modify
Security Administration
View and Modify
Workday accounts
View and Modify
Special OX Web Services
Get and Put
User-Based Security Group Administration
Open Edit API Client
Add required scopes:
Staffing
Contact Information
System
Tenant Non-Configurable
Organizations and Roles
Navigate to Configurations > Integrations
Either:
Create a new Workday integration
Edit an existing Workday integration
Enable Lifecycle Management:
Check Enable Lifecycle Management
The integration uses these API endpoints for email write-back:
For general metadata discovery, WQL queries access:
allWorkdayAccounts
allWorkers
securityGroups
domainSecurityPolicies
businessProcessTypes
Workday Workers are the primary entity for identity information
Bidirectional management of Account-Security Group relationships is supported
Email write-back operates on Worker entities, not Account entities
Custom attribute availability depends on your Workday configuration
The Sync Identities action is not currently supported for Workday
Configuring the Salesforce integration for Veza Lifecycle Management.
The Veza integration for Salesforce enables automated user lifecycle management across your identity ecosystem. This integration allows security and IT teams to automate the provisioning, updating, and deprovisioning of Salesforce user accounts based on changes in an authoritative source (such as an HRIS system or another identity provider).
Key capabilities include:
User Provisioning: Automatically create Salesforce user accounts with appropriate profiles and permissions
Attribute Synchronization: Keep user details in sync across systems, ensuring data consistency
Permission Management: Assign and remove permission sets and roles based on policies
User Deprovisioning: Safely disable access when users leave the organization
The integration leverages the SCIM protocol for standardized identity management operations and uses Salesforce-specific APIs for permission management.
SYNC_IDENTITIES
Synchronizes identity attributes between systems, with options to create new identities and update existing ones
✅
MANAGE_RELATIONSHIPS
Controls entitlements such as permission set assignments, role assignments, and profile assignments for identities
✅
DEPROVISION_IDENTITY
Safely freezes or disables access for identities, includes user deactivation support
✅
CREATE_ENTITLEMENT
Creates entitlements such as Salesforce permission sets
❌
SOURCE_OF_IDENTITY
Salesforce can act as a source system for identity lifecycle policies
✅
This document includes steps to enable the Salesforce integration for Lifecycle Management, along with details on supported actions and notes.
Before configuring the integration, ensure you have:
Administrative access in Veza to configure the integration
At least one successful extraction from your Salesforce integration
The appropriate permissions in Salesforce
Salesforce API v40 or later for user provisioning
The Salesforce integration will need the following permissions:
Assign Permission Sets: Enables assignment and removal of permission sets for users.
Freeze Users: Enables freezing and unfreezing user accounts.
Manage Internal Users: Required for user creation and updates.
Manage IP Addresses: Required for managing trusted IP ranges if IP restrictions are used.
Manage Login Access Policies: Required for configuring login access policies.
Manage Password Policies: Required for setting and resetting passwords during user creation.
Manage Profiles and Permission Sets: Required for permission set and profile assignment.
Manage Roles: Required for role assignments and management.
Manage Sharing: Required for managing sharing rules and access control.
Manage Users: Essential for user lifecycle operations.
Monitor Login History: Required for monitoring user logins.
Reset User Passwords and Unlock Users: Required for account management.
View All Profiles: Required to view profile information for all users.
View All Users: Required to view all user information.
In Salesforce, you can add these permissions for the Veza connected app in the System Permissions section at the bottom of the Permission Set configuration page.
Veza Lifecycle Management uses Salesforce SCIM APIs for identity provisioning operations. The SCIM protocol enables the automated exchange of user identity data between Veza and Salesforce. The permissions listed above provide the necessary access for SCIM functionality.
The Connected App used for the integration must have OAuth scopes that include api and refresh_token permissions and a certificate for JWT-based authentication
To make the required API calls, the integration requires a custom user profile in Salesforce with "API Enabled" permission
To enable the integration:
In Veza, go to the Integrations overview.
Check the box to Enable usage for Lifecycle Management.
Save the configuration.
Configure the extraction schedule to ensure your Salesforce data remains current:
Go to Veza Administration > System Settings.
In Pipeline > Extraction Interval, set your preferred interval.
Optionally, set a custom override for Salesforce in the Active Overrides section.
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.
Search for the integration and click the name to view details.
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.
Veza's Salesforce integration implements the SCIM 2.0 protocol to standardize identity management operations:
Users are represented with standard SCIM core attributes plus Salesforce-specific Enterprise extensions
The system uses email addresses as the primary key for user lookups
Usernames cannot be changed after creation and must be unique within the Salesforce instance
User profiles are managed through SCIM entitlements
User roles are handled through SCIM roles endpoints
User Deprovisioning is implemented as deactivation (setting active=false)
Permission sets are assigned through Salesforce API calls after user creation
Salesforce can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Salesforce, with changes propagated to connected systems.
Salesforce can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow:
Primary action for user management (creating or updating users):
Usernames cannot be changed after creation.
Email addresses must be unique.
Required attributes must be present (Username, Email, FirstName, LastName).
Passwords are set during user creation.
Division and Department attributes are excluded during updates due to Salesforce API limitations.
Salesforce does not support changing usernames after creation.
The following attributes can be synchronized:
username
Yes
String
Primary login identifier
Unique identifier
emails
Yes
String List
User's email addresses
first_name
Yes
String
Given name
last_name
Yes
String
Family name
profile_id
Yes
String
User's profile ID
is_active
No
Boolean
Account status
department
No
String
Organizational department
user_role_id
No
String
User's role ID
The following relationship types are supported:
Groups: Add and remove group memberships (only for groups with Group Type = Regular).
Permission Sets: Add and remove permission set assignments.
Permission Set Groups: Add and remove permission set group assignments.
Profiles: Manage profile assignments.
User Roles: Synchronize user role assignments.
Notes:
Profile and role assignments are managed via SCIM and Salesforce APIs.
When removing a profile assignment, users are assigned the "Minimum Access - Salesforce" profile by default. This profile must exist in your Salesforce instance for profile changes to work properly.
Only Salesforce groups with the property Group Type = Regular can be used in Manage Relationships configurations.
Groups of type RoleAndSubordinatesInternal are not supported but can be assigned through their corresponding roles.
Direct creation of permission sets ("Create Entitlement" action) is not currently supported.
When a user is deprovisioned:
The user account is frozen or deactivated (Salesforce does not allow user deletion).
Permission set assignments are removed.
Attribute history is preserved for audit.
The account can be reactivated if needed.
Create, format, and modify the specified target attributes. See for more details
Groups or roles to add the identity to. See for more details about managing birthright entitlements
Define how email attributes should be formatted. See for more details
If using custom attributes, configure them in the section
An existing in Veza or add a new one
For additional details about Salesforce's SCIM implementation, refer to the .
Search for or create a integration.
Ensure the integration permission set includes the .
The integration supports the following lifecycle management :
