1 of 53

Lifecycle Management

Introduction to Lifecycle Management with Veza

Veza's Lifecycle Management (LCM) solution empowers organizations to automate and streamline the management of user identities and access rights throughout the employee lifecycle. From onboarding to role changes and offboarding, automated LCM workflows ensure that the right people have the correct access at the right time.

Key features

Automated Provisioning and De-provisioning: Streamline granting and revoking entitlements as employees join, move within, or leave the organization
Environment-wide Synchronization: Keep user attributes and access rights consistent across applications and platforms
Customizable Workflows: Design tailored processes for different lifecycle events and user segments
Compliance and Audit Support: Maintain detailed records of access changes to support compliance and audit efforts
Integration with Identity Providers: Integrate with identity providers and HR systems, import HR data from CSV, or use a custom OAA template

In this section

Topic

Description

Reference documentation:

- Conceptual guide to the different evaluation systems
- SCIM filter syntax for workflow conditions
- Complete list of transformation functions

Core concepts

Policies

Policies define the rules and actions for managing identities throughout their lifecycle. They specify what actions should occur when there are changes in a source of identity, such as when a user is created or their attributes change.

After configuring a policy for a source of identity in your organization, Veza Lifecycle Management tracks the source for changes. When employee records are added or changed, actions will trigger based on the workflows and actions specified in the policy. Learn more about .

Workflows

Workflows are sequences of actions within a policy that execute based on specific conditions. They enable automation of lifecycle management processes such as onboarding, role changes, and offboarding.

Workflows only execute actions on users that meet specific conditions, and Policies can contain more than one Workflow. This enables you to create a single policy for your source of identity that contains multiple workflows, with one applying to new hires, another applying to terminated employees, and so on for the different JML scenarios you want to automate. Learn more about .

Access Profiles

Access Profiles define sets of entitlements (such as group memberships or role assignments within a target application) that should be granted to users based on their role within the organization (or another distinguishing attribute). You can use Access Profiles to define both Business Roles – segments of employees, and Profiles – collections of entitlements in a target application.

Assigning Business Roles to the Profiles they should inherit enables you to define the birthright entitlements for different types of employees in your organization. You can then assign those Business Roles when configuring workflows that add or remove access to an application. Learn more about .

Actions

Lifecycle Management Actions are tasks performed within a workflow, such as creating a user account, assigning group memberships, or disabling an account. Actions can be combined to trigger in sequence when there are changes in the source of identity. Actions can run for any identity that meets the workflow conditions, or only apply when action-level conditions are met. Learn more about available .

Attribute transformers

Transformers allow you to modify and format user attributes when synchronizing data between systems, ensuring consistency and compatibility when creating users across applications.

Lifecycle Management will provision new users with these attributes and can keep their accounts up-to-date when there are changes in the source of identity. Target entity attributes can be set to specific values or use metadata from the source of identity, and support a range of transformation functions. Learn about .

Conditions and transformers

Lifecycle Management uses several systems that evaluate identity attributes, each serving a distinct purpose:

Workflow Conditions: SCIM filter expressions that determine whether workflows and actions execute (e.g., is_active eq true). Output is boolean.
Attribute Transformers: Formatter expressions that determine what value an attribute should have (e.g., {first_name | UPPER}). Output is a string.

These systems can work together. For example, workflow conditions can embed transformer syntax for dynamic date comparisons. For a guide to when and how to use each, see .

Notifications

Customize email notifications sent during Lifecycle Management events and Access Request workflows. You can personalize messaging, add branding, and include event-specific information through placeholders. Learn more about .

Getting started

Enable Integrations: Configure your data sources and enable them for Lifecycle Management.
Define Access Profiles: Create profiles that map your organizational structure to application-specific entitlements.
Create Policies: Add policies to automate identity management processes.

For an overview of Lifecycle Management configuration using Okta, Workday, and Active Directory, see .

For API documentation, see .

Policies and Workflows

Configure automation policies, workflow triggers, notifications, and access reviews in Lifecycle Management

Policies define the rules and actions for managing identities throughout their lifecycle. Workflows within policies execute based on specific conditions, automating processes such as onboarding, role changes, and offboarding.

In this section

Topic

Description

Deprovision Identity

Disable or suspend user accounts while preserving audit trails.

Disables or suspends user accounts in target systems when employees or contractors leave the organization. Unlike , which permanently removes accounts, Deprovision Identity preserves the account and its audit history while revoking access — allowing for potential reactivation if needed.

Example Use Cases:

Disable Active Directory accounts and move leavers to a terminated users OU
Suspend Okta accounts while preserving group membership history for audit

Custom Action

Execute integration-specific operations such as ServiceNow table inserts.

Executes integration-specific operations that extend beyond standard Lifecycle Management action types. CUSTOM_ACTION enables integrations to define specialized operations with flexible attribute schemas tailored to their unique capabilities.

CUSTOM_ACTION currently supports ServiceNow only. For generic HTTP requests to external APIs, use the action instead.

Example Use Cases:

Insert records into ServiceNow tables when employees join or change roles
Create ServiceNow incidents or requests as part of onboarding workflows
Update ServiceNow CMDB records during employee lifecycle events
Log audit records for compliance tracking

Setting

Description

Supported Integrations:

Integration

Custom Action Capability

Documentation

For detailed configuration examples including incident creation and audit logging, see .

Write Back Email

Update HRIS systems with email addresses created during onboarding workflows.

Updates HRIS or identity source systems with email addresses created by previous Create Email actions in the same workflow. This ensures the source of identity (such as Workday) has the employee's new corporate email address, keeping records consistent across systems.

Example Use Cases:

After creating an Exchange Server mailbox during onboarding, write the new email address back to the Workday Worker record
Update an OAA-based HRIS source with email addresses generated by provisioning workflows

Setting

Description

Supported Integrations:

Integration

Notes

Example: Exchange Server onboarding with email write-back

In a typical Workday-to-Active Directory onboarding workflow, Write Back Email is the third step:

Sync Identities — creates the AD user account from the Workday Worker
Create Email — creates an Exchange Server mailbox (generates the email address)
Write Back Email — writes the new email address back to the Workday Worker record

This ensures that the Workday record reflects the employee's corporate email immediately after onboarding, without manual HR data entry.

For the full workflow configuration, see the in the Actions overview. For Exchange Server setup, see .

Send REST Request

Make HTTP requests to external APIs and services as part of provisioning workflows.

Makes HTTP requests to external APIs and services as part of provisioning workflows. This action enables integration with custom applications, webhooks, and REST-based services that support identity management operations.

Example Use Cases:

Notify external systems when users are created or updated in target systems
Trigger custom provisioning workflows in third-party applications
Send identity data to SCIM endpoints for user synchronization
Create service desk tickets for manual provisioning steps
Execute webhooks to coordinate multi-system workflows
Extract response data (like user IDs) from external systems for use in downstream actions

Setting

Description

Variable Substitution

When constructing the webhook URL and JSON payload, you can reference identity attributes using curly brace syntax. Two sources of attributes are available specifically for this URL and payload context:

Source-of-identity (SOI) attributes: Attributes from the identity source triggering the workflow (e.g., Workday worker fields, Okta user attributes).
Sync Identities output entity attributes: When a Sync Identities action precedes this action in the same workflow, attributes from the provisioned or updated target user (such as Active Directory user attributes) are also available. See below.

Available transformations include UPPER, LOWER, TRIM, and accessing nested attributes with dot notation, such as {Manager.email}. See for complete transformation syntax.

Note: If any placeholder in the URL or payload cannot be resolved (e.g., due to missing attributes), the entire transformation is skipped and the original URL is used without any substitution. The system logs a warning for troubleshooting. Ensure all referenced attributes exist in the source of identity to enable proper variable substitution.

Form field substitution (Access Requests only)

When a Send REST Request action is configured as part of an Access Request , the JSON payload can reference form field values submitted by the requester. This enables dynamic payloads where the requester provides values (such as a role name or resource ID) at request time, and those values are injected into the API call.

Use the {$form_field.field_name} syntax in the JSON payload, where field_name matches a field defined in the catalog definition's form fields.

To configure form field substitution:

Create a Send REST Request action in a provisioning policy with placeholders in the JSON payload:
Create a Send REST Payload and add form fields with names that match the placeholders (e.g., role_name, role_id).
When a user submits an access request using this catalog definition, they fill in the form fields. The submitted values replace the corresponding {$form_field.*}

Form field substitution applies to the JSON payload only. It does not apply to the webhook URL or authorization header. Field names must contain only letters, numbers, and underscores (role_name is valid, role-name is not). If a placeholder references a field that was not provided in the access request, the placeholder is left unchanged in the payload.

Standard Active Directory attributes available for substitution

The following attributes are populated on the sync_identities output entity for Active Directory integrations and can be used in variable substitutions:

Attribute key

Description

Custom properties defined in the integration configuration are also available, using the key customprop_<property_name> (where <property_name> is the property's format name as configured).

Response Handling

When "Add Response to Output Entities" is enabled, the action parses JSON responses and extracts specified entity data. This enables chaining actions where one API call creates a resource and returns an identifier that subsequent actions can reference.

For example, if a user creation API returns:

Configure the action with:

Response Entity Attribute: result
Response ID Attribute: user_id
Response Name Attribute: display_name

The extracted entity becomes available to downstream workflow actions.

HTTP Method Guidelines

GET: Query operations, typically without payload; use for checking resource state or retrieving data. Does not set workflow change flags
POST: Create new resources; requires JSON payload; sets both AnyCreated and AnyChanges flags that can trigger downstream actions with "Only Send if Any Upstream Changes" enabled
PUT

Workflow Integration: The AnyCreated and AnyChanges flags enable conditional workflow execution. Actions configured with "Only Send if Any Upstream Changes" will only execute when a previous action has set these flags, allowing you to build sophisticated conditional workflows (e.g., only send a notification webhook if a user was actually created, not just updated).

Authentication Patterns

The authorization header supports common authentication methods:

No Authentication: Leave the authorization header empty when connecting to endpoints that don't require credentials, such as internal services or pre-authenticated URLs
Bearer Token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
API Key: X-API-Key: secret-key-123 or Authorization: ApiKey sk-prod-xyz

Limitations

Only JSON payloads are supported (no XML, form-data, or other formats)
Authentication must be header-based (OAuth flows requiring user interaction are not supported)
Response parsing requires valid JSON if "Add Response to Output Entities" is enabled

Example: Suspend Okta users via REST API

The Send REST Request action can call Okta lifecycle APIs to suspend users, enabling workflows that handle leave of absence (LOA) scenarios before native Suspend action support is available.

Configuration:

Setting

Value

Send Notification

Trigger email notifications and webhooks based on lifecycle events and action outcomes.

Triggers email notifications and webhooks based on lifecycle events and action success or failure. Notifications can be added to any action type under Edit Action > Action Notification Settings.

Example Use Cases:

Alert IT staff when provisioning is complete
Notify managers of access changes

Create Access Review

Automatically create access review campaigns during lifecycle events.

Automatically creates access review campaigns during lifecycle events. This action bridges Lifecycle Management with Veza Access Reviews, enabling automated certification workflows triggered by identity lifecycle changes.

Example Use Cases:

Review contractor access 30 days after onboarding to ensure appropriate permissions
Certify elevated permissions after role changes or promotions

Get Node From Graph

Query the Veza Access Graph for entities during workflow execution.

Queries the Veza Access Graph for entities during workflow execution. This is a read-only lookup that does not create or modify entities. Retrieved nodes are available to subsequent actions and conditions in the workflow.

Example Use Cases:

Verify a user exists and is active in a target system before submitting a provisioning request (e.g., check that a JiraUser is active before creating a Jira ticket)
Look up entity attributes from the graph to use in downstream transformer expressions
Check if a role or group exists before attempting to assign it

Setting

Description

The SCIM filter supports dynamic template variables (e.g., {attribute_name}) that resolve at runtime using values from previous actions. See for details on template syntax.

Example: Verify Jira User Before Provisioning

This example shows a workflow that checks if a user exists and is active in Jira before submitting a provisioning request:

Trigger condition: employment_status eq "ACTIVE" — fires for new hires or active employees
Get Node From Graph action: Query for JiraUser with filter email eq {email} — looks up the user by their email address in the Jira integration

Output and Downstream Usage

Each retrieved node is an entity from the Access Graph with the following data:

Field

Description

Retrieved nodes are added to the workflow context and can be used in three ways:

1. Condition branching

Use to check whether the action returned any nodes of a given type, or to check the graph directly. These conditions control which subsequent actions execute.

2. Filter template variables in subsequent actions

Subsequent Get Node From Graph or actions can reference retrieved node attributes in their SCIM filters and payloads using transformer template variables. The transformer service resolves {EntityType.attribute} expressions against the accumulated nodes.

For example, if a Get Node From Graph action retrieved an OktaUser node with login = "[email protected]", a subsequent action's filter could reference {OktaUser.login} to use that value.

Note: The entity type prefix is case-sensitive and must match the graph type exactly (e.g., OktaUser, not oktauser). Attribute names are case-insensitive.

3. Chaining multiple graph lookups

Multiple Get Node From Graph actions can run in sequence. Each action's results accumulate in the workflow context, so later actions and conditions can reference nodes from any earlier action. This enables multi-step lookups — for example, first look up a user, then look up their manager.

Test Policies with Dry Run

Safely preview policy changes and validate workflow logic before enabling policies in production

Overview

This guide explains how to use dry run simulations to test Lifecycle Management policies before enabling them in production. Dry run evaluates workflow logic and shows what actions would occur without making actual changes to target systems.

Use dry run testing to:

Disable Workflows and Actions

Temporarily pause specific workflows or actions in a policy without removing configuration

Overview

This guide explains how to disable individual workflows or actions within a Lifecycle Management policy. Disabling allows you to temporarily pause specific parts of a policy without deleting or modifying the underlying configuration.

Use this option when developing workflows to support:

Managing gradual rollouts: Enable actions one at a time to verify each step before activating the next
Troubleshooting issues: Isolate problematic actions without removing configuration
Implementing seasonal policies: Temporarily disable workflows that only apply during certain periods
Workflow Testing: Disable production actions while testing new workflow logic

Disable a workflow

Disabling a workflow prevents it from running during policy execution. All conditions and actions within the workflow are also skipped.

Go to Lifecycle Management > Policies.
Select a policy and click Edit Workflow.
Toggle the workflow's Enabled control to disabled.

The policy editor displays disabled workflows and actions with a "Disabled" tag.

Disable an action

You can also disable specific actions within a workflow without disabling the entire workflow. When you disable an action, any nested conditions and actions under the disabled action are also skipped, but other actions in the workflow continue to run normally.

Open the workflow editor.
Select the action you want to disable.
Toggle the Enabled control in the action settings.
Click Save

Test disabled workflows with dry run

Disabled workflows are evaluated by default during dry run simulations. This allows you to preview what would happen if you re-enabled a disabled workflow and validate trigger conditions and action configurations before making them active.

When you run a dry run simulation, the results show what actions would run if the workflow were enabled.

Re-enable a workflow or action

To re-enable a disabled workflow or action, toggle the Enabled control back to enabled and save.

Lifecycle Management

Introduction to Lifecycle Management with Veza

Key features

Automated Provisioning and De-provisioning: Streamline granting and revoking entitlements as employees join, move within, or leave the organization
Environment-wide Synchronization: Keep user attributes and access rights consistent across applications and platforms
Customizable Workflows: Design tailored processes for different lifecycle events and user segments
Compliance and Audit Support: Maintain detailed records of access changes to support compliance and audit efforts
Integration with Identity Providers: Integrate with identity providers and HR systems, import HR data from CSV, or use a custom OAA template

In this section

Topic

Description

Reference documentation:

- Conceptual guide to the different evaluation systems
- SCIM filter syntax for workflow conditions
- Complete list of transformation functions

Core concepts

Policies

Workflows

Access Profiles

Actions

Attribute transformers

Transformers allow you to modify and format user attributes when synchronizing data between systems, ensuring consistency and compatibility when creating users across applications.

Conditions and transformers

Lifecycle Management uses several systems that evaluate identity attributes, each serving a distinct purpose:

Workflow Conditions: SCIM filter expressions that determine whether workflows and actions execute (e.g., is_active eq true). Output is boolean.
Attribute Transformers: Formatter expressions that determine what value an attribute should have (e.g., {first_name | UPPER}). Output is a string.

These systems can work together. For example, workflow conditions can embed transformer syntax for dynamic date comparisons. For a guide to when and how to use each, see .

Notifications

Getting started

Enable Integrations: Configure your data sources and enable them for Lifecycle Management.
Define Access Profiles: Create profiles that map your organizational structure to application-specific entitlements.
Create Policies: Add policies to automate identity management processes.

For an overview of Lifecycle Management configuration using Okta, Workday, and Active Directory, see .

For API documentation, see .

Send REST Request

Make HTTP requests to external APIs and services as part of provisioning workflows.

Example Use Cases:

Notify external systems when users are created or updated in target systems
Trigger custom provisioning workflows in third-party applications
Send identity data to SCIM endpoints for user synchronization
Create service desk tickets for manual provisioning steps
Execute webhooks to coordinate multi-system workflows
Extract response data (like user IDs) from external systems for use in downstream actions

Setting

Description

Variable Substitution

Source-of-identity (SOI) attributes: Attributes from the identity source triggering the workflow (e.g., Workday worker fields, Okta user attributes).
Sync Identities output entity attributes: When a Sync Identities action precedes this action in the same workflow, attributes from the provisioned or updated target user (such as Active Directory user attributes) are also available. See below.

Available transformations include UPPER, LOWER, TRIM, and accessing nested attributes with dot notation, such as {Manager.email}. See for complete transformation syntax.

Note: If any placeholder in the URL or payload cannot be resolved (e.g., due to missing attributes), the entire transformation is skipped and the original URL is used without any substitution. The system logs a warning for troubleshooting. Ensure all referenced attributes exist in the source of identity to enable proper variable substitution.

Form field substitution (Access Requests only)

Use the {$form_field.field_name} syntax in the JSON payload, where field_name matches a field defined in the catalog definition's form fields.

To configure form field substitution:

Create a Send REST Request action in a provisioning policy with placeholders in the JSON payload:
Create a Send REST Payload and add form fields with names that match the placeholders (e.g., role_name, role_id).
When a user submits an access request using this catalog definition, they fill in the form fields. The submitted values replace the corresponding {$form_field.*}

Standard Active Directory attributes available for substitution

The following attributes are populated on the sync_identities output entity for Active Directory integrations and can be used in variable substitutions:

Attribute key

Description

Custom properties defined in the integration configuration are also available, using the key customprop_<property_name> (where <property_name> is the property's format name as configured).

Response Handling

For example, if a user creation API returns:

Configure the action with:

Response Entity Attribute: result
Response ID Attribute: user_id
Response Name Attribute: display_name

The extracted entity becomes available to downstream workflow actions.

HTTP Method Guidelines

GET: Query operations, typically without payload; use for checking resource state or retrieving data. Does not set workflow change flags
POST: Create new resources; requires JSON payload; sets both AnyCreated and AnyChanges flags that can trigger downstream actions with "Only Send if Any Upstream Changes" enabled
PUT

Workflow Integration: The AnyCreated and AnyChanges flags enable conditional workflow execution. Actions configured with "Only Send if Any Upstream Changes" will only execute when a previous action has set these flags, allowing you to build sophisticated conditional workflows (e.g., only send a notification webhook if a user was actually created, not just updated).

Authentication Patterns

The authorization header supports common authentication methods:

No Authentication: Leave the authorization header empty when connecting to endpoints that don't require credentials, such as internal services or pre-authenticated URLs
Bearer Token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
API Key: X-API-Key: secret-key-123 or Authorization: ApiKey sk-prod-xyz

Limitations

Only JSON payloads are supported (no XML, form-data, or other formats)
Authentication must be header-based (OAuth flows requiring user interaction are not supported)
Response parsing requires valid JSON if "Add Response to Output Entities" is enabled

Example: Suspend Okta users via REST API

The Send REST Request action can call Okta lifecycle APIs to suspend users, enabling workflows that handle leave of absence (LOA) scenarios before native Suspend action support is available.

Configuration:

Setting

Value

Identity Override Attributes

Overview

This guide explains how to configure identity override attributes in Lifecycle Management to address scenarios where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment for policy execution.

Identity override attributes allow Lifecycle Management administrators to override the value of any user attribute set at the source of identity. These overrides take precedence over actual values during Lifecycle Management workflows.

Problem scenarios for attribute overrides

Identity override attributes address operational challenges where the source of identity doesn't immediately reflect ground truth:

Incorrect or slow-to-update attributes:
- Employee termination: An employee has been terminated and needs immediate deprovisioning, but the termination status is not yet reflected at the source of identity
- Role changes: An employee has immediately changed roles and needs new birthright access, but the role change and the new manager haven't been updated in the source system

Before you start

Before you configure identity override attributes, verify that override values comply with organizational policies and data standards, and assess the downstream impact of attribute changes. Ensure:

You have administrative access to Veza Lifecycle Management
You understand which source identity attributes need to be overridden
You have identified the specific identities requiring attribute overrides
You understand that overrides only affect Lifecycle Management workflows, not Access Visibility

Configure identity override attributes

Veza supports overrides for various property types from the source of identity:

Text properties (e.g., Department, Manager, Job Title)
Date properties (e.g., Activated At, Hire Date, End Date)
Numeric properties (e.g., Employee ID)

Create attribute overrides for individual identities

You can view, create, edit, and delete overrides from the identity details view.

Click Lifecycle Management in the navigation sidebar, then select the Identities tab.
Locate the identity requiring an attribute override.
2.1. Use the Search by name field to find the specific user
2.2. Click on the identity name to show more information in the sidebar
2.3 Click Details to open the expanded details view

The identity details view provides visibility into both original and overridden values. A visual indicator will highlight any attributes with overrides:

Properties: Use this tab to show side-by-side comparisons of actual values from the source of identity and override values
Overview: This tab includes a consolidated view of all active overrides for an identity

Update existing overrides

To change the value of an attribute override:

Navigate to the identity's Properties tab. Access the same identity detail view where you created the override.
Locate the attribute with an active override. Find the attribute showing "yes" in the Override column.
Edit the override value.
3.1. Click the Actions menu (three dots) for the overridden attribute

3.3. Modify the Override Value in the dialog 3.4. Click Save to apply the changes

Cancel attribute value overrides

To remove an override:

Access the identity's Properties tab. Navigate to the identity detail view with active overrides.
Identify the override to remove. Locate the attribute with "yes" in the Override column.
Clear the override.
3.1. Click the Actions menu (three dots) for the overridden attribute

The attribute will revert to using the source of identity value, and the Override column will show "no".

Important considerations

Override scope and limitations

The current implementation supports overrides at the individual identity level. Note that any attribute overrides are not reflected in the Veza Access Graph.

Lifecycle Management only: Attribute overrides affect only Lifecycle Management workflows and policy execution
Access Visibility unchanged: The Access Graph and Access Visibility features continue to use the actual source of identity values
Source system independence: Overrides do not modify data in the originating identity providers or HR systems

Operational best practices

You should typically use overrides as temporary measures while addressing root causes in source systems. Maintain clear records of why each override was implemented and the business justification.

Consider the following best practices when implementing attribute overrides:

Regular review process: Establish periodic audits of active overrides to ensure they're still necessary
Monitor policy impact: Review workflow execution logs to confirm that overrides produce expected policy outcomes. You can review the identity details Activity tab and Lifecycle Management Activity Logs to ensure that override values are applied as expected during provisioning, deprovisioning, and other lifecycle actions.
Emergency response procedures: Establish clear protocols for when and how to use overrides in approved scenarios.

Custom Application with SCIM (OAA)

Enable SCIM-based provisioning for custom applications with Open Authorization API

Overview

Veza can automate user provisioning and de-provisioning for any application that uses the Open Authorization API (OAA) for data gathering and authorization modeling, and exposes SCIM-compliant endpoints for user and group management.

This enables organizations to:

Use your application's existing SCIM endpoints for automated provisioning operations
Model complex authorization structures using OAA's flexible templates (applications, resources, permissions, custom properties) for Access Graph visibility, Access Reviews, and other Veza features.
Gather authorization metadata using a variety of methods (custom connectors, APIs, manual JSON payloads, CSV files)

Supported Actions

Action Type

Supported

Description

See for details on each action type.

Enabling Lifecycle Management for Custom Applications (OAA SCIM)

Prerequisites

Administrative access in Veza to configure the integration
An existing integration in Veza with at least one successful extraction
Your custom application must expose SCIM 2.0-compliant endpoints; see below

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for your custom OAA application integration
Check the box to Enable usage for Lifecycle Management

To verify the configuration:

Open Lifecycle Management > Integrations
Search for the integration and click to view details
In the Properties panel, verify Lifecycle Management Enabled is active

Lifecycle Management and Access Requests with Open Authorization API

There are several potential ways to integrate a custom application for automated lifecycle management and access requests:

External SCIM for Open Authorization API: You may build your OAA integration using the custom application template and leverage dedicated SCIM endpoints for user and group management. This is useful when you need full control over how authorization metadata is represented in the Veza Access Graph:
- Your application supports SCIM, and you want to model a wider range of authorization entities and metadata (e.g., credentials, resources) than the Veza SCIM integration supports.
- You already have a custom OAA integration and want to add provisioning capabilities using SCIM.

Aspect

External OAA with SCIM Write-Back

Built-In SCIM Connector

This document describes how to enable External SCIM for an Open Authorization API integration, and supported actions.

How It Works

Data Gathering (OAA):

You will need to design and build a custom integration to publish information about the application to the Veza Access Graph:

The payload can include local users, groups, permissions, resources, and complex authorization relationships
Data can be gathered from any source: APIs, databases, configuration files, etc.

See the rest of the Open Authorization API documentation for examples and best practices when designing and deploying custom integrations.

Lifecycle Management (SCIM):

You can enable the SCIM connection at the custom provider level:

Setting provisioning: true and external_lifecycle_management_type: SCIM for the custom provider enables Veza to use your application's SCIM endpoints for provisioning
Provide SCIM connection information and credentials (configuration_json)
Veza maps lifecycle actions to SCIM operations (

Important: When configuring a custom application for SCIM integration, the OAA payload structure (Application template) and SCIM configuration serve different purposes:

The OAA Payload (push_application() or API push) defines local users, groups, permissions, and resources used for visibility and authorization modeling in Veza, and can be updated independently.
The SCIM Configuration (configuration_json) for the custom provider defines how to connect to SCIM endpoints (including authentication, URL, and endpoint paths), and is used only for lifecycle management and access request operations.

Both must be consistent (describe and contain the same users and groups), but are configured separately.

Required SCIM 2.0 Endpoints

Your application must expose SCIM 2.0 compliant endpoints with the following operations:

User Management:

GET /Users - List and filter users
GET /Users?filter=userName eq "{username}" - Query users by userName
POST /Users - Create new users

Group Management:

GET /Groups - List groups
GET /Groups/{id} - Retrieve specific group by ID
POST /Groups - Create new groups

Note: If the Users and Groups APIs are not at the standard /Users and /Groups paths, you can specify alternate endpoint paths in the configuration.

Authentication

Your SCIM API must support one of the following authentication methods:

Bearer Token: API token passed in Authorization: Bearer {token} header
Basic HTTP Authentication: Username and password passed in Authorization: Basic {credentials} header

The authentication credentials must have both read and write permissions to the SCIM endpoints.

Optional: Extension Attributes

To synchronize custom attributes beyond the standard SCIM user schema:

Expose a GET /Schemas endpoint that returns SCIM schema definitions
Enable schema fetching in your configuration (see Configuration section)

Configuration

External SCIM for Lifecycle Management is configured via the Veza REST API.

Create Custom Provider with External SCIM

Create a Custom Provider that uses external SCIM endpoints specifically for lifecycle management:

Required Fields

Field

Required

Description

Configuration JSON Parameters

The configuration_json field contains SCIM endpoint connection details used only for provisioning operations. It does not affect your OAA payload structure.

Configuration Key

Required

Description

Example Value

* One of scim_token or the username/password pair is required for authentication.

Example Configuration with Bearer Token:

Example Configuration with Basic Authentication:

Push OAA Payload

Push the OAA Application Payload as normal. See the for details.

Entity Types and Identity Mapping

Veza creates entities in Access Graph based on the OAA payload, which can be targeted in lifecycle management operations:

local_users in your Application template → Users to provision via SCIM
local_groups in your Application template → Groups to manage via SCIM

Entity types are named according to the following pattern:

User Entity Type: OAA.{application_type}.User
Group Entity Type: OAA.{application_type}.Group

Where {application_type} is the value you specify in your OAA Application template when building the payload. For example, if the application is defined:

The resulting entity types are:

OAA.CustomerPortal.User
OAA.CustomerPortal.Group

Attribute Synchronization

Mapping OAA to SCIM

When Veza provisions users via SCIM, transformers can map attributes from your policy source of identity to SCIM properties:

Veza Attribute (in Policy)

SCIM Property

Type

Required

Description

Extension Attributes

If the SCIM service exposes a /Schemas endpoint and you enable scim_extension_schemas: true, Veza can synchronize custom extension attributes beyond the standard SCIM user schema. Extension attributes are mapped using the schema URN as defined by your SCIM implementation.

Provisioning Operations

The following SCIM operations are performed when Lifecycle Management actions execute:

Sync Identities (Create User)

Create a new user in the target application.

SCIM Operation:

The SCIM endpoint creates the user and returns the user object with an assigned id.

Sync Identities (Update User)

Updates an existing user's attributes (one-time or continuously).

SCIM Operations:

Query for existing user:
Update the user:

De-provision Identity

Remove access when a user leaves the organization or changes roles. The user account is deactivated, but data is preserved.

SCIM Operation:

Deprovision sets active=false, which disables login but preserves the user record.

Delete Identity

Permanently remove a user account.

SCIM Operation:

Manage Relationships (Add User to Group)

Grant a user access via group membership.

SCIM Operations:

Retrieve group details:
Add user to group:

Manage Relationships (Remove User from Group)

Revoke a user's access by removing group membership.

SCIM Operation:

Create Entitlement (Create Group)

Creates a new group so that it can be granted as an entitlement.

SCIM Operation:

Lookup Tables

Use lookup tables to transform identity attributes for target systems

Overview

You can use Lookup transformers to convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.

For example, you might need to transform a "Location" attribute from Workday (which might be stored as location codes like "MN001") into corresponding values for country, country code, or city names in a target system.

Use Table Lookup Transformers when:

You need to map source attribute values to different values in target systems
You have standardized reference data that must be consistent across applications
You need to extract different pieces of information from a single attribute value
You have complex mapping requirements that built-in transformers cannot support

Examples

Geographic Information:
- Transform location codes to country, region, city, or timezone information
- Map office codes to physical addresses or facility types

How It Works

The Table Lookup Transformer references CSV-based mappings between source and destination values. When synchronizing user attributes, Veza:

Takes the source attribute value
Looks up this value in the specified lookup table
Returns the corresponding value from the designated return column
Applies this value to the target attribute

Lookup Table Structure

Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.

For example, a location mapping table might look like:

Creating and Managing Lookup Tables

Creating a Lookup Table

To create a new lookup table:

Navigate to the Lookup Tables tab within your policy configuration
Click Edit mode to enable policy changes
Click Add New to create a new lookup table

Managing Lookup Tables

From the Lookup Tables tab, you can:

Edit table descriptions or upload a new CSV
Delete tables that are no longer needed

Updating a lookup table

To update an existing lookup table:

Create a new policy draft version.
Delete the CSV from the existing lookup table (do not delete the table itself).
Upload the updated CSV.
Publish the draft.

Using Table Lookup Transformers

Basic Syntax

To use a Table Lookup Transformer in a common or action-synced attribute:

In Destination Attribute, choose the attribute on the target entity that will be updated
In Formatter, choose the source attribute to transform
In Then Apply, specify the lookup table name, the column to match against, and the column containing values to return.

The full syntax for using lookup table transformers is:

Where:

<value> is the source attribute to transform (e.g., {location})
<table_name> is the name of the lookup table to use
<column_name>

Examples

Assuming a user has "location": "IL001" and a lookup table named locationTable structured as shown earlier:

Formatter

Result

Advanced Features

Pipeline Transformations

You can combine lookup transformations with other transformation functions in a pipeline:

This would look up the state_code corresponding to the location value and convert it to lowercase.

Handling Missing Values

When a lookup value is not found in the table, the transformation will fail for that specific attribute.

For full coverage, ensure your lookup table includes entries for all possible source values that may be encountered during provisioning.

To ensure robust provisioning workflows, it's important to include all expected values in your lookup table, validate source data before implementing lookup transformations, and test transformations with representative data sets.

Technical Details

Implementation Notes

Lookup tables are immutable and automatically deleted when no longer referenced by any policy version
Multiple policy versions can reference the same lookup table (e.g., an active version and a draft version)
Lookup tables are defined at the policy level and can be referenced by any transformer within the policy

Best Practices

Standardize Naming: To use a lookup-based transformer, you will reference the table by file name. Apply consistent conventions for both the table and columns.
Document Mappings: Add descriptions for each lookup table to explain its purpose
Validate Data: Ensure lookup tables are complete and accurate before using them in transformers. Consider how lookup tables will be maintained over time, especially for values expected to change.

Troubleshooting

Common Issues

Issue

Resolution

Duplicate Resolution Rules

Consolidate multiple records for the same person in a single source of identity into a single authoritative record before policy workflows act on them.

A Duplicate Resolution Rule consolidates multiple records for the same person within a single source of identity into one authoritative record. The rule applies during workflow processing, so policy workflows act on a single resolved identity rather than firing once per duplicate.

This is useful for upstream systems that briefly emit more than one record for the same individual. The most common case is a contractor-to-employee conversion in an HRIS, where the legacy contractor record and the new employee record can coexist for a short period before the contractor record is closed.

Duplicate Resolution Rules are currently configurable via the only. The Policy Settings UI does not yet expose this option.

When to use a rule

Apply a Duplicate Resolution Rule when a single source of identity can produce more than one identity record for the same person, and you want a policy to act on only one. Typical situations:

Contractor-to-employee conversion: an HRIS keeps the open contractor record while creating a new employee record for the same person.
System-generated duplicates: a SOI emits a placeholder record alongside the real one during onboarding.
Merged data sources: a CSV upload or custom OAA connector merges feeds that share individuals.

A rule resolves duplicates within one source of identity at a time. It does not match a person across two different sources. That correlation is handled by the policy's primary and secondary source configuration. See for cross-source behavior.

How resolution works

For each extraction of the source of identity:

Veza groups candidate identities that share the same values for the configured deduplication key properties.
For each group, Veza applies the ranking rules to choose the authoritative record. If no ranking rules are defined, the record with the smallest entity ID wins as a tie-breaker.
The non-authoritative records in the group are permanently deleted (hard-deleted, not soft-deleted) before workflows evaluate the resulting identity. Each deletion emits an IDENTITY_DELETED_FROM_SOURCES event, so event consumers and notification templates see one event per dropped record on the first extraction after a rule is enabled or changed. Unlike a record removed by normal LCM offboarding, a duplicate loser cannot be restored on rehire — it is gone from Veza entirely on the next extraction.

Groups larger than the configured max_duplicate_group_size are skipped and logged. A group with many members almost always means the deduplication key points at a non-unique field; review the rule configuration if you see skipped groups.

Rule configuration

The rule lives on the policy:

primary_duplicate_resolution_rule on the Policy for the primary source of identity.
duplicate_resolution_rule on each entry in secondary_source_of_identities for secondary sources.

An empty {} is a no-op. Validation rejects rules that set ranking_rules or max_duplicate_group_size without dedup_key_properties.

Fields

Field

Type

Description

RankingRule

Field

Type

Description

Matching behavior

Property matching for dedup_key_properties is exact and type-aware:

Strings compared byte-for-byte (case- and whitespace-sensitive).
Type mismatches do not match. The string "1" and the number 1 are treated as different values.
List and struct element order matters. [1, 2] does not match [2, 1]

Examples

Match on a single field, prefer active records

Group identities that share an email. Within each group, prefer records where is_active is true; among equally active records, prefer the most recently hired.

Stack multiple ranking criteria

Group identities that share an employee_id. Within each group, prefer active records; among active records, prefer employees over contractors; among active employees, prefer the most recently hired. Each ranking rule applies only to ties from the previous rule.

Match on a composite of two fields

Group identities that share both employee_id and country. Use the default ranking (smallest entity ID wins on ties).

Clear an existing rule

PATCH cannot send null for this field (a null is treated as "field not in mask"). To clear an existing rule, send an empty object:

API reference

: PATCH or PUT the policy version, including primary_duplicate_resolution_rule and per-secondary duplicate_resolution_rule.
: policy structure and lifecycle.
: identity behavior, including primary and secondary source of identity reconciliation.

Trigger Conditions Reference

Complete reference for SCIM filter syntax used in Lifecycle Management workflow trigger conditions

This page provides a comprehensive reference for the SCIM filter syntax used in Lifecycle Management workflow trigger conditions. Trigger conditions determine when a workflow action should execute based on identity attributes.

SCIM Filter Syntax Overview

SCIM (System for Cross-domain Identity Management) filter syntax provides a standardized way to express conditions. The basic structure is:

<attribute> <operator> <value>

For example:

department eq "Engineering"

This condition evaluates to true when the identity's department attribute equals "Engineering".

Comparison Operators

String Operators

Operator

Name

Description

Example

Numeric Operators

Operator

Name

Description

Example

Boolean Operators

Operator

Name

Description

Example

Timestamp Operators

Timestamp comparisons use ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ).

Operator

Name

Description

Example

String List Operators

For attributes that contain multiple values (arrays), the following operators are supported:

Operator

Name

Description

Example

Logical Operators

Combine multiple conditions using logical operators.

Operator

Description

Example

Precedence

not has the highest precedence
and has higher precedence than or
Use parentheses ()

Example combining operators:

Common Trigger Condition Patterns

Joiner Scenarios

Mover Scenarios

Two system attributes support mover detection:

sys_attr__is_mover: Set to true when any property in the policy's Mover Properties list changes. Indicates that the identity changed, but does not identify which property changed.
sys_attr_changed__<property>: Set to true for each specific property that changed in the most recent extraction. These attributes are transient and are cleared at the start of each extraction cycle.

Use sys_attr__is_mover when you want to trigger on any mover event. Use sys_attr_changed__<property> when you need to trigger only on specific property changes or combinations.

Broad mover detection with sys_attr__is_mover:

Targeted mover detection with sys_attr_changed__:

See for the full sys_attr_changed__ reference.

Leaver Scenarios

Attribute-Based Access Control

System Attributes in Conditions

Lifecycle Management provides two families of computed system attributes for use in trigger conditions:

sys_attr__ prefix: Persistent boolean flags such as sys_attr__is_mover (any monitored property changed) and sys_attr__is_new_identity (first appearance of an identity).
sys_attr_changed__ prefix: Per-property change detection attributes, transient per extraction cycle. sys_attr_changed__department eq true means department changed in the most recent extraction.

See for the complete reference.

Dynamic Value Comparisons with Embedded Transformers

For time-sensitive workflows, you can embed transformer functions directly in condition values. This enables comparisons against dynamically-computed dates and times rather than static values.

Syntax

Embedded transformers use the {| FUNCTION | ...} syntax. The pipe (|) immediately after the opening brace indicates there is no source attribute—the expression starts directly with a function:

This differs from attribute transformers where you reference an attribute first:

Attribute transformer: {hire_date | DATE_FORMAT, "DateOnly"} (starts with attribute)
Embedded in condition: {| NOW | DATE_FORMAT, "DateOnly"} (starts with function)

Common Functions for Dynamic Conditions

Function

Purpose

Example

See for all available functions.

Example: 2-Day Leaver Window

Trigger a leaver workflow when an employee's last day of work falls within a 2-day window around today (Eastern Standard Time):

Breaking down the embedded transformer:

Step

Function

Input

Output

Result: The workflow triggers when:

The employee is active (is_active eq true)
Their last day is today or earlier (le today)
Their last day is after 2 days ago (gt 2 days ago)

This creates a 2-day processing window for departing employees.

Example: Pre-Hire Provisioning

Trigger a joiner workflow 7 days before an employee's start date:

This triggers for employees whose hire date is within the next 7 days, enabling pre-provisioning of accounts before their start date.

Example: Post-Termination Cleanup

Trigger a cleanup workflow for employees terminated more than 30 days ago:

For a conceptual overview of how conditions and transformers work together, see .

Best Practices

Use Specific Conditions

Test with Dry Run

Before enabling a policy, use the Dry Run feature to preview which identities match your trigger conditions. This helps catch overly broad or restrictive conditions before they affect real accounts.

Combine Conditions Thoughtfully

Handle Edge Cases

Consider what happens when attributes are null or empty:

Troubleshooting

Condition Not Matching Expected Users

Check attribute names: Ensure the attribute name exactly matches the source attribute (case-sensitive)
Verify data types: String values need quotes, booleans don't
Review operator choice: co for contains vs. eq for exact match

Condition Matching Too Many Users

Add specificity: Combine multiple conditions with and
Check for broad patterns: co "" matches all non-null values
Verify logical grouping: Ensure and

Timestamp Issues

Use ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ
Include timezone: Always use Z suffix for UTC
Check attribute type: Ensure the source attribute is a timestamp, not a string

- Conceptual overview of conditions vs. transformers
- Create and configure Lifecycle Management policies
- Configure workflow actions and their triggers

Access Profiles

Map application entitlements to user populations based on common roles, functions, levels, or locations in the organization.

Access Profiles govern how application entitlements are assigned to employees across your organization. These profiles define how birthright access should be granted based on segmentation criteria, such as business role, job function, seniority level, location, or group membership. Access Profiles are used by the Manage Relationship action to assign users to specific groups, roles, permission sets, or other access-granting entities when specific conditions are met.

Profiles can be configured hierarchically to create a fine-grained model for assigning access to different employee groups. Administrators can position child profiles beneath a parent profile, with each child profile inheriting the parent profile's entitlements.

For instance, a parent profile might be "Sales" (defining all the application entitlements that an individual belonging to the Sales organization should be granted), with child Profiles for "Account Executive," "Sales Engineering," "Sales Operations," and "Inside Sales." Each child Profile will have additional application entitlements specific to those roles. With these profiles configured, a workflow in policy for sales engineers can use just the "Sales Engineering" Profile, which includes the access defined by the "Sales" profile.

Example Profiles

Profile Name

Target

Relationship

Since workflows in Lifecycle Management policies can apply these Profiles at all stages in a user's lifecycle, defining Profiles enables Veza to serve as a source of truth for birthright entitlements for all employees. Access Profiles also define what access-granting relationships to remove from users during de-provisioning workflows.

The access granted by a Profile can be defined by both:

Explicitly-defined, application-specific entitlements, such as roles, groups, permission sets, etc., within the Profile. A single Access Profile can support granting one or more entitlements across one or more applications simultaneously.
Any entitlements inherited from a parent Profile.

The example below shows Business Roles for teams, managers, and all employees, along with Profiles for different applications. When configuring workflow actions, administrators can choose from one or more Business Profiles to assign the entitlements granted by the child Profiles.

Access Profile Types

Veza offers two types of built-in Access Profile types for defining birthright entitlements by user segments:

Profiles

Profiles are a type of Access Profile used to define access-granting relationships (such as user assignments to groups or roles) within the applications you will provision to users. Profiles are intended to represent a specific set of entitlements across one or more applications that should be granted based on a user's segmentation criteria.

Profiles should be configured in coordination with the application owner, who will best understand the exact permissions and privileges granted by various groups, roles, and other entitlements in each specific application.

Business Roles

Business roles are a type of Access Profile used to model your organization's structure, based on a hierarchy of job functions, locations, and titles. Ideally, by itself, a Business Role should not describe specific entitlements but can inherit relationships from other Profiles. These will usually be named according to logical segments that should be assigned to different applications with different levels of access, such as "Sales," "QA Contractors," or "Engineering Managers."

Best Practices for Access Profile Types

Business Roles can inherit Profiles to enable a hierarchical approach to birthright access management. You should draft and review Access Profiles to create a map of user entitlements for each application (such as "GitHub Developers" or "Salesforce Administrators").

Create Business Roles that align with your organizational structure, especially considering location, business unit, and functional organization. Then, configure these Business Roles to inherit Profiles that describe the birthright entitlements granted to different user populations.

Configuring Access Profiles

To create and manage Access Profiles, go to Lifecycle Management > Access Profiles.

Click Create Access Profile.
Under Access Profile Details, choose the Profile Type to create:
1. Business Role: Business roles are intended to represent logical units within your organizational structure, and can inherit entitlements defined in other Access Profiles. Use Business Roles to establish segmentation criteria based on location, role, business unit, or functional organization.

After saving an Access Profile, you can view its details, edit it, or pause and resume it on the Lifecycle Management > Access Profiles page.

When configuring a policy to include the Manage Relationships action, you can select any active profile for the target data source. You can also use Dynamic Access Profiles to resolve Access Profile names at runtime based on user attributes. See for details.

Access Profile Ownership

Access Profiles can have designated owners who are responsible for managing and maintaining the profile. Owners have elevated permissions to configure the profile, manage its lifecycle, and create additional profiles.

Who Can Be Owners

Both Veza Users and Veza Groups can be assigned as Access Profile owners:

Individual Users: Any Veza platform user with the appropriate permissions
Veza Groups: Both Customer Managed groups (created in Veza) and SCIM Managed groups (provisioned from identity providers). See for details on group types and management

Owner Eligibility Requirements

To be eligible as an Access Profile owner, a user or group must have the Creator permission set for the relevant Access Profile Type. This is a two-step configuration process:

Grant Profile Type Permissions:
- Navigate to Lifecycle Management > Settings
- Select the Profile Types tab

Owner Permissions

When a user or group is designated as an Access Profile owner, they automatically receive three distinct permissions:

Owner permission on the specific Access Profile
- Read: View the profile's configuration, entitlements, and metadata
- Update: Modify the profile's settings, labels, descriptions, and assigned relationships

These permissions enable owners to not only manage their assigned profiles but also create additional profiles of any type they have access to.

Managing Owners

Access Profile owners are managed through the Access Profiles interface:

Navigate to Lifecycle Management > Access Profiles.
Locate the Access Profile in the list.
Click the Actions button (⋮) for that profile.

Custom Properties

Custom Attributes are admin-defined metadata fields that can be set on individual Access Profiles. You can use them to tag profiles with organizational context such as cost center, team, compliance classification, or region.

These custom property values are available as parameters during dynamic approval rule evaluation, and support Access Requests approval routing driven by profile metadata. For example, this can enable tagging Access Profiles with a specific cost center and routing them to the appropriate approver group. See for configuration details.

Defining custom attribute schemas

Before custom properties can be set on individual profiles, an administrator must define the allowed attributes:

Navigate to Lifecycle Management > Access Profiles.
Click Settings in the page header.
In the settings sidebar, select Custom Attribute Definitions.

Custom attribute schemas are applied across all Access Profiles in the tenant. Definitions cannot be set on individual profile types.

Setting custom property values on a profile

Once schemas are defined, a Custom Properties section appears when creating or editing any Access Profile:

In the Access Profile create or edit form, scroll to the Custom Properties section.
Click Add Custom Property.
In the dialog, select the Property (attribute name) and enter or select an Attribute Value.

To edit custom properties for an existing profile, select it from the Profiles list to view details. In the header, locate the Custom Properties section and click to add or remove properties.

Custom property values are validated against the current definitions. Property names must match a defined attribute, and values must come from the predefined list when one is configured.

Custom property values are included in the API response when retrieving or listing Access Profiles via the custom_properties field (private API).

Implementation and Core Concepts

The IAM challenge

Without automated lifecycle management, organizations face a fragmented identity and access management landscape. Multiple systems require manual coordination, leading to delays in provisioning, security gaps from orphaned accounts, and compliance risks.

How Veza streamlines IAM

Veza Lifecycle Management provides a unified platform that automates identity provisioning and de-provisioning across your entire technology stack. Changes in your HR system automatically trigger coordinated workflows across all connected applications, ensuring consistent access management throughout the employee lifecycle.

Before you begin creating draft for automating Lifecycle Management workflows, you should establish and document how employees in your organization are mapped to business roles, and corresponding birthright entitlements (default access permissions granted based on an employee's role) such as groups and roles in target applications.

Implementing Veza Lifecycle Management will require:

Defining segmentation criteria in terms of Business Roles for identities in your organization.
Defining Role Conditions used in Lifecycle Management policies that Veza will use to match roles to identities, based on attributes from the source of identity.
Defining Profiles for each target application that will map Business Roles to application-specific entitlements.

The topics in this document will help you structure your Lifecycle Management implementation, and establish foundations that you can use to simplify access management throughout the employee lifecycle.

Planning Your Implementation

Key considerations and requirements

Is a lifecycle management process defined for your organization?
- If yes: Begin assessing your current policies for implementation with Veza Lifecycle Management.
- If no: Work with application owners, HR administrators, and other stakeholders to establish protocols for granting and revoking access as employees join, depart, or change roles.

Security considerations

Implementing Lifecycle Management requires careful attention to access control, API key management, and credential handling to maintain security throughout your deployment.

Access control

Limit administrative access: Reduce standing administrator roles to those who need them. Best practice is no more than 5 administrators with standing access.

Use operator role for monitoring: Users with Operator roles can view LCM policies without editing them. Use this role for monitoring and troubleshooting.

Temporary support access: When working with Veza support on LCM issues, grant temporary administrator privileges using Administration > Support User Access rather than creating permanent accounts.

API key management

Monitor Veza API keys and disable unauthorized keys. API calls made with keys that have administrator privileges can modify LCM policies.

Key rotation best practices:

Review API keys quarterly
Revoke keys that are no longer in use
Document the purpose of each active key
Use separate keys for different automation purposes

Integration credentials

Credential lifecycle:

Track credential expiration dates and renew before expiry
Avoid editing integration credentials except when renewing them
Test credential changes in a sandbox environment before applying to production

Critical system protection: Identity source extractions are the most critical step in the LCM process. Handle integration configuration changes with care:

Schedule credential updates during maintenance windows
Verify extraction success immediately after credential changes
Have rollback procedures ready if extraction fails

Define Segmentation Criteria (Business Roles)

Begin by identifying and cataloging the different roles that can be assigned to employees and their digital identities within your organization. Users will be granted entitlements within target applications based on these business roles based on your Lifecycle Management .

This list of business roles might be sourced from an organization chart, or a human resources information system (HRIS). These roles can be defined in terms of any discriminating attributes from a source of identity, such as:

Employee or contractor status
Roles and job positions
Business Units (BUs)
Locations

Example Business Roles:

Sales
Developers
Executive Employees
US Employees

Define Role Conditions

Identify the attributes and conditions that will identify the segment each user belongs to. The possible attributes will depend on the employee metadata provided by your HRIS or other source of truth for identity.

For example, you might assign certain Active Directory groups only to US employees, identified by a source Workday Worker's work_location. To define these conditions, you will need to understand what attributes are available within the source of truth, and how the values map to each employee segment.

Consider how employee records are structured in your source of identity, including all the built-in attributes belonging to an identity, and the possible values.
Check if any custom attributes can be used to define role conditions, and ensure these are enabled in the Veza Access Graph.
Document how employee populations correspond to the attribute values contained in the source of identity.

Examples: Source attributes for role conditions

The following standard attributes are available by all HRIS integrations that use an Open Authorization API template, along with any enabled for the integration. You can typically import data from any HRIS system to Veza using this template, sourced from a generated report, API calls, or CSV data.

OAA HRIS Built-In Attributes

Attribute

Description

Using this standard identity metadata, a Lifecycle Management workflow runs specific actions for identities where some or all of the conditions are true:

Employment Status equals "Pending"
Employment Types equals "Full Time"
Department equals "Engineering"

Define Profiles

A Profile defines a set of entitlements for a specific application that can be assigned to users. For each target application, application owners will need to establish levels of birthright entitlements by defining Profiles mapped to groups, roles, or other entitlements that can be assigned to a user.

Review target applications to validate that the expected entitlements are configured, with the correct scopes and permissions for the Profiles they will be associated with.
Create Lifecycle Management mapped to those entitlements.

Examples: Access Profiles

Profile Name

Target

Relationship

When configuring the action, administrators can grant or revoke access by choosing a Business Role that inherits the desired Profile.

Map Business Roles to Profiles

Configure to inherit the corresponding access profiles, mapping entitlements to employee segments.

Create Business Roles for each segment.
For each Business Role, inherit a corresponding access profile.
Assign one or more Profiles to each Business Role as needed to fully define the birthright entitlements for each position.

Examples: Map Business Roles to Profiles

Asia Employees

US Employees

Developers

Define synced attributes

Attributes from the source of identity can determine the attributes of users in target systems when creating or updating a target entity.

For example, a provisioned Okta User's country_code might be set to a source Workday Worker's work_location. Additionally, the Okta User manager attribute could be continually synchronized to match the Worker’s manager.

Target synced attributes can have fixed values (e.g., always true), can match a source attribute, or contain a combination of source values, transformed as needed to match the required format. Rules for synchronizing attributes are managed with .

For each application, understand the supported attributes for provisioned users.
Assess the identity metadata from your source of truth to decide how source entity attributes will be used to set the values of target entity attributes.
Veza can synchronize attributes during provisioning and de-provisioning workflows, and whenever a change is detected in the source of identity. Decide which attributes should be kept in Continuous Sync, and which should only be created (and never modified after creating an entity).

Examples: Synced Attributes

Sync Active Directory Accounts for Active Employees (Joiners/Movers)

When provisioning AD Users, create user attributes based on values in the source of identity. These attributes can also be kept up-to-date with the source of identity when there are changes, by enabling Continuous Sync.

Active Directory Attribute

Source Attributes

Transformer Value

Sync Active Directory Attributes for Withdrawn Employees (Leavers)

When disabling AD Users, update the DN and Primary Group DN to a group and OU reserved for terminated employees:

Active Directory Attribute

Source Attributes

Transformer Value

Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization.
Updating the distinguished_name to place leavers in a specific organizational unit (OU), like "Evergreen Termination," separates active users from inactive ones, and enables the application of policies, scripts, and queries that target inactive users without affecting active employees.

Send REST Payload (Insight Point Routing)

Route Send REST Payload actions through Insight Points for custom OAA integrations

Overview

Lifecycle Management supports three integration pathways for custom applications. This document covers configuring the OAA Write Framework pathway with Insight Point routing for Send REST Payload actions.

When using the Send REST Request action in Lifecycle Management workflows, requests execute from the Veza control plane by default. For target APIs that are on-premises or behind a firewall, you can configure a Custom Provider (OAA integration) to route requests through an Insight Point agent instead.

This configuration enables:

On-premises API access: Call internal APIs that aren't accessible from the public internet
Network isolation: Route requests through your own infrastructure for security compliance
Hybrid deployments: Mix cloud-based and on-premises targets in the same workflow

When to Use This Configuration

You DO NOT need this configuration if:

Your target API is publicly accessible
You're calling cloud services (SaaS APIs, webhooks)
Your Send REST Payload actions work without selecting a data source

You NEED this configuration if:

Your target API is on-premises or in a private network
The API is only accessible from specific network locations
You need requests to originate from an Insight Point agent

How It Works

Without Data Source (Default):

With Data Source (Insight Point Routing):

When a Custom Provider is configured with external_lifecycle_management_type: SEND_REST_PAYLOAD:

The provider's data source appears in the Send REST Payload action's Data Source dropdown
Selecting it routes the HTTP request through the associated Insight Point
The Insight Point agent executes the request from within your network

Configuration

This setting is configured via the Veza REST API. It is not currently available in the Veza UI. The provider configuration only sets up Insight Point routing—the actual request URL, HTTP method, payload, and authentication are configured per-action in the .

Create Custom Provider with Send REST Payload Support

Update Existing Custom Provider

Required Fields

Field

Required

Description

Validation Rules

Provisioning required: provisioning must be true when setting external_lifecycle_management_type
No internal app name: Cannot be used with internal_app_name (these are mutually exclusive)

Using in Lifecycle Management Policies

Once configured, the Custom Provider's data source will appear in the Send REST Payload action configuration:

In the policy editor, add a Send REST Payload action
In the Data Source field, select your configured Custom Provider
Configure the URL, method, headers, and payload as needed

Combining with REST Auth Credentials

You can use together with Insight Point routing:

REST Auth Credentials: Handle authentication (OAuth2, Bearer tokens, etc.)
Data Source selection: Routes the request through an Insight Point

When a Data Source is selected, both the token acquisition request and the subsequent REST request execute through the Insight Point. This means Login to Bearer and OAuth2 credential types work correctly against token endpoints that are not publicly accessible—the entire authentication flow remains within your private network.

Troubleshooting

If no data sources appear in the Send REST Payload action's Data Source dropdown:

No providers configured: Verify you have at least one Custom Provider with external_lifecycle_management_type: SEND_REST_PAYLOAD
Provisioning not enabled: Check that provisioning: true is set on the provider
No data source created: Push an OAA payload to create a data source for the provider

Validation Error: "external_lifecycle_management_type requires provisioning to be true"

Include provisioning: true in your API request along with the external_lifecycle_management_type field.

Validation Error: "data_plane_id: Cannot be empty"

The data_plane_id is required when creating a provider with external_lifecycle_management_type: SEND_REST_PAYLOAD. Ensure you have a deployed Insight Point and include its ID in your create request.

Validation Error: "cannot change external_lifecycle_management_type while provider is in use by LCM"

The provider is referenced by one or more Lifecycle Management policies. Remove the provider from all policies before changing its external_lifecycle_management_type.

Request Fails from Insight Point

If requests fail when routed through an Insight Point:

Network connectivity: Verify the Insight Point can reach the target API
Firewall rules: Ensure outbound HTTPS is allowed from the Insight Point to the target
DNS resolution: Confirm the target hostname resolves from the Insight Point's network

Assign O365 Licenses with Workday and Azure AD

Assigning Microsoft 365 licenses to users based on Workday attributes during the onboarding process

This guide explains how to automatically assign Microsoft 365 licenses to users as part of a Workday-triggered onboarding workflow. License assignment is a common requirement when provisioning new employees who need access to Microsoft productivity tools like Outlook, Teams, and SharePoint.

Overview

When a new employee is hired in Workday, you can configure Veza Lifecycle Management to:

Create a user account in Azure AD
Assign the appropriate Microsoft 365 licenses based on employee attributes (department, role, location)
Optionally enable email functionality

This automation ensures consistent license assignment, reduces manual IT work, and helps control licensing costs by assigning only the licenses each employee needs.

System Architecture

The following diagram shows the license assignment flow:

Prerequisites

Before starting this implementation, ensure you have:

Workday Integration: as your source of identity
Azure AD Integration: as a target system with the following permissions:
- Directory.ReadWrite.All

Implementation Steps

Step 1: Identify License Requirements

Before configuring the workflow, map your organization's license requirements to Workday attributes:

Employee Type

Department

License SKU

License Name

Step 2: Create the Lifecycle Management Policy

Create a policy using Workday as the source of identity:

Navigate to Lifecycle Management > Policies
Click Create Policy
Configure the policy in the wizard:

Step 3: Configure the Joiner Workflow

Add a workflow that triggers when new employees are hired:

Edit your policy and click Add Workflow
Configure the workflow trigger:
- Workflow Name: New Employee Onboarding

Step 4: Add Sync Identities Action

First, create the user in Azure AD:

In your workflow, click Add Action
Select Sync Identities
Configure the action:

Destination Attribute

Source/Format

Continuous Sync

Converting Date Formats Between Systems

When mapping date attributes between Workday and Azure AD, you may need to convert date formats. Use the DATE_FORMAT transformer with to specify the output format.

Example: Converting hire_date to ISO 8601 format

If Workday provides dates in MM/DD/YYYY format but Azure AD expects YYYY-MM-DD:

Step 5: Create Access Profiles for Licenses

Before adding the license assignment action, create Access Profiles that contain the license entitlements:

Navigate to Lifecycle Management > Access Profiles
Click Create Access Profile
Configure the profile:

Repeat this process to create additional Access Profiles for different license types:

Access Profile Name

License SKU

Use Case

Step 6: Add License Assignment Action

Now add the license assignment using Manage Relationships with your Access Profiles:

Click Add Action
Select Manage Relationships
Configure the action:

Basic License Assignment (All Employees)

For assigning the same license to all employees:

Condition: (leave empty for all users matching workflow)
Access Profiles: Select "Microsoft 365 E3 License"
Remove Existing Relationships: No

Conditional License Assignment (By Department)

For different licenses based on department, add multiple Manage Relationships actions with conditions:

Engineering Department (E5):

Condition: department eq "Engineering"
Access Profiles: Select "Microsoft 365 E5 License"
Remove Existing Relationships: No

All Other Departments (E3):

Condition: department ne "Engineering"
Access Profiles: Select "Microsoft 365 E3 License"
Remove Existing Relationships: No

Conditional License Assignment (By Employee Type)

Full-Time Employees:

Condition: worker_type eq "Full_Time"
Access Profiles: Select "Microsoft 365 E3 License"
Remove Existing Relationships: No

Contractors:

Condition: worker_type eq "Contractor"
Access Profiles: Select "Microsoft 365 Business Basic"
Remove Existing Relationships: No

Step 7: Add Email Creation Action (Optional)

If you want to ensure Exchange Online is configured:

Click Add Action
Select Create Email
Configure the action:

Step 8: Configure Action Order

Ensure your actions execute in the correct order:

Sync Identities - Creates the user account (must run first)
Manage Relationships - Assigns licenses via Access Profiles (requires user to exist)
Create Email (optional) - Enables mailbox (requires user and license)

Use the drag handles in the workflow editor to reorder actions if needed.

Step 9: Test the Configuration

Test with Simulation Dry Run

Select your policy
Click the overflow menu (three dots icon) and select Perform Dry Run
In the Identity field, select an employee from the dropdown

Test with a Single User

Identify a test user in Workday (or create one in a test environment)
Ensure the test user matches your workflow conditions
Enable the policy and trigger a sync
Verify in Azure AD:

Advanced Configuration

Multiple License Assignments

To assign multiple licenses to a single user, you can either:

Option 1: Create an Access Profile with multiple entitlements

Create a single Access Profile containing multiple license entitlements, then reference it in one Manage Relationships action.

Option 2: Add multiple Manage Relationships actions with different Access Profiles

License Removal on Role Change (Mover Workflow)

When employees change roles, you may need to update their licenses:

Create a Mover Workflow with the condition: department changed
Add a Manage Relationships action with:
- Remove Existing Relationships: Yes (removes old licenses)

License Removal on Termination (Leaver Workflow)

To remove licenses when employees leave:

In your Leaver Workflow, add Deprovision Identity action:
- Remove All Licenses: Yes
- De-provisioning Method: Disabled

Alternatively, use Manage Relationships with Remove Existing Relationships enabled before deprovisioning.

Policies

Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings

Overview

Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate. This might include hiring a new employee, terminating an existing employee, transferring an existing employee to another department, or other actions triggered by changes in status.

A policy can contain one or more workflows that run under different conditions. For example, one workflow might be applied when employees enter an "Active" state (for Joiner/Rehire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also be triggered when an employee's hire date falls within a certain threshold, such as being less than 4 days away, or when it is related to any other employee property within the source of identity.

For most enterprise deployments, Veza recommends:

One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
- One for active users to cover Joiner and/or Mover scenarios (including Re-hire)

Add a Lifecycle Management Policy

To create a policy for a source of identity:

Go to Policies.
Click Create Policy.
Enter a policy name and description.

Simulation Dry Run on Policy

The Dry Run allows you to simulate and preview how a Policy would process an identity, without making actual changes to target systems. This testing tool helps you validate workflow conditions, preview potential changes, and understand what actions would be triggered for specific identities.

How Dry Run Works

The Dry Run evaluates workflow logic but does not interact with target integrations. Verify integration health to ensure target systems are accessible before running actual policies. Dry Run takes a policy and an identity to simulate:

The workflows triggered
All actions that would run
What Access Profiles would be assigned
Any potential changes to entities and attributes

You can test how policies would respond to identity attribute changes for different scenarios during a Dry Run simulation without impacting the actual identity attribute values.

Starting a Dry Run

You can initiate a Dry Run in two ways:

From a Lifecycle Management Policy

When editing a policy, open the Dry Run tool to preview changes for any identity:

Go to Policies.
Click a policy to view its details.
Click Dry Run Policy at the top right.
Choose the identity and policy to test workflows.

From Identity Details

You can start a Dry Run when viewing details for any account on the Identities page:

Go to Identities.
Search for an identity and click to view its details.
Expand the Actions menu at the top right and click Policy Dry Run.

Dry Run Notes:

Result: 0 Changes

When a dry run returns "0 changes", it means:

The selected identity does not meet any of the trigger conditions defined in your policy's workflows
No actions would be executed for this identity when the policy runs
This is not an error - it simply means the identity doesn't qualify for any of the configured workflows

Limitations

Dry Run has several important limitations:

Dry Run evaluates whether workflow conditions are met, not whether actions would succeed
It does not check whether integrations are functioning properly and whether target systems are accessible
It does not validate that changes could be successfully applied

Best Practices

Use Dry Run to validate that policies and their workflows are working as intended before enabling them in a live environment.

Test with Representative Identities: Select identities that represent different scenarios (new hires, role changes, terminations) to validate all workflows in your policy.
Simulate Different Scenarios: Modify identity attributes during Dry Run to test trigger conditions such as:
- Department changes

Handling long names or names with special characters
Department and location change at once
Same-day rehire after termination

Workflow execution behavior

Understanding how workflows execute helps with troubleshooting and policy design.

Execution order

When identity source data changes, Veza processes it in this order:

Extraction completes: Data is pulled from the identity source.
Duplicate resolution (optional): If the policy has a Duplicate Resolution Rule configured, Veza consolidates duplicate records for the same person into a single authoritative identity before triggers evaluate. See .
Workflow triggers evaluate: Veza begins evaluating trigger conditions within approximately 1 second of extraction completing. Actual evaluation time scales with the number of managed identities. Policies with thousands of identities can take several minutes to process. For policies with multiple identity sources, evaluation waits until all configured sources have completed extraction.

Trigger behavior

"First time only" triggers

Most workflows (except sync workflows) are configured to trigger "only when trigger condition is first met." This means:

The workflow triggers the first time an identity matches the condition.
If the condition clears (identity no longer matches) and then matches again, the workflow triggers again as if it were the first time.
This behavior handles rehire scenarios where a previously terminated employee returns.

Sync workflows

Sync workflows track specific properties for changes. When adding new properties that require syncing:

Update the tracked property list in the workflow configuration.
Update sync-related common transformers to include the new attributes.

For more information on workflow triggers, see .

SCIM condition limitations

Trigger conditions use SCIM filter syntax. When comparing values, only the variable on the right side of the comparison can be transformed. The left side must be an attribute reference without transformation. See for syntax details.

Policy Version

Policies can be version-controlled, allowing for a method to refine and test changes in your automation workflows. You can create draft versions to test changes and validate updates before deployment while maintaining a history of previous configurations. Each policy can have only one active version and one draft version at a time, with automatic archival of retired versions.

Policy State vs Workflow Versioning State

Policies have a current state that is based on their workflow operations.

The Policy state includes:

Initial - Initially created before the first workflow version is published
Running - Actively processing with one or more workflows
Paused - Temporarily disabled
Pending - Waiting for activation

Note: In the Policies page, click on the Action overflow icon (three dots) to Start the policy in the Initial state, and Pause or Unpause at the Running state.

The Workflow Version state includes:

Draft - In draft mode for editing and modification
Published - Functional and active
Retired - No longer active or usable

Policy Draft Mode

The Policy Draft Mode is a state where a policy is saved but not yet active. In Policy Draft Mode, you can create, edit, and test policy configurations (such as workflows, actions, or mappings) without affecting real users, identities, or access profiles. Once you are satisfied, you can publish the policy, which moves it from the work-in-progress state to an operational state.

To enable the Policy Draft Mode, perform the following:

On the Lifecycle Management Dashboard page, click Settings in the top menu.
The Lifecycle Management Settings page appears. Click Policy Settings.
Switch ON the Enable Policy Draft Mode button.

Test Policy Workflows using Draft Versioning

You can test and refine your policy workflows to ensure that it is working as expected through a series of draft versions with Dry Run simulations. Once the workflow’s result is satisfactory, publishing the version will change the policy status to ‘active’.

Perform the following steps to test your policy workflow:

Create and save a new policy.
Create a new workflow and Save.
After creating a new workflow, click Publish.
By publishing your workflow, it is ready for activation by going to the

Published Policy

A published policy is activated and deployed with the following characteristics:

Enforces the defined rules in your environments, including:
- Creating, modifying, or removing user access.
- Synchronizing identity attributes.

Migrating policies between environments

For organizations using multiple Veza tenants (such as sandbox and production), policies can be migrated between environments using migration scripts provided by Veza support.

When to use migration scripts

Use the migration script approach for:

Large policies with many workflows and complex transformers
Repeated migrations between the same environments (sandbox → production)
Policies where manual reconstruction would be time-consuming

For simple policies or one-time migrations, manual reconstruction may be faster than setting up the migration toolkit.

Environment setup (one-time)

In both sandbox and production tenants, log in as an Integration Manager or Administrator and create API keys (Integrations > API Key).
Store each key in a password manager or secrets vault.
Set environment variables for the migration script:

Migration procedure

In the target tenant, create a new draft version of the policy and note the version number.
If any of the following changed since the last migration, update the lookup table CSV (provided by support) with new IDs:
- Access Profiles

Extraction scheduling and policy control

Extraction schedules

Extraction schedules for identity sources are configured via the Veza API. To modify extraction frequency or timing, contact for assistance with API configuration.

Workflow parallelism

The maximum number of concurrent workflows is configured at the tenant level via API. This setting controls how many workflow jobs can run simultaneously across all policies. Contact to adjust concurrency limits for your deployment.

Policy pause behavior

Disabling a policy pauses any running workflows. Re-enabling the policy does not resume paused workflows—they restart on the next extraction cycle.

Enabling and Monitoring Lifecycle Management Policies

Use the Policies page for an overview of initial, running, and paused policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.

To manage policies on the main Policies overview:

Go to Lifecycle Management > Policies
Find the policy you want to manage
- Search for a specific policy by name

Add Workflows to Policies

Policies contain one or more workflows. Typically, workflows correspond to Active and Inactive user states, but not always. More specifically, workflows define a sequence of actions to run when a condition is met, based on events and identity changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, internal employee mobility changes (e.g., promotions, transfers, new managers), or employee departures.

Workflows comprise a tree-like sequence of conditions designed to meet the specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.

Example Workflows

The following diagrams illustrate typical joiner and leaver workflow implementations, showing how identity changes in your HR system trigger coordinated provisioning and de-provisioning actions across multiple target applications.

Joiner Workflow

When a new employee is created in Workday, Veza automatically provisions accounts and assigns appropriate access across connected systems based on the employee's role and attributes.

Leaver Workflow

When an employee's status changes to inactive or terminated in Workday, Veza automatically de-provisions accounts and removes access to protect your organization's security posture.

Workflows and Trigger Conditions

Trigger Conditions refer to rules or filters that initiate (or delay) provisioning and deprovisioning workflows based on certain events, criteria within identity data sources, or lifecycle workflows. Trigger conditions use SCIM filter syntax to evaluate whether an identity matches specific criteria.

See for SCIM filter syntax and available operators, or for a comparison with transformer syntax.

Trigger conditions are often tied to HR events, such as employee hiring (joiner), role changes (mover), or termination (leaver). For instance, provisioning flows can be triggered when an employee is hired or deprovisioned when terminated.
Trigger Conditions can be time-based, such as "create the Active Directory account 15 days prior to a new employee's start date".
Advanced implementations also support relationship-based triggers (e.g., launching workflows when a worker is added to a specific department). Note: Trigger conditions can also encompass

Create a Workflow

To add a workflow, perform the following:

Select a policy.
Click Create Workflow.
In Details, enter the workflow name and description.
In the

Not set
Low
Normal
Medium

The levels dictate the order/priority in which the workflows are run. The higher-priority setting will be processed first. A fairness algorithm is built in to prevent lower-priority workflow tasks from being starved.

In the New Workflow pane, click trigger attribute. The Edit Workflow pane appears.
In the Triggering Condition (Condition String) field, select a conditional string from the dropdown menu to create a logical syntax that automatically starts the workflow. Once a condition has been set, another conditional string can follow, or an action can be taken.
In the Options section, select one of the following:

Note: All workflow errors must be resolved before it can be saved.

Clone or Delete a Workflow

Once an LCM Policy workflow is saved, the clone and delete options appear alongside the workflow name:

Click on the copy icon to clone the workflow.
Click on the trash bin icon to delete the workflow.

Common workflow patterns

Webhook notifications after Sync Identity

For ITSM integrations that need to receive all attributes after a Sync Identity action completes:

Place the webhook action under a condition that follows the Sync Identity action in the workflow tree.
Add a pause action before the webhook if needed to allow time for attribute propagation.
Use clear naming conventions for conditions (for example, "FTE New Hire AD Notification") to indicate their purpose.

Create a Transformer

A transformer is a rule or function that takes incoming identity or attribute data and modifies it into the format or value that the target system requires.

They’re used when the data source system and target system represent or store information differently. For example, transformers can:

Converting a username from “First.Last” format into all lowercase.
Mapping a department value like “HR” in the source to “Human_Resources” in the target.
Adding a prefix or suffix to attributes (e.g., appending a domain name to create an email).

Transformers act as data processors inside a policy, ensuring that the right values are sent when provisioning, updating, or deprovisioning identities and entitlements.

To add a transformer, perform the following:

Select a policy.
Click Transformers.
Click Add Transformer.
In the New Transformer

See for available transformation functions.

Create a Lookup Table

Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.

This example is a location mapping table, which is a typical format for a Lookup Table:

Once a Lookup Table has been uploaded, it can be processed with the Lookup Transformers. The Lookup transformers convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.

Use Lookup Table Transformers to:

Map source attribute values to different values in target systems
Standardized reference data that must be consistent across applications
Extract different pieces of information from a single attribute value
Have complex mapping requirements that built-in transformers cannot support

See for detailed information.

To add a Lookup Table, perform the following:

Select a policy.
Click Lookup Table.
Click Add Lookup Table.
In the New Lookup Table

Create Properties

Properties are the attributes that describe identities, accounts, and entitlements. They serve as the data points a policy can use to determine when and how to take action. Properties can come from:

Built-in properties – default attributes that LCM provides out-of-the-box (for example: username, email, status, created_at).
Custom properties – attributes defined by your organization to capture unique metadata (for example: cost_center, employee_type, manager_id).

Use Properties to:

Properties are referenced in policy conditions (e.g., disable account if status = inactive).
Help with transformers and lookup tables, allowing you to map or reformat values.
Used in identity overrides when syncing accounts from different providers.

To add Properties, perform the following:

Select a policy.
Click Properties.
The Mover Properties appear. Click Edit Properties.

Create Password Complexity Rules

Password Complexity Rules in a policy ensure that generated passwords adhere to standardized criteria according to defined password policies across automated provisioning workflows. You can define reusable password complexity rules to enforce requirements for password length, mandatory character types (uppercase letters, lowercase letters, numbers, and special characters), and restricted characters when generating random passwords. These rules are available for selection in Sync Identities, Deprovision Identity, and Reset Password actions when working with integrations that support complex password requirements.

To add Password Complexity Rules, perform the following:

Select a policy.
Click Password Complexity Rules.
Click Create Password Complexity Rule.
In the

Create Transformer Functions

Custom Transformer Functions allow you to programmatically modify or enrich identity attributes as they are synced from identity sources to target systems. These transformations ensure that data formats align across systems and support more dynamic provisioning logic. Such transformers can:

Convert dates into required formats or perform date-based calculations (e.g., adding days to a hire date).
Normalize or transform string values (e.g., case conversion, trimming, substrings).
Apply conditional logic via functions directly within provisioning rules.

To add Transformer Functions, perform the following:

Select a policy.
Click Transformer Functions.
Click Create Custom Transformer Function.
In the

Policy Settings

The Policy Settings page provides information about a specific policy and allows for additional configuration, including:

Modify the primary identity source
Define an additional data source to the primary identity source
Configure email notifications or a webhook for action-related events
Enable continuous synchronization to ensure identities are up-to-date

Details

The Details view shows the Policy Name and Description fields. These fields are editable for name change or description refinement, if required.

Primary Identity Source

The Primary Identity Source pane displays the integration name of the data source. The Integration field displays all available data sources, where you can add or remove, if required.

A Primary Identity Source is the authoritative system that serves as the source of truth for user identities (e.g., HR system, Active Directory, identity provider like Okta/Entra ID). Typically, one type of source of identity is associated with one integration.

The role of the Primary Identity Source includes:

Acts as the authoritative record for user information (emails, roles, statuses).
Lifecycle rules such as provisioning, updates, or deprovisioning are typically triggered based on changes detected in this data source.
Ensures consistency and accuracy across target systems where access is granted or revoked.

Additional Identity Sources

As an option, the Additional Identity Sources pane is typically used to add a different type of integration from the Primary Identity Source, which requires that the additional data source be already configured into Lifecycle Management. You can also correlate primary attributes and additional attributes to be associated with the data source. The added data source will sync for authentication, user updates, or provisioning.

To add an Additional Identity Source, perform the following:

Click Add Source.
In the Select Identity Source field, select a data source. Note: If you enable the 'These types are not related' option, then you cannot correlate any attributes.
In the Correlating Attributes pane, select a Primary Attribute from the dropdown menu.

Notifications

When events occur during the execution of a policy’s workflow, notifications can be triggered upon execution of actions in workflows as a means to inform stakeholders or integrate with external systems. These notifications can be optionally configured as their own discrete action in a workflow or as an option when another action is executed. Lifecycle Management supports email- and webhook-based notifications.

For example, an organization might configure its Active Employee policy to send an email to the manager of each new hire after the employee's email address is provisioned. Additionally, a webhook will be sent to the company's learning management system to initiate online onboarding training once each new hire's Okta account is provisioned, following a successful Sync Identity operation.

Use the Notifications to add and manage notifications:

In the Notifications pane, click Add Notification.
Choose the notification type (Email or Webhook).
Choose the event to trigger notifications:

See for customizing email notifications.

Advanced Settings

Identity Syncing Option

The Identity Syncing option controls how often the Sync Identities action runs in workflows that have Continuous Sync enabled. It has no effect on workflows without Continuous Sync.

The setting is configured at the policy level and applies to all of its workflows by default. Individual workflows can override it from the workflow's own settings.

Mode

When the workflow syncs

Use when

To configure:

Open the policy and go to Advanced Settings.
Under Identity Syncing, select Sync on changes only or Always sync.
If you selected Always sync, set the Sync Interval (default: 1 hour).

To override at the workflow level, open the workflow, expand its sync settings, and choose a different mode.

Safety Limits

Safety Limits prevent unintended mass changes to identities by enforcing configurable thresholds. Two independent mechanisms are available and can be used together for layered protection:

Hard Limit

The Hard Limit (formerly "Safety Limit") is a reactive mechanism that stops processing during execution once the configured number of identity changes has been reached. When the limit is triggered, no further identity changes are processed for the current policy run.

To configure a Hard Limit:

Enable the Hard Limit toggle.
Set the Maximum Number of Affected Identities to define the threshold.

Predictive Safety Limit

The Predictive Safety Limit is a proactive mechanism that blocks all changes before execution begins if the system predicts the number of workflow runs will exceed configured thresholds. This prevents unintended mass processing of identities when upstream attribute changes in a Source of Identity would trigger unnecessary Joiner, Mover, or Leaver workflows.

To configure a Predictive Safety Limit:

Enable the Predictive Safety Limit toggle.
Set the Maximum Number of Workflow Runs to define the threshold.

Workflow-Level Limits

Safety limits can be configured at both the policy level and individual workflow level for granular control. When configured at the workflow level, each workflow enforces its own thresholds independently, enabling different limits for Joiner, Mover, and Leaver workflows within the same policy.

Blocked Tasks

When a Predictive Safety Limit triggers, no changes are processed. A warning appears on the Blocked Tasks page with options to:

Review what would have changed
Run the blocked tasks (manually approve execution)
Abandon the blocked tasks (discard without executing)

Processing of future extractions is paused until the administrator acknowledges the warning and resumes processing. New activity log event types PREDICTED_SAFETY_LIMIT_EXCEEDED and WORKFLOW_PREDICTED_SAFETY_LIMIT_EXCEEDED are recorded when predictive limits trigger.

Dynamic Access Profiles

Use attribute formatters to dynamically select Access Profiles at runtime based on user attributes

Overview

Dynamic Access Profiles enable context-aware provisioning by enabling the Manage Relationships action to resolve Access Profile names at runtime using user attributes.

Instead of explicitly selecting static Access Profiles when configuring a workflow, you can use attribute formatter expressions that evaluate to Access Profile names dynamically when the workflow executes. This is particularly valuable for organizations with complex access patterns based on attributes like department, location, role, or business unit.

This feature eliminates the need for separate workflow conditions for each profile combination, supporting configurations where a single workflow provisions users to different Access Profiles based on their identity attributes.

How It Works

Runtime Resolution Process

When a Lifecycle Management workflow runs with dynamic Access Profiles configured:

Attribute Evaluation: The system evaluates each dynamic Access Profile formatter expression using the identity's attributes. For example, if the expression is dept-{department | LOWER} and the user's department attribute is Engineering, the system evaluates this to dept-engineering.
Name Resolution: The evaluated expression produces an Access Profile name.
Access Profiles must be named using a predictable, consistent pattern to facilitate resolution. Without consistent naming conventions, dynamic profile resolution will fail to match existing profiles.

Key Characteristics

Name-based Lookup: Dynamic Access Profiles resolve to profile NAMES, not IDs
Naming Convention Critical: Access Profiles must be named using a predictable, consistent pattern
Profile Inheritance Support: Dynamically resolved profiles can inherit entitlements from other profiles

Dynamic and static Access Profiles can be used together in the same action.

Comparison: Static vs. Dynamic Access Profiles

Aspect

Static Access Profiles

Dynamic Access Profiles

Configuration

Prerequisites

Before configuring Dynamic Access Profiles:

Create Access Profiles following a consistent naming convention that includes attribute values
Identify User Attributes that will drive profile selection (e.g., department, location, role)
Plan Naming Pattern that incorporates these attributes predictably

Configuring Dynamic Access Profiles

Navigate to Lifecycle Management > Policies
Create or edit a policy
Add or edit a Manage Relationships action

Formatter Expression Syntax

Dynamic Access Profile expressions use the syntax:

Common Patterns include:

{department} - Direct attribute value
{department | LOWER} - Convert attribute value to lowercase
{OAA.Secondary.Employee.department} - Attribute from a secondary source of identity

You can configure multiple dynamic Access Profile expressions in a single action by clicking Add Profile Name for each additional expression. Each expression is evaluated independently.

Conditional Profile Selection with IF/ELSE

You can use IF/ELSE conditional logic within a Dynamic Access Profile expression to select different profile names based on user attributes. This allows a single expression to evaluate to different Access Profile names depending on the identity's properties.

Syntax:

You can use multiple ELSE IF branches to check several conditions in sequence:

Supported Comparison Operators:

Operator

Meaning

Example

Combine conditions with and, or, or negate with not. Use parentheses to group complex conditions.

Access Profile Name (Field 1)

Access Profile Name (Field 2)

Example: Complex Conditions with Logical Operators

This expression assigns the SalesforceAdmins profile to users who meet the complex department/role criteria, and No_Profile_Selected (a placeholder that resolves to no profile) for everyone else.

Using No_Profile_Selected as a Fallback

When using IF/ELSE logic, the ELSE branch must provide a value. If you don't want to assign a profile when conditions aren't met, use a placeholder name like No_Profile_Selected that doesn't match any actual Access Profile. The system will log that the profile wasn't found and continue processing other profiles gracefully.

Example: Configuring three dynamic profiles for department, location, and role-based access:

Access Profile Name

In this configuration, the user receives entitlements from up to three Access Profiles based on their attributes. Each expression is added as a separate profile in the UI.

Examples

Example 1: Department-Based Access Profiles

Scenario: Provision users to department-specific Access Profiles based on their department attribute.

Access Profile Setup:

Create Access Profiles named: access-profile-engineering,

Example 2: Multi-Attribute Profile Selection

Scenario: Provision users based on both department and business unit for more granular access control.

Access Profile Setup: Create Access Profiles with names combining department and business unit:

TEAM-Engineering-12345

Example 3: Location and Role Combination

Scenario: Provision users based on geographic location and job role.

Access Profile Setup:

US-manager

Example 4: Combining Static and Dynamic Profiles

Scenario: All employees get a base access profile, plus department-specific access.

Manage Relationships Action Configuration:

Access Profiles (static): all-employees-base-access

Example 5: Secondary Node Attributes

Scenario: Use attributes from a secondary identity source.

Setup:

Primary identity: Okta User

Example 6: Multi-Branch Department Selection (Single Field)

Scenario: Assign different Access Profiles based on which department a user belongs to. Since this is one criterion with multiple possible outcomes, use a single expression with ELSE IF branches.

Access Profile Setup:

Legal Department - For Legal department users

Example 7: Independent Criteria (Multiple Fields Required)

Scenario: Assign profiles based on TWO independent criteria—department membership AND user-specific overrides for testing. Since these are unrelated conditions that could both apply simultaneously, use separate fields.

Access Profile Setup:

SalesforceAdmins - For finance/sales department users with Account Manager role

Best Practices

Naming Conventions

Success with Dynamic Access Profiles depends on establishing consistent naming patterns for your Access Profiles:

Use clear delimiters: Choose hyphens or underscores consistently (e.g., dept-engineering for department-based profiles or TEAM-dept-bu for multi-attribute combinations)
Add prefixes to organize: Group profiles by category (e.g., dept-{department}, loc-{location}, TEAM-{dept}-{bu})

Using IF/ELSE Conditionals

Use ELSE IF for related conditions: When selecting one profile from multiple options based on the same attribute (e.g., department), use a single IF/ELSE IF/ELSE expression with multiple branches—this keeps your configuration simple and readable
Use multiple fields for independent criteria: Only add separate Access Profile Name fields when you need to evaluate completely independent conditions (e.g., one profile based on department AND another based on location)
Use fallback placeholders: When a condition shouldn't assign a profile, use a non-existent name like No_Profile_Selected

Timing and Order

Create profiles before processing: Always create Access Profiles before running workflows that reference them
The system performs name lookups at runtime: If a profile doesn't exist, it will be skipped
Plan for new attribute values: When adding new departments, locations, or roles to your organization, remember to create their corresponding Access Profiles first to avoid provisioning gaps

Validation and Monitoring

Before deploying to production, validate your configuration using dry-run mode to confirm profiles resolve correctly and attribute values match profile names exactly. Monitor your Lifecycle Management logs for "Dynamic access profile not found" messages, which indicate naming mismatches or missing profiles.

Troubleshooting

Issue

Cause

Solution

Managing Identities

Manage user identities and lifecycle automation in Veza, including synchronization, access profiles, and workflow triggers for joiner, mover, and leaver processes.

Identities

Identities in Veza Lifecycle Management represent a top-level view of an individual user, used to automate provisioning and deprovisioning across systems, applications, or services.

This can include birthright access managed throughout the user's lifecycle, triggered by joiner, mover, or leaver events, as well as ad-hoc, just-in-time access granted upon approval of an access request.

Identities can refer to users who may be employees, contractors, or external collaborators (partners). Additionally, Veza supports lifecycle management for Non-Human Identities (NHI), such as service accounts, though with a simplified action set. See for details on NHI-specific capabilities and limitations.

With Lifecycle Management, workflows defined within policies dictate the users’ onboarding, job-function change, and offboarding processes, ensuring that corresponding identities have precisely the access they need as their roles evolve or their status within the organization changes. Similarly, access granted to identities may also change as just-in-time access requests are fulfilled or revoked.

The Lifecycle Management > Identities page serves as a central hub for viewing identities known to Lifecycle Management and Access Requests, as well as performing actions on individual identities.

Identities are populated into Lifecycle Management by first identifying the entire user population by integrating their source of identity (SOI) and creating and enabling a policy that uses that data source. A policy does not require configured workflows to begin populating identity data. Enabling a policy against an identity source is sufficient to start the Identities table. This may require enabling a built-in integration for your identity source (e.g., Workday integration), uploading user data in CSV format (CSV Upload integration), or using a custom OAA connector.

See for detailed information on integrating the source of identity.

For Integration management using APIs, see .

Identity Synchronization

Identities are maintained through synchronization with the identity sources. Syncing identities ensures that all systems reflect the most current user state, whether through onboarding, role changes, or attribute updates, keeping access aligned, consistent, and audit-ready.

The Sync Identities action is used for the automatic synchronization of user identities between an authoritative source (such as an HR system or identity provider) and target systems. In the Lifecycle Management workflow, Sync Identities works alongside other key actions:

Manage Relationships (handling group/role memberships)
Deprovision Identity (removing access when users leave the organization)

Synchronization is executed through Lifecycle Management policy workflows. Policy workflows can be defined with triggers and actions to synchronize changes in your identity source with target systems. Additionally, SCIM (System for Cross-domain Identity Management) or OAA (Open Authorization API) can enable identity sync for a wide range of target applications that don't have a built-in Veza integration, but do expose standard user and group management APIs or support bulk data export.

See for more information on usage.
See for detailed information.

Multi-Value Attribute Management

Active Directory supports appending values to multi-value attributes during Identity Sync actions. This allows you to add new values without replacing existing ones.

For detailed information about appending multi-value attributes, including supported attributes, syntax, and examples, see in the Transformers documentation.

Identities Table

Column

Description

Usage

Note: The display name is not the primary unique identifier, as multiple users may share the same first and surname.

Identity attribute display priority

When an identity has multiple sources (primary and secondary), the Identities table displays attributes based on the active status of each source. The "active" status is determined by the is_active field in each source of identity, which typically represents employment or account status (e.g., an active employee in Workday, an active contractor account in a secondary system).

Display Priority:

Primary Source Status

Secondary Source Status

Displayed Attributes Source

This behavior ensures the table reflects the most current and relevant source of identity information. For example, when an employee terminates (primary source becomes inactive) but remains as an active contractor in a secondary source, their attributes are displayed from the contractor system.

Filter and Search an Identity

To start, you can use filtering options to locate specific identities or analyze a group of identities based on standard criteria. The following filters are available on the Identities overview:

Search by name: Locate specific individuals using a name-based search
Department filter: View identities by organizational unit
Status filter: Filter by Active or Inactive employment status

Identity Actions

For each identity record, administrators can perform actions through the Actions menu:

View Details: Access identity information, attribute history, and related accounts
Trigger Workflow: Manually initiate a workflow in a policy
Request Access: Launch an Access Request for additional access (requires Veza Access Requests).
See for customizing the Request Access Template.

View User Details

Click on your selected identity to open the Identity Details view.

The following fields in the Identity Details view are populated with the current user's information:

Title: The user’s position title.
Email: The user's email address.
Providers: A list of assigned integrations. When you click a specific provider, the Integration page opens, displaying the provider's detailed information, including its Entity Categories distribution.

Attribute Overrides

When executing a policy where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment, you can override the existing attribute with a different value until the issue is corrected. For more information, see .

Here are some examples of incorrect or slow-to-update attributes:

Employee termination: An employee has been terminated and needs immediate deprovisioning, but the termination status is not yet reflected at the source of identity
Role changes: An employee has immediately changed roles and needs new birthright access, but the role change and the new manager haven't been updated in the source system
Contract extensions: A contractor's end date has been extended, but the extension isn't reflected yet at the source of identity

To create an Override Value, perform the following:

Select an identity by name.
Click Details.
Click Properties in the Details menu.
Click

Internal metadata

The Internal Metadata tab on the Identity details view exposes Lifecycle Management's internal sync state for an identity. This is useful when troubleshooting stuck syncs, correcting identity mismatches, or forcing a resync after source-of-identity corrections.

For example, if an HR system initially created an employee with the wrong employee ID and the identity was already synced to a target system, Lifecycle Management retains the original mapping in its internal metadata. Correcting the employee ID at the source alone does not clear the stale mapping. The Internal Metadata tab allows administrators to clear the stuck mapping directly, so the next sync cycle picks up the corrected identity.

Enabling the tab

The Internal Metadata tab is hidden by default. To enable it:

Go to Lifecycle Management > Settings > Identity Settings.
Under Display Settings, enable the Show internal metadata toggle.
Click Save.

Enabling this setting requires the administrator role. Once enabled, the Internal Metadata tab appears as the last tab on all Identity detail views.

Metadata sections

The tab displays the following categories of internal state. Use the dropdown to select which sections to display. By default, Synced Entities, Action Run Info, and Workflow Failures are shown. Synced Relationships is available but not displayed by default.

Section

Description

Clearing metadata

Action Run Info, Workflow Failures, and Synced Relationships each have a section-level Clear button that removes all stored metadata for that category. For Synced Entities, clear buttons appear on each individual entity mapping, allowing you to remove specific mappings without affecting others.

Clearing metadata does not modify the target system. It removes Lifecycle Management's record of the prior sync, so the next sync cycle treats the identity as if it has not been synced before and performs a full sync from the identity source.

A confirmation dialog appears before any clear operation. Clearing metadata should be done infrequently and only when the stored state is known to be incorrect.

Audit logging

All metadata edits are recorded as IDENTITY_METADATA_EDIT events in the . Each event includes the identity, the fields that changed, and the previous and new values.

Performing Actions on an Identity

Click the overflow icon (three dots) to display options for performing actions on the identity. Next, click on the desired action:

Trigger Workflow
Request Access
Show in Graph

Trigger Workflow

The Trigger Workflow option is a convenient way to test a specific user in a policy workflow. For example, you can test a new employee's identity in a joiner workflow to evaluate whether they have sufficient access to perform their duties.

Use the Trigger Workflow option to manually run a workflow for a specific user.

To trigger a workflow with a specific user, perform the following steps:

Select a workflow in the dropdown menu.
Click Trigger to run the workflow.

Request Access for an Identity

Requests Access allows for additional or temporary access grants, particularly when a user’s current access is insufficient for their duties.

Use the Request Access option in the Identity Details view to grant access to a specific user while reviewing their detailed information. You can grant access to the user through the following:

Access Profiles option

A collection of entitlements that are granted as part of the user’s identity lifecycle requirements. Access Profiles can:

Define reusable collections of entitlements across multiple target systems by business roles, departments, or functions
Automate consistent access provisioning
Manage access profile types and their capabilities

See and for more information.

To grant an Access Profile, perform the following:

Click the Access Profile radio button.
The Choose from Access Profile window appears.
Enter a Reason for granting the Access Profile for the user.

App option

An App refers to a target system, where user access is provisioned or deprovisioned as part of the identity lifecycle process.

To grant an App, perform the following:

Click the Access Profile radio button.
The Request Grant Access window appears.
Enter a Reason for granting the App for the user.

Entitlements option

Granting Entitlements to a user provides specific access permissions (roles, permissions, group memberships) required to perform their responsibilities.

Note: By granting Entitlements to a specific user, you pre-fill an Access Request with the appropriate configuration settings and policy.

To grant an Entitlement, perform the following:

Click the Entitlements radio button.
The Request Grant Access window appears.
Enter a Reason for granting the Entitlement for the user.

Show in Graph

Use the Show in Graph option to display a graph that represents all assigned Access Profiles, Apps, and Entitlements, including all associations.

This is a graphical representation of John Smith’s assigned access and entitlements to roles/groups.

Workday, Okta, and Active Directory

Guide for implementing automated user lifecycle management across Workday, Okta, and Active Directory

A well-designed identity Lifecycle Management solution automates the provisioning, synchronization of attributes and metadata, and deprovisioning of user accounts across your application and systems ecosystem.

This guide demonstrates how to implement a worker (employees and contractors) Lifecycle Management solution using Workday as the source of identity with downstream user account provisioning and synchronization platforms of Okta and Active Directory (AD). This represents a common enterprise architecture where worker records originate in an HR system and are provisioned to identity and access management systems, while maintaining a seamless, secure, and compliant user lifecycle process.

This guide uses Okta as the Identity Provider example, but the same architecture applies to any Veza-integrated IdP. You can substitute Azure AD, OneLogin, PingOne, or any other supported IdP in place of Okta throughout this guide.

System Architecture

The following diagram shows the complete identity provisioning and synchronization architecture from Workday, a human capital management platform, to Okta and Active Directory, which are identity management systems:

The "Joiner Mover Leaver" (JML) process is a framework for managing users' employment lifecycle access within an organization. Provisioning access begins with onboarding new employees (Joiners), then managing internal transitions (Movers), and finally offboarding departing employees (Leavers).

Lifecycle Management is based on the JML paradigm, where Workday is the authoritative source of identity, which is monitored for the status of the worker based on attributes in their record to determine whether the user is a joiner, mover, or leaver.

JML Process Flow

The joiner, mover, leaver (JML) process flows through the systems as follows:

Prerequisites

Before starting this implementation, ensure you have:

Completed at least one successful extraction for each integration

Implementation Steps

Step 1: Define Access Profiles

First, create Access Profiles that define which application entitlements a group of users will be assigned:

Go to Lifecycle Management > Access Profiles
Click Create Access Profile
Configure a profile for each department or role:

Example: Engineering Department Profile

Example: Marketing Department Profile

Create additional profiles as needed based on your organizational structure.

Step 2: Create a Lifecycle Management Policy associated with Workday

Next, create a Lifecycle Management policy using Workday as the source of identity:

Navigate to Lifecycle Management > Policies
Click Create Policy
Configure the policy:

Step 3: Configure Joiner Workflow

Now add a workflow for new employee onboarding:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Step 4: Configure Mover Workflow

Add a workflow for handling employee role changes:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Step 5: Configure Leaver Workflow

Finally, add a workflow for employee termination:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Step 6: Enable and Test the Policy

After configuring your workflows for joiners, movers, and leavers, you can test your policy using Simulated Dry Runs to check the expected actions when executed.

Another approach to test your policy is to create draft versions. You can make changes to your policy as an iterative draft until you are satisfied with the results. You can then publish the final version and enable it.

As a final verification, make modifications to the Workday application to test your policy's expected performance. Ensure that the downstream applications, Okta and Active Directory, are correct with the modifications.

Test using Simulation Dry Run

Select Workday Employee Lifecycle policy.
Click the overflow menu (three dots icon) at the top of the page.
Select Perform Dry Run.

Test using Draft Versioning

Select Workday Employee Lifecycle policy.
Click Create Draft.
Select Edit Workflow.
Modify any workflow in your policy.

Make changes to the Workday application to test your policy

In your Workday application, update the source of identity to test your policy. The following is a list of suggested changes:

Change the employee’s employee type (ie, from regular to contractor)
Verify account creation in Okta and Active Directory
Change the employee's department and verify group membership updates
Terminate the employee and verify account deprovisioning

Identity Synchronization Configuration Reference

Identity Synchronization is implemented during Lifecycle Management provisioning workflows. It is used to prevent provisioning errors due to duplication of username and/or email address. It supports robust identity sync across downstream applications (Okta and Active Directory) with different naming constraints or enforces unique identifiers.

Use Identity Synchronization if your target system already has an identity with a given attribute (e.g., a username or email is already in use).

Enable Identity Synchronization

Configure the Identity Syncing mode in the policy's . For the Workday to Okta and Active Directory pattern, Sync on changes only is typical: Workday emits reliable change events, so the periodic timer of "Always sync" is usually unnecessary.

Sync Okta Identities

Synchronizes employee records to Okta user accounts, creating and updating user profiles with mapped worker attributes from Workday.

Configuration:

Description: Synchronizes identities to Okta
Target: OktaUser
Create Allowed: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

Conditional Actions

All Employees

Assigns "All Okta Employee Access" profile
Does not remove existing relationships

US Developers

Condition: wd_location eq "US" and department eq "developer"
Assigns developer-specific access profiles
Does not remove existing relationships

Sync Active Directory Identities

Creates and updates on-premises Active Directory accounts with location-specific group assignments and standardized naming conventions for different employee categories.

Configuration:

Description: Synchronizes identities to Active Directory
Target: ActiveDirectoryUser
Create Allowed: Yes

Attribute Mappings

Destination Attribute

Source/Format

Continuous Sync

Notes

Conditional Actions

US Location

Condition: work_location eq "US"
Assigns US Groups
Removes existing relationships

Executive Group

Condition: employee_group eq "Executive"
Assigns the Executive Employee group
Removes existing relationships

China Location

Condition: work_location eq "China"
Assigns China Groups
Removes existing relationships

Deprovisioning Configuration Reference

Defines the procedures for safely removing access when employees leave the organization, including specific handling for each identity provider.

Deprovision Okta Identities

Handles employee offboarding in Okta by disabling accounts while preserving access history and configurations.

Configuration:

Description: Disables identities in Okta
Target: OktaUser
Remove Relationships: No

Deprovision Active Directory Identities

Controls the offboarding process for on-premises Active Directory, including moving accounts to a terminated user's organizational unit.

Configuration:

Description: Disables identities in Active Directory
Target: ActiveDirectoryUser
Remove Relationships: No

Attribute Transformations

Destination Attribute

Value

Continuous Sync

Expanded Joiner/Mover/Leaver Scenarios

Below are more detailed examples of joiner, mover, and leaver scenarios that you can implement using Veza's Lifecycle Management.

Joiner Scenarios

Example 1: Full-Time Employee Onboarding

Example 2: Contractor Onboarding

Mover Scenarios

Example 1: Department Change

Example 2: Promotion to Manager

Leaver Scenarios

Example 1: Standard Termination

Example 2: Involuntary Termination (Security Risk)

Advanced Attribute Transformer Examples

Workday to Okta Transformer (Enhanced)

Workday to Active Directory Transformer (Enhanced)

Advanced Configuration

Using Attribute Overrides

To handle edge cases where standard attribute formatting is not effective, use to define special exceptions. For example:

Contractors vs. Employees: Use different username formats based on employment type
Username Conflicts: Configure fallback formatters for handling duplicate usernames
Location-Specific Naming: Apply different naming conventions based on location or region

Email Write-Back to Workday

Ensure your email addresses remain consistent by configuring email write-back to Workday:

In your Joiner workflow, after the Sync Identities actions, add:
- Add Action > Create Email
- Configure for your email system

This ensures the email created in your systems is written back to Workday as the source of truth.

Conditional Logic Best Practices

When implementing conditional actions, consider these patterns for robust lifecycle management:

Location-Based Conditions

Role-Based Conditions

Employment Type Conditions

Monitoring and Troubleshooting

Activity Log Monitoring

Monitor your lifecycle management workflows using the :

Navigate to Lifecycle Management > Activity Log
Filter by policy name to see all actions for your Workday policy
Look for failed actions and investigate error messages

Common Issues and Solutions

Username Conflicts

If usernames are already taken in target systems:

Configure to handle conflicts
Use employee ID or other unique identifiers as backup username formats

Missing Attributes

If required attributes are missing from Workday:

Use DEFAULT transformers to provide fallback values
Configure conditional logic to handle missing data gracefully

Group Assignment Failures

If group assignments fail:

Verify that referenced groups exist in target systems
Check that service accounts have sufficient permissions
Use conditional logic to assign groups only when they exist

Transformer Reference

Reference guide for supported transformation functions and parameters for attribute transformers

This page includes a comprehensive list of all supported transformer functions and parameters. Some commonly used transformation functions include:

Replacing a character with a different one
Removing domains from email addresses
Transforming to upper, lower, title, sentence, camel, or snake case
Using a substring from the original value

See for configuration details, or for terminology definitions.

Reading the Examples

Each transformer below includes three types of examples:

Basic Usage: Shows the transformer used alone with a simple source attribute
In a Pipeline: Demonstrates chaining multiple transformers together
Example: Provides practical context from Lifecycle Management scenarios

Copy-paste these examples directly into your attribute transformer configuration, adjusting attribute names to match your source of identity.

APPEND

This transformer enables string concatenation by appending text to the end of attribute values during identity provisioning workflows.

Parameter Format

Characters (STRING, required)

ASCII

Removes non-printable characters and replaces non-ASCII characters with their closest ASCII equivalents. Particularly useful for Active Directory sAMAccountName and other legacy systems with strict character requirements.

Note: The ASCII transformer performs operations on the base level, not the extended set.

ASSUME_TIME_ZONE

Interprets the incoming time string as if it were in the specified time zone, then converts it to a UTC time. (example: if the input is "1/2/2025 11pm" and the defined time zone is America/Los_Angeles the function will treat "1/2/2025 11pm" as local time in Los Angeles and output the corresponding UTC time "1/3/2025 7am")

COUNTRY_CODE_ISO3166

Transforms country code to ISO 3166 format.

defines codes for the representation of country names, dependent territories, and their subdivisions

DATE_ADJUST

Adjusts date values based on hour, day, month, and year inputs. Provides full control over all time components for complex date manipulation.

Parameter Format

DATE_ADJUST_DAY

A convenience transformer that adjusts date values by a specified number of days only. Use this for simple day-based calculations; use DATE_ADJUST for more complex adjustments involving hours, months, or years.

Parameter Format

DATE_FORMAT

Description: Converts a timestamp to a formatted date string using Go time layout syntax.

Syntax: {attribute | DATE_FORMAT, "layout"} or {attribute | DATE_FORMAT, "output_layout", "input_layout"}

Parameters:

Parameter

Required

Type

Description

Returns: String — the formatted date/time string

Examples:

Input

Expression

Output

Go date format reference

The reference date Mon Jan 2 15:04:05 MST 2006 breaks down as:

Component

Reference Value

Meaning

Common format patterns

Output Format

Go Layout String

Example Output

Named format aliases

Instead of Go layout strings, you can use these named aliases (case-insensitive):

Alias

Equivalent Layout

Example Output

For the full list of named aliases (including kitchen, rfc822, rfc1123, stamp, and others), see Go's standard .

Notes:

Input must be a valid timestamp
Use with or for timezone handling
When parsing non-standard input dates, provide both output and input layouts

FIRST_N

Picks the first N characters of a string. Useful for creating shortened identifiers or initials.

Parameter Format

Length (NUMBER, required): Number of characters to return

FROM_ENTITY_ATTRIBUTE

Looks up an entity in the Veza graph by matching an attribute value, then returns a different attribute from that entity. This is useful for cross-referencing related entities, such as finding a manager's email from an employee ID.

Parameter Format

FROM_MANY_ENTITIES_ATTRIBUTE

Looks up multiple entities in the Veza graph by matching an attribute value, then returns a specified attribute from all matching entities as a combined string. Use this when an input value may match multiple entities and you need all their values.

Parameter Format

LANGUAGE_RFC5646

Transforms language to RFC 5646 format.

defines "Tags for Identifying Languages." It does not contain a fixed, exhaustive list of language codes within the RFC itself. Instead, it specifies the structure and rules for constructing language tags, which are then built using codes from various external standards and registries.

LAST_N

Picks the last N characters of a string, where N is the number of characters to return.

Parameter Format

Length (NUMBER, required)

LEFT_PAD

Adds padding characters to the left side of a string until it reaches the specified length. Useful for creating fixed-width identifiers.

Parameter Format

Length (NUMBER, required): Target string length Pad (CHARACTER, optional): Character to use for padding (default is space)

LOOKUP

Transforms a value using a lookup table defined in your Lifecycle Management policy. Essential for mapping codes to descriptive values or standardizing data across systems.

Parameter Format

LOWER

Description: Converts all characters in a string to lowercase.

Syntax: {attribute | LOWER}

Parameters:

Parameter

Required

Type

Description

Returns: String — the input value with all characters converted to lowercase

Examples:

Input

Expression

Output

Notes: Only affects alphabetic characters. Numbers and special characters pass through unchanged.

LOWER_SNAKE_CASE

Transforms string to lowercase with underscores.

Parameter Format

None (no parameters required)

LOWER_CAMEL_CASE

Transforms a string to lower camel case (also known as dromedaryCase). The first word is lowercase, and subsequent words are capitalized with no separators.

Parameter Format

NEXT_NUMBER

Generates a set of alternative values by appending sequential numbers. Essential for handling unique constraint conflicts during user provisioning. Returns an empty string first, then "2", "3", "4", etc.

Parameter Format

NEXT_NUMBER Max Length

This transformer supports an optional maximum length parameter to simplify complex username generation workflows. It automatically evaluates combined strings (such as {first_name}_{last_name}) and truncates to specified character limits before appending numerical suffixes.

NOW

Returns the current time in UTC. An optional argument indicates the outgoing time format; by default, the RFC3339 format.

Parameter Format

String (Optional) - Format

PHONE_NUMBER_E164

Transforms a phone number into the E.164 format.

E. 164 numbers are formatted [+] [country code] [subscriber number including area code] and can have a maximum of fifteen digits. Parameter Format

PREPEND

Adds text to the beginning of attribute values. Useful for adding prefixes like organization codes or type indicators.

Parameter Format

Characters (STRING, required): Text to add at the beginning

RANDOM_ALPHANUMERIC_GENERATOR

Generates a random alphanumeric string.

Parameter Format

RANDOM_INTEGER

Generates a random integer value between specified minimum and maximum values (inclusive). Useful for creating unique test IDs or temporary identifiers. Does not require an input value.

Parameter Format

RANDOM_NUMBER_GENERATOR

Generates a random number string.

Parameter Format

Length (NUMBER, required)

RANDOM_STRING_GENERATOR

Generates a random string.

Parameter Format

Length (NUMBER, required)

REMOVE_CHARS

Removes all instances of specified characters from a string. Useful for cleaning up data and removing unwanted punctuation or special characters.

Parameter Format

REMOVE_DIACRITICS

Removes diacritics (accents, etc.) from input string.

Parameter Format

None (no parameters required)

REMOVE_DOMAIN

Removes the domain portion from an email address, leaving only the username. One of the most frequently used transformers for generating usernames from email addresses.

Parameter Format

REMOVE_WHITESPACE

Removes all whitespace characters (spaces, tabs, newlines) from a string. Useful for creating compact identifiers and ensuring data consistency.

Parameter Format

REPLACE_ALL

Description: Replaces all occurrences of a substring with a replacement string.

Syntax: {attribute | REPLACE_ALL, "search", "replacement"}

Parameters:

Parameter

Required

Type

Description

Returns: String — the input with all occurrences of search replaced by replacement

Examples:

Input

Expression

Output

Notes:

Case-sensitive matching
To remove characters, use an empty string as the replacement: REPLACE_ALL, "x", ""
For removing multiple different characters, consider instead

RIGHT_PAD

Right pads a string with a character.

Parameter Format

Length (NUMBER, required),

SENTENCE_CASE

Capitalizes only the first non-whitespace character of a string and lowercases the rest. Preserves any leading whitespace. Useful for standardizing sentence-formatted text fields.

Parameter Format

SPLIT

Splits a string and returns the string at the given index.

Parameter Format

Split String (STRING, required), Index (NUMBER, required)

SUB_STRING

Description: Extracts a portion of a string starting at a specified position.

Syntax: {attribute | SUB_STRING, offset, length}

Parameters:

Parameter

Required

Type

Description

Returns: String — the extracted substring

Examples:

Input

Expression

Output

Notes:

Index is 0-based (first character is position 0)
If offset + length exceeds the string length, returns characters up to the end
For extracting just the first N characters, consider as a simpler alternative

TITLE_CASE

Capitalizes the first letter of each word and lowercases the rest. Also handles dot-separated values by capitalizing the first letter of each segment. Useful for formatting names and titles.

Parameter Format

TRIM

Removes leading and trailing whitespace from a string. Essential for cleaning up data from external systems.

Parameter Format

None (no parameters required)

TRIM_CHARS

Removes all specified characters from both the beginning and end of a string. Useful for removing padding characters or cleaning up formatted data.

Parameter Format

Characters (STRING, required): String containing all characters to remove from both ends

TRIM_CHARS_LEFT

Removes all specified characters from the beginning of a string only. Useful for removing leading zeros or prefixes.

Parameter Format

Characters (STRING, required): String containing all characters to remove from the beginning

TRIM_CHARS_RIGHT

Removes all specified characters from the end of a string only. Useful for removing trailing characters or suffixes.

Parameter Format

UPPER

Description: Converts all characters in a string to uppercase.

Syntax: {attribute | UPPER}

Parameters:

Parameter

Required

Type

Description

Returns: String — the input value with all characters converted to uppercase

Examples:

Input

Expression

Output

Notes: Only affects alphabetic characters. Numbers and special characters pass through unchanged.

UPPER_CAMEL_CASE

Transforms a string to upper camel case.

Parameter Format

None (no parameters required)

UPPER_SNAKE_CASE

Transforms string to uppercase with underscores.

Parameter Format

None (no parameters required)

UTC_TO_TIME_ZONE

Interprets the incoming time string as if it were in UTC and then converts it to the specified time zone. (example: if the input is "1/2/2025 11pm" and the specified time zone is America/Los_Angeles the function will treat "1/2/2025 11pm" as the UTC time zone and output the corresponding America/Los_Angeles

UUID_GENERATOR

Generates a UUID.

A UUID (Universally Unique Identifier) is a 128-bit identifier used to uniquely identify information in computer systems.

Parameter Format

ZERO_PAD

Adds left zero-padding to numerical string values until they reach the specified length. If the input is non-numeric, it passes through unchanged. If the numeric value is already longer than the specified length, it remains unchanged.

Parameter Format

Lifecycle Management FAQ

Frequently asked questions about Veza's Lifecycle Management for automated identity and access governance

This document addresses common questions about Lifecycle Management (LCM) for automated identity and birthright access governance across systems and applications.

Overview

The questions in this document are designed to introduce key concepts and address common questions that often arise during deployments. Please contact your support team with additional questions and feedback. Note that specific functionality may depend on the features and integrations enabled in your environment.

Learning more

Your Lifecycle Management configuration can be straightforward or complex, depending on your organization's needs. To learn more about general implementation patterns, see and .

Dry Run Testing

Can I test policy changes before making them live?

Yes, dry run simulations let you safely preview policy changes before deployment. Dry run evaluates workflow logic and shows what actions would occur without making actual changes to target systems. You can test a single identity or run bulk dry runs against multiple identities with filtering options.

What does a dry run test?

Dry run evaluates the selected identity against all workflows in a policy and shows:

Matched workflows: Which workflows triggered and why
Planned actions: What provisioning or deprovisioning would occur, including full action configuration details

Policy Configuration

What happens when an action fails in a workflow?

When an action fails, the entire workflow retries on the next policy run—not just the failed action. All actions (including previously successful ones) re-execute unless configured with "Skip if action has already been run".

Retry configuration (API only):

Property

Description

Default

What is the "Skip if action has already been run" option?

This safety mechanism prevents the same action from executing multiple times for the same identity, even if the workflow re-triggers. LCM tracks successful completions per identity and skips the action if already completed.

Enable for one-time actions:

Create Email, Welcome notifications, Initial Password Setup, One-time provisioning

Disable for repeatable actions:

How do I enable a new lifecycle management policy?

Creating a policy involves configuring your source(s) of identity, workflows, and actions to automate lifecycle events:

Create Policy: Go to Lifecycle Management > Policies > Create Policy

How do I temporarily disable workflows or actions?

You can pause or disable specific workflows and actions within a policy for safer testing and gradual rollouts, without deleting or modifying the underlying configuration. Disabled workflows and actions are skipped during policy execution, and the policy editor displays them with a "Disabled" tag.

Disabled workflows are still evaluated during Dry Run simulations by default, so you can test workflow logic before enabling it in production.

What is the Continuous Sync option, and why should I use it?

Continuous Sync keeps a provisioned user's source attributes automatically updated in target systems after initial provisioning, rather than syncing only once at creation time.

Why use Continuous Sync:

Keeps downstream systems current - Attribute changes (title, manager, department) propagate automatically

Why are secondary sources of identity optional if an admin can add multiple primary sources?

Secondary sources of identity are not redundant, despite the availability of multiple primary sources. They serve fundamentally different purposes:

Primary Sources of Identity (SOI):

Must all be of the same entity type (e.g., all Worker entities from Workday).

Access Profiles

What are Access Profiles, and how do they work with LCM?

Access Profiles are collections of entitlements (groups, roles, or permissions) that can be automatically assigned to users based on their attributes. They serve two key functions:

Birthright Access: Automatically assigned through policy workflows during joiner/mover/leaver events via the Manage Relationships action

Safety and Limits

What safety mechanisms prevent unintended mass changes?

Lifecycle Management provides two independent safety limit mechanisms that can be used individually or together for layered protection:

Hard Limit (formerly "Safety Limit") — A reactive mechanism that halts processing during execution after the configured number of identity changes has been reached. When triggered, no further identity changes are processed for the current policy run.

Configured with max_identities_affected_count

How do I configure parallel execution settings?

Lifecycle Management supports parallel workflow processing, allowing multiple workflows to run concurrently. Configure parallel execution using the private API endpoint at /api/private/lifecycle_management/parallel_execution_settings.

Key settings include:

jobs: Maximum concurrent policy jobs

Why does the Hard Limit get exceeded when running tasks in parallel?

When a policy runs with parallel execution enabled, the Hard Limit may be exceeded by a small amount. This happens because multiple tasks that are already running can complete before the system detects that the threshold has been reached. Once the overshoot is detected, all remaining tasks are halted and blocked for manual review.

The amount of overshoot is proportional to the number of tasks allowed to run at the same time. For example, if parallel execution allows 10 concurrent tasks and the Hard Limit is set to 5, up to approximately 10 changes may complete before the remaining tasks are blocked.

This is expected behavior. The Hard Limit still acts as a safeguard by halting all remaining tasks once the overshoot is detected.

To enforce the Hard Limit with no overshoot, set the parallel task count to 1. Each task will finish and report back before the next one begins, giving the system an accurate count at every step. The tradeoff is that tasks will take longer to complete.

Notifications

When should I use policy-level notifications vs action-level notifications?

Lifecycle Management supports notifications at two levels with different capabilities:

Feature

Policy-Level

Action-Level

Access Request Notifications

Do administrators need to configure notifications for Access Request events?

Yes, administrators must explicitly configure notifications for Access Request events. Notifications can be configured for six event types (created, action run, completed, failed, state changed, approver assigned), with recipients selected from five categories: Approvers, Creator, Beneficiary, Watchers, or specific email addresses.

Configure notifications through Lifecycle Management > Settings > Access Request Settings > Notifications, or via the Access Request Settings API. Note that there is no "all admins" option—administrators receive notifications only when explicitly configured as approvers, creators, watchers, or listed in other_emails.

How do I control or stop Access Request notifications?

Access Request notifications are sent to five recipient categories: Approvers, Creator, Beneficiary, Watchers, and other_emails (specific addresses). Administrators receive notifications only when explicitly configured in one of these roles—there is no "all admins" setting.

Common issue: If you're receiving unwanted notifications, you're likely configured as a default approver for Access Requests with to_approvers=true enabled. For customers migrated from pre-August 2025, all recipient types are enabled by default.

Solutions:

Does the notification body support rich text HTML?

Yes, notification templates fully support HTML and CSS. You can use standard HTML markup, inline styles, images, and links in all Lifecycle Management and Access Request notification templates.

Key Capabilities

Standard HTML tags (<html>, <body>

Data Processing and Extraction

When does LCM evaluate identities for CSV/OAA data sources?

LCM processes identities from CSV and OAA-based data sources only when specific events occur, unlike native integrations that can pull data on demand.

Trigger Events for Identity Processing

For CSV and OAA data sources, extraction and identity evaluation occur when:

New Data Push - A new CSV file is uploaded or an OAA payload is pushed

What happens when an extraction takes longer than the scheduled interval?

Veza has built-in guardrails to prevent overlapping extraction jobs for the same data source. A new extraction job is enqueued only if there is no pending or in-progress job for that data source.

Job Scheduling Behavior

When an extraction is scheduled to run every hour but takes longer than one hour to complete:

CSV Upload and Transformations

Can I transform CSV data during upload for LCM?

Yes, Veza supports data transformations when uploading CSV files for HRIS and application data sources. This allows you to manipulate and format data during the upload process without preprocessing.

Supported Transformations

Transformations can be applied to CSV columns during mapping configuration:

String Operations: Concatenation, splitting, case conversion

Integrations

Does Veza support custom Active Directory attributes and moving users between organizational units (OU)?

Yes, Lifecycle Management fully supports both custom Active Directory attributes and moving users between organizational units.

Custom Attributes: You can synchronize custom AD attributes (like hrdivisionID, cost center, or other organizational data) from your source of identity. First, add custom properties in your AD integration configuration (in the Custom Properties step of the integration wizard), then map them in your LCM policy's Sync Identity action using attribute transformers. After enabling custom attributes for the integration, they can be set for new and existing users just as standard AD attributes.

Moving Between OUs: You can move users between organizational units by modifying the user's distinguishedName

What is the difference between sources of identity and target applications in Veza Lifecycle Management?

There are two different types of integrations supported by Lifecycle Management:

Source of Identity (SOI): These are authoritative systems that provide definitive information about user identities and their status within an organization. Common examples include Human Resource Information Systems (HRIS), corporate directories, and Identity Providers (IdPs). While Veza typically does not require write permissions to these sources, some can also serve as provisioning targets and support write-back of newly created user attributes, such as an email address.

Do target applications have special integration requirements?

Veza provides comprehensive coverage for target applications through a multi-faceted approach:

Native Integrations: Veza offers native, full CRUD-based provisioning and deprovisioning for numerous applications and platforms, including IdPs, directories, cloud platforms, business and productivity applications, databases, developer platforms, and more. These integrations typically provide deeper control over entitlement management and support user lifecycle actions (onboarding/offboarding) beyond basic account creation.

What Source of Identity (SOI) systems are supported?

Veza LCM supports a variety of Source of Identity systems to serve as authoritative sources for user identity information.

Built-in SOI Systems include:

Beeline - Shift-based workforce management system

What SCIM attributes does Veza support?

Veza supports SCIM 2.0 attributes for both read-only data extraction and Lifecycle Management synchronization. The specific attributes available depend on whether you're extracting data for the Access Graph or synchronizing user/group information through LCM.

Core User Attributes

For LCM Synchronization, Veza supports the standard SCIM user attributes including:

Identity & Authentication

Which SOI systems support email writeback?

Email writeback capability allows LCM to update the Source of Identity with newly created email addresses during provisioning workflows.

Systems Supporting Email Writeback

Currently, only a limited subset of integrations support email writeback actions:

Oracle HCM

What target systems are supported natively and via SCIM?

Veza LCM supports provisioning across target systems through native integrations and SCIM protocol compatibility.

Supported Categories

Native Integrations (Full lifecycle support):

Identity Providers: Okta, Azure AD, Active Directory, AWS SSO

Advanced Configuration

What optional features can be enabled for LCM?

Lifecycle Management includes core workflow capabilities, with additional features available depending on your configuration needs. Some features that were previously gated are now available by default, while others require configuration or enablement.

Are password reset and access review actions available by default?

Yes, the Reset Password and Create Access Review workflow actions are now generally available as standard LCM functionality. These action types appear as available options when configuring workflow actions in LCM policies.

Additionally, Secondary Sources of Identity are also now generally available, allowing you to configure secondary identity sources in policies without requiring special enablement.

How does Veza determine the active state and other attributes when an identity has both primary and secondary sources?

When a policy identity has both primary and secondary sources, Veza determines which source's attributes to display in the Identities table—including the identity's active state—based on the is_active field from each source. The is_active field typically represents employment or account status (e.g., an active employee in Workday, an active contractor in a secondary system).

Default behavior:

Lifecycle Management Troubleshooting

How can I export or view the complete JSON configuration of a policy?

The Show Raw JSON optional feature allows you to view and export the complete JSON representation of a Lifecycle Management policy for debugging and troubleshooting purposes.

Accessing Raw JSON

To view the raw JSON configuration:

Go to Lifecycle Management

What roles can access Lifecycle Management and Access Profiles?

Access to Lifecycle Management and Access Profiles is managed through Veza's role-based permission system. User permissions can vary based on their assigned roles and team membership, enabling separation of duties and security controls across the platform.

Only Administrator roles have full management capabilities for LCM policies and Access Profiles. All other roles provide various levels of read-only access, with some specialized roles offering additional functionality like integration management or review assignment.

Role Categories and Access Levels

Veza roles fall into two availability tiers that determine their LCM access capabilities. Generally Available roles can be assigned without additional configuration, while Early Access roles

Why isn't my workflow triggering for certain users?

Several factors can prevent workflows from triggering. Here are some recommended diagnostic steps:

Attempt a Dry Run Simulation

Lifecycle Management

Key features

In this section

Core concepts

Policies

Workflows

Access Profiles

Actions

Attribute transformers

Conditions and transformers

Notifications

Getting started

Policies and Workflows

In this section

Deprovision Identity

Custom Action

Write Back Email

Example: Exchange Server onboarding with email write-back

Send REST Request

Variable Substitution

Form field substitution (Access Requests only)

Standard Active Directory attributes available for substitution

Response Handling

HTTP Method Guidelines

Authentication Patterns

Limitations

Send Notification

Create Access Review

Get Node From Graph

Example: Verify Jira User Before Provisioning

Output and Downstream Usage

1. Condition branching

2. Filter template variables in subsequent actions

3. Chaining multiple graph lookups

Test Policies with Dry Run

Overview

Disable Workflows and Actions

Overview

Disable a workflow

Disable an action

Test disabled workflows with dry run

Re-enable a workflow or action

See also

Lifecycle Management

Key features

In this section

Core concepts

Policies

Workflows

Access Profiles

Actions

Attribute transformers

Conditions and transformers

Notifications

Getting started

Policies and Workflows

In this section

Key concepts

Related topics

Disable Workflows and Actions

Overview

Disable a workflow

Disable an action

Test disabled workflows with dry run

Re-enable a workflow or action

See also

Write Back Email

Example: Exchange Server onboarding with email write-back

Custom Action

Send Notification

Deprovision Identity

Email Template Selection

Deprovisioning methods

Get Node From Graph

Example: Verify Jira User Before Provisioning

Output and Downstream Usage

1. Condition branching

2. Filter template variables in subsequent actions

3. Chaining multiple graph lookups

Create Access Review