Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Introduction to Lifecycle Management with Veza
Veza's Lifecycle Management (LCM) solution empowers organizations to automate and streamline the management of user identities and access rights throughout the employee lifecycle. From onboarding to role changes and offboarding, automated LCM workflows ensure that the right people have the correct access at the right time.
Automated Provisioning and De-provisioning: Streamline granting and revoking entitlements as employees join, move within, or leave the organization
Environment-wide Synchronization: Keep user attributes and access rights consistent across applications and platforms
Customizable Workflows: Design tailored processes for different lifecycle events and user segments
Compliance and Audit Support: Maintain detailed records of access changes to support compliance and audit efforts
Integration with Identity Providers: Integrate with identity providers and HR systems, import HR data from CSV, or use a custom OAA template
Policies define the rules and actions for managing identities throughout their lifecycle. They specify what actions should occur when there are changes in a source of identity, such as when a user is created or their attributes change.
After configuring a policy for a source of identity in your organization, Veza Lifecycle Management tracks the source for changes. When employee records are added or changed, actions will trigger based on the workflows and actions specified in the policy.
Workflows are sequences of actions within a policy that execute based on specific conditions. They enable automation of lifecycle management processes such as onboarding, role changes, and offboarding.
Workflows only execute actions on users that meet specific conditions, and Policies can contain more than one Workflow. This enables you to create a single policy for your source of identity that contains multiple workflows, with one applying to new hires, another applying to terminated employees, and so on for the different JML scenarios you want to automate.
Learn more about Workflows
Access Profiles define sets of entitlements (such as group memberships or role assignments within a target application) that should be granted to users based on their role within the organization (or another distinguishing attribute). You can use Access Profiles to define both Business Roles – segments of employees, and Profiles – collections of entitlements in a target application.
Assigning Business Roles to the Profiles they should inherit enables you to define the birthright entitlements for different types of employees in your organization. You can then assign those Business Roles when configuring workflows that add or remove access to an application.
Learn more about Access Profiles
Lifecycle Management Actions are tasks performed within a workflow, such as creating a user account, assigning group memberships, or disabling an account. Actions can be combined to trigger in sequence when there are changes in the source of identity. Actions can run for any identity that meets the workflow conditions, or only apply when action-level conditions are met.
Learn more about available Actions
Transformers allow you to modify and format user attributes when synchronizing data between systems, ensuring consistency and compatibility when creating users across applications.
Lifecycle Management will provision new users with these attributes and can keep their accounts up-to-date when there are changes in the source of identity. Target entity attributes can be set to specific values or use metadata from the source of identity, and support a range of transformation functions.
Learn about Transformers
Customize email notifications sent during Lifecycle Management events and Access Request workflows. You can personalize messaging, add branding, and include event-specific information through placeholders.
Learn more about Notification Templates
Enable Integrations: Configure your data sources and enable them for Lifecycle Management. Lifecycle Management Integrations
Define Access Profiles: Create profiles that map your organizational structure to application-specific entitlements. Creating Access Profiles
Create Policies: Add policies to automate identity management processes. Building Lifecycle Management Policies
Configure Workflows: Design workflows within policies to handle specific lifecycle events. Configuring Workflows
Managing and monitoring Lifecycle Management from a central dashboard
The Lifecycle Management Dashboard provides a centralized interface for monitoring automatic provisioning and deprovisioning of user access - both birthright access granted by Veza Lifecycle Management and just-in-time access granted by Veza Access Reviews. This dashboard gives you an at-a-glance view of your configuration, status, and recent activity.
The dashboard is the primary landing page for Lifecycle Management and Access Requests and can help with routine monitoring, error resolution, policy validation, activity review, and integration health checks.
The dashboard is organized into several key sections:
Policies: Displays your most recently updated Lifecycle Management Policies and their status
Access Profiles: Shows configured Access Profiles and usage metrics
Identities: Provides a visualization of managed identities
Integrations: Top Integrations enabled for Lifecycle Management and Access Requests along with any error statuses
Access Requests: Tracks pending and completed access requests
Errors: Displays recent Lifecycle Management and Access Requests errors requiring attention (past day, week, or month)
Recent Activity: Shows the most recent Lifecycle Management and Access Requests Events
To navigate to more detailed information, click on any section heading to open the related overview. Click on specific items (such as a policy or integration) to view or edit configuration details.
From the dashboard, you can perform common tasks including:
Create a new policy: Click the "Create Policy" button in the Policies section
Configure Access Profiles: Click the "Create Access Profile" button in the Access Profiles section
Set up a new integration: Click the "Set up Integration" button in the Integrations section
Monitor system health: Review the Errors section for any issues
Track recent changes: Review the Recent Activity section for a log of recent events
Filter activity by time period: Use the time period dropdown (e.g., "Past day") to adjust the view
The Policies section displays all configured Lifecycle Management policies with their current status. Each policy shows its name, associated identity source, number of identities managed, and current status (Running/Stopped).
You can view all policies at a glance, create new ones with the "Create Policy" button, see which policies are actively running, access detailed configuration by clicking on a specific policy, and verify that policies in "Running" status should be active. Learn more about creating and managing policies.
The Access Profiles section shows the total number of configured access profiles and provides a visual representation of profile activity. Access profiles define sets of entitlements granted to users based on their roles.
You can see the total number of configured profiles, create new ones using the "Create Access Profile" button, view profile activity and utilization, and access detailed configuration by clicking into the section. Learn more about Configuring Access Profiles.
The Identities section provides a visual representation of all identities managed through Lifecycle Management and Access Requests. The chart displays the distribution of identities by type or status, giving you an immediate understanding of your identity landscape.
This visualization helps you understand the overall composition of your managed identities, identify distribution patterns across different categories, and track changes in identity distribution over time.
The Integrations section lists all systems connected to Lifecycle Management and Access Requests, displaying the total number of integrations, error status and counts, recently created integrations, and last update timestamps. For each integration, you can see its name and type, current status (including error indicators), and last update timestamp. You can set up new integrations using the "Set up Integration" button, identify and troubleshoot integration errors, and view all integrations by clicking "View all." Review this section regularly to identify any integrations with error states. See Lifecycle Management integrations for more information.
The Access Requests section tracks pending access requests, recently completed requests, and request status (Pending, Completed, Rejected, Cancelled). This section provides visibility into the access request process, allowing you to monitor request volume and status, track completion rates, and identify potential bottlenecks in the access request workflow.
The Errors section displays any Lifecycle Management and Access Requests errors that require attention. When functioning normally with no issues, this section will display "No issues found." If errors occur, this section will list the specific errors, provide context about when and where they occurred, and offer guidance on troubleshooting and resolution. Check this section regularly for any reported issues.
The Recent Activity section shows a chronological log of Lifecycle Management and Access Requests events, including event type, timestamp, affected identity, and entity name. Examine this section to identify any unusual patterns or failed operations. This activity log helps you track recent actions, verify that expected changes have occurred, identify patterns or issues in lifecycle events, and monitor the overall health of your Lifecycle Management or Access Requests implementation.
After familiarizing yourself with the dashboard:
Map application entitlements to user populations based on common roles, functions, levels, or locations in the organization.
Access Profiles govern how application entitlements are assigned to employees across your organization. These profiles define how birthright access should be granted based on segmentation criteria, which could include business role, job function, seniority level, location, or group membership. Access Profiles are used by the Manage Relationship action to assign users to specific groups, roles, permission sets, or other access-granting entities when specific conditions are met.
Profiles can be configured hierarchically to create a fine-grained model of how access should be assigned to different groups of employees. Administrators can position child profiles underneath a parent profile, with each child profile inheriting the entitlements from the parent profile.
For instance, a parent profile might be "Sales" (defining all the application entitlements that an individual belonging to the Sales organization should be granted), with child Profiles for "Account Executive," "Sales Engineering," "Sales Operations," and "Inside Sales." Each child Profile will have additional application entitlements specific to those roles. With these profiles configured, a workflow in policy for sales engineers can use just the "Sales Engineering" Profile, which includes the access defined by the "Sales" profile.
Executive Employees
Active Directory
Executive Employee - Manager US (Active Directory Group)
US Engineering Managers
Active Directory
Engineering - Manager US (Active Directory Group)
Azure Helpdesk Role
Azure
Helpdesk Administrator (Azure AD Role)
Google Asia Employees
Google Cloud
Google Asia Employees (Google Group)
Since workflows in Lifecycle Management policies can apply these Profiles at all stages in a user's lifecycle, defining Profiles enables Veza to serve as a source of truth for birthright entitlements for all employees. Access Profiles also define what access-granting relationships to remove from users during de-provisioning workflows.
The access granted by a Profile can be defined by both:
Explicitly-defined, application-specific entitlements, such as roles, groups, permission sets, etc., within the Profile. A single Access Profile can support granting one or more entitlements across one or more applications simultaneously.
Any entitlements inherited from a parent Profile.
The example below shows Business Roles for teams, managers, and all employees, along with Profiles for different applications. When configuring workflow actions, administrators can choose from one or more Business Profiles to assign the entitlements granted by the child Profiles.
Veza offers two types of built-in Access Profile types for defining birthright entitlements by user segments:
Profiles are a type of Access Profile for defining access-granting relationships (such as user assignments to groups or roles) within the applications you will provision to users. Profiles are intended to represent a specific set of entitlements across one or more applications that should be granted based on a user's segmentation criteria.
Profiles should be configured in coordination with the application owner, who will best understand the exact permissions and privileges granted by various groups, roles, and other entitlements in each specific application.
Business roles are a type of Access Profile used to model your organization's structure, based on a hierarchy of job functions, locations, and titles. Ideally by itself, a Business Role should not describe specific entitlements but can inherit relationships from other Profiles. These will usually be named according to logical segments that should be assigned to different applications with different levels of access, such as "Sales," "QA Contractors," or "Engineering Managers."
Business Roles can inherit Profiles to enable a hierarchical approach to birthright access management. You should draft and review Access Profiles to create a map of user entitlements for each application (such as "GitHub Developers" or "Salesforce Administrators").
Create Business Roles that align with your organizational structure, especially taking location, business unit, and functional organization into consideration. Then, configure these Business Roles to inherit Profiles that describe the birthright entitlements granted to different user populations.
To create and manage Access Profiles, go to Lifecycle Management > Access Profiles.
Click Create Access Profile
Under Access Profile Details, choose the Profile Type to create:
Business Role: Business roles are intended to represent logical units within your organizational structure, and can inherit entitlements defined in other Access Profiles. Use Business Roles to establish segmentation criteria based on location, role, business unit, or functional organization.
Profile: Profiles define entitlements that can be assigned to users in target applications, such as groups, roles, or permission sets assigned to users as birthright entitlements. Profiles cannot be inherited from other Access Profiles, but can be inherited by Business Roles. Use this profile type to define the birthright entitlements within one or more applications (such as group memberships or role assignments).
Profile Name and Description: You should follow a standard naming convention for all profiles to help identify them, describing the employee segment or applications the Access Profile applies to.
Profile Labels: Labels are available for quickly finding access profiles when configuring actions in a policy. Apply and create labels as needed to organize your Access Profiles by the employee segments and applications they apply to.
Assigned Relationships:
Click Add Relationship
Choose the type of relationship to add:
Access Profile: Use the Relationship menu to pick one or more Access Profiles to grant those business roles or entitlements. This option is not available for Access Profiles with the "Profile" type.
Relationship: Choose the target data source and specific entities the Profile will govern access to (such as Google Cloud Platform > Google Group). This option is not available for Access Profiles with the "Business Role" type.
Click Assign to save the changes.
After saving an Access Profile, you can view details, edit, or pause and resume it on the Lifecycle Management > Access Profiles page.
When configuring a policy to include the Manage Relationships action, you can choose from any active profiles for the target data source.
Understanding the Lifecycle Management Activity Log for tracking provisioning operations
The Lifecycle Management Activity Log provides visibility into all provisioning operations performed by Veza's Lifecycle Management system. It serves as a record of all activities, including successful actions, errors, and failures.
A Lifecycle Management policy defines automated workflows that execute when changes occur in a source of identity. The Activity Log tracks all aspects of these operations through a hierarchical structure:
Policies define the overall automation framework for managing identities
Workflows determine which actions should be executed for specific identities
Actions represent specific operations to be performed on target systems
Jobs are individual tasks executed as part of actions
Events record atomic changes resulting from successful jobs
The Activity Log provides four views of this activity across different tabs: Events, Jobs, Actions, and Workflow Tasks.
Each tab can help track recent actions, verify that expected changes have occurred, identify patterns or issues in lifecycle events, and monitor the overall health of your Lifecycle Management implementation.
The Events tab shows individual changes made to entities and relationships within the system. Each event represents an atomic change resulting from a successful action.
The Jobs tab displays individual jobs executed as part of actions. Jobs represent specific tasks performed on target systems, such as creating a user account or updating attributes. Use this tab to review whether individual jobs executed successfully or encountered an error and could not be completed.
The Actions tab shows high-level operations triggered by workflows. Actions typically involve one or more jobs that work together to accomplish a specific goal.
See for more details on supported actions and configuration options.
The Workflow Tasks tab displays workflows executed for specific identities. Workflows represent a sequence of actions executed as part of a Lifecycle Management .
For each identity, Lifecycle Management follows this process:
Validation: The system validates the identity against workflow trigger conditions
Execution Determination: The system determines whether execution is needed based on:
Identity state (e.g., CREATED, CHANGED, UNCHANGED)
Continuous sync settings
Last execution time (for unchanged identities)
Task Creation: If execution is needed, a workflow task is created
Action Execution: The system executes conditions and actions via the task runner
Result Storage: The result is stored as an event in the Activity Log
The Activity Log provides filtering and search options to help locate particular events:
Filter by time period: Use the date range filters to focus on date ranges
Search by identity or entity: Use the search fields to find activities related to unique identities or entities
Filter by event type or state: Use the dropdown filters to focus on event type or state
View error messages: Review issues by checking for error messages in the Message column
Veza maintains all Lifecycle Management activity logs for audit purposes. These logs are retained even if the associated integration is removed, maintaining a full historical record of all provisioning operations.
Note: Events shown in the Activity Log are distinct from the system-wide Event Logs found in the Veza Administration section.
This guide describes how to enable and configure Exchange Server for Lifecycle Management in Veza, including supported capabilities and configuration steps.
Supports the creation of email accounts for users within Exchange Server.
Entity Type: Exchange Server Users
Attributes Available for Configuration:
Identity (Required)
Alias (Optional)
Example Use Cases:
Create email accounts for new employees joining the organization
Assign email aliases to users to facilitate communication
Find the Exchange Management Shell shortcut in the Start Menu
Right-click > More > Open File Location
Right-click the shortcut icon > Properties
Copy the Target field value
Note the two important paths from the target:
PowerShell Path: (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Remote Exchange Path: (e.g., C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1)
Open IIS Manager and create a new application pool
Name the application pool
Configure the application pool:
Right-click > Advanced Settings
Under Process Model, set the Identity
Add the application to "Default Web Site"
Configure the application:
Set alias to "VezaProvisioner"
Select the application pool created above
Configure authentication:
Disable Anonymous Authentication
Enable Basic Authentication
Install the VezaProvisioner.msi installer provided by Veza support on the Exchange Server. This component handles email address creation for users provisioned in Active Directory.
Go to Configurations > Integrations
Click Add New and select Exchange Server
Complete the following fields:
Enable Lifecycle Management by checking Enable Lifecycle Management
Save the configuration
After configuration, the Exchange Server integration will be available for use in Lifecycle Management policies, specifically for the Create Email action. This action can be used in workflows for new employee onboarding or other scenarios requiring email account creation.
Event Type
The type of event that occurred (e.g., REMOVE_RELATIONSHIP, ADD_RELATIONSHIP, SYNC_IDENTITY)
Timestamp
When the event occurred
Success
Whether the event completed successfully (True/False)
Identity
The identity associated with the event
Entity Name
The name of the entity affected by the event
Entitlement Entity
The entitlement entity involved in the event, if applicable
Message
Additional details or error messages related to the event
Started At
When the job started
Completed At
When the job completed
Action Name
The name of the action that initiated the job
Action Type
The type of action (e.g., SYNC_IDENTITIES, MANAGE_RELATIONSHIPS)
Identity
The identity associated with the job
State
The current state of the job (Completed, Errored)
Any Changes
Whether the job resulted in changes to the system
Error Message
Detailed error information if the job failed
Started At
When the action started
Completed At
When the action completed
Action Name
The name of the action
Action Type
The type of action (e.g., SYNC_IDENTITIES, MANAGE_RELATIONSHIPS)
State
The current state of the action (Completed, Errored)
Jobs Started
Number of jobs initiated by this action
Any Changes
Whether the action resulted in changes to the system
Workflow
The name of the workflow
Identity
The identity for which the workflow was executed
Scheduled For
When the workflow was scheduled to run, if applicable
Started At
When the workflow started
Completed At
When the workflow completed
Entity Type
The type of entity processed by the workflow
State
The current state of the workflow (Completed, Errored)
Messages
Additional details or error messages related to the workflow
Insight Point
Select if using an Insight Point to access Exchange Server
Name
Friendly name for the integration
Instance URL
https://<exchange_server_host>/VezaProvisioner
Username
Domain username with required Exchange permissions
Password
Password for the account
PowerShell Path
Path to PowerShell.exe noted in step 1
Remote Exchange Path
Path to RemoteExchange.ps1 noted in step 1
Understanding and configuring different types of Access Profiles for Lifecycle Management and Access Requests
Access Profile Types determine the behavior of Access Profiles for Veza Lifecycle Management and Veza Access Requests. They define common characteristics such as:
Whether the profile can inherit entitlements from other profiles
If the profile can grant entitlements in one or more target applications
The maximum number of entitlements the profile can grant
The specific integrations where entitlements can be granted
Veza provides built-in profile types, such as Profiles and Business Roles, for hierarchical management of birthright entitlements by employee population. You can also create new profile types to meet your organization's Access Requests and Lifecycle Management needs.
Access Profiles define collections of entitlements within one or more target applications that can be assigned to an identity. Depending on the profile type, an access profile can include certain groups or roles, or inherit entitlements from another profile.
For example, you can create different types to organize profiles by:
Applications: Granting access to an application without specific entitlements, such as access to Zoom
Single Entitlements: Defining a single entitlement within a single application, such as a user being added to the DNS Admin group in Active Directory or the Domain Name Administrator role in Entra ID
Application Entitlements: Defining multiple entitlements within a single application, such as access to several Okta Groups
Multi-Application Entitlements: Defining multiple entitlements across different applications, such as for site reliability engineers who need access to GitHub, AWS, Jira, and Snowflake, along with one or more roles and group memberships within each of those applications
Business Roles: Inheriting combinations of other profile types to model sophisticated access privileges, such as all US Call Center employees inheriting US Employee access
Use Access Profile Types to set rules for all profiles using that type. You can create new profile types to implement Lifecycle Management and Access Requests based on how and what access you will grant to employees.
Open Lifecycle Management > Settings
In the Profile Types section, click New Profile Type
In the sidebar, configure the new type:
Basic Information shown when creating Access Profiles:
Name: Display name for the profile type, shown when creating new Access Profiles
Description: Extended description to document the purpose of the profile type
Instructions: Optional custom instructions for using the profile type, shown when creating new profiles. Note that this is useful if allowing self-service Access Profile creation.
On Create Behavior: Set the default policy state for Access Profiles created with this profile type:
Default: Uses Veza's default behavior (currently sets the profile to Initial state, but this may change in future releases)
Initial: The Access Profile is created but remains inactive/non-functional until a user explicitly starts it to move it to Running state
Running: The Access Profile starts in an active state and is immediately functional with no additional action required
Initial Start By Admin: The Access Profile starts in Initial state but requires an administrator (not a regular user) to explicitly start it to move it to Running state
Relationship Options:
Allow Inheritance from Other Access Profiles: When enabled, profiles with this type can use another access profile to specify the exact entitlements.
Allow Direct Relationships: When enabled, you will specify the exact entitlements when creating a profile with this type. When disabled, profiles with this type can only inherit entitlements from another profile
Access Request Policy: Choose the default Access Request Policy to apply access duration controls and approval workflow.
Allow overwrite of Access Request Policy: Enable selection of an alternative policy when Access Profile creators and owners create Access Profiles of this type.
Integrations: Choose if the Access Profile of this type supports multiple integrations, integrations of a single type, or a single instance of a single integration:
Allow multiple integration types: Profiles can have specific entitlements in more than one target integration type (such as one or more entitlements from any Active Directory or Okta integration)
Limit to a single integration type: Entitlements must be within integrations of a specific type (such as one or more entitlements from any Okta integration)
Limit to a single integration: Profiles are limited to a single integration (such as one or more entitlements from a specific Okta integration)
Create a local user account only (if limited to a single integration): Create a local user account without specific entitlements.
Entitlements: Set the maximum number of entitlements that can be added to profiles with this type (0 for unlimited entitlements).
Access Profile creators and owners can choose specific entitlements when editing the profile.
Create New Entitlement if None Exists: Configure the CREATE_ENTITLEMENT action to run when the policy is applied, including:
The target integration and entity type to create
Any member conditions (ANY to apply to all identities, or restricted by a condition string)
Attributes for the created entities using the specified formatters.
Enabling Continuous Sync to periodically recreate and reapply entitlements if removed within the target system.
Click Create Profile Type to save the changes
After saving a profile type, you can edit or delete it on the Lifecycle Management Settings > Profile Types tab.
To manage the users or groups allowed to create profiles of that type, click Actions > Manage Permissions.
To view profiles with a specific type, choose a profile type and click Show Access Profiles.
When working with Access Profile Types, consider the following best practices:
Consistent Naming: Use clear, descriptive names for profile types that indicate their purpose and scope
Appropriate Granularity: Create profile types with the right level of granularity for your organization's needs
Documentation: Add thorough descriptions and instructions to help others understand when to use each profile type
Inheritance Planning: Carefully plan which profile types should inherit from others to create a logical hierarchy
Regular Review: Periodically review profile types to ensure they continue to meet your organization's needs
Good Hygiene: Eliminate profile types that are no longer in use (when the count of Access Profiles with that type equals zero)
Configure fallback formatters for uniquely identifying attributes during identity synchronization
Fallback formatters can help resolve conflicts when provisioning identities with unique attributes. This is particularly useful when automated provisioning requires unique identifiers, but the standard generated values are already in use.
When provisioning new identities through Lifecycle Management, unique attributes like usernames, login IDs, or email addresses must not conflict with existing values. Fallback formatters provide an automated way to generate alternative values when conflicts arise, ensuring provisioning can proceed without manual intervention.
You can configure fallback formatters when configuring a to ensure new users can be onboarded efficiently, regardless of naming conflicts.
The most common use case for fallback formatters is handling username conflicts. For example:
Your organization uses a standard username format of first initial + last name (e.g., jsmith for John Smith).
When multiple employees have similar names, this can lead to conflicts:
John Smith already has jsmith
Jane Smith already has jsmith1
James Smith already has jsmith2
When Jennifer Smith joins, the fallback formatter automatically assigns jsmith3, maintaining your naming convention while ensuring uniqueness.
Fallback formatters can be configured as part of the "Sync Identities" action within a Lifecycle Management workflow:
Edit or create a Lifecycle Management policy
Edit the workflow containing the Sync Identities action
In the Sync Identities action configuration, click Add Fallback
Configure the to use as a fallback pattern for the unique attribute that might experience conflicts
Close the action sidebar and save your changes to the policy.
Several transformers can be used for implementing fallback formatters depending on your specific use case.
A typical approach is to use the NEXT_NUMBER transformer, which is specifically designed to generate sequential numerical alternatives when naming conflicts occur.
The NEXT_NUMBER transformer:
Generates a set of sequential integers as strings
Takes two parameters: BeginInteger (starting number) and Length (how many numbers to generate)
Is unique among transformers in that it returns multiple values, making it ideal for fallback scenarios
In addition to NEXT_NUMBER, other transformers can be valuable for creating fallback formatters:
Using Random Alphanumeric for Unique Usernames:
This could generate usernames like jsmith8f3d instead of sequential jsmith1, jsmith2, etc.
Using UUID for Guaranteed Uniqueness:
This would append the first 8 characters of a UUID, creating identifiers like jsmith-a7f3e9c2.
When configuring a fallback formatter with the NEXT_NUMBER transformer:
Select the attribute that requires uniqueness (e.g., username, email)
Configure the primary pattern (e.g., {first_initial}{last_name})
Add a fallback using the NEXT_NUMBER transformer to generate sequential alternatives:
This will generate up to 10 alternatives: jsmith1, jsmith2, ... jsmith10
Here are some commonly used fallback patterns:
When Lifecycle Management attempts to provision a new identity with a unique attribute value that already exists:
The system first tries the primary format (e.g., jsmith)
If a conflict is detected, it automatically tries the first alternative using the NEXT_NUMBER transformer (e.g., jsmith1)
If that value also exists, it tries the next alternative (e.g., jsmith2)
This process continues until either:
A unique value is found
All alternatives from the NEXT_NUMBER range are exhausted (in which case an error would be reported)
This automated conflict resolution ensures provisioning can proceed without manual intervention, even when your standard naming conventions result in conflicts.
{first_initial}{last_name}{RANDOM_ALPHANUMERIC_GENERATOR(4)}{first_initial}{last_name}-{UUID_GENERATOR() | SUB_STRING,0,8}{first_initial}{last_name}{NEXT_NUMBER(1, 10)}{first_initial}{last_name}
{first_initial}{last_name}{NEXT_NUMBER(1, 10)}
jsmith, jsmith1, jsmith2, etc.
{first_name}.{last_name}
{first_name}.{last_name}{NEXT_NUMBER(1, 10)}
john.smith, john.smith1, john.smith2
{username}@domain.com
{username}{NEXT_NUMBER(1, 10)}@domain.com
{first_name}{last_initial}
{first_name}{last_initial}{NEXT_NUMBER(1, 10)}
johns, johns1, johns2
This guide describes how to enable and configure Active Directory for Lifecycle Management in Veza, including supported capabilities and required configuration steps.
Active Directory integration with Lifecycle Management enables automated user provisioning, access management, and de-provisioning capabilities. This includes creating and managing AD users, group memberships, and disabling accounts when employees leave the organization.
Active Directory serves as an Identity Provider in Lifecycle Management workflows and supports custom properties defined in the integration configuration.
Controls relationships between users and Active Directory groups.
Entity Types: Active Directory Groups
Assignee Types: Active Directory Users
Supports Removing Relationships: Yes
Example Use Cases:
Add users to specific Active Directory groups to manage access
Remove users from groups when access requirements change
Synchronizes identity attributes between Active Directory and downstream systems.
Create Allowed: Yes (New user identities can be created if not found)
Supported Attributes:
Required (Unique Identifiers):
AccountName (No Continuous Sync)
DistinguishedName
UserPrincipalName
Optional:
Email, GivenName, DisplayName, SurName, Title
Description, ManagerID, PrimaryGroupDN
StreetAddress, City, StateOrProvinceName
CountryCode, PostalCode, Company
PhysicalDeliveryOfficeName, JobTitle
Department, CountryOrRegion, Office
Example Use Cases:
Create new user accounts when users are added
Keep user information synchronized across integrated systems
Safely removes or disables access when users leave or no longer need access.
Entity Type: Active Directory Users
Remove All Relationships: Yes (Removes existing group memberships)
De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)
Example Use Cases:
Disable accounts when employees leave
Remove group memberships while retaining audit information
Create a dedicated AD user with minimum required permissions:
Open Active Directory Users and Computers
Navigate to the target Organizational Unit
Right-click > New > User
Complete the new user details form
Recommended name: "Veza AD Lifecycle Manager"
Set a strong password
Uncheck "User must change password at next logon"
New-ADUser -Name "Veza AD Lifecycle Manager" `
-Path "OU=<your_OU>,DC=<domain>,DC=<tld>" `
-GivenName "Veza" `
-Surname "AD Lifecycle Manager" `
-SamAccountName "veza-ad-lcm" `
-AccountPassword (ConvertTo-SecureString -AsPlainText "<password>" -Force) `
-ChangePasswordAtLogon $False `
-DisplayName "Veza AD Lifecycle Manager" `
-Enabled $TrueGrant the service account permissions to manage users in the target OUs:
Navigate to the target Organizational Unit
Right-click > Delegate Control
Click Add and enter the service account name
Select these delegated tasks:
Create, delete, and manage user accounts
Reset user passwords and force password change
Read all user information
Modify group membership
Import-Module ActiveDirectory
$OrganizationalUnit = "OU=<your_OU>,DC=<domain>,DC=<tld>"
$Users = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"
Set-Location AD:
$User = Get-ADUser -Identity "veza-ad-lcm"
$UserSID = [System.Security.Principal.SecurityIdentifier] $User.SID
$Identity = [System.Security.Principal.IdentityReference] $UserSID
# Create permission for managing users
$RuleCreateDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, "CreateChild, DeleteChild", "Allow", $Users, "All"
# Create permission for password resets
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity,
"ExtendedRight", "Allow", $ResetPassword, "Descendents", $Users)
# Apply permissions
$ACL = Get-Acl -Path $OrganizationalUnit
$ACL.AddAccessRule($RuleCreateDeleteUsers)
$ACL.AddAccessRule($RuleResetPassword)
Set-Acl -Path $OrganizationalUnit -AclObject $ACLNavigate to Configurations > Integrations
Either:
Create a new Active Directory integration
Edit an existing Active Directory integration
Enable Lifecycle Management:
Check Enable Lifecycle Management
Enter the Lifecycle Management Username (service account created above)
Enter the Lifecycle Management Password
Save the configuration
Note: The AD User created for lifecycle management can be the same as the primary AD User created for extraction, provided that the user has all required permissions listed above.
Configuring the Salesforce integration for Veza Lifecycle Management.
The Veza integration for Salesforce enables automated user lifecycle management across your identity ecosystem. This integration allows security and IT teams to automate the provisioning, updating, and deprovisioning of Salesforce user accounts based on changes in an authoritative source (such as an HRIS system or another identity provider).
Key capabilities include:
User Provisioning: Automatically create Salesforce user accounts with appropriate profiles and permissions
Attribute Synchronization: Keep user details in sync across systems, ensuring data consistency
Permission Management: Assign and remove permission sets and roles based on policies
User Deprovisioning: Safely disable access when users leave the organization
The integration leverages the SCIM protocol for standardized identity management operations and uses Salesforce-specific APIs for permission management.
SYNC_IDENTITIES
Synchronizes identity attributes between systems, with options to create new identities and update existing ones
✅
MANAGE_RELATIONSHIPS
Controls entitlements such as permission set assignments, role assignments, and profile assignments for identities
✅
DEPROVISION_IDENTITY
Safely freezes or disables access for identities, includes user deactivation support
✅
CREATE_ENTITLEMENT
Creates entitlements such as Salesforce permission sets
❌
SOURCE_OF_IDENTITY
Salesforce can act as a source system for identity lifecycle policies
✅
This document includes steps to enable the Salesforce integration for Lifecycle Management, along with details on supported actions and notes.
Before configuring the integration, ensure you have:
Administrative access in Veza to configure the integration
An existing Salesforce integration in Veza or add a new one
At least one successful extraction from your Salesforce integration
The appropriate permissions in Salesforce
Salesforce API v40 or later for user provisioning
The Salesforce integration will need the following permissions:
Assign Permission Sets: Enables assignment and removal of permission sets for users.
Freeze Users: Enables freezing and unfreezing user accounts.
Manage Internal Users: Required for user creation and updates.
Manage IP Addresses: Required for managing trusted IP ranges if IP restrictions are used.
Manage Login Access Policies: Required for configuring login access policies.
Manage Password Policies: Required for setting and resetting passwords during user creation.
Manage Profiles and Permission Sets: Required for permission set and profile assignment.
Manage Roles: Required for role assignments and management.
Manage Sharing: Required for managing sharing rules and access control.
Manage Users: Essential for user lifecycle operations.
Monitor Login History: Required for monitoring user logins.
Reset User Passwords and Unlock Users: Required for account management.
View All Profiles: Required to view profile information for all users.
View All Users: Required to view all user information.
In Salesforce, you can add these permissions for the Veza connected app in the System Permissions section at the bottom of the Permission Set configuration page.
Veza Lifecycle Management uses Salesforce SCIM APIs for identity provisioning operations. The SCIM protocol enables the automated exchange of user identity data between Veza and Salesforce. The permissions listed above provide the necessary access for SCIM functionality.
The Connected App used for the integration must have OAuth scopes that include api and refresh_token permissions and a certificate for JWT-based authentication
To make the required API calls, the integration requires a custom user profile in Salesforce with "API Enabled" permission
For additional details about Salesforce's SCIM implementation, refer to the Salesforce SCIM documentation.
To enable the integration:
In Veza, go to the Integrations overview.
Search for or create a Salesforce integration.
Ensure the integration permission set includes the required permissions.
Check the box to Enable usage for Lifecycle Management.
Save the configuration.
Configure the extraction schedule to ensure your Salesforce data remains current:
Go to Veza Administration > System Settings.
In Pipeline > Extraction Interval, set your preferred interval.
Optionally, set a custom override for Salesforce in the Active Overrides section.
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.
Search for the integration and click the name to view details.
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.
Veza's Salesforce integration implements the SCIM 2.0 protocol to standardize identity management operations:
Users are represented with standard SCIM core attributes plus Salesforce-specific Enterprise extensions
The system uses email addresses as the primary key for user lookups
Usernames cannot be changed after creation and must be unique within the Salesforce instance
User profiles are managed through SCIM entitlements
User roles are handled through SCIM roles endpoints
User Deprovisioning is implemented as deactivation (setting active=false)
Permission sets are assigned through Salesforce API calls after user creation
Salesforce can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Salesforce, with changes propagated to connected systems.
Salesforce can also be a target for identity management actions based on changes in another external source of truth or as part of a workflow:
The integration supports the following lifecycle management Actions:
Primary action for user management (creating or updating users):
Usernames cannot be changed after creation.
Email addresses must be unique.
Required attributes must be present (Username, Email, FirstName, LastName).
Passwords are set during user creation.
Division and Department attributes are excluded during updates due to Salesforce API limitations.
Salesforce does not support changing usernames after creation.
The following attributes can be synchronized:
username
Yes
String
Primary login identifier
Unique identifier
emails
Yes
String List
User's email addresses
first_name
Yes
String
Given name
last_name
Yes
String
Family name
profile_id
Yes
String
User's profile ID
is_active
No
Boolean
Account status
department
No
String
Organizational department
user_role_id
No
String
User's role ID
The following relationship types are supported:
Groups: Add and remove group memberships (only for groups with Group Type = Regular).
Permission Sets: Add and remove permission set assignments.
Permission Set Groups: Add and remove permission set group assignments.
Profiles: Manage profile assignments.
User Roles: Synchronize user role assignments.
Notes:
Profile and role assignments are managed via SCIM and Salesforce APIs.
When removing a profile assignment, users are assigned the "Minimum Access - Salesforce" profile by default. This profile must exist in your Salesforce instance for profile changes to work properly.
Only Salesforce groups with the property Group Type = Regular can be used in Manage Relationships configurations.
Groups of type RoleAndSubordinatesInternal are not supported but can be assigned through their corresponding roles.
Direct creation of permission sets ("Create Entitlement" action) is not currently supported.
When a user is deprovisioned:
The user account is frozen or deactivated (Salesforce does not allow user deletion).
Permission set assignments are removed.
Attribute history is preserved for audit.
The account can be reactivated if needed.
Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings.
Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. This might include hiring a new employee, terminating an existing employee, or other status changes. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate.
A policy can contain one or more workflows that run under different conditions. For example, one workflow might apply when employees enter an "Active" state (for Joiner/Re-hire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also trigger when an employee hire date is within a certain threshold, such as less than 4 days away, or relative to any other employee property within the source of identity.
For most enterprise deployments, Veza recommends:
One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
One for active users to cover Joiner and/or Mover scenarios (including Re-hire)
Another for inactive users to cover Leaver scenarios
To create a policy for a source of identity:
Go to Lifecycle Management > Policies
Click Create Policy
Give the policy a name and description
The policy name is used to identify it on the Policies list and appears in event logs
The name should indicate the source of identity the policy applies to
Choose the Data Sources the policy will apply to
Use the dropdown menu to select the source of identity that will trigger workflows in the policy
To appear on this list, the integration must have Lifecycle Management enabled and be available as a source of identity
See for supported providers and steps to enable a Lifecycle Management data source
Save the policy
To edit a policy:
Go to Lifecycle Management > Policies
Choose a policy from the list and click Edit
Configure the policy summary, details, and identity source.
Click on a tab in the policy builder to configure its settings:
Workflows: Configure the actions that trigger when there are changes in a source of identity
Common Transformers: Define shared rules for creating or updating target attributes when provisioning, syncing, or de-provisioning identities
Notifications: Configure email notifications or webhooks for the policy's workflows, with different notification rules for different types of events (e.g., "Create Identity" or "Delete Identity")
Save the policy
Use the Policies page for an overview of initial, running, and paused Policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.
To manage policies on the main Policies overview:
Go to Lifecycle Management > Policies
Find the policy you want to manage
Search for a specific policy by name
Filter to show all providers by their current state
Click the ⋮ icon in the rightmost column to expand the Actions menu
Choose to Edit, Pause, View Details, or Delete the policy
Policies contain one or more workflows that typically correspond to Active and Inactive user states. Workflows define a sequence of actions to run when a condition is met, based on events and user changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, department changes, or employee departures.
Workflows contain a tree-like sequence of conditions to meet specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.
Workflows can trigger:
As soon as an identity is detected with a matching attribute
Relative to an attribute containing a date (such as before or after a hire_date or termination_date)
Based on any attribute available from the source of identity
To add a workflow to a policy:
Edit a policy and open the Workflows tab
Click Add Workflow to open the sidebar for adding details and conditions
Use the General tab to configure workflow settings:
Workflow Details:
Name and Description: Identify the workflow's purpose
Continuous Sync: Enable to update target entities when source identity changes occur
Condition:
Workflow Condition: Specify the trigger attribute and value
Supports SCIM query syntax for filter expressions
Examples:
employment_status eq "WITHDRAWN" for terminated employees
employment_status eq "ACTIVE" for new hires and movers
Workflow Trigger Details:
Attribute to Get Execute Date: Specify when workflow actions should run
Local Time Zone Diff From UTC: Set your UTC offset
Eastern Standard Time (EST): -5
Pacific Standard Time (PST): -8
Note: US UTC offset varies during Daylight Savings Time
Trigger At Local Time Hour: Set execution time in 1-hour intervals (e.g., 6, 12, 24)
Use the Conditions tab to configure action sequences:
a. Click Add Condition to configure settings:
Condition Name: Use descriptive names (e.g., "Sync Okta Identities" or "Azure Helpdesk Role")
Continue Actions if Any Error: Enable to continue workflow despite failures
Condition Type: Choose between immediate execution or SCIM filter-based conditions
b. Configure Actions:
Choose Action Type:
New: Create an action with custom settings
Existing: Select a previously created action
Use Edit Action > Conditions for nested conditions
c. Add additional conditions as needed
Save changes:
Click Save in the left sidebar for workflow changes
Click Save on the policy details page to commit all changes
Common transformers define one or more rules to apply when synchronizing a target identity's attributes. Use them in situations where you want to create or update attributes using the same conventions across multiple sync or de-de-provision actions.
To add a common transformer:
Edit a policy and open the Common Transformers tab
Give the transformer a name and description, and specify the data source it applies to.
Choose the target Entity Type.
Click Add Attribute to specify an attribute and the value format.
Optionally, enable Continuous Sync to keep the target entity up-to-date with values from the source of truth.
Save the transformer.
See for available transformation functions.
Events and Actions: Lifecycle Management Actions can result in multiple events, each associated with a specific operation in a target application. An action might cause more than one event. For example, the "De-provision Identity" action for Active Directory leaver flows could result in a combination of events:
"Disable Identity" (set account to inactive)
"Sync Identity" (update DN and primary group DN)
"Remove Relationship" (remove existing profiles) events. You can review individual events and their status using the Activity Log.
Monitor individual events and their status using the Activity Log.
When events occur during the execution of a policy’s workflow, notifications can be triggered by Lifecycle Management as a means to inform stakeholders or integrate with external systems, such as triggering external automation. These notifications are configured in policies and Lifecycle Management supports email- and webhook-based notifications.
Use the Notifications tab when editing a policy to add and manage notifications at the policy level:
Choose the notification type (Email or Webhook)
Choose the event to trigger notifications:
Create Identity
Sync Identity
Add Relationship
Remove Relationship
Create Email
Change Password
Delete Identity
Disable Identity
Manage Relationships
Write Back Email
Choose the status to trigger notifications (when an event is successful, or it fails).
Customize the email or webhook settings:
Webhook:
Webhook URL: The endpoint configured to receive the webhook payload.
Webhook Auth Header: if the webhook listener requires authentication, provide it here.
Email:
Emails: Recipients added to the to field.
Extra Email Fields (Optional): Recipients added to the cc field.
Save the changes.
Note that emails and webhooks can also be configured on a per-action basis.
Configuring the Okta integration for Veza Lifecycle Management.
The Veza integration for Okta enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization.
SYNC_IDENTITIES
Synchronizes identity attributes between systems, with options to create new identities and update existing ones
✅
MANAGE_RELATIONSHIPS
Controls entitlements such as group memberships and role assignments for identities
✅
DEPROVISION_IDENTITY
Safely removes or disables access for identities, includes user logout support
✅
CREATE_ENTITLEMENT
Creates entitlements such as Okta groups
✅
RESET_PASSWORD
Allows password reset operations for Okta users
✅
SOURCE_OF_IDENTITY
Okta can act as a source system for identity lifecycle policies
✅
This document includes steps to enable the Okta integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
You will need administrative access in Veza to configure the integration and grant API scopes in Okta.
Ensure you have an existing Okta integration in Veza or add a new one for use with Lifecycle Management.
Verify your Okta integration has completed at least one successful extraction
The Okta integration will need the additional required API scopes:
okta.users.manage - For user lifecycle operations
okta.groups.manage - For group membership management
To enable the integration:
In Veza, go to the Integrations overview
Search for or create an Okta integration
Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your Okta data remains current:
Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Okta in the Active Overrides section
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Okta can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Okta with changes propagated to connected systems
Okta can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow:
The integration supports the following lifecycle management Actions:
Primary action for user management (creating or updating users):
Login ID cannot be changed after creation
Email addresses must be unique
Required attributes must be present (login, email, first_name, last_name)
The following attributes can be synchronized:
Both adding and removing memberships are supported. Group memberships are removed in deprovisioning.
Add and remove group memberships
Synchronize group assignments
Track membership changes
When a user is deprovisioned:
User account is disabled
Group memberships are removed
Attribute history is preserved for audit
Account can be reactivated if needed
Entity Types: Okta Groups
Assignee Types: Okta Users
Supports Relationship Removal: Yes
Within Okta, groups can be associated with:
Application group assignments controlling SSO access
Permissions to resources within specific applications
Synchronized AWS SSO groups
Role-based access controls within Okta
Allows password reset operations for Okta users:
Requires the login attribute as a unique identifier
Non-idempotent action (each execution creates a new password reset event)
Will trigger Okta's standard password reset flow for the specified user
Configuring the Azure integration for Veza Lifecycle Management
The Veza integration for Azure AD (Microsoft Entra ID) enables automated user provisioning, access management, and de-provisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, assign licenses, and automate the user lifecycle from onboarding to offboarding.
SYNC_IDENTITIES
Synchronizes identity attributes between systems, with options to create new identities and update existing ones
✅
MANAGE_RELATIONSHIPS
Controls entitlements such as group memberships, role assignments, and license assignments
✅
CREATE_GUEST_USER
Creates guest user accounts by sending invitations
✅
CREATE_ENTITLEMENT
Creates new entitlements in Azure AD, including groups and distribution lists
✅
CREATE_EMAIL
Creates or enables email functionality for users
✅
DEPROVISION_IDENTITY
Safely removes or disables access for identities, includes user logout support
✅
DISABLE_GUEST_ACCOUNT
Specifically handles deprovisioning of guest user accounts
✅
SOURCE_OF_IDENTITY
Azure AD can act as a source system for identity lifecycle policies
✅
This document includes steps to enable the Azure integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
You will need administrative access in Veza to configure the integration.
Ensure you have an existing Azure integration in Veza or add a new one for use with Lifecycle Management.
Verify your Azure integration has completed at least one successful extraction.
The Azure integration will need the following additional Microsoft Graph API permissions:
Directory.ReadWrite.All - Required for creating, updating, and managing directory objects
Group.ReadWrite.All - Required for creating and managing groups
GroupMember.ReadWrite.All - Required for managing group memberships
User.EnableDisableAccount.All - Required for enabling/disabling user accounts
To enable the integration:
In Veza, go to the Integrations overview
Search for or create an Azure integration
Check the box to Enable usage for Lifecycle Management
For complete Azure integration setup instructions, including how to create an App Registration and grant permissions, please refer to the Azure Integration Guide
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Azure AD can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Azure AD with changes propagated to connected systems.
Azure AD can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.
The integration supports the following lifecycle management Actions:
Primary action for user management (creating or updating users):
Entity Types: Azure AD User
Create Allowed: Yes (New user identities can be created if not found)
The following attributes can be synchronized:
Creates guest user accounts in Azure AD by sending invitations:
Required Attributes:
invited_user_email_address - Email address of the person to invite
invite_redirect_url - URL where the user is redirected after accepting the invitation
Optional Attributes:
principal_name - User principal name (if not provided, generated from email)
display_name - Display name (if not provided, generated from email)
mail_nickname - Mail nickname (if not provided, generated from email)
Other standard user attributes as needed
Controls relationships between users and Azure AD entities:
Supported Relationship Types:
Groups: Add or remove users from Azure AD groups
Roles: Assign or remove Azure AD roles
Licenses: Assign or remove license assignments
Distribution Lists: Manage Exchange Online distribution list memberships
Assignee Types: Azure AD Users
Supports Removing Relationships: Yes
Creates or enables email functionality for users in Azure AD:
Implementation: Assigns Exchange Online license to the user
Requirements: Available Exchange Online license in your tenant
Results: Email-enabled user account with Exchange Online capabilities
Creates new entitlements in Azure AD, including groups and distribution lists:
Azure AD Group Creation:
Required Attributes: name
Optional Attributes:
mail_enabled - Whether the group is mail-enabled
is_security_group - Whether it's a security group
visibility - Privacy setting (Public, Private, HiddenMembership)
description - Group description
Distribution Group Creation:
Required Attributes: name
Optional Attributes:
identity - Unique identifier
alias - Email alias
primary_smtp_address - Primary email address
group_type - Type of distribution group
When a user is deprovisioned:
Entity Type: Azure AD Users
Remove All Relationships: Yes (Removes group memberships, role assignments, and license assignments)
De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)
Additional Options:
User Logout - Force user to log out from all active sessions
Remove All Licenses - Remove all license assignments
Remove All Personal Devices - Remove device registrations
Specifically handles deprovisioning of guest user accounts:
Required Attributes:
invited_user_email_address - Email address of the guest user
Optional Attributes:
display_name - Display name of the guest user
Azure AD integration supports custom properties defined in your tenant. These can be configured in the integration settings and used in attribute transformers for Lifecycle Management actions.
Configure the conditions and actions that execute when workflows run.
When creating Lifecycle Management Policies, you can configure workflows that define actions to execute during different employment lifecycle scenarios, such as when an employee is onboarded, changes function or role, or is withdrawn from the organization. Actions can be executed in sequence based on specific conditions, enabling you to automate onboarding and offboarding actions within Lifecycle Management, across systems in your environment.
Policies and workflows define how Veza automates identity management tasks across your environment by describing conditional actions to execute for different employee populations.
Define the overall automation framework for managing identities throughout their lifecycle
Specify which source of identity triggers the automation
Can contain multiple workflows to handle different scenarios (joiner, mover, leaver)
Support continuous synchronization to keep identities up-to-date
Enable email notifications and webhooks for action-related events
Define specific sequences of actions that execute based on trigger conditions
Handle different lifecycle scenarios (e.g., new hire onboarding, role changes, terminations)
Support conditional execution based on user attributes (department, location, role, etc.)
Allow for complex decision trees through nested conditions
Execute actions in a defined order when conditions are met
Define when specific actions should occur within a workflow
Can be based on any attribute from the source of identity
Support SCIM filter expressions for precise targeting
Can be nested to create sophisticated logic trees
Can trigger multiple actions when met
Can spawn additional conditions after successful action completion
Example Conditions for Lifecycle Management Actions:
Add to engineering groups based on department:
department eq "Engineering"Grant manager access based on role:
is_manager eq trueAssign cost center groups:
cost_center eq "IT-1234"Add to contractor AD groups:
employment_type eq "CONTRACTOR"
Represent specific tasks such as creating users, syncing attributes, or managing access
Types of actions include:
SYNC_IDENTITIES: Create/update user accounts
MANAGE_RELATIONSHIPS: Grant/revoke access
CREATE_EMAIL: Generate email addresses
DEPROVISION_IDENTITY: Disable/remove access
WRITE_BACK_EMAIL: Update source system
PAUSE: Add workflow delays
SEND_NOTIFICATION: Trigger alerts
The following workflow configuration for a Lifecycle Management Policy enables provisioning actions for Active Directory users when workers are added in Workday:
Create an Active Directory user, synchronizing attributes with the source Workday Worker
Create email addresses for new employees in Exchange Server
Update the Workday Worker and AD User records to include the new email
Grant entitlements by assigning Access Profiles according to the Worker's department
When provisioning users, Veza synchronizes attributes for active employees and creates them when provisioning AD Users. These attributes can be transformed from attributes in the source of identity (Workday):
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Minnetonka,OU=US,OU=Evergreen Staff,DC=evergreentrucks,DC=local
user_principal_name
username
{username}@evergreentrucks.com
username
{username}@evergreentrucks.com
display_name
display_full_name
{display_full_name}
given_name
first_name
{first_name}
sur_name
last_name
{last_name}
country_code
work_location
{work_location}
job_title
job_title
{job_title}
primary_group_dn
-
CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local
To de-provision users, Veza moves accounts to a terminated users group and adds them to an OU for terminated employees:
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Evergreen Termination,OU=Evergreen Staff,DC=evergreentrucks,DC=local
primary_group_dn
-
CN=Terminated Users,OU=Evergreen Groups,DC=evergreentrucks,DC=local
Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization
Updating the distinguished_name to place leavers in a specific organizational unit (OU) like "Evergreen Termination" separates active users from inactive ones and enables the application of policies, scripts, and queries that target inactive users without affecting active employees
Note on Action Hierarchy: The "Sync Identities" action is the only action type that can be declared at the root condition level. All other actions (such as Manage Relationships, Create Email, etc.) must be defined within sub-conditions after a establishing a root condition with "Sync Identities". The UI enforces this hierarchy and will show a warning when adding non-Sync actions at the root level.
Synchronizes identity attributes between systems, with options to:
Create new identities if they don't exist
Update attributes of existing identities
Enable continuous sync to keep attributes aligned with the source of truth
Example Use Cases:
Create new user accounts in target systems when employees join
Update user attributes when information changes in HR systems
Ensure consistent user information across multiple platforms
Entity Type
The data source and type of identity to sync (e.g., Okta User, Azure AD User)
Create Allowed
Whether new identities can be created if not found
Continuous Sync
Keep attributes in sync even after initial creation
Common Synced Attributes
Shared transformation rules across multiple sync actions
Action Synced Attributes
Create, format, and modify the specified target attributes. See for more details
Controls entitlements such as group memberships and role assignments for identities.
Example Use Cases:
Add users to appropriate security groups, roles, permission sets, or other access-grant entities
Remove users from groups during role changes
Update entitlements when employees move between departments
Access Profiles
Groups or roles to add the identity to. See for more details about managing birthright entitlements
Remove Existing Relationships
Whether to remove current relationships created during other Lifecycle Management actions before adding new ones
Integrates with an email provider to create email addresses for identities. This action is often used in combination with other actions in new hire and temp-to-hire workflows.
Example Use Cases:
Create corporate email accounts for new employees
Establish shared mailboxes for teams or projects
Entity Type
The type of identity to create email for
Action Synced Attributes
Define how email attributes should be formatted. See for more details
Sync Action Name
Reference to sync action for conflict resolution
Safely removes or disables access for identities when they withdraw from the organization.
Example Use Cases:
Disable accounts when employees or contractors leave
Revoke access while maintaining audit records
Transition resources and non-human identities when owners depart
Entity Type
The data source and target entity type to disable, delete, or lock
Remove All Relationships
Whether to remove existing group memberships and role assignments
Relationships to Create
Access Profile to apply after de-provisioning (e.g., move to specific groups)
Common Synced Attributes
Shared transformation rules across multiple de-provisioning actions
Action Synced Attributes
Target attributes to create, format, and modify for de-provisioned entities
Updates HRIS or other systems with email addresses created in other actions.
Example Use Cases:
Update employee records with newly created email addresses
Sync email information back to master HR systems
Ensure consistent email records across all platforms
Entity Type
The type of entity to update with email information
Introduces a deliberate delay in the workflow execution.
Example Use Cases:
Allow time for system propagation between actions
Implement rate limiting in multi-step workflows
Coordinate timing with external processes
Duration in seconds
Number of seconds to pause the workflow
Triggers email notifications and webhooks based on lifecycle events and action success or failure. Notifications can be added to any action type under Edit Action > Action Notification Settings.
Example Use Cases:
Alert IT staff when provisioning is complete
Notify managers of access changes
Create a service desk ticket for any manual steps
Notification Settings
Configure email alerts on action success and/or failure for the specified recipients
Webhook Configuration
Configure webhooks to trigger on success and/or failure by specifying the URL to send the payload and optional auth header for the POST request
Before you begin creating draft for automating Lifecycle Management workflows, you should establish and document how employees in your organization are mapped to business roles, and corresponding birthright entitlements (default access permissions granted based on an employee's role) such as groups and roles in target applications.
Implementing Veza Lifecycle Management will require:
Defining segmentation criteria in terms of Business Roles for identities in your organization.
Defining Role Conditions used in Lifecycle Management policies that Veza will use to match roles to identities, based on attributes from the source of identity.
Defining Profiles for each target application that will map Business Roles to application-specific entitlements.
Assigning Profiles to Business Roles to enable business rules.
The topics in this document will help you structure your Lifecycle Management implementation, and establish foundations that you can use to simplify access management throughout the employee lifecycle.
Key considerations and requirements
Is a lifecycle management process defined for your organization?
If yes: Begin assessing your current policies for implementation with Veza Lifecycle Management.
If no: Work with application owners, HR administrators, and other stakeholders to establish protocols for granting and revoking access as employees join, depart, or change roles.
Do you have one, or even multiple sources of truth for employee identity metadata?
At least one source of identity is required to trigger Lifecycle Management actions when there are changes in the data source. This data source could be an HRIS system, identity provider, directory service, or an exported report.
Veza supports importing employee records from built-in , OAA integrations using the , and .
For example, you may have different sources of identity for full-time and employees and contractors.
What scenarios will be automated?
A range of applications can be sources of identity and targets for Lifecycle Management, with different actions supported for each integration. See and for the current capabilities.
Begin by identifying and cataloging the different roles that can be assigned to employees and their digital identities within your organization. Users will be granted entitlements within target applications based on these business roles based on your Lifecycle Management .
This list of business roles might be sourced from an organization chart, or a human resources information system (HRIS). These roles can be defined in terms of any discriminating attributes from a source of identity, such as:
Employee or contractor status
Roles and job positions
Business Units (BUs)
Locations
Define and list the different populations of employees with different levels of access in your organization (such as by roles, regions, and teams).
Organize the populations hierarchically, each inheriting the access granted to its parent population. For example, you might have a structure "All Employees" > "Sales Team" > "Sales Managers," with each inheriting the access granted to the parent.
Create a in Veza to model each segment.
Example Business Roles:
Sales
Developers
Executive Employees
US Employees
China Employees
Identify the attributes and conditions that will identify the segment each user belongs to. The possible attributes will depend on the employee metadata provided by your HRIS or other source of truth for identity.
For example, you might assign certain Active Directory groups only to US employees, identified by a source Workday Worker's work_location. To define these conditions, you will need to understand what attributes are available within the source of truth, and how the values map to each employee segment.
Consider how employee records are structured in your source of identity, including all the built-in attributes belonging to an identity, and the possible values.
Check if any custom attributes can be used to define role conditions, and ensure these are enabled in the Veza authorization graph.
Document how employee populations correspond to the attribute values contained in the source of identity.
Examples: Source attributes for role conditions
The following standard attributes are available by all HRIS integrations that use an Open Authorization API template, along with any enabled for the integration. You can typically import data from any HRIS system to Veza using this template, sourced from a generated report, API calls, or CSV data.
Using this standard identity metadata, a Lifecycle Management workflow runs specific actions for identities where some or all of the conditions are true:
Employment Status equals "Pending"
Employment Types equals "Full Time"
Department equals "Engineering"
Work Location equals "US"
Cost Center equals "R&D"
Start Date on or after "2025-01-01"
A Profile defines a set of entitlements for a specific application that can be assigned to users. For each target application, application owners will need to establish levels of birthright entitlements by defining Profiles mapped to groups, roles, or other entitlements that can be assigned to a user.
Review target applications to validate that the expected entitlements are configured, with the correct scopes and permissions for the Profiles they will be associated with.
Create Lifecycle Management mapped to those entitlements.
Examples: Access Profiles
When configuring the action, administrators can grant or revoke access by choosing a Business Role that inherits the desired Profile.
Configure to inherit the corresponding access profiles, mapping entitlements to employee segments.
Create Business Roles for each segment.
For each Business Role, inherit a corresponding access profile.
Assign one or more Profiles to each Business Role as needed to fully define the birthright entitlements for each position.
Examples: Map Business Roles to Profiles
Asia Employees
US Employees
Developers
Attributes from the source of identity can determine the attributes of users in target systems when creating or updating a target entity.
For example, a provisioned Okta User's country_code might be set to a source Workday Worker's work_location. Additionally, the Okta User manager attribute could be continually synchronized to match the Worker’s manager.
Target synced attributes can have fixed values (e.g., always true), can match a source attribute, or contain a combination of source values, transformed as needed to match the required format. Rules for synchronizing attributes are managed with .
For each application, understand the supported attributes for provisioned users.
Assess the identity metadata from your source of truth to decide how source entity attributes will be used to set the values of target entity attributes.
Veza can synchronize attributes during provisioning and de-provisioning workflows, and whenever a change is detected in the source of identity. Decide which attributes should be kept in , and which should only be created (and never modified after creating an entity).
Examples: Synced Attributes
Sync Active Directory Accounts for Active Employees (Joiners/Movers)
When provisioning AD Users, create user attributes based on values in the source of identity. These attributes can also be kept up-to-date with the source of identity when there are changes, by enabling Continuous Sync.
Sync Active Directory Attributes for Withdrawn Employees (Leavers)
When disabling AD Users, update the DN and Primary Group DN to a group and OU reserved for terminated employees:
Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization.
Updating the distinguished_name to place leavers in a specific organizational unit (OU), like "Evergreen Termination," separates active users from inactive ones, and enables the application of policies, scripts, and queries that target inactive users without affecting active employees.
This guide describes how to enable and configure Workday for Lifecycle Management in Veza, including supported capabilities and configuration steps.
Workday integration enables automated Lifecycle Management workflows using Workday as a source of truth for employee identity information, including:
Automated security group assignments for new employees
Dynamic group membership updates during role changes
Access removal during offboarding
Email synchronization between Workday and downstream systems
Workday serves as an authoritative source for employee identity information:
Entity Type: Workday Worker
Purpose: Used as the source of truth to trigger lifecycle management workflows based on worker record changes
Controls access to Workday security groups.
Entity Types: Workday Security Group
Assignee Types: Workday Account
Supports Relationship Removal: Yes
Updates email addresses in Workday worker records to maintain consistency with other systems.
Entity Type: Workday Worker
Purpose: Ensures Workday remains the single source of truth for employee email addresses
The integration supports custom attributes defined in your Workday configuration, which can be used in lifecycle management conditions and transformers.
Log into Workday and search for Edit Business process security policy
Under Business Process Type, select Work Contact Change
Find "Initiating Action: Change Work Contact Information (REST Service)"
Create a Segment-Based Security Group
Configure the security group:
Add the security group created for Veza integration
Add "Worker" scope to Access Rights
Verify the security group appears in Initiating Action Security groups
Click OK and Done to save changes
Search for Activate Pending Security Policy Changes
Review changes, add a comment, and click OK
Verify changes in Business Process Security Policy
Add these Domain Permissions to the security group:
Open Edit API Client
Add required scopes:
Staffing
Contact Information
System
Tenant Non-Configurable
Organizations and Roles
Navigate to Configurations > Integrations
Either:
Create a new Workday integration
Edit an existing Workday integration
Enable Lifecycle Management:
Check Enable Lifecycle Management
If using custom attributes, configure them in the section
The integration uses these API endpoints for email write-back:
For general metadata discovery, WQL queries access:
allWorkdayAccounts
allWorkers
securityGroups
domainSecurityPolicies
businessProcessTypes
Workday Workers are the primary entity for identity information
Bidirectional management of Account-Security Group relationships is supported
Email write-back operates on Worker entities, not Account entities
Custom attribute availability depends on your Workday configuration
The Sync Identities action is not currently supported for Workday
Employee Number
Unique identifier for the employee.
Company
The company or subsidiary the employee works for.
First Name
Employee's first name.
Last Name
Employee's last name.
Preferred Name
Employee's preferred first name.
Display Full Name
Full name for display; includes preferred first name if available.
Canonical Name
Employee's canonical name.
Username
Username as shown in the integration UI.
Employee's work email (unique).
IDP ID
ID for connecting to the destination IDP provider.
Personal Email
Employee's personal email.
Home Location
Employee's home location.
Work Location
Employee's work location.
Cost Center
Cost center ID associated with the employee.
Department
Department ID (Group ID) of the employee.
Managers
List of employee IDs of the employee's managers.
Groups
List of group IDs the employee is associated with.
Employment Status
Employment status, e.g., ACTIVE, PENDING, or INACTIVE.
Is Active
Indicates if the employee is active.
Start Date
The date the employee started working.
Termination Date
Employee's termination date, if applicable.
Job Title
Employee's job title.
Employment Types
Type of employment, e.g., FULL_TIME, PART_TIME, INTERN, CONTRACTOR, or FREELANCE.
Primary Time Zone
Employee's primary time zone.
AD Executive Employees
Active Directory
Executive Employee - Manager US (Active Directory Group)
AD Engineering Managers
Active Directory
Engineering - Manager US (Active Directory Group)
Azure Helpdesk Role
Azure
Helpdesk Administrator (Azure AD Role)
Google China Employees
Google Cloud
Google China Employees (Google Group)
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Minnetonka,OU=US,OU=Evergreen Staff,DC=evergreentrucks,DC=local
user_principal_name
username
{username}@evergreentrucks.com
username
{username}@evergreentrucks.com
display_name
display_full_name
{display_full_name}
given_name
first_name
{first_name}
sur_name
last_name
{last_name}
country_code
work_location
{work_location}
job_title
job_title
{job_title}
primary_group_dn
-
CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local
account_name
display_full_name
{display_full_name}
distinguished_name
first_name, last_name
CN={first_name} {last_name},OU=Evergreen Termination,OU=Evergreen Staff,DC=evergreentrucks,DC=local
primary_group_dn
-
CN=Terminated Users,OU=Evergreen Groups,DC=evergreentrucks,DC=local
View and Modify
Workday Query Language
View and Modify
Person Data: Work Email
View and Modify
Person Data: Work Contact Information
View and Modify
Worker Data: Staffing
View and Modify
Worker Data: Public Worker Reports
Get Only
Security Configuration
Get Only
Business Process Administration
View and Modify
Security Administration
View and Modify
Workday accounts
View and Modify
Special OX Web Services
Get and Put
User-Based Security Group Administration
%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/emailAddresses
%s/ccx/api/person/v3/%s/workContactInformationChanges/%s/submit
%s/ccx/api/staffing/v5/%s/workers/%s/workContactInformationChanges
This guide explains how to configure identity override attributes in Lifecycle Management to address scenarios where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment for policy execution.
Identity override attributes allow Lifecycle Management administrators to override the value of any user attribute set at the source of identity. These overrides take precedence over actual values during Lifecycle Management workflows.
Identity override attributes address operational challenges where the source of identity doesn't immediately reflect ground truth:
Incorrect or slow-to-update attributes:
Employee termination: An employee has been terminated and needs immediate deprovisioning, but the termination status is not yet reflected at the source of identity
Role changes: An employee has immediately changed roles and needs new birthright access, but the role change and the new manager haven't been updated in the source system
Contract extensions: A contractor's end date has been extended, but the extension isn't reflected yet at the source of identity
Missing manager data: The source of identity is missing a manager value, but this information is required for downstream application provisioning
Emergency access control:
Security incidents: Immediate access restrictions are needed before HR systems can be updated
Temporary access grants: Providing temporary access while permanent changes are processed
Before you configure identity override attributes, verify that override values comply with organizational policies and data standards, and assess the downstream impact of attribute changes. Ensure:
You have administrative access to Veza Lifecycle Management
You understand which source identity attributes need to be overridden
You have identified the specific identities requiring attribute overrides
You understand that overrides only affect Lifecycle Management workflows, not Access Visibility
You recognize that overrides should be used for exceptional cases, not routine operations
Veza supports overrides for various property types from the source of identity:
Text properties (e.g., Department, Manager, Job Title)
Date properties (e.g., Activated At, Hire Date, End Date)
Numeric properties (e.g., Employee ID)
Boolean properties (e.g., Active status, Enabled flags)
You can view, create, edit, and delete overrides from the identity details view.
Click Lifecycle Management in the main navigation, then select the Identities tab.
Locate the identity requiring an attribute override.
2.1. Use the Search by name field to find the specific user
2.2. Click on the identity name to show more information in the sidebar
2.3 Click Details to open the expanded details view
Open the identity's Properties tab:
3.1 In the identity detail view, click the Properties tab to view all available attributes from the source of identity.
The Properties tab displays both original attribute values and any existing overrides.
Create a new attribute override:
4.1. Find the attribute you want to override in the properties table
4.2. Click the Actions menu (three dots) for that attribute
4.3. Select Create Override from the dropdown menu
Set the override value in the Create Override dialog:
5.1. Enter the desired override value in the Override Value field
5.2. For date attributes, use the calendar picker to select the appropriate date and time
5.3. For text attributes, type the new value directly
5.5. Click Save to apply the override, or Cancel to discard changes
The Create Override modal displays the attribute name and the current actual value for reference.
Verify the attribute override is active:
The Override column now shows "yes" for the modified attribute
The Override Value column displays your custom value
The override count updates in the Property Overrides filter (e.g., "1 Override")
View the override summary in the identity details Overview tab:
7.1. Return to the Overview tab for the identity
7.2. Check the Property Overrides section to see all configured overrides for the identity
7.3. Each override displays the attribute name, override value, and actual value from the source
The identity details view provides visibility into both original and overridden values. A visual indicator will highlight any attributes with overrides:
Properties: Use this tab to show side-by-side comparisons of actual values from the source of identity and override values
Overview: This tab includes a consolidated view of all active overrides for an identity
To change the value of an attribute override:
Navigate to the identity's Properties tab. Access the same identity detail view where you created the override.
Locate the attribute with an active override. Find the attribute showing "yes" in the Override column.
Edit the override value.
3.1. Click the Actions menu (three dots) for the overridden attribute
3.2. Select Edit Override from the dropdown menu
3.3. Modify the Override Value in the dialog 3.4. Click Save to apply the changes
To remove an override:
Access the identity's Properties tab. Navigate to the identity detail view with active overrides.
Identify the override to remove. Locate the attribute with "yes" in the Override column.
Clear the override.
3.1. Click the Actions menu (three dots) for the overridden attribute
3.2. Select Clear Override from the dropdown menu
3.3. Confirm the action when prompted
The attribute will revert to using the source of identity value, and the Override column will show "no".
The current implementation supports overrides at the individual identity level. Note that any attribute overrides are not reflected in the Veza Access Graph.
Lifecycle Management only: Attribute overrides affect only Lifecycle Management workflows and policy execution
Access Visibility unchanged: The authorization graph and Access Visibility features continue to use the actual source of identity values
Source system independence: Overrides do not modify data in the originating identity providers or HR systems
You should typically use overrides as temporary measures while addressing root causes in source systems. Maintain clear records of why each override was implemented and the business justification.
Consider the following best practices when implementing attribute overrides:
Regular review process: Establish periodic audits of active overrides to ensure they're still necessary
Monitor policy impact: Review workflow execution logs to confirm that overrides produce expected policy outcomes. You can review the identity details Activity tab and Lifecycle Management Activity Logs to ensure that override values are applied as expected during provisioning, deprovisioning, and other lifecycle actions.
Emergency response procedures: Establish clear protocols for when and how to use overrides in approved scenarios.
Change management coordination: Communicate with HR and identity provider teams when overrides are needed.
Use lookup tables to transform identity attributes for target systems
You can use Lookup transformers to convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.
For example, you might need to transform a "Location" attribute from Workday (which might be stored as location codes like "MN001") into corresponding values for country, country code, or city names in a target system.
Use Table Lookup Transformers when:
You need to map source attribute values to different values in target systems
You have standardized reference data that must be consistent across applications
You need to extract different pieces of information from a single attribute value
You have complex mapping requirements that built-in transformers cannot support
Geographic Information:
Transform location codes to country, region, city, or timezone information
Map office codes to physical addresses or facility types
Organizational Mapping:
Convert department codes to department names or business units
Map cost centers to budget codes or accounting categories
System-Specific Configurations:
Transform job titles to role designations in target systems
Convert skill codes to certification requirements or training needs
The Table Lookup Transformer references CSV-based mappings between source and destination values. When synchronizing user attributes, Veza:
Takes the source attribute value
Looks up this value in the specified lookup table
Returns the corresponding value from the designated return column
Applies this value to the target attribute
Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.
For example, a location mapping table might look like:
location_code,state_code,state,city
MN001,MN,Minnesota,Minneapolis
CA001,CA,California,Los Angeles
TX001,TX,Texas,Houston
TX002,TX,Texas,AustinTo create a new lookup table:
Navigate to the Lookup Tables tab within your policy configuration
Click Edit mode to enable policy changes
Click Add New to create a new lookup table
Provide a Name and optional Description for the lookup table
Drag a CSV file or click Browse to upload your reference data
Review the automatically detected column names
Click Save to store the lookup table
From the Lookup Tables tab, you can:
Edit table descriptions or upload a new CSV
Delete tables that are no longer needed
To use a Table Lookup Transformer in a common or action-synced attribute:
In Destination Attribute, choose the attribute on the target entity that will be updated
In Formatter, choose the source attribute to transform
In Pipeline Functions, specify the lookup table name, the column to match against, and the column containing values to return.
The full syntax for using lookup table transformers is:
{<value> | LOOKUP <table_name>, <column_name>, <return_column_name>}Where:
<value> is the source attribute to transform (e.g., {location})
<table_name> is the name of the lookup table to use
<column_name> is the column in the table to match against
<return_column_name> is the column containing the value to return
Assuming a user has "location": "IL001" and a lookup table named locationTable structured as shown earlier:
{location} | LOOKUP locationTable, location_code, city
"Chicago"
{location} | LOOKUP locationTable, location_code, state
"Illinois"
{location} | LOOKUP locationTable, location_code, state_code
"IL"
You can combine lookup transformations with other transformation functions in a pipeline:
{location | LOOKUP locationTable, location_code, state_code | LOWER}This would look up the state_code corresponding to the location value and convert it to lowercase.
When a lookup value is not found in the table, the transformation will fail for that specific attribute.
For full coverage, ensure your lookup table includes entries for all possible source values that may be encountered during provisioning.
To ensure robust provisioning workflows, it's important to include all expected values in your lookup table, validate source data before implementing lookup transformations, and test transformations with representative data sets.
Lookup tables are immutable and automatically deleted when no longer referenced by any policy version
Multiple policy versions can reference the same lookup table (e.g., an active version and a draft version)
Lookup tables are defined at the policy level and can be referenced by any transformer within the policy
Lookup tables can have multiple columns to support different transformations from the same reference data
Standardize Naming: To use a lookup-based transformer, you will reference the table by file name. Apply consistent conventions for both the table and columns.
Document Mappings: Add descriptions for each lookup table to explain its purpose
Validate Data: Ensure lookup tables are complete and accurate before using them in transformers. Consider how lookup tables will be maintained over time, especially for values expected to change.
Value not found in lookup table
Add the missing mapping to the lookup table with the correct source value
Incorrect column name referenced
Check the column names in your lookup table (they are case-sensitive)
Unexpected transformation results
Verify the lookup table content and ensure the correct columns are specified
Overview of supported Lifecycle Management integrations in Veza, with capabilities and supported actions for target applications and sources of identity.
This document provides an introduction to integrations supported by Veza Lifecycle Management (LCM), including their capabilities and supported actions. These integrations enable you to automate identity and access management workflows across your identity sources and target applications.
Veza's Open Authorization API (OAA) can support provisioning and deprovisioning for applications not natively supported by the Veza platform. With OAA, Veza or customers can build integrations to any application that has a suitable and accessible API or integration interface.
Identity sources are authoritative systems that provide information about user identities. While Veza does not require write permissions to the identity source of truth, some of these integrations are also supported as provisioning targets. Integrations can also allow write-back of a user's newly created email address to the user's record in the source of identity as part of the initial provisioning workflow.
Veza currently supports the following as sources of identity for Lifecycle Management workflows:
Cloud-based identity management service
Cloud-based CRM and business application platform
Cloud-based human capital management platform
Yes
HR platform for modern businesses
Extended workforce solution
HR, payroll, and workforce management
Oracle HCM
Human capital management cloud
Yes
Neurons IT asset and service management platform
Custom human resource information system integration using OAA templates
Yes
Generic identity provider integration via OAA templates
The entire catalog of Veza application integrations is Lifecycle Management-ready. Target application support in Lifecycle Management leverages Veza's existing native- and OAA-based integrations plus an intelligent shim layer in order to provide support for provisioning and de-provisioning.
As such, target application support in Lifecycle Management can be enabled for nearly every Veza-supported integration.
Validated Integrations
The following table lists the out-of-the-box, Veza-validated target application integrations for Lifecycle Management.
Active Directory
✅
✅
✅
-
Groups, Direct Assignments
AWS IAM Identity Center
✅
✅
✅
-
Groups, Permission Sets
Microsoft Azure AD (Microsoft Entra ID)
✅
✅
✅
-
Groups, App Roles, Directory Roles
Custom Application (OAA Template)
✅
✅
✅
-
Application Groups
Custom Principal
✅
✅
✅
-
Principal Groups
Exchange Server
❌
❌
❌
Create Email
-
Exchange Online
✅
❌
❌
Create Email, Create Distribution Group
Distribution Groups
GitHub
✅
✅
❌
-
Teams, Repositories
Google Workspace (Google Cloud)
✅
✅
✅
-
Groups, IAM Roles
Okta
✅
✅
✅
-
Groups, Application Assignments
Oracle Fusion Cloud
✅
✅
✅
-
Roles, Responsibilities
PTC Windchill
✅
❌
✅
-
Groups, Roles
Salesforce
✅
✅
✅
-
Permission Sets, Profiles, Groups
SAP ECC
✅
✅
✅
-
Roles, Profiles
SCIM
✅
✅
✅
-
Groups, Roles
ServiceNow
❌
❌
❌
Custom Table Updates
-
Snowflake
✅
✅
✅
-
Roles, Warehouses
Veza
✅
✅
❌
-
Groups, Roles
Workday
✅
❌
❌
Security Groups, Business Process Security Policies
Other Suppported Integrations
For any Veza-supported application not listed above, please reach out to your Customer Success Manager for more details and instructions on how to enable the specific Veza integration for use with Lifecycle Management as a target application for provisioning and de-provisioning.
An Insight Point is required to enable Lifecycle Management operations and identity discovery for systems that Veza cannot access directly, such as an on-premises application server behind a firewall. The Insight Point is a lightweight connector that runs in your environment, enabling secure gathering and processing of authorization metadata for LCM tasks.
A Veza Insight Point is typically deployed as a Docker container or VM OVA, running within your network for metadata discovery and LCM job execution. This ensures secure communication between your environment and Veza.
For deployment instructions, refer to the Insight Point Documentation.
You can configure extraction intervals for your integrations to ensure data is regularly updated for Lifecycle Management processes.
Go to Veza Administration > System Settings
In the Pipeline > Extraction Interval section, set the global extraction interval
To override the global setting for specific integrations, use the Active Overrides section
Available extraction intervals are:
Auto (hourly, but may take longer when the extraction pipeline is full)
15 Minutes
1 Hour
6 Hours
12 Hours
1 Day
2 Days
3 Days
7 Days
30 Days
To manually trigger an extraction:
Go to Integrations > All Data Sources
Search for the desired data source
Select Actions > Start Extraction
Note: Custom application payloads are extracted after the payload is pushed to Veza using the Open Authorization API.
To enable Lifecycle Management for a specific integration:
Browse to the main Veza Integrations page, or go to Lifecycle Management > Integrations
Search for the integration you want to enable
Toggle the Lifecycle Management option to Enabled
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
For more information:
Refer to individual integration documentation for detailed LCM capabilities
Consult the Lifecycle Management user guide for troubleshooting and best practices
Contact Veza support for assistance with enabling or configuring LCM for your integrations
Customizing email notifications for Lifecycle Management events and Access Requests.
Administrators can customize email notifications sent during Lifecycle Management and Access Request workflows. These emails can include instructions, unique branding, and placeholders for metadata specific to the event (such as entity names, action types, or request details). Each notification type (usage) can have its own customized template.
Notification templates support HTML and CSS. They can include links to external images or you can upload small files to Veza. This document includes steps to configure templates in Veza using the notifications API, and a reference for event types, default templates, and supported placeholders.
Using the API
Administrators can manage notification templates programmatically using the Notification Templates API:
# Create a template
curl -X POST "{your_veza_url}/api/preview/notifications/email_templates" \
-H "Authorization: Bearer {your_token}" \
-H "Content-Type: application/json" \
-d '{
"name": "Custom LCM Template",
"usage": "LIFECYCLE_MANAGEMENT_CREATE_IDENTITY",
"subject_template": "New Account Created: {{ENTITY_TYPE}}",
"body_template": "<html><body>Hello,<br><br>A new {{ENTITY_TYPE}} account has been created for {{ENTITY_NAME}}.<br><br>Login: {{LOGIN_NAME}}</body></html>",
"scope": "ALL"
}'
# List templates
curl -X GET "{your_veza_url}/api/preview/notifications/email_templates" \
-H "Authorization: Bearer {your_token}"
# Update a template
curl -X PUT "{your_veza_url}/api/preview/notifications/email_templates/{template_id}" \
-H "Authorization: Bearer {your_token}" \
-H "Content-Type: application/json" \
-d '{
"value": {
"id": "{template_id}",
"name": "Updated Template Name",
"subject_template": "Updated Subject",
"body_template": "Updated body content"
},
"update_mask": {
"paths": ["name", "subject_template", "body_template"]
}
}'
# Delete a template
curl -X DELETE "{your_veza_url}/api/preview/notifications/email_templates/{template_id}" \
-H "Authorization: Bearer {your_token}"For more information about these operations see Notification Templates API.
Testing notification templates
Use the email_templates:test_template endpoint to send a test email using a template created via API:
curl -X POST "{your_veza_url}/api/preview/notifications/email_templates:test_template" \
-H "Authorization: Bearer {your_token}" \
-H "Content-Type: application/json" \
-d '{
"template": {
"id": "{template_id}"
},
"recipients": {
"to": ["[email protected]"],
"cc": ["[email protected]"],
"bcc": ["[email protected]"]
}
}'The system provides built-in templates for all Lifecycle Management and Access Request events. These templates use placeholders that are automatically replaced with actual values when notifications are sent.
Generic Failure Template
When specific event templates aren't available or when events fail, the system uses a generic failure template:
Subject: Lifecycle job {{EVENT_TYPE}} has failed
Body:
<html><body>
<br>
<br> Here is the notification that lifecycle job has failed. <br>
Error message: {{EVENT_ERROR_MESSAGE}}<br>
<br>
For reference:
<br> job_id: {{JOB_ID}}<br>
<br> identity_id: {{EVENT_IDENTITY_ID}}
<br> identity_name: {{EVENT_IDENTITY_NAME}}
<br> entity_type: {{ENTITY_TYPE}}
<br> entity_name: {{ENTITY_NAME}}
</body></html>See Default Template Content for all default messages.
Lifecycle Management Events
Each template you create is associated with a specific notification event (referred to as usage in the API). The following event types are available for Lifecycle Management workflows, organized by functional area:
Veza provides built-in email templates for all event types, organized by functional area below. These templates include standard placeholders and can be customized or replaced with your own templates.
From the Veza UI, you can add images directly through the "Add images" option. These will be automatically encoded and included in your template.
To use an attachment you have uploaded in a template, specify it by attachment.name, for example:
<img src="cid:<name_of_attachment>"To embed high-resolution images in your templates, you should serve the content from a public URL, and use HTML to link and style it.
Use placeholders to include dynamic information in templates, such as entity names, action types, timestamps, and other event metadata. Placeholders are automatically replaced with actual values when notifications are sent.
Configure how user attributes from a source of identity are transformed and synchronized for target user accounts
When creating workflows in Lifecycle Management policies to create, sync, or de-provision identities, you will use attribute transformers to specify how user attributes for target accounts should be structured. The target attributes to create or update are typically mapped and optionally transformed from user metadata from the source of identity, such as an identity provider, HR system, or CSV upload. Attributes can be synchronized once or kept in continuous sync as changes occur over the user’s lifetime.
For example, attribute mapping and transformation can be used across Joiner, Mover, and Leaver scenarios:
Joiner: Set new Azure AD User Principal Name to {source username}@{your-email-domain.com}. This is an example of mapping multiple attributes and performing a transformation.
Mover: Always update a user’s “Manager” and “Department” attributes in Okta to match the user’s manager and department in Workday, a source of identity, whenever a department change or other employee mobility event occurs. This is an example of attribute mapping with continuous synchronization.
Leaver: Mote a user’s Active Directory account to an OU reserved for terminated accounts.
When synchronizing a user’s attributes, Veza can apply one (or more) transformations to convert the source attribute values to a more suitable format, and apply the result within the target application as user account attribute.
For example, a transformer might remove the domain from an email address, replace special characters, or convert a string from upper case to lower case. Transformers can apply to any attribute on the target user account with the complexity varying depending on your business requirements.
See the following sections for more information about formatting destination attributes and possible transformations:
Continuous Sync keeps identity attributes in target systems up to date with your source of truth. It has three configuration levels that work together to determine how attributes are synchronized:
Workflow Level
The workflow's continuous sync setting controls change detection:
When enabled: The workflow monitors for any changes in the source system
When disabled: The workflow only runs during initial provisioning
Action Level
For Sync Identity actions, this controls whether existing entities can be updated:
When enabled: The action can update existing entities
When disabled: The action only sets attributes during initial creation
Attribute Level
Individual attributes can be configured for continuous sync:
When enabled: The attribute will be updated when changes are detected
When disabled: The attribute is only set during initial creation
All three levels must be enabled for an attribute to be continuously synchronized. For example, if you want to keep an employee's department updated:
Enable continuous sync on the workflow to monitor for changes
Enable continuous sync on the sync action to allow updates
Enable continuous sync on the department attribute transformer
Recommended Settings
Enable continuous sync for attributes that change during employment:
Employee name
Department
Title
Manager
Cost Center
AD Distinguished Name (DN)
AD User Principal Name (UPN)
AD Email
Disable continuous sync for stable identifiers:
Active Directory sAMAccountName
Email Addresses (for Email Write-Back action)
This configuration ensures that dynamic attributes stay updated while preserving stable identifiers.
As part of implementing lifecycle management processes with Veza, you should create sets of common transformers to define how values such as username, login, or ID should be sourced for each target application. These transformers can then be reused across all identity sync and de-provision workflows involving those targets. Create common transformers to consistently form attributes for specific entity types, and re-use them to avoid errors and save time when creating actions for that entity type.
For instance, defining a common synced attribute to describe how to format Azure AD account names {username}@evergreentrucks.com enables reuse across multiple workflow actions. You can also define synced attributes at the action level when they are used only once within a policy, such as setting the primary group DN and OU of de-provisioned identities to a group reserved for terminated accounts.
Common Transformer Examples:
ADAccountTransformer ActiveDirectoryUser
account_name
{display_full_name}
No
Basic account name
distinguished_name
CN={first_name} {last_name},OU={department},OU={location},DC=company,DC=local
Yes
Full AD path
user_principal_name
{username}@company.com
Yes
UPN format
{username}@company.com
Yes
Email address
OktaAccountTransformer OktaUser
login
{username}@company.com
No
Primary login
{username}@company.com
Yes
Email address
username_prefix
{first_name | SUB_STRING,0,1 | LOWER}{last_name | LOWER}
No
Username creation
AzureADTransformer AzureADUser
principal_name
{username}@company.com
No
Primary identifier
mail_nickname
{first_name | SUB_STRING,0,1 | LOWER}{last_name | LOWER}
No
Email alias
display_name
{first_name} {last_name}
Yes
Display name
GoogleAccountTransformer GoogleWorkspaceUser
{username}@company.com
No
Primary email
email_addresses
{username}@company.com
No
Email list
recovery_email
{personal_email}
Yes
Backup email
ContractorTransformer ActiveDirectoryUser
account_name
c-{username}
No
Contractor prefix
distinguished_name
CN={first_name} {last_name},OU=Contractors,OU={department},DC=company,DC=local
Yes
Contractor OU
description
Contractor - {vendor_company} - Start Date: {start_date}
Yes
Metadata
RegionalEmailTransformer ExchangeUser
email_address
{username}@{region}.company.com
No
Regional email
alias
{first_name}.{last_name}@{region}.company.com
Yes
Regional alias
Transformers can be defined at the policy level or when configuring an individual action in a workflow. To configure a transformer, add basic details as well as how to source the value of each attribute:
Give the transformer a name and description, and specify the data source it applies to.
Entity Type: Choose the target entity type in the destination system.
Click Add Attribute. The Destination Attribute dropdown will list available attributes for the chosen entity type.
Destination Attribute: Choose the attribute that Veza will create or update for the target entity.
Formatter: Choose how the destination attribute should be formatted. Specify the value, a {source_attribute}, or apply Transformation Functions.
Pipeline Functions: Combine attribute formatters with the | character to apply more complex transformations, such as combining the first letter of a first_name and the first four characters of a last_name to generate a local username. See Pipeline Functions for more examples
Continuous Sync: Enabling this option always syncs the attribute, whilst applying any defined transformations. By default, attributes will not sync if the target identity is already created.
After creating a common transformer, you can select it when editing a workflow action. You can edit or delete common transformers on the Edit Policy > Common Transformers tab.
Remember that “Sync Identity” and “De-Provision Identity” actions can have action-level transformers override common transformers. If the same destination attribute is defined in both, the action-level transformer will take precedence.
Formatters specify the actual value of the attribute to synchronize. The target attribute can be set to a specific value, synchronized with a source attribute, transformed according to a function, or some combination of the three.
Note that some formatters should enable continuous synchronization for the attribute, while others should not. For example, the value of “Created By” should be immutable once a user account is provisioned. Other attributes that represent a state or status should be synchronized over the user or account lifecycle.
To create a destination attribute with a fixed value, enter the desired value when configuring the formatter.
For setting the creator attribute:
created_by
"Veza"
Disabled
For activating a re-hired employee:
active
true
Enabled
To set empty values (common for de-provisioning flows):
manager_id
" "
Enabled
active
false
Enabled
Target attributes can be updated based on attributes belonging to the source of identity. To reference the value of a source entity attribute, use the format {<source_attribute_name>}.
Examples:
first_name
{first_name}
Enabled
last_name
{last_name}
Enabled
{first_name}.{last_name}@domain.com
-
Based on the user metadata that is available from your source of identity, you may need to convert a full email address to a valid username, standardize a date, or generate a unique identifier for users provisioned by Veza. If an attribute value needs to be altered for compatibility with the target system, you can transform the value of a source attribute, or apply a range of other functions to generate the target value.
Formatter expressions use the following syntax: {<source_attribute_name> | <FUNCTION_NAME>,<param1>,<param2>}
For example:
username
{email | REMOVE_DOMAIN}
Removes domain from email to create username
user_id
{id | UPPER}
Converts ID to uppercase
Table of transformation functions
See the table below for all supported functions and parameters. Some commonly used transformation functions include:
Replacing a character with a different one
Removing domains from email addresses
Transforming to upper, lower, camel, or snake case
Using a substring from the original value
Please contact Veza if additional transformations are required for your use case.
ASCII
Removes non-printable characters and replaces non-ASCII characters with their closest ASCII equivalents.
None
Yes
No
ASCII("Łukasz Gruba") results in Lukasz Gruba
COUNTRY_CODE_ISO3166
Transforms country code to ISO 3166 format.
Format (STRING, optional): [alpha2, alpha3, numeric], defaults to alpha2
Yes
No
COUNTRY_CODE_ISO3166("US", alpha3) results in USA
DATE_FORMAT
Transforms dates to a different format using Go time layout syntax.
Output Layout (STRING, required): Go time layout for output format. Input Layout (STRING, optional): Go time layout for input format
Yes
No
{start_date | DATE_FORMAT, "01/02/2006"} formats date as MM/DD/YYYY
FIRST_N
Picks the first N characters of a string.
Length (NUMBER, required): Number of characters to return
Yes
No
FIRST_N("first_name", 4) results in firs
FROM_ENTITY_ATTRIBUTE
Transforms a string from an attribute of another entity in the graph.
EntityType (STRING, required), SourceAttribute (STRING, required), TargetAttribute (STRING, required)
Yes
No
FROM_ENTITY_ATTRIBUTE("Employee", "ID", "ManagerID") results in the Manager ID for the employee
LANGUAGE_RFC5646
Transforms language to RFC 5646 format.
None
Yes
No
LANGUAGE_RFC5646("Spanish") results in es
LAST_N
Picks the last N characters of a string.
Length (NUMBER, required): Number of characters to return
Yes
No
LAST_N("last_name", 5) results in name
LEFT_PAD
Left pads a string with a character.
Length (NUMBER, required), Pad (CHARACTER, optional): Default is space
Yes
No
LEFT_PAD("123", 5, "0") results in 00123
LOOKUP
Transforms a value using a lookup table.
Table Name (STRING, required), Column Name (STRING, required), Return Column Name (STRING, required)
Yes
No
LOOKUP("IL001", "locationTable", "location_code", "city") results in Chicago
LOWER
Transforms string to lowercase.
None
Yes
No
LOWER("HELLO") results in hello
LOWER_CAMEL_CASE
Transforms string to lower camel case.
None
Yes
No
LOWER_CAMEL_CASE("hello world") results in helloWorld
LOWER_SNAKE_CASE
Transforms string to lowercase with underscores.
None
Yes
No
LOWER_SNAKE_CASE("Hello World") results in hello_world
NEXT_NUMBER
Generates a set of integers as strings.
BeginInteger (NUMBER, required), Length (NUMBER, required)
No
Yes
NEXT_NUMBER(2, 3) results in "", "2", "3", "4". Note: NEXT_NUMBER can also be used within IF/ELSE conditional transformers for intelligent username generation with automatic fallback strategies.
PHONE_NUMBER_E164
Transforms phone number to E.164 format.
Region (STRING, optional): ISO 3166-1 alpha-2 format
Yes
No
PHONE_NUMBER_E164("+1-800-555-1212") results in +18005551212
RANDOM_ALPHANUMERIC_GENERATOR
Generates a random alphanumeric string.
Length (NUMBER, required)
No
No
RANDOM_ALPHANUMERIC_GENERATOR(8) results in a1B2c3D4
RANDOM_NUMBER_GENERATOR
Generates a random number string.
Length (NUMBER, required)
No
No
RANDOM_NUMBER_GENERATOR(4) results in 4829
RANDOM_STRING_GENERATOR
Generates a random string.
Length (NUMBER, required)
No
No
RANDOM_STRING_GENERATOR(6) results in uFkLxw
REMOVE_CHARS
Removes all instances of specified characters from a string.
Characters (STRING, required): Characters to be removed
Yes
No
REMOVE_CHARS("[email protected]", "@.") results in FirstLastexamplecom
REMOVE_DIACRITICS
Removes diacritics (accents, etc.) from input string.
None
Yes
No
REMOVE_DIACRITICS("José") results in Jose
REMOVE_DOMAIN
Removes the domain from an email.
None
Yes
No
REMOVE_DOMAIN("[email protected]") results in user
REMOVE_WHITESPACE
Removes all whitespace characters from a string.
None
Yes
No
REMOVE_WHITESPACE("First Last") results in FirstLast
REPLACE_ALL
Replaces all instances of one string with another.
Original (STRING, required), New (STRING, required)
Yes
No
REPLACE_ALL("hello world", " ", "_") results in hello_world
RIGHT_PAD
Right pads a string with a character.
Length (NUMBER, required), Pad (CHARACTER, optional): Default is space
Yes
No
RIGHT_PAD("123", 5, "0") results in 12300
SPLIT
Splits a string and returns the string at the given index.
Split String (STRING, required), Index (NUMBER, required)
Yes
No
SPLIT("[email protected]", "@", 0) results in first.last
SUB_STRING
Picks a substring from the original value.
Offset (NUMBER, required), Length (NUMBER, required)
Yes
No
SUB_STRING("hello", 0, 3) results in hel
TRIM
Removes spaces before and after a string.
None
Yes
No
TRIM(" hello ") results in hello
TRIM_CHARS
Removes all specified characters from the beginning and end of a string.
Characters (STRING, required): Characters to be trimmed
Yes
No
TRIM_CHARS("....first.last----", ".-") results in first.last
TRIM_CHARS_LEFT
Removes all specified characters from the beginning of a string.
Characters (STRING, required): Characters to be trimmed from the left
Yes
No
TRIM_CHARS_LEFT("....first.last----", ".-") results in first.last----
TRIM_CHARS_RIGHT
Removes all specified characters from the end of a string.
Characters (STRING, required): Characters to be trimmed from the right
Yes
No
TRIM_CHARS_RIGHT("....first.last----", ".-") results in ....first.last
UPPER
Transforms string to uppercase.
None
Yes
No
UPPER("hello") results in HELLO
UPPER_CAMEL_CASE
Transforms string to upper camel case.
None
Yes
No
UPPER_CAMEL_CASE("hello world") results in HelloWorld
UPPER_SNAKE_CASE
Transforms string to uppercase with underscores.
None
Yes
No
UPPER_SNAKE_CASE("hello world") results in HELLO_WORLD
UUID_GENERATOR
Generates a UUID.
None
No
No
UUID_GENERATOR() results in 123e4567-e89b-12d3-a456-426614174000
The ASCII transformer is particularly useful when working with international user data or systems that have strict character limitations (such as Active Directory sAMAccountName restrictions). This transformer performs two main operations:
Removes all non-printable characters (including control codes, zero-width spaces, tabs, and newlines)
Converts non-ASCII characters to their closest ASCII equivalents
Whereas the REMOVE_DIACRITICS transformer only removes accent marks while preserving the basic character, the ASCII transformer performs a more comprehensive conversion, replacing characters like "Ł" with "L" and handling a wider range of non-ASCII characters.
The DATE_FORMAT transformer formats date strings using Go time package layout syntax. This transformer is useful for converting between different date formats, such as transforming dates for LDAP integration or standardizing date formats across systems.
Go Time Layout Syntax
Go time layouts use a specific reference time: Monday, January 2, 15:04:05 MST 2006, which is Unix time 1136239445. All layout strings must use the exact digits and format from this reference time. For more information about Go time layouts, refer to the official Go time package documentation.
Date Components:
2006 = 4-digit year
06 = 2-digit year
01 = 2-digit month (01-12)
1 = 1-digit month (1-12)
Jan = 3-letter month abbreviation
January = full month name
02 = 2-digit day (01-31)
2 = 1-digit day (1-31)
_2 = space-padded day
Time Components:
15 = 24-hour format hour (00-23)
03 = 12-hour format hour (01-12)
3 = 12-hour format hour without leading zero (1-12)
04 = minute (00-59)
4 = minute without leading zero (0-59)
05 = second (00-59)
5 = second without leading zero (0-59)
PM = AM/PM indicator
pm = am/pm indicator (lowercase)
Weekday Components:
Mon = 3-letter weekday abbreviation
Monday = full weekday name
Time Zone Components:
MST = time zone abbreviation
Z0700 = RFC3339 time zone format
Z07:00 = RFC3339 time zone format with colon
Common Layout Examples
01/02/2006
MM/DD/YYYY
03/15/2023
2006-01-02
YYYY-MM-DD
2023-03-15
02-Jan-2006
DD-MMM-YYYY
15-Mar-2023
Jan 2, 2006
MMM D, YYYY
Mar 15, 2023
Monday, January 2, 2006
Full date
Wednesday, March 15, 2023
2006-01-02 15:04:05
Full timestamp
2023-03-15 14:30:25
03:04:05 PM
12-hour time
02:30:25 PM
15:04
24-hour time
14:30
20060102150405Z
LDAP Z time format
20230315143025Z
Usage Examples
Basic Date Formatting:
{start_date | DATE_FORMAT, "01/02/2006"}Formats any recognized date input into MM/DD/YYYY format.
Converting Between Specific Formats:
{hire_date | DATE_FORMAT, "2006-01-02", "01/02/2006"}Parses input in MM/DD/YYYY format and outputs in YYYY-MM-DD format.
LDAP Integration Example:
The DATE_FORMAT transformer was specifically enhanced to support LDAP Z time format requirements. The Z time format (20060102150405Z) is commonly used in LDAP directories and represents timestamps in UTC with a 'Z' suffix indicating zero UTC offset.
{timestamp | DATE_FORMAT, "20060102150405Z"}Converts a date to LDAP Z time format for directory integration.
Example for LDAP account expiration:
{account_expires | DATE_FORMAT, "20060102150405Z"}Human-Readable Format:
{event_date | DATE_FORMAT, "Monday, January 2, 2006"}Outputs a full, human-readable date format.
Time Zone Handling:
{utc_time | DATE_FORMAT, "2006-01-02 15:04:05 MST"}Includes time zone information in the output.
Notes on DATE_FORMAT Transformers
Input Format: When the second parameter (input layout) is omitted, the transformer attempts to parse the input using common date formats automatically
Case Sensitivity: Layout components are case-sensitive (e.g., PM vs pm)
Leading Zeros: Use 01, 02, etc. for zero-padded values, and 1, 2, etc. for non-padded values
Reference Time: All layouts must use the exact reference time digits: Mon Jan 2 15:04:05 MST 2006
These transformers provide capabilities for cleaning, formatting, and standardizing string data from your source systems.
REMOVE_CHARS
The REMOVE_CHARS transformer removes all instances of specified characters from a string. This is useful for cleaning up data by removing unwanted punctuation, special characters, or formatting elements.
Use Cases:
User ID creation: {email | REMOVE_CHARS, "@._-"}
If email is "[email protected]", the result is "johndoeexamplecom"
Phone number formatting: {phone_number | REMOVE_CHARS, "()- "}
If phone_number is "(123) 456-7890", the result is "1234567890"
Cleaning account names: {account_name | REMOVE_CHARS, "!@#$%"}
Removes special characters that might cause issues in target systems
REMOVE_WHITESPACE
The REMOVE_WHITESPACE transformer removes all whitespace characters (spaces, tabs, newlines) from a string. It can help create compact identifiers or ensuring data consistency.
Use Cases:
Username generation: {display_name | REMOVE_WHITESPACE}
If display_name is "John A. Doe", the result is "JohnA.Doe"
Tag creation: {department | REMOVE_WHITESPACE | LOWER}
If department is "Human Resources", the result is "humanresources"
Creating system identifiers: {cost_center | REMOVE_WHITESPACE}
Ensures cost center codes have no embedded spaces
TRIM, TRIM_CHARS, TRIM_CHARS_LEFT, and TRIM_CHARS_RIGHT
These transformers help clean up strings by removing unwanted characters from the beginning and/or end of strings. This is essential for data hygiene and ensuring consistent formatting.
TRIM: Removes leading and trailing whitespace
Basic cleanup: {display_name | TRIM}
If display_name is " John Doe ", the result is "John Doe"
TRIM_CHARS: Removes specified characters from both ends
Cleaning employee IDs: {employee_id | TRIM_CHARS, "0."}
If employee_id is "000.123.000", the result is "123"
Removing padding characters: {code | TRIM_CHARS, "-_"}
If code is "---ABC123___", the result is "ABC123"
TRIM_CHARS_LEFT: Removes specified characters from the beginning only
Removing leading zeros: {cost_center | TRIM_CHARS_LEFT, "0"}
If cost_center is "00012345", the result is "12345"
Cleaning prefixes: {identifier | TRIM_CHARS_LEFT, "x"}
If identifier is "xxxABC123", the result is "ABC123"
TRIM_CHARS_RIGHT: Removes specified characters from the end only
Removing trailing characters: {office_code | TRIM_CHARS_RIGHT, "0"}
If office_code is "ABC12300", the result is "ABC123"
Cleaning suffixes: {code | TRIM_CHARS_RIGHT, "temp"}
If code is "ABC123temp", the result is "ABC123"
The NEXT_NUMBER transformer can be combined with IF/ELSE conditional logic to create intelligent username generation with automatic fallback strategies. This is particularly useful for handling length constraints and ensuring unique usernames in Lifecycle Management attribute transformers.
Only one NEXT_NUMBER transformer can be used per transformation expression
The first alternative uses an empty string (""), followed by numbered alternatives ("2", "3", etc.)
Alternative values are automatically generated to ensure username uniqueness
Username Generation with Length-Based Fallbacks
This example creates usernames that adapt based on length constraints, using the sys_attr__would_be_value_len system attribute to evaluate the length of the generated value:
IF sys_attr__would_be_value_len le 20
{first_name | LOWER}.{last_name | LOWER | NEXT_NUMBER, 2, 3}
ELSE IF sys_attr__would_be_value_len le 30
{first_name | LOWER}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}
ELSE
{first_name | LOWER | FIRST_N, 1}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}Example outputs:
For a user named "John Whitaker" (short enough for the first condition):
Base value: john.whitaker
Alternatives: john.whitaker2, john.whitaker3, john.whitaker4
For a user named "Leonevenkataramanathan Foster" (requires truncation to meet length limits):
Base value: l.f
Alternatives: l.f2, l.f3, l.f4
This approach ensures that username generation adapts to different name lengths while maintaining consistency and uniqueness across your identity management system.
You can pipeline multiple transformation functions together, separated by a |. Each will apply in sequence, allowing for complex attribute formatters that use the output of one function as the input of another.
Example Pipeline Functions
{name | UPPER}
If name = Smith, the result is SMITH.
{first_name | SUB_STRING,0,1 | LOWER}.{last_name | LOWER}
If first_name = John and last_name = Smith, the result is j.smith.
{email | REMOVE_DOMAIN}
If email = [email protected], the result is john.smith.
{email | REPLACE_ALL, " ", "."}
If email = john [email protected], the result is [email protected].
{location | LOOKUP locationTable, location_code, city}
If location = IL001, the result is Chicago (using a lookup table named locationTable).
{start_date | DATE_FORMAT, "01/02/2006" | UPPER}
If start_date = 2023-03-15, the result is 03/15/2023 (DATE_FORMAT doesn't typically need UPPER, but shows pipeline capability).
{hire_date | DATE_FORMAT, "Jan 2, 2006" | REPLACE_ALL, " ", "_"}
If hire_date = 2023-03-15, the result is Mar_15,_2023.
{office_code | TRIM_CHARS_LEFT, ".0" | TRIM_CHARS_RIGHT, ".USCA"}
If office_code = 000.8675309.USCA, the result is 8675309.
{username | REMOVE_CHARS, ".-_" | TRIM | UPPER}
If username = "--john.doe_--", the result is JOHNDOE.
{employee_id | REMOVE_CHARS, "#" | TRIM_CHARS, "0" | LEFT_PAD, 6, "0"}
If employee_id = "##001234##", the result is 001234.
{department | REMOVE_WHITESPACE | LOWER | REPLACE_ALL, "&", "and"}
If department = "Sales & Marketing", the result is salesandmarketing.