1 of 55

Getting Started

Introduction to Lifecycle Management implementation, dashboard, and activity monitoring in Veza

Start here to understand Lifecycle Management fundamentals, monitor your LCM environment, and track workflow execution.

In this section

Topic

Description

Architecture overview and foundational concepts for deploying Lifecycle Management

After reviewing the getting started materials:

Configure Integrations: Enable your identity sources and target applications for LCM. See .
Set Up Identities: View and manage identities from your configured sources. See .
Create Access Profiles: Define birthright entitlements for user segments. See .

For an end-to-end walkthrough using Workday, Okta, and Active Directory, see .

Lifecycle Management Dashboard

Managing and monitoring Lifecycle Management from a central dashboard

The Lifecycle Management Dashboard provides a centralized interface for monitoring automatic provisioning and deprovisioning of user access - both birthright access granted by Veza Lifecycle Management and just-in-time access granted by Veza Access Reviews. This dashboard gives you an at-a-glance view of your configuration, status, and recent activity.

The dashboard is the primary landing page for Lifecycle Management and Access Requests and can help with routine monitoring, error resolution, policy validation, activity review, and integration health checks.

Dashboard Overview

The dashboard is organized into several key sections:

Policies: Displays your most recently updated Lifecycle Management Policies and their status
Access Profiles: Shows configured and usage metrics
Identities: Provides a visualization of managed identities
Integrations: Top enabled for Lifecycle Management and Access Requests along with any error statuses
Access Requests: Tracks pending and completed access requests
Errors: Displays recent Lifecycle Management and Access Requests errors requiring attention (past day, week, or month)
Recent Activity: Shows the most recent Lifecycle Management and Access Requests

To navigate to more detailed information, click on any section heading to open the related overview. Click on specific items (such as a policy or integration) to view or edit configuration details.

From the dashboard, you can perform common tasks including:

Create a new policy: Click the "Create Policy" button in the Policies section
Configure Access Profiles: Click the "Create Access Profile" button in the Access Profiles section
Set up a new integration: Click the "Set up Integration" button in the Integrations section

The Policies section displays all configured Lifecycle Management policies with their current status. Each policy shows its name, associated identity source, number of identities managed, and current status (Running/Stopped).

You can view all policies at a glance, create new ones with the "Create Policy" button, see which policies are actively running, access detailed configuration by clicking on a specific policy, and verify that policies in "Running" status should be active. Learn more about .

The Access Profiles section shows the total number of configured access profiles and provides a visual representation of profile activity. Access profiles define sets of entitlements granted to users based on their roles.

You can see the total number of configured profiles, create new ones using the "Create Access Profile" button, view profile activity and utilization, and access detailed configuration by clicking into the section. Learn more about .

The Identities section provides a visual representation of all identities managed through Lifecycle Management and Access Requests. The chart displays the distribution of identities by type or status, giving you an immediate understanding of your identity landscape.

This visualization helps you understand the overall composition of your managed identities, identify distribution patterns across different categories, and track changes in identity distribution over time.

The Integrations section lists all systems connected to Lifecycle Management and Access Requests, displaying the total number of integrations, error status and counts, recently created integrations, and last update timestamps. For each integration, you can see its name and type, current status (including error indicators), and last update timestamp. You can set up new integrations using the "Set up Integration" button, identify and troubleshoot integration errors, and view all integrations by clicking "View all." Review this section regularly to identify any integrations with error states. See for more information.

The Access Requests section tracks pending access requests, recently completed requests, and request status (Pending, Completed, Rejected, Cancelled). This section provides visibility into the access request process, allowing you to monitor request volume and status, track completion rates, and identify potential bottlenecks in the access request workflow.

The Errors section displays any Lifecycle Management and Access Requests errors that require attention. When functioning normally with no issues, this section will display "No issues found." If errors occur, this section will list the specific errors, provide context about when and where they occurred, and offer guidance on troubleshooting and resolution. Check this section regularly for any reported issues.

The Recent Activity section shows a chronological log of Lifecycle Management and Access Requests events, including event type, timestamp, affected identity, and entity name. Examine this section to identify any unusual patterns or failed operations. This activity log helps you track recent actions, verify that expected changes have occurred, identify patterns or issues in lifecycle events, and monitor the overall health of your Lifecycle Management or Access Requests implementation.

After familiarizing yourself with the dashboard:

Identities

Managing identities and identity override attributes in Veza Lifecycle Management

Identities are the core entities in Lifecycle Management. They represent the people in your organization, sourced from HR systems, identity providers, ITSM platforms, payroll systems, custom OAA applications, or flat files. See for the full list of supported identity sources.

Topic

Description

Identity Override Attributes

This guide explains how to configure identity override attributes in Lifecycle Management to address scenarios where user attributes at the source of identity are incorrect, slow to update, or temporarily need adjustment for policy execution.

Identity override attributes allow Lifecycle Management administrators to override the value of any user attribute set at the source of identity. These overrides take precedence over actual values during Lifecycle Management workflows.

Identity override attributes address operational challenges where the source of identity doesn't immediately reflect ground truth:

Incorrect or slow-to-update attributes:

Access Profile Types

Understanding and configuring different types of Access Profiles for Lifecycle Management and Access Requests

Overview

Access Profile Types determine the behavior of Access Profiles for Veza Lifecycle Management and Veza Access Requests. They define common characteristics such as:

Whether the profile can inherit entitlements from other profiles
If the profile can grant entitlements in one or more target applications
The maximum number of entitlements the profile can grant
The specific integrations where entitlements can be granted

Veza provides built-in profile types, such as Profiles and Business Roles, for hierarchical management of birthright entitlements by employee population. You can also create new profile types to meet your organization's Access Requests and Lifecycle Management needs.

Access Profiles define collections of entitlements within one or more target applications that can be assigned to an identity. Depending on the profile type, an access profile can include certain groups or roles, or inherit entitlements from another profile.

For example, you can create different types to organize profiles by:

Applications: Granting access to an application without specific entitlements, such as access to Zoom, a video conference platform
Single Entitlements: Defining a single entitlement within a single application, such as a user being added to the DNS Admin group in Active Directory or the Domain Name Administrator role in Entra ID
Application Entitlements: Defining multiple entitlements within a single application, such as access to several Okta Groups

Use Access Profile Types to set rules for all profiles using that type. You can create new profile types to implement Lifecycle Management and Access Requests based on the access you grant to employees and the conditions under which it is granted.

Open Lifecycle Management > Settings.
In the Profile Types section, click New Profile Type.
In the sidebar, configure the new type:

After saving a profile type, you can edit or delete it on the Lifecycle Management Settings > Profile Types tab.

To manage the users or groups allowed to create profiles of that type, click Actions > Manage Permissions.
To view profiles with a specific type, choose a profile type and click Show Access Profiles.

The Manage Permissions option controls who is eligible to be designated as owners of Access Profiles of a specific type. When you assign the Creator permission set to a user or group for a profile type:

They become eligible to be designated as owners of Access Profiles of that specific type
Once they become an owner of any profile, they automatically receive global Creator permission to create Access Profiles of any type
If a group receives Creator permissions, all group members inherit these capabilities (see for details on group management)

This permission configuration is required to assign Access Profile ownership. See for details on designating owners for individual profiles.

When working with Access Profile Types, consider the following best practices:

Consistent Naming: Use clear, descriptive names for profile types that indicate their purpose and scope
Appropriate Granularity: Create profile types with the right level of granularity for your organization's needs
Documentation: Add thorough descriptions and instructions to help others understand when to use each profile type

Dynamic Approvers

Automatically determine who should approve an access request based on runtime context, access profile metadata, and lookup tables.

Dynamic Approvers is an Access Requests feature that lets Veza automatically determine who should approve an access request based on runtime context, access profile metadata, and external data.

Instead of assigning static approvers in a policy, you will configure a transformer pipeline that processes request attributes, access profile properties, and lookup tables to compute approver email addresses when the request is submitted.

Use Dynamic Approvers when approval routing will depend on metadata that can vary per request. For example, this can enable workflows in which Access Profiles assigned a specific cost center are routed to the appropriate approver group, or to assign managers based on department code.

How it works

When an access request is submitted, Veza evaluates any policy steps configured with a Dynamic Approver:

Veza considers the name of the Access Profile or Catalog Definition being requested, and any custom properties set on that profile.
Each transformer step in the Dynamic Approver pipeline runs in sequence, processing the available attributes to produce an intermediate or final output.
The final transformer step must output one or more approver email addresses.
Veza assigns those email addresses as approvers for that policy step.

The following attributes are available as inputs to transformer expressions:

Attribute

Type

Description

Custom property attributes (access_profile_properties.* and catalog_definition_properties.*) are populated from the custom attribute definitions configured in . The attribute names available in the transformer editor reflect the definitions currently configured in your tenant.

Transformer expressions use the same syntax as Lifecycle Management : {attribute} for a direct reference, or {attribute | FUNCTION, arguments} to apply a function.

The most common function for Dynamic Approvers is LOOKUP, which resolves a value by looking it up in a . Lookup tables are CSV-based reference tables that map values between systems — for example, mapping department codes to approver email addresses. They are uploaded and managed within Lifecycle Management policy configurations.

The LOOKUP syntax is: {value | LOOKUP, "table_name", "match_column", "return_column"}

For example:

This takes the department custom property value from the Access Profile, looks it up in the dept_approvers lookup table by matching the dept_code column, and returns the corresponding approver_email value. See for details on creating and managing lookup tables.

You can chain multiple transformer steps. Use {last_output} in a subsequent step to reference the output of the previous step.

Go to Lifecycle Management > Settings.
Select the Access Request Settings tab.
Scroll to the Dynamic Approvers section and click Create Approver.

This example resolves a department code to approver usernames via a lookup table, then appends a domain to produce email addresses.

Step 1 — Look up approver usernames from department code

Output Type: String List

Step 2 — Convert usernames to email addresses

Output Type: String

Before linking a Dynamic Approver to a policy, use the built-in test configuration to verify it resolves to the expected approver emails.

In the Create or Edit Dynamic Approver dialog, scroll to Test Configuration.
Under Test Source, select Access Profile or Catalog Definition, then choose a specific record to test with.
Optionally, add Policy Properties — key-value pairs that simulate additional request context during testing.

If the test returns no results or an unexpected value, check that the referenced lookup table is populated, the custom property values are set on the selected profile, and the attribute names match your definitions.

Once a Dynamic Approver is configured, link it to an approval step in an Access Request Policy:

Go to Lifecycle Management > Settings > Access Request Policies.
Create or edit a policy.
Under Approver Settings, add or edit an approval step.

When an access request matches this policy, Veza runs the selected Dynamic Approver pipeline at request time to determine the approver(s) for that step.

Sync Identities

Create or update user accounts in target systems by synchronizing identity attributes.

Synchronizes identity attributes between systems, with options to:

Create new identities if they don't exist
Update attributes of existing identities
Enable continuous sync to keep attributes aligned with the source of truth

Example Use Cases:

Create new user accounts in target systems when employees join
Update user attributes when information changes in HR systems
Ensure consistent user information across multiple platforms

Setting

Description

Password output (Early Access)

When password output is enabled, the password generated during identity creation is available to subsequent workflow actions via transformer expressions. Use {EntityType.password} syntax to reference it, such as {OktaUser.password} in a Send REST Request payload.

This is useful in joiner workflows where Veza provisions a new account and needs to pass the generated password to a downstream system such as an HR portal or ticketing API.

Manage Relationships

Assign or remove group memberships, roles, and access entitlements for identities.

Controls entitlements such as group memberships and role assignments for identities.

Example Use Cases:

Add users to appropriate security groups, roles, permission sets, or other access-grant entities
Remove users from groups during role changes

Create Email

Create email accounts in Exchange Server or Azure AD as part of onboarding workflows.

Creates email accounts for identities through integrated email providers. This action is typically used in onboarding workflows alongside Sync Identities and Write Back Email to provision a user account, create their email, and update the HR system with the new address.

Example Use Cases:

Create Exchange Server mailboxes for new employees during onboarding
Provision Azure AD email accounts as part of identity lifecycle workflows
Generate email addresses using transformer-based formatting (e.g., {first_name}.{last_name}@company.com)

Setting

Description

Supported Integrations:

Integration

Notes

In a standard onboarding policy, Create Email is used as the second step after creating the user account:

Sync Identities — creates the user account in Active Directory or the target system
Create Email — creates the email account in Exchange Server, generating the email address using attribute transformers
Write Back Email — updates the source of identity (e.g., Workday) with the newly created email address

See the in the Actions overview for a complete workflow.

Deprovision Identity

Disable or suspend user accounts while preserving audit trails.

Disables or suspends user accounts in target systems when employees or contractors leave the organization. Unlike Delete Identity, which permanently removes accounts, Deprovision Identity preserves the account and its audit history while revoking access — allowing for potential reactivation if needed.

Example Use Cases:

Disable Active Directory accounts and move leavers to a terminated users OU
Suspend Okta accounts while preserving group membership history for audit
Revoke access and reassign resources when employees transition out of the organization
Lock accounts during investigations while maintaining forensic records

The exact deprovisioning behavior depends on the target application and the method configured in the action. Integrations may support one or more of the following:

Method

Description

Example

Not all integrations support all methods. The available methods are determined by the integration's DeProvisionIdentityDefinition and are shown in the action configuration dropdown.

Setting

Description

See the in the Actions overview for a complete Active Directory offboarding configuration.

Delete Identity

Permanently remove user accounts from target systems.

Permanently removes user accounts from target systems. Unlike the DEPROVISION_IDENTITY action which disables or suspends accounts while preserving audit records, DELETE_IDENTITY performs complete account removal.

Example Use Cases:

Database user cleanup after employee offboarding
Compliance with data deletion policies (e.g., GDPR right to be forgotten)

Custom Action

Execute integration-specific operations such as ServiceNow table inserts.

Executes integration-specific operations that extend beyond standard Lifecycle Management action types. CUSTOM_ACTION enables integrations to define specialized operations with flexible attribute schemas tailored to their unique capabilities.

Example Use Cases:

Insert records into ServiceNow tables when employees join or change roles
Create ServiceNow incidents or requests as part of onboarding workflows

Write Back Email

Update HRIS systems with email addresses created during onboarding workflows.

Updates HRIS or identity source systems with email addresses created by previous Create Email actions in the same workflow. This ensures the source of identity (such as Workday) has the employee's new corporate email address, keeping records consistent across systems.

Example Use Cases:

After creating an Exchange Server mailbox during onboarding, write the new email address back to the Workday Worker record
Update an OAA-based HRIS source with email addresses generated by provisioning workflows

Setting

Description

Supported Integrations:

Integration

Notes

In a typical Workday-to-Active Directory onboarding workflow, Write Back Email is the third step:

Sync Identities — creates the AD user account from the Workday Worker
Create Email — creates an Exchange Server mailbox (generates the email address)
Write Back Email — writes the new email address back to the Workday Worker record

This ensures that the Workday record reflects the employee's corporate email immediately after onboarding, without manual HR data entry.

For the full workflow configuration, see the in the Actions overview. For Exchange Server setup, see .

Pause

Add deliberate delays between workflow actions.

Introduces a deliberate delay in the workflow execution.

Example Use Cases:

Allow time for system propagation between actions
Implement rate limiting in multi-step workflows

Send Notification

Trigger email notifications and webhooks based on lifecycle events and action outcomes.

Triggers email notifications and webhooks based on lifecycle events and action success or failure. Notifications can be added to any action type under Edit Action > Action Notification Settings.

Example Use Cases:

Alert IT staff when provisioning is complete
Notify managers of access changes
Create a service desk ticket for any manual steps
Send standardized notifications using custom templates across workflows

Setting

Description

When configuring email notifications (either as a Send Notification action or in Action Notification Settings), you can choose which template to use:

Default template: Uses the built-in event-specific template based on the lifecycle event being processed
Custom template: Uses a reusable custom email template you've created, allowing consistent messaging across multiple workflows

Custom templates support the same placeholders as event-specific templates, enabling dynamic content like identity names, workflow names, and action results. See for placeholder reference and template management.

Reset Password

Reset user passwords in target systems.

Resets user passwords in target systems. Configuration options and behavior vary by integration.

Example Use Cases:

Reset passwords for new users who must change on first login
Enforce password rotation policies
Recover from account lockouts

Setting

Description

Supported Integrations:

Password output (Early Access)

When password output is enabled, the new password generated by this action is available to subsequent workflow actions via transformer expressions. Use {EntityType.password} syntax, such as {ActiveDirectoryUser.password} in a Send REST Request payload.

This is useful in workflows where a password reset must be confirmed or forwarded to an external system, such as an employee self-service portal.

Create Access Review

Automatically create access review campaigns during lifecycle events.

Automatically creates access review campaigns during lifecycle events. This action bridges Lifecycle Management with Veza Access Reviews, enabling automated certification workflows triggered by identity lifecycle changes.

Example Use Cases:

Review contractor access 30 days after onboarding to ensure appropriate permissions
Certify elevated permissions after role changes or promotions

Rotate Key

Rotate cryptographic keys in Azure Key Vault.

Rotates cryptographic keys in Azure Key Vault by creating a new key version. The action targets one or more named keys in a specified vault and runs rotations concurrently (up to five keys in parallel). Each key's result is reported individually, so partial success is possible.

NHI feature: ROTATE_KEY is part of Veza's Non-Human Identity (NHI) management capabilities and requires the NHI_ROTATE_KEY feature flag. It does not require an LCM license. For ad-hoc key rotation outside of a scheduled workflow, use the Rotate Key action on a key entity's row in NHI Security → Keys & Secrets.

Example Use Cases:

Rotate Azure Key Vault keys on a scheduled basis to meet compliance requirements
Automatically rotate keys when a service account is offboarded
Trigger key rotation after a security incident

Setting

Description

Supported Integrations:

Integration

Notes

The Veza app registration must have the rotate operation on the target Key Vault. The List permission used for extraction is not sufficient. Grant the rotation permission using the model the vault uses:

RBAC model (recommended): Assign the Key Vault Crypto Officer role to the Veza app registration on the target vault. This role includes the keys/rotate permission.
Access policy model (legacy): Under Key Permissions, add Rotate, Get Rotation Policy, and Set Rotation Policy.

Microsoft recommends RBAC over access policies for new vault deployments. See and the .

Placeholder

Description

Attribute Synchronization

Configure how user attributes from a source of identity are synchronized for target user accounts

Attribute synchronization ensures that identity attributes in target systems remain up to date with the corresponding attributes in the source of truth. Veza Lifecycle Management provides configuration at two levels to control how and when attributes are synchronized.

Action Level

At the action level, there are two distinct options to govern provisioning and user update processes:

Create new users - When enabled, the action will create new user accounts that don't exist in the target system
Update active users - When enabled, the action can update existing user accounts with attribute changes from the source of truth

At the attribute level, there are two explicit choices that define how and when attribute values are applied to user accounts:

Set for new users only - The attribute value is set only when creating new user accounts
Set for new and existing users - The attribute value is set for new accounts and updated for existing accounts when changes are detected

Both levels must be properly configured for an attribute to be continuously synchronized. For example, to keep an employee's department updated:

Enable Update active users on the Sync Identity action
Select Set for new and existing users for the department attribute

Set for new and existing users (continuously sync attributes that change during employment):

First Name, Surname
Department
Title
Manager

Set for new users only (preserve stable identifiers):

Active Directory sAMAccountName
Email Addresses (for Email Write-Back action)

This configuration ensures that dynamic attributes remain up to date while preserving stable identifiers.

How-to Guides

Step-by-step guides for common Lifecycle Management tasks and configurations

These guides provide step-by-step instructions for common Lifecycle Management tasks and configurations.

In this section

Guide

Description

End-to-end example using Workday as source, with Okta and AD as targets

- Common questions and troubleshooting
- Architecture overview
- Monitor workflow execution and policy status

Disable Workflows and Actions

Temporarily pause specific workflows or actions in a policy without removing configuration

Overview

This guide explains how to disable individual workflows or actions within a Lifecycle Management policy. Disabling allows you to temporarily pause specific parts of a policy without deleting or modifying the underlying configuration.

Use this option when developing workflows to support:

Managing gradual rollouts: Enable actions one at a time to verify each step before activating the next
Troubleshooting issues: Isolate problematic actions without removing configuration
Implementing seasonal policies: Temporarily disable workflows that only apply during certain periods
Workflow Testing: Disable production actions while testing new workflow logic

Disabling a workflow prevents it from running during policy execution. All conditions and actions within the workflow are also skipped.

Go to Lifecycle Management > Policies.
Select a policy and click Edit Workflow.
Toggle the workflow's Enabled control to disabled.

The policy editor displays disabled workflows and actions with a "Disabled" tag.

You can also disable specific actions within a workflow without disabling the entire workflow. When you disable an action, any nested conditions and actions under the disabled action are also skipped, but other actions in the workflow continue to run normally.

Open the workflow editor.
Select the action you want to disable.
Toggle the Enabled control in the action settings.
Click Save

Disabled workflows are evaluated by default during dry run simulations. This allows you to preview what would happen if you re-enabled a disabled workflow and validate trigger conditions and action configurations before making them active.

When you run a dry run simulation, the results show what actions would run if the workflow were enabled.

To re-enable a disabled workflow or action, toggle the Enabled control back to enabled and save.

System Attributes

Computed properties for advanced workflow triggering and conditional transformations in Lifecycle Management

Overview

System attributes are computed properties that Lifecycle Management automatically generates during identity processing. These attributes enable advanced automation scenarios by providing runtime information about identity changes and transformation results.

System attributes use two prefix conventions: sys_attr__ for computed boolean flags evaluated each extraction cycle (such as sys_attr__is_mover) and sys_attr_changed__ for per-property change detection attributes that are also re-evaluated each cycle. Neither can be manually set or modified.

Available System Attributes

`sys_attr__is_mover`

A boolean attribute that indicates whether an identity has undergone changes to monitored properties during the most recent extraction.

Type: Boolean Persistence: Transient (re-evaluated each extraction cycle) Available in: Workflow trigger conditions

Configuration: Define monitored properties in the policy configuration:

Workflow Trigger Example:

Combined Condition Example:

The attribute is re-evaluated on every extraction cycle. It is set to true when any property in mover_properties changes, and cleared otherwise. For identities that are unchanged in an extraction, it is explicitly removed from the stored identity record. It is excluded from change detection to prevent recursive updates.

System attribute names are case-sensitive and must be lowercase in all expressions.

A persistent boolean attribute that indicates whether an identity is new in Veza — either appearing for the first time, or returning after being removed from its source system.

Type: Boolean Persistence: Stored with identity record; cleared after the first extraction cycle where the identity appears Available in: Workflow trigger conditions

When this attribute is set:

The identity has no prior record in Veza and appears for the first time in an extraction.
The identity was previously removed from its source system (for example, a terminated employee) and has returned in a new extraction cycle. Veza treats this as a new identity so that joiner workflows fire for re-hires.

When this attribute is not set:

The identity already has an existing active record in Veza from a prior extraction cycle, regardless of any attribute changes.
The identity changed one or more properties but has a continuous record in Veza. Identities with attribute changes are indicated by sys_attr__is_mover or sys_attr_changed__<property>, not sys_attr__is_new_identity.

Trigger condition examples:

A transient attribute that provides a preview of the transformation result during conditional evaluation.

Type: String Persistence: Transient (exists only during IF statement evaluation) Available in: Conditional transformers only

Usage Example - Conditional Domain Addition:

The above transformer will check if the transformed email already contains "@", preserve existing email addresses, and add domain only when needed.

A transient attribute that provides the character length of the transformation result during conditional evaluation.

Type: Number Persistence: Transient (exists only during IF statement evaluation) Available in: Conditional transformers only

Usage Example - Progressive Username Truncation:

For "Leonevenkataramanathan Foster":

First check (≤30 chars): leonevenkataramanathan.foster (30 chars - passes first condition)
If >30 chars, second check (≤20 chars): leonevenkataramana.foster (25 chars - fails second condition)
If >20 chars, fallback: l.f (3 chars - always succeeds)

Preview attributes work with the NEXT_NUMBER transformer for generating unique alternatives:

This evaluates the base value length before applying numbering, ensuring the final result (including numbers) meets constraints.

Only one NEXT_NUMBER transformer is allowed per conditional branch.

A family of dynamic boolean attributes that indicate which specific properties changed on an identity during the most recent extraction.

Type: Boolean Persistence: Transient (reset each extraction cycle) Available in: Workflow trigger conditions

How it works: When Veza processes an extraction event and detects that a property has changed since the previous extraction, it sets sys_attr_changed__<property_name> eq true on that identity's node. All sys_attr_changed__ attributes are cleared at the start of each extraction cycle, so they reflect only the changes in that extraction.

When this attribute is not present: If a property did not change in an extraction, its sys_attr_changed__ attribute is absent from the identity record — it is not set to false. This means the condition sys_attr_changed__department_name eq false will not match identities whose department did not change; it will simply not match at all. To trigger a workflow only when a property has not changed, omit the sys_attr_changed__ check and rely on the attribute value directly.

For new identities, Veza sets sys_attr_changed__<property> eq true for all properties, treating their first appearance as a change from non-existence.

Trigger condition examples:

Please note that sys_attr__is_mover is a persistent flag set when any property in the policy's mover_properties list changes. It does not identify which property changed. sys_attr_changed__ attributes are transient and per-property. They are set for all changed properties regardless of the mover_properties configuration.

Secondary entity attributes: For secondary entity nodes (such as an HRIS record attached to an identity), prefix the attribute name with the entity type followed by a period:

The entity type prefix matches the integration entity type name shown in the policy configuration. Without the prefix, the condition applies to the primary identity node.

The trigger condition editor autocompletes sys_attr_changed__ and then suggests available attribute names. After typing or selecting the prefix, enter the property name to complete the attribute.

- Complete SCIM filter syntax for workflow conditions
- Complete list of transformation functions
- Attribute transformation concepts and examples

Send REST Request

Make HTTP requests to external APIs and services as part of provisioning workflows.

Makes HTTP requests to external APIs and services as part of provisioning workflows. This action enables integration with custom applications, webhooks, and REST-based services that support identity management operations.

Example Use Cases:

Notify external systems when users are created or updated in target systems
Trigger custom provisioning workflows in third-party applications
Send identity data to SCIM endpoints for user synchronization
Create service desk tickets for manual provisioning steps
Execute webhooks to coordinate multi-system workflows
Extract response data (like user IDs) from external systems for use in downstream actions

Setting

Description

When constructing the webhook URL and JSON payload, you can reference identity attributes using curly brace syntax. Two sources of attributes are available specifically for this URL and payload context:

Source-of-identity (SOI) attributes: Attributes from the identity source triggering the workflow (e.g., Workday worker fields, Okta user attributes).
Sync Identities output entity attributes: When a Sync Identities action precedes this action in the same workflow, attributes from the provisioned or updated target user (such as Active Directory user attributes) are also available. See below.
Generated password (Early Access): When a or action precedes this action and password output is enabled, the generated password is available as {EntityType.password}

Available transformations include UPPER, LOWER, TRIM, and accessing nested attributes with dot notation, such as {Manager.email}. See for complete transformation syntax.

Note: If any placeholder in the URL or payload cannot be resolved (e.g., due to missing attributes), the entire transformation is skipped and the original URL is used without any substitution. The system logs a warning for troubleshooting. Ensure all referenced attributes exist in the source of identity to enable proper variable substitution.

When a Send REST Request action is configured as part of an Access Request , the JSON payload can reference form field values submitted by the requester. This enables dynamic payloads where the requester provides values (such as a role name or resource ID) at request time, and those values are injected into the API call.

Use the {$form_field.field_name} syntax in the JSON payload, where field_name matches a field defined in the catalog definition's form fields.

To configure form field substitution:

Create a Send REST Request action in a provisioning policy with placeholders in the JSON payload:
Create a Send REST Payload and add form fields with names that match the placeholders (e.g., role_name, role_id).
When a user submits an access request using this catalog definition, they fill in the form fields. The submitted values replace the corresponding {$form_field.*}

Form field substitution applies to the JSON payload only. It does not apply to the webhook URL or authorization header. Each placeholder must sit inside a JSON string literal (between two " characters), as in "roleName": "{$form_field.role_name}". Placeholders outside string context are left untouched so the resulting JSON fails to parse at execution time rather than silently emitting malformed JSON.

Substituted form-field values are JSON-encoded automatically. Quotes, backslashes, and control characters in the submitted value are escaped, so a value such as alice"bob is emitted as alice\"bob and cannot break out of the surrounding string literal.

Field names must contain only letters, numbers, and underscores (role_name is valid, role-name is not). A field whose name contains an unsupported character might be accepted at catalog-definition save time but is not substituted at execution time, and the literal {$form_field.*} placeholder is emitted in the payload. If a placeholder references a field that was not provided on the access request, the placeholder is likewise left unchanged.

The following attributes are populated on the sync_identities output entity for Active Directory integrations and can be used in variable substitutions:

Attribute key

Description

Custom properties defined in the integration configuration are also available, using the key customprop_<property_name> (where <property_name> is the property's format name as configured).

When a or action precedes this action and password output is enabled, the password it generated is available to the webhook URL and JSON payload as {EntityType.password} — for example, {ActiveDirectoryUser.password}. This supports joiner workflows where Veza provisions an account and forwards the generated credentials to a downstream system such as an HR portal or ticketing API.

When "Add Response to Output Entities" is enabled, the action parses JSON responses and extracts specified entity data. This enables chaining actions where one API call creates a resource and returns an identifier that subsequent actions can reference.

For example, if a user creation API returns:

Configure the action with:

Response Entity Attribute: result
Response ID Attribute: user_id
Response Name Attribute: display_name

The extracted entity becomes available to downstream workflow actions.

GET: Query operations, typically without payload; use for checking resource state or retrieving data. Does not set workflow change flags
POST: Create new resources; requires JSON payload; sets both AnyCreated and AnyChanges flags that can trigger downstream actions with "Only Send if Any Upstream Changes" enabled
PUT

Workflow Integration: The AnyCreated and AnyChanges flags enable conditional workflow execution. Actions configured with "Only Send if Any Upstream Changes" will only execute when a previous action has set these flags, allowing you to build sophisticated conditional workflows (e.g., only send a notification webhook if a user was actually created, not just updated).

The authorization header supports common authentication methods:

No Authentication: Leave the authorization header empty when connecting to endpoints that don't require credentials, such as internal services or pre-authenticated URLs
Bearer Token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
API Key: X-API-Key: secret-key-123 or Authorization: ApiKey sk-prod-xyz

Only JSON payloads are supported (no XML, form-data, or other formats)
Authentication must be header-based (OAuth flows requiring user interaction are not supported)
Response parsing requires valid JSON if "Add Response to Output Entities" is enabled

Send XML Payload

Send XML or SOAP payloads to external endpoints as part of a provisioning workflow.

Sends an XML or SOAP-over-HTTP payload to an external endpoint as a workflow step. Use it to integrate with legacy applications that expose XML or SOAP APIs instead of REST or SCIM.

The action reuses the Send REST Request credential model and captures values from the response via XPath for use by downstream actions.

Example use cases:

Provision users in an on-premises application with a SOAP web service
Submit payloads to legacy HR or payroll systems
Trigger an XML webhook in an internal ticketing system
Capture an identifier from a SOAP response and pass it to a downstream action

Setting

Description

Content-Type is hard-coded to text/xml. There is no Content-Type field in the action settings.

To send a different media type, override the header through Webhook Headers. Entries in that map are applied last, so they win over the default. For example, to send SOAP 1.2:

Header key

Header value

The Webhook URL and XML Payload fields accept {attribute_name} placeholders. Sources include the source of identity and any prior action in the workflow (including a preceding action).

Transformer expressions (UPPER, LOWER, TRIM, dot notation for nested attributes) work the same way as in Send REST Request. See .

When a Send XML Payload action is configured as part of an Access Request , the XML Payload can reference values submitted on the request form. The requester provides values (such as a username or role identifier) at request time, and those values are inserted into the payload at execution.

Use the {$form_field.field_name} syntax inside element or attribute content, where field_name matches a field defined on the catalog definition.

To configure form field substitution:

Author the XML Payload with {$form_field.*} placeholders in each element or attribute that takes a requester-supplied value:
On the matching catalog definition, add form fields whose names match the placeholders (email and role_name in the example above).
When a user submits an access request, the value entered for each form field replaces the corresponding

Form field substitution applies to the XML Payload only. It does not apply to the Webhook URL, Authorization Header, or Webhook Headers.

Substituted form-field values are XML-escaped automatically, and the substituted document is re-checked for well-formedness before send. Placeholders inside XML comments or CDATA sections cannot be safely escaped: a value containing -- or ]] can fail the well-formedness recheck, and the action will error.

When Add Response to Output Entities is enabled, the action parses the XML response and runs the configured XPath expressions:

Mapping field

Example

The extracted entity is added to the workflow context. Downstream actions reference it as {LegacyAppUser.id} and similar {EntityType.attribute} expressions.

For SOAP responses wrapped in a standard envelope, traverse the envelope inline and declare namespace prefixes directly in each XPath expression. There is no separate namespace-registration step: prefixes in your XPath must match the prefixes in the response document as-is.

The action uses the credential model. Provide credentials inline via Authorization Header, or reference a stored credential via REST Auth Credentials:

No Authentication: internal services or pre-authenticated URLs.
Header (HEADER): arbitrary inline header value.
Basic (BASIC): username and password, base64-encoded.

Set Datasource to route execution through an Insight Point instead of the control plane. Use this when the target endpoint is unreachable from the Veza control plane.

Setting

Description

The XML payload is checked for well-formedness at save time. Common rejections:

Multiple root elements
Non-whitespace text outside the root
Unbalanced or improperly nested tags

Validation runs again on the substituted payload at execution time, so a body that becomes ill-formed because of a substituted value fails safely instead of being sent.

Add the action through the Policy Editor or the policy update API:

Policy Editor: open the policy, choose Add Action, then select Send XML Payload.
API: include the action in the policy's actions array. The action type identifier is SEND_XML_PAYLOAD. See .

XML only. Use for JSON payloads.
Content-Type is fixed to text/xml; override via Webhook Headers for a different media type.
No separate XML namespace registration: declare prefixes inline in each XPath expression.

Implementation and Core Concepts

The IAM challenge

Without automated lifecycle management, organizations face a fragmented identity and access management landscape. Multiple systems require manual coordination, leading to delays in provisioning, security gaps from orphaned accounts, and compliance risks.

How Veza streamlines IAM

Veza Lifecycle Management provides a unified platform that automates identity provisioning and de-provisioning across your entire technology stack. Changes in your HR system automatically trigger coordinated workflows across all connected applications, ensuring consistent access management throughout the employee lifecycle.

Before you begin creating draft Policies for automating Lifecycle Management workflows, you should establish and document how employees in your organization are mapped to business roles, and corresponding birthright entitlements (default access permissions granted based on an employee's role) such as groups and roles in target applications.

Implementing Veza Lifecycle Management will require:

Defining segmentation criteria in terms of Business Roles for identities in your organization.
Defining Role Conditions used in Lifecycle Management policies that Veza will use to match roles to identities, based on attributes from the source of identity.
Defining Profiles for each target application that will map Business Roles to application-specific entitlements.
Assigning Profiles to Business Roles to enable business rules.

The topics in this document will help you structure your Lifecycle Management implementation, and establish foundations that you can use to simplify access management throughout the employee lifecycle.

Is a lifecycle management process defined for your organization?
- If yes: Begin assessing your current policies for implementation with Veza Lifecycle Management.
- If no: Work with application owners, HR administrators, and other stakeholders to establish protocols for granting and revoking access as employees join, depart, or change roles.

Implementing Lifecycle Management requires careful attention to access control, API key management, and credential handling to maintain security throughout your deployment.

Access control

Limit administrative access: Reduce standing administrator roles to those who need them. Best practice is no more than 5 administrators with standing access.

Use operator role for monitoring: Users with Operator roles can view LCM policies without editing them. Use this role for monitoring and troubleshooting.

Temporary support access: When working with Veza support on LCM issues, grant temporary administrator privileges using Administration > Support User Access rather than creating permanent accounts.

API key management

Monitor Veza API keys and disable unauthorized keys. API calls made with keys that have administrator privileges can modify LCM policies.

Key rotation best practices:

Review API keys quarterly
Revoke keys that are no longer in use
Document the purpose of each active key
Use separate keys for different automation purposes

Integration credentials

Credential lifecycle:

Track credential expiration dates and renew before expiry
Avoid editing integration credentials except when renewing them
Test credential changes in a sandbox environment before applying to production

Critical system protection: Identity source extractions are the most critical step in the LCM process. Handle integration configuration changes with care:

Schedule credential updates during maintenance windows
Verify extraction success immediately after credential changes
Have rollback procedures ready if extraction fails

Begin by identifying and cataloging the different roles that can be assigned to employees and their digital identities within your organization. Users will be granted entitlements within target applications based on these business roles based on your Lifecycle Management .

This list of business roles might be sourced from an organization chart, or a human resources information system (HRIS). These roles can be defined in terms of any discriminating attributes from a source of identity, such as:

Employee or contractor status
Roles and job positions
Business Units (BUs)
Locations

Example Business Roles:

Sales
Developers
Executive Employees
US Employees

Identify the attributes and conditions that will identify the segment each user belongs to. The possible attributes will depend on the employee metadata provided by your HRIS or other source of truth for identity.

For example, you might assign certain Active Directory groups only to US employees, identified by a source Workday Worker's work_location. To define these conditions, you will need to understand what attributes are available within the source of truth, and how the values map to each employee segment.

Consider how employee records are structured in your source of identity, including all the built-in attributes belonging to an identity, and the possible values.
Check if any custom attributes can be used to define role conditions, and ensure these are enabled in the Veza Access Graph.
Document how employee populations correspond to the attribute values contained in the source of identity.

Examples: Source attributes for role conditions

The following standard attributes are available by all HRIS integrations that use an Open Authorization API template, along with any enabled for the integration. You can typically import data from any HRIS system to Veza using this template, sourced from a generated report, API calls, or CSV data.

Attribute

Description

Using this standard identity metadata, a Lifecycle Management workflow runs specific actions for identities where some or all of the conditions are true:

Employment Status equals "Pending"
Employment Types equals "Full Time"
Department equals "Engineering"

A Profile defines a set of entitlements for a specific application that can be assigned to users. For each target application, application owners will need to establish levels of birthright entitlements by defining Profiles mapped to groups, roles, or other entitlements that can be assigned to a user.

Review target applications to validate that the expected entitlements are configured, with the correct scopes and permissions for the Profiles they will be associated with.
Create Lifecycle Management mapped to those entitlements.

Examples: Access Profiles

Profile Name

Target

Relationship

When configuring the action, administrators can grant or revoke access by choosing a Business Role that inherits the desired Profile.

Configure to inherit the corresponding access profiles, mapping entitlements to employee segments.

Create Business Roles for each segment.
For each Business Role, inherit a corresponding access profile.
Assign one or more Profiles to each Business Role as needed to fully define the birthright entitlements for each position.

Examples: Map Business Roles to Profiles

Asia Employees

US Employees

Developers

Attributes from the source of identity can determine the attributes of users in target systems when creating or updating a target entity.

For example, a provisioned Okta User's country_code might be set to a source Workday Worker's work_location. Additionally, the Okta User manager attribute could be continually synchronized to match the Worker’s manager.

Target synced attributes can have fixed values (e.g., always true), can match a source attribute, or contain a combination of source values, transformed as needed to match the required format. Rules for synchronizing attributes are managed with .

For each application, understand the supported attributes for provisioned users.
Assess the identity metadata from your source of truth to decide how source entity attributes will be used to set the values of target entity attributes.
Veza can synchronize attributes during provisioning and de-provisioning workflows, and whenever a change is detected in the source of identity. Decide which attributes should be kept in Continuous Sync, and which should only be created (and never modified after creating an entity).

Examples: Synced Attributes

Sync Active Directory Accounts for Active Employees (Joiners/Movers)

When provisioning AD Users, create user attributes based on values in the source of identity. These attributes can also be kept up-to-date with the source of identity when there are changes, by enabling Continuous Sync.

Active Directory Attribute

Source Attributes

Transformer Value

Sync Active Directory Attributes for Withdrawn Employees (Leavers)

When disabling AD Users, update the DN and Primary Group DN to a group and OU reserved for terminated employees:

Active Directory Attribute

Source Attributes

Transformer Value

Moving leavers into a "Terminated Users" group (via the primary_group_dn attribute) effectively restricts access to systems that rely on Active Directory for authentication and authorization.
Updating the distinguished_name to place leavers in a specific organizational unit (OU), like "Evergreen Termination," separates active users from inactive ones, and enables the application of policies, scripts, and queries that target inactive users without affecting active employees.

Dynamic Access Profiles

Use attribute formatters to dynamically select Access Profiles at runtime based on user attributes

Overview

Dynamic Access Profiles enable context-aware provisioning by enabling the Manage Relationships action to resolve Access Profile names at runtime using user attributes.

Instead of explicitly selecting static Access Profiles when configuring a workflow, you can use attribute formatter expressions that evaluate to Access Profile names dynamically when the workflow executes. This is particularly valuable for organizations with complex access patterns based on attributes like department, location, role, or business unit.

This feature eliminates the need for separate workflow conditions for each profile combination, supporting configurations where a single workflow provisions users to different Access Profiles based on their identity attributes.

Terminology: Dynamic Access Profiles use formatter syntax—the same template syntax used in attribute transformers. A formatter is a template string like {department | LOWER} that constructs a value from identity attributes. See for more context.

How It Works

Runtime Resolution Process

When a Lifecycle Management workflow runs with dynamic Access Profiles configured:

Attribute Evaluation: The system evaluates each dynamic Access Profile formatter expression using the identity's attributes. For example, if the expression is dept-{department | LOWER} and the user's department attribute is Engineering, the system evaluates this to dept-engineering.
Name Resolution: The evaluated expression produces an Access Profile name.
Access Profiles must be named using a predictable, consistent pattern to facilitate resolution. Without consistent naming conventions, dynamic profile resolution will fail to match existing profiles.
Profile Lookup: Veza looks up an Access Profile with that exact name
Profile Application: If the profile exists in the RUNNING state, its entitlements are applied. Resolved profiles can contain entitlements across multiple target integrations, and dynamically resolved profiles can inherit entitlements from other profiles.
Graceful Continuation: If the profile name doesn't resolve or doesn't exist, Veza logs the issue to the Activity Log and continues processing any other Access Profiles. This is the default behavior and ensures missing or non-existent profiles don't cause the entire workflow to fail.

Name-based Lookup: Dynamic Access Profiles resolve to profile NAMES, not IDs
Naming Convention Critical: Access Profiles must be named using a predictable, consistent pattern
Profile Inheritance Support: Dynamically resolved profiles can inherit entitlements from other profiles

Dynamic and static Access Profiles can be used together in the same action.

Aspect

Static Access Profiles

Dynamic Access Profiles

Before configuring Dynamic Access Profiles:

Create Access Profiles following a consistent naming convention that includes attribute values
Identify User Attributes that will drive profile selection (e.g., department, location, role)
Plan Naming Pattern that incorporates these attributes predictably

Navigate to Lifecycle Management > Policies
Create or edit a policy
Add or edit a Manage Relationships action

Dynamic Access Profile expressions use the syntax:

Common Patterns include:

{department} - Direct attribute value
{department | LOWER} - Convert attribute value to lowercase
{OAA.Secondary.Employee.department} - Attribute from a secondary source of identity

You can configure multiple dynamic Access Profile expressions in a single action by clicking Add Profile Name for each additional expression. Each expression is evaluated independently.

You can use IF/ELSE conditional logic within a Dynamic Access Profile expression to select different profile names based on user attributes. This allows a single expression to evaluate to different Access Profile names depending on the identity's properties.

Syntax:

You can use multiple ELSE IF branches to check several conditions in sequence:

Supported Comparison Operators:

Operator

Meaning

Example

Combine conditions with and, or, or negate with not. Use parentheses to group complex conditions.

Access Profile Name (Field 1)

Access Profile Name (Field 2)

Example: Complex Conditions with Logical Operators

This expression assigns the SalesforceAdmins profile to users who meet the complex department/role criteria, and No_Profile_Selected (a placeholder that resolves to no profile) for everyone else.

Using No_Profile_Selected as a Fallback

When using IF/ELSE logic, the ELSE branch must provide a value. If you don't want to assign a profile when conditions aren't met, use a placeholder name like No_Profile_Selected that doesn't match any actual Access Profile. The system will log that the profile wasn't found and continue processing other profiles gracefully.

Example: Configuring three dynamic profiles for department, location, and role-based access:

Access Profile Name

In this configuration, the user receives entitlements from up to three Access Profiles based on their attributes. Each expression is added as a separate profile in the UI.

Success with Dynamic Access Profiles depends on establishing consistent naming patterns for your Access Profiles:

Use clear delimiters: Choose hyphens or underscores consistently (e.g., dept-engineering for department-based profiles or TEAM-dept-bu for multi-attribute combinations)
Add prefixes to organize: Group profiles by category (e.g., dept-{department}, loc-{location}, TEAM-{dept}-{bu})

Use ELSE IF for related conditions: When selecting one profile from multiple options based on the same attribute (e.g., department), use a single IF/ELSE IF/ELSE expression with multiple branches—this keeps your configuration simple and readable
Use multiple fields for independent criteria: Only add separate Access Profile Name fields when you need to evaluate completely independent conditions (e.g., one profile based on department AND another based on location)
Use fallback placeholders: When a condition shouldn't assign a profile, use a non-existent name like No_Profile_Selected

Create profiles before processing: Always create Access Profiles before running workflows that reference them
The system performs name lookups at runtime: If a profile doesn't exist, it will be skipped
Plan for new attribute values: When adding new departments, locations, or roles to your organization, remember to create their corresponding Access Profiles first to avoid provisioning gaps

Before deploying to production, validate your configuration using dry-run mode to confirm profiles resolve correctly and attribute values match profile names exactly. Monitor your Lifecycle Management logs for "Dynamic access profile not found" messages, which indicate naming mismatches or missing profiles.

Issue

Cause

Solution

- Conceptual overview of the different evaluation systems
- Creating and managing Access Profiles
- Configuring the Manage Relationships action

Integrations

Overview of supported provisioning integrations in Veza, with capabilities and supported actions for target applications and sources of identity.

Overview

This page covers the integrations that power Lifecycle Management workflows and can act as identity sources for LCM policies, and target applications that can be provisioned or deprovisioned.

Enabling provisioning on an integration also makes it available to other Veza products that use write-back capabilities, including Access Intelligence (Disable Accounts) and Access Requests. The integration tables below represent the validated, production-ready set for Lifecycle Management specifically.

Veza supports three primary implementation pathways:

Native Integrations: Direct API-based provisioning with out-of-the-box support (see validated integrations below)
SCIM 2.0 Protocol: Standards-based provisioning for any SCIM-compliant application
OAA Write Framework: Veza's Open Authorization API (OAA) extends write-back support to applications not natively integrated with the Veza platform

This architecture means that nearly any existing Veza integration can be enabled for provisioning. The validated integrations listed below represent tested, production-ready configurations. For additional integration support, contact your Customer Success Manager.

Identity sources are authoritative systems that provide information about user identities. While Veza does not require write permissions to the identity source of truth, some of these integrations are also supported as provisioning targets. Integrations can also allow write-back of a user's newly created email address to the user's record in the source of identity as part of the initial provisioning workflow.

Veza supports leading HR systems, IDPs and directory services, ITSM platforms, payroll systems, custom applications, and flat files:

Identity Source

Supported Entity Types

Notes

The following integrations are validated as provisioning targets for Lifecycle Management workflows. Enabling provisioning on an integration enables actions (create, sync, deprovision, manage relationships) that can be triggered from LCM policies and from other Veza products.

Validated Integrations

The following table lists the out-of-the-box, Veza-validated target application integrations.

Target Application

Manage Relationships

Sync Identities

Deprovision Identity

Additional Actions

Supported Entitlement Types

Notes

Other Supported Integrations

For any Veza-supported application not listed above, contact your Customer Success Manager for more details on how to enable the specific Veza integration for use with provisioning as a target application for provisioning and de-provisioning.

Custom REST Actions

Veza provisioning supports Custom REST Actions that enable HTTP requests to external APIs and services as part of automated workflows. This action type provides integration with custom applications, webhooks, and any REST-based service that supports identity management operations.

Custom REST Actions extend provisioning support to virtually any system with an accessible API, enabling use cases such as triggering custom workflows, notifying external systems, or coordinating provisioning sequences across multiple downstream applications.

An Insight Point is required to enable provisioning operations and identity discovery for systems that Veza cannot access directly, such as an on-premises application server behind a firewall. The Insight Point is a lightweight connector that runs in your environment, enabling secure gathering and processing of authorization metadata for provisioning tasks.

A Veza Insight Point is typically deployed as a Docker container or VM OVA, running within your network for metadata discovery and provisioning job execution. This ensures secure communication between your environment and Veza.

For deployment instructions, refer to the .

You can configure extraction intervals for your integrations to ensure data is regularly updated for provisioning workflows.

Go to Veza Administration > System Settings
In the Pipeline > Extraction Interval section, set the global extraction interval
To override the global setting for specific integrations, use the Active Overrides section

Available extraction intervals are:

Auto (hourly, but may take longer when the extraction pipeline is full)
15 Minutes
1 Hour
6 Hours

To manually trigger an extraction:

Go to Integrations > All Data Sources
Search for the desired data source
Select Actions > Start Extraction

Note: Custom application payloads are extracted after the payload is pushed to Veza using the Open Authorization API.

To enable provisioning for a specific integration:

Open the Integrations page (in the Featured section of the navigation sidebar), or Lifecycle Management > Integrations (in the Products section).
Search for the integration you want to enable and open its settings.
Check the Enable usage for Provisioning checkbox, then click Save Configuration.

After saving, the integration shows Enabled in the Lifecycle Management column on the Integrations overview.

To verify the health of the provisioning data source:

Open Lifecycle Management > Integrations (in the Products section of the navigation sidebar), or the main Integrations page (in the Featured section)
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Many identity source systems have API rate limits that can affect extraction timing. Avoid forcing repeated extractions within short time windows (typically 5 minutes) to prevent API errors that delay workflow execution.

For systems using custom or user-defined fields (UDFs), maintain clear documentation of:

Field purpose and mapping
Expected data formats and validation rules
Which fields are used in workflow trigger conditions

This documentation ensures consistency when fields are added or modified.

Understand the data retention policies of your identity sources, particularly for terminated employees or contractors. Some systems retain terminated records for limited periods (e.g., 90 days), which affects leaver workflow design. Plan workflow timing to ensure LCM can process records before they're purged from the source system.

Changes to core identity fields can break LCM workflows. Coordinate with system administrators before modifying:

Unique identifiers (employee ID, username)
Employment status fields
Date fields (hire date, termination date)
Location or department identifiers

Communicate planned changes in advance and test in sandbox environments before applying to production identity sources.

For more information:

Refer to individual integration documentation for detailed provisioning capabilities
Consult the Veza documentation for troubleshooting and best practices
Contact Veza support for assistance with enabling or configuring provisioning for your integrations

Custom Application with SCIM (OAA)

Enable SCIM-based provisioning for custom applications with Open Authorization API

Overview

Veza can automate user provisioning and de-provisioning for any application that uses the Open Authorization API (OAA) for data gathering and authorization modeling, and exposes SCIM-compliant endpoints for user and group management.

This enables organizations to:

Use your application's existing SCIM endpoints for automated provisioning operations
Model complex authorization structures using OAA's flexible templates (applications, resources, permissions, custom properties) for Access Graph visibility, Access Reviews, and other Veza features.
Gather authorization metadata using a variety of methods (custom connectors, APIs, manual JSON payloads, CSV files)

Action Type

Supported

Description

See for details on each action type.

Administrative access in Veza to configure the integration
An existing integration in Veza with at least one successful extraction
Your custom application must expose SCIM 2.0-compliant endpoints; see below

To enable the integration:

In Veza, go to the Integrations overview
Search for your custom OAA application integration
Check the box to Enable usage for Lifecycle Management

To verify the configuration:

Open Lifecycle Management > Integrations
Search for the integration and click to view details
In the Properties panel, verify Lifecycle Management Enabled is active

There are several potential ways to integrate a custom application for automated lifecycle management and access requests:

External SCIM for Open Authorization API: You may build your OAA integration using the custom application template and leverage dedicated SCIM endpoints for user and group management. This is useful when you need full control over how authorization metadata is represented in the Veza Access Graph:
- Your application supports SCIM, and you want to model a wider range of authorization entities and metadata (e.g., credentials, resources) than the Veza SCIM integration supports.
- You already have a custom OAA integration and want to add provisioning capabilities using SCIM.

Aspect

External OAA with SCIM Write-Back

Built-In SCIM Connector

This document describes how to enable External SCIM for an Open Authorization API integration, and supported actions.

Data Gathering (OAA):

You will need to design and build a custom integration to publish information about the application to the Veza Access Graph:

The payload can include local users, groups, permissions, resources, and complex authorization relationships
Data can be gathered from any source: APIs, databases, configuration files, etc.

See the rest of the Open Authorization API documentation for examples and best practices when designing and deploying custom integrations.

Lifecycle Management (SCIM):

You can enable the SCIM connection at the custom provider level:

Setting provisioning: true and external_lifecycle_management_type: SCIM for the custom provider enables Veza to use your application's SCIM endpoints for provisioning
Provide SCIM connection information and credentials (configuration_json)
Veza maps lifecycle actions to SCIM operations (

Important: When configuring a custom application for SCIM integration, the OAA payload structure (Application template) and SCIM configuration serve different purposes:

The OAA Payload (push_application() or API push) defines local users, groups, permissions, and resources used for visibility and authorization modeling in Veza, and can be updated independently.
The SCIM Configuration (configuration_json) for the custom provider defines how to connect to SCIM endpoints (including authentication, URL, and endpoint paths), and is used only for lifecycle management and access request operations.

Both must be consistent (describe and contain the same users and groups), but are configured separately.

Your application must expose SCIM 2.0 compliant endpoints with the following operations:

User Management:

GET /Users - List and filter users
GET /Users?filter=userName eq "{username}" - Query users by userName
POST /Users - Create new users

Group Management:

GET /Groups - List groups
GET /Groups/{id} - Retrieve specific group by ID
POST /Groups - Create new groups

Note: If the Users and Groups APIs are not at the standard /Users and /Groups paths, you can specify alternate endpoint paths in the configuration.

Your SCIM API must support one of the following authentication methods:

Bearer Token: API token passed in Authorization: Bearer {token} header
Basic HTTP Authentication: Username and password passed in Authorization: Basic {credentials} header

The authentication credentials must have both read and write permissions to the SCIM endpoints.

To synchronize custom attributes beyond the standard SCIM user schema:

Expose a GET /Schemas endpoint that returns SCIM schema definitions
Enable schema fetching in your configuration (see Configuration section)

External SCIM for Lifecycle Management is configured via the Veza REST API.

Create a Custom Provider that uses external SCIM endpoints specifically for lifecycle management:

Required Fields

Field

Required

Description

Configuration JSON Parameters

The configuration_json field contains SCIM endpoint connection details used only for provisioning operations. It does not affect your OAA payload structure.

Configuration Key

Required

Description

Example Value

* One of scim_token or the username/password pair is required for authentication.

Example Configuration with Bearer Token:

Example Configuration with Basic Authentication:

Push the OAA Application Payload as normal. See the for details.

Veza creates entities in Access Graph based on the OAA payload, which can be targeted in lifecycle management operations:

local_users in your Application template → Users to provision via SCIM
local_groups in your Application template → Groups to manage via SCIM

Entity types are named according to the following pattern:

User Entity Type: OAA.{application_type}.User
Group Entity Type: OAA.{application_type}.Group

Where {application_type} is the value you specify in your OAA Application template when building the payload. For example, if the application is defined:

The resulting entity types are:

OAA.CustomerPortal.User
OAA.CustomerPortal.Group

When Veza provisions users via SCIM, transformers can map attributes from your policy source of identity to SCIM properties:

Veza Attribute (in Policy)

SCIM Property

Type

Required

Description

If the SCIM service exposes a /Schemas endpoint and you enable scim_extension_schemas: true, Veza can synchronize custom extension attributes beyond the standard SCIM user schema. Extension attributes are mapped using the schema URN as defined by your SCIM implementation.

The following SCIM operations are performed when Lifecycle Management actions execute:

Create a new user in the target application.

SCIM Operation:

The SCIM endpoint creates the user and returns the user object with an assigned id.

Updates an existing user's attributes (one-time or continuously).

SCIM Operations:

Query for existing user:
Update the user:

Remove access when a user leaves the organization or changes roles. The user account is deactivated, but data is preserved.

SCIM Operation:

Deprovision sets active=false, which disables login but preserves the user record.

Permanently remove a user account.

SCIM Operation:

Grant a user access via group membership.

SCIM Operations:

Retrieve group details:
Add user to group:

Revoke a user's access by removing group membership.

SCIM Operation:

Creates a new group so that it can be granted as an entitlement.

SCIM Operation:

Workday, Okta, and Active Directory

Guide for implementing automated user lifecycle management across Workday, Okta, and Active Directory

A well-designed identity Lifecycle Management solution automates the provisioning, synchronization of attributes and metadata, and deprovisioning of user accounts across your application and systems ecosystem.

This guide demonstrates how to implement a worker (employees and contractors) Lifecycle Management solution using Workday as the source of identity with downstream user account provisioning and synchronization platforms of Okta and Active Directory (AD). This represents a common enterprise architecture where worker records originate in an HR system and are provisioned to identity and access management systems, while maintaining a seamless, secure, and compliant user lifecycle process.

This guide uses Okta as the Identity Provider example, but the same architecture applies to any Veza-integrated IdP. You can substitute Azure AD, OneLogin, PingOne, or any other supported IdP in place of Okta throughout this guide.

System Architecture

The following diagram shows the complete identity provisioning and synchronization architecture from Workday, a human capital management platform, to Okta and Active Directory, which are identity management systems:

The "Joiner Mover Leaver" (JML) process is a framework for managing users' employment lifecycle access within an organization. Provisioning access begins with onboarding new employees (Joiners), then managing internal transitions (Movers), and finally offboarding departing employees (Leavers).

Lifecycle Management is based on the JML paradigm, where Workday is the authoritative source of identity, which is monitored for the status of the worker based on attributes in their record to determine whether the user is a joiner, mover, or leaver.

The joiner, mover, leaver (JML) process flows through the systems as follows:

Before starting this implementation, ensure you have:

Completed at least one successful extraction for each integration

First, create Access Profiles that define which application entitlements a group of users will be assigned:

Go to Lifecycle Management > Access Profiles
Click Create Access Profile
Configure a profile for each department or role:

Create additional profiles as needed based on your organizational structure.

Next, create a Lifecycle Management policy using Workday as the source of identity:

Navigate to Lifecycle Management > Policies
Click Create Policy
Configure the policy:

Now add a workflow for new employee onboarding:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Add a workflow for handling employee role changes:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

Finally, add a workflow for employee termination:

Edit your Workday Employee Lifecycle policy
Click Add Workflow
Configure the workflow:

After configuring your workflows for joiners, movers, and leavers, you can test your policy using Simulated Dry Runs to check the expected actions when executed.

Another approach to test your policy is to create draft versions. You can make changes to your policy as an iterative draft until you are satisfied with the results. You can then publish the final version and enable it.

As a final verification, make modifications to the Workday application to test your policy's expected performance. Ensure that the downstream applications, Okta and Active Directory, are correct with the modifications.

Select Workday Employee Lifecycle policy.
Click the overflow menu (three dots icon) at the top of the page.
Select Perform Dry Run.

Select Workday Employee Lifecycle policy.
Click Create Draft.
Select Edit Workflow.
Modify any workflow in your policy.

In your Workday application, update the source of identity to test your policy. The following is a list of suggested changes:

Change the employee’s employee type (ie, from regular to contractor)
Verify account creation in Okta and Active Directory
Change the employee's department and verify group membership updates
Terminate the employee and verify account deprovisioning

Identity Synchronization is implemented during Lifecycle Management provisioning workflows. It is used to prevent provisioning errors due to duplication of username and/or email address. It supports robust identity sync across downstream applications (Okta and Active Directory) with different naming constraints or enforces unique identifiers.

Use Identity Synchronization if your target system already has an identity with a given attribute (e.g., a username or email is already in use).

Configure the Identity Syncing mode in the policy's . For the Workday to Okta and Active Directory pattern, Sync on changes only is typical: Workday emits reliable change events, so the periodic timer of "Always sync" is usually unnecessary.

Synchronizes employee records to Okta user accounts, creating and updating user profiles with mapped worker attributes from Workday.

Configuration:

Description: Synchronizes identities to Okta
Target: OktaUser
Create Allowed: Yes

Destination Attribute

Source/Format

Continuous Sync

Notes

All Employees

Assigns "All Okta Employee Access" profile
Does not remove existing relationships

US Developers

Condition: wd_location eq "US" and department eq "developer"
Assigns developer-specific access profiles
Does not remove existing relationships

Creates and updates on-premises Active Directory accounts with location-specific group assignments and standardized naming conventions for different employee categories.

Configuration:

Description: Synchronizes identities to Active Directory
Target: ActiveDirectoryUser
Create Allowed: Yes

Destination Attribute

Source/Format

Continuous Sync

Notes

US Location

Condition: work_location eq "US"
Assigns US Groups
Removes existing relationships

Executive Group

Condition: employee_group eq "Executive"
Assigns the Executive Employee group
Removes existing relationships

China Location

Condition: work_location eq "China"
Assigns China Groups
Removes existing relationships

Defines the procedures for safely removing access when employees leave the organization, including specific handling for each identity provider.

Handles employee offboarding in Okta by disabling accounts while preserving access history and configurations.

Configuration:

Description: Disables identities in Okta
Target: OktaUser
Remove Relationships: No

Controls the offboarding process for on-premises Active Directory, including moving accounts to a terminated user's organizational unit.

Configuration:

Description: Disables identities in Active Directory
Target: ActiveDirectoryUser
Remove Relationships: No

Destination Attribute

Value

Continuous Sync

Below are more detailed examples of joiner, mover, and leaver scenarios that you can implement using Veza's Lifecycle Management.

To handle edge cases where standard attribute formatting is not effective, use to define special exceptions. For example:

Contractors vs. Employees: Use different username formats based on employment type
Username Conflicts: Configure fallback formatters for handling duplicate usernames
Location-Specific Naming: Apply different naming conventions based on location or region

Ensure your email addresses remain consistent by configuring email write-back to Workday:

In your Joiner workflow, after the Sync Identities actions, add:
- Add Action > Create Email
- Configure for your email system

This ensures the email created in your systems is written back to Workday as the source of truth.

When implementing conditional actions, consider these patterns for robust lifecycle management:

Monitor your lifecycle management workflows using the :

Navigate to Lifecycle Management > Activity Log
Filter by policy name to see all actions for your Workday policy
Look for failed actions and investigate error messages

If usernames are already taken in target systems:

Configure to handle conflicts
Use employee ID or other unique identifiers as backup username formats

If required attributes are missing from Workday:

Use DEFAULT transformers to provide fallback values
Configure conditional logic to handle missing data gracefully

If group assignments fail:

Verify that referenced groups exist in target systems
Check that service accounts have sufficient permissions
Use conditional logic to assign groups only when they exist

Policies

Configure automated workflows for Lifecycle Management actions, including common attribute transformers and event notification settings

Overview

Lifecycle Management policies define the workflows that are triggered when a user is added or other events are detected at a specific source of identity. Workflows contained in a policy describe conditional sequences of actions that can be structured based on the specific joiner, mover, leaver (JML) scenarios that you want to automate. This might include hiring a new employee, terminating an existing employee, transferring an existing employee to another department, or other actions triggered by changes in status.

A policy can contain one or more workflows that run under different conditions. For example, one workflow might be applied when employees enter an "Active" state (for Joiner/Rehire scenarios), and another when an employee becomes "Inactive" (for Leaver scenarios). A workflow could also be triggered when an employee's hire date falls within a certain threshold, such as being less than 4 days away, or when it is related to any other employee property within the source of identity.

For most enterprise deployments, Veza recommends:

One policy for each source of identity integrated with Lifecycle Management
Two workflows within each policy:
- One for active users to cover Joiner and/or Mover scenarios (including Re-hire)
- Another for inactive users to cover Leaver scenarios

To create a policy for a source of identity:

Go to Policies.
Click Create Policy.
Enter a policy name and description.

The Dry Run allows you to simulate and preview how a Policy would process an identity, without making actual changes to target systems. This testing tool helps you validate workflow conditions, preview potential changes, and understand what actions would be triggered for specific identities.

The Dry Run evaluates workflow logic but does not interact with target integrations. Verify integration health to ensure target systems are accessible before running actual policies. Dry Run takes a policy and an identity to simulate:

The workflows triggered
All actions that would run
What Access Profiles would be assigned
Any potential changes to entities and attributes

You can test how policies would respond to identity attribute changes for different scenarios during a Dry Run simulation without impacting the actual identity attribute values.

You can initiate a Dry Run in two ways:

From a Lifecycle Management Policy

When editing a policy, open the Dry Run tool to preview changes for any identity:

Go to Policies.
Click a policy to view its details.
Click Dry Run Policy at the top right.
Choose the identity and policy to test workflows.

From Identity Details

You can start a Dry Run when viewing details for any account on the Identities page:

Go to Identities.
Search for an identity and click to view its details.
Expand the Actions menu at the top right and click Policy Dry Run.

Dry Run Notes:

Result: 0 Changes

When a dry run returns "0 changes", it means:

The selected identity does not meet any of the trigger conditions defined in your policy's workflows
No actions would be executed for this identity when the policy runs
This is not an error - it simply means the identity doesn't qualify for any of the configured workflows

Limitations

Dry Run has several important limitations:

Dry Run evaluates whether workflow conditions are met, not whether actions would succeed
It does not check whether integrations are functioning properly and whether target systems are accessible
It does not validate that changes could be successfully applied

Best Practices

Use Dry Run to validate that policies and their workflows are working as intended before enabling them in a live environment.

Test with Representative Identities: Select identities that represent different scenarios (new hires, role changes, terminations) to validate all workflows in your policy.
Simulate Different Scenarios: Modify identity attributes during Dry Run to test trigger conditions such as:
- Department changes

Handling long names or names with special characters
Department and location change at once
Same-day rehire after termination

Understanding how workflows execute helps with troubleshooting and policy design.

When identity source data changes, Veza processes it in this order:

Extraction completes: Data is pulled from the identity source.
Duplicate resolution (optional): If the policy has a Duplicate Resolution Rule configured, Veza consolidates duplicate records for the same person into a single authoritative identity before triggers evaluate. See .
Workflow triggers evaluate: Veza begins evaluating trigger conditions within approximately 1 second of extraction completing. Actual evaluation time scales with the number of managed identities. Policies with thousands of identities can take several minutes to process. For policies with multiple identity sources, evaluation waits until all configured sources have completed extraction.

"First time only" triggers

Most workflows (except sync workflows) are configured to trigger "only when trigger condition is first met." This means:

The workflow triggers the first time an identity matches the condition.
If the condition clears (identity no longer matches) and then matches again, the workflow triggers again as if it were the first time.
This behavior handles rehire scenarios where a previously terminated employee returns.

Sync workflows

Sync workflows track specific properties for changes. When adding new properties that require syncing:

Update the tracked property list in the workflow configuration.
Update sync-related common transformers to include the new attributes.

For more information on workflow triggers, see .

Trigger conditions use SCIM filter syntax. When comparing values, only the variable on the right side of the comparison can be transformed. The left side must be an attribute reference without transformation. See for syntax details.

Policies can be version-controlled, allowing for a method to refine and test changes in your automation workflows. You can create draft versions to test changes and validate updates before deployment while maintaining a history of previous configurations. Each policy can have only one active version and one draft version at a time, with automatic archival of retired versions.

Policies have a current state that is based on their workflow operations.

The Policy state includes:

Initial - Initially created before the first workflow version is published
Running - Actively processing with one or more workflows
Paused - Temporarily disabled
Pending - Waiting for activation

Note: In the Policies page, click on the Action overflow icon (three dots) to Start the policy in the Initial state, and Pause or Unpause at the Running state.

The Workflow Version state includes:

Draft - In draft mode for editing and modification
Published - Functional and active
Retired - No longer active or usable

The Policy Draft Mode is a state where a policy is saved but not yet active. In Policy Draft Mode, you can create, edit, and test policy configurations (such as workflows, actions, or mappings) without affecting real users, identities, or access profiles. Once you are satisfied, you can publish the policy, which moves it from the work-in-progress state to an operational state.

To enable the Policy Draft Mode, perform the following:

On the Lifecycle Management Dashboard page, click Settings in the top menu.
The Lifecycle Management Settings page appears. Click Policy Settings.
Switch ON the Enable Policy Draft Mode button.

Test Policy Workflows using Draft Versioning

You can test and refine your policy workflows to ensure that it is working as expected through a series of draft versions with Dry Run simulations. Once the workflow’s result is satisfactory, publishing the version will change the policy status to ‘active’.

Perform the following steps to test your policy workflow:

Create and save a new policy.
Create a new workflow and Save.
After creating a new workflow, click Publish.
By publishing your workflow, it is ready for activation by going to the

Published Policy

A published policy is activated and deployed with the following characteristics:

Enforces the defined rules in your environments, including:
- Creating, modifying, or removing user access.
- Synchronizing identity attributes.

For organizations using multiple Veza tenants (such as sandbox and production), policies can be migrated between environments using migration scripts provided by Veza support.

Use the migration script approach for:

Large policies with many workflows and complex transformers
Repeated migrations between the same environments (sandbox → production)
Policies where manual reconstruction would be time-consuming

For simple policies or one-time migrations, manual reconstruction may be faster than setting up the migration toolkit.

In both sandbox and production tenants, log in as an Integration Manager or Administrator and create API keys (Integrations > API Key).
Store each key in a password manager or secrets vault.
Set environment variables for the migration script:

In the target tenant, create a new draft version of the policy and note the version number.
If any of the following changed since the last migration, update the lookup table CSV (provided by support) with new IDs:
- Access Profiles

Extraction schedules for identity sources are configured via the Veza API. To modify extraction frequency or timing, contact for assistance with API configuration.

The maximum number of concurrent workflows is configured at the tenant level via API. This setting controls how many workflow jobs can run simultaneously across all policies. Contact to adjust concurrency limits for your deployment.

Disabling a policy pauses any running workflows. Re-enabling the policy does not resume paused workflows—they restart on the next extraction cycle.

Use the Policies page for an overview of initial, running, and paused policies. New policies are created in the "Initial" state, enabling a review period before activating the policy. Active ("Running") policies will apply the next time the data source is extracted.

To manage policies on the main Policies overview:

Go to Lifecycle Management > Policies
Find the policy you want to manage
- Search for a specific policy by name

Policies contain one or more workflows. Typically, workflows correspond to Active and Inactive user states, but not always. More specifically, workflows define a sequence of actions to run when a condition is met, based on events and identity changes captured at the source of identity. These workflows apply to scenarios such as new employee hiring, internal employee mobility changes (e.g., promotions, transfers, new managers), or employee departures.

Workflows comprise a tree-like sequence of conditions designed to meet the specific requirements of your joiner, mover, and leaver processes. For example, you may want to grant specific entitlements to users with specific roles, locations, or groups.

The following diagrams illustrate typical joiner and leaver workflow implementations, showing how identity changes in your HR system trigger coordinated provisioning and de-provisioning actions across multiple target applications.

Joiner Workflow

When a new employee is created in Workday, Veza automatically provisions accounts and assigns appropriate access across connected systems based on the employee's role and attributes.

Leaver Workflow

When an employee's status changes to inactive or terminated in Workday, Veza automatically de-provisions accounts and removes access to protect your organization's security posture.

Workflows and Trigger Conditions

Trigger Conditions refer to rules or filters that initiate (or delay) provisioning and deprovisioning workflows based on certain events, criteria within identity data sources, or lifecycle workflows. Trigger conditions use SCIM filter syntax to evaluate whether an identity matches specific criteria.

See for SCIM filter syntax and available operators, or for a comparison with transformer syntax.

Trigger conditions are often tied to HR events, such as employee hiring (joiner), role changes (mover), or termination (leaver). For instance, provisioning flows can be triggered when an employee is hired or deprovisioned when terminated.
Trigger Conditions can be time-based, such as "create the Active Directory account 15 days prior to a new employee's start date".
Advanced implementations also support relationship-based triggers (e.g., launching workflows when a worker is added to a specific department). Note: Trigger conditions can also encompass

To add a workflow, perform the following:

Select a policy.
Click Create Workflow.
In Details, enter the workflow name and description.
In the

Not set
Low
Normal
Medium

The levels dictate the order/priority in which the workflows are run. The higher-priority setting will be processed first. A fairness algorithm is built in to prevent lower-priority workflow tasks from being starved.

In the New Workflow pane, click trigger attribute. The Edit Workflow pane appears.
In the Triggering Condition (Condition String) field, select a conditional string from the dropdown menu to create a logical syntax that automatically starts the workflow. Once a condition has been set, another conditional string can follow, or an action can be taken.
In the Options section, select one of the following:

Note: All workflow errors must be resolved before it can be saved.

Clone or Delete a Workflow

Once an LCM Policy workflow is saved, the clone and delete options appear alongside the workflow name:

Click on the copy icon to clone the workflow.
Click on the trash bin icon to delete the workflow.

Webhook notifications after Sync Identity

For ITSM integrations that need to receive all attributes after a Sync Identity action completes:

Place the webhook action under a condition that follows the Sync Identity action in the workflow tree.
Add a pause action before the webhook if needed to allow time for attribute propagation.
Use clear naming conventions for conditions (for example, "FTE New Hire AD Notification") to indicate their purpose.

A transformer is a rule or function that takes incoming identity or attribute data and modifies it into the format or value that the target system requires.

They’re used when the data source system and target system represent or store information differently. For example, transformers can:

Converting a username from “First.Last” format into all lowercase.
Mapping a department value like “HR” in the source to “Human_Resources” in the target.
Adding a prefix or suffix to attributes (e.g., appending a domain name to create an email).

Transformers act as data processors inside a policy, ensuring that the right values are sent when provisioning, updating, or deprovisioning identities and entitlements.

To add a transformer, perform the following:

Select a policy.
Click Transformers.
Click Add Transformer.
In the New Transformer

See for available transformation functions.

Lookup tables are CSV files with columns that map values from a source of identity to destination values. Each row represents a mapping entry. The first row must contain the column headers.

This example is a location mapping table, which is a typical format for a Lookup Table:

Once a Lookup Table has been uploaded, it can be processed with the Lookup Transformers. The Lookup transformers convert identity attributes from a source system into appropriate values for target systems based on CSV reference tables. This is particularly useful when mapping values between systems that use different naming conventions, codes, or formats for the same conceptual data.

Use Lookup Table Transformers to:

Map source attribute values to different values in target systems
Standardized reference data that must be consistent across applications
Extract different pieces of information from a single attribute value
Have complex mapping requirements that built-in transformers cannot support

See for detailed information.

To add a Lookup Table, perform the following:

Select a policy.
Click Lookup Table.
Click Add Lookup Table.
In the New Lookup Table

Properties are the attributes that describe identities, accounts, and entitlements. They serve as the data points a policy can use to determine when and how to take action. Properties can come from:

Built-in properties – default attributes that LCM provides out-of-the-box (for example: username, email, status, created_at).
Custom properties – attributes defined by your organization to capture unique metadata (for example: cost_center, employee_type, manager_id).

Use Properties to:

Properties are referenced in policy conditions (e.g., disable account if status = inactive).
Help with transformers and lookup tables, allowing you to map or reformat values.
Used in identity overrides when syncing accounts from different providers.

To add Properties, perform the following:

Select a policy.
Click Properties.
The Mover Properties appear. Click Edit Properties.

Password Complexity Rules in a policy ensure that generated passwords adhere to standardized criteria according to defined password policies across automated provisioning workflows. You can define reusable password complexity rules to enforce requirements for password length, mandatory character types (uppercase letters, lowercase letters, numbers, and special characters), and restricted characters when generating random passwords. These rules are available for selection in Sync Identities, Deprovision Identity, and Reset Password actions when working with integrations that support complex password requirements.

To add Password Complexity Rules, perform the following:

Select a policy.
Click Password Complexity Rules.
Click Create Password Complexity Rule.
In the

Custom Transformer Functions allow you to programmatically modify or enrich identity attributes as they are synced from identity sources to target systems. These transformations ensure that data formats align across systems and support more dynamic provisioning logic. Such transformers can:

Convert dates into required formats or perform date-based calculations (e.g., adding days to a hire date).
Normalize or transform string values (e.g., case conversion, trimming, substrings).
Apply conditional logic via functions directly within provisioning rules.

To add Transformer Functions, perform the following:

Select a policy.
Click Transformer Functions.
Click Create Custom Transformer Function.
In the

The Policy Settings page provides information about a specific policy and allows for additional configuration, including:

Modify the primary identity source
Define an additional data source to the primary identity source
Configure email notifications or a webhook for action-related events
Enable continuous synchronization to ensure identities are up-to-date

The Details view shows the Policy Name and Description fields. These fields are editable for name change or description refinement, if required.

The Primary Identity Source pane displays the integration name of the data source. The Integration field displays all available data sources, where you can add or remove, if required.

A Primary Identity Source is the authoritative system that serves as the source of truth for user identities (e.g., HR system, Active Directory, identity provider like Okta/Entra ID). Typically, one type of source of identity is associated with one integration.

The role of the Primary Identity Source includes:

Acts as the authoritative record for user information (emails, roles, statuses).
Lifecycle rules such as provisioning, updates, or deprovisioning are typically triggered based on changes detected in this data source.
Ensures consistency and accuracy across target systems where access is granted or revoked.

As an option, the Additional Identity Sources pane is typically used to add a different type of integration from the Primary Identity Source, which requires that the additional data source be already configured into Lifecycle Management. You can also correlate primary attributes and additional attributes to be associated with the data source. The added data source will sync for authentication, user updates, or provisioning.

To add an Additional Identity Source, perform the following:

Click Add Source.
In the Select Identity Source field, select a data source. Note: Leave 'These types are not related' unchecked (the default) when you want Veza to match identities across both sources using the correlating attributes defined below. Enable the option when the additional source has no correlation to the primary — for example, when adding it purely for enrichment and identity matching is not needed. With the option enabled, Veza hides the Correlating Attributes section and skips identity matching between the two sources.
In the Correlating Attributes

When events occur during the execution of a policy’s workflow, notifications can be triggered upon execution of actions in workflows as a means to inform stakeholders or integrate with external systems. These notifications can be optionally configured as their own discrete action in a workflow or as an option when another action is executed. Lifecycle Management supports email- and webhook-based notifications.

For example, an organization might configure its Active Employee policy to send an email to the manager of each new hire after the employee's email address is provisioned. Additionally, a webhook will be sent to the company's learning management system to initiate online onboarding training once each new hire's Okta account is provisioned, following a successful Sync Identity operation.

Use the Notifications to add and manage notifications:

In the Notifications pane, click Add Notification.
Choose the notification type (Email or Webhook).
Choose the event to trigger notifications:

See for customizing email notifications.

Identity Syncing Option

The Identity Syncing option controls how often the Sync Identities action runs in workflows that have Continuous Sync enabled. It has no effect on workflows without Continuous Sync.

The setting is configured at the policy level and applies to all of its workflows by default. Individual workflows can override it from the workflow's own settings.

Mode

When the workflow syncs

Use when

To configure:

Open the policy and go to Advanced Settings.
Under Identity Syncing, select Sync on changes only or Always sync.
If you selected Always sync, set the Sync Interval (default: 1 hour).

To override at the workflow level, open the workflow, expand its sync settings, and choose a different mode.

Safety Limits

Safety Limits prevent unintended mass changes to identities by enforcing configurable thresholds. Two independent mechanisms are available and can be used together for layered protection:

Hard Limit

The Hard Limit (formerly "Safety Limit") is a reactive mechanism that stops processing during execution once the configured number of identity changes has been reached. When the limit is triggered, no further identity changes are processed for the current policy run.

To configure a Hard Limit:

Enable the Hard Limit toggle.
Set the Maximum Number of Affected Identities to define the threshold.

Predictive Safety Limit

The Predictive Safety Limit is a proactive mechanism that blocks all changes before execution begins if the system predicts the number of workflow runs will exceed configured thresholds. This prevents unintended mass processing of identities when upstream attribute changes in a Source of Identity would trigger unnecessary Joiner, Mover, or Leaver workflows.

To configure a Predictive Safety Limit:

Enable the Predictive Safety Limit toggle.
Set the Maximum Number of Workflow Runs to define the threshold.

Workflow-Level Limits

Safety limits can be configured at both the policy level and individual workflow level for granular control. When configured at the workflow level, each workflow enforces its own thresholds independently, enabling different limits for Joiner, Mover, and Leaver workflows within the same policy.

Blocked Tasks

When a Predictive Safety Limit triggers, no changes are processed. A warning appears on the Blocked Tasks page with options to:

Review what would have changed
Run the blocked tasks (manually approve execution)
Abandon the blocked tasks (discard without executing)

Processing of future extractions is paused until the administrator acknowledges the warning and resumes processing. New activity log event types PREDICTED_SAFETY_LIMIT_EXCEEDED and WORKFLOW_PREDICTED_SAFETY_LIMIT_EXCEEDED are recorded when predictive limits trigger.

Attribute Transformers

Configure how user attributes from a source of identity are transformed for target user accounts

When creating workflows in Lifecycle Management policies to create, sync, or deprovision identities, you will use attribute transformers to specify how user attributes for target accounts should be structured.

Terminology: For definitions of transformer, formatter, pipeline function, and condition, see .

An attribute transformer is the complete configuration for mapping a source attribute to a destination attribute. It consists of:

Component

Description

Example

The target attributes to create or update are typically mapped and, optionally, transformed from user metadata in the source of identity, such as an identity provider, HR system, or CSV upload. Attributes can be synchronized once or kept continuously in sync as changes occur throughout the user's employment lifecycle.

For example, attribute mapping and transformation can be used across Joiner, Mover, and Leaver scenarios:

Joiner: Set new Azure AD User Principal Name to {source username}@your-email-domain.com. This is an example of mapping multiple attributes and performing a transformation. More specifically, you use the attribute transformer to generate an email address for new joiners. Use the source username (user_principal_name) from the source of identity (Azure AD UPN) for the first part (user attribute), while your-email-domain.com is used for the last part (target attribute).
Mover: Always update a user’s “Manager” and “Department” attributes in Okta to match the user’s manager and department in Workday, a source of identity, whenever a department change or other employee mobility event occurs. This is an example of attribute mapping with continuous synchronization.

When synchronizing a user’s attributes, Veza may apply many transformations to convert the source attribute values into a more suitable format intended for the target application as a user account attribute.

For example, a transformer might remove the domain from an email address, replace special characters, or convert a string with uppercase letters to lowercase letters.

See for detailed information.

Term

Description

Examples

Common transformers define one or more rules to apply when synchronizing the attributes of a target identity. Use them at the Policy level where you want to create or update attributes using the same conventions across multiple sync or deprovision actions. When you need to configure a one-time individual action in a workflow, such as a specific attribute, then you use the transformer at the Action level.

At the Policy level, you configure a transformer with basic details, including how to source the value of each attribute:

Assign a name and description to the transformer, and specify the data source to which it applies.
Entity Type: Choose the target entity type in the destination system.
Click Add Attribute. The Destination Attribute dropdown will list available attributes for the chosen entity type.

After creating a common transformer, you can select it when editing a workflow action. You can edit or delete common transformers on the Edit Policy > Common Transformers tab. Remember that "Sync Identity" and "De-Provision Identity" actions can have action-level transformers override common transformers. If the same destination attribute is defined in both, the action-level transformer will take precedence.

Create common transformers when the same transformation logic appears in two or more places within the policy. Common transformers reduce duplication and ensure consistent formatting across actions.

Create transformer functions when the same transformation applies to multiple properties. Functions let you reuse logic without duplicating configuration.

The Formatter field in a transformer specifies how to construct the attribute value. It can be set to a specific value, synchronized with a source attribute, transformed using a function, or a combination of these.

To create a destination attribute with a fixed value, enter the desired value when configuring the formatter. For setting the creator attribute:

Destination Attribute

Formatter

Continuous Sync

For activating a re-hired employee:

Destination Attribute

Formatter

Continuous Sync

To clear an attribute value, leave the formatter field empty. The behavior at the destination depends on system type:

SQL-based destinations (Oracle, MySQL, MSSQL): an empty formatter sends NULL to the database column.
SCIM destinations: an empty formatter sends an empty string to the provider.

For deactivating a user or clearing a manager reference:

Destination Attribute

Formatter

Continuous Sync

Target attributes can be updated based on attributes belonging to the source of identity. To reference the value of a source entity attribute in your formatter, use the format {<source_attribute_name>}.

Examples:

Destination Attribute

Formatter Example

Continuous Sync

By default, when you reference an attribute such as {department} in a formatter, the system searches through your configured identity sources in order (primary first, then secondary sources). This works well for simple policies with a single source of identity.

Aliases become useful when:

Multiple integrations share the same entity type (e.g., two Active Directory instances, or when your source of identity and sync target use the same entity type)
A policy involves multiple integrations that have attributes with the same name
You need to explicitly control which system's attribute value is used

Example: HR System to Directory Sync

A policy syncs identities from an HR system (Workday) to a directory (Active Directory). Both have a department attribute. Without aliases, {department} resolves from whichever system appears first in the search order. With configured aliases hr and directory (which become $hr and $directory), you can explicitly reference {$hr.department} to ensure you're using the authoritative HR value.

Aliases can be used in:

Attribute formatters
Workflow trigger conditions
Action conditions
Mover property definitions

Aliases provide shorthand references to specific integrations and entity types, making transformers and conditions more readable in complex policies.

To configure aliases, open a Lifecycle Management policy, click Edit, and navigate to the Alias Definitions tab. Each alias requires:

Alias Name: Must start with $ followed by at least one lowercase letter, number, or underscore. Additional $ characters can appear after the first character. The $ prefix is added automatically if omitted. Valid examples: $workday, $hr_system, $ad$corp. Invalid examples: $, $AD (uppercase), $$double

Aliases can resolve attributes from two contexts:

Input: Values from the source system before any sync action runs (the authoritative data)
Output: Values currently in the target system (what's already provisioned)

By default, the system checks output first, then falls back to input. Use suffixes to explicitly control resolution:

Suffix

Resolves From

Example

Use Case

Use these operators in IF conditions to compare attribute values:

Operator

Meaning

Supported Types

Combine conditions with and, or, or negate with not.

In attribute formatters:

In LCM Workflow Conditions (comparing source and target values):

Multiple integrations with the same entity type:

For organizations with multiple Active Directory domains (e.g., corporate employees and contractors), you can create distinct aliases to control which AD integration is used:

Configure alias corp_ad → Integration: AD_Corporate, Entity Type: ActiveDirectoryUser
Configure alias contractor_ad → Integration: AD_Contractors, Entity Type: ActiveDirectoryUser

Then explicitly reference the correct domain in your formatters:

This ensures you're using the department attribute from the corporate AD integration rather than the contractor AD integration, even though both use the same ActiveDirectoryUser entity type.

Based on the user metadata available from your source of identity (SOI), you may need to convert a full email address to a valid username, standardize a date, or generate a unique identifier for users provisioned by Veza. Suppose an attribute value needs to be altered to be compatible with the target system. In that case, you can transform the value of a source attribute or apply a range of other functions to generate the target value.

Formatter expressions use the following syntax: {<source_attribute_name> | <FUNCTION_NAME>,<param1>,<param2>}

For example:

Destination Attribute

Formatter

Description

Example

Refer to the page for complete documentation of all supported functions, parameters, and usage examples. The reference includes:

Notifications

Customizing email notifications and Webhook configuration for Lifecycle Management events and Access Requests.

Email Templates Overview

Administrators can customize email notifications sent during Lifecycle Management and Access Request workflows. These emails can include instructions, unique branding, and placeholders for metadata specific to the event (such as entity names, action types, or request details). Each notification type (usage) can have its own customized template.

Notification templates support HTML and CSS. They can include links to external images or you can upload small files to Veza. This document includes steps to configure templates in Veza using the notifications API, and a reference for event types, default templates, and supported placeholders.

Template Management: Currently, notification templates can only be managed via the Notification Templates API. Template management through the Veza UI is not yet available.

Access Reviews Notification Templates: For access review workflow notifications, see .

Managing notification templates

Custom Email Templates

In addition to event-specific templates, you can create custom email templates that are not tied to specific lifecycle events. These reusable templates allow you to define notification content once and use it across Send Notification actions and action notification settings. Custom email templates are:

Reusable: Single template for multiple workflows and actions
Event-independent: Not associated with a specific lifecycle event type
Flexible: Can be used in both Send Notification actions and action notification settings (on_success/on_failure)
Standard placeholder support: Supports all the same placeholders as event-based templates

To create a custom email template:

Navigate to Lifecycle Management > Settings > Notifications
Click Create Template
Select For Custom Email (as opposed to "For Event")

To use a custom template, select it when configuring the Send Notification action, or in Action Notification Settings:

Send Notification action: Choose from the "Select Email Template" dropdown when configuring the action
Action Notification Settings: Select the template for on_success or on_failure email notifications on any action

When you select "Default template" in these dropdowns, the system uses the event-based template appropriate for the event. When you select a custom template, that template is used regardless of the specific event being processed.

The system provides built-in templates for all Lifecycle Management and Access Request events. These templates use placeholders that are automatically replaced with actual values when notifications are sent.

Generic Failure Template

When specific event templates aren't available or when events fail, the system uses a generic failure template:

Subject: Lifecycle job {{EVENT_TYPE}} has failed

Body:

See for all default messages.

Lifecycle Management Events

Each template you create is associated with a specific notification event (referred to as usage in the API). The following event types are available for Lifecycle Management workflows, organized by functional area:

Veza provides built-in email templates for all event types, organized by functional area below. These templates include standard placeholders and can be customized or replaced with your own templates.

From the Veza UI, you can add images directly through the "Add images" option. These will be automatically encoded and included in your template.

To use an attachment you have uploaded in a template, specify it by attachment.name, for example:

To embed high-resolution images in your templates, you should serve the content from a public URL, and use HTML to link and style it.

Use placeholders to include dynamic information in templates, such as entity names, action types, timestamps, and other event metadata. Placeholders are automatically replaced with actual values when notifications are sent.

Veza notification templates support two types of placeholders:

1. Static Placeholders (Predefined)

These are uppercase constants documented in the tables below (e.g., {{ENTITY_TYPE}}, {{ENTITY_NAME}}). They are replaced first during template processing and work with all notification templates.

Example:

2. Dynamic Attribute Placeholders

You can also reference any attribute from the entities being processed using two formats:

Untyped format: {{attribute_name}} - References an attribute by name alone
Typed format: {{EntityType.attribute_name}} - References an attribute from a specific entity type

The attribute name must exactly match the casing used by your integration. For example:

If your integration provides an attribute named email, use {{email}}
If it provides Email, use {{Email}}

Examples:

The following static placeholders are available in all notification templates:

Placeholder Not Being Replaced?

If a placeholder appears in your notification email instead of being replaced with a value, check the following:

Verify exact casing: Placeholders are case-sensitive
- ✅ Correct: {{ENTITY_TYPE}}
- ❌ Wrong: {{entity_type}}, {{EntityType}}

Best Practices:

Start with predefined placeholders: Use the documented static placeholders (uppercase) whenever possible
Test templates: Send test notifications to verify placeholder replacement before deploying to production
Document custom attributes: Keep a reference of the attribute names and casing used by your integrations

Whether a placeholder resolves to a value, and which record that value comes from, depends on two things: the form of the placeholder and the configuration surface the template is attached to. A placeholder that resolves correctly on one surface can fall through unresolved on another. This section describes how resolution works so you can author templates that reference the intended record.

Veza resolves three placeholder forms differently:

Form

Example

Resolves against

For the qualified form, when an entity type appears in both the output entities and the source of identity, the output (target) value is used. This means {{EntityType.attribute}} is the only form that can reference an attribute written to the target system, and the bare form always reads from the source of identity.

A notification template can be attached to three surfaces, and each receives a different set of attributes:

Surface

Source-of-identity attributes

Target (output entity) attributes

Target (output entity) attributes are only available downstream when the action that ran produces output entities:

Action

Populates output entities

When in doubt, confirm the source of an attribute against the producing action rather than assuming it is available everywhere in the workflow.

The qualified form requires the exact entity type string that the integration registered, not a friendly label from the UI. For OAA integrations, that string has the form OAA.<Provider Display Name>.<Entity Type>, and it includes any spaces in the provider's display name.

For example, a Jira Cloud user's email attribute is referenced as:

The space inside Jira Cloud is required. Veza splits the entity type from the attribute on the final period, so spaces inside the provider name are preserved. If the provider display name contains a period, the qualified form cannot address it.

To find the canonical entity type for an integration, inspect an entity of that type in the Veza catalog or query the entity type through the API. Use the registered type string exactly as shown, including capitalization and spaces.

For a given notification, Veza selects the template to render in this order:

A custom template referenced by ID on the action or notification setting, if one is configured.
The template assigned to the matching event usage, if one exists.
The built-in default template for that event.

Selection is evaluated per configuration surface and per outcome (success or failure), so an action can use a custom template on success and fall back to the built-in default on failure.

Veza performs flat text substitution. It replaces each {{key}} token with its value and does not evaluate conditional or block logic. Handlebars-style block syntax such as {{#if}}, {{/if}}, {{else}}, partials ({{>partial}}), and comments ({{!comment}}) is not supported. These tokens never match an attribute, so they remain in the output and are reported as unresolved placeholders in the job's activity log.

If a notification arrives with literal {{...}} text in it, check the activity log for the unresolved-placeholder warning. It lists the exact tokens that did not resolve, which distinguishes a wrong entity type prefix from an attribute that was simply empty.

Beyond the listed above, individual actions populate result-specific placeholders. Availability is context-dependent: each token is only set by the action or event that produces it, so a placeholder valid in one notification may be empty in another.

Webhook notifications are triggered upon execution of actions during the LCM Policy workflow process. Webhooks inform stakeholders or integrate with external systems of events that are processed within the workflow. Webhook notifications can be optionally configured as their own discrete action in a workflow or as an option when another action is executed.

For example, a webhook is sent to the company's learning management system to initiate online onboarding training once each new hire's Active Directory account is provisioned, following a successful Sync Identity operation.

To create and manage a webhook, perform the following:

Go to Policies and select a policy.
Click Edit Policy.
Click Policy Settings.

Getting Started

In this section

Lifecycle Management Dashboard

Dashboard Overview

Identities

Identity Override Attributes

Access Profile Types

Overview

Dynamic Approvers

How it works

Sync Identities

Manage Relationships

Create Email

Deprovision Identity

Delete Identity

Custom Action

Write Back Email

Pause

Send Notification

Reset Password

Create Access Review

Rotate Key

Attribute Synchronization

Action Level

How-to Guides

In this section

Disable Workflows and Actions

Overview

Getting Started

In this section

Identities

Manage Relationships

Custom Action

Pause

Where to go next

In this section

Key concepts

Related topics

Sync Identities

Deprovision Identity

Create Email

Send Notification

Write Back Email

Reset Password

Delete Identity

Deprovisioning methods

Typical workflow

Email Template Selection

Example: Exchange Server onboarding with email write-back

Lifecycle Management Dashboard

Dashboard Overview

Create Access Review

Dashboard Actions

Policies

Access Profiles

Identities

Integrations

Access Requests

Errors

Recent Activity

Next Steps

Certification Creation Plan Configuration

How It Works

Event Notifications

Access Profile Types

Overview

Dynamic Approvers

How it works

Rotate Key

How-to Guides

In this section

Attribute Synchronization

Action Level

Disable Workflows and Actions

Overview

Identity Override Attributes

Attribute Level

Recommended Settings

Required Azure permissions

Result placeholders (for notification templates)