Configuring the GitHub integration for Veza Lifecycle Management.
The Veza integration for GitHub enables automated user lifecycle management, with support for user provisioning, team membership management, and account deprovisioning.
| Action | Description | Supported |
| --- | --- | --- |
| SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✅ |
| MANAGE_RELATIONSHIPS | Controls entitlements such as organization and team memberships for identities | ✅ |
| DEPROVISION_IDENTITY | Safely removes or disables access for identities by suspending accounts | ✅ |
| SOURCE_OF_IDENTITY | GitHub can act as a source system for identity lifecycle policies | ❌ |
This document includes steps to enable the GitHub integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
You will need administrative access in Veza to configure the integration and site administrator privileges in GitHub Enterprise Server.
Ensure you have an existing GitHub integration in Veza or add a new one for use with Lifecycle Management.
Verify that your GitHub integration has completed at least one successful extraction.
The GitHub integration needs the following additional GitHub App permissions:
- Organization permissions - Members (Write): required for managing organization memberships
- Organization permissions - Administration (Write): required for administrative operations
- Repository permissions - Administration (Write): required for managing team memberships
Important: GitHub LCM operations use Admin API endpoints that require site administrator privileges. These operations are typically available in GitHub Enterprise Server environments, not GitHub.com.
To enable the integration:
1. In Veza, go to the Integrations overview
2. Search for or create a GitHub integration
3. Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your GitHub data remains current:
1. Go to Veza Administration > System Settings
2. In Pipeline > Extraction Interval, set your preferred interval
3. Optionally, set a custom override for GitHub in the Active Overrides section
To verify the health of the Lifecycle Management data source:
1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
2. Search for the integration and click the name to view details
3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
GitHub can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.
The integration supports the following lifecycle management Actions:
Primary action for user management (creating or updating users):
- User login cannot be changed after creation
- GitHub usernames must be unique and follow GitHub naming rules (39 characters max, alphanumeric plus hyphens)
- Email addresses must be unique across the GitHub instance
- Requires site administrator privileges for user creation operations
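Because a login cannot be changed after creation, it is worth validating a provisioning batch against these constraints before the sync runs. The following is an added example, not Veza's or GitHub's own code: the function names are hypothetical, the sample records are constructed, and two points are assumptions that go beyond the rules listed above (no leading, trailing or consecutive hyphens, and case-insensitive uniqueness).

```python
import re
from collections import Counter

# Page rule: 39 characters max, alphanumeric plus hyphens.
# Assumption (not stated on the page): no leading, trailing or doubled hyphens.
LOGIN_RE = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*")
MAX_LOGIN_LEN = 39


def check_login(login):
    """Return a list of naming-rule violations for one proposed login."""
    problems = []
    if len(login) > MAX_LOGIN_LEN:
        problems.append("longer than 39 characters")
    if not LOGIN_RE.fullmatch(login):
        problems.append("must be alphanumeric with single interior hyphens")
    return problems


def preflight(batch, existing_logins=(), existing_emails=()):
    """Map record index -> reasons the record would violate the constraints."""
    # Uniqueness is compared case-insensitively (assumption).
    logins = Counter(r["login"].lower() for r in batch)
    emails = Counter(r["email"].lower() for r in batch)
    taken_logins = {name.lower() for name in existing_logins}
    taken_emails = {addr.lower() for addr in existing_emails}
    report = {}
    for i, rec in enumerate(batch):
        login, email = rec["login"].lower(), rec["email"].lower()
        problems = check_login(rec["login"])
        if logins[login] > 1 or login in taken_logins:
            problems.append("login not unique")
        if emails[email] > 1 or email in taken_emails:
            problems.append("email not unique")
        if problems:
            report[i] = problems
    return report


# Constructed sample batch, not real accounts.
SAMPLE = [
    {"login": "jane-doe", "email": "jane.doe@example.com"},
    {"login": "j.smith", "email": "j.smith@example.com"},
    {"login": "Jane-Doe", "email": "jd2@example.com"},
    {"login": "a" * 40, "email": "jane.doe@example.com"},
]

if __name__ == "__main__":
    for idx, why in preflight(SAMPLE, existing_logins=["octo-admin"]).items():
        print(SAMPLE[idx]["login"], "->", "; ".join(why))
```

Rejecting a record here is cheaper than discovering the collision after the account exists, since the login is then fixed.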
The following attributes can be synchronized:
Both adding and removing memberships are supported. Organization and team memberships are automatically removed during deprovisioning.
- Add and remove organization memberships with member role
- Add and remove team memberships with member role
- Synchronize access assignments based on external identity changes
- Track membership changes for audit purposes
When a user is deprovisioned:
- User account is suspended in GitHub Enterprise Server
- All organization and team memberships are removed automatically
- Commit history and attribution are preserved for audit and compliance
- Account can be reactivated if needed (unsuspended)
- User receives appropriate error messages when attempting to access GitHub
Create GitHub accounts and assign appropriate access for new developers:
- Identity Sync: Create user account with basic profile information
- Organization Access: Add user to primary GitHub organization
- Team Assignment: Assign to development teams based on department
- Profile Setup: Configure public email and display name
Update GitHub access when employees change departments or roles:
- Relationship Updates: Remove existing team memberships
- New Access: Add memberships for new role requirements
- Audit Trail: Track all membership changes for compliance
Securely remove access while preserving development history:
- Account Suspension: Suspend GitHub account to prevent access
- Membership Removal: Remove all organization and team memberships
- History Preservation: Maintain commit attribution and repository history
- Compliance: Generate audit trail of all access removal actions