Use mappings to feed output from Filters into specific write operations in target systems. Examples include account create, update, delete, enable/disable, etc. Each of these operations is called a mapping function. Each mapping contains a single mapping function.

For example, "Mapping X should create a new user account in system Y for every user returned by filter Z".

To get started, Create a mapping.

A mapping generates the API calls that will be made in the target system for its associated function. These calls are then staged until the mapping is actually executed.


In a production environment, the proper way to execute your mappings is via Jobs. For test purposes, you can Test run a single mapping operation.

A system targeted by a mapping is considered to be in a target context. See Sources and targets.

At minimum, you will typically create 4-6 mappings per target system—and often many more.

Mappings are trigger events of type mapping. See Events.


It is also possible to use mappings to dynamically manage target groups and group memberships, in addition to target accounts. See Roles vs. mappings for group management for more information on whether a mapping or role is the right choice for a given situation.

Mapping functions require you to map fields from Filters to target account attributes.

For example, in an account create function you might map a filter's first_name field to the target account's DisplayName attribute. Or, you might need to map a temporary password to the target account's password attribute.

In cases where a direct mapping is not sufficient, use Name generators and/or Password generators to transform filter output fields as necessary.

For example, the userPrincipalName attribute in target Active Directory systems usually requires a specific suffix. Use a name generator to perform the necessary string manipulation. Or, a password attribute may require a value with certain characteristics. A password generator provides this functionality.

If the mapping doesn't contain the target account attribute you want to map, Create a custom attribute. (If you also want to collect the attribute in a source context, in addition to mapping it in a target context, instead see Customize user account schema.)

Some target systems contain user attributes which comprise entire tables, rather than single values. For example, in a target Google Workspace system, the phones and externalIds attributes of the users table. These attributes correspond to the users_phones and users_externalIds tables, respectively. This allows users to have multiple phone numbers and external IDs, each with multiple associated fields. To handle these cases, Map a sub-mapping.