Skip to main content
Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Please contact our Support team if you’d like to try it out or have any feedback.
Attribute push rules let you control which user attributes are synchronized to specific applications and how they’re mapped. You can:
  • Sync ConductorOne attributes to application user profiles
  • Transform attribute values using CEL expressions
  • Target specific users based on conditions
  • Map to both standard and custom attributes (when supported by the connector)

Supported connectors

Attribute push rules are currently available for:
  • Active Directory
  • Microsoft Entra ID
Each connector reports its own supported schema and whether it supports custom attributes.

When to use attribute push rules

Use attribute push rules when you need to:
  • Keep user profile data synchronized across applications
  • Populate custom user fields in connected applications
  • Maintain consistent user attributes for compliance or operational purposes
  • Transform or derive attribute values before syncing

How attribute push works

Attribute push keeps user attributes synchronized between ConductorOne and your connected applications. In broad strokes, here’s how to set up a push rule:
  1. Select the connector you want to push attributes to
  2. Map ConductorOne attributes to the target application’s user attributes
  3. Optionally use CEL expressions to transform values
  4. Choose which users to target (all users or specific users)
  5. Enable the configuration to begin syncing
Once enabled, ConductorOne automatically pushes attributes to the target application whenever:
  • The push configuration is created or updated
  • A user’s attribute values change in ConductorOne

Configure attribute push rules

Prerequisites

  • The Super Admin role in ConductorOne
  • A configured connector for the target application
  • User attribute mappings defined in ConductorOne (Directory > User data sources)

Create a push rule

1
Navigate to Directory > User data sources.
2
Select the Push rule tab.
3
Click Add push rule.
4
Select the connector you want to push attributes to.
5
Under Select users to push to, choose:
  • Everyone: Push attributes for all users in your tenant
  • Users who have: Select required entitlements and profile attributes, or use a CEL expression to target users matching specific criteria
6
For each attribute you want to sync:
  • Choose the target attribute name from the connector’s available attributes
  • Select a ConductorOne attribute to map, or click the Change to expression icon and write a CEL expression for custom logic
  • If the connector supports custom attributes, you can specify a custom name
7
Enable the push rule.
8
Click Save.

Edit or disable a push rule

1
Navigate to Directory > User data sources > Push rule.
2
Find the push rule in the list.
3
Click the (more actions) menu and select:
  • Edit: Modify attribute mappings or user targeting
  • Enable or Disable: Turn the push rule on or off
  • Delete: Remove the push rule completely

Attribute mappings

Direct attribute mapping

Select a ConductorOne attribute from the dropdown to sync its value directly to the target application. Example: Map the Department attribute in ConductorOne to the department field in the target application.

CEL expressions

For more advanced scenarios, use CEL (Common Expression Language) expressions to transform or derive attribute values. Example: Combine first and last name into a display name 
user.first_name + " " + user.last_name
Example: Set a value based on a condition 
user.department == "Engineering" ? "tech@company.com" : "general@company.com"

User targeting

All users

Syncs attributes for all users in your ConductorOne tenant.

Specific users

Use a CEL expression to target specific users based on their attributes. Example: Target only active employees 
user.status == "active" && user.employment_type == "full_time"
Example: Target users in specific departments 
user.department in ["Engineering", "Product", "Design"]

Custom attributes

Some connectors support pushing to custom attributes that aren’t part of the standard user schema. When configuring a push rule for these connectors, you can specify custom attribute names. Check the connector’s documentation to see if custom attributes are supported.