diff --git a/product/admin/push-rules.mdx b/product/admin/push-rules.mdx new file mode 100644 index 0000000..1eb2cbf --- /dev/null +++ b/product/admin/push-rules.mdx @@ -0,0 +1,83 @@ +--- +title: Push rules +og:title: Push rules - ConductorOne docs +og:description: Automatically sync user attributes from ConductorOne to connected systems. +description: Automatically sync user attributes from ConductorOne to connected systems. +sidebarTitle: Push rules +--- +{/* Editor Refresh: 2026-01-29 */} + +# Push rules + +Push rules automatically sync user attributes from ConductorOne to your connected systems, keeping user information consistent across all your apps. + +With push rules, you can control which attributes to sync and how values map to each connector. You can pull values directly from directory attributes or write custom expressions to transform data before syncing. + +## Supported connectors + +Push rules are currently available for: + +- Active Directory +- Microsoft Entra + +Each connector reports its own supported schema and whether it supports custom attributes. + +## Create a push rule + +You can create one push rule per connector to avoid conflicts. + +1. [Navigation path to be added] +2. Select the connector you want to configure +3. [Additional steps to be added] + +After you create a rule, you'll need to save and enable it before it takes effect. + +## Map attributes + +For each supported attribute (like email or name), you can configure values in two ways: + +**Pull from directory attributes** - Map directly from existing user attributes in your directory. + +**Use CEL expressions** - Write Common Expression Language expressions with access to: +- `subject` - The ConductorOne user +- `app_user` - The app user object + +CEL expressions let you map different values for different app users. For example, you could map different email formats for regular accounts versus privileged accounts. + +### Add custom attributes + +Some connectors support custom attributes beyond the standard schema. [Details on which connectors support this to be added] + +## Filter users + +You can configure filters to control which users receive attribute pushes. [Configuration details to be added] + + +Push rules rely on profile type mappings. Users must have the required attributes granted by their profile type for the rule to apply. + + +## How push rules work + +### When attributes sync + +Attribute pushes trigger automatically when: + +- You enable a push rule (syncs to all applicable users) +- A user's attributes change (like a name update) +- You modify a rule's configuration (syncs to all applicable users) + +Push rules don't currently detect when attributes change directly in the downstream system. Manual changes in connected systems won't be overwritten automatically. + +## Use cases + +### Update individual user attributes + +When a single user's attribute changes (for example, a name change), the push rule automatically updates that user's attributes in the connected system. + +### Bulk attribute updates + +When you need to update many users at once (like changing email addresses after a company acquisition), modifying the push rule triggers updates for all applicable users. + +### Manage service users + +[Use case details to be added] \ No newline at end of file