---
title: Creating an outbound rule
description: Create a rule to define which users are provisioned and how attributes are mapped between PingOne and the external identity store.
component: pingone
page_id: pingone:integrations:p1_create_provisioning_rule_outbound
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_provisioning_rule_outbound.html
revdate: June 4, 2025
page_aliases: ["p1_add_attribute_mapping_idp.adoc", "p1_add_provisioning_filter.adoc"]
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result
  p1_example_user_filters: Example user filters
  example-1: Example 1
  example-2: Example 2
  example-3: Example 3
  example-4: Example 4
---

# Creating an outbound rule

Create an outbound rule to define which users are provisioned and how attributes are mapped between PingOne and the external identity store.

If you are creating an outbound rule for a connection through an LDAP gateway, refer to [Creating an outbound rule for a connection through an LDAP gateway](p1_create_outbound_provisioning_rule_gateway.html).

## Before you begin

Make sure you've created a connection.

|   |                                                                                                                                                                                                                                                                               |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Not all provisioning connection types support this provisioning. Learn more in [Provisioning](p1_provisioning.html).You can add a disabled connection to a source or target of a rule, but it must be enabled. Learn more in [Connections](p1_connections_provisioning.html). |

## Steps

1. In the PingOne admin console, go to **Integrations > Provisioning**.

2. Click **[icon: plus, set=fa]**and then click **New Rule**.

3. For **Sync Direction**, select **PingOne as Source**.

4. For **Available Connections**, click **[icon: plus, set=fa]**next to the appropriate connection to set it as the target and then click **Continue**.

5. In the **Rule Details** panel, enter a **Name** and **Description** for the rule and then click **Next**.

6. In the **Directory Configuration** panel:

   * For **User Filter**, click **Add Condition** and define which users to include in provisioning based on population or user attributes. Learn more in [Example user filters](#p1_example_user_filters).

     * Enter the first condition:

       * Select **All** or **Any** to determine how the linked conditions will be evaluated: Boolean logical AND or OR.

       * **Attribute**: The user attribute on which to filter.

       * **Operator**: Supports operators `sw` (starts with), `ew` (ends with), `co` (contains), and `eq` (equals). You can find a full list of operators and supported attributes in [SCIM operators](https://developer.pingidentity.com/pingone-api/platform/users/users-1.html#users-scim-operators) in the PingOne API documentation.

       * **Value**: Enter the appropriate value.

         |   |                                                                                                                                                                                                                                                      |
         | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
         |   | If you select a group in the filter, updating or deleting the group can cause the provisioning rule to resync. The filter will also include all users with any kind of membership in the group. Learn more in [Groups](../directory/p1_groups.html). |

     * (Optional) Click **Add [icon: plus, set=fa]**to add another condition or condition set.

     * To delete a condition, click the **Delete** icon ([icon: trash, set=fa]).

   * For **Groups**, click **Add Groups** to select an existing group in outbound sync.

     * To search groups, enter a group name in the **Search Group Name** field.

     * To add groups, select a group in **All Groups**.

     * To remove a group, clear the checkbox for the group in **All Groups.**

     * To view provisioned groups, click **Selected Groups**.

     * To accept a merge or overwrite memberships when a group with the same name exists on the target, select the checkbox next to **I understand and want to continue** in the modal.

       |   |                                                                                                                                                                                                                                                                                                                                      |
       | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
       |   | Merging or overwriting memberships applies only to SCIM, Slack, and GitHub EMU provisioning connections. Learn more in [Creating a Slack connection](p1_creating_slack_connection.html), [Creating a SCIM connection](p1_create_scim_connection.html), and [Creating a GitHub EMU connection](p1_create_github_emu_connection.html). |

7. Click **Next**.

8. In the **Attribute Mapping** panel, map attributes between the source and PingOne to ensure users are provisioned correctly.

   |   |                                                                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | The default attributes are based on the directory type of the gateway used. For outbound provisioning, the `RDN` attribute defaults to `cn` for Active Directory. |

   * To add an attribute mapping, click **[icon: plus, set=fa]Add** and enter the source and target attributes.

   * To use the expression builder, click the **Gear** icon ([icon: gear, set=fa]). Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

     You can also use **Expression** list values in the expression builder to create advanced expressions, such as conditional statements. Some attributes have metadata that define potential values.

     For example, for Salesforce attribute mapping, you can see a list of values from Salesforce in the form of an **Expression** list. In the expression builder, enter a single quote to see potential values.

     You can use a switch statement or an if-else statement to evaluate an expression based on a pattern match.

     For example, to match an `accountId` attribute, enter the following in the expression builder:

     ```
     #core.switchExpr(#root.accountId, '0000EXAMPLEID', 'Valid' , 'Invalid')
     ```

     For a switch statement with multiple cases and a match, enter the following in the expression builder:

     ```
     #core.switchExpr(#root.accountId, '0000EXAMPLEID1', 'Full Access', '0000EXAMPLEID2', 'Restricted Access' , '0000EXAMPLEID3', 'Read-only Access', 'No Access')
     ```

     |   |                                                                            |
     | - | -------------------------------------------------------------------------- |
     |   | The email attribute mapping is checked by default and included in updates. |

   * To delete a mapping, click [icon: trash, set=fa].

9. Click **Save**.

10. To enable the rule, click the toggle at the top of the details panel to the right (blue).

    |   |                                                                     |
    | - | ------------------------------------------------------------------- |
    |   | You can disable the rule by clicking the toggle to the left (gray). |

## Result

The **Sync Status** appears and the rule is listed under **Rules**. Learn more in [Sync status](p1_provisioning_sync_status.html).

## Example user filters

This section shows some example user filters to define users for provisioning.

### Example 1

A filter that includes users from the USA and Canada. Include users that match the following:

Country Code Equals **US**

OR

Country Code Equals **CA**

![A screen capture of a user filter that matches users from the US and Canada](_images/eif1676044320679.png)

### Example 2

A filter that includes users from the following populations:

Population Name Equals **Marketing**

OR

Population Name Equals **HR**

![A screen capture of a user filter that matches users from the Marketing and HR populations](_images/cbk1676044354415.png)

### Example 3

A filter that includes enabled users from the following populations:

Population Name Equals **Marketing**

OR

Population Name Equals **HR**

AND

Enabled Equals **true**

![A screen capture of a user filter that matches enabled users from the Marketing and HR populations](_images/xxn1676044395316.png)

### Example 4

A filter that includes users from the Engineering and Marketing groups. Include users that match the following:

Group Names Contains **Engineering**

OR

Group Names Contains **Marketing**

![A screen capture of a user filter that matches users from the Engineering and Marketing groups](_images/fdg1676044441287.png)