Skip to main content

HelloID

Target mappings
2023-12-07_12-13-50.jpg

Mappings in Active Directory target systems connect fields in your persons to fields in target user accounts, such as the sAMAccountName, userPrincipalName, and cn. Target mappings are applied during enforcement.

To get started, Map fields.

Table 1. Fields tab

#

Name

Description

1

Search Fields

Filter the grid based on mapping Names.

2

Filter

Filter the grid based on account lifecycle stage and/or status of Use In Notifications and Store In Account Data toggles.

3

Refresh

Refresh the grid.

4

Import mapping

Import previous saved mapping

5

Export mapping

Export mapping to import it at another target system like Active Directory or PowershellV2 for ease of setup

6

Delete All

Delete all mapped fields (WARNING: use with extreme caution). After deleting all fields, click Default Fields to restore default mappings.

7

Add Field

Add a new mapped field.

8

Preview

Update the Preview Value column, using the currently selected person and lifecycle stage. (Before previewing, you must select a person in Settings.)

9

Settings

Select a person and lifecycle stage to preview mappings for (after selecting these, click the Preview button).

10

Name column

The name of the mapped field.

11

Configured Actions column

The lifecycle stages that the mapping is active for:

Mappings configured for the Delete (account-delete.png Account Revoke) stage are only written into the target system if the Delete The Account When Revoking The Entitlement toggle is disabled.

12

Options column

  • 2023-11-07_14-46-21_-_Copy.png: Use In Notifications toggle is enabled.

  • 2023-11-07_14-46-21.png: Store In Account Data toggle is enabled.

13

Preview Value column

The current value of the mapped field.

14

Edit

Edit the mapped field (see "Individual mappings", below).

15

Number of fields

The total number of mapped fields.



2023-12-07_12-56-08.jpg
Table 2. Individual mappings

#

Name

Description

1

Delete

Delete this mapped field.

2

Close

Stop editing this mapped field and return to the grid. Any changes you made are automatically saved.

3

Name

The name of this mapped field.

4

Type

The type of this mapped field:

  • Text: A string.

  • Array: An array of strings.

5

Description

An optional description of this mapped field, for internal (admin) reference only.

6

Add

Add a new configuration to this mapped field. Configurations let you vary a field's mapping depending on the account lifecycle stage (using the Actions checkboxes).

7

Actions

Specify which account lifecycle stage(s) the current configuration should be active for. Each stage can only be used in a single configuration.

8

Delete

Delete this configuration.

9

Use In Notifications

Make this mapped field available to use as a condition in Notifications (including conditional notifications).

10

Store In Account Data

See Share account fields between target systems.

11

Mapping type

  • None: A target account field that has no mapping, because you plan to set the value in an account script. Sometimes needed in conditional notifications.

  • Fixed: A constant string value (specified by you). All accounts in this target system will receive the same fixed value for this field.

  • Field: A direct mapping of a field from the Person schema, without any further transformations applied.

  • Complex: A string built in JavaScript. See Complex mappings.

12

Person field

The field from the Person schema that will be used as the basis for this mapped field.



Field types

Each mapped field must be one of the following Types:

  • Text (string)

  • Array (array of strings) — only compatible with Complex mappings). The maximum size of an array is approximately 25,000 characters total. Array-type fields are not currently supported in conditional notifications. Array-type fields become ArrayLists in PowerShell, which means you can't use the Add method. Instead, use the += operator to add items to an array. For example: $Account.ProxyAddresses += "test".

Field names cannot begin with a number. All field names are case-insensitive. Any non-string data assigned to a field will be converted into a string. There is no limit to the number of fields you can create.

Note

You can make any field a property of an object instead of a standalone string or array, by using a dot in its Name (.). For example, Department.Code. Then, in your PowerShell scripts, Code will be a property of a PSObject named Department.

Limitations include:

  • An object cannot have the same name as a standalone field

  • Nested objects are not supported

  • Arrays of objects are not supported

Notes
  • Fields are not automatically validated against AD. You need to make sure your AD account schema contains all the fields you're attempting to map. Fields are case-sensitive.

  • Required fields are marked with [Required] in their Description. If you remove required fields, enforcement will fail with an error message.

    2023-12-07_13-36-27.jpg
  • There are several special fields, such as changePasswordOnNextLogon, passwordNeverExpires, and userCannotChangePassword, which aren't attributes in the AD account schema, but rather password options. If you attempt to map mutually incompatible settings for these options, AD will revert to the default handling of those options. Do not change the names of these mappings.