Identity Mesh Logo Identity Mesh
Documentation Policy Rules

Policy Rules

Identity Mesh uses four rule types to control how identity data is correlated, imported, enriched, and exported across your connected systems.

Policy Rules

The Four Rule Types

Each rule type handles a distinct phase of the identity synchronization pipeline. Together they define how objects are matched, how attributes flow in, how the mesh is enriched, and what gets exported.

Join Rules

Anchor-based identity correlation. Match imported connector-space objects to existing mesh objects using attribute comparison.

Flow Rules (Inbound)

Map attributes from management space into mesh objects. Each rule carries a confidence score and an optional transform script.

Projection Rules (Outbound)

Control which mesh objects are exported to target connectors. Filter by attributes, specify the object type and target container.

MeshComposer Rules

Enrich mesh objects with computed values using transform scripts. Generate derived attributes like usernames or display names during composition.

Join Rules

Join rules define how imported objects from a connector are correlated to existing mesh objects. When a connector imports an object, the engine evaluates join rules to find a matching mesh object. If no match is found, a new mesh object is created.

Fields

Connector
The source connector this rule applies to
SourceAttribute
The attribute on the imported connector-space object
TargetAttribute
The attribute on the mesh object to match against
JoinType
The comparison method (ExactMatch)

Example

Join Rule: "Match AD Users by Employee ID"
  Connector:        Corporate AD
  SourceAttribute:  employeeID
  TargetAttribute:  EmployeeId
  JoinType:         ExactMatch

  // When an imported AD user has employeeID = "12345",
  // it joins to the mesh object whose EmployeeId = "12345".
  // If no match is found, a new mesh object is created.

Flow Rules (Inbound)

Flow rules map attributes from connector-space objects into mesh objects during inbound synchronization. Each rule specifies which source attribute feeds which target attribute, along with a confidence score and an optional transform script.

Fields

Connector
The source connector this rule applies to
Direction
Inbound (connector to mesh)
SourceAttribute
The attribute to read from the connector-space object
TargetAttribute
The attribute to write on the mesh object
Confidence
Score from 0 to 100 for conflict resolution
TransformScript
Optional expression using built-in functions

Example

Flow Rule: "Import AD Display Name"
  Connector:        Corporate AD
  Direction:        Inbound
  SourceAttribute:  displayName
  TargetAttribute:  DisplayName
  Confidence:       80
  TransformScript:  Concat(Left(givenName, 1), ". ", sn)

  // Transforms "John Smith" into "J. Smith"
  // Confidence 80 means this value wins over any
  // source contributing the same attribute at lower confidence.

Projection Rules (Outbound)

Projection rules control which mesh objects are exported to target connectors. They define the object type, an optional filter expression, and the target container (such as an OU or database table) where objects are provisioned.

Fields

TargetConnector
The connector to export objects to
ObjectType
The type of object to project (e.g. User, Group)
Filter
Optional expression to limit which objects are projected
Container
The target OU, table, or container for provisioned objects

Example

Projection Rule: "Provision to HR Database"
  TargetConnector:  HR Database
  ObjectType:       User
  Filter:           department != "Contractors"
  Container:        dbo.Employees

  // Only non-contractor users are projected
  // to the HR Database connector's export queue.
  // Container specifies the target table or OU.

MeshComposer Rules

MeshComposer rules enrich mesh objects with computed values during composition. They run after inbound flow rules and allow you to derive new attributes from existing ones using transform scripts.

Fields

TargetAttribute
The mesh attribute to write the computed value to
TransformScript
Expression using built-in functions to compute the value
Confidence
Score from 0 to 100 for conflict resolution

Example

MeshComposer Rule: "Generate SamAccountName"
  TargetAttribute:  SamAccountName
  TransformScript:  ToLower(Concat(Left(FirstName, 1), LastName))
  Confidence:       90

  // Composes "jsmith" from FirstName="John", LastName="Smith"
  // Runs during mesh object composition, enriching
  // the mesh with computed values before export.

Built-in Functions

TransformScript expressions use a whitelisted set of built-in functions. No arbitrary code execution is allowed -- only these safe, deterministic functions are available.

String Functions

  • ToLower - Convert to lowercase
  • ToUpper - Convert to uppercase
  • Trim - Remove leading/trailing whitespace
  • Replace - Replace substring
  • Concat - Concatenate strings
  • Left - Extract N characters from start
  • Right - Extract N characters from end
  • Substring - Extract substring by position
  • Split - Split string by delimiter
  • Join - Join array with delimiter

Date & Utility Functions

  • Now - Current timestamp
  • Format - Format value to string
  • Coalesce - First non-null value

Logical Functions

  • If - Conditional value
  • Switch - Multi-branch selection

Conflict Resolution

When multiple connectors contribute values for the same attribute on a mesh object, Identity Mesh resolves the conflict using confidence-based scoring.

Confidence Score per Rule

Each flow rule and MeshComposer rule assigns a confidence score (0-100) to the attribute value it produces. This score represents how authoritative that source is for the given attribute.

Highest Confidence Wins

When multiple sources contribute a value for the same attribute, the value with the highest confidence score is written to the mesh object. This is evaluated per attribute, not per object.

Practical Example

If Active Directory provides DisplayName at confidence 80 and Workday provides it at confidence 95, the Workday value wins. If a MeshComposer rule generates it at confidence 60, it only takes effect when no higher-confidence source is available.

Per-Object Attribute Override Coming Soon

Override the confidence score for a specific attribute on an individual mesh object. This allows administrators to pin a particular value for edge cases without changing the global rule, giving fine-grained control when the default resolution doesn't fit a specific identity.

Best Practices

Start with join rules

Establish reliable identity correlation before defining flow or projection rules. Poor join logic leads to duplicate mesh objects and mismatched attributes.

Test with small datasets

Always test new rules with a small subset of data before enabling them for production.

Be intentional with confidence scores

Assign confidence scores that reflect the actual authority of each source. Your HR system should typically have the highest confidence for employee attributes, while computed values from MeshComposer rules should have lower scores as fallbacks.

Use descriptive rule names

Give your rules clear, descriptive names that explain their purpose. This helps future maintainers understand the synchronization logic at a glance.

Use projection filters to limit scope

Apply filters on projection rules to avoid exporting unnecessary objects. Only project what the target system actually needs.

Monitor sync results

Regularly review the audit log to catch join mismatches, transform errors, and unexpected attribute values early.

Next Steps

Connector Configuration

Learn how to configure connectors for your identity systems

Read guide →

Projection Pipeline

Understand the full sync pipeline from import to export

Read guide →

Need Help?

Schedule a call with our integration team

Contact us →