When you add an attribute mapping rule there is also an option to add an attribute transform rule.
This is for the situation where the value you need for an attribute is not available from your system, but you can infer it from other values that are - e.g. you have attributes that identify the department and job role of a user, but need a value that tells you the country they're based in.
You set up attribute transform rules in a similar way to how you map permission sets:
You can have multiple transform rules with the same target name so that different rules can supply different values.
If more than one rule with the same target name matches, then the attribute will have more than one value. All values are passed if that attribute is released, and all values are used by statistics if it is reportable. Unfortunately the interface cannot display muliti-valued attributes at the moment.
If a rule is using 'any' condition, or conditions are based on any multi-valued attributes such as memberOf, then your rule can match on any of the multiple values that it sees. Negative matches such as 'does not contain' are best avoided in those cases as they can be very difficult to diagnose if they don't work as expected.
An organisation has offices in 20 cities around the world. The directory they have connected to OpenAthens can pass the name of the office, but not the country. All users have access to the same set of resources and are not separated by sub-organistaion or permission set.
Management want statistics reports by country.
Because we want to use this in reports, we first must set up an attribute in the schema editor. This example will assume one has been set up with a target name of
Next we add some transform rules along the lines of: when any of these match (office contains Edinburgh, office contains Bristol) output value is 'UK':
Save and repeat for each country