Identity Mapper Sets connect logical Identity Attributes and act as a physical multi-source mapping profile for an Identity Template. Each set defines the Sources and Attributes to create a Mapper Set. It specifies where each Attribute comes from and how values are matched and translated, allowing the same logical model to support different data sources across Scopes.
Mapper Sets are managed in the Identity Workspace Settings. They preserve the logical structure while defining how underlying data is resolved, giving customers flexibility across contexts without duplicating templates.
When creating a new Mapper Set, the JSON Path parameter can be used to define the path from which the Platform can extract Identity Attribute values from the Authorization JWT. For more information, see Authorization APIs.
Prerequisites
Ensure that you have Identity Attributes and Sources set up.
Refer to Managing Identity Attributes and Managing Identity Sources for more information.
Managing Identity Mapper Sets
The following sections describe how to create, edit, link, and manage Mapper Sets. Actionable processes are written as step-by-step sequences.
Creating a New Mapper Set
To create a new Mapper Set within an Identity Workspace:
- Hover over an Identity Workspace.
- Click the Settings icon.
- In Identity Workspace Settings, click Mapper Sets.
- Select New Mapper Set.
- Enter a Display Name.
- Enter a Mapper Set ID, or leave it blank to auto-generate an ID based on the Display Name.
- Add a Description (optional).
- Click Create.
After you create the Mapper Set, a new section appears allowing you to link data sources. A default PDP Request source is linked automatically and includes the PDP request-level mappings.
Adding a Source to a Mapper Set
Each Mapper Set can include multiple sources depending on your data architecture.
To add a source to a Mapper Set:
- Select a Mapper Set from the Mapper Set list. If you do not have one yet, refer to Creating a New Mapper Set.
- In the Mapper Set, scroll to Link Sources.
- Click Add Source.
- Choose an existing Source from the list.
- When linking Sources, input the Origin and Target fields to configure correlation rules and mapping definitions based on the Sources:
  - External Sources (used as Main, Aux or Context): Ensure that you input valid JSONPath syntax in the Origin and Target fields. See Understanding Source Uses for more information.
    Note: External Output and Calculated Sources are used as Aux by default.
  - Calculated Sources: Define the calculation function.
    - Use valid syntax: a capitalized function name, arguments in parentheses, and Attribute references enclosed in double curly braces, for example {{attributeID}}. Refer to Working with Calculated Attributes for a syntax guide.
  - PDP Request: Property name.
  - Request Mappers: JSONPath.
    The PDP Request and Request Mappers are part of base evaluations, and are always prioritized in evaluation.
  - External Output: This Source is generated in Orchestration and can only be viewed.
- Save the Source block.
The Mapper Set now uses this Source as part of its Mapping process.
Editing a Source Within a Mapper Set
To edit a Source Mapping:
- In the Mapper Set page, select a Mapper Set.
- Click Edit next to the relevant Source Mapping.
- Modify or delete correlation rules, mapping definitions, or origin properties when applicable.
- Save your changes.
Note: In the PDP Request, you can edit Property Name, but not the UserID.
Removing a Source from a Mapper Set
To remove a source:
- In the Mapper Set page, select a Mapper Set.
- Click the Delete icon next to the relevant Source Mapping.
- Confirm the removal.
Removing a source deletes all associated mappings within that Mapper Set. System-required sources such as PDP Request cannot be removed.
Understanding Source Uses
When creating a Source from which Identity data is taken, you have the option of selecting from the following:
- Base
- Main
- Aux
- Context
About Base Sources
A Base Source represents Identity Attributes that are derived directly from the request Sources rather than from an external identity store. These Attributes originate from JWT claims, HTTP headers, or PDP request parameters, and define the property name sent to the PDP or its corresponding JSONPath. The PDP extracts these values and makes them available for policy evaluation.
Attributes resolved from a Base Source take precedence during PDP calculation. If the same Attribute is also retrieved from a Main or AUX Source, the value provided by the request overrides the external value for that specific authorization decision. This allows request-level claims or dynamic session data to supplement or override persisted identity information when required.
About Main Sources
The Main Source (or Main Store) is the primary Source from which the Authorization Platform retrieves Identity information. The Main Source is usually defined at setup time, although it can be changed later. The Main Source type can only be External.
There can only be one Main Source in a Template. Once this option has been assigned to a Source, it is disabled for any additional Sources you configure.
About AUX Sources
In addition to the Main Source, you can also configure an Auxiliary Source (AUX). While the Main Source is assumed to contain the main Attributes (for example, UserID, First Name, Last Name, Title, and Department), the AUX Source may contain other relevant information required for the organization's policies.
When configuring the AUX Source, you must set the Correlation Attribute. This is the Attribute used to correlate records from AUX to Main, or from AUX to AUX/Context (for example, if both have the same UserID, it is assumed that the two references point to the same user).
Consider a case in which an Access Policy is based on whether the employee is working remotely or from the office. The Policy determines that employees working in the QA Department only have access to the QA server when they are physically located in the corporate headquarters. When a user attempts to log into the QA server, using the UserID as the Correlation Attribute, the Authorization Platform checks the Main Identity Store to determine if the user works in QA and the AUX store to determine whether they are logging in from the office.
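The Base Source precedence and AUX correlation described above, modelled as an added example (not the Platform's code or API) that also records every case where a request-level value replaced a stored one. The store contents, the `uid` correlation key, the claim paths and the `HQ` value are constructed assumptions, and the claims are assumed to come from an already-verified JWT.

```python
# Added illustration: a simplified model of Base > Main/AUX precedence.
# All names, stores and mappings are constructed, not the Platform's API.

def json_path(doc, path):
    """Resolve a dotted JSONPath subset ('$.a.b'); return None if absent."""
    if path.startswith("$."):
        path = path[2:]
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

# Constructed sample data.
MAIN = {"u100": {"UserID": "u100", "Department": "QA", "Title": "Engineer"}}
AUX = [{"uid": "u100", "Location": "Remote"}]   # AUX uid correlates to Main UserID
BASE_MAPPINGS = {                               # Attribute -> JSONPath in JWT claims
    "Location": "$.session.location",
    "Department": "$.dept",
}

def resolve(user_id, claims):
    """Return (attributes, overrides): Main, then AUX by correlation, Base on top."""
    attrs = dict(MAIN.get(user_id, {}))
    for row in AUX:
        if row["uid"] == attrs.get("UserID"):   # Correlation Attribute match
            attrs.update({k: v for k, v in row.items() if k != "uid"})
    overrides = {}
    for attr, path in BASE_MAPPINGS.items():
        value = json_path(claims, path)
        if value is None:
            continue                            # claim absent: stored value stands
        if attr in attrs and attrs[attr] != value:
            overrides[attr] = (attrs[attr], value)  # (stored, request) for audit
        attrs[attr] = value                     # request-level value wins
    return attrs, overrides

def qa_server_allowed(attrs):
    """The example Policy above: QA staff, only from corporate headquarters."""
    return attrs.get("Department") == "QA" and attrs.get("Location") == "HQ"
```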
About Context Sources
In some cases, certain Identity Attributes may have different values (for the same Identity) depending on the context in which the access request is being made. Context Sources enable the Authorization Platform to evaluate the value of the Attribute based on the context.
For example, you may want to provide access for certain users with Employee rights in one Environment, but Manager rights in another. You can set up a Context Source for the Attribute User_Role that will return a value of Employee or Manager depending on the Environment from which the Request was made.
Managing Multiple Mapper Sets
An Identity Template may include multiple Mapper Sets. You can switch between Mapper Sets from the list on the left side of the Mapper Sets screen. Selecting one displays its mappings, sources, and configuration.
Mapper Sets not assigned to a Scope may be marked as incomplete. They can still be configured, but they cannot be used for enforcement until assigned.
Deleting a Mapper Set
To delete a Mapper Set:
- Hover over the Mapper Set in the list.
- Select the Delete icon.
- Confirm the deletion.
A template must retain at least one Mapper Set. The UI prevents deleting the final remaining one.
Using Mapper Sets with Scopes
A Mapper Set becomes active only when associated with a Scope. This association determines which Mapper Set is used for Attribute resolution when a Policy is evaluated in that Scope.
To assign a Mapper Set to a Scope:
- In Environment Settings, click Scopes. If you do not have a Scope set, refer to Managing Scopes.
- Scroll to Identity Template Usage.
- If editing an existing Scope, click Edit before continuing.
- Select the relevant Identity Mapper Set association from the dropdown.
- Save the Scope settings.
Only one Mapper Set may be assigned per Identity Template in a given Scope. During enforcement, the system uses this association to resolve Attributes in real time.
Using Mapper Sets with Orchestration
Identity Mapper Sets can also be used with Authorizers in the Orchestration Workspace. Refer to About the Discovery Process and Object Side Panel for more information.
Identity Mapper Sets unify logical identity structures with real-world data. By centralizing mapping behavior, supporting multiple contextual configurations, and simplifying source management, Mapper Sets deliver consistency and clarity throughout the Identity definition process.