Skip to main content

What are CEL expressions and why use them?

CEL (Common Expression Language) expressions are powerful, flexible rules that let you automate decision-making across ConductorOne. Instead of manually configuring each policy, group, or automation, you can write expressions that automatically adapt to your organization’s unique needs.

Why use CEL expressions?

Automate complex logic: Create sophisticated rules that would be impossible with simple dropdowns or checkboxes. Scale with your organization: As your company grows, expressions automatically adapt to new users, departments, and access patterns. Reduce manual work: Eliminate the need to manually update policies when organizational changes occur. Enforce consistent policies: Ensure the same logic is applied across all access decisions, reducing human error. Integrate with your data: Leverage user attributes, directory information, and access patterns to make intelligent decisions.

Where CEL expressions are used in ConductorOne

Policies - Automate access decisions

CEL expressions power two critical parts of policies:
A policy's details view, showing the policy conditionals and expressions.
Policy conditionals determine what action a policy will take (approve, deny, or route for review). These expressions must return a Boolean value. Example: Automatically approve access for employees in the Engineering department, but require manager approval for contractors. Policy expressions determine who will be assigned to review a task. These expressions must return a list of users. Example: Route access requests from contractors to their manager, while employees can self-approve certain low-risk access.

Groups - Create dynamic user collections

Use CEL expressions to define membership for ConductorOne groups:
A group's details view, showing the group expressions.
Group expressions automatically determine group membership based on user attributes and conditions. These expressions must return a list of users. Example: Create a group that automatically includes all Engineering employees who are full-time and active.

Automations - Trigger intelligent workflows

Fine-tune automations with CEL expressions to control when and how they run: Automation triggers determine when an automation should start based on user changes, access events, or other conditions. Automation steps can include conditional logic to skip steps or modify behavior based on user data. Example: Automatically revoke access for users who haven’t logged in for 45 days, but only for non-critical applications.

Campaigns - Precisely target access reviews

Use CEL expressions in access review campaigns to precisely define which users, accounts, or access grants should be reviewed: User selection expressions define which users should be included in the campaign. Account parameters expressions filter which app accounts should be reviewed. Example: Review access for all contractors in the Engineering department who have been granted access to production systems.

Account provisioning - Map user data intelligently

When configuring account provisioning, CEL expressions transform your user data to match the requirements of target applications: Example: Map a user’s full name from your directory to the first name and last name fields required by a target application.

Ready to start writing CEL expressions?