Write conditional policy rules
Need an introduction to conditional policies? Go to Add conditional policy rules in the Create policies documentation.
You can add condition expressions to two places in your policy:
Policy condition expressions determine what action the policy will take. They must return a Boolean.
Reviewer condition expressions determine who will review a task. They must return a list of users.
Pre-built policy condition expressions
To get you started, here are some basic conditional policy use cases and their corresponding condition expressions. You can use these expressions as-is, or adapt them to suit your organization’s needs.
Pre-approve access based on group membership
Use case
If a user has an active account in Okta, and they currently have the Admin role in Jira, they can be automatically approved for the Admin role in Confluence.
Condition expression
c1.user.v1.HasApp(subject, "<APP ID>") &&
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<ENTITLEMENT ID>")
Go to an application or entitlement’s details page to look up its ID, or use Cone.
Pre-approve access for employees who are currently on call
Use case
If a user is currently in a PagerDuty on-call rotation, they can be automatically approved for AWS S3 read access.
Condition expression
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<SCHEDULE 1 ENTITLEMENT ID") ||
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<SCHEDULE 2 ENTITLEMENT ID")
Auto-certify low-risk access
Use case
If a user has an active account in Google Workspace, and they are in the Engineering department, their GitHub access is automatically certified.
Condition expression
c1.user.v1.HasApp(subject, "<APP ID>") &&
subject.department == "<DEPARTMENT>"
Custom review flow for contractors
Use case
ccess reviews for contractors (whose email addresses all end in @contract.company.com) are automatically assigned to their current manager, while all full-time employees (whose email addresses all end in @company.com) complete a self-evaluation.
Condition expression
!subject.email.endsWith("@company.com")
Forming condition expressions using CEL
ConductorOne’s conditional policies use the Common Expression Language (CEL) built by Google. As you work with CEL, you might find these references useful:
A basic CEL expression is made up of conditions and function calls, with references to global variables.
Functions
These library functions let you interact with the ConductorOne system to look up whether a user has access to a certain application or entitlement, or to find the user or list of users who should review a task.
| Function | Accepts | Returns |
|---|---|---|
| c1.user.v1.HasApp | user, app ID | Boolean |
| c1.user.v1.HasEntitlement | user, app ID, and entitlement ID | Boolean |
| c1.directory.users.v1.FindByEmail | user | |
| c1.directory.users.v1.GetByID | user ID | user |
| c1.directory.users.v1.GetManagers | user | users |
| c1.directory.groups.v1.FindByName | group name | group |
Objects
When writing a condition expression or an approval step expression, you have the “subject” variable (which refers to the ConductorOne user) in scope.
See the Condition expression examples section for examples of these objects in use in condition expressions.
| Property | Data type | Notes |
|---|---|---|
| subject.id | string | |
| subject.department | string | |
| subject.job_title | string | |
| subject.profile | map[string]interface{} | Profile attributes can have any type, but are usually strings. |
| subject.email | string | |
| subject.email.startsWith | string | |
| subject.email.endsWith | string | |
| subject.status | enum | One of USER_STATUS_ENABLED, USER_STATUS_DISABLED, USER_STATUS_DELETED |
| subject.type | enum | One of USER_STATUS_SYSTEM, USER_STATUS_HUMAN, USER_STATUS_SERVICE |
| subject.directory_status | enum | One of USER_STATUS_ENABLED, USER_STATUS_DISABLED, USER_STATUS_DELETED |
| subject.employment_type | string | |
| subject.employment_status | string | |
| subject.manager | string | |
| subject.profile.< CUSTOM USER ATTRIBUTE > | varies | See explanation below. |
Use custom user attributes. You can write conditional expressions that leverage the custom user attributes you’ve set up in ConductorOne. Any custom user attribute can be passed in to the
subject.profile.<CUSTOM USER ATTRIBUTE>property and used in your conditional expressions.
Operators
CEL supports common Boolean operators, like !, <, >, <=, >=, ||, &&, ==, !=, and in. All operators work as they do in C, and in functions as a “list contains” operator.
CEL allows for basic arithmetic operations, with +, -, *, and \ for adding, subtracting, multiplying, and dividing.
CEL also supports ternary operators, similar to C or JavaScript. These are formed as “If this ? then check this : otherwise check this”.
Policy condition expression examples
These expressions each return a Boolean.
Check that the subject’s email is “cheddar.crackers@company.com”:
subject.email == "cheddar.crackers@company.com"
Check that the user’s email address starts with “engineering”:
subject.email.startsWith("engineering")
Check that the user’s email address ends with “@company.com”:
subject.email.endsWith("@company.com")
Check that the user’s email address doesn’t end with “@company.com”:
!subject.email.endsWith("@company.com")
Check that the subject’s favorite food is macaroni:
subject.profile.favorite_food == "macaroni"
Check that the subject’s favorite foods include sushi:
"Sushi" in subject.profile.favorite_foods
Check if the user is enabled in the directory:
subject.directory_status == USER_STATUS_ENABLED
Check that the user status is enabled and the department is IT:
subject.status == USER_STATUS_ENABLED && subject.department == "IT"
Check that the user’s status is disabled or suspended, and their department is “ENG”:
(subject.status == USER_STATUS_DISABLED || subject.status == USER_STATUS_SUSPENDED)
&& subject.department == "ENG"
Check that the user has access to the app with that ID:
c1.user.v1.HasApp(subject, "2SWtmlkdW0dtROVwIN0zYthXIud") <APP ID>
Check that the user doesn’t have that app, and their department is engineering:
!c1.user.v1.HasApp(subject, "2SWtmlkdW0dtROVwIN0zYthXIud")
&& subject.department == "Engineering"
Check if the subject’s employment type is full time:
subject.employment_type == "Full Time"
Check that the user has the entitlement in that app:
c1.user.v1.HasEntitlement(subject, "2SWtmlkdW0dtROVwIN0zYthXIud",
"2SWtwwe5n7AOXhRBRNK1fUakc4F")
If the subject has the director profile attribute, check that the director is Holly. Otherwise, check that their manager is Ivy:
has(subject.profile.director) ? subject.profile.director ==
"holly.berry@company.com" : subject.profile.manager == "ivy.vine@company.com"
If the subject’s employee status is ENABLED, check that their department is Engineering, otherwise check that their last date active was April 1, 2024:
subject.employee_status == EMPLOYEE_STATUS_ENABLED ? subject.profile.department ==
"Engineering" : subject.profile.last_date_active == "04/1/2024"
Reviewer condition expression examples
These expressions each return a specific user.
Return the subject user’s director:
c1.directory.users.v1.FindByEmail(subject.profile.director)
Return the subject user’s manager:
c1.directory.users.v1.FindByEmail(subject.profile.manager)
Return the subject outright, meaning they’ll have to self approve:
subject
If the subject is in the IT department, return themselves, otherwise return their manager:
subject.profile.department == "IT" ? subject : c1.directory.users.v1.FindByEmail(subject.profile.manager)
If the user has the prop_that_only_exists_sometimes, check its value. If the value matches, find the user by email. If it doesn’t match, find a user by ID. If the user doesn’t have that prop, return a separate user:
has(subject.profile.prop_that_only_exists_sometimes) ? subject.profile.prop_that_only_exists_sometimes == "Value That Happens" ? c1.directory.users.v1.FindByEmail("some.email@insulator.one") : c1.directory.users.v1.GetByID("012345678901234567890123456") : c1.directory.users.v1.GetByID("999999999977777777773333333")