Identity is never one size fits all.
Every environment has edge cases. Every organization has unique governance logic. And no matter how flexible an identity platform is, there will always be scenarios where configuration alone is not enough.
Today we’re introducing Functions, a new extensibility capability in ConductorOne that allows teams to write, manage, and run custom code directly inside the platform.
Functions gives security engineers and IT teams the flexibility to implement sophisticated identity workflows tailored to their business, without relying on fragile external scripts or limited configuration logic.
When configuration isn’t enough
Modern identity governance requires automation that reflects real-world complexity. Mapping identities across systems, enforcing cost controls, integrating with custom tooling, or applying nuanced policy logic often goes beyond what UI-based configuration or simple expressions can support.
Until now, teams could enhance configuration options in ConductorOne using CEL expressions or external webhooks and scripts. Those approaches worked, but came with tradeoffs:
- CEL struggles with complex mapping and advanced logic.
- External scripts live outside the governance layer, making them harder to audit, troubleshoot, and maintain.
- Debugging identity workflows across multiple systems slows teams down.
Functions brings code-based customization into ConductorOne itself, where it can be tested, securely executed, and fully observed.
Custom code, securely executed inside your identity platform
Functions allows customers to inject TypeScript code at key points across the platform to extend identity workflows exactly where needed.
Coming down the line, you’ll be able to can build logic that runs during:
- Automations and workflow steps
- Policy execution
- Sync ingestion and data processing
- Provisioning flows
- Event-driven triggers responding to sensitive changes
Instead of stitching together external services, Functions runs directly within ConductorOne’s secure runtime environment. That means built-in execution logging, versioning, secrets management, and error tracking from day one.
For teams that want flexibility without sacrificing governance, this changes what’s possible.
Built for engineers who need precision and control
Functions is designed with developer workflows in mind.
Security engineers can scaffold, develop, test, and deploy custom code in ConductorOne. Functions have direct access to the C1 API and SDK, allowing teams to query users, entitlements, grants, and identity data in real time.
That opens the door to powerful new use cases, such as:
- Generating unique usernames and emails during onboarding workflows
- Labeling accounts as service identities based on custom naming logic
- Creating groups directly in Okta through API calls
- Mapping identities to accounts using advanced matching logic
- Preventing provisioning of cloud resources when project costs exceed thresholds
- Triggering external actions or sending custom third-party notifications
Teams can now fully shape the platform around their workflows.
Extensibility without sacrificing governance
One of the biggest challenges with customization in identity governance has always been safety.
Functions solves this by keeping execution inside the ConductorOne platform:
- Code runs in a secure TypeScript runtime
- Every execution is logged and auditable
- Secrets are managed safely
- Versioning ensures changes are trackable and reversible
This means teams get the power of custom development without losing visibility, control, or auditability.
Build Functions faster with the Functions Author Agent
To help teams move from idea to implementation faster, Functions includes a Functions Author Agent that assists with writing and testing custom code.
The Author Agent can help generate Functions, translate existing non TypeScript code into supported formats, and accelerate development for teams who want to extend identity governance without starting from scratch. Whether you prefer not to write TypeScript or want to quickly adapt existing logic into the platform, the agent helps reduce friction and speed up time to value.
The next step in ConductorOne’s extensibility story
ConductorOne was built on the idea that identity environments are inherently diverse. No two organizations share the same policies, architecture, or operational constraints.
Functions is a natural evolution of that philosophy.
As organizations adopt more automation, more AI-driven workflows, and more non-human identities, governance needs to adapt quickly. Functions gives teams the building blocks to extend identity governance as their environments evolve, unlocking new ways to operationalize identity data and automate complex processes.
For security engineers who have ever thought, “I wish I could just write code to solve this,” Functions is built for you.
Book a demo to see Functions in action, or learn more from our docs.
