Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Please contact our Support team if you’d like to try it out or have any feedback.
What you can do with functions
- Call external systems: Integrate with approved external APIs using a network allowlist
- Run on events: Trigger functions from user lifecycle events, access reviews, or schedules
- Implement custom business logic: Write your organization’s unique workflows in TypeScript
- Access ConductorOne data: Query users, apps, and entitlements through type-safe APIs
Key features
Functions provide a secure, managed environment for running custom code.
TypeScript runtime
- Modern TypeScript with async/await support
- Import external npm packages dynamically using
npm: prefix
@c1/functions-sdk provides pre-authenticated access to ConductorOne APIs
Security and isolation
- Each function runs in isolation in a sandboxed environment
- Network allowlist controls which external domains functions can access
- Secrets management stores API keys securely, accessible via
functions.getConfig()
- Execution logs capture
console.log statements and stream back to the UI
Where functions run
Once you’ve written and published a function, it can be invoked in multiple ways:
Automation steps
Functions can run as steps in automation workflows, triggered by:
- User lifecycle events (created, updated, deactivated)
- Access events (grant created, revoked)
- Review events (completed, decisions made)
- Schedule triggers (daily, weekly, custom)
Manual invocation
You can run functions on-demand from the ConductorOne web UI:
Navigate to Workflows > Functions and select your function.
Click Run. The function executes and returns output JSON.
API invocation
You can also call functions programmatically via the ConductorOne API for administrative tasks, batch processing, or integration with other systems.
Key use cases for functions
Functions unlock powerful automation scenarios that go beyond standard workflows. Here are some examples of what they can do:
Training and compliance verification
Verify users have completed required security training, background checks, or compliance certifications before granting access to sensitive apps. Functions can check external training systems via their APIs and automatically approve or reject access requests based on compliance status.
Dynamic username generation
Generate unique usernames across multiple systems using complex naming conventions. Functions can implement your organization’s username algorithm, check existing usernames for uniqueness, handle edge cases, and return a guaranteed-unique username.
Custom approval routing
Route access requests to the right approver based on complex business rules. Functions can query your org chart, walk up the management chain to find VPs or specific roles, and determine the appropriate approver based on access sensitivity, user location, and app ownership.
Risk scoring and conditional access
Calculate a risk score for access requests based on multiple factors (user role, data sensitivity, recent security incidents, login location) and auto-approve low-risk requests. Functions can aggregate data from multiple sources and implement your organization’s risk-scoring algorithm.
Integration with ticketing systems
Create tickets in Jira, ServiceNow, or other ITSM tools when access is granted, and update them when access is revoked or expires. Functions handle ticket system authentication, API rate limits, and bi-directional communication.
Custom notification and escalation
Send notifications via multiple channels (Slack, Teams, email, SMS) with custom formatting and escalation logic. Functions can format rich notifications with user and access context, implement retry logic, and track delivery.
