ConductorOne Docs

🔐 Write conditional policy rules

Conditional policy rules are constructed using Common Expression Language (CEL) expressions.

🔐 Early access. Conditional policy rules are currently in early access as we gather more feedback from users. Reach out to if you’d like to give this new feature a try.

For an introduction to conditional policies and more information on using them in ConductorOne, see Add conditional policy rules in the Create policies documentation.

Pre-built policy condition expressions

To get you started, here are some basic conditional policy use cases and the corresponding condition expressions to be used in conditional policy rules. You can use these expressions as-is, or adapt them to suit your organization’s needs.

Pre-approve access based on group membership

Use case

If a user has an active account in Okta, and they currently have the Admin role in Jira, they can be automatically approved for the Admin role in Confluence.

Condition expression

c1.user.v1.HasApp(subject, "<APP ID>") && 
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<ENTITLEMENT ID>")

Go to an application or entitlement’s details page to look up its ID, or use Cone.

Pre-approve access for employees who are currently on call

Use case

If a user is currently in a PagerDuty on-call rotation, they can be automatically approved for AWS S3 read access.

Condition expression

c1.user.v1.HasEntitlement(subject, "<APP ID>", "<SCHEDULE 1 ENTITLEMENT ID") || 
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<SCHEDULE 2 ENTITLEMENT ID")

Auto-certify low-risk access

Use case

If a user has an active account in Google Workspace, and they are in the Engineering department, their GitHub access is automatically certified.

Condition expression

c1.user.v1.HasApp(subject, "<APP ID>") && 
subject.department == "<DEPARTMENT>"

Custom review flow for contractors

Use case

Slack access reviews for contractors (whose email addresses all end in are automatically assigned to their current manager, while all full-time employees (whose email addresses all end in complete a self-evaluation.

Condition expression


Forming condition expressions using CEL

ConductorOne’s conditional policies use the Common Expression Language (CEL) built by Google. As you work with CEL, you might find these references useful:

A basic CEL expression is made up of conditions and function calls, with references to global variables.


CEL supports common Boolean operators, like !, <, >, <=, >=, ||, &&, ==, !=, and in. All operators work as they do in C, and in functions as a “list contains” operator.

CEL allows for basic arithmetic operations, with +, -, *, and \ for adding, subtracting, multiplying, and dividing.

CEL also supports ternary operators, similar to C or JavaScript. These are formed as “If this ? then check this : otherwise check this”.

Available objects

Depending on the context in which you’re editing a CEL expression, you may have certain top-level objects available to you, provided by the ConductorOne system at runtime depending on the context of your action. For example, when writing a condition expression, you have the “subject” variable (which refers to the ConductorOne user) in scope.

See the Condition expression examples section for examples of these objects in use in condition expressions.

PropertyData typeNotes
subject.profilemap[string]interface{}Profile attributes can have any type, but are usually strings.
subject.profile.< CUSTOM USER ATTRIBUTE >variesSee explanation below.

Using custom user attributes

You can write conditional expressions that leverage the custom user attributes you’ve set up in ConductorOne. Any custom user attribute can be passed in to the subject.profile.<CUSTOM USER ATTRIBUTE> property and used in your conditional expressions.

Library functions

These library functions let you interact with the ConductorOne system to look up whether a user has access to a certain application or entitlement.

c1.user.v1.HasAppuser, app IDBoolean
c1.user.v1.HasEntitlementuser, app ID, and entitlement IDBoolean

See the next section for examples of these library functions in conditional expressions.

Condition expression examples

These expressions each return a Boolean.

Check that the subject’s email is “”: == ""

Check that the user’s email address starts with “engineering”:"engineering")

Check that the user’s email address ends with “”:"")

Check that the user’s email address doesn’t end with “”:


Check that the subject’s favorite food is macaroni:

subject.profile.favorite_food == "macaroni"

Check that the subject’s favorite foods include sushi:

"Sushi" in subject.profile.favorite_foods

Check if the user is enabled in the directory:

subject.directory_status == USER_STATUS_ENABLED

Check that the user status is enabled and the department is IT:

subject.status == USER_STATUS_ENABLED && subject.department == "IT"

Check that the user’s status is disabled or suspended, and their department is “ENG”:

(subject.status == USER_STATUS_DISABLED || subject.status == USER_STATUS_SUSPENDED) 
&& subject.department == "ENG"

Check that the user has access to the app with that ID:

c1.user.v1.HasApp(subject, "2SWtmlkdW0dtROVwIN0zYthXIud") <APP ID>

The user doesn’t have that app, and their department is engineering:

!c1.user.v1.HasApp(subject, "2SWtmlkdW0dtROVwIN0zYthXIud") 
&& subject.department == "Engineering"

Check if the subject’s employment type is full time:

subject.employment_type == "Full Time"

Check that the user has the entitlement in that app:

c1.user.v1.HasEntitlement(subject, "2SWtmlkdW0dtROVwIN0zYthXIud", 

If the subject has the director profile attribute, check that the director is Holly. Otherwise, check that their manager is Ivy:

has(subject.profile.director) ? subject.profile.director == 
"" : subject.profile.manager == ""

If the subject’s employee status is ENABLED, check that their department is Engineering, otherwise check that their last date active was April 1, 2024:

subject.employee_status == EMPLOYEE_STATUS_ENABLED ? subject.profile.department == 
"Engineering" : subject.profile.last_date_active == "04/1/2024"