🔐 Write conditional policy rules
🔐 Early access. Conditional policy rules are currently in early access as we gather more feedback from users. Reach out to support@conductorone.com if you’d like to give this new feature a try.
For an introduction to conditional policies and more information on using them in ConductorOne, see Add conditional policy rules in the Create policies documentation.
Pre-built policy condition expressions
To get you started, here are some basic conditional policy use cases and the corresponding condition expressions to be used in conditional policy rules. You can use these expressions as-is, or adapt them to suit your organization’s needs.
Pre-approve access based on group membership
Use case
If a user has an active account in Okta, and they currently have the Admin role in Jira, they can be automatically approved for the Admin role in Confluence.
Condition expression
c1.user.v1.HasApp(subject, "<APP ID>") &&
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<ENTITLEMENT ID>")
Go to an application or entitlement’s details page to look up its ID, or use Cone.
Pre-approve access for employees who are currently on call
Use case
If a user is currently in a PagerDuty on-call rotation, they can be automatically approved for AWS S3 read access.
Condition expression
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<SCHEDULE 1 ENTITLEMENT ID") ||
c1.user.v1.HasEntitlement(subject, "<APP ID>", "<SCHEDULE 2 ENTITLEMENT ID")
Auto-certify low-risk access
Use case
If a user has an active account in Google Workspace, and they are in the Engineering department, their GitHub access is automatically certified.
Condition expression
c1.user.v1.HasApp(subject, "<APP ID>") &&
subject.department == "<DEPARTMENT>"
Custom review flow for contractors
Use case
Slack access reviews for contractors (whose email addresses all end in @contract.company.com) are automatically assigned to their current manager, while all full-time employees (whose email addresses all end in @company.com) complete a self-evaluation.
Condition expression
!subject.email.endsWith("@company.com")
Forming condition expressions using CEL
ConductorOne’s conditional policies use the Common Expression Language (CEL) built by Google. As you work with CEL, you might find these references useful:
A basic CEL expression is made up of conditions and function calls, with references to global variables.
Operators
CEL supports common Boolean operators, like !, <, >, <=, >=, ||, &&, ==, !=, and in. All operators work as they do in C, and in functions as a “list contains” operator.
CEL allows for basic arithmetic operations, with +, -, *, and \ for adding, subtracting, multiplying, and dividing.
CEL also supports ternary operators, similar to C or JavaScript. These are formed as “If this ? then check this : otherwise check this”.
Available objects
Depending on the context in which you’re editing a CEL expression, you may have certain top-level objects available to you, provided by the ConductorOne system at runtime depending on the context of your action. For example, when writing a condition expression, you have the “subject” variable (which refers to the ConductorOne user) in scope.
See the Condition expression examples section for examples of these objects in use in condition expressions.
| Property | Data type | Notes |
|---|---|---|
| subject.id | string | |
| subject.department | string | |
| subject.job_title | string | |
| subject.profile | map[string]interface{} | Profile attributes can have any type, but are usually strings. |
| subject.email | string | |
| subject.email.startsWith | string | |
| subject.email.endsWith | string | |
| subject.status | enum | One of USER_STATUS_ENABLED, USER_STATUS_DISABLED, USER_STATUS_DELETED |
| subject.type | enum | One of USER_STATUS_SYSTEM, USER_STATUS_HUMAN, USER_STATUS_SERVICE |
| subject.directory_status | enum | One of USER_STATUS_ENABLED, USER_STATUS_DISABLED, USER_STATUS_DELETED |
| subject.employment_type | string | |
| subject.employment_status | string | |
| subject.manager | string | |
| subject.profile.< CUSTOM USER ATTRIBUTE > | varies | See explanation below. |
Using custom user attributes
You can write conditional expressions that leverage the custom user attributes you’ve set up in ConductorOne. Any custom user attribute can be passed in to the subject.profile.<CUSTOM USER ATTRIBUTE> property and used in your conditional expressions.
Library functions
These library functions let you interact with the ConductorOne system to look up whether a user has access to a certain application or entitlement.
| Function | Accepts | Returns |
|---|---|---|
| c1.user.v1.HasApp | user, app ID | Boolean |
| c1.user.v1.HasEntitlement | user, app ID, and entitlement ID | Boolean |
See the next section for examples of these library functions in conditional expressions.
Condition expression examples
These expressions each return a Boolean.
Check that the subject’s email is “cheddar.crackers@company.com”:
subject.email == "cheddar.crackers@company.com"
Check that the user’s email address starts with “engineering”:
subject.email.startsWith("engineering")
Check that the user’s email address ends with “@company.com”:
subject.email.endsWith("@company.com")
Check that the user’s email address doesn’t end with “@company.com”:
!subject.email.endsWith("@company.com")
Check that the subject’s favorite food is macaroni:
subject.profile.favorite_food == "macaroni"
Check that the subject’s favorite foods include sushi:
"Sushi" in subject.profile.favorite_foods
Check if the user is enabled in the directory:
subject.directory_status == USER_STATUS_ENABLED
Check that the user status is enabled and the department is IT:
subject.status == USER_STATUS_ENABLED && subject.department == "IT"
Check that the user’s status is disabled or suspended, and their department is “ENG”:
(subject.status == USER_STATUS_DISABLED || subject.status == USER_STATUS_SUSPENDED)
&& subject.department == "ENG"
Check that the user has access to the app with that ID:
c1.user.v1.HasApp(subject, "2SWtmlkdW0dtROVwIN0zYthXIud") <APP ID>
The user doesn’t have that app, and their department is engineering:
!c1.user.v1.HasApp(subject, "2SWtmlkdW0dtROVwIN0zYthXIud")
&& subject.department == "Engineering"
Check if the subject’s employment type is full time:
subject.employment_type == "Full Time"
Check that the user has the entitlement in that app:
c1.user.v1.HasEntitlement(subject, "2SWtmlkdW0dtROVwIN0zYthXIud",
"2SWtwwe5n7AOXhRBRNK1fUakc4F")
If the subject has the director profile attribute, check that the director is Holly. Otherwise, check that their manager is Ivy:
has(subject.profile.director) ? subject.profile.director ==
"holly.berry@company.com" : subject.profile.manager == "ivy.vine@company.com"
If the subject’s employee status is ENABLED, check that their department is Engineering, otherwise check that their last date active was April 1, 2024:
subject.employee_status == EMPLOYEE_STATUS_ENABLED ? subject.profile.department ==
"Engineering" : subject.profile.last_date_active == "04/1/2024"