Skip to main content

Common patterns and examples

Employee vs contractor identification

Department-based access control

User status and type filtering

Account type filtering

Manager-based routing

Manager lookups can return empty results. When GetManagers returns [] in an approver expression, the approval step is silently skipped. Always add fallback approvers - see Approver selection patterns below.

Access conflict detection

Risk-based access control

Time-based access control

Task origin routing

Custom user attributes

Operators

CEL supports common Boolean operators, like !, <, >, <=, >=, ||, &&, ==, !=, and in. All operators work as they do in C, and in functions as a “list contains” operator. CEL allows for basic arithmetic operations, with +, -, *, and \ for adding, subtracting, multiplying, and dividing. CEL also supports ternary operators, similar to C or JavaScript. These are formed as “If this ? then check this : otherwise check this”.

Example condition expressions

Basic syntax examples

These examples show fundamental CEL syntax and operators: Simple comparisons:
Boolean operators:
Function calls:
Ternary operators:

Advanced examples

Complex conditional logic:
Access conflict detection:
Time-based access:
Access profile enrollment:

Expressions that return users

Simple user returns:
Conditional user routing:
Complex nested routing:
For production approver expressions, prefer the patterns in Approver selection patterns which include proper fallbacks.

Real-world policy examples

These examples are based on actual customer requests and common use cases. Use them as starting points for your own policies, adapting the logic to match your organization’s needs.

Access control and security

Proactively check for potential access conflicts

Customer scenario: A financial services company needs to prevent users from having conflicting access that could violate compliance requirements. Business problem: Users requesting access that would create security conflicts need special review by the security team. Expected outcome: Access requests with conflicts are automatically routed to security for manual review. Condition expressions:

Route access requests based on where they were created

Customer scenario: A healthcare company wants to ensure that access requests from external systems (like Slack) receive additional scrutiny. Business problem: Requests from non-web interfaces may be less secure or properly vetted. Expected outcome: External requests are routed to managers for review, while web requests can be auto-approved. Condition expressions:

User management and routing

Custom review flow for contractors

Customer scenario: A technology company has both full-time employees and contractors, and needs different approval workflows for each. Business problem: Contractors require manager approval for all access, while employees can self-approve low-risk access. Expected outcome: Contractors are routed to their manager, employees can self-approve. Condition expression:

Assign a skip-level review

Customer scenario: A large enterprise needs to ensure that high-privilege access requests are reviewed by senior management, not just direct managers. Business problem: Some access requests require approval from higher-level management for security and compliance. Expected outcome: High-privilege requests are routed to the manager’s manager for review. Condition expression:

Automation and efficiency

Pre-approve access based on group membership

Customer scenario: A software company wants to automatically approve access for users who already have similar access in related systems. Business problem: Users with existing access to similar systems can be trusted with related access without manual review. Expected outcome: Users with existing access are automatically approved for related access. Condition expression:

Pre-approve access for employees who are currently on call

Customer scenario: A technology company needs to ensure on-call engineers can quickly access production systems during emergencies. Business problem: On-call engineers need immediate access to production systems without waiting for approval. Expected outcome: Users currently on-call are automatically approved for production access. Condition expression:

Auto-certify low-risk access

Customer scenario: A consulting company wants to automatically certify access for employees who have proven trustworthy with similar access. Business problem: Regular access reviews are time-consuming for low-risk access that employees clearly need. Expected outcome: Low-risk access is automatically certified for trusted employees. Condition expression:

Time-based access control

Approve access based on grant length

Customer scenario: A financial services company needs different approval workflows for temporary vs permanent access. Business problem: Temporary access is lower risk and can be auto-approved, while permanent access requires manual review. Expected outcome: Short-term access is auto-approved, permanent access requires manager review. Condition expressions:

Advanced user assignment

Assign request to users with the same entitlement

Customer scenario: A software company wants to assign access reviews to users who already have the same access, as they understand the requirements best. Business problem: Users with existing access are best qualified to review requests for the same access. Expected outcome: Access requests are assigned to users who already have the same access. Condition expressions:

System account management

Create a group of all system and agent accounts

Customer scenario: A technology company needs to manage all system and service accounts separately from human users. Business problem: System accounts require different management policies than human user accounts. Expected outcome: All system and service accounts are automatically grouped for specialized management. Condition expression:

App user status checks

Filter by app account status

Customer scenario: A company wants to create a dynamic group of users who have active accounts in a critical application, or restrict policy conditions to users whose app account is enabled. Business problem: Users with disabled or deleted accounts in an app should not receive access or be included in certain groups. Expected outcome: Only users with enabled accounts in the target app are matched. Condition expressions:
User attribute mapping expression (Directory Status):
GetAppUserStatus returns one of four string values: "USER_STATUS_ENABLED", "USER_STATUS_DISABLED", "USER_STATUS_DELETED", or "USER_STATUS_UNSPECIFIED". If the user has no account in the specified app, the function returns "USER_STATUS_UNSPECIFIED". When used in a Directory Status user attribute mapping, the expression must return a UserStatus enum value rather than a string.

Time-based access control

Time functions enable sophisticated date and time-based policies. These examples use time functions to implement common temporal access patterns.

Check if user was hired recently

Customer scenario: A tech company wants to automatically grant onboarding access to users hired in the last 7 days. Business problem: New employees need temporary access to onboarding resources during their first week. Expected outcome: Users with hire dates in the last 7 days automatically get access. Condition expression:

Auto-approve during business hours

Customer scenario: A financial services company wants to auto-approve low-risk requests during business hours but require manual review after hours. Business problem: After-hours requests may need additional scrutiny when security teams are not immediately available. Expected outcome: Requests during business hours (9 AM - 5 PM ET) are auto-approved. Condition expression:

Route weekend requests differently

Customer scenario: A healthcare company needs to route weekend access requests to on-call managers instead of regular managers. Business problem: Regular managers may not be available on weekends to approve urgent access requests. Expected outcome: Weekend requests are routed to on-call approvers. Condition expression:

Check if contract end date is approaching

Customer scenario: An enterprise needs to identify contractors whose contracts are ending soon for access review. Business problem: Contractors with expiring contracts should have their access reviewed before their last day. Expected outcome: Contractors with contracts ending in 30 days are included in review group. Condition expression:

Alert on inactive users

Customer scenario: A company wants to automatically flag users who haven’t logged in for 90 days for access review. Business problem: Inactive users with access pose a security risk and should have their access reviewed or revoked. Expected outcome: Users inactive for 90+ days are automatically included in a review group. Condition expression:

Check if it’s end of quarter

Customer scenario: A company wants to trigger special access reviews at the end of each fiscal quarter. Business problem: Quarterly compliance reviews need to happen in Q4 (October-December). Expected outcome: Policy activates during Q4 months. Condition expression:

Validate date fields in profile

Customer scenario: A company stores hire dates in custom profile fields and wants to validate they’re not in the future. Business problem: Invalid hire dates can cause issues with onboarding automations. Expected outcome: Only users with valid past hire dates are processed. Condition expression:

Approver selection patterns

These patterns are for policy step approvers - expressions that return one or more users. The critical rule: always include fallback approvers to prevent steps from being silently skipped.

Why fallbacks matter

When an approver expression returns an empty list [], the approval step is silently skipped rather than failing. This can inadvertently auto-approve requests that should have been reviewed.

Manager with fallback

Skip-level manager with fallback

Entitlement members with fallback

Entitlement owners with fallback

GetEntitlementOwners returns the owners of the specific entitlement being requested — distinct from appOwners, which returns owners of the application. Use this when entitlements have their own ownership separate from app-level ownership.

Conditional approver by department

Multiple approver groups

The appOwners variable is always available in policy step expressions and never returns an empty list - making it the safest fallback option.