Skip to main content

Type definitions

CEL expressions use typed values. Understanding these types helps you write correct expressions and avoid runtime errors.

Primitive types

Time types

Duration format: Use h for hours, m for minutes, s for seconds. Examples: "2h" (2 hours), "30m" (30 minutes), "720h" (30 days). Timestamp arithmetic:

Collection types

List operations:

Enum types

Enums are predefined constants. Always use the full enum name (e.g., UserStatus.ENABLED, not just ENABLED).

UserStatus

UserType

TaskOrigin

AppUserStatus (for triggers)

Used in ctx.trigger.oldAccount.status.status and ctx.trigger.newAccount.status.status:

AppUserType

TimeFormat

Object types

These are complex types returned by functions or available as variables.
User vs AppUser: These are different types. A User is a person in the C1 directory (your identity provider sync). An AppUser is that person’s account within a specific application (their GitHub account, Okta account, etc.). One User can have many AppUsers across different apps.

User

Represents a person in the C1 directory. This is your organization’s user record, typically synced from an identity provider. Returned by: FindByEmail, GetByID, GetManagers, DirectReports, GetEntitlementMembers Available as: subject, elements of appOwners, ctx.trigger.oldUser, ctx.trigger.newUser

Group

Represents a C1 group. Returned by FindByName.

AppUser

Represents a user’s account within a specific connected application (e.g., their GitHub account, Salesforce account, AWS IAM user). Different from User which is the directory-level identity. Returned by: ListAppUsersForUser Available as: ctx.trigger.oldAccount, ctx.trigger.newAccount (in account-change triggers)

Task

Represents an access request or task in C1. See Task object for all fields. Available as: task (in policy expressions)

TaskAnalysis

Analysis data attached to a task, including access conflict information. See Task analysis object for all fields. Available as: task.analysis (in policy expressions)

Entitlement

The entitlement (permission/role) being requested. See Entitlement object for all fields. Available as: entitlement (in policy expressions and entitlement configuration rules; in configuration rules for cloud infrastructure apps, entitlement.role and entitlement.scope are also populated)

IP

Represents an IP address with properties for classification. See IP address object for all fields. Created by: ip("1.2.3.4")

CIDR

Represents a network range for IP matching. See IP CIDR object for all methods. Created by: cidr("10.0.0.0/8")

Context (ctx)

Workflow execution context containing trigger data and step outputs. See Context object for all fields. Available as: ctx (in automation triggers and workflow steps)

Built-in variables

These variables are automatically available in specific contexts.

Functions

These library functions let you interact with the C1 system to look up whether a user has access to a certain application or entitlement, or to find the user or list of users who should review a task.

User library functions

What can go wrong:
  • Invalid app ID or entitlement ID returns false for boolean functions (no error thrown)
  • GetAppUserStatus returns "USER_STATUS_UNSPECIFIED" if the user has no account in the app, the source app hasn’t completed a successful sync, or the source attribute is empty — handle that branch explicitly rather than relying on a default
  • ListAppUsersForUser returns empty list [] if user has no accounts in the app

Directory library functions

What can go wrong:
  • FindByEmail fails if email doesn’t exist in directory - verify emails before deploying
  • FindByName returns the first matching user if multiple users share the same display name - use with caution when names may not be unique
  • GetByID fails if user ID doesn’t exist
  • GetManagers returns empty list [] if user has no manager - this silently skips approval steps
  • DirectReports returns empty list [] if user has no reports
  • GetEntitlementMembers returns empty list [] if entitlement has no members
  • GetEntitlementOwners returns empty list [] if the entitlement has no owners — add a fallback to prevent silently skipping the approval step
Critical: When GetManagers returns an empty list in a policy approver expression, the approval step is silently skipped rather than failing. Always add a fallback approver:
Go to an application or entitlement’s details page to look up its ID, or use Cone.
Function availability varies by context.Note that automation triggers do NOT have access to directory or user library functions - they can only access the ctx.trigger object and basic enums.

Time functions

C1 provides comprehensive time functions for working with dates and times in CEL expressions. These functions are available in all CEL contexts (Policies, Groups, Automations, Account provisioning).

Core time functions

Time units for start_of/end_of:
  • "day" - Start/end of day (midnight)
  • "week" - Start/end of week (Monday/Sunday)
  • "month" - Start/end of month
  • "quarter" - Start/end of quarter (Jan/Apr/Jul/Oct)
  • "year" - Start/end of year

TimeFormat constants

See TimeFormat enum for all constants. You can also use custom Go time layouts like "2006-01-02" or "Monday, January 2, 2006".

Common time patterns

Check if date is recent:
Business hours checking:
Day of week checking:
Parsing profile date fields:
Working with timezones:
Important:The now() function returns the same value throughout a single expression evaluation. All timestamps are stored in UTC internally; timezone parameters only affect parsing and formatting.

External insights functions

These functions are available in policy conditions when external insights are configured. They let you reference security findings and risk scores from connected tools directly in access decisions.

Issue insights

Issue insights are discrete security findings (for example, critical CVEs or misconfigurations) synced from Wiz Insights. Severity values: "CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL". The HasSecurityInsightWithSeverity comparison is case-insensitive; direct field comparisons are not.

Risk scores

Risk scores are normalized values (0–100, higher = more risk) synced from CrowdStrike. The source name must exactly match the connector app’s display name in your tenant (for example, "Wiz Insights" or "CrowdStrike"). The match is case-sensitive. For full examples and best practices, see Use external insights in CEL policy conditions.

Objects

Subject object

The “subject” variable refers to the C1 user.

Most common fields

These fields are used in the majority of condition expressions:

Identity and contact fields

Both subject.manager (email) and subject.manager_id (ID) are available. Use manager for email-based comparisons and manager_id to check existence or for ID-based lookups with GetByID.

Organizational fields

Status and directory fields

Use custom user attributes.You can write condition expressions that leverage the custom user attributes you’ve set up in C1. Any custom user attribute can be passed in to the subject.attributes.<CUSTOM USER ATTRIBUTE> property and used in your condition expressions.

User object

The user object is used when referencing other users in the system (not the current subject).

Task object

The task object is used in policy expressions to reference the current access request or task. See TaskOrigin enum for all possible values.

Task analysis object

The task analysis object provides information about potential access conflicts and other analysis data.

Entitlement object

The entitlement object can only be used in CEL expressions in policies. It does not work when writing CEL expressions to form C1 groups.

IP address object

The IP address object is used for network-based access control and filtering.

IP CIDR object

The IP CIDR object is used for network range-based access control and filtering.

Object usage reference

Understanding where each object can be used helps you write effective CEL expressions for different C1 features.

Quick object reference table

* In Automations, user data is accessed through the ctx object (e.g., ctx.trigger.newUser, ctx.trigger.oldUser)

Subject object

Available in: Policies Groups Automations Campaigns Account provisioning
Description: References the current user in the context
Usage: The most commonly used object across all CEL expression contexts
Context-specific examples: In Policies:
In Groups:
In Automations:
In Campaigns:
In Account provisioning:

User object

Available in: Policies Groups Automations Campaigns ️ Account provisioning
Description: References other users in the system (not the current subject)
Usage: Used when you need to reference or compare against other users
Context-specific examples: In Policies:
In Groups:
In Automations:
In Campaigns:

Task object

Available in: Policies ️ Groups ️ Automations ️ Campaigns ️ Account provisioning
Description: References the current access request or task
Usage: Only available in policy expressions where there’s an active task context
Context-specific examples: In Policies:

Task analysis object

Available in: Policies ️ Groups ️ Automations ️ Campaigns ️ Account provisioning
Description: Provides information about potential access conflicts and other analysis data
Usage: Only available in policy expressions for conflict detection and analysis
Context-specific examples: In Policies:

Entitlement object

Available in: Policies ️ Groups ️ Automations ️ Campaigns ️ Account provisioning
Description: References the entitlement being requested
Usage: Only available in policy expressions where there’s an active entitlement request
Context-specific examples: In Policies:

IP address object

Available in: Policies ️ Groups Automations ️ Campaigns ️ Account provisioning
Description: Used for network-based access control and filtering
Usage: Available in policies and automations for network-based logic
Context-specific examples: In Policies:
In Automations:

IP CIDR object

Available in: Policies ️ Groups Automations ️ Campaigns ️ Account provisioning
Description: Used for network range-based access control and filtering
Usage: Available in policies and automations for network range checking
Context-specific examples: In Policies:
In Automations:

Context object (ctx)

Available in: ️ Policies ️ Groups Automation Triggers Workflow Steps ️ Campaigns ️ Account provisioning
Description: Provides access to workflow execution context and trigger data
Usage: Used in automations to access trigger data and previous step outputs
Available fields: In Automation Triggers:
  • ctx.trigger.oldUser / ctx.trigger.old_user - User state before change
  • ctx.trigger.newUser / ctx.trigger.new_user - User state after change
  • ctx.trigger.oldAccount / ctx.trigger.old_account - Account state before change
  • ctx.trigger.newAccount / ctx.trigger.new_account - Account state after change
  • ctx.trigger.entitlement - Entitlement that triggered the workflow
In Workflow Steps:
  • ctx.trigger - Trigger output data (structure varies by trigger type)
  • ctx.[step_name] - Output from each completed workflow step
Context-specific examples: In automation triggers:
In automation steps:
Important:Automation triggers have limited function access. They do NOT have access to directory functions (c1.directory.*) or user entitlement checking functions (c1.user.v1.HasApp, etc.). Only basic user/account field access and status enums are available.

Important notes

Use camelCase

CEL expressions should be written in camelCase. C1 is moving away from snake_case for consistency and readability. Existing expressions in snake_case will still work, but new ones should follow the camelCase convention.

Null safety with has()

Use the has() macro to check for existence of optional fields, especially in profile maps:

Performance considerations

Directory functions (c1.directory.*) perform I/O operations. Place them after simpler conditions when possible:

Function memoization

Directory function calls are automatically memoized within a single expression evaluation, so calling the same function multiple times is safe and efficient.

Template syntax

Only Workflow Steps support {{ expression }} template syntax for embedding CEL expressions in strings.