Skip to main content
POST
/
policy
/
rules
/
{rule}
/
conditions
Create a Condition
curl --request POST \
  --url https://wks-a1b2c3d4.provisionr.io/api/v1/policy/rules/{rule}/conditions \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "type": "attribute",
  "directory_attribute_id": "<string>",
  "manager_id": "<string>",
  "workspace_integration_id": "<string>",
  "directory_user_id": "<string>",
  "profile_key": "<string>",
  "profile_operator": "equals",
  "profile_value": "<string>"
}
'
{
  "id": "<string>",
  "is_imported": true,
  "type": "attribute",
  "resource_id": "<string>",
  "profile_key": "<string>",
  "profile_operator": "equals",
  "profile_value": "<string>",
  "description": "<string>",
  "timestamp": {
    "created_at": "2023-11-07T05:31:56Z",
    "updated_at": "2023-11-07T05:31:56Z",
    "deleted_at": "2023-11-07T05:31:56Z"
  },
  "count": {
    "workspace_logs_parent": 123,
    "workspace_logs_record": 123,
    "workspace_logs_related": 123
  },
  "included": {
    "policy_ruleset": "<unknown>",
    "policy_rule": "<unknown>",
    "resource": "<unknown>",
    "directory_attribute": "<unknown>",
    "directory_user": "<unknown>",
    "manager_user": "<unknown>",
    "workspace_integration": "<unknown>"
  },
  "links": {
    "self": "<string>",
    "policy_rule": "<string>",
    "policy_ruleset": "<string>",
    "directory_attribute": "<string>",
    "directory_user": "<string>",
    "manager_user": "<string>",
    "workspace_integration": "<string>"
  }
}

Documentation Index

Fetch the complete documentation index at: https://docs.provisionr.io/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

rule
string
required

Policy Rule ID

Body

application/json

CreatePolicyConditionData

type
enum<string>
required
attribute
This condition gets all users that are attached to the specific Dimension Attribute. The ID of the Attribute is used so any changes to the name are automatically reflected. Best Practice: You should use Attributes for most conditions since they are a single source of truth for string exact matches (this equals that) that can be easily changed in one place if/when the HRIS data is renamed. You can also create a custom dimension and/or a custom attribute to define a set of rules and conditions that you can reuse by attaching that Attribute to another group or resource.
identity
This condition allows you to perform complex string matching on the profile key value pairs from the vendor API data that is stored in each Directory Identity. This allows you to specify the integration and what profile key to search in and get all identities that match based on the operator and value specified. Best Practice: Each profile key is a Directory Dimension. If attributes are enabled for a dimension, an Attribute already exists for every value that exists across all users. To protect PII, attributes should only be enabled for organizational metadata, not user metadata. You can use Identity conditions to match on PII profile keys (ex. email, phone number, location) that should not be stored in Attributes. You can also use Identity conditions to perform complex or partial string matching (not equal, null, exists, contains, starts with, ends with, etc) that is not possible with Attributes that only support exact match (equals) values.
manager
This condition gets all users that directly report to a specific Manager (Single Source of Truth) Best Practice: When creating attributes for a specific team, a manager condition allows you to ensure only users on a specific team are granted access. A manager condition can be paired with a second condition for specifying a job title or region to provide least privilege granularity.
user
This condition allows you to add a specific user to a ruleset for an attribute, group, or resource. Best Practice: You should only use this if the business justification of granting access is specific to one person. You should avoid using this when an Attribute can be created or used that encapsulates multiple conditions to encapsulate the business justification.
unmanaged
When a group or resource is imported, any pre-existing users that were attached to it are marked as unmanaged. This provides visibility of all group members, even if if they are not managed by a Provisionr policy. While a group or resource ruleset is not authoritative, any users detected during sync jobs are imported as unmanaged users. When a group or resource ruleset is changed to authoritative, unmanaged users are removed, however the Provisionr database maintains a record of them for auditing purposes and ability to restore them later if needed. If an unmanaged user is detected after the ruleset is authoritative, they are imported as unmanaged into Provisionr then removed from the group during the sync to provide an audit trail of a user that was added and suddenly disappeared.
Available options:
attribute,
identity,
manager,
user,
unmanaged
directory_attribute_id
string
Pattern: ^dratr_[0-9a-hjkmnp-tv-z]{26}$
Example:

"dratr_01hq8xyzabc123def456ghi789"

manager_id
string
Pattern: ^drusr_[0-9a-hjkmnp-tv-z]{26}$
Example:

"drusr_01hq8xyzabc123def456ghi789"

workspace_integration_id
string
Pattern: ^wsitg_[0-9a-hjkmnp-tv-z]{26}$
Example:

"wsitg_01hq8xyzabc123def456ghi789"

directory_user_id
string
Pattern: ^drusr_[0-9a-hjkmnp-tv-z]{26}$
Example:

"drusr_01hq8xyzabc123def456ghi789"

profile_key
string

The array key in the Directory Identity profile to check. This is the same as the profile_key for the dimension

Maximum string length: 55
profile_operator
enum<string>

The calculation comparison operator when evaluating the profile_value

equals
Check if the value is equal to the provided string Ex. division == sales
not
Check if the value is not equal to the provided string Ex. division != sales
empty
Check if the value is empty Ex. division == null
exists
Check if the value is not empty Ex. division != null
greater
Check if the value is greater than the provided string Ex. created_at > 2025-01-01
less
Check if the value is less than the provided string Ex. created_at < 2024-12-31
prefix
Check if the value starts with the provided string Ex. title starts with VP
suffix
Check if the value ends with the provided string Ex. email ends with example.com
contains
Check if the value contains the provided string Ex. title contains Senior
Available options:
equals,
not,
empty,
exists,
greater,
less,
prefix,
suffix,
contains
profile_value
string

The array value in the Directory Identity profile to match against

Maximum string length: 255

Response

PolicyConditionDetailedResponseData

id
string
required
Example:

"pocon_01hq8xyzabc123def456ghi789"

is_imported
boolean
required

Whether this condition was created automatically when a Workspace Integration attribute was imported. If false, the condition was created manually by an administrator

type
enum<string>
required

The type of condition that this policy condition represents

attribute
This condition gets all users that are attached to the specific Dimension Attribute. The ID of the Attribute is used so any changes to the name are automatically reflected. Best Practice: You should use Attributes for most conditions since they are a single source of truth for string exact matches (this equals that) that can be easily changed in one place if/when the HRIS data is renamed. You can also create a custom dimension and/or a custom attribute to define a set of rules and conditions that you can reuse by attaching that Attribute to another group or resource.
identity
This condition allows you to perform complex string matching on the profile key value pairs from the vendor API data that is stored in each Directory Identity. This allows you to specify the integration and what profile key to search in and get all identities that match based on the operator and value specified. Best Practice: Each profile key is a Directory Dimension. If attributes are enabled for a dimension, an Attribute already exists for every value that exists across all users. To protect PII, attributes should only be enabled for organizational metadata, not user metadata. You can use Identity conditions to match on PII profile keys (ex. email, phone number, location) that should not be stored in Attributes. You can also use Identity conditions to perform complex or partial string matching (not equal, null, exists, contains, starts with, ends with, etc) that is not possible with Attributes that only support exact match (equals) values.
manager
This condition gets all users that directly report to a specific Manager (Single Source of Truth) Best Practice: When creating attributes for a specific team, a manager condition allows you to ensure only users on a specific team are granted access. A manager condition can be paired with a second condition for specifying a job title or region to provide least privilege granularity.
user
This condition allows you to add a specific user to a ruleset for an attribute, group, or resource. Best Practice: You should only use this if the business justification of granting access is specific to one person. You should avoid using this when an Attribute can be created or used that encapsulates multiple conditions to encapsulate the business justification.
unmanaged
When a group or resource is imported, any pre-existing users that were attached to it are marked as unmanaged. This provides visibility of all group members, even if if they are not managed by a Provisionr policy. While a group or resource ruleset is not authoritative, any users detected during sync jobs are imported as unmanaged users. When a group or resource ruleset is changed to authoritative, unmanaged users are removed, however the Provisionr database maintains a record of them for auditing purposes and ability to restore them later if needed. If an unmanaged user is detected after the ruleset is authoritative, they are imported as unmanaged into Provisionr then removed from the group during the sync to provide an audit trail of a user that was added and suddenly disappeared.
Available options:
attribute,
identity,
manager,
user,
unmanaged
resource_id
string
required

The ID of the resource based on the type of condition

Examples:

"dratr_01hq8xyzabc123def456ghi789"

"drusr_01hq8xyzabc123def456ghi789"

"wsitg_01hq8xyzabc123def456ghi789"

profile_key
string
required

The reference key for the condition based on its type. Except for identity type conditions, condition matching uses database relationships based on the resource ID (not string matching). This value is fetched in real time based on the resource ID for human readability (not stored in condition database table).

  • identity: Identity profile array raw key that is used for string matching. This is usually the same as the profile_key on a dimension.
  • attribute: Name of Directory Dimension that the attribute is associated with.
  • manager: null
  • user: null
Examples:

"department"

"Department"

profile_operator
enum<string> | null
required

The operator for the condition based on its type. All conditions are case insensitive and are converted to lowercase for matching

equals
Check if the value is equal to the provided string Ex. division == sales
not
Check if the value is not equal to the provided string Ex. division != sales
empty
Check if the value is empty Ex. division == null
exists
Check if the value is not empty Ex. division != null
greater
Check if the value is greater than the provided string Ex. created_at > 2025-01-01
less
Check if the value is less than the provided string Ex. created_at < 2024-12-31
prefix
Check if the value starts with the provided string Ex. title starts with VP
suffix
Check if the value ends with the provided string Ex. email ends with example.com
contains
Check if the value contains the provided string Ex. title contains Senior
Available options:
equals,
not,
empty,
exists,
greater,
less,
prefix,
suffix,
contains
Example:

"equals"

profile_value
string | null
required

The reference value for the condition based on its type. Except for identity type conditions, condition matching uses database relationships based on the resource ID (not string matching). This value is fetched in real time based on the resource ID for human readability (not stored in condition database table).

  • identity: Identity profile array raw value that is used for string matching
  • attribute: Name of the Directory Attribute for the respective Dimension
  • manager: Full name of the manager user
  • user: Full name of the user
Examples:

"IT Helpdesk"

"IT Helpdesk"

"Kate Libby"

"Dade Murphy"

description
string | null
required

A human readable description of the condition

timestamp
TimestampBasicData · object
required

The timestamps for the policy condition record

count
object
required

Count of related resources

included
object
required

Included related resources

links
object
required

API hyperlinks related to the policy condition record

Example:
{
  "self": "https://ws-a1b2c3.provisionr.io/api/v1/policy/conditions/pocon_01hq8xyzabc123def456ghi789"
}