Campaign Rules
Campaign rules allow organizations to define automated access review decisions based on specific conditions. Rules are evaluated during campaigns to automatically approve, reject, or flag accounts for review.
Overview
Campaign rules use a Domain-Specific Language (DSL) to define conditions that are evaluated against accounts and owners during access reviews. When conditions match, the rule's decision (approve, reject, or flag) is applied automatically.
Benefits of Campaign Rules
- Reduce reviewer workload - Automatically handle routine decisions
- Ensure consistency - Apply the same criteria across all reviews
- Accelerate campaigns - Complete reviews faster with automation
- Enforce policies - Encode governance requirements into rules
The Campaign Rules Page
Navigate to Settings > Campaign Rules to manage your rules.
The page displays:
- Rule table - All configured rules with key information
- Search - Find rules by name or description
- Create Rule button - Add new rules
- DSL Syntax Help - Reference for writing conditions
Rule Table Columns
| Column | Description |
|---|---|
| Name | Rule name and description |
| Type | Account, Owner, or Role Policy |
| Decision | Approve, Reject, or Evaluate Policies |
| Status | Active or Inactive |
| Actions | Edit, Delete, Toggle status |
Click any row to expand and view the full DSL condition.
Rule Types
| Type | Description | Use Case |
|---|---|---|
| Account | Evaluates account attributes | Flag high-risk accounts, approve standard users |
| Owner | Evaluates owner attributes | Approve accounts owned by trusted managers |
| Role Policy | Evaluates role assignments | Apply role-based access decisions |
Decision Types
| Decision | Description |
|---|---|
| Approve | Automatically approve access |
| Reject | Automatically reject access |
| Evaluate Policies | Defer to policy evaluation for decision |
Creating a Campaign Rule
Step-by-Step Process
- Navigate to Settings and select the Campaign Rules tab.
- Click + Create Rule.
- Enter a Rule Name that describes the rule's purpose.
- Add a Description explaining when and why this rule applies.
- Select the Rule Type (Account, Owner, or Role Policy).
- Choose how to create the DSL condition:
- Generate Rule with AI - Describe in natural language
- Write DSL Manually - Enter DSL syntax directly
- Select the Decision (Approve, Reject, or Evaluate Policies).
- The rule is Active by default. Toggle off if you want to save as inactive.
- Click Save to create the rule.
Using AI to Generate Rules
The AI rule generator converts natural language descriptions into DSL conditions.
- Click Generate Rule with AI.
- Describe your rule in plain language, for example:
- "Review owners with more than 5 highly privileged accounts"
- "Flag accounts with passwords older than 90 days"
- "Approve all service accounts owned by system administrators"
- Click Generate DSL.
- Review the generated DSL condition.
- Adjust if needed or regenerate with a modified description.
AI Generation Tips
Be specific in your descriptions. Include:
- The entity type (account, owner)
- The condition criteria (count, age, status)
- Any thresholds or values
Writing DSL Manually
For precise control, write DSL conditions directly.
- Click Write DSL Manually.
- Toggle Show DSL Syntax Help for reference.
- Enter your DSL condition in the text area.
- Use the syntax help for available functions and operators.
DSL Syntax Reference
Entity Functions
| Function | Description | Example |
|---|---|---|
Account() | Access account attributes | Account().risk_score > 70 |
Owner() | Access owner attributes | Owner().status == "active" |
HasOwner() | Check if account has owner | HasOwner() == true |
HasApplication() | Check application association | HasApplication("app-id") |
CountAccounts() | Count owner's accounts | CountAccounts() > 5 |
Account Attributes
| Attribute | Description |
|---|---|
account_name | Account identifier |
display_name | Human-readable name |
email | Email address |
status | Account status (active, inactive, etc.) |
risk_score | Numeric risk score (0-100) |
risk_level | Risk level (low, medium, high, critical) |
account_type | Type of account |
is_privileged | Boolean privileged flag |
last_login | Last login timestamp |
password_age_days | Days since password change |
mfa_enabled | MFA status |
Owner Attributes
| Attribute | Description |
|---|---|
identity_name | Owner name |
identity_email | Owner email |
department | Department |
title | Job title |
location | Office location |
status | Owner status |
owner_type | Type of owner |
manager | Manager identifier |
Operators
| Operator | Description | Example |
|---|---|---|
== | Equals | status == "active" |
!= | Not equals | status != "terminated" |
> | Greater than | risk_score > 50 |
>= | Greater than or equal | risk_score >= 70 |
< | Less than | password_age_days < 90 |
<= | Less than or equal | CountAccounts() <= 3 |
AND | Logical AND | status == "active" AND risk_score > 70 |
OR | Logical OR | is_privileged == true OR risk_score > 80 |
NOT | Logical NOT | NOT HasOwner() |
IN | Value in list | department IN ["IT", "Security"] |
CONTAINS | String contains | account_name CONTAINS "admin" |
Example Rules
Flag high-risk privileged accounts:
Account().is_privileged == true AND Account().risk_score > 70Approve accounts with active owners:
HasOwner() == true AND Owner().status == "active"Reject orphan accounts (no owner):
HasOwner() == falseFlag accounts with old passwords:
Account().password_age_days > 90Approve service accounts owned by IT:
Account().account_type == "service" AND Owner().department == "IT"Testing Rules
Before activating a rule, test it against your data to verify it matches the expected accounts.
Running a Test
- Create or edit a rule.
- Click Test Rule.
- Select the test type:
- Account - Test against account data
- Owner - Test against owner data
- The test runs asynchronously and shows progress.
- Review the matching results.
Understanding Test Results
Test results show:
- Match count - Number of entities matching the condition
- Sample matches - Example entities that would be affected
- Processing time - How long the evaluation took
Use test results to refine your rule before activation.
System Rules
Some rules are system-generated and marked as read-only. These rules:
- Are created automatically by Hydden.Control
- Cannot be edited or deleted
- Are clearly labeled as system rules
- Provide baseline governance functionality
Managing Rules
Editing a Rule
- Click the Edit icon on the rule row.
- Modify the rule properties.
- Click Save to apply changes.
Active Rule Changes
Changes to active rules take effect immediately and may impact ongoing campaigns.
Deleting a Rule
- Click the Delete icon on the rule row.
- Confirm the deletion.
Before Deleting
Check if the rule is used in any active campaigns. Deleting a rule removes it from future evaluations but does not affect past decisions.
Toggling Rule Status
- Click the status toggle to activate or deactivate a rule
- Inactive rules are saved but not evaluated during campaigns
- Use inactive status to temporarily pause a rule
Using Rules in Campaigns
Campaign rules are applied to campaigns in the Automation & Rules step of campaign creation.
During campaign execution:
- Rules are evaluated for each account in the campaign
- Rules are evaluated in order: Reject rules first, then Approve, then Evaluate Policies
- The first matching rule determines the decision
- Accounts that don't match any rule remain pending for manual review
Best Practices
- Start with reject rules - Create rules that reject obvious violations first
- Test before activating - Always test rules against your data
- Use descriptive names - Make rules easy to identify and understand
- Document the purpose - Add clear descriptions explaining the rule's intent
- Review regularly - Audit rules periodically to ensure they remain appropriate
- Layer rules strategically - Use multiple rules with specific conditions rather than one complex rule
Related Topics
- Campaigns - Creating and managing campaigns
- Access Policies - Policy-based access decisions
- Settings Overview - All Settings options