Help defining Identity Attribute Change trigger (JSONPath) for workflow — multiple “hold” values to/from null

aomololu01 · February 5, 2026, 8:32pm

Hi SailPoint community — I’m trying to configure an Identity Attribute Change trigger to start a workflow when a LitHold-related identity attribute changes.

Use case

Identity attribute: lithold
Values:
- D, C, or G → means user is in LitHold
- null / empty → means user is NOT in LitHold (hold released)

What I need

I want the workflow to trigger on either of these transitions:

Hold released: D|C|G → null/""
Hold applied: null/"" → D|C|G

What I’ve drafted

I’m using a JSONPath-style expression against the change payload:

$.changes[?(@.attribute == “lithold” && (@.oldValue == “G” || @.oldValue == “D” || @.oldValue == “C”) && @.newValue == “”)]

Where I’m stuck

I’m not sure if the trigger engine supports:

|| OR conditions exactly like above
how to properly check null vs "" (empty string) vs missing fields

Questions

What’s the correct way to express:
oldValue is one of {D, C, G}
and newValue is null/empty ?
Is there a recommended pattern to match both directions (hold applied + hold released) in one trigger?
In SailPoint’s trigger evaluation, should I check for null, "", or both?

Example transitions

Release hold: G → null
Apply hold: null → D

If anyone has a working trigger snippet (or knows what operators are supported in this trigger filter), I’d really appreciate it. Thanks!

gmilunich · February 5, 2026, 9:42pm

I would recommend reviewing the documentation found here: Filtering events | SailPoint Developer Community

And testing your JSONPath Expression with the tool that the Dev Rel team provides under the tools menu for the JSON Path Evaluator:

(I modified the Example input found here by using just the part under the input: Workflow Triggers - SailPoint Identity Services )

It does allow for checking Null and empty strings:

$.changes[?(@.attribute == "lithold" && (@.oldValue == "G" || @.oldValue == "D" ) 
                                  && ( @.newValue == "" || @.newValue == null) )]

rpriya · February 6, 2026, 12:03pm

Hi @aomololu01

For your question 1 and 2, try below trigger -

$.changes[?(@.attribute == “lithold” && (@.newValue==null && (@.oldValue==“D” || @.oldValue==“C” || @.oldValue==“G”)) || (@.oldValue==null && (@.newValue==“D” || @.newValue==“C” || || @.newValue==“G”)))]

For your question 3 - If an identity attribute initially has no value and is later updated, the Identity Attribute Changed trigger captures the input as a change from null to the new value and vice versa. Therefore, your condition should explicitly check for null.

You can validate this by updating any test identity’s attribute from no value to a populated value while the Identity Attribute Changed workflow is enabled. Then, review the workflow execution details and check the Workflow Input to confirm that the old value appears as null.

Topic		Replies	Views
JSONPath Expression for Identity Attributes Changed Trigger ISC Discussion and Questions identity-security-cloud	6	96	August 6, 2025
Subscription Filter For Null Check ISC Discussion and Questions identity-security-cloud , event-triggers	2	37	June 22, 2025
Filter in workflow of identity attribute changed ISC Discussion and Questions workflows , identity-security-cloud	8	84	March 22, 2025
Identity Attribute Changed Trigger JSONpath to check if multiple attributes have changed ISC Discussion and Questions workflows , identity-security-cloud	5	586	January 13, 2024
WorkFlow Trigger Condition: JSONpath to check if multiple attributes have changed ISC Discussion and Questions workflows	4	1696	September 15, 2023