Identity Created trigger fires when filter attribute is completely absent from identity: bug or intended?

We have a workflow in SailPoint ISC with an “Identity Created” trigger. The trigger uses a basic filter to only fire for identities with a specific countryCode attribute value. The behavior is correct in two of three cases:

  • Identities with the matching countryCode → workflow triggers ✓

  • Identities with a non-matching countryCode → workflow does not trigger ✓

  • Identities where countryCode is completely absent from the payload → workflow triggers unexpectedly ✗

This third case is our problem. We recently aggregated a source where countryCode was not mapped at all. Our expectation was that the filter comparison would fail and the workflow would not trigger — but it did, resulting in thousands of unwanted emails being sent.

Looking at the step input of one of the affected identities, you can see that countryCode is not present in the attributes at all (not null, not empty — simply missing):

{
  "_meta": {
    "invocationId": "204841c2-0c20-4331-85ea-444558b5bed7",
    "subscriptionId": "52490824-fd2e-40af-8731-03e974f8734f",
    "triggerType": "FIRE_AND_FORGET"
  },
  "attributes": {
    "created": "2026-02-24T05:53:43.582Z",
    "displayName": "Testthree",
    "email": null,
    "employeeNumber": null,
    "firstname": "Testthree",
    "identityState": "ACTIVE",
    "inactive": "true",
    "isManager": false,
    "lastname": "Testthree",
    "manager": null,
    "phone": null,
    "processingDetails": null,
    "uid": "E014820"
  },
  "identity": {
    "id": "68182cf3b4914c3daf6859922bfb0c84",
    "name": "Testthree",
    "type": "IDENTITY"
  }
}

This suggests that the basic filter treats a missing attribute as a match rather than a non-match, which seems like either unintended behavior or at least a very dangerous default.

Our questions for the community:

  1. Is this intended behavior or a bug? Should a basic filter fire when the filtered attribute is completely absent from the identity payload?

  2. Does switching to an advanced filter fix it? For example: $[?($.attributes.countryCode == 'DE')]

  3. Is explicit null/existence checking the correct pattern? Such as: $[?($.attributes.countryCode && $.attributes.countryCode == 'DE')]

  4. What is the recommended approach for handling identities with missing attributes in ISC trigger filters in general?

Any insights from people who have run into this before are appreciated!

Hi @vpace

If you download the workflow configuration JSON, view it via API, or open it in VS Code, you will be able to see the exact filter that corresponds to the simple filter configured in the UI.

For example, a simple filter configured in the UI is translated into the following filter structure in JSON.

To test and validate filters, you can use the JSON Evaluator tool available in the SailPoint Developer Community: JSON Path Evaluator | SailPoint Developer Community

This tool allows you to evaluate filters against input data. There are also many similar JSON evaluation tools available online.

Normally, if an attribute is missing, the workflow should not be triggered. If it is still being triggered, I would recommend checking the attribute’s nullability (your option 3), testing thoroughly, and opening a ticket with SailPoint Support, as this may be a bug.

In general, for data manipulation or evaluation, it is always recommended to handle potential null or empty values.

Thanks
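The three cases from the question, plus an explicit null, can be pinned down as a test matrix with fail-closed semantics before a trigger is enabled. This is an added example, not part of either post and not SailPoint's evaluator; `resolve`, `shouldFire`, `runMatrix` and the sample payloads are hypothetical names and constructed data.

```javascript
// Models the behaviour the thread expects from an equality filter:
// a missing attribute must never count as a match (fail closed).

// Resolve a dotted path such as "attributes.countryCode".
// Returns { found: false } when any segment is absent, so "missing"
// stays distinguishable from an explicit null.
function resolve(payload, path) {
  let node = payload;
  for (const key of path.split('.')) {
    if (node === null || typeof node !== 'object' ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return { found: false };
    }
    node = node[key];
  }
  return { found: true, value: node };
}

// Fail-closed equality: absent, null, empty and non-string values never match.
function shouldFire(payload, path, expected) {
  const r = resolve(payload, path);
  if (!r.found) return { fire: false, reason: 'attribute absent' };
  if (r.value === null || r.value === '') return { fire: false, reason: 'attribute null or empty' };
  if (typeof r.value !== 'string') return { fire: false, reason: 'attribute not a string' };
  return r.value === expected
    ? { fire: true, reason: 'match' }
    : { fire: false, reason: 'value mismatch' };
}

// Constructed payloads: the three cases in the question, plus explicit null.
const samples = {
  matching: { attributes: { uid: 'E000001', countryCode: 'DE' } },
  nonMatching: { attributes: { uid: 'E000002', countryCode: 'FR' } },
  absent: { attributes: { uid: 'E000003' } },
  explicitNull: { attributes: { uid: 'E000004', countryCode: null } },
};

// Evaluate every sample; returns a map of sample name -> decision.
function runMatrix(path, expected) {
  const out = {};
  for (const [name, payload] of Object.entries(samples)) {
    out[name] = shouldFire(payload, path, expected);
  }
  return out;
}

console.log(runMatrix('attributes.countryCode', 'DE'));
```

Running the same four payloads through the JSONPath evaluator with the filter exported from the workflow JSON shows whether the deployed filter agrees with this matrix on the absent case.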