Trigger Conditions Reference
Complete reference for SCIM filter syntax used in Lifecycle Management workflow trigger conditions
This page provides a comprehensive reference for the SCIM filter syntax used in Lifecycle Management workflow trigger conditions. Trigger conditions determine when a workflow action should execute based on identity attributes.
SCIM Filter Syntax Overview
SCIM (System for Cross-domain Identity Management) filter syntax provides a standardized way to express conditions. The basic structure is:
<attribute> <operator> <value>
For example:
department eq "Engineering"
This condition evaluates to true when the identity's department attribute equals "Engineering".
Comparison Operators
String Operators
| Operator | Name | Description | Example |
| --- | --- | --- | --- |
| eq | Equal | Exact match (case-sensitive) | department eq "Sales" |
| ne | Not Equal | Does not match | status ne "Terminated" |
| co | Contains | Substring match | email co "@company.com" |
| sw | Starts With | Prefix match | employee_id sw "EMP" |
| ew | Ends With | Suffix match | email ew "@company.com" |
| pr | Present | Attribute exists and is not null | manager_id pr |
Numeric Operators
| Operator | Name | Description | Example |
| --- | --- | --- | --- |
| eq | Equal | Exact numeric match | department_code eq 100 |
| ne | Not Equal | Does not equal | level ne 0 |
| lt | Less Than | Strictly less than | access_level lt 5 |
| le | Less Than or Equal | Less than or equal to | risk_score le 50 |
| gt | Greater Than | Strictly greater than | tenure_months gt 12 |
| ge | Greater Than or Equal | Greater than or equal to | salary_grade ge 3 |
| pr | Present | Attribute exists and is not null | access_level pr |
Boolean Operators
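| Operator | Name | Description | Example |
| --- | --- | --- | --- |
| eq | Equal | Boolean match | is_active eq true |
| ne | Not Equal | Boolean inverse | is_contractor ne true |
| pr | Present | Attribute exists and is not null | is_contractor pr |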
Timestamp Operators
Timestamp comparisons use ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ).
| Operator | Name | Description | Example |
| --- | --- | --- | --- |
| eq | Equal | Exact timestamp match | hire_date eq "2024-01-15T00:00:00Z" |
| lt | Before | Earlier than | termination_date lt "2024-06-01T00:00:00Z" |
| le | At or Before | At or earlier than | start_date le "2024-12-31T23:59:59Z" |
| gt | After | Later than | hire_date gt "2023-01-01T00:00:00Z" |
| ge | At or After | At or later than | last_login ge "2024-01-01T00:00:00Z" |
| pr | Present | Attribute exists and is not null | termination_date pr |
String List Operators
For attributes that contain multiple values (arrays), the following operators are supported:
| Operator | Name | Description | Example |
| --- | --- | --- | --- |
| co | Contains | List contains a specific value | employee_types co "Full Time" |
| eq | Equal | List exactly matches value(s) | roles eq "Admin" |
| ne | Not Equal | List does not match value(s) | tags ne "deprecated" |
| pr | Present | Attribute exists and is not empty | groups pr |
The co operator is most commonly used for checking membership in a list. Use eq for exact list matching and pr to verify the attribute has any values.
Logical Operators
Combine multiple conditions using logical operators.
| Operator | Description | Example |
| --- | --- | --- |
| and | Both conditions must be true | is_active eq true and department eq "IT" |
| or | Either condition must be true | department eq "IT" or department eq "Engineering" |
| not | Negates a condition | not(status eq "Terminated") |
The not() operator uses parenthetical notation. For simple negation of a single value, prefer using ne (not equals) which has broader support across all condition contexts.
Limitation: The not() operator may not be fully supported in all LCM trigger condition contexts. If you encounter unexpected behavior with not(), rewrite the condition using ne or restructure the logic. For example, instead of not(status eq "Active"), use status ne "Active".
Precedence
not has the highest precedence
and has higher precedence than or
Use parentheses () to control evaluation order
Example combining operators:
Common Trigger Condition Patterns
Joiner Scenarios
Mover Scenarios
Mover detection uses the sys_attr__is_mover system attribute, which indicates whether any monitored property has changed. Configure which properties to monitor in the policy's Mover Properties settings.
The sys_attr__is_mover attribute is a boolean flag set when any property in the configured mover properties list changes. To trigger workflows only when specific attributes change, use the Run only if specific properties change workflow option.
Leaver Scenarios
Attribute-Based Access Control
System Attributes in Conditions
Lifecycle Management provides computed system attributes (prefixed with sys_attr__) for use in trigger conditions. The most commonly used is sys_attr__is_mover for detecting changes in monitored properties.
See System Attributes for the complete reference.
Dynamic Value Comparisons with Embedded Transformers
For time-sensitive workflows, you can embed transformer functions directly in condition values. This enables comparisons against dynamically-computed dates and times rather than static values.
Syntax
Embedded transformers use the {| FUNCTION | ...} syntax. The pipe (|) immediately after the opening brace indicates there is no source attribute—the expression starts directly with a function:
This differs from attribute transformers where you reference an attribute first:
Attribute transformer: {hire_date | DATE_FORMAT, "DateOnly"} (starts with attribute)
Embedded in condition: {| NOW | DATE_FORMAT, "DateOnly"} (starts with function)
Common Functions for Dynamic Conditions
| Function | Description |
| --- | --- |
| NOW | Current UTC timestamp |
| UTC_TO_TIME_ZONE | Convert to specific timezone |
| DATE_ADJUST_DAY | Add/subtract days |
| DATE_FORMAT | Format for comparison |
See Transformer Reference for all available functions.
Example: 2-Day Leaver Window
Trigger a leaver workflow when an employee's last day of work falls within a 2-day window around today (Eastern Standard Time):
Breaking down the embedded transformer:
| Step | Function | Input | Output |
| --- | --- | --- | --- |
| 1 | NOW | (none) | Current UTC timestamp |
| 2 | UTC_TO_TIME_ZONE, "-05:00" | UTC timestamp | Eastern time timestamp |
| 3 | DATE_ADJUST_DAY, 0 | EST timestamp | Today (or -2 for 2 days ago) |
| 4 | DATE_FORMAT, "DateOnly" | Adjusted timestamp | Date string for comparison |
Result: The workflow triggers when:
The employee is active (is_active eq true)
Their last day is today or earlier (le today)
Their last day is after 2 days ago (gt 2 days ago)
This creates a 2-day processing window for departing employees.
Example: Pre-Hire Provisioning
Trigger a joiner workflow 7 days before an employee's start date:
This triggers for employees whose hire date is within the next 7 days, enabling pre-provisioning of accounts before their start date.
Example: Post-Termination Cleanup
Trigger a cleanup workflow for employees terminated more than 30 days ago:
Escaping quotes: When embedding transformers in conditions, you must escape inner quotes with backslashes. For example: \"-05:00\" and \"DateOnly\".
Timezone consideration: Use UTC_TO_TIME_ZONE to ensure date comparisons align with your organization's business timezone. Without timezone conversion, comparisons use UTC which may cause workflows to trigger at unexpected times.
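How the timezone step moves the 2-day leaver window, as an added example that emulates the four pipeline steps in Python rather than calling the product's transformers. The last_day attribute name, the sample identities and the YYYY-MM-DD rendering of "DateOnly" are assumptions.

```python
from datetime import datetime, timedelta, timezone

def embedded_date(now_utc, utc_offset, adjust_days):
    """Emulate NOW | UTC_TO_TIME_ZONE, offset | DATE_ADJUST_DAY, n | DATE_FORMAT, "DateOnly"."""
    sign = -1 if utc_offset.startswith("-") else 1
    hours, minutes = utc_offset.lstrip("+-").split(":")
    tz = timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))
    local = now_utc.astimezone(tz) + timedelta(days=adjust_days)
    return local.strftime("%Y-%m-%d")  # assumption: DateOnly renders as YYYY-MM-DD

def in_leaver_window(identity, now_utc, utc_offset):
    """is_active eq true and last_day le today and last_day gt (today - 2 days)."""
    today = embedded_date(now_utc, utc_offset, 0)
    two_days_ago = embedded_date(now_utc, utc_offset, -2)
    last_day = identity.get("last_day")  # hypothetical attribute name
    # Same-format date strings compare correctly as plain strings.
    return bool(identity.get("is_active") is True and last_day
                and two_days_ago < last_day <= today)

# Constructed sample identities; "last_day" is a hypothetical attribute name.
LEAVERS = [
    {"id": "x", "is_active": True, "last_day": "2024-01-15"},
    {"id": "y", "is_active": True, "last_day": "2024-01-16"},
    {"id": "z", "is_active": True, "last_day": "2024-01-17"},
    {"id": "w", "is_active": False, "last_day": "2024-01-16"},
]
# 03:00 UTC on Jan 17 is still 22:00 on Jan 16 at offset -05:00.
NOW = datetime(2024, 1, 17, 3, 0, tzinfo=timezone.utc)

def window_ids(utc_offset, now_utc=NOW):
    """Ids of the sample identities that fall inside the window."""
    return [i["id"] for i in LEAVERS if in_leaver_window(i, now_utc, utc_offset)]

if __name__ == "__main__":
    print("with -05:00 :", window_ids("-05:00"))
    print("UTC only    :", window_ids("+00:00"))
```

At the same instant the two offsets select different identities: evaluated in UTC, "z" is picked up a business day early and "x" has already left the window. A fixed offset such as "-05:00" does not follow daylight saving time.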
Related Documentation
For a conceptual overview of how conditions and transformers work together, see Understanding Conditions and Transformers.
Best Practices
Use Specific Conditions
Test with Dry Run
Before enabling a policy, use the Dry Run feature to preview which identities match your trigger conditions. This helps catch overly broad or restrictive conditions before they affect real accounts.
Combine Conditions Thoughtfully
Handle Edge Cases
Consider what happens when attributes are null or empty:
Troubleshooting
Condition Not Matching Expected Users
Check attribute names: Ensure the attribute name exactly matches the source attribute (case-sensitive)
Verify data types: String values need quotes, booleans don't
Review operator choice: co for contains vs. eq for exact match
Use Dry Run: Test the condition against specific identities
Condition Matching Too Many Users
Add specificity: Combine multiple conditions with and
Check for broad patterns: co "" matches all non-null values
Verify logical grouping: Ensure and/or precedence is correct
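The grouping and broad-pattern checks above can be reproduced offline with a small evaluator. This is an added example, not the product's own parser: it covers only the string, numeric and boolean operators from this page, the identities are constructed, and treating a null attribute as failing every comparison (including ne) is an assumption.

```python
import operator, re
# Tokens: quoted string | parenthesis | bare word (attribute, operator, number, bool)
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([()])|([^\s()"]+)')
COMPARE = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt, "le": operator.le,
           "gt": operator.gt, "ge": operator.ge, "co": lambda a, b: b in a,
           "sw": str.startswith, "ew": str.endswith}

def matches(condition, identity):
    """Evaluate a condition; precedence is not > and > or, as the page states."""
    toks = [("str", m[1]) if m[1] is not None else ("sym", m[2] or m[3])
            for m in TOKEN.finditer(condition)]
    peek_is = lambda word: bool(toks) and toks[0] == ("sym", word)
    def comparison():
        attr, op = toks.pop(0)[1], toks.pop(0)[1]
        actual = identity.get(attr)
        if op == "pr":
            return actual not in (None, "", [])
        kind, raw = toks.pop(0)
        if kind == "sym":  # unquoted value: boolean or number
            raw = raw == "true" if raw in ("true", "false") else float(raw)
        # Assumption: a null attribute fails every comparison, including ne.
        return actual is not None and COMPARE[op](actual, raw)
    def unary():
        if peek_is("not"):
            toks.pop(0)
            return not unary()
        if peek_is("("):
            toks.pop(0)
            value = either()
            toks.pop(0)  # closing parenthesis
            return value
        return comparison()
    def chain(word, operand, combine):
        value = operand()
        while peek_is(word):
            toks.pop(0)
            value = combine([value, operand()])  # the list forces both sides to be parsed
        return value
    either = lambda: chain("or", lambda: chain("and", unary, all), any)
    return either()

IDENTITIES = [  # constructed sample identities, not real data
    {"id": "a", "is_active": True, "department": "IT", "email": "a@company.com"},
    {"id": "b", "is_active": False, "department": "Engineering", "email": "b@company.com"},
    {"id": "c", "is_active": True, "department": "Sales", "email": None},
]

def matched_ids(condition):
    return [i["id"] for i in IDENTITIES if matches(condition, i)]
```

Without parentheses, `is_active eq true and department eq "IT" or department eq "Engineering"` also selects the inactive identity "b", because `and` binds before `or`; wrapping the `or` pair in parentheses leaves only "a".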
Timestamp Issues
Use ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ
Include timezone: Always use Z suffix for UTC
Check attribute type: Ensure the source attribute is a timestamp, not a string
Related Topics
Understanding Conditions and Transformers - Conceptual overview of conditions vs. transformers
Policies - Create and configure Lifecycle Management policies
Conditions and Actions - Configure workflow actions and their triggers
Attribute Transformers - Transform attribute values using formatter syntax
Transformer Reference - Complete list of transformation functions
System Attributes - Available system attributes for conditions
Dynamic Access Profiles - Formatter-based profile assignment
Attribute Mapping - Map source attributes to target attributes
