Good question — the design can work, but the supportable pattern is usually not “IIQ as authoritative for IIQ.”
- Connector choice (Global IIQ → Local IIQ)
Recommended pattern (cleanest):
• Keep SAP HR (or your HR truth) as the true authoritative source.
• Have Global IIQ publish an identity snapshot feed (UID, name, email, lifecycle status, key attributes, lastUpdated).
• Make Local IIQ authoritative source = that feed (File / JDBC / REST).
Why: authoritative sources should be the system-of-record for “person truth.” Chaining IIQ→IIQ as authoritative increases drift risk and makes correlation harder.
If you must connect Local directly to Global IIQ:
• Use Local IIQ Web Services connector to consume a stable endpoint exposed by Global IIQ (or middleware in front of it). The Web Services connector is the generic supported way to read/write via REST/JSON.
What I would avoid:
• Loopback connector for this architecture. It’s not typically used as a general “IIQ→IIQ authoritative feed” pattern and isn’t shipped by default in many installs
- Data segregation (Global clean; Local holds local entitlements/logs)
Yes — that’s a valid split if you define ownership rules:
• Global owns: identity core + lifecycle + immutable global UID.
• Local owns: local account links, local entitlements, access history, and governance for local apps.
Key guardrail: pick a single immutable correlation key (e.g., global employee/person ID) and use it everywhere. Otherwise you’ll create duplicates and messy merges
- Licensing
Licensing is contractual and can vary by EA wording.
Architecturally, you are running governance for the same population in two systems, so confirm with SailPoint Sales/CSM whether identities are counted once or twice for your agreement
- One challenge back to the design (often missed)
If the main driver is latency/connectivity to local AD/apps, consider keeping one global IIQ and placing the connector-side components close to the managed systems (e.g., IQService / local network reachability) instead of duplicating the governance brain.
Briefly
• Best practice: Global publishes a feed → Local consumes it as authoritative.
• If direct: Local uses Web Services connector to a stable Global endpoint.
• Avoid: Loopback-as-mastering pattern.
• Define ownership + immutable correlation key.
• Validate licensing with SailPoint.