Identity with 1.8m entitlements

rohit_jaiswal1 · May 22, 2025, 12:28pm

Which IIQ version are you inquiring about?

8.4p1

Share all details about your problem, including any error messages you may have received.

hello we have an inactive user who has 1.8m entitlements for Active Directory, they are repeated over several thousand times.

issue is i only see this on entitlement section on identity. they are not visible on AD link or identity debug.

Could you please share insights what could have caused this, Also how can this be fixed?

i have already tried deleting AD link and reaggregating , doesn’t work
i have tired refresh identity with entitlement refresh option, it gets errored out with stack overflow error

haideralishaik · May 22, 2025, 12:37pm

hi @rohit_jaiswal1

I would check below:

1. Check and Cancel Stuck Identity Requests

Use the Identity Request object in the debug page to search for requests in an “executing” or “pending” state for the affected user.
Cancel or mark them as “completed” manually or via a script.

2. Clean Up Sticky Entitlements

Use the Remove Unused Attribute Assignments task or a custom rule to remove entitlements that are no longer valid.
You can also write a BeanShell rule to iterate through and remove entitlements from the identity object directly.

Resolving Sticky Entitlements: Common Causes and Solutions - IdentityIQ (IIQ) / IIQ Community Knowledge Base - SailPoint Developer Community

3. Break Down the Refresh Task

Instead of refreshing the entire identity, try refreshing in smaller parts (e.g., one link at a time or specific entitlement types).
Alternatively, use a custom task to batch process entitlements in chunks to avoid stack overflow.

4. Database Cleanup

As a last resort, if the entitlements are not removable via UI or tasks, you may need to work with your DBAs to clean up the spt_identity_entitlement or related tables directly.

pravin_ranjan · May 22, 2025, 1:15pm

@rohit_jaiswal1 you mean in identity entitlement ? if that so you can delete directly from spt_identity_entitlement table where you can add application + identity_id checks or create a rule and pass the identity in list and delete all it’s identity entitlement objects.

Aggregation + Refresh with entitlement will re-create again so you don’t need to worry.

system · July 21, 2025, 1:16pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting Errors in the entitlement tab When users access was removed from Active directory IIQ Discussion and Questions identityiq	4	834	October 15, 2023
Sticky entitlement ISC Discussion and Questions	6	3317	July 19, 2023
Cleanup disconnected entitlements from the account IIQ Discussion and Questions identityiq , provisioning , entitlements	11	1985	January 27, 2024
AD Entitlement Provisioning to Inactive Identities ISC Discussion and Questions identity-security-cloud , provisioning , access-requests , entitlements	5	882	September 19, 2023
This entitlement does not exist on the account IIQ Discussion and Questions identityiq , entitlements	4	1119	June 18, 2024