Identity with 1.8m entitlements

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

Which IIQ version are you inquiring about?

8.4p1

Share all details about your problem, including any error messages you may have received.

hello we have an inactive user who has 1.8m entitlements for Active Directory, they are repeated over several thousand times.

issue is i only see this on entitlement section on identity. they are not visible on AD link or identity debug.

Could you please share insights what could have caused this, Also how can this be fixed?

i have already tried deleting AD link and reaggregating , doesn’t work
i have tired refresh identity with entitlement refresh option, it gets errored out with stack overflow error

2

hi @rohit_jaiswal1

I would check below:

1. Check and Cancel Stuck Identity Requests

  • Use the Identity Request object in the debug page to search for requests in an “executing” or “pending” state for the affected user.
  • Cancel or mark them as “completed” manually or via a script.

2. Clean Up Sticky Entitlements

  • Use the Remove Unused Attribute Assignments task or a custom rule to remove entitlements that are no longer valid.
  • You can also write a BeanShell rule to iterate through and remove entitlements from the identity object directly.

Resolving Sticky Entitlements: Common Causes and Solutions - IdentityIQ (IIQ) / IIQ Community Knowledge Base - SailPoint Developer Community

3. Break Down the Refresh Task

  • Instead of refreshing the entire identity, try refreshing in smaller parts (e.g., one link at a time or specific entitlement types).
  • Alternatively, use a custom task to batch process entitlements in chunks to avoid stack overflow.

4. Database Cleanup

  • As a last resort, if the entitlements are not removable via UI or tasks, you may need to work with your DBAs to clean up the spt_identity_entitlement or related tables directly.
3

@rohit_jaiswal1 you mean in identity entitlement ? if that so you can delete directly from spt_identity_entitlement table where you can add application + identity_id checks or create a rule and pass the identity in list and delete all it’s identity entitlement objects.

Aggregation + Refresh with entitlement will re-create again so you don’t need to worry.