I would check below:
1. Check and Cancel Stuck Identity Requests
- Use the Identity Request object in the debug page to search for requests in an “executing” or “pending” state for the affected user.
- Cancel or mark them as “completed” manually or via a script.
2. Clean Up Sticky Entitlements
- Use the Remove Unused Attribute Assignments task or a custom rule to remove entitlements that are no longer valid.
- You can also write a BeanShell rule to iterate through and remove entitlements from the identity object directly.
3. Break Down the Refresh Task
- Instead of refreshing the entire identity, try refreshing in smaller parts (e.g., one link at a time or specific entitlement types).
- Alternatively, use a custom task to batch process entitlements in chunks to avoid stack overflow.
4. Database Cleanup
- As a last resort, if the entitlements are not removable via UI or tasks, you may need to work with your DBAs to clean up the
spt_identity_entitlementor related tables directly.