- A business role with automatic assignments based on team membership
- An IT role that is assigned to the business role
- An entitlement that is assigned to the IT role
- An identity in the team the business role requires, with the following Links:
  - IdentityIQ Loopback
  - Active Directory (standard account)
  - Active Directory (special account)
Situation
If I change the team of the identity and call `Refresh Identity Cube`, by the time it reaches the Mover trigger, the business and IT roles will be removed from the identity, but not all of the entitlements related to the role.
I was able to reproduce it only if there were more than one active Active Directory account linked to the identity.
Question
Has anyone faced this problem? Does anyone know how it can be resolved?
Hey @zoltans, yes, this is a known behavior in IdentityIQ 8.4 when the Mover workflow runs against identities with multiple Active Directory links. During the “Refresh Identity Cube” process, SailPoint sometimes only recalculates entitlements tied to the primary account link.
A few things to check and try:
- Verify role-to-entitlement mappings: Make sure the entitlements are directly linked to the IT role, not dynamically inferred from another attribute.
- Look at the Mover workflow triggers: In some environments, the refresh event removes the roles before the entitlement cleanup task completes, leaving orphaned assignments. You can modify or extend the workflow to trigger RemoveEntitlement for all linked accounts.
- Test with the “Perform Maintenance Tasks” option in debug mode: That can force a recalculation across all linked accounts instead of just the default.
- Optional script-based fix: Some admins add a custom rule that loops through all Link objects for the identity and synchronizes entitlements explicitly after team changes.
I’ve faced a similar scenario while working through some SailPoint IdentityIQ Engineer exam practice questions on CertBoosters. It’s a perfect example of how multi-account logic can impact role-to-entitlement cleanup in IdentityIQ.
If you share your specific Mover workflow configuration (especially how the account correlation rule is defined), I can help pinpoint whether it’s missing a post-refresh call.
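For the script-based fix mentioned in the answer above (a rule that walks every Link of the identity and removes the role's entitlements explicitly, instead of only the primary account), here is an illustrative IdentityIQ rule body. It is an added example, not code from either poster and not SailPoint's own implementation. The rule-scope variables `context`, `identity` and `log` are the standard ones IdentityIQ passes to rules; the application name, the `memberOf` group DN, the `roleEntitlements` map and the `buildRemovalPlan` helper are assumptions made for the example.

```java
// Illustrative IdentityIQ rule body (BeanShell, Java syntax). Added example:
// not the posters' code and not a SailPoint-provided rule.
// Assumes the standard rule-scope variables `context` (SailPointContext),
// `identity` (Identity) and `log` are present.
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Util;

// Entitlements the removed IT role granted, keyed by application name and then
// by the entitlement attribute in that application's account schema.
// Constructed for this example (hypothetical app name and group DN); in a real
// Mover workflow you would derive it from the IT role's Profiles before the
// role is dropped from the identity.
Map roleEntitlements = new HashMap();
Map adAttrs = new HashMap();
adAttrs.put("memberOf", Util.asList("CN=Team-Share,OU=Groups,DC=example,DC=com"));
roleEntitlements.put("Active Directory", adAttrs);

/**
 * Build one Modify request per Link of each affected application (standard and
 * special AD accounts alike), not just the first link. Only links that
 * currently hold the value get an AttributeRequest, so re-running the rule on
 * an already-clean identity produces an empty plan.
 */
public ProvisioningPlan buildRemovalPlan(Identity identity, Map roleEntitlements) {
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    List links = identity.getLinks();
    if (links == null) {
        return plan;
    }
    for (Object o : links) {
        Link link = (Link) o;
        // Links on applications the role never touched (e.g. IdentityIQ
        // Loopback) and disabled accounts are skipped.
        Map attrMap = (Map) roleEntitlements.get(link.getApplicationName());
        if (attrMap == null || link.isDisabled()) {
            continue;
        }
        AccountRequest acct = new AccountRequest(AccountRequest.Operation.Modify,
                link.getApplicationName(), null, link.getNativeIdentity());
        for (Object attrName : attrMap.keySet()) {
            List current = Util.asList(link.getAttribute((String) attrName));
            for (Object value : (List) attrMap.get(attrName)) {
                if (current != null && current.contains(value)) {
                    acct.add(new AttributeRequest((String) attrName,
                            ProvisioningPlan.Operation.Remove, value));
                }
            }
        }
        if (acct.getAttributeRequests() != null && !acct.getAttributeRequests().isEmpty()) {
            plan.add(acct);
        }
    }
    return plan;
}

ProvisioningPlan plan = buildRemovalPlan(identity, roleEntitlements);
if (plan.getAccountRequests() != null && !plan.getAccountRequests().isEmpty()) {
    log.info("Removing role entitlements left on all links: " + plan.toXml());
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan); // compiles the plan and sends it to the connectors
}
```

Before wiring this into the Mover workflow, replace `provisioner.execute(plan)` with `provisioner.compile(plan)` and inspect the resulting ProvisioningProject in the logs for a test identity with two AD links; you should see one AccountRequest per link. The example deliberately does not check whether another role the identity still holds also grants the same value, so add that check (against the remaining assigned and detected roles) before removing anything in a shared-group environment.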