Trigger Lifecycle Events Automatically Without Identity Refresh

Hi everyone,

When a new user is created in an HRMS source, I want the Joiner lifecycle event to trigger automatically and provision accounts without running the Identity Refresh task.

Is this possible out of the box in IIQ? If not, what is the recommended approach (custom workflows, rules, or real-time triggers) to achieve this behavior?

Thank you.

Hello @vsuddala, in IdentityIQ, Joiner events are triggered only after IIQ updates the identity data. You don’t need to run anything manually—by scheduling HRMS aggregation and Identity Refresh tasks, new users will be picked up automatically and provisioning will happen as expected, so please check the scheduled tasks configuration.

3 Likes

You can add refresh options such as processTriggers to the XML of your aggregation task.

Hi @vsuddala
As per my understanding, the answer is no; this is not possible out of the box through a single HRMS aggregation task alone.

By design, an Aggregation Task is responsible for pulling data and creating/updating the Identity Cube, while the Identity Refresh Task (with “Process Events” enabled) is the engine that evaluates lifecycle states and fires the Joiner event.

1 Like

Hi @phodgdon

Are you indicating that this process trigger will execute events for each identity?

You have the ability to schedule a Refresh Job, which is an automated process.

The Aggregation Task is specifically structured to obtain data and support the formation or modification of the Identity Cube.

On the other hand, when the “Process Events” feature is enabled for the Identity Refresh Task, it functions as the tool that evaluates lifecycle statuses and initiates the Joiner event.

Therefore, we kindly request that you schedule the refresh job.

I think what Arava has mentioned is correct. Once the aggregation is done from your HRMS source, you need to schedule the refresh task with the process events option enabled, and other options as per the requirement. Without that, JML events can’t be triggered.

For any identity that is updated as part of the aggregation where the data is changing.

Out of the box, a single HRMS aggregation task cannot trigger the Joiner lifecycle event by itself. By design, the aggregation task only pulls data from the source and creates or updates the Identity Cube in IIQ. Lifecycle evaluation (Joiner, Mover, Leaver) does not happen during aggregation. The Identity Refresh task, specifically with “Process Events” enabled, is the component that evaluates lifecycle conditions and fires the Joiner event. Without running Identity Refresh (or an equivalent custom process), Joiner-based provisioning will not be triggered automatically.

Possible ways are:

  1. Run the Identity Refresh Task with process events enabled.
  2. Write custom code that will trigger the Identity Refresh with process events.

1 Like

We have a bunch of the refresh options set in our aggregation tasks. It’s not really documented, but does work.

We don’t normally run identity refresh tasks.

2 Likes

That is typically how we do our implementations with customers.

Hello @vsuddala is it resolved?

This is an interesting point, @paul_hilchey

From the UI, I only see the “Refresh assigned and detected roles” option on the aggregation task. But you mean all the other options that are available on the refresh task can be added to the aggregation task from debug, right?

Yes, that’s right. For example:

```xml
<entry key="checkPolicies" value="true"/>
<entry key="correlateEntitlements" value="true"/>
<entry key="processTriggers" value="true"/>
<entry key="promoteAttributes" value="true"/>
<entry key="provision" value="true"/>
<entry key="provisionIfChanged" value="true"/>
<entry key="refreshManagerStatus" value="true"/>
<entry key="refreshRoleMetadata" value="true"/>
<entry key="synchronizeAttributes" value="true"/>
```

1 Like
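
Because these options are set only through the debug page and do not show in the task UI, it helps to be able to list which tasks carry them. The script below is an added example, not part of the thread and not SailPoint code: it reads exported TaskDefinition XML and reports which of the refresh options listed above are enabled per task. The sample XML is constructed, and the `sailpoint` / `TaskDefinition` / `Attributes` / `Map` layout, the task names, and the choice of which options count as side-effecting are assumptions.

```python
import xml.etree.ElementTree as ET

# Refresh option keys quoted in the thread above.
REFRESH_OPTIONS = {
    "checkPolicies", "correlateEntitlements", "processTriggers",
    "promoteAttributes", "provision", "provisionIfChanged",
    "refreshManagerStatus", "refreshRoleMetadata", "synchronizeAttributes",
}
# Assumption: options this audit treats as firing events or provisioning.
SIDE_EFFECTS = {"processTriggers", "provision", "provisionIfChanged"}

# Constructed sample; the element layout is an assumption about the export.
SAMPLE = """<sailpoint>
  <TaskDefinition name="HRMS Aggregation" type="AccountAggregation">
    <Attributes><Map>
      <entry key="applications" value="HRMS"/>
      <entry key="processTriggers" value="true"/>
      <entry key="provision" value="true"/>
      <entry key="promoteAttributes" value="false"/>
    </Map></Attributes>
  </TaskDefinition>
  <TaskDefinition name="AD Aggregation" type="AccountAggregation">
    <Attributes><Map>
      <entry key="applications" value="AD"/>
    </Map></Attributes>
  </TaskDefinition>
</sailpoint>"""

def audit_tasks(xml_text):
    """Return {task name: {"enabled": [...], "side_effects": [...]}}."""
    root = ET.fromstring(xml_text)
    report = {}
    for task in root.iter("TaskDefinition"):
        # Keep only known refresh options whose value is literally "true".
        enabled = sorted(
            e.get("key") for e in task.iterfind("./Attributes/Map/entry")
            if e.get("key") in REFRESH_OPTIONS
            and (e.get("value") or "").strip().lower() == "true"
        )
        report[task.get("name")] = {
            "enabled": enabled,
            "side_effects": [k for k in enabled if k in SIDE_EFFECTS],
        }
    return report

if __name__ == "__main__":
    for name, info in audit_tasks(SAMPLE).items():
        print(name, info)
```
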

Thank you @paul_hilchey

If SailPoint isn’t clearly documented, we’re essentially flying blind, which creates a significant risk. It would be better to assess through rigorous testing—rather than waiting for problems to appear later.

1 Like

Indeed, but you become accustomed to that after working with IdentityIQ for a while…:man_shrugging:

2 Likes

@vsuddala You have a couple of options here:

  1. You can schedule your aggregation and refresh task to run in sequence automatically.
  2. You can set the refresh options in the aggregation task as well, as Paul said above.

If you are going with #2, this will work if your refresh is based on attributes directly. However, if you have any time-specific attributes or triggers which you are calculating locally and don’t get this detail via aggregation, then you need to run the refresh task or trigger it using a custom rule.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react(:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

@vsuddala LCM events trigger as part of the identity refresh process. I would like to understand why you do not want to run the Identity Refresh task.

You can create a sequential task - add the HRMS source aggregation and Identity Refresh task in that. In your refresh task, select the “Refresh only identities marked as needing refresh during aggregation” option, so only updated identity cubes will be refreshed.

Hope this helps.