Unexpected Work Items from Expired Mitigated Policy Violations – Seeking Insights

Which IIQ version are you inquiring about?

IdentityIQ 8.4p2

Good morning,

We’re currently using IdentityIQ Version 8.4p2 and encountering an issue with policy violations that I’d appreciate some community insight on.

We’ve noticed that work items are being generated for policy violations where the “Mitigated Until” date has already expired. In some cases, the associated user profiles have been deleted (e.g., users who left the organisation before the expiry date). Despite this, the Policy Status remains “Open”, while the Active State is “Inactive”, and no corresponding workflow case exists.

This is causing confusion for approvers who receive these work items, even though the violations should no longer be actionable. We would appreciate any input on:

  • Whether others have encountered similar behaviour with expired mitigated violations generating work items.

  • Known causes or misconfigurations that could lead to this.

  • Recommended approaches to prevent such work items from being triggered.

  • Best practices for handling violations linked to deleted user profiles.

Any guidance or shared experiences would be greatly appreciated!

Thanks in advance,
Ashley Sneddon

Hey Ashley,

Yeah, we’ve seen something similar on 8.3 and 8.4 – violations still spitting out work items even after the mitigation expired or the user was already terminated. A couple of things we figured out:

  • Status vs. workflow mismatch – once the violation is “Inactive” it shouldn’t create a work item, but if the workflow case was never properly closed (or got cleaned up), IIQ will still flag it. That’s why you see “Open” with no workflow attached.

  • Deleted users – if the identity is gone before the violation closed out, it kind of leaves a “dangling” record that keeps showing up. We ended up adding a nightly cleanup job (script/rule) to clear those.

  • Mitigated Until date – IIQ doesn’t always re-evaluate properly when the date expires, so unless you’ve got a task that re-indexes/recalculates policy violations, it can stay in limbo. Running the Policy Violation Refresh task helped us.

  • Config check – make sure your Policy Refresh task and Violation Remediation settings aren’t leaving expired items hanging around.

What worked for us:

  • Scheduled policy violation refresh + cleanup task.

  • Added a check in the workflow to auto-close if the user is inactive/deleted.

  • Trained approvers to ignore any “inactive” items until we rolled out the cleanup.

Not perfect out of the box, but with some maintenance jobs in place it behaves a lot better.

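A nightly cleanup rule of the kind described in the reply, as an added example that is not code from the post or from SailPoint. It is written as an IIQ rule body in BeanShell (Java syntax), where `context` and `log` are the variables IIQ injects into every rule; the PolicyViolation, MitigationExpiration and CertifiableDescriptor calls are taken from the public IIQ object model and are assumptions to verify against your 8.4p2 instance. It only reports until `dryRun` is set to false.

```java
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.CertifiableDescriptor;
import sailpoint.object.Identity;
import sailpoint.object.MitigationExpiration;
import sailpoint.object.PolicyViolation;
import sailpoint.object.QueryOptions;

boolean dryRun = true;   // report only; set to false to actually deactivate
int scanned = 0, orphaned = 0, expired = 0;

// True when the identity holds a mitigation for this violation's policy and
// constraint whose "Mitigated Until" date is already past (assumed data model).
boolean mitigationExpired(Identity id, PolicyViolation pv) {
    List exps = id.getMitigationExpirations();
    if (exps == null) return false;
    for (Object o : exps) {
        MitigationExpiration me = (MitigationExpiration) o;
        CertifiableDescriptor cd = me.getCertifiableDescriptor();
        if (cd == null || me.getExpiration() == null) continue;
        if (pv.getPolicyName().equals(cd.getPolicyName())
                && pv.getConstraintName().equals(cd.getConstraintName())
                && me.getExpiration().before(new Date())) return true;
    }
    return false;
}

// Walk ids so each violation is loaded and released individually; the active
// flag is not filtered, so "Open but Inactive" records are visited as well.
Iterator ids = context.search(PolicyViolation.class, new QueryOptions(), "id");
while (ids.hasNext()) {
    String vid = (String) ((Object[]) ids.next())[0];
    PolicyViolation pv = context.getObjectById(PolicyViolation.class, vid);
    if (pv == null || (pv.getStatus() != null && pv.getStatus() != PolicyViolation.Status.Open)) continue;
    scanned++;
    Identity id = pv.getIdentity();
    boolean dangling = (id == null || id.isInactive());   // deleted or terminated user
    boolean lapsed = !dangling && mitigationExpired(id, pv);
    if (dangling) orphaned++; else if (lapsed) expired++;
    if ((dangling || lapsed) && !dryRun) {
        pv.setActive(false);   // no further work items for this violation
        context.saveObject(pv);
        context.commitTransaction();
    }
    context.decache(pv);
}
String summary = "scanned=" + scanned + " orphaned=" + orphaned + " expired=" + expired + " dryRun=" + dryRun;
log.info(summary);
return summary;
```

Run it from a scheduled Run Rule task after the Policy Violation Refresh so the refresh has already re-evaluated what it can, and compare the dry-run counts with what approvers are seeing before switching it live.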