TTechclick ⚡ XP 0% All lessons
SailPoint · Identity Governance · ArchitectureInteractive · L1 / L2 / L3

SailPoint IdentityIQ Architecture — Identity Warehouse, Connectors & IIQ vs ISC

SailPoint IdentityIQ is the leading on-premises identity governance platform. This lesson maps every component — the identity warehouse and Identity Cubes, the connector layer for application onboarding, the Lifecycle Manager provisioning engine, and the Compliance Manager — and shows how one access request flows end-to-end, plus when to stay on IIQ versus migrate to Identity Security Cloud.

📅 2026-06-20 · ⏱ 18 min · 5 infographics · live provisioning demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to SailPoint IdentityIQ architecture: the identity warehouse, Identity Cubes, application onboarding, connectors, lifecycle and compliance modules, and the on-prem IIQ vs cloud ISC choice — with a real provisioning flow and interview-ready framing.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

What IIQ is

Identity governance platform: warehouse, cubes, connectors.

 2

App onboarding

Authoritative sources, aggregation, connector types.

 3

Lifecycle & Compliance

Provisioning engine, approval workflows, certifications.

 4

Deploy & IIQ vs ISC

Sizing, clustering, VA connectors, cloud migration.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What stores every user's accounts, entitlements and risk score in IIQ?

Answered in What IIQ is.

2. Which IIQ module handles Joiners, Movers and Leavers provisioning?

Answered in Lifecycle & Compliance.

3. Which deployment is better for a bank with strict data-residency and heavy BeanShell customisation?

Answered in Deploy & IIQ vs ISC.

Most engineers think…

Most people describe SailPoint as 'an RBAC tool that runs access reviews'. That answer is too narrow for an interview and too shallow for a real deployment.

SailPoint IdentityIQ is a full identity governance platform: a central identity warehouse where every managed user gets an Identity Cube — a multi-dimensional record of every account, entitlement, role, risk score and policy violation across all connected applications. The connector layer aggregates that data from authoritative sources; the Lifecycle Manager provisions and deprovisions it; and the Compliance Manager certifies it. Understanding that architecture — and when to stay on IIQ versus move to Identity Security Cloud — is what separates a junior implementer from a senior one.

① What SailPoint IdentityIQ is — the identity warehouse and Identity Cubes

The single most important idea in IIQ: every managed user is represented by an Identity Cube. The Cube is not just an LDAP record — it is a consolidated view of everything IIQ knows about that person: which accounts they hold on which systems, which entitlements and roles they carry, their composite risk score, any open policy violations and the full history of access changes.

All Identity Cubes live in the identity warehouse — IIQ's central database (typically MySQL, Oracle or SQL Server). The warehouse is the source of truth for provisioning decisions, policy checks and certification campaigns. Data flows in from authoritative sources (HR systems like Workday or SAP HCM) and managed applications (Active Directory, SAP ERP, Salesforce, etc.) via the connector layer, and the warehouse is refreshed on a schedule or on-demand.

IIQ ships as a Java web application (WAR) deployed on an application server such as Apache Tomcat, backed by a relational database and optionally clustered for HA. The entire platform — governance policies, workflows, certifications, provisioning plans — is driven from this single codebase, customised via BeanShell scripts and XML rules.

Figure 1 — How the IIQ identity warehouse is populated
Data flows from authoritative sources and managed apps through aggregation into the Identity Cube, then drives policy checks and provisioning.How the IIQ identity warehouse is populatedAuth SourceHR feed (Workday)Aggregationconnector pullsaccountsIdentity Cubewarehouse recordPolicy CheckSoD + risk scoreProvisioningplan + workflow
Data flows from authoritative sources and managed apps through aggregation into the Identity Cube, then drives policy checks and provisioning.
Figure 2 — IIQ platform layers
IdentityIQ is a layered Java application — from the database and connector layer up to governance modules and the UI.IIQ platform layersCompliance ManagerCertifications, SoD, audit reports — continuous least privilegeLifecycle ManagerJoiner / Mover / Leaver workflows and provisioning plansIdentity WarehouseIdentity Cubes, risk scores, entitlement data — in SQL DBConnector LayerDirect, Virtual Appliance and custom REST connectors to apps
IdentityIQ is a layered Java application — from the database and connector layer up to governance modules and the UI.
Name the warehouse first in any interview

When asked 'how does IIQ work?', lead with the identity warehouse and Identity Cubes — not with certifications or the UI. The warehouse is the architectural foundation everything else depends on. Aggregation feeds it; Lifecycle Manager reads it to build provisioning plans; Compliance Manager queries it to drive certification campaigns.

Quick check · Q1 of 10 · Understand

What is an Identity Cube in SailPoint IdentityIQ?

Correct: c. An Identity Cube is IIQ's core data model for a single managed user — it consolidates accounts, entitlements, roles, risk score and policy violations from every connected application into one warehouse record.
👉 So far: IIQ = identity warehouse at the centre; every managed user gets an Identity Cube (accounts + entitlements + risk + violations); data flows in via connectors from authoritative sources.

② Application onboarding — connectors, aggregation and authoritative sources

Application onboarding is the process of connecting a source system so IIQ can read accounts and entitlements, and optionally write provisioning changes back. IIQ supports three connector models. Direct connectors (built-in) cover the most common targets: Active Directory, LDAP, JDBC databases, flat files, SAP, and many major SaaS platforms. Virtual Appliance (VA) connectors run as a lightweight on-prem agent so IIQ's cloud or DMZ-hosted engine can reach internal systems without opening inbound firewall ports. Custom / REST connectors use the Connector SDK or the REST Integration Framework for anything else.

Aggregation and authoritative sources

Once an application is onboarded, aggregation pulls all accounts and entitlements into the identity warehouse and links them to Identity Cubes. A designated authoritative source (commonly an HR feed) is the master for identity attributes like name, department and manager — when a record changes there, IIQ detects the change and triggers provisioning via a Joiner, Mover or Leaver event. Non-authoritative sources are managed applications: IIQ reads their accounts but defers to the authoritative source for identity truth.

Figure 3 — IIQ connector model — one warehouse, many apps
The identity warehouse aggregates from all connected applications; the same connector framework writes provisioning changes back.IIQ connector model — one warehouse, many appsIdentity WarehouseIdentity Cubes + rulesActive DirectorySAP ERPWorkday (HR)SalesforceVA connector (on-prem)REST connector (SaaS)
The identity warehouse aggregates from all connected applications; the same connector framework writes provisioning changes back.
🏛️
Identity Warehouse
tap to flip

The central SQL database that stores all Identity Cubes — each user's full picture of accounts, entitlements, roles, risk scores and policy violations across every connected application.

🧊
Identity Cube
tap to flip

A multi-dimensional record for one managed user: accounts, entitlements, roles, risk score, policy violations and access history — the unit IIQ governs against.

🔌
Connector Layer
tap to flip

Direct, Virtual Appliance and REST connectors that pull account/entitlement data in from applications and push provisioning changes out. One framework for all targets.

⚙️
Lifecycle Manager
tap to flip

The provisioning engine for Joiner, Mover and Leaver events — drives approval workflows, builds provisioning plans, and submits them to connectors or manual work queues.

Treating every application as an authoritative source

Only HR (or a master IdM) should be flagged as the authoritative source for identity attributes like name, department and manager. If you mark Active Directory as authoritative, IIQ will trust AD over HR — and when someone's department changes in Workday, IIQ will see a conflict, defer to AD, and the Mover workflow will never fire. One authoritative source per attribute, period.

Quick check · Q2 of 10 · Apply

Your company's IIQ servers sit in a DMZ but the HR system is on a private LAN with no inbound internet access. Which connector approach works?

Correct: b. Virtual Appliance connectors run as lightweight agents inside the private network and relay aggregation and provisioning traffic outbound to IIQ — no inbound firewall hole needed. Direct JDBC from the DMZ cannot reach the private LAN.
👉 So far: Application onboarding = aggregation via direct / Virtual Appliance / REST connectors; one HR application is marked as the authoritative source for identity attributes; all others are managed apps.

③ Lifecycle Manager and Compliance Manager — provisioning and certifications

IIQ's two flagship modules handle the two halves of identity governance. Lifecycle Manager is the provisioning engine for Joiners (new hires), Movers (role changes) and Leavers (terminations). It drives approval workflows, generates provisioning plans (a structured list of account create / modify / delete operations), and submits them to target applications via the connector layer. Plans are executed directly (if the connector supports write-back) or queued as manual work items if the target is unmanaged.

Compliance Manager handles the other half: periodic and triggered access certifications (also called access reviews), Segregation of Duties (SoD) policy enforcement, and audit reporting. Certifiers (managers or application owners) see a campaign workqueue in the IIQ UI and make Approve / Revoke / Delegate decisions; revocations feed directly back into Lifecycle Manager for automated removal.

Together, the two modules enforce the principle of least privilege continuously: Lifecycle Manager grants only the right access at the right time, and Compliance Manager removes excess access that has drifted in.

Figure 4 — Joiner provisioning flow end-to-end
When a new hire record appears in the authoritative source, IIQ detects the change and drives provisioning through the full lifecycle workflow.Joiner provisioning flow end-to-endHR Eventnew hire in WorkdayAggregationidentity cube createdRole Assignbirthright rolesmatchedApprovalmanager approves planProvisionedaccounts created on AD
When a new hire record appears in the authoritative source, IIQ detects the change and drives provisioning through the full lifecycle workflow.

Priya at a Mumbai NBFC faces this

Newly onboarded employees are getting accounts created but with no entitlements, so they cannot log in to any application on day one.

Likely cause

The Joiner workflow provisioning plan is being generated correctly but the birthright role assignments are not triggering because the HR feed is not flagged as the authoritative source for the 'department' attribute.

Diagnosis

Open IIQ ▸ Application Definition ▸ HR Feed ▸ Schema — 'department' attribute is not marked as authoritative. Role selector rules match on department, so no department = no roles assigned.

Application ▸ Schema ▸ authoritative attribute flags
Fix

Mark 'department' (and 'jobCode', 'location') as authoritative in the HR application schema. Re-run aggregation. The role assignment rule will now fire correctly and birthright roles will populate the provisioning plan for all new hires.

Verify

Create a test hire record in the HR feed, trigger aggregation, confirm the Identity Cube shows the correct department and that the Joiner workflow generates a provisioning plan with the expected birthright roles and AD group memberships.

▶ Watch a Joiner event provision a new hire end-to-end

How a new hire record in Workday becomes an active AD account. Press Play for the healthy path, then Break it to see the classic authoritative-source failure.

① HR FeedA new hire record appears in Workday. The IIQ scheduler detects the delta and triggers an HR aggregation run.
② Cube CreatedThe aggregation task reads the record, creates an Identity Cube in the warehouse with name, department, jobCode and manager populated.
③ Role MatchLifecycle Manager evaluates role-assignment rules — the user's department and jobCode match the 'Finance Analyst' birthright role, which includes AD group membership.
④ Approved + ProvisionedAn auto-approve workflow fires (no manual step for birthright), IIQ builds the provisioning plan and the AD connector creates the account and group membership.
Press Play to step through the healthy Joiner flow. Then press Break it.
Quick check · Q3 of 10 · Analyze

A user's manager has just approved an access request in IIQ. What happens next?

Correct: c. After approval, Lifecycle Manager assembles a provisioning plan — the structured set of account operations — and submits it to the appropriate connector. If the connector supports write-back the change is applied immediately; otherwise a manual work item is queued.
👉 So far: Lifecycle Manager = Joiner/Mover/Leaver provisioning through approval workflows and provisioning plans; Compliance Manager = access certifications, SoD policy and audit; revocations feed back to Lifecycle Manager automatically.

④ Deploying IIQ — sizing, clustering, and when to choose ISC instead

A production IIQ deployment has at least two application server nodes behind a load balancer for HA, a clustered database (MySQL or Oracle RAC are common), and a shared file store for documents and log exports. The IIQ application server nodes are stateless (session state in the database), so horizontal scaling is straightforward. Virtual Appliance nodes live inside the corporate network for direct connector reach; the IIQ servers can sit in a DMZ or private cloud.

IIQ vs Identity Security Cloud (ISC)

IIQ is the right choice when: the organisation needs deep BeanShell / Java customisation, has on-prem authoritative sources (HR mainframes, legacy LDAP), or has strict data-residency requirements that prohibit a multi-tenant SaaS. ISC (SailPoint's SaaS platform, built on the Atlas architecture) is the right choice when: the organisation prefers a fully managed, auto-upgraded platform, can express governance logic in declarative configuration rather than custom code, and is willing to trade customisation depth for lower operational overhead. SailPoint itself actively encourages migration from IIQ to ISC, noting typical TCO reductions of 10–30%. Ten to thirty percent of heavily customised IIQ logic may need redesign in ISC because some BeanShell extension points do not exist in the SaaS model.

Figure 5 — IdentityIQ (on-prem) vs Identity Security Cloud (SaaS)
The two platforms share the same identity model and connectors but differ fundamentally in deployment, customisation and operational overhead.IdentityIQ (on-prem) vs Identity Security Cloud (SaaS)IdentityIQ (IIQ)Customer-hosted on Tomcat + SQL DBDeep BeanShell + JavaVirtual Appliances for internalBest for regulated, on-prem-heavyIdentity Security Cloud (ISC)SailPoint-managed SaaS (AtlasDeclarative config + REST APIsAuto-upgraded, no serverBest for cloud-first, lower TCO
The two platforms share the same identity model and connectors but differ fundamentally in deployment, customisation and operational overhead.
Confirm IIQ vs ISC from the requirements, not the vendor deck

Ask two questions before the architecture decision: (1) Does the org have custom BeanShell rules or Java connectors that would not port cleanly? (2) Does a regulator require data to stay inside a specific geography? A 'yes' to either is a strong signal to stay on IIQ. If the answer is 'we mostly use SaaS apps and want auto-upgrades', ISC is the better choice — and SailPoint's own migration path is well-documented.

Quick check · Q4 of 10 · Evaluate

An organisation runs a mainframe-based HR system with strict EU data-residency rules. Which SailPoint platform is the better fit?

Correct: b. IIQ is the right choice for deep BeanShell customisation, on-prem authoritative sources, and strict data-residency. ISC is SaaS multi-tenant, which conflicts with EU data-residency requirements and may not support mainframe connectors natively.
👉 So far: IIQ on-prem suits deep customisation and data-residency; ISC SaaS suits cloud-first orgs willing to use declarative config; they share the same identity model and connectors, making migration feasible but not trivial.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which IIQ module runs Joiner, Mover and Leaver provisioning?

Correct: a. Lifecycle Manager is IIQ's provisioning engine — it handles all JML events, drives approval workflows, builds provisioning plans and submits them to connectors.
Q6 · Understand

Why is one application designated as the 'authoritative source' in IIQ?

Correct: c. The authoritative source (usually HR) is the master for identity attributes. IIQ trusts its data over any managed application, ensuring that role-assignment rules and Mover workflows fire on accurate, HR-driven attributes.
Q7 · Apply

A manager revokes an entitlement during an access certification campaign. What happens next in IIQ?

Correct: d. Certification revocations are automatically converted into removal provisioning plans by Lifecycle Manager — if the connector supports write-back, the entitlement is removed without manual admin intervention.
Q8 · Analyze

IIQ is reporting that a user's department is blank on their Identity Cube despite the HR feed containing the value. Most likely cause?

Correct: b. If an attribute is not flagged as authoritative in the application schema, IIQ will not promote its value to the Identity Cube. Mark the attribute authoritative and re-run aggregation to populate the Cube.
Q9 · Evaluate

An interviewer asks: 'How does IIQ differ from ISC technically?' Best answer?

Correct: c. IIQ is on-prem, customer-hosted, deep BeanShell customisation. ISC is SaaS, auto-managed, declarative. They share the same identity model and connector framework, which is why migration is feasible — but not all BeanShell logic ports cleanly.
Q10 · Evaluate

What is the primary scaling strategy for IIQ to handle more aggregation and provisioning throughput?

Correct: a. IIQ application server nodes are stateless (session state lives in the database), so adding nodes behind a load balancer is the standard horizontal scaling approach. The database is separately clustered for HA.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the identity warehouse and why is it the architectural centre of SailPoint IdentityIQ? Then compare with the expert version.

Expert version: The identity warehouse is IIQ's central relational database — it stores every Identity Cube (one per managed user), each containing all accounts, entitlements, roles, risk scores and policy violations from every connected application. It is the architectural centre because every other function — Lifecycle Manager provisioning, Compliance Manager certifications, SoD policy checks, role-assignment rules, and audit reporting — reads from and writes back to this single warehouse. Without the warehouse there is nothing to govern against.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Identity Warehouse
The central SQL database in IIQ that stores all Identity Cubes — the single source of truth for provisioning decisions, policy checks and certification campaigns.
Identity Cube
A multi-dimensional record for one managed user, aggregating all accounts, entitlements, roles, risk score and policy violations from every connected application.
Authoritative Source
The application (usually HR) whose identity attributes IIQ trusts as the master record — name, department, manager and jobCode all flow from here to drive role assignments and JML events.
Lifecycle Manager
The IIQ module that handles Joiner, Mover and Leaver events — builds approval workflows and provisioning plans, and submits them to connectors for execution.
Compliance Manager
The IIQ module that runs access certification campaigns, enforces SoD policies, and generates audit reports; revocations feed back automatically to Lifecycle Manager.
Virtual Appliance (VA)
A lightweight on-premises agent that relays aggregation and provisioning traffic between IIQ servers (which may be in a DMZ or cloud) and internal target systems, with no inbound firewall exposure.
Provisioning Plan
A structured list of account operations (create, modify, delete, enable/disable) that Lifecycle Manager builds from approved requests and submits to the appropriate connectors.
Segregation of Duties (SoD)
A policy in Compliance Manager that flags or blocks combinations of entitlements a single user should not hold simultaneously — e.g. the ability to create a supplier and approve payments to them.
Identity Security Cloud (ISC)
SailPoint's SaaS identity governance platform built on the Atlas architecture — shares the IIQ identity model and connector framework but uses declarative configuration instead of BeanShell.
Aggregation
The IIQ process of reading all accounts and entitlements from a connected application and linking them to Identity Cubes in the warehouse — the first step in governing any application.

📚 Sources

  1. SailPoint — IdentityIQ product page and documentation. documentation.sailpoint.com/identityiq
  2. SailPoint — Identity Warehouse: Identity Cubes, attributes and risk scores in IdentityIQ. documentation.sailpoint.com/identityiq/help/identity_management/identity_warehouse.html
  3. SailPoint — Why you should migrate from IdentityIQ to SailPoint Identity Security Cloud. sailpoint.com/blog/why-you-should-migrate-from-identityiq-to-sailpoints-identity-security-cloud
  4. Identity Logic Consulting — SailPoint IdentityIQ vs Identity Security Cloud vs Saviynt EIC: A Practitioner's Comparison. identitylogicconsulting.com
  5. EnH iSecure — SailPoint IdentityIQ Production Architectures (2025). enhisecure.com/isecureblog/2025/03/25/sailpoint-identityiq-prod-architectures/
  6. Heptarc — Architecture of SailPoint IdentityIQ: components, connectors and deployment. heptarc.com/architecture-of-sailpoint-identityiq/

What's next?

Got the architecture? Next, go deep on SailPoint access certifications — how the review campaign works, what certifiers see, how decisions flow back to provisioning, and how to cut your remediation time in half.

Next · All interview lessons → Practice on exam.techclick.in →