WedaCon Refresh Plugin

September 23, 2025

While SailPoint IdentityIQ (IIQ) is a powerful platform for identity and access management, one functionality it lacks out of the box is the ability to refresh or aggregate a single identity on demand. By default, IIQ is optimized for bulk operations, which can be slow or cumbersome when only one identity needs updating.

At WedaCon Informationstechnologien GmbH, we recognized this gap and developed a custom IIQ plugin, enabling tailored, on-demand operations for individual identities. This plugin gives administrators and external systems immediate, precise, and auditable control over identity refresh and aggregation.

The Challenge

SailPoint IIQ provides powerful aggregation and refresh functionality, but by default it’s geared toward bulk operations. For many organizations, this creates friction:

  • Delayed updates: Changes to a single user (like manager changes or role updates) may not be reflected immediately.
  • Limited integration: External systems like HR or Active Directory cannot easily trigger individual identity updates programmatically.
  • Operational overhead: Manual refreshes or ad-hoc scripts are error-prone and hard to audit.

Organizations needed a solution that allows precise, fast, and auditable identity operations for single users, integrated directly into modern workflows and external systems.

The Goal

The RefreshPlugin extends IIQ with REST endpoints for:

  1. Refreshing a single identity (attributes, policies, scorecards, entitlements).
  2. Aggregating a single identity (roles, entitlements, scope correlation).
  3. Combined aggregation and refresh in one call.

Key benefits:

  • Immediate updates: Admins or external systems can trigger identity updates on demand.
  • Fine-grained control: Boolean flags allow precise control over which operations to execute (e.g., refresh manager status, correlate entitlements, check policies).
  • Integration-ready: Works seamlessly with REST calls from other systems or custom frontend applications.
  • Auditable and maintainable: Logs and structured Java code ensure traceability and future-proofing.

The Implementation

The plugin is built as a modular IIQ Java plugin:

  • REST endpoints: Expose /Refresh, /Aggregate, and /AggregateRefresh for single-identity operations.
  • DTO-driven configuration: Frontend or external systems can send a RefreshParamDTO object containing all operation flags.
  • Identitizer usage: Leverages SailPoint’s Identitizer API to execute aggregation and refresh operations programmatically.
  • Transaction-safe: Changes are saved and committed in the IIQ context, ensuring data integrity.

This approach avoids the limitations of BeanShell scripting, providing a robust, maintainable, and version-controlled solution.

WedaCon’s Expertise

At WedaCon, we help organizations design, develop, and deploy tailored IIQ plugins like our RefreshPlugin. Whether it’s custom workflows, connectors, or identity management enhancements, we ensure every solution:

  • Integrates seamlessly with existing IIQ environments.
  • Follows best practices for maintainable, high-quality Java code.
  • Supports auditability, compliance, and security standards.

Our portfolio of ready-to-use IIQ plugins accelerates deployments, reduces risk, and delivers real business value.

Get in Touch

If you want to unlock real-time control over your identities in SailPoint IIQ, WedaCon is your partner for expert IAM solutions.

Contact us today through one of our channels to learn more about custom IIQ plugin development, or check out our other ready-made tools.
