If you’re stepping into the world of SailPoint IdentityIQ, the first challenge isn’t code—it’s the terminology.
Understanding the terms behind IIQ helps you avoid confusion, build smarter solutions, and communicate clearly with your team and stakeholders.

Here’s a plain-English breakdown of the essential vocabulary every IAM professional should know 👇

🧭 Target System: Any external platform like Active Directory, ServiceNow, or Salesforce. It’s where users or access permissions live.

⚙️ Application: Inside IIQ, a Target System is represented as an Application. This object holds all the configuration and schema info needed for IIQ to talk to that system.

🏛️ Authoritative Application: The source of truth. It’s where identity data comes into IIQ. IIQ never updates these—only fetches from them. Identities are created in IIQ based on data from these apps (e.g., HRIS).

🔐 Non-Authoritative Application: An application where IIQ manages access but from which it doesn’t source identity data. These are your access targets, not data providers.

🔌 Connector: The bridge (usually a Java BeanShell script) that enables communication between IIQ and the target system. It executes operations like provisioning and aggregation.

👤 Identity vs. Account
Identity = user inside IIQ
Account = user in the external system

🔄 Aggregation: The process of pulling data from a target system into IIQ.
Account Aggregation = importing user data
Account Group Aggregation = importing roles, permissions, entitlements

🧱 Identity Cube: Every identity in IIQ has a cube—a structured view that contains:
• Attributes (name, department, etc.)
• Entitlements
• Application accounts
• Risk info
• Policy violations
• Event history
Think of it as the identity’s full profile.

🎁 Entitlement: A permission or group in a target system. In IIQ, all access types are normalized as entitlements.

🚀 Provisioning: Any change pushed from IIQ to a target system.
• Account Provisioning = Create/update/disable accounts, reset passwords
• Group Provisioning = Create/update access rights (entitlements)

♻️ Refresh Identity Cube: A task that refreshes identities in IIQ based on selected options. It should run daily. You can choose to:
• Refresh just attributes
• Trigger policy evaluations
• Run certifications
All configurable automation in IIQ can be tied to this task.

👥 Group: A collection of identities based on a single shared attribute (e.g., department = Finance).

🧑‍🤝‍🧑 Population: Like a Group, but based on multiple attributes. Ex: All active employees in Montreal from IT support.

🛠️ Workgroup: A bundle of users with similar capabilities, often used for approval routing. Let’s say a manager is on leave. By creating a Workgroup of team leads or peer managers, any member can act on approval requests—keeping workflows moving without bottlenecks.

💡 Why It Matters
You can’t build or maintain what you don’t understand. Whether you’re provisioning access, troubleshooting aggregations, or optimizing certifications—these terms are your map. And if you’re mentoring junior devs or explaining to leadership, clear language always wins.

👉 Did any of these terms trip you up early in your IIQ journey? Let’s build a glossary together in the comments 👇
