Introduction

Ever feel like your IAM platform is this magical box where data goes in and somehow, access gets managed? Yeah — we’ve all been there. But behind the scenes, there’s something called aggregation quietly doing the heavy lifting. If you’re just starting out with SailPoint IdentityIQ (IIQ), or you’re an IAM admin trying to make sense of what “account aggregation” actually means, this article’s for you.

We’re going to walk through:

• What aggregation really is in plain language

• What “account aggregation” and “group aggregation” tasks do

• When you should run them

• Whether they exist in Okta, Saviynt, and others — and what they’re called there.

Let’s clarify this, one task at a time.

What is aggregation in IIQ, anyway?

Imagine your company’s HR system, Active Directory, Salesforce, and other apps are all scattered puzzle pieces. SailPoint’s job is to bring those pieces together and make sense of them.

That’s where aggregation comes in.

Aggregation is the process of fetching data from external systems (called target systems or applications) into IIQ. This data could be:

• Accounts (users in Active Directory, ServiceNow, etc.)

• Groups/roles/permissions (like AD groups or entitlements in SAP)

Think of it like syncing your phone contacts from Google — IIQ connects to an app and pulls in account details so it knows who exists and what access they have.

Without aggregation, IIQ is blind. It won’t know if users exist, if they’ve changed roles, or what they’ve got access to.

What is a “task” in IIQ?

In SailPoint, a task is an automated job you can schedule or run manually to perform a specific action. Think of it like telling IIQ: “Hey, go fetch the latest data from AD.”

There are many task types, but the two most common in aggregation are:

1. Account Aggregation Task

2. Account Group Aggregation Task

Let’s break these down.

Account Aggregation vs. Group Aggregation: What’s the difference?

• Account Aggregation Task

This task pulls in user account data from the target system — usernames, email, status, etc.

Example: If you run this task on your Active Directory application, IIQ will fetch all the users from AD and update its internal identity cubes accordingly.

• Account Group Aggregation Task

This one’s focused on groups, entitlements, or roles in the target system.

It tells IIQ, “Here’s a list of all available access options in this app.”

Think of AD groups, Salesforce roles, or ServiceNow permissions — IIQ needs to know what’s available before it can grant access properly.

Real-life analogy?

Imagine your HR system is a school.

• Account aggregation pulls the student list.

• Group aggregation pulls the list of available classes.

Now SailPoint knows who’s enrolled and what they can sign up for.

When should you run these tasks?

Good question — and the answer depends on your environment.

• Account aggregation:

Run it regularly. Daily or multiple times a day, especially if HR or AD is constantly changing. You want IIQ to always have the freshest view of who’s in your org.

• Group aggregation:

Not as frequent. Run this when new entitlements are added in the source system or before setting up access request features.

• During troubleshooting:

If a user isn’t showing up in IIQ or their access seems outdated, running an account aggregation can usually fix it.

• After onboarding new apps:

Anytime you configure a new app, you’ll want to run both tasks to sync things up.
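To make the two tasks concrete, here is a toy model added as an illustration. It is not SailPoint code and calls no IIQ API; the account names, group names and function names are all made up. It shows what a stale account view misses, and how an account can hold a group that the catalog has not seen until group aggregation runs.

```python
# Toy model of account vs. group aggregation. Not SailPoint code; all data
# below is constructed for illustration.

def aggregate_accounts(known, source):
    """Compare the last aggregated accounts with the target system's current ones.

    Both arguments map account name -> attribute dict. Returns the refreshed
    view plus a delta describing what the stale view was missing.
    """
    delta = {
        "new": sorted(source.keys() - known.keys()),
        "removed": sorted(known.keys() - source.keys()),
        "changed": sorted(n for n in source.keys() & known.keys()
                          if source[n] != known[n]),
    }
    return dict(source), delta


def aggregate_groups(catalog, source_groups):
    """Refresh the catalog of available access options; return what was added."""
    added = sorted(set(source_groups) - set(catalog))
    return set(source_groups), added


def unknown_entitlements(accounts, catalog):
    """Accounts holding a group the catalog has never seen (catalog is stale)."""
    return {name: sorted(set(attrs["groups"]) - catalog)
            for name, attrs in accounts.items()
            if set(attrs["groups"]) - catalog}


# Constructed sample: what was known after yesterday's run ...
KNOWN = {
    "asmith": {"status": "active", "groups": ["Sales"]},
    "bjones": {"status": "active", "groups": ["Finance"]},
}
CATALOG = {"Sales", "Finance"}
# ... and what the target system (say, AD) holds today.
SOURCE = {
    "asmith": {"status": "disabled", "groups": ["Sales"]},
    "cwu": {"status": "active", "groups": ["Finance", "Payroll-Admins"]},
}
SOURCE_GROUPS = ["Sales", "Finance", "Payroll-Admins"]

if __name__ == "__main__":
    accounts, delta = aggregate_accounts(KNOWN, SOURCE)
    print("account delta:", delta)
    print("before group aggregation:", unknown_entitlements(accounts, CATALOG))
    catalog, added = aggregate_groups(CATALOG, SOURCE_GROUPS)
    print("after group aggregation:", unknown_entitlements(accounts, catalog))
```

Until the account run happens, the stale view still shows asmith as active and bjones as present, and knows nothing about cwu; until the group run happens, cwu's Payroll-Admins membership points at an access option the catalog does not contain.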

Do these concepts exist in other IAM platforms like Okta or Saviynt?

Yes — but the names (and how you interact with them) vary.

• Okta

In Okta, you don’t have “tasks” in the same way, but the Import function under applications does similar work. It fetches users and groups from external systems like AD or HR platforms and updates the Okta directory. It’s often automatic, but you can also manually trigger imports.

So:

◦ Account aggregation = User Import

◦ Group aggregation = Group Import

• Saviynt

Saviynt is closer to IIQ in terms of complexity. It also has scheduled jobs for importing user and entitlement data from connected apps. In Saviynt:

◦ Account aggregation = Import User Job

◦ Group aggregation = Import Entitlement Job

So yes — the idea of fetching users and roles exists across platforms. The difference is how customizable and granular each system lets you be with that process.

Conclusion

Aggregation might sound technical, but at its core, it’s just SailPoint saying: “Tell me what you’ve got.” Without it, there’s no visibility, no access management, and definitely no compliance.

If you’re new to IIQ, don’t stress — you don’t need to memorize every task type. Just remember:

• Account aggregation = users

• Group aggregation = access options

• Run them when things change — or regularly if your data is dynamic

And yes, whether you’re in SailPoint, Okta, or Saviynt, some form of aggregation exists. It’s the first step to doing IAM right — because you can’t control what you can’t see.

Got any weird stories where aggregation (or the lack of it) caused chaos? Or a time when running a simple task saved the day? I’d love to hear how it went in your environment — drop a comment and let’s swap stories.

