Introduction

If SailPoint IdentityIQ were a body, the identity cube would be the heart. It’s what pumps the lifeblood of user data through the system, keeping everything connected, in sync, and secure.

But here’s the thing: most newcomers to IIQ either overcomplicate what an identity cube is… or totally overlook its importance. So let’s break it down like you’re explaining it to a teammate over coffee — not in a 100-slide onboarding deck.

Because once you get the identity cube, everything else in IIQ starts making a lot more sense.

So, what exactly is an identity cube?

Think of the identity cube as a digital profile card for a user — but on steroids. It’s not just a name and email. It’s a full, dynamic snapshot of who that person is across your entire IT ecosystem.

It pulls together:

• Identity attributes (name, department, title, status…)

• Linked application accounts (from AD, ServiceNow, SAP, etc.)

• Group memberships, roles, and entitlements

• Policy violations and risk scores

• Event history and approval trails

Why call it a “cube”? Because it’s multidimensional. It’s not a flat row in a table — it’s a living object SailPoint uses to evaluate access, enforce policies, and trigger workflows.

It’s like giving SailPoint x-ray vision. Instead of seeing just “user123,” it sees everything that user touches, owns, and has access to — and whether they should.

How does SailPoint build the identity cube?

It starts with aggregation — the process of pulling data from connected apps into SailPoint.

Step 1: You hook up an authoritative source (like Workday or SAP).

Step 2: SailPoint fetches identity records — name, job title, manager, location…

Step 3: It checks for matching or duplicate entries, then creates a new identity cube for each unique person.

Then comes account aggregation — pulling in linked accounts from non-authoritative apps like Active Directory, Salesforce, or custom apps. SailPoint maps those accounts to the right identity cubes, merges entitlements and roles, and updates everything in real time (or on schedule).

Synchronization can work both ways, depending on how you configure it:

• From app to SailPoint (for aggregation)

• From SailPoint to app (for provisioning or revoking access)

And the cube updates constantly — if a manager changes, if someone changes departments, or if an account is deactivated somewhere, SailPoint reflects it.

Why is the identity cube so important for lifecycle management?

Here’s where it gets interesting.

Without a solid identity cube, you’re flying blind. You can’t confidently certify access, enforce least privilege, or trigger onboarding/offboarding workflows.

Let’s take a few examples:

Joiner: New hire data comes into Workday → SailPoint builds a cube → Assigns roles based on department → Provisions accounts in AD, Salesforce, and Jira.

Mover: User changes departments → Their cube updates → Old access gets removed, new access is assigned.

Leaver: Employment status changes to “terminated” in the HR system → SailPoint disables all accounts, removes access, and logs it for audit.

Every one of those lifecycle moments relies on the cube being accurate, up-to-date, and complete. If it’s not? You get orphaned accounts, access creep, and angry auditors.

Real-life example: When one cube saved a security review

There was a client prepping for a major audit. The security team was panicking because nobody could confirm who still had access to a legacy finance system that was supposed to be decommissioned.

Enter SailPoint.

Because all account data had been aggregated and linked to identity cubes, we on the IIQ team were able to:

• Search for all users with finance system access

• See who had active employment status in HR

• Revoke access for terminated users

• Prove it all happened via policy automation

No panic. No last-minute scripts. Just clear visibility through the cube.
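The aggregation steps and the audit review described above, as an added sketch that is not from the original post and is not SailPoint's API: a simplified Python model that builds cubes from an authoritative source, correlates accounts on a hypothetical `employee_id` key, and lists terminated users who still hold an enabled account. All class names, function names, and sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    application: str
    native_id: str
    employee_id: Optional[str]  # hypothetical correlation key; None if the app has none
    disabled: bool = False

@dataclass
class IdentityCube:
    employee_id: str
    attributes: dict = field(default_factory=dict)
    links: list = field(default_factory=list)  # accounts correlated to this person

def aggregate_authoritative(hr_records):
    """Build one cube per unique person; duplicate HR rows merge into the same cube."""
    cubes = {}
    for rec in hr_records:
        cube = cubes.setdefault(rec["employee_id"], IdentityCube(rec["employee_id"]))
        cube.attributes.update(rec)
    return cubes

def aggregate_accounts(cubes, accounts):
    """Link each account to its cube; return the accounts that match nobody (orphans)."""
    orphans = []
    for acct in accounts:
        cube = cubes.get(acct.employee_id)
        (orphans if cube is None else cube.links).append(acct)
    return orphans

def leaver_findings(cubes, application):
    """Terminated identities that still hold an enabled account on `application`."""
    return sorted((c.employee_id, a.native_id) for c in cubes.values()
                  if c.attributes.get("status") == "terminated"
                  for a in c.links if a.application == application and not a.disabled)

# Constructed sample data (not real records); E200 appears twice to show de-duplication.
HR = [dict(employee_id="E100", status="active"), dict(employee_id="E200", status="terminated"),
      dict(employee_id="E200", status="terminated"), dict(employee_id="E300", status="terminated")]
ACCOUNTS = [Account("LegacyFinance", "arivera", "E100"), Account("LegacyFinance", "bchen", "E200"),
            Account("LegacyFinance", "cokafor", "E300", disabled=True),
            Account("Active Directory", "bchen", "E200"), Account("LegacyFinance", "svc_batch", None)]

def run_review():
    cubes = aggregate_authoritative(HR)
    orphans = aggregate_accounts(cubes, ACCOUNTS)
    return cubes, orphans, leaver_findings(cubes, "LegacyFinance")
```

The orphan list is as useful to an auditor as the leaver list: an account that correlates to no cube has no owner whose employment status can be checked.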

Conclusion

The identity cube in SailPoint isn’t just a backend object — it’s the lens that brings your entire identity program into focus.

It’s what lets you say with confidence:

• Who someone is

• What they have access to

• Whether that access is still valid

• And what to do when something changes

If you’re working with IdentityIQ, get to know the cube like it’s your co-pilot. Because in a world where access risk can cost millions — the cube might just be your best line of defense.

Have you had a “cube moment” where everything clicked (or broke)?

Drop a comment and share your experience. Let’s learn from each other.
