Automated Cleanup Strategy for Stuck Tasks in IIQ
Date Posted:
Category:
Security
Author:
Malarvanan
Automated Cleanup Strategy for Stuck Tasks in IIQ
Date Posted:
Category:
Security
Author:
Malarvanan
Automated Cleanup Strategy for Stuck Tasks in IIQ
Date Posted:
Category:
Security
Author:
Malarvanan
Overview
IdentityIQ environments tend to accumulate stale WorkflowCases and TaskResults when workflow is in pending state. Over time, these objects stay in Pending or Active state indefinitely, consuming system resources and negatively affecting overall platform performance. To address this, an automated cleanup strategy is proposed that removes old workflow cases and frees processing capacity.
Problem Description
Large number of pending WorkflowCases remain stuck in the system.
Continuous increase in abandoned tasks results in slowness in UI, delays in Refresh Identity Cube, and delay in provisioning tasks.
Current cleanup processes are manual and tedious, requiring review of each workflow entry individually.
Built-in option terminateOrphans please only terminates orphan threads and does not clear valid WorkflowCase records still marked as active.
Impact to Operations
Performance degradation during peak processing windows.
Higher DB load due to excessive workflow entries.
Approaches Available for Cleanup
Approach 1: Manual Actions
Terminate tasks individually via Task Results UI (or)Use terminateOrphans please from IIQ console.
Useful only for small quantities.
Not scalable or reliable for repeating backlog.
Approach 2: Direct Database Deletion (Not Recommended)
Delete objects directly from TaskResult or WorkflowCase tables.
High risk of corruption if object associations remain.
Not supported by SailPoint.
Approach 3: Automated Rule-based Cleanup
Use Beanshell rule inside IdentityIQ to programmatically:
Search for workflow cases by name prefix
Filter by creation date threshold
Terminate via Terminator API safely
Provide simulation mode for testing
Log details for traceability
Completely removes backlog in batches without DB intervention.
Implemented Proposed Solution
A custom IdentityIQ rule named “Delete Old WorkflowCases” was created. The rule:
Accepts workflow name prefix (e.g. Leaver Snapshot, Joiner, Access Request)
Accepts configurable number of days to keep workflow history
Identifies all WorkflowCases matching the prefix and created before cutoff date
Deletes them using Terminator API (term.deleteObject())
Commits transaction progressively for performance stability
Why This Approach Is Effective
Uses SailPoint internal APIs (Terminator) — safe and supported
Avoids database-level manipulation
Automated, repeatable, scalable
Can be scheduled to prevent future backlog
Provides audit visibility through structured logging
Allows simulation mode to validate scope before execution
Reference
Stay tuned to our blog to see more posts about
Sailpoint products implementation and its related updates.
Stay tuned to our blog to see more posts about
Sailpoint products implementation and its related updates.
Category:
Security
Stay tuned to our blog to see more posts about
Sailpoint products implementation and its related updates.
Stay tuned to our blog to see more posts about
Sailpoint products implementation and its related updates.
Category:
Category:
Security
Security
Get your
Tailored Quote for your
Organisation
Get your
Tailored Quote for your
Organisation
Overview
IdentityIQ environments tend to accumulate stale WorkflowCases and TaskResults when workflow is in pending state. Over time, these objects stay in Pending or Active state indefinitely, consuming system resources and negatively affecting overall platform performance. To address this, an automated cleanup strategy is proposed that removes old workflow cases and frees processing capacity.
Problem Description
Large number of pending WorkflowCases remain stuck in the system.
Continuous increase in abandoned tasks results in slowness in UI, delays in Refresh Identity Cube, and delay in provisioning tasks.
Current cleanup processes are manual and tedious, requiring review of each workflow entry individually.
Built-in option terminateOrphans please only terminates orphan threads and does not clear valid WorkflowCase records still marked as active.
Impact to Operations
Performance degradation during peak processing windows.
Higher DB load due to excessive workflow entries.
Approaches Available for Cleanup
Approach 1: Manual Actions
Terminate tasks individually via Task Results UI (or)Use terminateOrphans please from IIQ console.
Useful only for small quantities.
Not scalable or reliable for repeating backlog.
Approach 2: Direct Database Deletion (Not Recommended)
Delete objects directly from TaskResult or WorkflowCase tables.
High risk of corruption if object associations remain.
Not supported by SailPoint.
Approach 3: Automated Rule-based Cleanup
Use Beanshell rule inside IdentityIQ to programmatically:
Search for workflow cases by name prefix
Filter by creation date threshold
Terminate via Terminator API safely
Provide simulation mode for testing
Log details for traceability
Completely removes backlog in batches without DB intervention.
Implemented Proposed Solution
A custom IdentityIQ rule named “Delete Old WorkflowCases” was created. The rule:
Accepts workflow name prefix (e.g. Leaver Snapshot, Joiner, Access Request)
Accepts configurable number of days to keep workflow history
Identifies all WorkflowCases matching the prefix and created before cutoff date
Deletes them using Terminator API (term.deleteObject())
Commits transaction progressively for performance stability
Why This Approach Is Effective
Uses SailPoint internal APIs (Terminator) — safe and supported
Avoids database-level manipulation
Automated, repeatable, scalable
Can be scheduled to prevent future backlog
Provides audit visibility through structured logging
Allows simulation mode to validate scope before execution