L
← IAM Ideas
IAM Ideas 2026-06-15

Iiq Joiner Day1 Readiness Tracker

A single-page operator dashboard that surfaces provisioning completeness for every new hire starting in the next 7 days, so the IAM team knows who is not ready before the employee walks in the door.

Iiq Joiner Day1 Readiness Tracker

IIQ Joiner Day-1 Readiness Tracker

A single-page operator dashboard that surfaces provisioning completeness for every new hire starting in the next 7 days, so the IAM team knows who is not ready before the employee walks in the door.

Date: 2026-06-15 Type: App Theme: UX + Detect Platform: SailPoint IdentityIQ Status: Idea

What it is

A static browser app that aggregates IIQ Joiner lifecycle event data, ProvisioningTransaction results, and open Work Items into a single readiness view. It shows each incoming hire's expected application set (derived from their assigned IIQ Bundles/Roles), which accounts are provisioned, which are still pending, and which have hard failures — ranked by urgency (hours until start date). Operators can click any row to see a per-application breakdown with failure reasons and work item owners.

Who it serves

The IAM operations engineer or IIQ administrator who owns day-1 provisioning quality. They currently have to correlate three separate IIQ surfaces — the Lifecycle Events Status Report, the ProvisioningTransaction grid, and the Work Items queue — to answer "which new hires are not ready?" This app collapses that to one triage screen they can act from in under five minutes.

The IIQ pain it addresses

IIQ's Joiner lifecycle event fires when an authoritative source (typically Workday or an HR JDBC connector) publishes a new hire record during a Refresh Identities task run. The event triggers a BPM workflow that generates a ProvisioningPlan and fans out provisioning requests across every Application that the new hire's assigned Bundles require. In a shop with 500+ connectors, that fan-out can touch 4–10 applications per joiner. Several failure modes compound invisibly:

  • Connector-level provisioning failures (unique constraint violations, null attribute values from a FieldValueRule, connector throttle limits) block one application without surfacing the blockage in the Joiner event status view.
  • Open Work Items from approvals or manual provisioning steps sit unworked in the generic Work Items queue — there is no native view that shows "these work items are for joiners starting today."
  • Joiner event not fired — if the HR aggregation ran late or the Refresh Identities task hasn't executed, lifecycleEventFiredAt is null and the hire is entirely invisible to the provisioning pipeline.

The result: new employees arrive on day 1 without access to core business systems, opening a helpdesk ticket, losing productive time, and eroding trust in the IAM program.

How it works

On load, script.js fetches sample-data.json (in production: two IIQ REST calls — GET /identityiq/rest/identities?filters=lifecycle==Joiner and GET /identityiq/rest/provisioningTransactions?filters=created>={T-7d} — merged client-side) and renders:

  1. KPI bar — five clickable tiles: Total Joiners (7-day window), Fully Ready, Partial, At Risk (start < 8 h, incomplete), Failed. Clicking a tile filters the table to that cohort.
  2. Filter bar — free-text search, department dropdown, status dropdown, reset. Result count updates live.
  3. Sortable table — default sort: Hours Until Start ascending (most urgent first). Rows with start < 4 h and incomplete provisioning show a red URGENT badge; 4–8 h shows amber SOON. The Readiness column shows a colour-coded progress bar (green → amber → red) and a percentage.
  4. Detail drawer — clicking a row slides in a panel showing every expected application with its provisioning status badge, account ID, completion timestamp, failure reason, and work item owner. A console shortcut tells the operator exactly where to go in IIQ to intervene.

No network calls are made in the prototype — the sample data covers 18 synthetic joiners across 7 departments and 14 distinct applications spanning Active Directory, SAP, Workday, Salesforce, GitHub Enterprise, AWS IAM, Splunk, CrowdStrike, and others.

What's in this folder

  • index.html — single-page entry point, opens from file://, no build step
  • style.css — deep-navy/electric-blue design system with status colour coding
  • script.js — vanilla JS: data loading, filter/sort, table rendering, drawer logic, IIQ REST documentation inline
  • sample-data.json — 18 synthetic IIQ-shaped joiner records with realistic per-app provisioning state and failure reasons
  • requirements.md — functional requirements, IIQ data source mapping, and out-of-scope definition
  • cover-image.png — concept art cover (16:10, no text, no logos)
  • metadata.md — generation metadata

How to run / read it

Open index.html in any modern browser (Chrome, Firefox, Edge, Safari). No server, no auth, no build step. The page loads sample-data.json from the same directory. Click any row to open the per-identity provisioning drawer. Click KPI cards to filter. Sort any column by clicking its header.

Estimated impact

In an organisation with 100+ joiners per month, IAM engineers currently spend 2–3 hours on the Monday/Tuesday morning before a start wave chasing down failed provisioning plans across three IIQ screens and a helpdesk ticket queue. This app consolidates that into a 10-minute morning triage check, saving approximately 8–12 engineer-hours per month and eliminating the class of "day-1 no access" helpdesk tickets that stem from provisioning failures the team didn't know about.

Why this fits an IIQ shop with 500+ connectors

At scale, a Joiner event is not one provisioning action — it is a fan-out across dozens of connectors, each with its own retry semantics, rate limits, approval gates, and FieldValueRule dependencies. A single null return from a manager attribute rule blocks Active Directory, which cascades to block every downstream application that depends on an AD account. An operator monitoring the native Lifecycle Events Status Report sees "Completed with warnings" and has no reason to drill in. This app makes the long tail of partial failures visible in a single cohort view at the moment they matter most — before the employee's first meeting.

Sources

Requirements

Requirements — IIQ Joiner Day-1 Readiness Tracker

Functional Requirements

Data Model

  • Load joiner records from sample-data.json (or, in production, from the IIQ REST API: GET /identityiq/rest/identities?filters=lifecycle==Joiner&expand=links,workItems).
  • Each joiner record MUST contain:
    • Identity fields: id, displayName, department, manager, startDate, startTime, hoursUntilStart
    • assignedRoles[] — IIQ Bundles assigned via the Joiner lifecycle event
    • expectedApps[] — names of Applications that should be provisioned from those roles
    • provisioningDetails[] — one entry per expected app with: app, status (Provisioned | Pending | Failed), accountId, completedAt, workItemsOpen, workItemOwner, failureReason
    • readinessScore — 0–100 integer (provisioned app count / expected app count * 100)
    • overallStatus — Ready | Partial | Failed | Pending
    • lifecycleEventFiredAt — ISO timestamp or null if the Joiner lifecycle event has not yet triggered
    • provisioningTransactionId — IIQ ProvisioningTransaction identifier

KPI Cards (header bar)

  • Total Joiners (7 days): count of all identities in the look-ahead window.
  • Fully Ready: count where readinessScore == 100.
  • Partial: count where overallStatus == "Partial" (some apps provisioned, some not).
  • At Risk: count where hoursUntilStart <= 8 AND overallStatus != "Ready".
  • Failed: count where overallStatus == "Failed".
  • Each KPI card is clickable to filter the table to that cohort. Second click clears the filter.

Filter Bar

  • Free-text search against name, department, and manager name (case-insensitive substring).
  • Department dropdown: populated dynamically from loaded data.
  • Status dropdown: Ready | Partial | Pending | Failed.
  • Reset button: clears all three filters and KPI selection.
  • Result count label: "N of M joiners" updated live.

Main Table

  • Columns: Name, Department, Start Date, Hours Until Start, Status, Readiness (progress bar + %), Open Work Items, Joiner Event Fired.
  • All columns sortable by clicking the header (ascending / descending toggle).
  • Default sort: Hours Until Start ascending (most urgent first).
  • Urgency decoration: "URGENT" badge (red) for joiners with hoursUntilStart < 4 and not Ready; "SOON" badge (amber) for 4 ≤ hours < 8 and not Ready.
  • Readiness bar: green fill at 100%, amber 50–99%, red 1–49%, grey at 0%.
  • Open Work Items: show count in amber when > 0, else "—".
  • Row click: opens detail drawer.

Detail Drawer

  • Opens from the right side; overlay dims the main content.
  • Shows: mini KPI row (Provisioned N/M, Open Work Items, Failures).
  • Application provisioning grid: one row per app with status badge, account ID (if provisioned), completion timestamp, failure reason (if failed), work item owner (if pending).
  • Identity details panel: IIQ Identity ID, ProvisioningTransaction ID, Joiner Event Fired timestamp, Readiness %, Overall Status.
  • Assigned Roles: rendered as chips.
  • IIQ operator shortcut: console path and REST endpoint to navigate directly in IIQ.
  • Close: "✕" button or overlay click.

Non-Functional Requirements

  • No build step: index.html MUST open from file:// in any modern browser.
  • No external network requests: all data from sample-data.json in the same folder.
  • No CDN dependencies: vanilla JS + CSS only.
  • No authentication: prototype only — production would gate via IIQ SPRight + scoped service account.
  • Responsive: readable at 1024px wide; optimised for 1440px+ (operator workstation).
  • No hard-coded secrets: sample config URLs use example.invalid domains.

IIQ Data Sources (production)

IIQ endpoint / table Used for
GET /identityiq/rest/identities?filters=lifecycle==Joiner New hire identity list
GET /identityiq/rest/provisioningTransactions?filters=created>={T-7d} ProvisioningTransaction status per app
GET /identityiq/rest/workItems?filters=targetName=={displayName} Open work items blocking provisioning
spt_identity Identity metadata, lifecycle attribute
spt_link Provisioned accounts (one Link per Application per Identity)
spt_provisioning_transaction Provisioning plan result per app per identity
spt_work_item Pending manual provisioning approvals or escalations
spt_bundle Role definitions → expected app/entitlement set

Out of Scope

  • Live IIQ API integration (production concern).
  • Authentication / RBAC.
  • Write-back to IIQ (read-only view).
  • Mobile layout (operator console is desktop-first).
  • Push / real-time refresh (would use Server-Sent Events or polling in production).
  • Cross-IIQ-platform support (IdentityNow / ISC has a different schema).

More from IAM Ideas

Iiq Workflow Health Report
Iiq Workflow Health Report
2026-06-22
Iiq Leaver Sla Pagerduty
Iiq Leaver Sla Pagerduty
2026-06-06
Iiq Request Catalog Linter
Iiq Request Catalog Linter
2026-06-01
Iiq Privileged Entitlement Spread Report
Iiq Privileged Entitlement Spread Report
2026-05-18
Iiq Cmdb Access Bridge
Iiq Cmdb Access Bridge
2026-05-11
Iiq Provisioning Recovery Console
Iiq Provisioning Recovery Console
2026-05-11
Cert Decision Velocity Report
Cert Decision Velocity Report
2026-05-10
Iiq Aggregation Freshness Radar
Iiq Aggregation Freshness Radar
2026-05-10
Iiq Orphan Account Sweeper
Iiq Orphan Account Sweeper
2026-05-10