Converting contractors to employees in SailPoint IdentityIQ (IIQ) involves transitioning a

user's identity attributes, identity lifecycle state, and possibly entitlements and
provisioning logic. This is a common requirement in onboarding/o boarding automation,
especially when contractors get hired full-time.

Here is a detailed, step-by-step guide to implement this in SailPoint IdentityIQ:

Goal:

Convert a user with type contractor to employee in IdentityIQ, updating:

 Identity attributes (e.g., employeeType)

 Lifecycle state

 Access (entitlements, roles, accounts)

 Provisioning behavior

Step-by-Step Implementation

Step 1: Identify the Attribute Driving Identity Type

In IIQ, typically the identity object has an attribute like:

identity.getAttribute("employeeType")

Make sure you know:

 Which attribute defines user classification (e.g., contractor, employee)

 How it's sourced (from authoritative source, HR feed, manual update)

Step 2: Ensure Authoritative Source Sends Updated Value

If you're syncing data from HR/IT systems:

 Ensure the contractor record will be updated to:

o employeeType = employee

o Possibly a new title, startDate, manager, etc.

 This triggers the identity refresh.

If manual: update via Manage Identity > Edit Identity in IIQ UI.
 Step 3: Identity Refresh and Correlation

 After the authoritative source update, IdentityIQ will:

o Run identity refresh

o Update the identity object

o Possibly trigger lifecycle events

You can force this via:

UI:

 Identity > [User] > Identity Refresh

Task:

 Run the Refresh Identity Cube task with:

 <entry key="identityName" value="contractorUser"/>

Step 4: Update Lifecycle State or Identity Status (Optional)

If you're using Lifecycle States (e.g., onboarding, active, terminated):

 Ensure there's a transition rule or workflow that moves the user from contractor to
employee lifecycle state.

How:

 Go to Lifecycle Manager > Lifecycle States

 Define a transition:

o From: contractor

o To: activeEmployee

o Based on condition: identity.employeeType == "employee"

Step 5: Role and Access Changes (Optional)

Typically, employees and contractors are assigned di erent roles/access:

Options:

 Business Role Model: Automatically assign di erent roles based on employeeType.

 Identity Trigger Rule: Add/remove roles or launch LCM provisioning request when user
becomes employee.

Sample logic in a rule:

if ("employee".equals(identity.getAttribute("employeeType"))) {

identity.addRole("FullTimeEmployeeRole");

identity.removeRole("ContractorLimitedAccess");

Step 6: Provisioning (Access Requests or Automatic)

If the application is provisioning-enabled, IdentityIQ will:

 Deprovision any contractor-only entitlements (if configured)

 Provision employee-level accounts

 Update AD attributes (e.g., description, title, group membership)

Make sure:

 Provisioning policies are defined based on employeeType

 Account Templates and Entitlement Catalog use dynamic logic

Step 7: Audit and Certification (Optional)

Trigger:

 Access Review for new employee status

 Policy checks (e.g., SoD violations for elevated access)

Optional: Use Workflow to Automate the Conversion

You can also build a custom workflow:

 Triggered when employeeType = employee

 Transitions lifecycle state

 Assigns/removes roles

 Sends notification

Summary: What to Check/Configure

Item What to Do

Attribute Confirm employeeType or similar drives the identity state

Item What to Do

Source Ensure your HR system updates this field properly

Identity Refresh Must run after attribute change

Lifecycle State Define transition from contractor to employee

Role/Access Assignment Adjust via policies, rules, or workflows

Provisioning Ensure correct provisioning logic for both types

Logging/Audit Use logs, certification, and policy to validate correctness

Would you like:

 A sample Lifecycle rule for this transition?

 A custom workflow XML to automate the conversion?