
Driving IdentityIQ workgroup membership from Active Directory or LDAP groups for IdentityIQ 8.1


This refers to https://community.sailpoint.com/t5/IdentityIQ-Forum/Driving-IdentityIQ-Workgroup-membership-from-Act...

Please see attachments below for updated artifacts for IdentityIQ 8.1. 

Happy coding!

Comments

I have recently upgraded from IIQ 7.0 to IIQ 8.1. We used the old LDAP groups to workgroups on our 7.0 installation with no issues. However, since the upgrade to 8.1, both the old version and the new one are not working.

The old 7.0 version will work only if there is one LDAP group with a workgroup reference; if another LDAP group gets a different workgroup referenced, it will fail with the following:

Exception running rule: The application script threw an exception: org.hibernate.exception.GenericJDBCException: could not get next iterator result BSF info: 

With the new 8.1 version, the rule runs without any errors but nothing happens: no users are added or removed from the workgroups. On investigation, I noticed that the rule is not going past the line

ManagedAttribute ma = it.next();

It appears that there is something wrong in relation to the "sailpoint.object.ManagedAttribute".

Both versions appear to be having issues with the same module above, just in different ways. Has anyone also seen this issue, and how did you get around it?


The problem is related to "IdentityIQ 8.0 and commitTransaction While Using an Iterator"

More details can be found on this link:

https://community.sailpoint.com/t5/IdentityIQ-Wiki/IdentityIQ-8-0-and-commitTransaction-While-Using-...

 

Removed sailpoint.tools.Util.flushIterator(it) that prevented the rule from processing further

Adding setCloneResults(true) to fix iterator error

Shouldn't we add the below filter on the IdentityEntitlement query, so only connected AD groups are considered?

Filter.eq("aggregationState", AggregationState.Connected)

We have a situation where the task is considering disconnected AD groups as well, and not removing the user from the workgroup.

Version history: Revision 6 of 6. Last update: May 18, 2023 12:04 PM