For a user who wants to be able to enable an account for a subordinate or themselves through Manage Accounts, does this configuration need to be performed in Lifecycle Manager (LCM)?
Solution: Select the Rehire action under Manage Accounts Options in the LCM Configuration.
- A . Yes
- B . No
B
Explanation:
In SailPoint IdentityIQ, the specific configuration that allows a user to enable an account for themselves or a subordinate through the "Manage Accounts" option does not necessarily need to be configured in Lifecycle Manager (LCM) alone. While LCM does provide extensive capabilities for account management actions like provisioning, rehire, and more, enabling an account is primarily tied to the permissions and entitlements granted to the user through their role, capabilities, and access profiles.
To address the specific functionality described:
Manage Accounts is typically a part of IdentityIQ’s broader account management capabilities, which are not exclusively tied to LCM. The ability to enable or disable accounts can be governed by rules and workflows within IdentityIQ, and these may or may not be linked directly to LCM configurations.
Rehire Action in LCM: The "Rehire" action within LCM Configuration is specific to processes related to reactivating an employee’s identity when they are rehired. This does not directly relate to enabling an account from the "Manage Accounts" screen. Rehire workflows typically involve reinstating the user’s previous access, which could include enabling accounts, but this is a broader process.
Permissions and Roles: The ability to enable accounts is often governed by the permissions assigned to a user’s role within IdentityIQ. These permissions may be granted outside of LCM configurations and handled by IdentityIQ’s access governance framework.
Workflow Configurations: Enabling or disabling an account could also be tied to specific workflows, which can be configured separately from LCM, using IdentityIQ’s workflow engine. These workflows determine the steps and approvals required to perform such actions.
Reference: SailPoint IdentityIQ Configuration Guide: Account Management
SailPoint IdentityIQ Lifecycle Manager Configuration Guide
SailPoint IdentityIQ Administration Guide (Sections on Roles and Permissions, Workflow Configurations)
IdentityIQ has been installed and set up with the contents of IdentityExtended.hbm.xml as follows:
Is this a correct statement about the installation?
Solution: There is a limitation in this installation: When defining the identity mappings using Global Settings > Identity Attributes, only 12 additional searchable attributes can be defined. Additional identity attributes and mappings can be defined, but they cannot be searchable.
- A . Yes
- B . No
A
Explanation:
In SailPoint IdentityIQ, the configuration in IdentityExtended.hbm.xml file as shown in the image indeed outlines the use of extended identity attributes. These attributes (extended1, extended2, etc.) are custom attributes that are appended to the standard identity object model to store additional identity-related data.
According to the official SailPoint IdentityIQ documentation, when defining identity mappings under Global Settings > Identity Attributes, only up to 12 additional attributes can be made searchable within the IdentityIQ system. This limitation is crucial because it directly impacts the efficiency of search operations in large environments, where making too many attributes searchable can significantly slow down performance.
Once you define these 12 searchable attributes, any additional attributes can still be added, but they will not be indexed for search operations. This means that while the data in these attributes can be used in workflows, reports, and other operations, they cannot be used in search filters in the IdentityIQ user interface.
This limitation is particularly important when planning the design of the identity schema, as it affects both performance and usability. Therefore, the statement in question is correct and accurately reflects the constraints imposed by SailPoint IdentityIQ in terms of searchable identity attributes.
Reference: This explanation is derived from the SailPoint IdentityIQ Configuration Guide and official documentation on identity attributes and their limitations. Specifically, this is covered in sections related to extended attributes and searchable properties within the system.
Is this statement true about certifications? Solution: The staging period is required.
- A . Yes
- B . No
B
Explanation:
The statement that "the staging period is required" for certifications is not true. In SailPoint IdentityIQ, the staging period is an optional phase during the certification campaign configuration. The staging period is used to pre-generate certifications and allow for any preparatory actions or adjustments before the certifications are officially launched and sent to reviewers. However, it is not a mandatory component for all certification campaigns.
Administrators may choose to bypass the staging period entirely depending on the specific requirements of the certification process or the urgency of the certification campaign. Therefore, while the staging period can be beneficial for managing large or complex certifications, it is not a required step.
Reference: SailPoint IdentityIQ Certification Overview Guide
SailPoint IdentityIQ Administration Guide (Sections on Certification Configuration and Staging Period)
Is this statement true about certifications? Solution: All certifications include generation, the active period, sign-off, and the end period.
- A . Yes
- B . No
A
Explanation:
The statement that "All certifications include generation, the active period, sign-off, and the end period" is true. These stages are fundamental to the certification process in SailPoint IdentityIQ:
Generation: This is the initial stage where the certification campaign is created. During this phase, the system generates the list of items (such as access, roles, or entitlements) that need to be reviewed.
Active Period: Once the certification is generated, it enters the active period. During this time, the designated reviewers are responsible for examining the items in the certification, making decisions (such as approving or revoking access), and providing any necessary comments.
Sign-off: After the active period, the certification moves into the sign-off stage. Here, the final approver(s) review the decisions made during the active period and formally approve or reject the certification outcomes.
End Period: Finally, the end period marks the conclusion of the certification campaign. The certification is closed, and the results are archived. Any necessary actions, such as revoking access or triggering workflows based on the certification decisions, are implemented.
These stages are essential to the structured process that ensures all access rights are properly reviewed and either maintained or adjusted according to the organization’s policies.
Reference: SailPoint IdentityIQ Certification Administrator’s Guide
SailPoint IdentityIQ Certification Process Documentation
SailPoint IdentityIQ Administration Guide (Sections on Certification Lifecycle and Workflow)
Is this a default role type that is available in IdentityIQ? Solution: Entitlement Role
- A . Yes
- B . No
B
Explanation:
In SailPoint IdentityIQ, the concept of a "role" is fundamental to the identity governance framework. The platform supports several default role types that are pre-configured to help organizations manage access effectively. The default role types include:
Business Role: Represents a collection of entitlements necessary for a specific job function within the organization.
IT Role: Aggregates technical entitlements that are typically assigned together, often linked to specific applications or systems.
Application Role: Tied to a specific application, representing roles within that application’s context.
Composite Role: A combination of other roles, either business or IT, to form a higher-level role.
The term "Entitlement Role" is not recognized as a default role type in SailPoint IdentityIQ. While entitlements can be components of roles, "Entitlement Role" itself is not a predefined role type in the platform. Therefore, the correct answer is B. No.
Reference: This answer is based on the SailPoint IdentityIQ Role Management Guide, which details the standard role types and their usage within the platform. The guide explicitly lists the supported default role types, and "Entitlement Role" is not among them.
Assuming that the policy violation owner has the necessary permissions, is this a valid option for the policy violation owner to use when acting on a policy violation of type 'Role SOD Policy'? Solution: Schedule Policy Composition Certification
- A . Yes
- B . No
B
Explanation:
In SailPoint IdentityIQ, when dealing with a policy violation of the type "Role Separation of Duties (SOD) Policy," there are specific actions that the policy violation owner can take. These options typically include:
Mitigate: Applying a mitigating control to the violation.
Remediate: Addressing the violation by removing or altering access.
Accept: Acknowledging the violation without making changes, which usually requires justification.
Forward: Assigning the violation to another individual or group for resolution.
The option "Schedule Policy Composition Certification" is not a valid action for addressing a Role SOD
Policy violation directly. The concept of scheduling a certification is related to periodic review processes, not immediate policy violation handling. Certification campaigns are scheduled and executed to review roles, entitlements, or policies, but this is not an action taken in response to a specific policy violation.
Thus, "Schedule Policy Composition Certification" is not an appropriate or valid option in this context, and the correct answer is B. No.
Reference: This explanation is corroborated by the SailPoint IdentityIQ Compliance Manager documentation, which outlines the various actions available to policy violation owners when responding to policy violations, including Role SOD policies. The documentation specifies the actions that can be taken, and scheduling a certification is not listed among them in this context.
Is this configuration option required when an engineer sets up a SCIM 2.0 application? Solution: Comment Character
- A . Yes
- B . No
B
Explanation:
The configuration option "Comment Character" is not required when setting up a SCIM 2.0 application in SailPoint IdentityIQ. The "Comment Character" option is generally used for handling comment lines in flat files or CSV file-based connectors. Since SCIM 2.0 is a RESTful API-based protocol designed for managing identities in a standardized way, this option does not apply to SCIM 2.0 integrations. Therefore, it is not a necessary configuration when working with SCIM 2.0 applications.
Reference: SailPoint IdentityIQ SCIM 2.0 Integration Guide
SailPoint IdentityIQ Application Configuration Guide (SCIM and REST API sections)
Is this configuration option required when an engineer sets up a SCIM 2.0 application? Solution: Name
- A . Yes
- B . No
A
Explanation:
The "Name" configuration option is required when setting up a SCIM 2.0 application in SailPoint IdentityIQ. The "Name" field is a mandatory identifier for the application within IdentityIQ. This name is used throughout the system to reference the application and is critical for configuration, management, and integration processes. Without specifying a name, IdentityIQ cannot properly identify and interact with the SCIM 2.0 application.
Reference: SailPoint IdentityIQ SCIM 2.0 Application Configuration Guide
SailPoint IdentityIQ Administration Guide (Application Setup and Naming Conventions)
Is this statement true about the Application, Identity, ManageAttribute, Bundle, and Link objects in IdentityIQ? Solution: An Application object is not required to aggregate external user account information into IdentityIQ.
- A . Yes
- B . No
B
Explanation:
The statement that "An Application object is not required to aggregate external user account information into IdentityIQ" is false. In SailPoint IdentityIQ, an Application object is essential for aggregating (importing) external user account information. The Application object defines the connection settings, schema, and mapping that enable IdentityIQ to connect to external systems and retrieve identity data. Without an Application object, IdentityIQ would not have the necessary configuration to establish a connection and aggregate user data from external sources.
Reference: SailPoint IdentityIQ Administration Guide (Section on Applications and Aggregation)
SailPoint IdentityIQ Integration and Configuration Guide
HOTSPOT
Match the following IdentityIQ console commands to their functions.
Use the drop-down menus to select your answers. Answer options from the drop-down menus may only be used once. Some will not be used at all.
Explanation:
Here’s how the SailPoint IdentityIQ console commands correspond to their respective functions:
connectorDebug: debug the connector to identify issues in the connector.
source: authenticate to IdentityIQ as another user.
list: list objects.
provision: evaluate and execute a provisioning plan.
connectorDebug:
This command is primarily used to debug connectors within IdentityIQ. Connectors facilitate communication between SailPoint and external systems. When an issue arises, you use this function to identify and troubleshoot connector-related problems.
Reference: SailPoint IdentityIQ Console Guide (section on connector troubleshooting).
source:
This command allows you to authenticate as another user within the IdentityIQ system. It’s useful for testing user-specific actions or behaviors without logging out and back in.
Reference: SailPoint IdentityIQ Admin Guide (section on user authentication and delegation).
list:
This function returns a list of objects or entities within the system. In IdentityIQ, objects could include applications, roles, policies, and more.
Reference: SailPoint IdentityIQ Console Reference Guide (list and query commands).
provision:
The provision command evaluates and executes a provisioning plan. This is the actual process that implements changes in user access across connected systems based on the identity lifecycle event.
Reference: SailPoint IdentityIQ Provisioning Guide (execution of provisioning plans).
By matching these commands to their respective functions, the detailed functionalities of IdentityIQ’s console tools are properly understood for administrative and troubleshooting purposes.
The engineer needs to write some ad-hoc BeanShell code to search for GroupDefinition objects owned by Randy.Knight and print their names. Is this BeanShell code correct as written?
Solution:
- A . Yes
- B . No
B
Explanation:
The provided BeanShell code snippet attempts to filter and print the names of GroupDefinition objects owned by "Randy.Knight." However, the code contains a few issues that prevent it from functioning correctly as written:
Class Import: The GroupDefinition class should be imported explicitly at the beginning of the script, which is missing here.
Query Execution: The use of context.getObjectsByNumber(GroupDefinition.class, i) is incorrect. This method does not exist in this context. The correct approach would be to use context.getObjects() to retrieve the list of objects and iterate over them.
Looping Logic: The loop logic also contains a flaw. Instead of using a counter-based loop with context.getObjectsByNumber(), the recommended approach is to use context.search() to retrieve a list of filtered objects and then iterate through the results.
A corrected version of this code would look something like this:
import java.util.List;
import sailpoint.object.GroupDefinition;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
// Match only GroupDefinition objects whose owner Identity is named Randy.Knight
Filter filter = Filter.eq("owner.name", "Randy.Knight");
QueryOptions qo = new QueryOptions();
qo.addFilter(filter);
// BeanShell does not support generics, so the result is declared as a raw List
List groupDefinitions = context.getObjects(GroupDefinition.class, qo);
for (GroupDefinition group : groupDefinitions) {
System.out.println(group.getName());
}
In this corrected version:
We explicitly import GroupDefinition.
We retrieve the filtered objects with context.getObjects(GroupDefinition.class, qo) instead of getObjectsByNumber.
Thus, the original code is not correct as written.
The correct answer is B. No.
Reference: This correction and explanation are based on SailPoint IdentityIQ’s API documentation, which provides detailed guidance on the proper methods to retrieve and manipulate objects using Beanshell scripting within the platform.
Is this a valid step to take when importing SailPoint XML file objects into IdentityIQ? Solution: Move the XML file into the IIQ_HOME/WEB-INF/database.
- A . Yes
- B . No
B
Explanation:
The statement suggests moving the XML file into IIQ_HOME/WEB-INF/database as part of the process to import SailPoint XML file objects into IdentityIQ. However, this is not a valid step for importing XML objects.
The correct procedure to import SailPoint XML objects typically involves the following steps:
Use the iiq console command-line tool provided by SailPoint to import the XML file.
The command typically looks like: iiq console import <filename>.xml.
The XML file does not need to be moved to any specific directory like WEB-INF/database for the import process.
Moving the XML file into the WEB-INF/database directory does not align with the documented process and does not facilitate the import.
The correct answer is B. No.
Reference: This answer is based on the official SailPoint IdentityIQ documentation regarding object import procedures, which clearly states that imports should be performed using the IdentityIQ console or through the user interface (for smaller imports).
Is this a valid step to take when importing SailPoint XML file objects into IdentityIQ? Solution: Import the XML object through the IdentityIQ console.
- A . Yes
- B . No
A
Explanation:
Yes, this is a valid step to take when importing SailPoint XML file objects into IdentityIQ. The IdentityIQ console (iiq console) is a command-line tool used for various administrative tasks, including importing and exporting XML objects.
To import an XML object through the IdentityIQ console, the general procedure involves:
Navigating to the IdentityIQ installation directory.
Running the console with the import command:
iiq console import <filename>.xml
The console will process the XML file, importing the defined objects (roles, policies, identity mappings, etc.) into the IdentityIQ database.
This method is officially documented and is a common practice for importing configuration and objects into SailPoint IdentityIQ.
Therefore, the answer is A. Yes.
Reference: This explanation is derived from the SailPoint IdentityIQ Administration Guide, which details how to manage XML imports and exports using the IdentityIQ console tool.
An engineer needs to trigger a workflow when a Division attribute changes from "IT" to "Senior IT", but only when the user is a manager.
Is this a valid process that the engineer could use to launch a workflow for a lifecycle event? Solution: Create a trigger with an event type of rule and return True when the user's previous value of the division attribute is "IT" and the new value of the division attribute is "Senior IT".
- A . Yes
- B . No
B
Explanation:
The scenario describes triggering a workflow when a "Division" attribute changes from a specific value to "Senior IT," but only when the user is a manager. The proposed solution suggests creating a trigger with an event type of "rule" that checks the previous and new values of the "Division" attribute.
However, this approach has a couple of issues:
Trigger Configuration: In SailPoint IdentityIQ, a lifecycle event trigger typically operates on changes in identity attributes, but it’s not standard to define this trigger using a rule that directly inspects the previous and new values. Instead, the lifecycle event would usually be configured in the context of the application or identity to directly listen to specific changes without needing to define the logic in a custom rule.
Condition Validation: The condition of checking if the user is a manager should ideally be integrated within the workflow itself or the lifecycle event configuration, not just as part of a rule in the trigger.
While a rule can be used to define complex conditions, the correct way to implement this in IdentityIQ would involve setting up the lifecycle event trigger specifically for the attribute change and managing any additional conditions (like checking if the user is a manager) within the workflow or using an appropriate script/rule in that context.
Therefore, while partially correct in approach, the described solution is not the best practice or a valid process in IdentityIQ, so the correct answer is B. No.
Reference: This answer is based on the SailPoint IdentityIQ Lifecycle Manager Guide, which provides best practices for configuring lifecycle events and triggers, as well as proper use of rules and workflow triggers in these scenarios.
Can the search type in Syslog be used to accomplish this result? Solution: Identifying the number of employees that report to a specific person
- A . Yes
- B . No
B
Explanation:
Syslog is primarily used for logging system events and not for performing complex searches or queries on hierarchical or organizational data like identifying the number of employees that report to a specific person. Such a query would typically require access to the organizational hierarchy or identity data, which is better achieved through IdentityIQ’s reporting or search capabilities within the application rather than using Syslog. Syslog captures log events related to system operations, errors, and other activity logs but isn’t designed for the type of structured query described in the question.
Reference: SailPoint IdentityIQ Logging and Monitoring Guide
SailPoint IdentityIQ Administration Guide (Sections on Reporting and Search)
Can the search type in Syslog be used to accomplish this result? Solution: Identifying all Link objects from a particular application
- A . Yes
- B . No
B
Explanation:
Syslog is not intended for querying or identifying specific objects, such as all Link objects from a particular application. Syslog is used to record events and log information related to system activities, errors, and operations. To identify all Link objects from a particular application, you would use IdentityIQ’s internal search functionality or reports that allow you to filter and retrieve such objects. These tasks involve querying the database and application-specific data structures rather than examining log files.
Reference: SailPoint IdentityIQ Administration Guide (Section on Objects and Searching)
SailPoint IdentityIQ Configuration Guide (Understanding Link Objects)
Can the search type in Syslog be used to accomplish this result? Solution: Identifying details of a system error presented in the UI
- A . Yes
- B . No
A
Explanation:
Syslog can be used to identify the details of a system error presented in the UI. When a system error occurs, IdentityIQ typically logs detailed error messages, stack traces, and other relevant information to Syslog or other logging frameworks configured in the environment. By reviewing these logs, an administrator or engineer can identify and diagnose the specific error that was encountered in the UI.
Reference: SailPoint IdentityIQ Logging and Monitoring Guide
SailPoint IdentityIQ Administration Guide (Sections on Error Handling and Troubleshooting)
Can the search type in Syslog be used to accomplish this result? Solution: Launching a certification using the search results
- A . Yes
- B . No
A
Explanation:
Syslog cannot be used to launch a certification using the search results. Launching a certification in IdentityIQ is a process that involves interacting with the application’s certification module, where you define parameters, select users or roles, and initiate the certification campaign. This process requires using the IdentityIQ user interface or APIs, not the Syslog, which is purely for logging purposes.
Reference: SailPoint IdentityIQ Certification Guide
SailPoint IdentityIQ API and UI Guide
Can this be achieved using Rapid Setup user interface configuration options? Solution: Disable an account and remove all its entitlements on a particular application during Leaver events.
- A . Yes
- B . No
A
Explanation:
The Rapid Setup user interface configuration options in IdentityIQ can be used to disable an account and remove all its entitlements on a particular application during Leaver events. Rapid Setup is designed to simplify the configuration of common identity lifecycle processes, including handling leaver (termination) events. When configuring these events, you can specify actions such as disabling accounts and removing entitlements from specific applications as part of the termination process.
Reference: SailPoint IdentityIQ Rapid Setup Guide
SailPoint IdentityIQ Lifecycle Manager Guide (Sections on Lifecycle Event Configuration)
Can this be achieved using Rapid Setup user interface configuration options?
Solution: Disable an account on a particular application for one set of users and delete the account for another set of users during administrative Terminations.
- A . Yes
- B . No
B
Explanation:
The Rapid Setup user interface in SailPoint IdentityIQ is designed to simplify and streamline common configuration tasks, particularly during the initial setup of IdentityIQ environments. However, it has certain limitations in terms of granularity and customization.
In this case, the requirement is to disable an account on a particular application for one set of users and delete the account for another set of users during administrative terminations. The Rapid Setup interface does not provide options to differentiate between user groups for different actions (disable vs. delete) within the same termination event.
This level of specificity, applying different actions based on user group membership, would require a more advanced setup, possibly involving custom rules or workflows rather than using the Rapid Setup options.
Therefore, the correct answer is B. No.
Reference: This answer is based on the SailPoint IdentityIQ Rapid Setup Guide, which describes the capabilities and limitations of the Rapid Setup interface. The guide indicates that more complex scenarios require customization beyond what Rapid Setup can offer.
Can this be achieved using Rapid Setup user interface configuration options? Solution: Disable an account and remove all its entitlements on a particular application during Mover events.
- A . Yes
- B . No
B
Explanation:
The scenario described involves disabling an account and removing all its entitlements on a particular application during Mover events. The Rapid Setup user interface in SailPoint IdentityIQ primarily handles common configurations like enabling or disabling accounts, assigning or unassigning roles, and triggering certifications during lifecycle events.
However, the combination of disabling an account and removing all its entitlements for a Mover event typically involves more detailed configuration that goes beyond the capabilities of the Rapid Setup interface. Achieving this would generally require creating a custom workflow or a specific rule that handles both disabling the account and removing entitlements based on the Mover event triggers.
Thus, the Rapid Setup UI cannot achieve this level of detailed configuration, making the correct answer B. No.
Reference: This conclusion is drawn from the SailPoint IdentityIQ Lifecycle Manager documentation, which specifies the functionalities available through the Rapid Setup interface and the additional configurations possible through custom workflows.
Can this be achieved using Rapid Setup user interface configuration options? Solution: Reassign all object ownership to the user’s manager during Leaver and Termination events.
- A . Yes
- B . No
B
Explanation:
Reassigning all object ownership to a user’s manager during Leaver and Termination events is a complex process that typically involves custom logic or workflows to ensure that all owned objects (like access, certifications, roles, etc.) are correctly reassigned.
The Rapid Setup interface is primarily designed for standard lifecycle management tasks, such as role assignments, account enabling/disabling, and certifications. It does not inherently support the automatic reassignment of object ownership based on lifecycle events such as Leaver and Termination events.
This kind of reassignment would typically require a custom rule or workflow to track and reassign all owned objects, which falls outside the scope of what Rapid Setup can handle directly.
Therefore, the correct answer is B. No.
Reference: This information is supported by the SailPoint IdentityIQ Lifecycle Manager Guide, which outlines what is possible through Rapid Setup and what would require custom development.
Is this a question that an engineer should ask the customer when initially setting up a new IdentityIQ test environment? Solution: Does the customer need a deployment accelerator?
- A . Yes
- B . No
A
Explanation:
When setting up a new IdentityIQ test environment, it is important to assess the needs of the customer, including whether they would benefit from using a deployment accelerator.
Deployment accelerators are pre-configured sets of rules, policies, and workflows that can significantly reduce the time and effort required to deploy IdentityIQ in a test or production environment. These accelerators are particularly useful for rapidly setting up environments that align with common industry practices or specific compliance requirements.
Asking the customer whether they need a deployment accelerator is a valid and important question during the initial setup phase, as it helps to determine the best approach to configuring the test environment efficiently.
Therefore, the correct answer is A. Yes.
Reference: This answer is based on best practices outlined in the SailPoint IdentityIQ Implementation Guide, which emphasizes the importance of understanding customer needs, including the potential use of deployment accelerators, during the initial setup phases.
Can a Workgroup be used for the following scenario? Solution: Providing a group of users with specific capabilities.
- A . Yes
- B . No
A
Explanation:
In SailPoint IdentityIQ, a Workgroup can indeed be used to provide a group of users with specific capabilities. Workgroups are collections of users that can be assigned roles, tasks, and permissions. By associating capabilities with a Workgroup, all members of that Workgroup will inherit the capabilities defined.
This feature is commonly used to manage teams or departments that need to share specific privileges, such as the ability to approve access requests or manage certifications. Configuring capabilities for a Workgroup is a standard practice within IdentityIQ to simplify permission management and ensure consistent access control across the group.
Therefore, the correct answer is A. Yes.
Reference: This conclusion is drawn from the SailPoint IdentityIQ Administration Guide, which details how Workgroups function and how they can be used to assign capabilities and manage access control within the platform.
Can a Workgroup be used for the following scenario? Solution: Automatically creating multiple groups based on the values of a single identity attribute.
- A . Yes
- B . No
B
Explanation:
A Workgroup in SailPoint IdentityIQ is a collection of users or identities grouped together for the purpose of task assignment, workflow approvals, or certifications. Workgroups are not typically used for automatically creating multiple groups based on the values of a single identity attribute. To achieve automatic grouping based on identity attributes, you would need to use dynamic roles or possibly rule-based population. These methods allow for creating roles or groups dynamically by evaluating identity attributes and assigning memberships accordingly.
Reference: SailPoint IdentityIQ Administration Guide (Sections on Workgroups and Dynamic Roles)
SailPoint IdentityIQ Configuration Guide (Role Management)
The engineer is analyzing a workflow Transition.
The following variable values are known:
Will the workflow continue to this step?
Solution: Approve
- A . Yes
- B . No
B
Explanation:
The workflow transition condition shown in the image is Transition to="Approve" when="identityName != null". This condition checks whether the identityName variable is not null. In the provided scenario, the identityName variable has a value of "Catherine.Simmons," which is clearly not null. Therefore, the condition for transitioning to the "Approve" step will evaluate as true, meaning the workflow will indeed continue to the "Approve" step.
However, it seems like the question might be worded incorrectly as it asks if the workflow will continue to the "Approve" step when it actually will. If this was an error and the intention was to determine if it should not continue, the answer would have been "No." But based on the logic, the workflow will continue to the "Approve" step.
Reference: SailPoint IdentityIQ Workflow Documentation
SailPoint IdentityIQ Scripting Guide (Conditions and Transitions in Workflows)
Is the following statement true about out-of-the-box reporting?
Solution: In the Reporting user interface, instances of reports are located on the ‘My Reports’ tab, and templates are located on the ‘Reports’ tab.
- A . Yes
- B . No
A
Explanation:
The statement is true. In the SailPoint IdentityIQ Reporting user interface, report templates are located on the "Reports" tab. These templates define the structure and parameters of reports but do not contain actual report data. Instances of reports, which are the actual generated reports containing data based on the templates, are located on the "My Reports" tab. The "My Reports" tab is used for viewing and managing reports that have been generated for a specific user.
Reference: SailPoint IdentityIQ Reporting Guide
SailPoint IdentityIQ Administration Guide (Section on Reporting Interface)
Is the following a valid role option that can be configured? Solution: Configure a role to include a set of IdentityIQ capabilities.
- A . Yes
- B . No
A
Explanation:
The statement is true. In SailPoint IdentityIQ, it is possible to configure a role to include a set of IdentityIQ capabilities. Capabilities in IdentityIQ are permissions that grant users access to specific functionalities within the platform, such as managing identities, viewing reports, or administering roles. By associating a role with specific capabilities, you can control what actions users assigned to that role can perform within the IdentityIQ environment.
Reference: SailPoint IdentityIQ Administration Guide (Role Configuration and Capabilities Section)
SailPoint IdentityIQ Configuration Guide (Sections on Roles and Capabilities)
DRAG DROP
An implementation engineer needs to perform an initial installation of IdentityIQ.
Drag the options from the left into the answer area on the right, and place them in the correct order.
Explanation:
The correct order for performing an initial installation of SailPoint IdentityIQ is:
Ensure all of the application servers are stopped.
Stopping all application servers is crucial to prevent any conflicts or transactional interference during the installation process.
Un-jar the IdentityIQ WAR file in the desired directory of each application server.
Extract the IdentityIQ WAR file in the appropriate location for the application server. This step deploys the IdentityIQ application code.
Configure iiq.properties file with database credentials and datasource.
The iiq.properties file must be updated with correct database credentials and datasource configurations to establish a connection to the IdentityIQ database.
Create the IdentityIQ database.
A new IdentityIQ database must be created for the system. This is the foundation where all IdentityIQ data will be stored.
Generate database schema to include custom attributes by executing ‘iiq schema’.
Use the iiq schema command to generate the necessary database schema. This includes tables, constraints, and other structural components for IdentityIQ.
Initialize default IdentityIQ system objects from ‘iiq console’ using the ‘import’ command.
Import default system objects like roles, policies, and configuration settings using the IdentityIQ console’s import feature. This sets up the base configuration.
Start all of the application servers.
Once everything is configured, start the application servers to make the IdentityIQ application available.
Apply the latest patch.
Finally, apply any patches to ensure the system is up to date with the latest security and feature enhancements.
Comprehensive Detailed Explanation with All IdentityIQ Engineer Reference
Stopping all application servers is necessary to avoid file locks and ensure the WAR deployment and database setup processes can proceed smoothly.
Un-jarring the WAR file deploys IdentityIQ into the server directory structure, making its code accessible for execution.
Configuring the iiq.properties file connects IdentityIQ to the database, establishing where it will read and write data.
Creating the database is fundamental, as the IdentityIQ system relies on a structured data environment.
Generating the database schema via iiq schema builds out the tables and structures necessary for storing identity, access, and policy data.
Initializing system objects sets up core elements of IdentityIQ (like roles, capabilities, and system configurations) required for its operation.
Starting the application servers activates the IdentityIQ environment, allowing the system to begin processing requests.
Applying the latest patch ensures that the installation is up-to-date with all bug fixes, enhancements, and security updates from SailPoint.
Reference: SailPoint IdentityIQ Installation Guide (steps on fresh installation and post-installation configurations).
A bank is two years into an ongoing project to provide all access through roles. The bank is actively using roles and actively adding to their role model. They need to ensure that all roles include the correct entitlements.
Will this certification type achieve the goal? Solution: Application Owner Certification
- A . Yes
- B . No
B
Explanation:
An Application Owner Certification is primarily used to certify entitlements and roles associated with specific applications. It involves application owners reviewing access within their applications, which is useful for ensuring that access aligns with the intended security policies for that application.
However, in the context of ensuring that roles include the correct entitlements across the entire role model, a more suitable certification type would be a Role Composition Certification. This type specifically focuses on validating the composition of roles, including the entitlements they aggregate.
Therefore, an Application Owner Certification will not fully achieve the goal of ensuring all roles include the correct entitlements. The correct answer is B. No.
Reference: This information is based on SailPoint IdentityIQ’s Certification Guide, which describes the different certification types and their appropriate use cases.
A bank is two years into an ongoing project to provide all access through roles. The bank is actively using roles and actively adding to their role model. They need to ensure that all roles include the correct entitlements.
Will this certification type achieve the goal? Solution: Account Group Membership Certification
- A . Yes
- B . No
B
Explanation:
An Account Group Membership Certification is designed to certify group memberships within accounts, typically focusing on the validation of access within specific account groups (e.g., Active Directory groups).
This type of certification does not directly address the accuracy of role composition or the correctness of entitlements assigned within roles. Since the bank’s goal is to ensure that all roles include the correct entitlements, an Account Group Membership Certification is not suitable for this purpose.
Thus, the correct answer is B. No.
Reference: This conclusion is supported by the SailPoint IdentityIQ Certification Guide, which details the purpose and function of each certification type, highlighting that Account Group Membership Certification is not meant for role entitlement validation.
A bank is two years into an ongoing project to provide all access through roles. The bank is actively using roles and actively adding to their role model. They need to ensure that all roles include the correct entitlements.
Will this certification type achieve the goal? Solution: Role Composition Certification
- A . Yes
- B . No
A
Explanation:
A Role Composition Certification is specifically designed to ensure that roles are composed correctly by reviewing the entitlements and other roles they aggregate. This certification allows reviewers to verify whether the roles include the appropriate entitlements based on business needs and compliance requirements.
Given that the bank’s objective is to ensure that all roles include the correct entitlements, a Role Composition Certification is the most appropriate tool to achieve this goal. It allows for the comprehensive review and validation of roles and their associated entitlements, ensuring alignment with the overall access governance strategy.
Therefore, the correct answer is A. Yes.
Reference: This answer is based on the SailPoint IdentityIQ Certification Guide, which highlights the Role Composition Certification as the recommended approach for validating and maintaining the accuracy of role entitlements within an organization’s identity governance framework.
Is this what should be performed in order to generate the database script to extend Application attributes in the IdentityIQ database on the initial installation? Solution: Run a build with the updated schema placed inside it.
- A . Yes
- B . No
B
Explanation:
Running a build with the updated schema placed inside it is not the correct procedure to generate the database script to extend Application attributes in the IdentityIQ database during the initial installation. To extend the schema, you typically need to define the changes in a specific XML schema file and then generate the corresponding database scripts using IdentityIQ tools designed for schema extension. A build process does not inherently generate the required database scripts for extending attributes.
Reference: SailPoint IdentityIQ Schema Configuration Guide
SailPoint IdentityIQ Installation and Setup Guide
Is this what should be performed in order to generate the database script to extend Application attributes in the IdentityIQ database on the initial installation? Solution: Run the command iiq extendedSchema in the IIQ_Home/WEB-INF/bin directory.
- A . Yes
- B . No
A
Explanation:
Running the command iiq extendedSchema in the IIQ_Home/WEB-INF/bin directory is correct and one of the standard procedures for generating database scripts to extend Application attributes in the IdentityIQ database. This command processes the schema definitions (including any new attributes) and generates the appropriate SQL scripts to update the database schema. These scripts can then be executed against the database to apply the changes.
Reference: SailPoint IdentityIQ Administration Guide (Schema Extension and Database Management Sections)
SailPoint IdentityIQ Configuration Guide (Extended Schema Management)
Is this what should be performed in order to generate the database script to extend Application attributes in the IdentityIQ database on the initial installation? Solution: Add the new object attribute to the Application ObjectConfig in IdentityIQ.
- A . Yes
- B . No
B
Explanation:
Adding a new object attribute to the Application ObjectConfig in IdentityIQ is not sufficient on its own to generate the database script needed to extend Application attributes. This action updates the configuration within IdentityIQ for how the application object is managed, but it does not produce the necessary SQL scripts to modify the underlying database schema. The actual database schema must be extended using specific IdentityIQ tools and commands like iiq extendedSchema.
Reference: SailPoint IdentityIQ Configuration Guide (ObjectConfig and Schema Management)
SailPoint IdentityIQ Administration Guide (Database Schema Extension)
An organization is making a change at the regional level.
Many users of a financial system have incorrect entitlements. Some users are missing entitlements, and some users have excess entitlements. Work needs to be performed to clean up access.
Is this one of the IdentityIQ batch request types that can help meet this goal? Solution: Delete Entitlement
- A . Yes
- B . No
B
Explanation:
The "Delete Entitlement" batch request type is not designed for cleaning up access by correcting or updating entitlements in bulk. Instead, "Delete Entitlement" is used to remove specific entitlements from the system entirely, which may not be what is needed if the goal is to correct incorrect entitlements (e.g., removing excess entitlements while adding missing ones). For the scenario described, where users need their entitlements corrected, other batch processes such as "Update Entitlement," "Revoke Access," or specific role re-assignment processes would be more appropriate.
Reference: SailPoint IdentityIQ Batch Request Types Documentation
SailPoint IdentityIQ Administration Guide (Entitlement Management Sections)
Can the following action be performed using Rapid Setup application onboarding? Solution: Specify account correlation using a rule.
- A . Yes
- B . No
B
Explanation:
Specifying account correlation using a rule cannot be performed using the Rapid Setup application onboarding process. Rapid Setup is designed for straightforward and simplified onboarding processes with a focus on quick configuration, typically using predefined templates and options. However, advanced configurations like custom account correlation rules require more detailed setup, typically done outside of the Rapid Setup UI, involving scripting or detailed configuration within the application definition.
Reference: SailPoint IdentityIQ Rapid Setup Guide
SailPoint IdentityIQ Administration Guide (Account Correlation and Application Onboarding Sections)
Can the following action be performed using Rapid Setup application onboarding? Solution: Specify the account attribute and value filter that identifies a secondary account.
- A . Yes
- B . No
B
Explanation:
Rapid Setup application onboarding is designed to simplify the initial configuration and does not typically provide advanced configuration options like specifying an account attribute and value filter to identify secondary accounts. Such detailed configurations often require custom scripting or detailed adjustments within the standard application setup, outside of the Rapid Setup interface.
Reference: SailPoint IdentityIQ Rapid Setup Guide
SailPoint IdentityIQ Administration Guide (Sections on Application Onboarding and Advanced Account Mapping)
Can the following action be performed using Rapid Setup application onboarding? Solution: Specify account correlation by mapping an identity attribute to an account attribute.
- A . Yes
- B . No
A
Explanation:
Rapid Setup does allow for specifying account correlation by mapping an identity attribute to an account attribute. This is a standard part of the onboarding process where you define how IdentityIQ should correlate accounts to identities. This basic mapping functionality is included in Rapid Setup to facilitate straightforward account correlation during application onboarding.
Reference: SailPoint IdentityIQ Rapid Setup Guide
SailPoint IdentityIQ Administration Guide (Account Correlation and Mapping Sections)
Is this a purpose of an IdentityIQ certification? Solution: to attest to a user’s integrity
- A . Yes
- B . No
B
Explanation:
The purpose of an IdentityIQ certification is not to attest to a user’s integrity. Certifications in IdentityIQ are designed to review and verify user access rights to ensure they are appropriate based on roles, policies, and organizational rules. The focus is on access management rather than personal qualities like integrity.
Reference: SailPoint IdentityIQ Certification Guide
SailPoint IdentityIQ Governance Overview
Is this a purpose of an IdentityIQ certification? Solution: to attest to a user’s system access
- A . Yes
- B . No
A
Explanation:
Yes, this is indeed one of the primary purposes of an IdentityIQ certification. Certifications are conducted to attest to a user’s system access, ensuring that each user has appropriate and justified access rights to applications, data, and systems within the organization. This is central to IdentityIQ’s access governance and compliance processes.
Reference: SailPoint IdentityIQ Certification Guide
SailPoint IdentityIQ Governance Overview
Is this a purpose of an IdentityIQ certification? Solution: to certify user expense reports
- A . Yes
- B . No
B
Explanation:
Certifying user expense reports is not a purpose of IdentityIQ certification. IdentityIQ certifications are focused on access and identity governance, specifically reviewing and validating user access rights within systems. Expense report certification would be a different process, typically managed by financial or expense management systems, not by IdentityIQ.
Reference: SailPoint IdentityIQ Certification Guide
SailPoint IdentityIQ Governance Overview
Is this a purpose of an IdentityIQ certification? Solution: to review a snapshot of a user’s system access
- A . Yes
- B . No
A
Explanation:
One of the primary purposes of an IdentityIQ certification is to provide reviewers with a snapshot of a user’s system access at a given point in time. This snapshot allows managers, auditors, or other designated reviewers to verify whether the access privileges assigned to a user are appropriate, based on their job responsibilities and compliance requirements. By reviewing this snapshot, organizations can identify and remediate any inappropriate or excessive access, thus maintaining a secure and compliant environment.
Therefore, the correct answer is A. Yes.
Reference: This answer is supported by the SailPoint IdentityIQ Certification Guide, which outlines the goals and use cases for access certifications, including reviewing and verifying user access rights.
DRAG DROP
Which four steps are necessary for turning on Certifications logging at the severity log level of trace? Drag four options from the left into the answer area on the right, and place them in the correct order.
Explanation:
The correct sequence of steps to turn on Certifications logging at the severity log level of trace is as follows:
Edit the file: [IdentityIQ installation] > WEB-INF > classes > log4j.properties.
This step involves accessing the configuration file where logging parameters are managed. The log4j.properties file is crucial for adjusting logging settings such as the log level for specific modules in SailPoint IdentityIQ.
Uncomment the out-of-the-box logger #log4j.logger.sailpoint.api.Certification=info.
This step enables the logger for Certification by removing the comment from the respective line in the log4j.properties file. This makes the logger active for the certification process.
Change the log level to trace and save.
After uncommenting the logger, change the log level from info to trace. The trace level provides the most detailed logging, capturing comprehensive information about the certification process for troubleshooting.
Restart the application server.
Restarting the application server is necessary for the changes in the log4j.properties file to take effect. SailPoint IdentityIQ reads the updated configuration during the startup process.
Comprehensive Detailed Explanation with All IdentityIQ Engineer Reference
Editing the log4j.properties file is a standard practice in SailPoint IdentityIQ for configuring logging. This file, located in the WEB-INF/classes directory, controls how and what IdentityIQ logs for different components.
Uncommenting the specific logger is needed to ensure that the system is logging the events related to certification. The commented line #log4j.logger.sailpoint.api.Certification=info can be found in the default configuration and needs to be activated for proper logging.
Setting the log level to trace is crucial because trace provides the most detailed logging, which is essential for deep debugging or tracking granular details about the certifications in IdentityIQ.
Restarting the server ensures that the changes to the logging configuration are applied, as the settings in log4j.properties are only read during the startup phase.
Reference: SailPoint IdentityIQ Log Management and Troubleshooting Guide (section on adjusting log levels and configurations).
Is this a correct procedure for testing generated emails in a non-production system? Solution: Change the Email Notification Type to Redirect to file using FTP protocol under Global Settings > Configure IdentityIQ Settings > Mail Settings, run the test scenario, and verify that the email text is saved to the redirected file.
- A . Yes
- B . No
B
Explanation:
The proposed solution suggests changing the Email Notification Type to "Redirect to file using FTP protocol" under Global Settings > Configure IdentityIQ Settings > Mail Settings. However, IdentityIQ does not provide an option to redirect emails to a file using the FTP protocol directly through the Global Settings in the application.
Typically, to test generated emails in a non-production environment, you would change the Email Notification Type to "Redirect to File" (if the option is available) or configure an SMTP server with a different setup that captures emails in a file or a specific mailbox designed for testing purposes. The specific steps for testing email generation may vary, but the solution as stated does not align with standard IdentityIQ practices.
Thus, the correct answer is B. No.
Reference: This answer is based on the SailPoint IdentityIQ Administration Guide, which outlines email configuration options and best practices for testing in non-production environments.