Which of the following options support Authentication Mechanisms in Saviynt?
- A . None of the below
- B . REST
- C . LDAP
- D . SAML 2.0
- E . Database
D
Explanation:
Saviynt primarily leverages SAML 2.0 as its core authentication mechanism. SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, in this case, between users and Saviynt. It allows for secure, single sign-on experiences.
While Saviynt can interact with databases, REST APIs, and LDAP directories for various purposes like identity data aggregation or provisioning, these are not its primary authentication methods. Databases: Saviynt can connect to databases to pull identity information, but the platform itself doesn’t authenticate users directly against a database.
REST: REST APIs are used for programmatic interaction with Saviynt, not typically for initial user authentication.
LDAP: While LDAP can be a source of identity data, Saviynt’s core authentication relies on SAML for its standardized and secure approach.
Key Saviynt IGA references supporting this:
Saviynt Documentation: The official Saviynt documentation consistently refers to SAML as the primary authentication mechanism.
Saviynt Connectors: Saviynt provides pre-built connectors for various identity providers (IdPs) that support SAML, further emphasizing its reliance on this standard.
Saviynt Training Materials: Saviynt’s training courses and certifications highlight SAML’s role in the platform’s authentication framework.
In the process of setting up Single Sign-On using SAML 2.0, the "SP Entity ID" acts as a unique identifier for the Saviynt SP. If "SP Entity ID" is set to the value of SaviyntSP, which of the following will be the correct Single Sign-On URL to log in to EIC?
- A . https://myorg.saviyntcloud.com/ECM/saml/SSO/SaviyntSP
- B . https://myorg.saviyntcloud.com/SaviyntSP
- C . https://myorg.saviyntcloud.com/ECM/saml/SSO/alias/SaviyntSP
C
Explanation:
In Saviynt’s SAML 2.0 based Single Sign-On (SSO) configuration, the "SP Entity ID" uniquely identifies Saviynt as the Service Provider (SP) to the Identity Provider (IdP). The correct SSO URL structure incorporates this "SP Entity ID" within a specific path.
Saviynt’s URL Structure: Saviynt’s SSO URLs follow a pattern to ensure proper routing and authentication. The /ECM/saml/SSO/alias/ portion is crucial for directing SAML-based login attempts.
Why the other options are incorrect:
The Max Authentication Session parameter in Single Sign-On settings specifies the maximum duration, in seconds, for which an SSO session will remain valid. The default value is 3600 seconds.
If the session logout value defined in IDP is 10,000 seconds and Max Authentication Session in Saviynt SSO is 5000 seconds, how long will the session last?
- A . 5000 seconds
- B . 10,000 seconds
- C . 3600 seconds
- D . None of the above
A
Explanation:
In Saviynt’s SSO setup, the "Max Authentication Session" parameter determines the maximum duration of an SSO session within Saviynt, overriding any longer durations set by the Identity Provider (IdP).
Session Duration Logic: Saviynt’s internal session timeout setting takes precedence over the IdP’s session timeout. This ensures that Saviynt can enforce its own security policies regarding session lifetimes.
Why other options are incorrect:
B. 10,000 seconds: This is the IdP’s session logout value, but Saviynt’s "Max Authentication Session" setting overrides it.
C. 3600 seconds: This is the default value, but the question specifies a configured value of 5000 seconds.
Saviynt IGA
Reference: Saviynt Documentation: The documentation for configuring SSO settings within Saviynt explains the "Max Authentication Session" parameter and its impact on session duration.
Saviynt Best Practices: Saviynt’s best practices for SSO often recommend aligning session timeouts between the IdP and Saviynt to avoid confusion and potential security gaps.
Single Sign-On is enabled in EIC using Azure Identity Provider.
In this scenario, can the user log in using Azure and EIC native authentication?
- A . True
- B . False
B
Explanation:
When Single Sign-On (SSO) is enabled in Saviynt EIC using an external Identity Provider (IdP) like Azure AD, it generally becomes the exclusive authentication method. This means users cannot use Saviynt’s native authentication (i.e., logging in with a username/password stored directly within Saviynt).
Reasons for this:
Security and Centralized Control: SSO with an IdP enhances security by centralizing authentication and enforcing stronger password policies. Allowing native logins would create a potential bypass of these security measures.
User Experience: SSO provides a seamless login experience, eliminating the need for users to remember multiple credentials. Offering both SSO and native logins could lead to confusion and a less streamlined process.
Administrative Efficiency: SSO simplifies user management by delegating authentication to the IdP. Administrators don’t need to manage separate user accounts and passwords within Saviynt. Saviynt IGA
Reference: Saviynt Documentation: Saviynt’s documentation on SSO configurations emphasizes that enabling SSO typically disables native authentication methods.
Saviynt Best Practices: Saviynt’s best practices for SSO recommend enforcing SSO as the sole authentication method for improved security and user experience.
Saviynt Implementation Guides: Implementation guides for setting up SSO with various IdPs, including Azure AD, often highlight the exclusive nature of SSO authentication.
Which of the following Role types should be selected for a Role containing Entitlements that span across multiple applications?
- A . Application Role
- B . Transactional Role
- C . Enabler Role
- D . Enterprise Role
D
Explanation:
In Saviynt, Enterprise Roles are specifically designed to encompass entitlements that span multiple applications. This is in contrast to Application Roles, which are limited to entitlements within a single application.
Enterprise Roles: Provide a way to group entitlements across different applications, reflecting a user’s overall job function or responsibilities within the organization. This is essential for managing access for users who need permissions in various systems to perform their duties.
Other Role Types:
Application Role: Grants permissions specific to a single application.
Transactional Role: Focuses on granting permissions for specific tasks or transactions within an application.
Enabler Role: Provides supplementary permissions that enhance or support other roles.
Saviynt IGA
Reference: Saviynt Documentation: The section on Role Management within Saviynt’s documentation clearly defines the different role types and their purposes.
Saviynt Training Materials: Saviynt’s training courses emphasize the importance of Enterprise Roles in managing cross-application access.
Which of the following SAV Roles grant users the privilege to edit UI Labels?
- A . UIADMIN ROLE
- B . ROLE_ADMINUI
- C . ADMINULROLE
- D . ROLE.UIADMIN
A
Explanation:
The UIADMIN ROLE in Saviynt grants users the privilege to edit UI (User Interface) labels. This role is crucial for customizing the Saviynt interface to align with an organization’s terminology and branding.
UI Customization: Saviynt allows administrators to modify various UI elements, including labels, to improve user experience and comprehension. The UIADMIN ROLE provides the necessary permissions for these modifications.
Why other options are incorrect:
The other options are not standard Saviynt roles and do not have any associated privileges for UI label editing.
Saviynt IGA
Reference: Saviynt Documentation: The documentation on Saviynt’s administration and configuration settings includes information about UI customization and the associated UIADMIN ROLE.
Saviynt Support: Saviynt’s support resources may contain articles or knowledge base entries related to UI customization and the permissions required.
Which of the following Application types can be associated with the Automated Provisioning configuration turned OFF?
- A . Service Desk Application
- B . Hybrid Application
- C . Connected Application
- D . Disconnected Application
D
Explanation:
Disconnected applications in Saviynt are those that do not have real-time integration with the platform for provisioning and de-provisioning users. Therefore, automated provisioning would be turned OFF for these types of applications.
Disconnected Applications: These applications typically require manual intervention or custom scripts to manage user access. Saviynt can still manage entitlements and access requests for these applications, but it doesn’t directly provision or de-provision accounts.
Other Application Types:
Service Desk Application: Usually integrated with Saviynt for automated request fulfillment. Hybrid Application: May have some level of automated provisioning, depending on the specific configuration.
Connected Application: Fully integrated with Saviynt for real-time, automated provisioning.
Saviynt IGA
Reference: Saviynt Documentation: The section on Application Onboarding in Saviynt’s documentation explains the different application types and their integration capabilities, including the concept of disconnected applications.
________ refers to any type of access that is associated with a managed system or application, such as groups, roles, permissions, or responsibilities.
- A . Entitlements
- B . Endpoints
- C . Workflows
- D . Accounts
A
Explanation:
In Saviynt, "Entitlements" refers to any type of access granted to users within a managed system or application. This broad term encompasses various forms of access controls, including: Groups: Collections of users with shared access permissions.
Roles: Sets of permissions that define a user’s job function or responsibilities.
Permissions: Specific access rights to resources or functionalities.
Responsibilities: Duties or tasks associated with a particular role.
Why other options are incorrect:
Endpoints: Refer to network devices or systems, not access rights.
Workflows: Are automated processes for tasks like approvals, not access itself.
Accounts: Represent user identities, not the specific access they have.
Saviynt IGA
Reference: Saviynt Documentation: Saviynt’s documentation consistently uses the term "Entitlements" to describe the various types of access it manages.
Saviynt User Interface: The Saviynt interface uses "Entitlements" throughout its menus and features related to access management.
Accounts, Entitlement types, and Entitlement data of an application are directly associated with:
- A . Endpoints
- B . Roles
- C . Workflows
- D . Security Systems
A
Explanation:
In Saviynt, Endpoints represent the systems or applications that Saviynt manages. Accounts, entitlement types, and entitlement data are all directly associated with these endpoints because they define how access is structured and granted within those specific systems.
Endpoints as the Foundation: Endpoints are the core objects in Saviynt’s identity governance framework. They provide the context for managing access, as all entitlements and accounts exist within the context of a specific endpoint (application or system).
Why other options are incorrect:
Roles: Roles are collections of entitlements, but they are not the primary object that accounts and entitlements are directly linked to.
Workflows: Workflows are processes, not the systems or applications themselves.
Security Systems: While related to security, this term is too broad and doesn’t specifically refer to the systems being managed.
Saviynt IGA
Reference: Saviynt Documentation: The section on Application Onboarding and Endpoint Management in Saviynt’s documentation clarifies the role of endpoints as the central objects for managing access. Saviynt User Interface: When configuring applications or systems in Saviynt, you define them as endpoints, and all related accounts and entitlements are managed within that endpoint’s context.
Which of the following aspects in EIC is regarded as a unique identity of a person?
- A . Endpoint
- B . Employee
- C . Account
- D . User
D
Explanation:
In Saviynt, a User represents the unique identity of a person. It’s the central object that ties together all the information about an individual, including their accounts, entitlements, roles, and attributes.
Why other options are incorrect:
Endpoint: Represents a system or application, not a person.
Employee: While many users might be employees, the term "user" is more general and can include contractors, partners, etc.
Account: Represents a user’s access to a specific system, not their overall identity.
Saviynt IGA
Reference: Saviynt Documentation: Throughout the documentation, "User" consistently refers to the individual’s identity within the system.
Saviynt User Interface: The User Management section in Saviynt focuses on managing the lifecycle and access of individual users.
Which of the following must be linked to the Active Directory Security System to automatically reconcile Accounts from AD into Saviynt?
- A . AD Control
- B . AD Rule
- C . AD Connection
- D . AD Role
C
Explanation:
An AD Connection in Saviynt is required to establish communication and data exchange with an Active Directory (AD) domain. This connection enables Saviynt to automatically reconcile accounts from AD, ensuring that the identity information in Saviynt stays synchronized with the AD.
Why other options are incorrect:
AD Control, AD Rule, AD Role: These terms are not standard components within Saviynt’s framework
for integrating with Active Directory.
Saviynt IGA
Reference: Saviynt Documentation: The section on integrating with Active Directory clearly outlines the need for an AD Connection and provides step-by-step instructions for configuring it.
Saviynt Connectors: Saviynt offers pre-built connectors for Active Directory that simplify the process of establishing the connection.
Which of the following Connections is used for integrating Saviynt with a ticketing system?
- A . Service Ticket Connection
- B . Ticket Connection
- C . Service Desk Connection
- D . Provisioning Connection
C
Explanation:
A Service Desk Connection in Saviynt is used to integrate with external ticketing systems.
This integration allows Saviynt to:
Automate request fulfillment: Access requests created in Saviynt can automatically generate tickets in the service desk system.
Track request status: Saviynt can update the status of access requests based on the corresponding ticket status in the service desk system.
Improve communication: Integration facilitates seamless communication and collaboration between
Saviynt and the service desk team.
Why other options are incorrect:
Service Ticket Connection, Ticket Connection, Provisioning Connection: These are not standard terms
used in Saviynt for service desk integration.
Saviynt IGA
Reference: Saviynt Documentation: The documentation on integrating with Service Desk systems explains the purpose and configuration of a Service Desk Connection.
Saviynt Connectors: Saviynt provides connectors for popular service desk solutions like ServiceNow, facilitating the integration process.
Which of the following options is part of the Saviynt Identity Repository?
- A . Users, Identity Rules, Workflows, Roles
- B . Users, User Groups, Workflows, SAV Roles
- C . Users, Accounts, Entitlements, Roles
- D . Users, Accounts, Entitlements, Workflows
C
Explanation:
Saviynt’s Identity Repository is the central hub for storing and managing all identity-related information.
It includes:
Users: Representing individuals and their attributes.
Accounts: Representing user access to specific systems or applications.
Entitlements: Representing permissions and access rights within those systems.
Roles: Representing collections of entitlements that define job functions or responsibilities.
Why other options are incorrect:
A, B, and D: These options include elements like Identity Rules, Workflows, and SAV Roles, which are important components of Saviynt but are not core parts of the Identity Repository itself. Saviynt IGA
Reference: Saviynt Documentation: The section on the Identity Repository describes its function and the types of data it stores.
Saviynt User Interface: The Identity Repository is a key section within the Saviynt interface, where you can view and manage users, accounts, entitlements, and roles.
Marty, an Administrator, reconciled Oracle Accounts into Saviynt. During the import, the incoming accounts were required to be mapped to the existing users in Saviynt.
Which of the following Rules should be used to successfully associate Accounts to the correct users?
- A . Account to User Rule
- B . Account Name Rule
- C . Technical Rule
- D . User Account Correlation Rule
D
Explanation:
User Account Correlation Rules in Saviynt are specifically designed to map imported accounts to existing users within the system. These rules define the logic for matching accounts to users based on various attributes, such as employee ID, email address, or username.
Why other options are incorrect:
Account to User Rule: This is not a standard rule type in Saviynt.
Account Name Rule: This might focus on naming conventions for accounts, not correlating them to users.
Technical Rule: This is a broader category of rules and doesn’t specifically address account-user mapping.
Saviynt IGA
Reference: Saviynt Documentation: The section on Account Correlation Rules provides detailed information on how to configure these rules for different scenarios.
Saviynt Use Cases: Saviynt often provides examples and use cases demonstrating how to use User Account Correlation Rules to automate account mapping during imports.
If you want an application to be available for requesting access (self or other), which of the following should be configured?
- A . Proposed Accounts Workflow
- B . Access Remove Workflow
- C . Access Add Workflow
- D . Emergency Access ID Request Workflow
C
Explanation:
To make an application available for access requests (either self-service or requests for others), the Access Add Workflow needs to be configured within Saviynt. This workflow defines the process that governs how access to the application is granted. Here’s a breakdown with Saviynt IGA references: Saviynt’s Access Request System (ARS): This is the module within Saviynt that handles access requests. The ARS relies on defined workflows to manage the approval and provisioning process. Access Add Workflow: This specific type of workflow within Saviynt’s ARS is triggered when a user requests access to an application or entitlement. It dictates the steps involved, such as: Requester Details: Capturing information about who is requesting access.
Application/Entitlement Selection: The user selects the application (and potentially specific roles or entitlements within that application) for which they are requesting access.
Approval Routing: Defining the approval chain (e.g., manager approval, application owner approval, etc.). This is configured within the workflow using various approval activities.
Provisioning: Upon approval, the workflow can trigger automated provisioning of access to the target system (if connected integration is set up).
Saviynt’s Application Onboarding: For an application to be available in the ARS, it needs to be onboarded into Saviynt. During this process, you would typically define the relevant entitlements (access rights) associated with the application.
Workflow Configuration in Saviynt: Saviynt’s admin interface allows administrators to create and customize workflows using a visual designer. This includes setting up conditions, defining approval steps, and configuring actions to be taken at each stage of the workflow.
Other options:
Proposed Accounts Workflow: This is less common, often used to suggest potential accounts during the request or account creation process. It’s not the primary mechanism for making an application available for access requests.
Access Remove Workflow: This workflow is used when access needs to be revoked, not granted. Emergency Access ID Request Workflow: This workflow is specific to requesting temporary, elevated access in emergency situations. It’s not the workflow for general access requests to applications.
Which of the following statuses is applicable for the "Add Access" task type when the task is successfully completed?
- A . Provisioned
- B . Success
- C . Manually Provisioned
- D . Active
A
Explanation:
When an "Add Access" task is successfully completed in Saviynt, the applicable status is typically "Provisioned." Here’s a detailed explanation with Saviynt references:
Saviynt’s Task Management: Saviynt uses tasks to track the progress of various operations, including access provisioning. These tasks are generated as part of workflows, such as the "Access Add Workflow."
"Add Access" Task Type: This specific task type is created when the access request is approved and the system is ready to grant the requested access to the target application.
Task Statuses in Saviynt: Saviynt uses different statuses to indicate the current state of a task.
Common statuses include:
Pending: The task is waiting to be processed.
In Progress: The task is currently being executed.
Provisioned: This status signifies that the requested access has been successfully granted to the user in the target system.
Failed: The task encountered an error and could not be completed.
Manually Provisioned: The task was completed manually by an administrator, rather than through automated provisioning.
Success: While sometimes used, this status is less specific than "Provisioned" in the context of "Add
Access" tasks, since it does not specify that the action completed was a provisioning action.
Active: Typically applies to accounts or users, not tasks.
Saviynt’s Workflow Engine: The workflow engine in Saviynt updates the task status as it progresses through the defined steps. For connected applications, the workflow engine might directly interact
with the target system’s API to provision the access. Once the provisioning is successful, the status is updated to "Provisioned."
Saviynt’s Audit Trails: Saviynt maintains detailed audit trails, and the task status changes are logged.
This provides a clear record of when access was provisioned for a user.
Other Options:
Success: As mentioned above, this is a general status. While technically correct (the task succeeded), "Provisioned" provides more context.
Manually Provisioned: This status is only applicable if an administrator intervened and manually granted the access outside of the automated workflow.
Active: This status typically pertains to a user or account’s overall status, not specifically to the completion of an "Add Access" task.
________ filters the requestable applications under "Request New Access."
- A . Access Add Workflow
- B . Access Query
- C . Provisioning Connection
- D . Whom to Request
B
Explanation:
The component that filters the requestable applications under "Request New Access" in Saviynt is the Access Query.
Here’s a detailed explanation:
Saviynt’s Access Request System (ARS): As the front end for requesting access, the ARS needs a mechanism to determine which applications (and entitlements) should be displayed to a user as requestable.
Access Query: This is a powerful feature within Saviynt that allows administrators to define specific criteria to control the visibility of applications and entitlements in the ARS. Think of it as a filter that determines what a user can see and request.
How Access Queries Work:
Defined on Applications/Entitlements: Access Queries are configured on individual applications or entitlements within Saviynt.
Based on User Attributes: They use user attributes (e.g., department, location, job title, group memberships) and other criteria (e.g., risk level) to determine if a user should see a particular application or entitlement.
Dynamic Filtering: When a user accesses the "Request New Access" section, Saviynt evaluates the Access Queries associated with each application and entitlement in real-time. Based on the user’s attributes, the system dynamically filters the list, showing only the applications and entitlements that match the query conditions.
Saviynt’s Security Model: Access Queries are a fundamental part of Saviynt’s security model. They ensure that users are only presented with access options that are relevant and appropriate for their role and context, preventing accidental over-provisioning and reducing the attack surface.
Other Options:
Access Add Workflow: While essential for processing access requests, the workflow itself doesn’t filter which applications are initially displayed.
Provisioning Connection: This relates to how Saviynt connects to target systems for automated provisioning. It doesn’t control the initial visibility of applications in the ARS.
Whom to Request: This setting might determine the available approvers, but it doesn’t filter the list of requestable applications.
In essence: Access Queries act as a dynamic filter, leveraging user attributes and defined criteria to determine which applications and entitlements are presented to a user within Saviynt’s "Request New Access" interface, ensuring a personalized and secure access request experience.
Which of the following Access Request configurations can be set up as either optional or mandatory, based on business requirements?
- A . Approval comments
- B . Add Attachment
- C . Business justification at Request level
- D . None of the above
A
Explanation:
In Saviynt’s Access Request configurations, the following can be set up as either optional or mandatory based on business requirements:
What is the maximum file attachment limit for a request?
- A . 15
- B . 5
- C . 10
- D . 20
C
Explanation:
The maximum file attachment limit for a request in Saviynt is typically 10.
Here’s an explanation:
Saviynt’s Access Request System (ARS): The ARS allows users to attach files to access requests to provide supporting documentation or justification.
Attachment Limits: To prevent excessive storage usage and potential performance issues, Saviynt imposes limits on the number and size of attachments allowed per request.
Default Limit: The default maximum number of attachments allowed per request in Saviynt is generally 10.
Configuration: While 10 is the common default, it’s worth noting that this limit might be configurable within the ARS settings in some Saviynt deployments. However, significantly increasing this limit could impact performance.
File Size Limit: In addition to the number of attachments, there’s also usually a limit on the individual file size and the total size of all attachments combined. This is also generally configurable. These file size limits are important for maintain system stability and performance.
Error Handling: If a user attempts to exceed the attachment limit, Saviynt will typically display an error message, preventing them from submitting the request until the number of attachments is reduced.
Which of the following configurations on Entitlement Type is used to make an Entitlement request time-bound?
- A . Ask for Start Date while revoking
- B . Allow update of Access End Date
- C . Config JSON for Request Dates
- D . Start Date/End Date while raising a Request
D
Explanation:
To make an Entitlement request time-bound in Saviynt, the configuration used on the Entitlement Type is D. Start Date/End Date while raising a Request.
Here’s a breakdown:
Saviynt’s Entitlement Management: Entitlements represent specific access rights within an application. Saviynt allows fine-grained control over how these entitlements are requested and granted.
Entitlement Type Configuration: Within Saviynt, each Entitlement Type can be configured with various settings that govern its behavior during access requests.
Time-Bound Access: To enforce time-limited access, Saviynt provides the option to require a Start Date and End Date during the request process.
"Start Date/End Date while raising a Request": This configuration setting, when enabled on an Entitlement Type, forces the requester to specify a desired start and end date for the access. This ensures that the granted access will only be valid for a specific period.
Saviynt’s Workflow Engine and Provisioning: When a request with a start and end date is approved,
Saviynt’s workflow engine will typically handle the provisioning and de-provisioning based on these
dates. If connected integration is set up, it may schedule the activation and deactivation of the
access in the target system accordingly.
Other Options: