Applications and Identity Modeling

Question 1

Schemas

Answer 1

Definition of what data to read from the application and how to interpret that data

Question 2

Schema types: Account

Answer 2

Represents individual accounts on a target resource (Active Directory or SAP Accounts, for example)required

Question 3

Schema types: Group

Answer 3

• Represent native account groups from target resource (LDAP Groups or Active Directory
  Groups, for example)
• Certain connectors support multiple group schemas (6.4)
• JDBC, SQL Loader, Delimited File, and Oracle EBS
  optional

Question 4

What are the four different correlation methods?

Answer 4

• Correlation Wizard
• Correlation Rule
• Default Logic
• Manually

Question 5

Correlation Wizard can use which two types of correlation

Answer 5

• Attribute based
  Ex: Correlate account attribute mail with identity attribute email
• Condition based Ex: Correlate accounts where app2_service = true with Admin cube

Question 6

Major thing to remember when using manual correlation.

Answer 6

Correlation permanently retained

Question 7

What do Correlation Rule do?

Answer 7

Build and maintain account correlations

Question 8

What do customization Rule do?

Answer 8

Modify/normalize incoming account data prior to saving to an Identity

Question 9

What do Managed Entitlement Customization Rule do?

Answer 9

Set fields such as owner, requestable, or descriptions on ManagedAttributes (entitlements,
groups)

Question 10

Aggregation and Correlation steps:

Answer 10

1. Non-authoritative application contains accounts
2. Application/Connector defines what to read, how to connect
3. Aggregation task runs
4. Connector reads accounts, tries to correlate to existing
   Identity Cubes
5. Positive Correlation – add account to existing cube
6. Unsuccessful Correlation – add account to new cube (mark
   as un-correlated)

Question 11

Connector Rules:
What is Build Map Rule

Answer 11

• Runs for every line in the file
• Converts incoming data into map

Question 12

Connector Rules:
What is Preiterate Rule

Answer 12

• Runs once for each aggregation
• Can do any pre-processing

Question 13

Connector Rules:
What is Postiterate Rule

Answer 13

• Runs once for each aggregation
• Can do any post-processing

Question 14

Connector Rules:
Map To ResourceObject Rules:

Answer 14

• Runs once for each account or group
• Performs final conversion to Resource Object

Question 15

Connector Rules:
MergeMaps Rules:

Answer 15

• Performs merging processing
• If default merge capabilities aren’t enough, a rule here can control merging

Question 16

Within a schema, what are attribute properties

Answer 16

define how attributes are used and managed, including their data type, allowed values, and whether they can be multi-valued or indexed

Question 17

Properties of Attributes
Entitlement

Answer 17

Marking an attribute as an entitlement indicates that this is an access right you want to track for your identities (for example, to use in certifications).

Question 18

Properties of Attributes
Managed

Answer 18

Attributes designated as Managed can be viewed and managed from the Entitlement Catalog page. Managed attributes can be made requestable, can be assigned an owner (for approvals or entitlement certifications), and can have display names and descriptions that will help users identify and understand them. They can also be used in policies and risk calculations.

Question 19

Properties of Attributes
Multi-valued

Answer 19

For some attributes, multiple values might be returned during aggregation (for example, an attribute indicating group membership). These should be marked as Multi-valued. Values for attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-value attribute are stored as a single-item list.

Question 20

Properties of Attributes
Correlation Key

Answer 20

The Correlation Key flag is only used for activity and unstructured data aggregation. If activity aggregation is not being used, Correlation Key should not be selected. This flag specifies attributes that IdentityIQ can use to correlate activity discovered in the activity logs for this application with information stored in Identity Cubes. For information about correlating aggregated accounts to existing identities, see Correlation in Application Concepts.

Question 21

Properties of Attributes
Minable

Answer 21

Attributes that you want to use for role and profile creation should be marked as minable. This allows the Role Mining feature to mine applications for attributes and permissions when creating roles and profiles, rather than requiring manual entry of the values. Only attributes designated as minable are returned by those searches.

Question 22

Properties of Attributes
Remediation Modifiable

Answer 22

Attributes that are remediation modifiable can have their values and permissions modified as part of a certification, for the identity being certified. Options are:

Select – in the certification, display a select list of all possible values or permissions for this attribute.

Free text – in the certification, display a text field in which a certifier can enter any value.

Readonly – the value cannot be modified.

Question 24

What is the term for reading application data into IdentityIQ from external sources?

Answer 24

Aggregation

Aggregation is a key process in IdentityIQ for integrating external data.

Question 25

True or False: A task can interact with a user and is typically activated in response to a user action or data change.

Answer 25

False ## Footnote Workflows are user-interactive while tasks handle batch processes.

Question 26

True or False: Implementers can add their own custom business logic to IdentityIQ using rules.

Answer 26

True ## Footnote Rules allow for customization of business logic in IdentityIQ.

Question 27

What are the main components required for installation?

Answer 27

Java Runtime, Application Server, IdentityIQ Software, Database Server, Other Components ## Footnote Other Components may include items like IQService for provisioning to Active Directory

Question 28

Where does the IdentityIQ Software operate?

Answer 28

Inside the Application Server

Question 29

What is the function of the Database Server in the installation?

Answer 29

Stores data for the IdentityIQ Software

Question 30

Fill in the blank: _______ is required for provisioning to Active Directory.

Answer 30

IQService

Question 31

True or False: The installation components are fixed and do not depend on implementation goals.

Answer 31

False

Question 32

What may be included in the 'Other Components' based on implementation goals?

Answer 32

IQService or other specific tools needed for integration

Question 33

What are the supported application servers?

Answer 33

* Tomcat * WebSphere * WebLogic * JBoss ## Footnote These are platforms that can host Java applications.

Question 34

List the supported databases.

Answer 34

* MySQL * Oracle * MS SQL Server * DB2 ## Footnote These databases can be used in conjunction with the supported application servers.

Question 35

What Java platforms are supported?

Answer 35

* Sun JDK * Oracle JDK * IBM JDK * Oracle JRockit JDK ## Footnote These are different implementations of the Java Development Kit.

Question 36

What does SSB stand for?

Answer 36

Services Standard Build

Question 37

What is the primary function of the Services Standard Build?

Answer 37

Automates packaging and deployment of custom objects and code

Question 38

What is processed by batch hosts?

Answer 38

* Tasks/reports * Workflows * Certification generation * Etcetera ## Footnote Batch hosts are used for processing a variety of tasks that do not require immediate user interaction.

Question 39

What is processed by UI hosts?

Answer 39

* Access Requests * Access Reviews (certifications) * Dynamic Analytics * Etcetera ## Footnote UI hosts are designed for tasks that involve user interaction and immediate responses.

Question 40

Which hosts required the use of load balancer?

Answer 40

UI (User interface) hosts ## Footnote Load balancers help maintain performance and reliability by ensuring no single server becomes overwhelmed.

Question 41

What is the role of a Request Scheduler?

Answer 41

Manages and prioritizes incoming requests to optimize processing ## Footnote Request schedulers help improve the efficiency of resource allocation.

Question 42

What is extremely important for database deployment?

Answer 42

Network Proximity (latency) ## Footnote IIQ requires 3ms or less (0.3ms preferred) round-trip latency between its application server and its Database Server.

Question 43

The critical network performance zone is between the user's browser and IdentityIQ. It requires a round trip latency of 3ms or less.

Answer 43

False. The connection between Application server and database needs to be less than 3ms.

Question 44

The Services Standard Build (SSB) is a deployment process provided by SailPoint that is required when deploying IdentityIQ. True or false

Answer 44

False. It is not required.

Question 45

What is the first step in the Identity Cube Creation Process?

Answer 45

Authoritative resource contains accounts

Question 46

What role does the Application/Connector play in the Identity Cube Creation Process?

Answer 46

Defines schema and how to connect to resource

Question 47

What does the Connector do in the Identity Cube Creation Process?

Answer 47

Reads accounts

Question 48

What defines the creation of Identity Attributes?

Answer 48

Identity Mappings

Question 49

When would you use Manager Correlation Rule?

Answer 49

When simple matching is not enough

Question 50

Identity Mapping #1

Answer 50

Property name for the attribute

Question 51

Identity Mapping #2

Answer 51

Display value can be a message key for localization support

Question 52

Identity Mapping #5

Answer 52

Source of Attribute: application account attribute or RuleProperty name for the attribute

Question 53

True or False: Authoritative Identity Cubes are created for each account read from all applications.

Answer 53

False

Question 54

When an attribute is marked as 'searchable', what does this mean?

Answer 54

The attribute is stored in its own column for more efficient access for searching.

Question 55

True or False: The terms Identity Attributes and Account Attributes refer to the same thing.

Answer 55

False ## Footnote Identity Attributes are in IIQ. Account Attribute are in source applications

Question 56

Benefits of Rapid Setup

Answer 56

* Allows a broad team of people to participate in deployment * Supported by core product data structure * Framework for quick configuration of common scenarios | Available since in 8.1

Question 57

Steps to fix uncorrelated account

Answer 57

* Identify uncorrelated accounts * Manually correlate an account to an Identity Cube * Remove empty Identity Cube

Question 58

Purpose of connector rules

Answer 58

These rules are used to implement pre-processing of data, implement post-processing of data, and manipulate, merge, or otherwise transform the incoming data as it is being read. ## Footnote Connector rules vary by connector type.

Question 59

**Connector Troubleshooting:** Check pass-through Authentication

Answer 59

connectorDebug auth

Question 60

**Connector Troubleshooting:** Connection test

Answer 60

connectorDebug test

Question 61

What is consistent across connectors

Answer 61

* Account and Group schema * Resource Object representation * Application-level rules

Question 62

What varies across connectors?

Answer 62

* Group schema – one vs. multiple * Connectivity details * Connector-specific rules

Question 63

How is an identity's manager determed?

Answer 63

You must: * Define which application attribute defines a user’s manager * Map the application attribute to the manager’s Identity Attribute ## Footnote Manager Correlation Rule will work as well