Saviynt IGA 101 Flashcards

Certification

1
Q

What are the advantages of a microservices-based architecture? (choose one or more)

  • Automatic scale up & scale down
  • Save cost on infrastructure
  • No network latency
  • None of the above
A

Automatic scale up and scale down
Save cost on infrastructure

2
Q

Saviynt allows end users to interact with a UI that is backed by a
- business layer
- user interface layer
- data layer
- none of the above

A

user interface layer

3
Q

Explain the three levels of disaster recovery available

A

Diamond - Warm DR / continuous replica

Gold - RDS (Relational Database Service) instance provisioned every 24 hours

Platinum - RDS (Relational Database Service) instance provisioned every six hours

4
Q

What compliance can Saviynt meet?

A

FedRAMP moderate
ISO 27001:2013
ISO 27001:2015
PCI-DSS
SOC1 Type II
SOC2 Type II

5
Q

What four types of application security are used?

A
  • Data Isolation
  • Security at rest - AES 256 bit encryption w/ Azure Key Vault
  • Security in transit - HTTPS only, TLS 1.2+
  • URL Security - Akamai WAF, MFA & SSO
6
Q

What is SC2.0?

A

Saviynt Connect 2.0
- Provides Secure tunnel from customer’s network to Saviynt Cloud
- Supports forward proxy w/ basic auth & bypass auth
- Routing is handled entirely by SC 2.0 server & routes auto-push to the client

7
Q

Saviynt Architecture / Connectivity Options

A

On-prem:
1. Saviynt Connect 2.0 (default)
2. IPSEC VPN
3. VPC / VNET Peering

SAAS:
1. HTTPS

8
Q

Number of Saviynt regions worldwide

A

27

9
Q

Which of the following options does Saviynt suggest for achieving high availability? (choose one or more)
- Deployment in different availability zones and regions
- Assigning elastic IP addresses
- Clustering
- None of the above

A
  • Deployment in different availability zones and regions
  • Assigning elastic IP addresses
  • Clustering
10
Q

What does Saviynt mean by Account Correlation?

A

Account correlation is the process of mapping accounts to users. This also identifies accounts that are unmapped as orphan accounts.

11
Q

What does EIC stand for?

A

Enterprise Identity Cloud

12
Q

What four types of accounts can be managed with Saviynt?

A

Application accounts
Orphan accounts
Privilege accounts
Service accounts

13
Q

What are entitlements according to Saviynt?

A

Entitlements are privileges that are granted to users. Entitlements can be mapped to accounts.

14
Q

What is a role according to Saviynt?

A

A role is a collection of entitlements that are assigned to a user. Saviynt’s roles lessen the tedious task of manually assigning entitlements (privileges) to users.

15
Q

What are the four types of Saviynt roles that can be assigned to users?

A

Application roles
Enterprise roles
Privileged roles
Other roles

16
Q

What are the three ways you can import roles to Saviynt?

A
  1. Upload roles from the Saviynt UI, as admin (can use CSV files)
  2. Upload roles based on schema (can also use SAV & CSV files)
  3. Upload roles using the database connection
17
Q

How is a 3rd party application represented in Saviynt Enterprise Identity Cloud (EIC)?

A

As an endpoint (AKA target)

18
Q

One or more application endpoints logically grouped together under an application category is referred to as this by Saviynt

A

Security System

19
Q

Accounts, entitlements, and other data can be imported from the target application and mapped into this in Saviynt Enterprise Identity Cloud (EIC)

A

an endpoint

20
Q

An endpoint in Saviynt supports these three types of applications

A

connected, disconnected and hybrid applications

21
Q

A Saviynt endpoint (target application) can contain user data such as

A

accounts, entitlements and roles

22
Q

Saviynt Connectors refer to this for connecting enterprise identity cloud (EIC) to target applications

A

Saviynt Connectors refer to the configuration setup for connecting enterprise identity cloud (EIC) to target applications

23
Q

Examples of Saviynt EIC supported out of the box connectors

A

Active Directory, AWS, Azure, Box, Database, LDAP, PeopleSoft, REST, Salesforce, SAP, SOAP

24
Q

For home-grown applications, Saviynt provides support to build custom connectors via this

A

the Saviynt Connector Framework (SCF)

25
Saviynt Connector Framework allows customers to do what?
Build connectors for home-grown applications
26
In the Identity Repository Schema Model, what does the Saviynt schema contain?
The Saviynt schema contains information about key Saviynt tables used when performing SQL queries, in order to obtain identity details.
27
What do the Saviynt database tables store?
All relevant details pertaining to an object in Enterprise Identity Cloud (EIC)
28
What are the four ways to import users?
  • API - triggered through an external system via Saviynt's REST interface
  • Flat files / batch process (Disconnected)
  • HR Platform sync (Connected)
  • Manual - user registration / vendor onboarding through a sponsor, or bulk action by an admin in the UI
29
What does a connected user import refer to?
In this type of user import, a direct connection is made to a target application to pull user details into Saviynt's EIC database
30
What does a disconnected user import refer to?
Method 1: Batch files sent to the server
Method 2: Batch files uploaded by an admin
31
What are the three ways to manually create a new user?
  1. Upload from a CSV
  2. Create a user manually in the UI
  3. Open a request to create a user in the UI
32
What are the three application types?
Connected, Hybrid, & Disconnected
33
A Security System can be considered as this in Saviynt EIC
an Application Category (notes page 18)
34
Connections created in Saviynt are selected in this. Additionally, Workflows, access approval and removal need to be selected in this as well.
in the Security System
35
An endpoint is an instance of this in Saviynt
an application or target system
36
How does application data import compare for disconnected applications versus connected applications?
For disconnected applications, a CSV file is used to import the data. For connected applications, you can use an out-of-the-box Saviynt connector or a database connector.
37
What job is used to import application data?
Application Data Import Job
38
What Saviynt mechanism is used for rapid application onboarding?
Saviynt Application Onboarding Workbench. This is especially relevant for self-serve onboarding for business users and application owners.
39
Why the new application onboarding in Saviynt EIC?
  1. Less effort to onboard apps
  2. Reduced time to onboard apps
  3. Reduce application onboarding time by up to 90%
40
Application Onboarding is via this particular Saviynt role
ROLE_ADMIN SAV role
41
What are three types of application onboarding methods?
  • Advanced - Use this method to manually configure the enrollment of an application
  • Assisted - Use a wizard to define app settings
  • Quick - Use of default or minimal settings, complete enrolling of the application with a single click
42
What is an identity BOT?
An identity bot allows you to integrate Saviynt Enterprise Identity Cloud with applications that do not expose integration APIs. Identity BOT can perform a set of predefined steps to help in the rapid onboarding of such applications, automating the process of integration.
43
Three application types supported for onboarding by Identity BOT
  • Command Line
  • Desktop
  • Web
44
Saviynt Controls Library Feature does this
The Saviynt Controls Library collects suggestions for common applications & compliance requirements, including HIPAA, HiTRUST, SOX, PCI DSS, CPPA, GDPR, ISO 2000 series, and NIST.
45
What two roles can provide admin privileges to Enterprise Identity Cloud
  • Role_Admin
  • Role_UIAdmin
46
Saviynt Roles are used to define this
Saviynt Roles are used to define the privileges granted to users
47
Benefits of Saviynt Roles
  • Persona-based access control (Sys Admin, Helpdesk, reporting manager, role owner)
  • Reduced administrative work and IT support
  • Maximized Operational Efficiency
  • Improved Compliance
48
What are the recommended naming conventions for Custom Saviynt Roles?
  • Start with ROLE_
  • Use UPPERCASE characters
49
What are four ways to assign Saviynt Roles to users?
  • While setting up a connector (e.g. AD Connector)
  • When using Technical & User update rules
  • Via the Access Request System (ARS) module
  • While setting up Job Request Management (JRM) rules
50
What are some core Saviynt IGA lifecycle & functional capabilities
  • Providing rules for new users that are distinct from rules for existing users
  • Enabling event-based configuration rules
  • Facilitating automatic revoke of access based on the lifecycle of an identity
51
What are three types of rules in Saviynt?
  • Event-Based Rules (technical rules, user update rules, entitlement update rules)
  • Access Request-based Rules
  • Data Access Governance-based Rules (Scan Rules)
52
What are technical rules in Saviynt?
Technical rules are applied to provision birthright access to employees joining an organization.
53
What are user update rules in Saviynt?
User update rules are for the mover and leaver scenarios. When a user moves from contractor to permanent employee, the user gets a new manager, or the user is rehired, the user update rule is triggered.
54
What are entitlement update rules in Saviynt?
Entitlement update rules are executed when any property or attribute of an entitlement changes.

Entitlement update rules are used in conjunction w/ "non-elastic analytical runtime control of preventative type".

The above phrase might refer to a feature that continuously analyzes user activity and access attempts against predefined security rules. If the analysis detects suspicious activity that violates these rules (e.g., access attempts from unusual locations, excessive privilege escalation attempts), the control mechanism takes preventative actions.

Here's a possible scenario:
  1. A user attempts to access a highly sensitive resource from an unrecognized location.
  2. Saviynt's analytical runtime control detects this attempt in real-time.
  3. The non-elastic control, which might be a pre-configured rule, automatically blocks the access attempt to prevent a potential security breach.
55
What are request rules in Saviynt?
Request rules are used when single-user, multi-user or bulk upload user requests are made from the Access Request System.
56
What are scan rules in Saviynt?
Scan rules are used to provide the capability to scan any sensitive or confidential information.
57
Organization Update Rules
Organization Update Rules are used in conjunction with management of Organizations in Enterprise Identity Cloud
58
What is the execution trail?
The execution trail shows you the details for rules that have been run. It contains information about the rules applied, as well as data before and after it was changed. It also provides the ability to rerun failed rules & actions.
59
What three tabs are on the execution trail page?
  • Action Trail - provides details of failed actions
  • Rule Trail - provides details about failed rules
  • Archived Rule Trail - used to view the line items archived after retrying the rule / rule action execution to successful completion
60
True or false: Technical Rules can be used for zero-day access for new employees
True
61
True or false: Technical Rules can remove birthright access automatically if a birthright condition fails anytime in the future
True
62
What are two ways to trigger technical rules?
  • Auto-Trigger: User is created in Saviynt or imported from external sources (CSV, HRMS)
  • User Update Rule: A user update rule can re-run all provisioning rules and technical rules.
63
Where can importing users from a HRMS be accomplished?
This can be done via the Job Control Panel using the drop-down option, Zero-day provisioning
64
A technical rule is made up of a combination of these two parts
A condition (made up of user attributes) and an action.
65
True or false: You can preview the data when you create technical rules, so that you have an understanding of the current users who match that rule.
True
66
How does one create a technical rule?
Go to Policies -> Technical Rules. Then click Actions -> Create Technical Rule.
67
List eight features of technical rules (used to assign access)
  1. Preview data capability
  2. Rule creation & modification approvals
  3. Advanced query options
  4. Ability to retry failed rules
  5. Rule ownership & approvals Workflow
  6. Delegated administration of rules
  7. Auto removal of access if condition fails
  8. Ability to assign access dynamically
68
For technical rules, what are the birthright checkbox, and detective checkbox for?
The birthright check box is used if you want to evaluate a rule for newly created users. The detective check box is used if you want to evaluate a rule for existing users.
69
For technical rules, what does the advanced config slider do?
The advanced config slider, when turned on, allows you to write an advanced query for the condition to determine when and for whom a technical rule applies.
70
What are user update rules for?
User update rules are for the mover and leaver scenarios. When a user moves from contractor to permanent employee, the user gets a new manager, the user's department changes, the user is rehired, or a person is terminated, the user update rule is triggered.
71
What are the two ways to trigger a user update rule? (User update rules are for the mover and leaver scenarios)
  1. Auto-Trigger (user is updated in Saviynt, from CSV or HRMS)
  2. Via Saviynt APIs
72
Where do you find user update rules? (User update rules are for the mover and leaver scenarios)
Go to Admin module -> Policies -> User update rules to see user update rules
73
How do you trigger user update rules when importing users from a CSV? (User update rules are for the mover and leaver scenarios)
Go to Users -> Actions -> Upload user -> Check Rules -> Yes
74
How do you trigger user update rules when importing users from an HRMS? (User update rules are for the mover and leaver scenarios)
Go to Job Control Panel -> UserImport job -> Check rules drop-down -> Yes
75
List the eight features of User update rules (User update rules are for the mover and leaver scenarios)
  1. Deprovision account
  2. Deprovision access
  3. Transfer Ownership
  4. Launch Microcertification
  5. Trigger technical rules
  6. Remove failed birthright access
  7. Deprovision role
  8. Enable user
76
Where do you create user update rules? (User update rules are for the mover and leaver scenarios)
Admin -> Policies -> User update rules -> Actions -> Create user update rule
77
Where do you find roles?
Admin module -> Identity Repository -> Roles
78
If a user's title and manager changes, what type of rule would handle this?
This mover scenario is handled via a User Update Rule
79
What type of rule would handle a leaver scenario, including offboarding the user and transferring any possible role ownerships?
User update rule
80
What can a user request?
  • Applications
  • Roles
  • Emergency Roles
  • Emergency IDs
  • Group Management
  • Service account management
81
What are the most common requests from a governance perspective?
Role management request & user management request
82
What are the three high-level parts of an access request (assignment) flow?
  1. End user submits the access request
  2. Approver approves the request
  3. The request is fulfilled in the target application
83
How is fulfillment for an approved access request completed for a connected app vs a disconnected app?
For a connected app, the access is automatically provisioned and fulfilled through connectors. For a disconnected app, Saviynt creates a ticket in an external ITSM, such as ServiceNow
84
What are three types of access requests?
application requests, role requests and bulk requests
85
What can an application request be for?
Application access requests can be for an account, entitlement or application role of an application.
86
What is an enterprise role request?
An enterprise role request is a request for entitlements that span across multiple endpoints (target applications).
87
How does one submit a new access request?
From the home page, click the request new access tile
88
Request history tile shows you what?
The request history tile shows you the status of current requests. If you have permission, you can view others' requests in addition to your own.
89
Where can you see requests that have not yet been handled?
Click the Pending Approvals tile to see pending approvals.
90
What is Saviynt's Smart Review in the context of access requests?
Smart Review gives you a little bit of automation and intelligence on a request. Smart Review automatically identifies all requests that are safe and approves them.
91
Where in Saviynt would you create a job to pick up all pending tasks?
You can create a job in the job control panel to pick up all the pending tasks. You can schedule the job to run daily, hourly, every X number of minutes, or based on a Cron expression.
92
Where does a Saviynt administrator configure settings for an application request?
Admin -> Identity Repository -> Security System -> select the application. Next assign a workflow to the application. You can have separate workflows for access being added and access being removed.
93
How does one make a role requestable?
To make a role requestable, set the request option to something other than “None”.
94
What is a workflow?
A workflow is the approval/reject process through which a request flows after the request is submitted for approval to the manager or resource owner.
95
What variable is used to check violations for SOX compliance Workflow(s)?
SOXCRITICALCOUNT
96
True or false: A workflow can be reused and assigned to multiple applications.
True
97
What are the steps in the GUI to create a new workflow?
Admin -> Workflows -> Workflow List -> Actions -> Create New Workflow
98
When creating a new workflow, what does a workflow begin with?
A workflow begins with a “start” event.
99
A workflow is only activated once "this" has happened.
A Workflow is only activated once it has been approved.
100
What are two things that should be done when finished creating a workflow?
Click “Send for approval” when you are done constructing a workflow. You can also specify an owner for the workflow.
101
What does “Workflow accepted and loaded” mean?
“Workflow accepted and loaded” means that the workflow is active
102
What does a green check mark for a workflow mean?
A green check mark means a workflow is ready to use and can be assigned to applications.
103
What are four disciplines that governance, risk and compliance spans?
Enterprise risk management, audit management (Sarbanes-Oxley testing), compliance management (e.g. GDPR, NIST), access control
104
True or false: Saviynt provides convergence of IDM and GRC
True
105
Does Saviynt provide coarse-grained or fine-grained visibility into entitlements?
Saviynt provides fine-grained visibility into entitlements
106
Where can Saviynt's segregation of duties (SOD) capabilities be used?
Saviynt's segregation of duties (SOD) capabilities can be used in a preventative manner (e.g. before granting access), or in a detective manner (if a violation already exists).
107
What are three Saviynt segregation of duties (SOD) objects? page 61
Functions, risks, and rulesets
108
What is a ruleset in the context of Separation of Duties for Saviynt?
A ruleset is a list containing all the risk definitions. You can go to rulesets in the SOD module to see the predefined rulesets for various applications.
109
What are the four priority levels you can set for a risk definition in Saviynt SOD rulesets?
You can set the priority of the risk here to low, medium, high or critical.
110
What is preventative SOD analysis in Saviynt?
Preventative SOD analysis is a proactive process that ensures the risks defined in a ruleset are not violated or mitigated while requesting access via Saviynt. SOD violation can be viewed by the requestor at the time of the request, and by the approver at the approval level.
111
What two user interface settings need to be turned on for preventative SOD configuration?
The following two user interface settings need to be turned on for preventative SOD configuration for access requests:
  • "Show SOD in Request"
  • "Evaluate SODs in Access Request"
112
Where does a risk and compliance team member or Saviynt admin view detected SOD violations?
113
What is detective SOD analysis designed in Saviynt to do?
Detective SOD analysis is designed in Saviynt to identify conflicts or violations after they have occurred according to pre-defined rulesets.
- Any possible violations can be monitored in SOD Workbench.
- Violations can be remediated by removing the conflicting access, or the violations can be accepted for a limited time by associating a mitigating control.
114
Where can you go in the Saviynt SOD module to see the results of an SOD evaluation job?
In SOD module, go to SOD Violations to see the results of the SOD Evaluation job (AKA SOD Violation workbench)
115
What do Smart Filters do for SOD in User Access Reviews?
Smart Filters allow you to quickly focus on the riskiest access for User Access Reviews. Saviynt can automatically remove revoked access.
116
What can you do for a detected SOD violation if you want to accept a risk for a period of time?
You can select mitigating controls for a detective SOD violation if you want to accept a risk for a period of time. Once the expiration date has passed, the violation is moved to an open state again.
117
What are certifications in Saviynt?
Certification is a process by which a responsible party or certifier ensures that people and resources are granted access only when absolutely required for performing a function. Certification requires a primary certifier / owner of the object.
118
What are campaigns in Saviynt?
Campaigns allow you to group similar access reviews together in Saviynt.
119
What are the three parts of a campaign lifecycle?
  1. Preview & launch
  2. Manage
  3. Review Certification
120
Where do you go in the interface to get to a campaign list?
Waffle button at top right -> Certifications -> Campaign List
121
Where can you set up the defaults for campaign settings?
Global Configurations is the central place for managing configurations of all modules, including all default settings for campaigns.
122
What does the Analytics piece of Saviynt Enterprise Identity Cloud allow users to do?
Analytics allows users to create reports using custom queries against the Saviynt database.
123
What kind of action could be available from actionable Saviynt reports?
You could revoke access directly from the reports page. You can map orphan accounts to specific users.
124
What is data analyzer?
Data analyzer helps you to analyze the data stored in Saviynt Enterprise Identity Cloud. Data Analyzer accesses the database schema in read-only mode, and provides a SQL builder to write your custom SQL queries if desired. Top 100 results are displayed from the database.
125
What is the Control Center?
The Control Center allows customers to meaningfully organize and visualize controls that are shipped, pre-packaged, or built by them. Three components of Control Center are topics, books & KPIs. KPIs can be positive or negative.
126