Saviynt IGA 101

Question 1

What are the advantages of a microservices based architecture? (chose one or more)

• Automatic scale up & scale down
• Save cost on infrastructure
• No network latency
• None of the above

Answer 1

Automatic scale up and scale down
Save cost on infrastructure

Question 2

Saviynt allows end users to interact with a UI that is backed by a
- business layer
- user interface layer
- data layer
- none of the above

Answer 2

user interface layer

Question 3

Explain the three levels of disaster recovery available

Answer 3

Diamond - Warm DR / continuous replica

Gold - RDS (Relational Database Service) instance provisioned every 24 hours

Platinum - RDS (Relational Database Service) instance provisioned every six hours

Question 4

What compliance can Saviynt meet?

Answer 4

FedRAMP moderate
ISO 27001:2013
ISO 27001:2015
PCI-DSS
SOC1 Type II
SOC2 Type II

Question 5

What four types of application security are used?

Answer 5

• Data Isolation
• Security at rest - AES 256 bit encryption w/ Azure Key Vault
• Security in transit - HTTPS only, TLS 1.2+
• URL Security - Akamai WAF, MFA & SSO

Question 6

What is SC2.0?

Answer 6

Saviynt Connect 2.0
- Provides Secure tunnel from customer’s network to Saviynt Cloud
- Supports forward proxy w/ basic auth & bypass auth
- Routing is handled entirely by SC 2.0 server & routes auto-push to the client

Question 7

Saviynt Architecture / Connectivity Options

Answer 7

On-prem:
1. Saviynt Connect 2.0 (default)
2. IPSEC VPN
3. VPC / VNET Peering

SAAS:
1. HTTPS

Question 8

Number of Saviynt regions worldwide

Answer 8

27

Question 9

Which of the following options does Saviynt suggest for achieving high availability? (choose one or more)
- Deployment in different availability zones and regions
- Assigning elastic IP addresses
- Clustering
- None of the above

Answer 9

• Deployment in different availability zones and regions
• Assigning elastic IP addresses
• Clustering

Question 10

What does Saviynt mean by Account Correlation?

Answer 10

Account correlation is the process of mapping to users. This also identifies accounts that are unmapped as orphan accounts.

Question 11

What does EIC stand for?

Answer 11

Enteprise Identity Cloud

Question 12

What four types of accounts can be managed with Saviynt?

Answer 12

Application accounts
Orphan accounts
Privilege accounts
Service accounts

Question 13

What are entitlements according to Saviynt?

Answer 13

Entitlements are privileges that are granted to users. Entitlements can be mapped to accounts.

Question 14

What is a role according to Saviynt?

Answer 14

A role is a collection of entitlements that are assigned to a user. Saviynt’s roles lesson the tedious task of manually assigning entitlements (privileges) to users.

Question 15

What are the four types of Saviynt roles that can be assigned to users?

Answer 15

Application roles
Enterprise roles
Privileged roles
Other roles

Question 16

What are the three ways can you import roles to Saviynt?

Answer 16

1. Upload roles from the Saviynt UI, as admin (can use CSV files)
2. Upload roles based on schema (can also use SAV & CSV files)
3. Upload roles using the database connection

Question 17

How is a 3rd party application represented in Saviynt Enterprise Identity Cloud (EIC)?

Answer 17

As an endpoint (AKA target)

Question 18

One or more application endpoints logically grouped together under an appliation category is referred to as this by Saviynt

Answer 18

Security System

Question 19

Accounts, entitlements, and other data can be imported from the target application and mapped into this in Saviynt Enterprise Identity Cloud (EIC)

Answer 19

an endpoint

Question 20

A endpoint in Saviynt supports these three types of applications

Answer 20

connected, disconnected and hybrid applications

Question 21

A Saviynt endpoint (target application) can contain user data such as

Answer 21

accounts, entitlements and roles

Question 22

Saviynt Connectors refer to this for connecting enterprise identity cloud (EIC) to target applications

Answer 22

Saviynt Connectors refer to the configuration setup for connecting enterprise identity cloud (EIC) to target applications

Question 23

Examples of Saviynt EIC supported out of the box connectors

Answer 23

Active Directory, AWS, Azure, Box, Database, LDAP, PeopleSoft, REST, Salesforce, SAP, SOAP

Question 24

For home-grown applications, Saviynt provides support to build custom connectors via this

Answer 24

the Saviynt Connector Framework (SCF)

Question 25

Saviynt Connector Framework allows customers to do what?

Answer 25

Build connectors for home-grown applications

Question 26

In the Identity Repository Schema Model, what does the Saviynt schema contain?

Answer 26

The Saviynt schema contains Information about key Saviynt tables used when performing SQL queries, in order to obtain identity details.

Question 27

What does the Saviynt database tables store?

Answer 27

All relevant details pertaining to an object in Enterprise Identity Cloud (EIC)

Question 28

What are the four ways to import users?

Answer 28

API - triggered through an external system via Saviynt’s REST interface

Flat files / batch process (Disconnected)

HR Platform sync (Connected)

Manual - user registration / vendor onboarding through a sponsor, or bulk action by an admin in the UI

Question 29

What does a connected user import refer to?

Answer 29

In this type of user import, a direct connection is made to a target appliation to pull user details into Saviynt’s EIC database

Question 30

What does a disconnected user import refer to?

Answer 30

Method 1: Batch files sent to the server
Method 2: Batch files uploaded by an admin

Question 31

What are the three ways to manually create a new user?

Answer 31

1. Upload from a CSV
2. Create a user manually in the UI
3. Open a request to create a user in the UI

Question 32

What are the three application types?

Answer 32

Connected, Hybrid, & Disconnected

Question 33

A Security System can be considered as this in Saviynt EIC

Answer 33

an Application Category (notes page 18)

Question 34

Connections created in Saviynt are selected in this. Additionally, Workflows, access approval and removal need to be selected in this as well.

Answer 34

in the Security System

Question 35

An endpoint is an instance of this in Saviynt

Answer 35

an application or target system

Question 36

How does application data import compare for disconnected applications versus connected applications?

Answer 36

For disconnected applications, a CSV file is used to import the data. For connected applications, you can use an out-of-the-box Saviynt connector or a database connector.

Question 37

What job is used to import application data?

Answer 37

Application Data Import Job

Question 38

What Saviynt mechanism is used for rapid application onboarding?

Answer 38

Saiviynt Application Onboarding Workbench.

This is especially relevant for self-serve onboarding for business users and application owners.

Question 39

Why the new application onboarding in Saviynt EIC?

Answer 39

1. Less effort to onboard apps
2. Reduced time to onboard apps
3. Reduce application onboarding time by up to 90%

Question 40

Application Onboarding is via this particular Saviynt role

Answer 40

ROLE_ADMIN SAV role

Question 41

What are three types of application onboarding methods?

Answer 41

Advanced - Use this method to manually configure the enrollment of an application

Assisted - Use a wizard to define app settings.

Quick - Use of default or minimal settings, complete enrolling of the application with a single click

Question 42

What is an identity BOT?

Answer 42

An identity bot allows you to integrate Saviynt Enterprise Identity Cloud with applications that do not expose integration APIs

Identity BOT can perform a set of predefined steps to help in the rapid onboarding of such applications for automating the process of integration.

Question 43

Three application types supported for onboarding by Identity BOT

Answer 43

Command Line
Desktop
Web

Question 44

Saviynt Controls Library Feature does this

Answer 44

The Saviynt Controls Library collects suggestions for common applications & compliance requirements, including HIPAA, HiTRUST, SOX, PCI DSS, CPPA, GDPR, ISO 2000 series, and NIST.

Question 45

What two roles can provide admin privileges to Enterprise Identity Cloud

Answer 45

Role_Admin
Role_UIAdmin

Question 46

Saviynt Roles are used to define this

Answer 46

Saviynt Roles are used to define the privileges granted to users

Question 47

Benefits of Saviynt Roles

Answer 47

Persona-based access control (Sys Admin, Helpdesk, reporting manager, role owner)

Reduced administrative work and IT support

Maximized Operational Efficiency

Improved Compliance

Question 48

What are the recommended naming conventions for Custom Saviynt Roles?

Answer 48

Start with ROLE_

Use UPPERCASE characters

Question 49

What are four ways to assign Saviynt Roles to users?

Answer 49

While setting up a connector (e.g. AD Connector)

When using Technical & User update rules

Via the Access Request System (ARS) module

While setting up Job Request Management (JRM) rules

Question 50

What are some core Saviynt IGA lifecycle & functional capabilities

Answer 50

Providing rules for new users that are distinct form rules for existing users.

Enabling event-based configuration rules

Facilitating automatic revoke of access based on the lifecycle of an identity

Question 51

What are three types of rules in Saviynt?

Answer 51

Event-Based Rules (technical rules, user update rules, entitlement update rules)

Access Request-based Rules

Data Access Governance-based Rules (Scan Rules)

Question 52

What are technical rules in Saviynt?

Answer 52

Technical rules are applied to provision birthrate access to employees joining an organization.

Question 53

What are user update rules in Saviynt?

Answer 53

User update rules are for the mover and leaver scenarios. When a user moves from contractor to permanent employee, the user gets a new manager, or the user is rehire, the user update rule is triggered.

Question 54

What are entitlement update rules in Saviynt?

Answer 54

Entitlement update rules are executed when any property or attribute of an entitlement changes

Entitlement update rules are used in conjunction w/ “non-elastic analytical runtime control of preventative type”

The above phrase might refer to a feature that continuously analyzes user activity and access attempts against predefined security rules. If the analysis detects suspicious activity that violates these rules (e.g., access attempts from unusual locations, excessive privilege escalation attempts), the control mechanism takes preventative actions.

Here’s a possible scenario:

1. A user attempts to access a highly sensitive resource from an unrecognized location.
2. Saviynt’s analytical runtime control detects this attempt in real-time.
3. The non-elastic control, which might be a pre-configured rule, automatically blocks the access attempt to prevent a potential security breach.

Question 55

What are request rules in Saviynt?

Answer 55

Request rules are used when a single user, multi-user or bulk upload user requests are made from the Access Request System

Question 56

What are scan rules in Saviynt?

Answer 56

Scan rules are used to provide the capability to scan any sensitive or confidential information.

Question 57

Organization Update Rules

Answer 57

Organization Update Rules are used in conjunction with management of Organizations in Enterprise Identity Cloud

Question 58

What is the execution trail?

Answer 58

The execution trail shows you the details for rules that have been run. It contains information about the rules applied, as well as data before and after it was changed.

It also provides the ability to rerun failed rules & actions.

Question 59

What three tabs are on the execution trail page?

Answer 59

Action Trail - provides details of failed actions

Rule Trail - provides details about failed rules

Archived Rule Trail - used to view the line items archived after retrying the rule / rule action execution to successful completion

Question 60

True or false: Technical Rules can be used for zero-day access for new employees

Answer 60

True

Question 61

True of false: Technical Rules can remove birthright access automatically if a birthright condition fails anytime in the future

Answer 61

True

Question 62

What are two ways to trigger technical rules?

Answer 62

Auto-Trigger: User is created in Saviynt or imported from external sources (CSV, HRMS)

User Update Rule: A user update rule can re-run all provisioning rules and technical rules.

Question 63

Where can importing users from a HRMS be accomplished?

Answer 63

This can be done via the Job Control Panel using the drop-down option, Zero-day provisioning

Question 64

A technical rules is made up of a combination of these two parts

Answer 64

A condition (made up of user attributes) and an action.

Question 65

True or false: You can preview the data when you create technical rules, so that you have an understanding of the current users who match that rule.

Answer 65

True

Question 66

How does one create a technical rule?

Answer 66

Go to Policies -> Technical Rules. Then click Actions -> Create Technical Rule.

Question 67

List eight features of technical rules (used to assign access)

Answer 67

1. Preview data capability
2. Rule creation & modification approvals
3. Advanced query options
4. Ability to retry failed rules
5. Rule ownership & approvals Workflow
6. Delegated administration of rules
7. Auto removal of access if condition fails
8. Ability to assign access dynamically

Question 68

For technical rules, what are the birthright checkbox, and detective checkbox for?

Answer 68

The birthright check box is used if you want to evaluate a rule for newly created users.

The detective check box is used if you want to evaluate a rule for existing users.

Question 69

For technical rules, what does the advanced config slider do?

Answer 69

The advanced config slider, when turned on, allows you to write an advanced query for the condition to determine when and for who a technical rule applies.

Question 70

What are user update rules for?

Answer 70

User update rules are for the mover and leaver scenarios. When a user moves from contractor to permanent employee, the user gets a new manager, the user’s department changes, the new user is rehire, or a person is terminated, the user update rule is triggered.

Question 71

What are the two ways to trigger a user update rule?

(User update rules are for the mover and leaver scenarios)

Answer 71

1. Auto-Trigger (user is updated in Saviynt, from CSV or HRMS)
2. via Saviynt APIs

Question 72

Where do you find user update rules?

(User update rules are for the mover and leaver scenarios)

Answer 72

Go to Admin module - > Go to policies -> User update rules to see user update rules

Question 73

How do you trigger user updated rules when importing users from a CSV?

(User update rules are for the mover and leaver scenarios)

Answer 73

Go to Users -> Actions -> Upload user -> Check Rules -> Yes

Question 74

How do you trigger user updated rules when importing users from a HRMS?

(User update rules are for the mover and leaver scenarios)

Answer 74

Go to Job Control Panel -> UserImport job -> Check rules drop-down -> Yes

Question 75

List the eight features of User update rules

(User update rules are for the mover and leaver scenarios)

Answer 75

1. Deprovision account
2. Deprovision access
3. Transfer Ownership
4. Launch Microcertification
5. Trigger technical rules
6. Remove failed birthright access
7. Deprovision role
8. Enable user

Question 76

Where do you create user update rules?

(User update rules are for the mover and leaver scenarios)

Answer 76

Admin -> Policies -> User update rules -> Actions -> Create user update rule

Question 77

Where do you find roles?

Answer 77

Admin module -> Identity Repository -> Roles

Question 78

If a user’s title and manager changes, what type of rule would handle this?

Answer 78

This mover scenario is handled via a User Update Rule

Question 79

What type of rule would handle a leaver scenario, including offboarding user and transferring any possible role owndersips?

Answer 79

User update rule

Question 80

What can a user request for?

Answer 80

Applications
Roles
Emergency Roles
Emergency IDs
Group Management
Service account management

Question 81

What are the most common requests from a governance perspective?

Answer 81

Role management request & user management request

Question 82

What are the three high-level parts of an access request (assignment) flow?

Answer 82

1. End user submits the access request
2. Approver approves the request
3. The request is fulfilled in the target application

Question 83

How is fulfillment for an approved access request completed for a connected app vs a disconnected app?

Answer 83

For a connected app, the access is automatically provisioned and fulfilled through connectors.

For a disconnected app, Saviynt creates a ticket in an external ITSM, such as ServiceNow

Question 84

What are three types of access requests?

Answer 84

application requests, role requests and bulk requests

Question 85

What can an application request be for?

Answer 85

Application access requests can be for an account, entitlement or application role of an application.

Question 86

What is an enterprise role request?

Answer 86

An enterprise role request is a request for entitlements that span across multiple endpoints (target applications).

Question 87

How does one submit a new access request?

Answer 87

From the home page, click the request new access tile

Question 88

Request history tile shows you what?

Answer 88

The request history tile shows you the status of current requests. If you have permission, you can view others’ requests in addition to your own.

Question 89

Where you can see requests that have not yet been handled?

Answer 89

Click the Pending Approvals tile to see pending approvals.

Question 90

What is Saviynt’s Smart Review in the context of access requests?

Answer 90

Smart Review gives you a little bit of automation and intelligence on a request. Smart Review automatically identifies all requests that are safe and approves them.

Question 91

Where in Saviynt would you create a job to pick up all pending tasks?

Answer 91

You can create a job in the job control panel to pick up all the pending tasks. You can schedule the job to run daily, hourly, every X number of minutes, or based on a Cron expression.

Question 92

Where does a Saviynt administrator configure settings for an appliation request?

Answer 92

Admin -> Identity Repository -> Security System -> select the application.
Next assign a workflow to the application. You can have separate workflows for access being added and access being removed.

Question 93

How does one make a role requestable?

Answer 93

To make a role requestable, set the request option to something else besides “None”.

Question 94

What is a workflow?

Answer 94

A workflow is the approval/reject process through which a request flows after the request is submitted for approval to the manager or resource owner.

Question 95

What variable is used to check violations for SOX compliance Workflow(s)?

Answer 95

SOXCRITICALCOUNT

Question 96

True of false: A workflow can be reused and assigned to multiple applications.

Answer 96

True

Question 97

What are the steps in the GUI to create an new workflow?

Answer 97

Admin -> Workflows -> Workflow List -> Actions -> Create New Workflow

Question 98

When creating a new workflow, what does a workflow begin with?

Answer 98

A workflow begins with a “start” event.

Question 99

A workflow is only activated once “this” has happened.

Answer 99

A Workflow is only activated once it has been approved.

Question 100

What are two things that should be done when finished creating a workflow?

Answer 100

Click “Send for approval” when you are done constructing a workflow. You can also specify an owner for the workflow.

Question 101

What does “Workflow accepted and loaded” mean?

Answer 101

“Workflow accepted and loaded” means that the workflow is active

Question 102

What does a green check mark for a workflow mean?

Answer 102

A green check mark means a workflow is ready to use and can be assigned to applications.

Question 103

What are four disciplines that governance, risk and compliance spans?

Answer 103

Enterprise risk managment, audit management (Sarbannes Oxley testing), compliance management (e.g. GPDR, NIST), access control

Question 104

True or false: Saviynt provides convergence of IDM and GRC

Answer 104

True

Question 105

Does Saviynt provide coarse-grained or fine-grained visibility into entitlements?

Answer 105

Saviynt provides fine-grained visibility into entitlements

Question 106

Where can Saviynt’s segregation of duties (SOD) capabilities be used?

Answer 106

Saviynt’s segregation of duties (SOD) capabilities be used used in a preventative manner (e.g. before granting access), or in a detective manner (if violation already exists).

Question 107

What are three Saviynt segregation of duties (SOD) objects?
page 61

Answer 107

Functions, risks, and rulesets

Question 108

What is a ruleset in the context of Separation of Duties for Saviynt?

Answer 108

A ruleset is a list containing all the risk definitions. You can go to rulesets in the SOD module to see the predefined rulesets for various applications.

Question 109

What are the four priority levels you can set for a risk definition in Saviynt SOD rulesets?

Answer 109

You can set the priority of the risk here to low, medium, high or critical.

Question 110

What is preventative SOD analysis in Saviynt?

Answer 110

Preventative SOD analysis is a proactive process that ensures the risks defined in a ruleset are not violated or mitigated while requesting access via Saviynt.

SOD violation can be viewed by the requestor at the time of the request, and by the approver at the approval level.

Question 111

What two user interface settings settings need to be turned on for preventative SOD configuration?

Answer 111

The following two user interface settings settings need to be turned on for preventative SOD configuration for access requests:

“Show SOD in Request”
“Evaluate SODs in Access Request”

Question 112

Where does a risk and compliance team member or Saviynt admin view detected SOD violations.

Question 113

What is detective SOD analysis designed in Saviynt to do?

Answer 113

Detective SOD analysis is designed in Saviynt to identity conflicts or violations after they have occurred according to pre-defined rulesets.

• Any possibly violations can be monitored in SOD Workbench.
• Violations can be remediated by removing the conflicting access, or the violations can be accepted for a limited time by associating mitigating control

Question 114

Where can you go in the Saviynt SOD module to see the results of an SOD evaluation job?

Answer 114

In SOD module, go to SOD Violations to see the results of the SOD Evaluation job (AKA SOD Violation workbench)

Question 115

What do Smart Filters do for SOD in User Access Reviews?

Answer 115

Smart Filters allow you to quickly focus on the riskiest access for User Access Reviews. Saviynt can automatically remove revoked access.

Question 116

What can you do for a detected SOD violation if you want to accept a risk for a period of time?

Answer 116

You can select mitigating controls for detective SOD violation if you want to accept a risk for a period of time. Once the expiration date has passed, the violation is moved to an open state again.

Question 117

What are certifications in Saviynt?

Answer 117

Certification is a process by which a responsible party or certifier insures that people and resources are granted access only when absolutely required for performing a function. Certification requires a primary certifier / owner of the object.

Question 118

What are campaigns in Saviynt?

Answer 118

Campaigns allow you to group similar access reviews together in Saviynt.

Question 119

What are the three parts of a campaign lifecycle?

Answer 119

1. Preview & launch
2. Manage
3. Review Certification

Question 120

Where do you go in the interface to get to a campaign list?

Answer 120

Waffle button at top right - > Certifications -> Campaign List

Question 121

Where can you set up the defaults for campaign settings?

Answer 121

Global Configurations is the central place for managing configurations of all modules, including all default settings for campaigns.

Question 122

What does the Analytics piece of Saviynt Enterprise Identity Cloud all users to do?

Answer 122

Analytics allows users to create reports using custom queries against the Saviynt database.

Question 123

What kind of action could be available from actionable Saviynt reports?

Answer 123

You could revoke access directly from the reports page. You can map orphan accounts to specific users.

Question 124

What is data analyzer?

Answer 124

Data analyzer helps you to analyze the data stored in Saviynt Enterprise Identity Cloud. Data Analyzer accesses the database schema in read-only mode, and provides a SQL builder to write your custom SQL queries if desired. Top 100 results are displayed from the database.

Question 125

What is the Control Center?

Answer 125

The Control Center allows customers to meaningfully organize and visualize controls that are shipped, pre-packaged, or built by them. Three components of Control Center are topics, books & KPIs. KPIs can be positive or negative.