Self-Assessment 8.2 Flashcards

1
Q

Which is NOT a valid method for creating Identity Cubes?

A. Bulk import
B. LCM Create Identity
C. By running aggregation tasks to read user accounts from applications that are systems of record
D. Through the Identity Warehouse

A

D. Through the Identity Warehouse

2
Q

What is the Identity Warehouse Page?

A

The Identities table contains basic user information for every identity discovered during the latest aggregation process. Identities can include non-human identities, such as service accounts and bot identities, as well as users.

3
Q

What is the LCM Create Identity?

A

Some implementations have the requirement to create new Identities directly in IdentityIQ. One way to create them is by using the Create Identity Quicklink. You can use this Quicklink without a provisioning policy, or you can define a policy that will help your end users define the choices that are made when creating Identities in the system.

4
Q

When you add extended attributes that are not marked searchable to IdentityIQ, where are these new attributes stored by default?

A. In the application server
B. In a CLOB
C. The WEB-INF directory
D. Their own column in the database

A

B. In a CLOB

5
Q

What is CLOB?

A

(Character Large Object): This is a database data type designed to store large amounts of text data, up to 4 gigabytes in size.

6
Q

What important files are stored under the /WEB-INF directory?

A

  • Function: A special subdirectory within a web application that’s not directly accessible through a web browser.
  • Purpose: Houses sensitive configuration files, Java class files, and libraries that are crucial for the application’s internal workings.
  • Key Contents: School (Classes, libraries, web)
    • classes: Contains compiled Java class files that implement the application’s core logic.
    • lib: Stores JAR files (libraries) that the application depends on for additional functionality.
    • web.xml: The central configuration file for the web application, defining servlet mappings, security settings, and other parameters.

7
Q

What important files are stored under the /identityiq directory?

A

  • Function: Contains the deployed SailPoint IdentityIQ web application.
  • Contents: Holds the various files and resources that make up the IdentityIQ application, including:
    JWCS
    • Webpages (HTML, JSP, etc.)
    • Java servlets
    • Configuration files
    • Static assets (images, CSS, JavaScript)

8
Q

What important files are stored under the /webapps directory?

A

  • Function: A standard subdirectory within Tomcat that houses deployed web applications.
  • Structure: Each web application is typically contained within its own individual directory, like “identityiq” in this case.

9
Q

What important files are stored under the /tomcat directory?

A

  • Function: Denotes the root directory of the Apache Tomcat installation, a popular open-source web server and servlet container.
  • Role: Tomcat is responsible for receiving and processing web requests, executing Java servlets and JSPs, and serving dynamic web content.
  • Key Files: Contains essential configuration files like server.xml, web.xml, and context.xml, along with logs and temporary files.

10
Q

What does the “-clean” option do when exporting Objects?

A. It creates an empty object of the type being exported.
B. It removes the GUID and creation/modification dates from the Object being exported.
C. It removes the Object completely from the existing IdentityIQ database in preparation for loading it into the next database.
D. It deletes all passwords from the exported object.

A

B. It removes the GUID and creation/modification dates from the Object being exported.

11
Q

Command to export all applications from IdentityIQ to a file on the Desktop called apps.xml, with the clean option.

A

export -clean /home/spadmin/Desktop/apps.xml application

12
Q

A provisioning plan is passed to a workflow to start the provisioning process. What is included in a provisioning plan?

A. One or more requests for multiple identities.
B. One request for multiple identities.
C. One or more requests for one identity.
D. A set of provisioning policies.

A

C. One or more requests for one identity.

13
Q

You have to use a separate provisioning plan for each identity.

True or False?

A

True

14
Q

Rapid Setup Joiner configuration defines the operations that are launched when a user joins a new group within your organization, such as department transfer.

True or False?

A

False - This is a mover

15
Q

Which of these options defines how the account attributes within a provisioning plan are populated?

A. Build Map Rule
B. Provisioning policies
C. Policy definitions
D. Application schemas

A

B. Provisioning policies

16
Q

What do provisioning policies in an application configuration do?

A

Defines the set of attributes that are needed to complete a provisioning request, whether that request is to create an account, modify an account, add a role to an identity, etc.

17
Q

You can use the Edit Identity Quicklink to modify an identity’s attributes and trigger attributes synchronization to other applications.

True or False

A

True

This is only true for attributes that are set to “editable”. Otherwise, you won’t have the option to change it (greyed out).

18
Q

If an attribute is set to temporary and you change it in IdentityIQ, what happens the next time if the source has a different value than what is in IdentityIQ?

A

It will be overwritten by whatever value is listed in the source application.

19
Q

If a provisioning policy has not been defined, what settings are used and where are they defined?

A

If a provisioning policy has not been defined, the fields default to what is defined in the Identity Configuration Object, which can be viewed or edited in the Debug pages.

20
Q

In the standard IdentityIQ access request workflow (LCM Provisioning), the default approver is the owner.

True or False.

A

True

21
Q

When implementing policies, a best practice is to set the _____________ option to preview what impact they will have on the system.

A. Inactive State
B. Simulate
C. Check active policies
D. Capabilities

A

C. Check active policies

22
Q

Check active policies options:
Keep previous violations

A

Keeps all existing violations, even if they are found to be resolved or do not match any active policy.

23
Q

Check active policies options:
A comma separated list of policy names

A

Entering a list of policies in this field means the task will check only the listed policies that are active; blank means check all active policies. Inactive policies are not checked.

24
Q

When a serious system error occurs, and an incident code is displayed, where would an admin user go to see details of the error?

A. My Work –> Work Items
B. Setup –> Lifecycle Events
C. Java Standard Out Log
D. Intelligence –> Advanced Analytics –> Syslog Search

A

D. Intelligence –> Advanced Analytics –> Syslog Search

25
Q

When you implement with Rapid Setup, the Rapid Setup Joiner, Mover, and Leaver configurations still require you to write the workflow to execute the process.

True or False.

A

True

26
Q

Certification Events can be automatically triggered by a wide range of data changes within IdentityIQ, such as manager change.

True or False.

A

True

27
Q

Sets of identities in IdentityIQ can be used for a number of purposes, and each is created in a different way. Select all statements that are correct.

A. Populations are used to control or filter which cubes are being processed (i.e. limit a refresh task to a set of identities). The set of identities is based on a saved search.
B. Workgroups are used to control or filter which cubes are being processed (i.e. limit a refresh task to a set of identities). The sets of identities are based on a single attribute.
C. Populations are used to assign IdentityIQ responsibilities (i.e. ownership of an application) to a set of identities. Membership is assigned manually or through rules.
D. Groups are used to control or filter which cubes are being processed (i.e. filter a report on a set of identities). The sets of identities are based on a single attribute.
E. Groups are used to assign IdentityIQ responsibilities (i.e. ownership of an application) to a set of identities. Membership is assigned manually or through rules.
F. Workgroups are used to assign IdentityIQ responsibilities (i.e. ownership of an application) to a set of identities. Membership is assigned manually or through rules.

A

A. Populations are used to control or filter which cubes are being processed (i.e. limit a refresh task to a set of identities). The set of identities is based on a saved search.
F. Workgroups are used to assign IdentityIQ responsibilities (i.e. ownership of an application) to a set of identities. Membership is assigned manually or through rules.

28
Q

What is a capability in IdentityIQ?

A. The rights a user has within IdentityIQ
B. The responsibilities the user has within the organization (for example, accounting)
C. What a user can do within the HR system from which IdentityIQ aggregates authoritative accounts
D. Quicklinks a user has access to and how the Quicklink is configured

A

A. The rights a user has within IdentityIQ

29
Q

How can capabilities be assigned?

A

  • Directly under user right tab
  • Identity assigned to workgroups that have capabilities assigned to the workgroup
  • Quicklink Populations can have capabilities assigned to them
  • Certifications

30
Q

What is the difference between a task and a workflow?

A. A task performs batch processing and it can be scheduled; a workflow can interact with a user and is typically activated in response to a user action or data change.
B. A task can interact with a user and is typically activated in response to a user action or data change; a workflow performs batch processing, and it can be scheduled.
C. They can be used interchangeably, but a task is pre-compiled, and a workflow is interpreted.

A

A. A task performs batch processing and it can be scheduled; a workflow can interact with a user and is typically activated in response to a user action or data change.

31
Q

Having multiple tabs open when working with tasks can cause problems.

True or False

A

True

32
Q

What is a task?

A

Tasks are used to automate the processes which build, update, and maintain the information in IdentityIQ. Tasks perform periodic operations such as aggregating data from applications, refreshing Identity Cubes to update entitlements and roles, running rules, performing system maintenance, and more.

33
Q

What is a Workflow?

A

A Business Process/workflow is a sequence of operations or steps that are launched to perform work.

34
Q

Name out of the box workflows/Business processes.

A

RAIIIDDA
  • Role creation or modification
  • Account Group creation or modification
  • Identity update
  • Identity refresh
  • Identity correlation
  • Deferred role assignment, de-assignment
  • Deferred role activation, deactivation
  • Any Lifecycle Manager event

35
Q

___________ define which account attributes to read from an application when aggregating accounts with IdentityIQ.

A. Connectors
B. Delimited files
C. Account schemas
D. Group schemas

A

C. Account schemas

36
Q

What is an account schema?

A

Defines which data about accounts to read from the target application and identifies the accounts you want to manage.

37
Q

What must be designated in all account schemas?

A

Identity Attribute, which is the unique identifier for the account on the source.

38
Q

What are Group Schemas?

A

For many applications, account entitlements are memberships in groups. Many connectors also support the use of group schemas, allowing the application to aggregate additional details about the group structures from the target system.

39
Q

Through Rapid Setup, you can configure, per application, whether the application's entitlements are created in the Entitlement Catalog as requestable or not.

True or False

A

True

Create Entitlements That Cannot Be Requested: Enabled/Disabled

40
Q

When you view a user's record (identity cube) you can see how a user acquired a role. In the default role model, what is the difference between assigned and detected?

A. Assigned means that the role is an IT role and that this user was given that role by someone or through a rule; detected means the role is a business role and IdentityIQ recognized that the user has the access defined in the role.
B. Assigned means that the role is an IT role and this user was assigned the role through the authoritative source; detected means that the role is a business role that was requested through Lifecycle Manager.
C. Assigned means that the role is a business role and that this user was given that role by someone or through a rule; detected means the role is an IT role and IdentityIQ recognized that the user has the access defined in the role.
D. Assigned means that the role is a business role and this user was assigned the role through the authoritative source; detected means that the role is an IT role that was requested through Lifecycle Manager.

A

C. Assigned means that the role is a business role and that this user was given that role by someone or through a rule; detected means the role is an IT role and IdentityIQ recognized that the user has the access defined in the role.

41
Q

What Identity Refresh option is needed to detect roles?

A

The "Refresh assigned, detected roles and promote additional entitlements" option is selected.

42
Q

Lifecycle Events can be created based on native changes. What is a native change?

A. A change detected in identity attributes
B. A change detected during application aggregation
C. A change detected stemming from a rule

A

B. A change detected during application aggregation

Footnote: Native change detection is enabled on each application separately.

43
Q

Which connector requires a provisioning rule to be written when provisioning to applications of this type?

A. JDBC
B. Delimited File
C. LDAP
D. Active Directory

A

A. JDBC

44
Q

Entitlements and groups that are included in the Entitlement Catalog have many uses within IdentityIQ. Which one of the following is NOT a use of items in the Entitlement Catalog?

A. Available for defining risk
B. Requestable through Lifecycle Manager
C. Available for defining policies
D. Available as group factories
E. Available to include in roles

A

D. Available as group factories

45
Q

Why might someone using IdentityIQ to aggregate accounts set the option "Disable optimization of unchanged accounts = true" on application aggregation tasks?

A. It is never a good idea to disable the built-in native aggregation optimization.
B. It is a best practice for production systems if IdentityIQ aggregation performance is not a concern.
C. It is a best practice during the development phase, because it allows the developer to test the changes made to how the data is being processed.

A

C. It is a best practice during the development phase, because it allows the developer to test the changes made to how the data is being processed.

46
Q

From the Administrator console, you can view details for a failed provisioning attempt and send a manual work item to complete the request.

True or False

A

True

Footnote: The administrator can view failed transactions on the All and Failure pages. To reprocess a failed transaction through a manual work item, click Override in the Actions column.

47
Q

Which of the following log levels will provide the most detailed information?

A. Warn
B. Trace
C. Info
D. Error
E. Debug

A

B. Trace

Order (O FEW IDT): Off, Fatal, Error, Warn, Info, Debug, Trace

48
Q

In the aggregation/refresh process, lifecycle events can be launched when a data change is detected during aggregation. Which option on the refresh task causes the refresh to trigger the lifecycle event workflows?

A. Refresh assigned, detected roles and promote additional entitlements
B. Provision assignments
C. Process events
D. Refresh identity attributes
E. Check active policies

A

C. Process events

49
Q

Identity Refresh option, what does this option do?
Refresh assigned and detected roles and promote additional entitlements

A

Update any assigned or detected role assignments that have changed since the last time this task was run. Any additional entitlements found in this refresh are promoted during this task.

50
Q

Identity Refresh option, what does this option do?
Provision assignments

A

Provision any assigned roles and entitlements detected since the last time this task was run.

51
Q

Identity Refresh option, what does this option do?
Check active policies

A

Scan for active policies and apply those policies to the identities included in the task.

52
Q

Identity Refresh option, what does this option do?
Process Events

A

Enables event certifications and uses the snapshots created during aggregation to approximate the previous state of the identities at the beginning of the refresh.

Footnote: This copied identity is compared to the updated identity to determine if event certifications are launched.

53
Q

Once a workflow has been launched, what is the name of the Object that represents the execution of the workflow?

A. IUConfig
B. Workflow
C. SailPoint context
D. WorkflowCase

A

D. WorkflowCase

54
Q

What is a Workflow?

A

Defines the workflow structure and steps involved in the workflow processing.

55
Q

What is a WorkflowCase?

A

Represents a workflow in progress. Contains a workflow element in which the process is put lines and current state data is tracked. Contains identifying information about the workflow target object.

56
Q

What is a WorkflowContext?

A

Tracks launchtime information the Workflower maintains as it advances through a workflow case. Passed into rules and scripts and to the registered WorkflowHandler. Contains all the workflow variables, step arguments, current step or approval, workflow definition, libraries, and WorkflowCase.

57
Q

What is the TaskResult?

A

Records the completion status of a task, or in this case, the workflow. Contained within the WorkflowCase.

58
Q

There are five important tasks that are shipped pre-scheduled in IdentityIQ. Which task advances certifications through their phases and restarts backgrounded workflows?

A. Perform maintenance
B. Check sunset requests for notifications daily
C. Perform Identity Request Maintenance
D. Check expired work items daily
E. Check expired mitigations daily

A

A. Perform maintenance

Footnote: Default runs every 5 minutes

59
Q

There are five important tasks that are shipped pre-scheduled in IdentityIQ. Which task scans for Policy and Certification Exceptions that have expired?

A. Perform maintenance
B. Check sunset requests for notifications daily
C. Perform Identity Request Maintenance
D. Check expired work items daily
E. Check expired mitigations daily

A

E. Check expired mitigations daily

Footnote: Daily

60
Q

There are five important tasks that are shipped pre-scheduled in IdentityIQ. Which task controls timing of email notifications and sunset reminders of expiring items?

A. Perform maintenance
B. Check sunset requests for notifications daily
C. Perform Identity Request Maintenance
D. Check expired work items daily
E. Check expired mitigations daily

A

B. Check sunset requests for notifications daily

Footnote: Daily

61
Q

There are five important tasks that are shipped pre-scheduled in IdentityIQ. Which task scans for incomplete work items that have expired?

A. Perform maintenance
B. Check sunset requests for notifications daily
C. Perform Identity Request Maintenance
D. Check expired work items daily
E. Check expired mitigations daily

A

D. Check expired work items daily

Footnote: Daily

62
Q

There are five important tasks that are shipped pre-scheduled in IdentityIQ. Which task checks for provisioning completeness?

A. Perform maintenance
B. Check sunset requests for notifications daily
C. Perform Identity Request Maintenance
D. Check expired work items daily
E. Check expired mitigations daily

A

C. Perform Identity Request Maintenance

63
Q

What is the minimum process to fully promote entitlements on the identity cube, for example, to include entitlements in certifications?

A. Mark the schema attribute for that entitlement as "Entitlement", aggregate the application, and refresh the Identity cubes.
B. Mark the schema attribute for that entitlement as "Managed" and aggregate the application.
C. Mark the schema attribute for that entitlement as "Managed", aggregate the application, and refresh the Identity cubes.
D. Mark the schema attribute for that entitlement as "Entitlement" and aggregate the application.

A

C. Mark the schema attribute for that entitlement as "Managed", aggregate the application, and refresh the Identity cubes.

Footnote: Once all aggregations are complete, an identity refresh is required to complete processing of the identity data. Though aggregations result in entitlement attributes appearing on the Identity Cube Application Accounts and Entitlements tabs, one more step (a refresh) is required to fully promote entitlements and make them usable by other processes, such as certification.

64
Q

Properties of Attributes in Account and Group Schemas: Entitlement

A

Marking an attribute as an entitlement indicates that this is an access right you want to track for your identities (for example, to use in certifications). If you want this attribute to be able to be requested, to have an owner, and to have a description and display name, you must also mark it as Managed.

65
Q

Properties of Attributes in Account and Group Schemas: Managed

A

Attributes designated as Managed can be viewed and managed from the Entitlement Catalog page. Managed attributes can be made requestable, can be assigned an owner (for approvals or entitlement certifications), and can have display names and descriptions that will help users identify and understand them. They can also be used in policies and risk calculations.

Footnote: When you do a group aggregation, all groups read from the aggregation are automatically included in the entitlement catalog as managed attributes.

66
Q

Properties of Attributes in Account and Group Schemas: Multi-valued

A

For some attributes, multiple values might be returned during aggregation (for example, an attribute indicating group membership).

Footnote: Values for attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-value attribute are stored as a single-item list.

67
Q

The only users who can track an access request are the requesters themselves.

True or False

A

False