IdentityIQ-Engineer SailPoint Certified IdentityIQ Engineer Questions and Answers

The statement is true . In SailPoint IdentityIQ, it is possible to configure a role to include a set of IdentityIQ capabilities. Capabilities in IdentityIQ are permissions that grant users access to specific functionalities within the platform, such as managing identities, viewing reports, or administering roles. By associating a role with specific capabilities, you can control what actions users assigned to that role can perform within the IdentityIQ environment.

References :

SailPoint IdentityIQ Administration Guide (Role Configuration and Capabilities Section)

SailPoint IdentityIQ Configuration Guide (Sections on Roles and Capabilities)

IdentityIQ supports localization, allowing custom messages to be retrieved using SailPoint APIs within custom Java or BeanShell code. This capability is useful for creating applications that need to support multiple languages or regional formats. The SailPoint APIs provide methods to retrieve localized messages based on the current user's locale settings or other localization contexts.

Thus, the correct answer is A. Yes .

Placing a QuickLink object directly on a workflow is not a valid step in the development of a custom QuickLink. QuickLinks are used to provide users with easy access to specific tasks or workflows through the IdentityIQ interface, but the QuickLink itself is not embedded within the workflow. Instead, the QuickLink is created as a separate object and associated with the desired workflow or task that it is meant to launch.

The correct approach would involve creating a QuickLink that points to the workflow and then controlling access to the QuickLink by restricting it to a specific QuickLink population (e.g., "Managers"). Therefore, the correct answer is B. No .

Reassigning all object ownership to a user’s manager during Leaver and Termination events is a complex process that typically involves custom logic or workflows to ensure that all owned objects (like access, certifications, roles, etc.) are correctly reassigned.

The Rapid Setup interface is primarily designed for standard lifecycle management tasks, such as role assignments, account enabling/disabling, and certifications. It does not inherently support the automatic reassignment of object ownership based on lifecycle events such as Leaver and Termination events.

This kind of reassignment would typically require a custom rule or workflow to track and reassign all owned objects, which falls outside the scope of what Rapid Setup can handle directly. Therefore, the correct answer is B. No .

Syslog is not intended for querying or identifying specific objects, such as all Link objects from a particular application. Syslog is used to record events and log information related to system activities, errors, and operations. To identify all Link objects from a particular application, you would use IdentityIQ's internal search functionality or reports that allow you to filter and retrieve such objects. These tasks involve querying the database and application-specific data structures rather than examining log files.

References :

SailPoint IdentityIQ Administration Guide (Section on Objects and Searching)

SailPoint IdentityIQ Configuration Guide (Understanding Link Objects)

The "Name" configuration option is required when setting up a SCIM 2.0 application in SailPoint IdentityIQ. The "Name" field is a mandatory identifier for the application within IdentityIQ. This name is used throughout the system to reference the application and is critical for configuration, management, and integration processes. Without specifying a name, IdentityIQ cannot properly identify and interact with the SCIM 2.0 application.

References :

SailPoint IdentityIQ SCIM 2.0 Application Configuration Guide

SailPoint IdentityIQ Administration Guide (Application Setup and Naming Conventions)

A Post-Iterate rule is used in the context of data aggregation or import processes, where it runs after each record has been processed during the iteration of accounts. This type of rule is not appropriate for handling provisioning errors or creating audit records based on provisioning failures. For auditing provisioning errors, you should configure error handling in the provisioning policy or use a custom workflow that logs errors into the audit log. The Post-Iterate rule is irrelevant to provisioning tasks and error logging, making it unsuitable for this purpose. Refer to the SailPoint IdentityIQ documentation on rules and workflows for proper error handling strategies during provisioning.

The statement is incorrect. Email templates in SailPoint IdentityIQ are not restricted to just Identity object attributes or methods. They can access attributes and methods of any object passed to the template through its input arguments, including WorkItems, CertificationItems, and others. The template system allows the use of various objects’ properties as long as they are properly referenced within the script or template context.

References:

SailPoint IdentityIQ Email Templates Guide

SailPoint IdentityIQ API Reference Documentation

The Rapid Setup user interface configuration options in IdentityIQ can be used to disable an account and remove all its entitlements on a particular application during Leaver events. Rapid Setup is designed to simplify the configuration of common identity lifecycle processes, including handling leaver (termination) events. When configuring these events, you can specify actions such as disabling accounts and removing entitlements from specific applications as part of the termination process.

References :

SailPoint IdentityIQ Rapid Setup Guide

SailPoint IdentityIQ Lifecycle Manager Guide (Sections on Lifecycle Event Configuration)

Not all ManagedAttribute objects associated with an Identity are visible on the 'Attributes' tab within the 'View Identity' QuickLink. The 'Attributes' tab typically displays attributes that are specifically configured to be shown in the identity view, which might include certain managed attributes depending on how the system is configured. ManagedAttributes can represent various aspects like roles, entitlements, or even custom attributes, and their visibility on the UI depends on how the IdentityIQ instance is configured. To manage and configure visibility of attributes, consult the SailPoint IdentityIQ User Interface Customization Guide and Managed Attributes documentation.

Top of Form

Bottom of Form

Adding a new object attribute to the Application ObjectConfig in IdentityIQ is not sufficient on its own to generate the database script needed to extend Application attributes. This action updates the configuration within IdentityIQ for how the application object is managed, but it does not produce the necessary SQL scripts to modify the underlying database schema. The actual database schema must be extended using specific IdentityIQ tools and commands like iiq extendedSchema .

References :

SailPoint IdentityIQ Configuration Guide (ObjectConfig and Schema Management)

SailPoint IdentityIQ Administration Guide (Database Schema Extension)

No, the code snippet provided in the image is incorrect for including a rule library named "Common Rules Library" in a Rule. The correct syntax should reference the sailpoint.object.RuleLibrary class if the intent is to include a Rule Library, as seen in the second image. The first image incorrectly references the sailpoint.object.Rule class, which is not suitable for a rule library inclusion.

Correct Syntax (as shown in the second image):

< ReferenceRules >

< Reference class="sailpoint.object.RuleLibrary" name="Common Rules Library"/ >

< /ReferenceRules >

References :

SailPoint IdentityIQ Rule Library Documentation

SailPoint IdentityIQ Configuration Guide (Rule and Rule Library Management)

Specifying account correlation using a rule cannot be performed using the Rapid Setup application onboarding process. Rapid Setup is designed for straightforward and simplified onboarding processes with a focus on quick configuration, typically using predefined templates and options. However, advanced configurations like custom account correlation rules require more detailed setup, typically done outside of the Rapid Setup UI, involving scripting or detailed configuration within the application definition.

References :

SailPoint IdentityIQ Rapid Setup Guide

SailPoint IdentityIQ Administration Guide (Account Correlation and Application Onboarding Sections)

In SailPoint IdentityIQ, when dealing with a policy violation of the type "Role Separation of Duties (SOD) Policy," there are specific actions that the policy violation owner can take. These options typically include:

Mitigate: Applying a mitigating control to the violation.

Remediate: Addressing the violation by removing or altering access.

Accept: Acknowledging the violation without making changes, which usually requires justification.

Forward: Assigning the violation to another individual or group for resolution.

The option "Schedule Policy Composition Certification" is not a valid action for addressing a Role SOD Policy violation directly. The concept of scheduling a certification is related to periodic review processes, not immediate policy violation handling. Certification campaigns are scheduled and executed to review roles, entitlements, or policies, but this is not an action taken in response to a specific policy violation.

Thus, "Schedule Policy Composition Certification" is not an appropriate or valid option in this context, and the correct answer is B. No .

The configuration option "Comment Character" is not required when setting up a SCIM 2.0 application in SailPoint IdentityIQ. The "Comment Character" option is generally used for handling comment lines in flat files or CSV file-based connectors. Since SCIM 2.0 is a RESTful API-based protocol designed for managing identities in a standardized way, this option does not apply to SCIM 2.0 integrations. Therefore, it is not a necessary configuration when working with SCIM 2.0 applications.

References :

SailPoint IdentityIQ SCIM 2.0 Integration Guide

SailPoint IdentityIQ Application Configuration Guide (SCIM and REST API sections)

In SailPoint IdentityIQ, the concept of a "role" is fundamental to the identity governance framework. The platform supports several default role types that are pre-configured to help organizations manage access effectively. The default role types include:

Business Role: Represents a collection of entitlements necessary for a specific job function within the organization.

IT Role: Aggregates technical entitlements that are typically assigned together, often linked to specific applications or systems.

Application Role: Tied to a specific application, representing roles within that application's context.

Composite Role: A combination of other roles, either business or IT, to form a higher-level role.

The term "Entitlement Role" is not recognized as a default role type in SailPoint IdentityIQ. While entitlements can be components of roles, "Entitlement Role" itself is not a predefined role type in the platform. Therefore, the correct answer is B. No .

The statement is false . While it is true that logging and auditing require extra function calls and generate data, the suggestion that this data can be compressed to avoid storage issues and improve performance is misleading. In practice, while compression might save storage space, it does not inherently improve performance, particularly because the overhead of compression and decompression could negate the performance benefits. Effective performance management in IdentityIQ involves more nuanced approaches, such as optimizing the level of detail in logs, managing log rotation, and tuning the system for efficient I/O operations.

References :

SailPoint IdentityIQ Logging and Auditing Guide

SailPoint IdentityIQ Performance Tuning Guide

Inserting the "Managers" QuickLink population as the dynamic scope in the QuickLink object is a valid step when creating a custom QuickLink that should only be accessible by managers. QuickLink populations are used to define which users have access to specific QuickLinks based on criteria like role, department, or other attributes. By assigning the "Managers" population, only users who are members of that population will see and be able to launch the QuickLink.

Therefore, the correct answer is A. Yes .

Yes, the text on the login page of IdentityIQ is set through message keys in the message catalog. The message catalog in IdentityIQ contains localized text strings that are used throughout the user interface, including on the login page. By modifying the appropriate message keys in the catalog, you can customize the text that appears on the login page to match the organization's branding or messaging requirements.

Therefore, the correct answer is A. Yes .

The statement "The Identity object is passed to the rule" is correct. When writing source mapping rules to populate identity attributes, the Identity object is indeed passed to the rule. This allows the rule to access and modify attributes on the Identity object based on the logic defined within the rule.

Therefore, the correct answer is A. Yes .

The purpose of an IdentityIQ certification is not to attest to a user's integrity. Certifications in IdentityIQ are designed to review and verify user access rights to ensure they are appropriate based on roles, policies, and organizational rules. The focus is on access management rather than personal qualities like integrity.

References :

SailPoint IdentityIQ Certification Guide

SailPoint IdentityIQ Governance Overview

Creating a custom audit event and setting up an associated report involves steps such as defining the audit event, modifying the audit configuration, and creating a custom report using the SailPoint IdentityIQ reporting framework. Simply creating a Data Export task does not fulfill these requirements. A Data Export task is used for exporting data from IdentityIQ and is unrelated to the creation of custom audit events or custom reports. Refer to the SailPoint IdentityIQ Reporting Guide and the IdentityIQ Audit Framework documentation for more information on correctly creating and configuring custom audit events and reports.

Yes, the typical input variables for a rule are listed in the BeanShell rule editor in IdentityIQ, based on the rule registry. When you create or edit a rule in IdentityIQ using the BeanShell editor, the available input variables that are relevant to the rule type are typically pre-defined and listed based on the rule registry. These input variables provide context and data that the rule can operate on, and their availability helps guide the rule development process.

Therefore, the correct answer is A. Yes .

The proposed solution suggests changing the Email Notification Type to "Redirect to file using FTP protocol" under Global Settings > Configure IdentityIQ Settings > Mail Settings. However, IdentityIQ does not provide an option to redirect emails to a file using the FTP protocol directly through the Global Settings in the application.

Typically, to test generated emails in a non-production environment, you would change the Email Notification Type to "Redirect to File" (if the option is available) or configure an SMTP server with a different setup that captures emails in a file or a specific mailbox designed for testing purposes. The specific steps for testing email generation may vary, but the solution as stated does not align with standard IdentityIQ practices.

Thus, the correct answer is B. No .

The provided BeanShell code snippet attempts to filter and print the names of GroupDefinition objects owned by "Randy.Knight." However, the code contains a few issues that prevent it from functioning correctly as written:

Class Import : The GroupDefinition class should be imported explicitly at the beginning of the script, which is missing here.

Query Execution : The use of context.getObjectsByNumber(GroupDefinition.class, i) is incorrect. This method does not exist in this context. The correct approach would be to use context.getObjects() to retrieve the list of objects and iterate over them.

Looping Logic : The loop logic also contains a flaw. Instead of using a counter-based loop with context.getObjectsByNumber() , the recommended approach is to use context.search() to retrieve a list of filtered objects and then iterate through the results.

A corrected version of this code would look something like this:

import sailpoint.object.GroupDefinition;

import sailpoint.object.Filter;

import sailpoint.object.QueryOptions;

Filter filter = Filter.eq("owner.name", "Randy.Knight");

QueryOptions qo = new QueryOptions();

qo.addFilter(filter);

List < GroupDefinition > groupDefinitions = context.getObjects(GroupDefinition.class, qo);

for (GroupDefinition group : groupDefinitions) {

System.out.println(group.getName());

}

In this corrected version:

We explicitly import GroupDefinition .

We retrieve the filtered objects with context.getObjects(GroupDefinition.class, qo) instead of getObjectsByNumber .

Thus, the original code is not correct as written. The correct answer is B. No .

Yes, the statement is true . In SailPoint IdentityIQ, the built-in auditing options are indeed immutable, meaning they are always recorded and cannot be disabled or altered. This ensures that critical actions and changes are always logged for compliance and security purposes. However, custom audit configurations, such as additional custom audit fields or logs, can be turned on or off based on specific organizational requirements.

References :

SailPoint IdentityIQ Audit Guide

SailPoint IdentityIQ Administration Guide (Sections on Auditing and Compliance)

No, this statement is incorrect. When a wait step is encountered in a foreground workflow, it does not cause the user’s screen to freeze for the specified number of seconds. Instead, the wait step simply pauses the workflow execution for the specified duration, but this is managed in the background. The user interface remains responsive, and the end-user typically won’t notice any freezing or delays caused by the wait step itself.

References :

SailPoint IdentityIQ Workflow Guide (Section on Workflow Step Types)

SailPoint IdentityIQ Scripting and Workflow Best Practices

The statement is false . The "Run Rule" feature on the Debug-Object page is not intended for creating, modifying, or deleting SailPoint database objects. Instead, it is used to execute specific rules for testing and debugging purposes. While it allows you to test the logic of a rule by running it in isolation, it does not directly manipulate database objects. For creating, modifying, or deleting database objects, administrators would typically use the appropriate IdentityIQ APIs or database scripts.

References :

SailPoint IdentityIQ Administration Guide (Debugging and Rule Management Sections)

SailPoint IdentityIQ Developer Guide (Working with Rules and Debugging Tools)

The statement "All Identity Mappings must use a rule to set the identity attribute" is incorrect. While source mapping rules can be used to populate identity attributes dynamically, it is not mandatory for all identity mappings to rely on a rule. Identity mappings can also be configured using direct mappings, where attributes from a source are directly mapped to IdentityIQ attributes without any rule-based logic.

Therefore, the correct answer is B. No .

When setting up a new IdentityIQ test environment, it is important to assess the needs of the customer, including whether they would benefit from using a deployment accelerator.

Deployment accelerators are pre-configured sets of rules, policies, and workflows that can significantly reduce the time and effort required to deploy IdentityIQ in a test or production environment. These accelerators are particularly useful for rapidly setting up environments that align with common industry practices or specific compliance requirements.

Asking the customer whether they need a deployment accelerator is a valid and important question during the initial setup phase, as it helps to determine the best approach to configuring the test environment efficiently. Therefore, the correct answer is A. Yes .

No, the Provisioning tab under the "Administrator Console" is not used to map the associated WorkflowCase to a particular Provisioning Transaction . The Provisioning tab is primarily for monitoring and managing provisioning operations, not for mapping workflow cases to transactions. Such mappings are typically handled within the workflow configuration itself, not through the Provisioning tab.

References :

SailPoint IdentityIQ Workflow Guide (Handling Workflow and Provisioning Transactions)

SailPoint IdentityIQ Administration Guide (Provisioning Tab Limitations)

In SailPoint IdentityIQ, a Workgroup can indeed be used to provide a group of users with specific capabilities. Workgroups are collections of users that can be assigned roles, tasks, and permissions. By associating capabilities with a Workgroup, all members of that Workgroup will inherit the capabilities defined.

This feature is commonly used to manage teams or departments that need to share specific privileges, such as the ability to approve access requests or manage certifications. Configuring capabilities for a Workgroup is a standard practice within IdentityIQ to simplify permission management and ensure consistent access control across the group.

Therefore, the correct answer is A. Yes .

The workflow transition condition shown in the image is Transition to="Approve" when="identityName != null" . This condition checks whether the identityName variable is not null . In the provided scenario, the identityName variable has a value of "Catherine.Simmons," which is clearly not null . Therefore, the condition for transitioning to the "Approve" step will evaluate as true , meaning the workflow will indeed continue to the "Approve" step.

However, it seems like the question might be worded incorrectly as it asks if the workflow will continue to the "Approve" step when it actually will. If this was an error and the intention was to determine if it should not continue, the answer would have been "No." But based on the logic, the workflow will continue to the "Approve" step.

References :

SailPoint IdentityIQ Workflow Documentation

SailPoint IdentityIQ Scripting Guide (Conditions and Transitions in Workflows)