IdentityNow-Engineer SailPoint Certified IdentityNow Engineer Questions and Answers

No, a user with Report-admin level permissions cannot view a live display of events in progress. The Report-admin role is primarily concerned with reporting functions, such as viewing and managing reports. Viewing live events, especially operational or real-time system events, would require higher-level permissions, typically associated with System Admin or Operations Admin roles, which have access to system dashboards, monitoring tools, and event logs.

References:

SailPoint IdentityNow Role-Based Access Control (RBAC) Documentation.

SailPoint IdentityNow Monitoring and Event Logging Permissions Guide.

The configuration provided is not valid due to an error in the server specification for Domain B . The server for Domain B (domainb.com) is incorrectly set to server.domaina.com , which is not correct. Each domain in the Active Directory (AD) forest should have its own respective server. For Domain B, the correct server should be something like server.domainb.com , assuming that there are distinct domain controllers for each domain.

Additionally, the search DN for Domain A appears to be valid as it correctly filters for employees with (employeeType=employee). The search DN for Domain B seems to be partially correct, as it targets the OU=Contingent Workers , but the issue lies with the incorrect server assignment.

Key Reference from SailPoint Documentation:

Active Directory Configuration: Each domain in a forest should be connected to its respective server, and incorrect server assignments between domains can cause LDAP search and synchronization issues. Proper domain controller assignment for both domaina.com and domainb.com is required.

No, deleting the access profile is not the correct way to meet the requirement of removing approval for access requests. The access profile defines the entitlements and permissions that users can request for an application. Deleting it would remove the entire ability to request access, rather than just removing the approval workflow. The correct step would be to modify the approval settings in the access profile (as explained in Question 44), not to delete it.

Key Reference from SailPoint Documentation:

Access Profile Management: Modifying approval settings in the access profile is the appropriate step to meet management ' s new requirement, not deleting the profile itself.

Reviewing the Identities without Managers report is not directly related to troubleshooting incomplete identities on an authoritative source. The " Identities without Managers " report is specifically useful for identifying identities that are missing a manager assignment, which might be relevant for access reviews or other management-related tasks. However, when troubleshooting incomplete identities, the focus is typically on missing attributes or data mappings, not the manager attribute specifically.

Therefore, this report is not the most appropriate action for this particular issue.

References:

SailPoint IdentityNow Reporting and Identity Data Review Documentation.

SailPoint IdentityNow Troubleshooting Incomplete Identities.

IQService does not run on the Virtual Appliance (VA). It is a separate service that must be installed on a Windows Server within the environment that has access to the target system, particularly for Active Directory and other Windows-based systems. IQService acts as a proxy between the IdentityNow tenant and these target systems, allowing operations such as password management and account provisioning to be executed on systems that do not support native connectors on the VA. It communicates with the VA but is not hosted on it.

References:

SailPoint IdentityNow IQService Installation Guide.

SailPoint IdentityNow Target Connector Architecture.

Yes, using a query select statement with a clause to match the incoming account to an existing account is a key configuration for the Single Account SQL Query in a JDBC connector. This query is used to fetch specific account details from the database and must be written in such a way that it uniquely identifies each account, ensuring accurate correlation between the data in the source and the identities in IdentityNow. Properly configuring this SQL query ensures the right accounts are matched and managed.

References:

SailPoint IdentityNow JDBC Connector Single Account Query Configuration Guide.

SailPoint IdentityNow SQL Query Best Practices Documentation.

Passthrough authentication in SailPoint IdentityNow refers to a method where the authentication process happens through a trusted identity provider (IdP), rather than using credentials stored directly in SailPoint IdentityNow. The key feature of passthrough authentication is that the user ' s login attempt is authenticated via external authentication mechanisms such as Active Directory, SAML-based Identity Providers (IdPs), or other federated identity providers.

In the given use case, the user is logging into IdentityNow using a password set directly in IdentityNow during registration. This process describes local authentication (where IdentityNow manages the credentials), not passthrough authentication. Since passthrough authentication relies on external IdPs or federated systems, this case does not accurately describe passthrough authentication.

References:

SailPoint IdentityNow Documentation on Authentication Methods.

SailPoint IdentityNow Federation and SSO Configuration Guides.

No, the search syntax @accounts( source.name: " AD " AND disabled:true ) is incorrect for SailPoint IdentityNow because the attribute disabled may not be universally recognized or applicable for all sources in the system. Using the state: " disabled " condition (as in previous correct answers) is a more reliable and system-compliant approach to find disabled accounts.

Key Reference from SailPoint Documentation:

Standard Account State Search: The correct search syntax involves using state: " disabled " instead of disabled:true for querying disabled accounts.

Yes, an access profile can be acknowledged during certifications. During access certification campaigns, reviewers can review access profiles as part of the items that need to be certified. They can either approve or revoke access to the access profiles, just like they would with individual entitlements. This ensures that users ' access to these bundled entitlements is regularly reviewed and compliant with organizational policies.

References:

SailPoint IdentityNow Certification Campaigns Guide.

SailPoint IdentityNow Access Profile Certification Documentation.

No, an access profile does not directly reference roles to provide access. Instead, access profiles are collections of entitlements or permissions that are bundled together to simplify access provisioning. Access profiles can be associated with roles, but they do not reference roles directly. Roles in IdentityNow define broader sets of permissions, which may include access profiles, but access profiles themselves are not tied directly to roles.

References:

SailPoint IdentityNow Access Profiles Documentation.

SailPoint IdentityNow Roles and Access Profiles Configuration Guide.

No, the provided steps are not correct. The sequence of actions is misplaced:

Step 1: Before clicking " Test Connection, " you need to download or procure the VA image and import it into the virtualization platform.

Step 6: After logging in and changing the password, the next step is to configure the networking settings, not downloading the image again.

Step 12: After uploading the config.yaml, you should proceed with testing the connection to ensure the VA is correctly configured and can communicate with IdentityNow.

Corrected Steps:

Download / procure the VA image .

Configure networking configurations (as needed) .

Click Test Connection on the VA configuration .

References:

SailPoint IdentityNow Virtual Appliance Installation and Configuration Guide.

SailPoint IdentityNow Virtual Appliance Test Connection Documentation.

No, custom connectors are not developed and compiled inside IdentityNow . Custom connectors are typically developed outside of the IdentityNow platform using a development environment and then tested and packaged before being uploaded to the platform. These connectors can be developed using tools provided by SailPoint, but the actual development process occurs externally, not directly within the IdentityNow environment.

Key Reference from SailPoint Documentation:

Custom Connector Development: Custom connectors are developed outside of the IdentityNow platform and then integrated into it for use.

In SailPoint IdentityNow, provisioning is the process of granting or revoking access to systems and applications based on access requests or changes in user identity attributes. The scenario describes John Doe requesting access to the " Sales " profile in Salesforce, which is approved by his manager.

However, simply approving an access request does not automatically trigger provisioning unless specific conditions are met:

Provisioning Policy: For the access to be provisioned, SailPoint IdentityNow requires a provisioning policy that defines the action to be taken after the approval process. This policy is often configured to specify whether access should be granted or denied after approval. If no provisioning policy is linked to the requested access, no action will be triggered.

Source Configuration: The Salesforce source (connector) in SailPoint IdentityNow must also be properly configured to handle provisioning tasks. Without proper configuration of the Salesforce source, no provisioning action will be sent even if the request is approved.

Manual Provisioning Workflow: In some cases, IdentityNow might be configured to require manual intervention after approval (e.g., triggering a manual provisioning workflow or an additional step) to enforce the provisioning action. If this configuration is missing, the approved request will not lead to automatic provisioning.

Since the scenario does not explicitly state that a provisioning policy or source configuration exists to handle the access request, the correct conclusion is that no provisioning would be sent out.

Key Reference from SailPoint Documentation:

Provisioning Concepts in IdentityNow: Documentation emphasizes that provisioning is triggered by defined workflows and provisioning policies that link the request to the connector source. Without these, the approval does not lead to actual provisioning.

Yes, when using the AWS deployment option, SailPoint shares an Amazon Machine Image (AMI) with the customer’s AWS account in the selected region. This AMI contains the pre-configured Virtual Appliance (VA) image that the customer can use to deploy within their own AWS environment, simplifying the deployment process and ensuring compatibility with AWS services.

Key Reference from SailPoint Documentation:

AWS AMI for VA Deployment: SailPoint provides a dedicated AMI that is shared with customers in their chosen AWS region to facilitate the deployment of the Virtual Appliance.

In SailPoint IdentityNow, email notifications related to source events (such as successful connections or other operational states) are not automatically sent immediately after a successful source connection. The system focuses on error conditions or alerts based on source status changes or failures. While successful source operations may be logged, notifications are not configured by default to trigger upon every successful action.

Key Reference from SailPoint Documentation:

Source Event Notifications: SailPoint ' s notifications for source-related events primarily focus on error handling rather than successful operations, which are generally logged for reference but do not trigger immediate notifications.

The default non-production tenant does not have the same full performance scalability as a production tenant. Non-production environments are typically configured with reduced resources since they are intended for testing, development, or demonstration rather than handling large-scale, live workloads.

Key Reference from SailPoint Documentation:

Performance Differences Between Tenants: SailPoint non-production tenants are generally scaled down compared to production environments to reflect their testing and demonstration purposes, not for high-performance or large-scale operations.

Yes, search-based certification campaigns can be leveraged to target specific access held by users. This allows administrators to create highly focused certification campaigns by searching for specific attributes, entitlements, or roles within the system. These campaigns enable targeted access reviews, ensuring that particular access rights, such as high-risk entitlements, are regularly reviewed and certified by the appropriate stakeholders.

References:

SailPoint IdentityNow Search-Based Certification Campaign Documentation.

SailPoint IdentityNow Access Review and Targeted Certification Guides.

No, verifying that the VA is configured for automatic updates by setting autoupdate=true in the config.yaml file is not directly related to troubleshooting a failed status on the VA. While keeping the VA updated is important for long-term stability and functionality, the configuration for automatic updates does not resolve immediate connection or service failure issues. The troubleshooting focus should be on network connectivity, service status, and log reviews.

Key Reference from SailPoint Documentation:

VA Autoupdate Configuration: Configuring the VA for automatic updates is a best practice for maintaining up-to-date software but is not a direct troubleshooting step for addressing an immediate VA failure.

Yes, the Virtual Appliances (VAs) should reside in C , which represents the on-premise network. In this scenario, the engineer has an Active Directory, a database server, and cloud applications. The VA needs to reside inside the internal on-premises network (C) to securely communicate with the Active Directory and database server. The VA will manage the secure connection to these internal resources and can also interact with cloud applications via SailPoint IdentityNow.

Key Reference from SailPoint Documentation:

VA Deployment in On-Prem Network: SailPoint advises deploying Virtual Appliances within the internal on-premises network where they can securely access identity sources like Active Directory and internal databases.

A non-production tenant is commonly used for demonstrating functionality, as well as for testing and development purposes. In a SailPoint IdentityNow environment, non-production tenants provide a sandbox environment where customers and engineers can safely explore the system, simulate use cases, and demonstrate functionality without impacting the live production environment.

Key Reference from SailPoint Documentation:

Non-Production Tenant Usage: SailPoint recommends non-production tenants for testing, demonstrating functionality, and conducting proofs of concept, ensuring that the production environment remains unaffected.

Yes, search-based certification campaigns can be used to review access for non-correlated accounts . Non-correlated accounts are accounts that do not have a direct link to any identity in the system, which means they may represent orphaned or unmanaged accounts. Search-based certifications allow administrators to create campaigns based on specific criteria, including targeting these non-correlated accounts to ensure they are properly reviewed and addressed within the organization.

References:

SailPoint IdentityNow Search-Based Certification Campaign Guide.

SailPoint IdentityNow Non-Correlated Account Management Documentation.

Certifications are not assigned to the reviewer when the campaign status is " Preview Ready. " The " Preview Ready " status indicates that the campaign is prepared for review by administrators, and the certification details can be previewed before launching the campaign. However, the certifications are only assigned to the reviewers once the campaign is in the " Active " status, which signifies the start of the certification process. At this point, reviewers can access the certifications assigned to them.

References:

SailPoint IdentityNow Certification Campaign Lifecycle Guide.

SailPoint IdentityNow Certification Campaign Status Documentation.

No, this example does not accurately describe an IdentityNow data flow. The step where the domain controller sends a list of accounts directly to the virtual appliance is incorrect. Instead, during manual aggregation, the virtual appliance is responsible for initiating the connection to the domain controller (or other authoritative source), retrieving account data, and then sending the results to the IdentityNow tenant. Sensitive information is masked before sending the data from the virtual appliance to the IdentityNow tenant, but the domain controller does not interact directly with the IdentityNow tenant.

References:

SailPoint IdentityNow Aggregation Process Documentation.

SailPoint IdentityNow Virtual Appliance Data Flow Guide.

In this scenario, the Virtual Appliances (VAs) should not reside in the DMZ (B) , which is typically used for hosting services that need to be exposed to both internal and external networks, like web servers or email gateways. However, VAs require more direct and secure access to internal resources like Active Directory and databases. The VA needs to reside where it has secure and reliable connectivity to internal resources like Active Directory and database servers, which would be in the internal network.

Key Reference from SailPoint Documentation:

VA Placement Guidance: Virtual Appliances are placed within the internal network, where they can securely connect to Active Directory, databases, and other internal applications for synchronization and provisioning tasks.

Yes, checking that the port values configured on the source in SailPoint IdentityNow are correct and accessible is an essential troubleshooting step. A timeout error can occur if the virtual appliance (VA) cannot reach the source due to incorrect port configuration or network issues blocking communication. Verifying the correct port numbers and ensuring that the necessary ports are open on both the VA and the source ' s firewall is critical.

Key Reference from SailPoint Documentation:

Port Configuration for Source Connectivity: Ensuring that the proper port values are configured and accessible is one of the primary troubleshooting steps when facing timeout errors in IdentityNow.

Yes, the file /etc/systemd/network/static.network (or a similarly named file depending on the Linux distribution used by the Virtual Appliance) is typically used to configure a static IP address for the VA. This file is part of the systemd network configuration, and modifying it allows you to specify static IP settings, such as the IP address, netmask, gateway, and DNS servers, for the Virtual Appliance ' s network interface.

To set a static IP address, you would need to modify this file and restart the network service for the changes to take effect.

References:

SailPoint IdentityNow Virtual Appliance Network Configuration Guide.

Linux systemd Network Configuration Documentation.

No, selecting a checkbox to use the database admin as the service account is not a recommended or required configuration when implementing a source that uses a JDBC connector. Typically, for security and least privilege, a dedicated service account with only the necessary permissions to read and manage identities within the database is used. Granting database administrator (DBA) privileges to the service account introduces unnecessary security risks and is against best practices.

References:

SailPoint IdentityNow JDBC Connector Configuration Guide.

SailPoint IdentityNow Best Practices for Service Accounts Documentation.

Yes, downloading the accounts data CSV from the Accounts tab on the authoritative source is a reasonable action for troubleshooting incomplete identities. This CSV file contains detailed account information pulled from the authoritative source, allowing the engineer to manually inspect the raw data and identify any discrepancies or missing attributes that could lead to incomplete identities. This is a useful step in verifying the accuracy and completeness of the data being aggregated from the authoritative source.

References:

SailPoint IdentityNow Source Account Data Inspection and CSV Export Documentation.

SailPoint IdentityNow Identity Data Troubleshooting Guide.

Live access reviews, which involve reviewing and certifying user access to various resources, should be performed in a production environment. This is because access reviews are directly related to active identities and entitlements in a live system, ensuring compliance and security in real-time operations.

Key Reference from SailPoint Documentation:

Access Reviews in Production: SailPoint recommends conducting live access reviews in production environments to ensure that the access being reviewed reflects the actual, current access of users in the system.