SCAIP Saviynt Certified Advanced IGA Professional (Level 200) Questions and Answers

In Saviynt–ServiceNow integration using theSaviynt App for ServiceNow, therequest fulfillment location is flexible and depends on how the integration is configured. This is why Option C is correct.

Saviynt supports different integration patterns with ServiceNow. In one model,ServiceNow acts as the front-end request system, while Saviynt handles the fulfillment (provisioning, approvals, and access governance). In another model, ServiceNow can handle certain fulfillment steps depending on how workflows, APIs, and ticketing configurations are defined.

For example, if the integration is configured such that ServiceNow creates a request and passes it to Saviynt, thenSaviynt performs fulfillment. Alternatively, if certain fulfillment logic or orchestration is handled within ServiceNow workflows or ITSM processes, thenServiceNow may drive parts of the fulfillment process.

This flexibility allows organizations to align the integration with their operational model, whether centralized in Saviynt or distributed with ServiceNow. Therefore, fulfillment is not restricted to a single system and is determined byconfiguration and architectural design choices.

In Saviynt EIC integration with ServiceNow as a ticketing system (ITSM), various JSON configurations are used to define how tickets are created, updated, and tracked. To enable users tocheck the status of tickets from EIC, the correct configuration isTICKETSTATUSJSON.

TICKETSTATUSJSONis specifically used to define how Saviynt retrieves the current status of a ticket from ServiceNow. It maps the API response fields from ServiceNow (such as state, status, or resolution) to Saviynt fields, allowing the system to display real-time ticket status within the EIC interface.

Option A (SYNCTICKETSTATUSJSON) is typically used for synchronization jobs that update ticket statuses in bulk, not for direct user-level status retrieval. Option B (CREATETICKETJSON) is used only for ticket creation, defining how requests are sent to ServiceNow. Option D is incorrect because Saviynt does support ticket status tracking through proper integration configuration.

Thus,TICKETSTATUSJSONis the correct option to enable visibility of ticket status within Saviynt EIC.

In Saviynt EIC, retrieving reports such as users and their assigned SAV roles can be achieved through multipleanalytics and reporting mechanisms.

Option A is correct because administrators can createAnalytics using SQL queriesand configure them tosend results via email as attachments, which is useful for scheduled reporting and automated distribution.

Option B is also valid since Analytics allows administrators toexport query results into CSV or Excel formats, enabling offline analysis, auditing, and sharing with stakeholders.

Option C is correct becauseData Analyzerprovides a direct interface to execute SQL queries on the Saviynt database, allowing administrators to quickly retrieve required data without creating a formal analytics job.

Option D (Using enhanced query) is not a standard or recognized reporting method within Saviynt for this use case. While advanced queries can be written, “enhanced query” is not a defined feature or module for report extraction.

Thus, the correct answers areA, B, and C, which represent the primary supported methods for reporting in Saviynt.

In Saviynt EIC REST connector configuration,ImportAccountEntJSONis used to define how account and entitlement data are imported (reconciled) from a target system. This JSON structure includes several predefined and supported parameters that control how accounts, entitlements, and their ownership relationships are processed.

accountParams (Option C)is a valid parameter and is used to map account-level attributes such as account name, status, and identifiers.entitlementParams (Option B)is also valid and defines how entitlement data (groups, roles, permissions) are fetched and mapped.accountOwnerParams (Option A)is another valid parameter used to define account ownership mapping, helping assign owners to accounts during reconciliation.

However,entOwnerParams (Option D)is NOT a valid parameter in the ImportAccountEntJSON structure. The correct naming convention for entitlement ownership (if applicable) does not use "entOwnerParams" in Saviynt REST connector configuration. Saviynt follows strict parameter naming standards, and incorrect parameter names will not be recognized or processed by the connector.

Thus, Option D is the correct answer, as it represents an invalid configuration parameter in the context of ImportAccountEntJSON.

In Saviynt EIC,Password Policy precedence and enforcementdepend on where the policy is configured within the hierarchy of Security System and Connector.

Option A is correct because when password policies are defined at both levels, theSecurity System-level policy takes precedence. This ensures centralized governance and consistency across all endpoints under that security system.

Option B is also correct since Saviynt allows administrators to control password change permissions at a granular level using the“Change Password Access Query”at the endpoint. This enables restriction of password changes based on user attributes or conditions.

Option C is incorrect because connector-level policies do not override security system-level configurations when both are present.

Option D is correct because if no policy is defined at the security system level, theconnector-level password policy will be applied by default, ensuring that password rules are still enforced.

Thus, the correct answers areA, B, and D, reflecting Saviynt’s hierarchical and flexible password policy framework.

In Saviynt EIC, approval assignment for access requests is primarily controlled throughworkflow configurations, which are associated either at theendpoint level or security system level. Therefore, the first step in troubleshooting incorrect approver assignment is to validate whether the correct workflow is attached and properly configured at both levels (Options A and C). Workflows define approval logic such as manager, owner, or custom approvers, and misconfiguration here often leads to incorrect routing.

Option B is also correct becausedelegation settingscan override the intended approver. If a delegate is configured for an approver, the request may be routed to the delegate instead of the original approver, causing confusion if not validated.

Option D is incorrect because in Saviynt, approvers are typicallysystem-driven based on workflow rules, not manually selected by the requester in most standard configurations. The requester does not usually control approver assignment unless explicitly customized, making this option irrelevant for standard troubleshooting.

The correct answer is A. User Manager Campaign . In Saviynt, the User Manager campaign is specifically designed for manager-based certifications, where managers review and certify the access of their direct reportees. Saviynt documentation explicitly states that in a User Manager campaign, managers are responsible for reviewing and certifying the access of users who report to them. That makes this campaign type the best fit when the certification driver is the reporting hierarchy rather than entitlement ownership, role ownership, or service account ownership.

The other options represent different certification ownership models. Entitlement Owner Campaign is meant for entitlement owners, Role Owner Campaign is for role owners, and Service Account Campaign is focused on service account ownership verification and access review. Saviynt also describes campaigns as a way to automatically generate and distribute certifications to the appropriate certifiers based on the selected campaign type and ownership model. Therefore, when the requirement clearly says “managers must review direct reportees,” the User Manager campaign is the correct and most aligned selection within Saviynt Level 200 scope.

In Saviynt EIC, when configuringdynamic attributes or custom forms, system variables are used to fetch context-specific data such as the currently logged-in user. To retrieve theDisplay Name of the logged-in user, the correct variable is${loggedInUser}, which directly represents the userkey of the active session user.

Option A correctly uses this variable in the SQL query to fetch the DISPLAYNAME from the Users table. This ensures that the attribute dynamically reflects the logged-in user's display name at runtime.

Option B is incorrect because${user.id}typically refers to the target user in a request context, not necessarily the logged-in user. Option C (${requestor}) may represent the requester in certain workflows but is not consistently equivalent to the logged-in user in all scenarios, especially in delegated or admin-driven requests.

Therefore, Option A is the most accurate and reliable approach for retrieving the logged-in user’s display name in Saviynt configurations, ensuring proper context-aware data population.

The correct answer is B. REST Connector . Saviynt documentation explains that REST integration is intended for applications whose data and lifecycle actions are available through REST endpoints. It states that the REST integration enables organizations to gain visibility, manage the user lifecycle, and govern access for data available in the REST application or REST endpoint. That directly matches the question, which requires imports plus provisioning and deprovisioning for an API-driven target system.

Saviynt’s REST connector documentation also notes that provisioning and deprovisioning are supported when the connection is configured correctly. This makes the REST connector the standard choice when the target system does not use an out-of-the-box native connector but does provide usable REST APIs. The other options do not fit the requirement. Active Directory Connector is specific to AD use cases, SMTP Configuration is only for email delivery, and Dataset Configuration is an administrative data-structuring feature rather than an application integration method. In Saviynt Level 200 terms, when an application is API-first and lifecycle actions must be automated, the REST connector is the appropriate design decision.

The correct answers are A, B, and C . Saviynt documentation for Active Directory group management states that the connector can be used to create, update, and delete AD or ADSI groups. It also supports related group-management functions such as updating group attributes and maintaining group membership and owners. This confirms that Saviynt group management is not limited to visibility or request tracking; it supports the full operational lifecycle for AD groups when configured correctly.

Saviynt’s administrative documentation further explains that group management must be configured to enable users to create and manage groups in Saviynt Identity Cloud. That broader wording aligns with the specific lifecycle operations of create, update, and delete. Option D is incorrect because campaign launching is part of certification governance, not the core capability set of AD group management itself. A campaign may later review group-related access, but group management is fundamentally about administering the group object and its membership lifecycle. For Level 200 preparation, this distinction matters: group management handles the lifecycle of the group object, while campaigns handle review and attestation of access associated with identities, roles, or entitlements.

In Saviynt EIC,time-bound accessis a standard feature used to ensure that access granted to users is automatically revoked after a defined duration. This requirement is fulfilled by enabling thetime-bound configuration for roles under Global Configurations > Roles(Option B). Once this setting is enabled, users can request roles with a specified start and end date, and Saviynt automatically deprovisions the access when the validity period expires.

This capability is essential for enforcingleast privilege and compliance requirements, as it eliminates the need for manual revocation and reduces the risk of lingering access. The system leverages scheduled jobs to monitor and remove expired entitlements or roles.

Option A is incorrect because Dynamic Attributes are mainly used for form customization and conditional logic, not for enforcing access expiration. Option C (Emergency Access Role) is designed for temporary elevated access but follows a different configuration pattern and use case. Option D is not a valid standard approach for enabling automatic revocation.

Thus, enablingtime-bound roles in global configurationis the correct and scalable solution.

The correct answer is A. Transfer Ownership . Saviynt documentation on User Update Rules explains that the purpose of Transfer Ownership is to change ownership, and specifically notes that service accounts can be reassigned to the OwnerOnTerminate user when the current owner is terminated. The documentation further states that when the current service account owner is terminated, a user update rule with the action Transfer Ownership is triggered so that service account ownership is moved appropriately. This directly matches the scenario in the question.

This is also consistent with Saviynt’s service account model, where every service account must have at least one designated owner who is authorized to manage it. Because ownership is required, Saviynt provides lifecycle controls to preserve accountable ownership when a human owner leaves the organization. The remaining options are unrelated. Run Role Mining belongs to analytics and role engineering, Launch Campaign belongs to certification processes, and Disable SMTP is an email configuration concept. For Level 200 understanding, the key takeaway is that automatic service account ownership continuity is handled through a User Update Rule using the Transfer Ownership action, often combined with OwnerOnTerminate configuration.

Saviynt’sRole MiningandDuplicate Identity Management (DIM)features are key components of Identity Analytics and Governance.

Option Ais correct because Role Mining analyzes user access patterns and identifies similarities across users. Based on these similarities, Saviynt suggests logical groupings of entitlements that can be converted into roles, improving role design and governance.

Option Bis also correct. Thepercentage cut-offin Role Mining defines the threshold for common access across users. A higher threshold (e.g., 60% or more) ensures that only frequently shared entitlements are considered. In practice, this drives mining toward highly consistent access patterns, often close to universally assigned (near 100%), ensuring stronger role accuracy.

Option Cis correct because access to DIM functionality is controlled throughSAV Roles. Administrators must explicitly grant permissions to view and manage duplicate identities.

Option Dis incorrect because DIM not only merges identity attributes but can also consolidate associated access (accounts and entitlements), ensuring a unified identity profile.

In Saviynt EIC, retrieving reports such as users and their assigned SAV roles can be achieved through multiple analytics and reporting mechanisms. The correct approaches areOptions A, B, and C, all of which leverage SQL-based analytics capabilities.

Option Ais correct because Saviynt allows administrators to create analytics using SQL queries and schedule them. The“Send Email As Attachment”feature enables automated report delivery, making it useful for periodic reporting and compliance requirements.

Option Bis also valid, as analytics results can be exported directly into formats like CSV or Excel, allowing further analysis or sharing outside the platform.

Option Cis correct because theData Analyzertool enables administrators to run SQL queries directly on the Saviynt database to retrieve real-time data for reporting and troubleshooting purposes.

Option D (Using enhanced query)is not considered a standard or distinct reporting mechanism in Saviynt for this use case.

Together, these methods provide flexible reporting options, supporting both real-time access and scheduled report distribution within Saviynt.

In Saviynt EIC, the correct configuration for controlling which roles appear in the Access Request screen is theRequest Roles Query / Role Request QueryunderGlobal Configuration. Saviynt’s official documentation forConfiguring Role Requestsstates that this setting is used tospecify a query to control the display of roles in Access Request, meaning only roles returned by that query are shown to the requester. That is exactly the use case in this question: filtering the visible role list by a user attribute such as country or location. A query can be written so that users from Country A see only the roles mapped for Country A.

The other options are not correct in this context.SAV Rolecontrols administrative UI permissions in Saviynt, not end-user role catalog filtering.Role Configuration - > User Queryis not the standard setting used to drive request-time role visibility for this scenario. Option D is incorrect because Saviynt explicitly supports this use case through the Request Roles Query capability.