SCAIP Saviynt Certified Advanced IGA Professional (Level 200) Questions and Answers

In Saviynt EIC,Duplicate Identity Management (DIM)supports multiple mechanisms to detect duplicate identities across the identity lifecycle, makingOption D (All of the above)the correct answer.

Firstly, duplicate identities can be detectedduring user import (Option A)when data is ingested from authoritative sources like HR systems. Saviynt can apply matching rules and prevent or flag duplicates at the ingestion stage. Secondly, duplicates can be identified by executing theDuplicate Identity Detection Job (Option B), which is a detective control that scans existing identities in the repository and identifies potential duplicates based on configured correlation rules such as email, username, or employee ID.

Additionally, duplicates may also be identifiedduring manual updates in the Identity Repository (Option C)when administrators modify user attributes. If updated values match existing identities based on defined criteria, Saviynt can flag potential duplicates.

These multiple detection points ensure both proactive and reactive duplicate management, helping maintain identity data accuracy and preventing access risks associated with duplicate identities.

The correct answer is A. Transfer Ownership . Saviynt documentation on User Update Rules explains that the purpose of Transfer Ownership is to change ownership, and specifically notes that service accounts can be reassigned to the OwnerOnTerminate user when the current owner is terminated. The documentation further states that when the current service account owner is terminated, a user update rule with the action Transfer Ownership is triggered so that service account ownership is moved appropriately. This directly matches the scenario in the question.

This is also consistent with Saviynt’s service account model, where every service account must have at least one designated owner who is authorized to manage it. Because ownership is required, Saviynt provides lifecycle controls to preserve accountable ownership when a human owner leaves the organization. The remaining options are unrelated. Run Role Mining belongs to analytics and role engineering, Launch Campaign belongs to certification processes, and Disable SMTP is an email configuration concept. For Level 200 understanding, the key takeaway is that automatic service account ownership continuity is handled through a User Update Rule using the Transfer Ownership action, often combined with OwnerOnTerminate configuration.

In Saviynt–ServiceNow integration, the synchronization ofRITM (Request Item) statusbetween Saviynt and ServiceNow is handled through bothmanual and automated mechanisms.

Option B is correct because users or administrators can manuallyclick the Refresh button on the RITM page in ServiceNowto immediately fetch the latest status from Saviynt. This is useful for real-time validation when monitoring request progress.

Option C is also correct as ServiceNow includes aRequest Item History Job, which runs periodically (commonly every minute) to automatically sync and update the RITM status based on the latest state in Saviynt. This ensures near real-time consistency between both systems without manual intervention.

Option A is incorrect because Postman API calls are not a standard or supported operational method for end users to refresh RITM status. Option D is unrelated, as regenerating catalog items does not impact ticket status synchronization.

Thus, the correct answers aremanual refresh and automated job-based synchronization.

In Saviynt EIC, approval assignment for access requests is primarily controlled throughworkflow configurations, which are associated either at theendpoint level or security system level. Therefore, the first step in troubleshooting incorrect approver assignment is to validate whether the correct workflow is attached and properly configured at both levels (Options A and C). Workflows define approval logic such as manager, owner, or custom approvers, and misconfiguration here often leads to incorrect routing.

Option B is also correct becausedelegation settingscan override the intended approver. If a delegate is configured for an approver, the request may be routed to the delegate instead of the original approver, causing confusion if not validated.

Option D is incorrect because in Saviynt, approvers are typicallysystem-driven based on workflow rules, not manually selected by the requester in most standard configurations. The requester does not usually control approver assignment unless explicitly customized, making this option irrelevant for standard troubleshooting.

In Saviynt EIC REST connector configuration, account reconciliation (also known as account import or aggregation) requires specific mandatory JSON parameters that define how the system connects to the target application and retrieves account data. The two essential parameters areConnectionJSONandImportAccountEntJSON.

ConnectionJSON (Option A)is mandatory because it contains the core connection details such as base URL, authentication mechanism (OAuth, Basic, etc.), headers, and endpoint configurations. Without this, Saviynt cannot establish communication with the target REST application.

ImportAccountEntJSON (Option B)is also required because it defines the API call used to fetch account (entitlement/account) data from the target system. It includes endpoint URLs, response parsing logic, pagination handling, and mapping rules needed to bring account data into Saviynt.

OptionC (ImportUserJSON)is typically used for identity/user import, not for account reconciliation in REST connectors. OptionD (CreateAccountJSON)is used during provisioning (account creation), not during reconciliation.

Therefore, for account reconciliation using REST connector, the mandatory configurations are ConnectionJSON and ImportAccountEntJSON, as per Saviynt IGA Level 200 connector guidelines.

In Saviynt EIC, generating anAuthorization Tokenfor API access is performed using theHTTP POST method. This is aligned with standard REST API authentication practices, where sensitive information such as credentials (username, password, client ID, or client secret) is securely transmitted in the request body rather than in the URL.

Saviynt provides API endpoints (such as/ECM/api/login) that require aPOST requestcontaining authentication details in JSON format. Upon successful authentication, the system returns asession token or authorization token, which is then used in subsequent API calls (typically passed in headers likeAuthorizationortoken).

Option A (PUT) and Option B (GET) are not suitable for authentication token generation. GET exposes parameters in the URL and is not secure for credential transmission, while PUT is typically used for updating resources. Option D (GIVE) is not a valid HTTP method.

Therefore, POST is the correct and secure method used in Saviynt APIs forauthentication and token generation, ensuring compliance with RESTful and security best practices.

In Saviynt EIC REST connector configuration,ConnectionJSONis the central configuration block where all connection-level properties are defined. This includes not only the base URL, authentication details, and headers, but also critical operational parameters such asconnection timeout settingsandprovisioning limits (such as throttling or API limits).

Provisioning activities like account creation, update, and deletion rely on stable connectivity to the target system. Therefore, timeout configurations (for example, connection timeout and read timeout) are defined inConnectionJSONto ensure that API calls do not hang indefinitely and can fail gracefully if the target system is unresponsive. Similarly, provisioning limits—such as maximum records processed or API throttling controls—are configured at this level to manage performance and avoid overloading external systems.

OptionA (ConfigJSON)is not a standard JSON used in REST connector configurations. OptionB (MODIFYUSERDATAJSON)is used specifically for user update operations. OptionD (StatusthresholdConfig)relates to job/status handling rather than connection parameters.

Thus, ConnectionJSON is the correct place for configuring provisioning limits and timeout settings in Saviynt REST connectors.

In Saviynt EIC when integrated with ServiceNow as aticketing system (ITSM)for disconnected applications, ticket creation behavior depends on the configuration setting“Enable Multi Entitlement Request.”

If this option is enabled, Saviynt treats each entitlement independently and createsseparate tickets in ServiceNow for each entitlementselected in the request. Therefore, if a user selects three entitlements,three individual ticketswill be generated, allowing granular tracking and fulfillment of each entitlement.

If the option is not enabled, Saviynt consolidates multiple entitlements into asingle request payload, resulting inone ServiceNow ticketthat includes all requested entitlements. This approach simplifies ticket management but reduces granularity.

Option B is incorrect because Saviynt fully supports multiple entitlement requests with ServiceNow integration. Option C is only conditionally correct (depends on configuration), making it incomplete. Option D is also conditional and not always true.

Thus, the correct answer isA, as it accurately reflects the behavior based on system configuration.

The error message"Connection Name Specified in accountJSON is not found"clearly indicates that the issue is related to theaccountJSON configuration, which directly corresponds toImportAccountJSONin Saviynt REST connector terminology. This JSON is responsible for handling account import (reconciliation) operations, including defining the connection name, API endpoints, and parsing logic for retrieving account data.

TheWSRETRY jobis typically used to retry failed web service (REST) operations, especially related to account imports or provisioning failures. Since the error explicitly referencesaccountJSON, it means the system is unable to locate the connection name defined within theImportAccountJSONconfiguration. This usually happens when the connection name is either misspelled, mismatched with the ConnectionJSON configuration, or incorrectly referenced.

Other options are incorrect becauseCreateAccountJSONis used for provisioning (account creation),ImportUserJSONis for identity import, andImportAccountEntJSONis primarily used for entitlement and combined account-entitlement imports.

Therefore, correcting the connection name inImportAccountJSONresolves this issue.

In Saviynt EIC, password management is highly configurable, allowing organizations to defineseparate password policies for different account types, including service accounts and regular user accounts. This requirement is achieved by creating a dedicated password policy specifically for service accounts and associating it appropriately within the system.

Option A is correct because Saviynt allows administrators to define aseparate Password Policy for Service Accountsand map it using thePolicy Rule Service Account field under the Security System configuration. This ensures that when service account operations such as password resets or provisioning occur, the system enforces the correct policy distinct from regular user accounts.

Option B is incorrect since Saviynt supports multiple password policies and does not restrict to a single policy. Option C is incorrect because simply selecting a checkbox in password policy configuration does not link it to service account usage. Option D is incorrect as Global Configurations do not directly assign password policies for service accounts at the execution level.

Thus, configuring and mapping the policy at theSecurity System levelensures correct enforcement for service accounts.

In Saviynt EIC, cascading relationships between form fields are implemented usingDynamic Attributes configuration, where one field (child) depends on the value of another field (parent). Certain configurations are mandatory to ensure proper functionality.

Option A is required because the system must know what action to perform when the parent attribute changes. Setting it toMappingenables dynamic value population based on parent selection.

Option B is mandatory because theParent Attribute parameterdefines the relationship between parent and child fields. Without this mapping, the system cannot establish dependency.

Option D is also essential since Saviynt configurations arecase-sensitive, and mismatched attribute names will break the cascading logic.

Option C, however, isnot mandatory. TheAction String (CHILD###PARENT)is used in specific advanced scenarios but is not required for standard cascading configurations using mapping and parent attribute settings.

Therefore, the correct answer isC, as it is optional and not required for basic cascading functionality.

In Saviynt EIC REST connector configurations, pagination is a critical mechanism used duringuser import (identity reconciliation)to efficiently process large datasets from target systems. The parameterMAX_PAGINATION_SIZEdetermines how many records are fetched and processed per API call (per page).

IfMAX_PAGINATION_SIZEis not explicitly defined, Saviynt uses adefault value of 1000 records per page. This default is designed to balance performance and system stability. Fetching too many records in a single API call can lead to performance bottlenecks, API timeouts, or memory issues, while too few records can increase the number of API calls and slow down the overall import process.

OptionA (50000)andC (10000)are incorrect because these values are typically too large for default settings and must be explicitly configured if required. OptionBis incorrect because Saviynt does provide a default fallback value rather than leaving it undefined.

Therefore, when MAX_PAGINATION_SIZE is not specified, Saviynt defaults to1000, ensuring efficient and stable data import operations.

The correct answer is A. User Manager Campaign . In Saviynt, the User Manager campaign is specifically designed for manager-based certifications, where managers review and certify the access of their direct reportees. Saviynt documentation explicitly states that in a User Manager campaign, managers are responsible for reviewing and certifying the access of users who report to them. That makes this campaign type the best fit when the certification driver is the reporting hierarchy rather than entitlement ownership, role ownership, or service account ownership.

The other options represent different certification ownership models. Entitlement Owner Campaign is meant for entitlement owners, Role Owner Campaign is for role owners, and Service Account Campaign is focused on service account ownership verification and access review. Saviynt also describes campaigns as a way to automatically generate and distribute certifications to the appropriate certifiers based on the selected campaign type and ownership model. Therefore, when the requirement clearly says “managers must review direct reportees,” the User Manager campaign is the correct and most aligned selection within Saviynt Level 200 scope.