Is the following description of an access profile correct?
Solution: It can be acknowledged during certifications.
Answer: A
Yes, an access profile can be acknowledged during certifications. During access certification campaigns, reviewers can review access profiles as part of the items that need to be certified. They can either approve or revoke access to the access profiles, just like they would with individual entitlements. This ensures that users' access to these bundled entitlements is regularly reviewed and compliant with organizational policies.
SailPoint IdentityNow Certification Campaigns Guide.
SailPoint IdentityNow Access Profile Certification Documentation.
Is the following description of an access profile correct?
Solution: It allows definition of an approval process.
Answer: A
Yes, an access profile allows the definition of an approval process. When an access profile is created, administrators can configure specific approval workflows that must be followed before the access is granted. This includes designating approvers or specifying multiple levels of approval, depending on the organization's policies. This capability is useful for ensuring that sensitive access requests are properly reviewed and approved.
SailPoint IdentityNow Access Request and Approval Workflow Guide.
SailPoint IdentityNow Access Profile Configuration Documentation.
Is the following description of an access profile correct?
Solution: It directly references roles to provide access.
Answer: B
No, an access profile does not directly reference roles to provide access. Instead, access profiles are collections of entitlements or permissions that are bundled together to simplify access provisioning. Access profiles can be associated with roles, but they do not reference roles directly. Roles in IdentityNow define broader sets of permissions, which may include access profiles, but access profiles themselves are not tied directly to roles.
SailPoint IdentityNow Access Profiles Documentation.
SailPoint IdentityNow Roles and Access Profiles Configuration Guide.
Does this example accurately describe an IdentityNow data flow?
1. The user changes their password in IdentityNow.
2. The virtual appliance checks in with the IdentityNow tenant and receives the request.
3. The virtual appliance contacts the IQService host.
4. The IQService host makes the change in Active Directory.
Answer: A
Yes, this example accurately describes an IdentityNow data flow for password changes in an Active Directory environment. When a user changes their password in IdentityNow, the request is sent to the virtual appliance, which then communicates with the IQService host. The IQService is responsible for making changes to Active Directory. This flow reflects the standard procedure for password management using IdentityNow with Active Directory, where the virtual appliance and IQService coordinate to complete the password change.
SailPoint IdentityNow Password Management Documentation.
SailPoint IdentityNow IQService and Virtual Appliance Data Flow Guide.
Is this statement correct about security and/or encryption of data?
Solution: When setting up a virtual appliance cluster, SailPoint creates an asymmetric key pair based on a user-provided passphrase, and then uses this key pair to communicate with the IdentityNow tenant.
Answer: A
Yes, this statement is correct. When setting up a Virtual Appliance (VA) cluster, SailPoint does indeed create an asymmetric key pair based on a user-provided passphrase. This key pair is used for secure communication between the Virtual Appliance and the IdentityNow tenant. The asymmetric encryption model uses a public-private key pair where the private key is stored securely within the VA, and the public key is shared with the IdentityNow tenant to establish a secure, encrypted communication channel. This setup ensures that data exchanged between the VA and the IdentityNow tenant remains protected.
SailPoint IdentityNow Virtual Appliance Security Guide.
SailPoint IdentityNow Asymmetric Encryption and Key Management Documentation.
Review the sentence below:
The virtual appliance (VA) private key is _____.
Does this option correctly complete the sentence?
Solution: Stored both in the IdentityNow tenant and on the VA.
Answer: B
The virtual appliance (VA) private key is not stored in both the IdentityNow tenant and the VA. The VA private key, which is critical for secure communications, is stored only on the Virtual Appliance (VA) itself. It is used to authenticate and encrypt communications between the VA and the IdentityNow tenant. Storing such sensitive information in the IdentityNow tenant would violate best practices for key management and security.
Instead, the IdentityNow tenant only holds the public key or a reference to the key to facilitate secure exchanges with the VA. The private key remains secured locally within the VA, protecting it from potential security vulnerabilities associated with external storage.
SailPoint IdentityNow Virtual Appliance Architecture Guide.
SailPoint IdentityNow Security and Encryption Documentation.
Does the following use case correctly describe passthrough authentication?
Solution: A user logs into IdentityNow via an identity provider's login. The identity provider exchanges information via federation.
Answer: A
The use case describes a user logging into IdentityNow via an external identity provider's login, where information is exchanged via federation. This correctly aligns with the concept of passthrough authentication.
Passthrough authentication often uses protocols like SAML (Security Assertion Markup Language) or OAuth for federation. In this case, the identity provider (IdP) handles the authentication and then passes the necessary authentication tokens or assertions back to SailPoint IdentityNow, granting the user access without directly requiring their password to be stored or authenticated by IdentityNow. This is a typical use case of federation and passthrough authentication.
SailPoint IdentityNow Documentation on SAML and OAuth Federation.
SailPoint IdentityNow Federation and Passthrough Authentication Configuration Guides.