SailPoint Certified IdentityNow Engineer IdentityNow-Engineer Exam Questions

Page: 1 / 14
Total 108 questions
Question 1

Is the following statement accurate regarding Separation of Duties (SoD)?

Solution: An SoD policy must define a control matrix.



Answer : B

No, an SoD (Separation of Duties) policy does not require a control matrix to be defined. While a control matrix can be a useful tool for organizations to visualize and enforce SoD policies by mapping roles to potential conflicting access rights, it is not a mandatory component of an SoD policy. An SoD policy primarily focuses on preventing conflicts of interest by ensuring that no individual has access to perform conflicting tasks within a business process (e.g., approving and processing payments). The control matrix is a recommended method for managing SoD but not a requirement.

Key Reference from SailPoint Documentation:

SoD Policy Overview: SailPoint recommends structuring SoD policies to focus on preventing conflicting access but does not mandate the use of a control matrix, which is an optional best practice for visualizing these controls.


Question 2

An IdentityNow engineer needs to review logs to diagnose when the secure tunnel fails to allow communication. Could reviewing this log file help diagnose the issue?

Solution: /home/sailpoint/log/relay.log



Answer : A

Yes, reviewing the /home/sailpoint/log/relay.log file can help diagnose issues related to the secure tunnel in SailPoint IdentityNow. The relay.log file captures information about the communication between the IdentityNow Virtual Appliance (VA) and the SailPoint cloud. This secure tunnel is responsible for ensuring encrypted communication, and any issues with establishing or maintaining the connection can often be found in this log.

Key Reference from SailPoint Documentation:

Relay Log for Troubleshooting: The relay.log is the primary log file to review for communication issues between the Virtual Appliance and SailPoint IdentityNow cloud, including secure tunnel failures.


Question 3

Is the following true about custom connectors in IdentityNow?

Solution: Custom connectors are developed and compiled inside IdentityNow.



Answer : B

No, custom connectors are not developed and compiled inside IdentityNow. Custom connectors are typically developed outside of the IdentityNow platform using a development environment and then tested and packaged before being uploaded to the platform. These connectors can be developed using tools provided by SailPoint, but the actual development process occurs externally, not directly within the IdentityNow environment.

Key Reference from SailPoint Documentation:

Custom Connector Development: Custom connectors are developed outside of the IdentityNow platform and then integrated into it for use.


Question 4

Is this an item that an IdentityNow engineer should configure when implementing a source that uses a JDBC connector?

Solution: Select the checkbox to use database admin as service account.



Answer : B

No, selecting a checkbox to use the database admin as the service account is not a recommended or required configuration when implementing a source that uses a JDBC connector. Typically, for security and least privilege, a dedicated service account with only the necessary permissions to read and manage identities within the database is used. Granting database administrator (DBA) privileges to the service account introduces unnecessary security risks and is against best practices.


SailPoint IdentityNow JDBC Connector Configuration Guide.

SailPoint IdentityNow Best Practices for Service Accounts Documentation.

Question 5

An IdentityNow engineer needs to find identities with disabled AD accounts by using IdentityNow's search features. Is this the correct search syntax to perform this task?

Solution:



Answer : A

Yes, the search syntax @accounts( source.name:'AD' AND state:'disabled' ) is correct for finding identities with disabled AD accounts. In this case, the query filters accounts based on the state being 'disabled,' which is valid and effective for identifying disabled accounts.

Key Reference from SailPoint Documentation:

Search by Account State: Using state:'disabled' is an accurate way to search for disabled accounts in SailPoint IdentityNow.


Question 6

Does the following use case correctly describe passthrough authentication?

Solution: A user logs into IdentityNow via an identity provider's login. The identity provider exchanges information via federation.



Answer : A

The use case describes a user logging into IdentityNow via an external identity provider's login, where information is exchanged via federation. This correctly aligns with the concept of passthrough authentication.

Passthrough authentication often uses protocols like SAML (Security Assertion Markup Language) or OAuth for federation. In this case, the identity provider (IdP) handles the authentication and then passes the necessary authentication tokens or assertions back to SailPoint IdentityNow, granting the user access without directly requiring their password to be stored or authenticated by IdentityNow. This is a typical use case of federation and passthrough authentication.


SailPoint IdentityNow Documentation on SAML and OAuth Federation.

SailPoint IdentityNow Federation and Passthrough Authentication Configuration Guides.

Question 7

Is this statement true about the purpose of a tenant?

Solution: A non-production tenant is used for testing new features.



Answer : A

Yes, a non-production tenant is typically used for testing new features before they are deployed to the production environment. This allows administrators to validate functionality, identify potential issues, and ensure the features work as expected without affecting the live users and operations.

Key Reference from SailPoint Documentation:

Testing New Features in Non-Production: SailPoint advises using non-production environments for testing new functionalities to safeguard production environments from untested changes.

