Saviynt Certified IGA Professional Exam (L100) SAVIGA-C01 Exam Questions

Page: 1 / 14
Total 60 questions
Question 1

Which of the following Jobs is responsible for configuring a dashboard in a Campaign?



Answer : B

The Job responsible for configuring a dashboard (among other configurations) in a Saviynt Campaign is B. Create or Schedule Attestation Job. Here's a detailed explanation:

Saviynt's Campaigns: Campaigns in Saviynt are used for access certification, allowing reviewers (Certifiers) to review and approve or revoke user access.

Create or Schedule Attestation Job: This job is the core mechanism for creating and configuring various aspects of a campaign, including:

Campaign Scope: Defining which users, entitlements, or resources are included in the campaign.

Certifier Selection: Specifying who will be the reviewers for the campaign.

Scheduling: Setting the start and end dates for the campaign.

Notifications: Configuring email notifications for Certifiers and other stakeholders.

Dashboard Configuration: Defining the information and layout displayed on the campaign dashboard for Certifiers. This includes selecting which data points, charts, and filters are visible.

Why Other Options Are Incorrect:

A . Campaign Export Job: This job is used to export campaign data, not to configure the campaign itself.

C . Campaign Import Job: This job is used to import data into a campaign, typically from an external source.

D . Upgrade Job: This job is related to upgrading the Saviynt platform, not to campaign configuration.

In summary: The 'Create or Schedule Attestation Job' is the central job for setting up and configuring all aspects of a Saviynt campaign, including the dashboard that provides Certifiers with a summarized view of the certification data.


Question 2

Adam, an Admin, created a rule to provide birthright access; however, the access should be deprovisioned when the condition fails. Which of the following options should be applied for this scenario?



Answer : C

To automatically deprovision birthright access when the defining condition fails, the correct option is C. Remove the birthright Access if the condition fails under the created Rule. Here's a detailed explanation:

Saviynt's Birthright Access (Automatic Provisioning): Saviynt allows administrators to define rules that automatically grant access (birthright access) based on user attributes or other criteria (e.g., new hires in a specific department automatically get access to certain applications).

Rule-Based Access Management: These rules are a core part of Saviynt's access management capabilities, allowing for dynamic and automated provisioning.

'Remove the birthright Access if the condition fails': This option, typically found within the birthright rule configuration itself, is crucial for ensuring that access is revoked when the conditions that granted it are no longer met.

Example: If a user is granted access to an application because they are in the 'Sales' department, and they are later moved to the 'Marketing' department, the condition for the birthright rule would fail, and Saviynt would automatically deprovision the access.

Saviynt's Continuous Monitoring: Saviynt continuously monitors user attributes and rule conditions. When a change occurs that causes a condition to fail, the deprovisioning action is triggered.

Other Options:

A . Remove the Access Rule: This would remove the entire rule, preventing it from granting access to anyone, not just the user whose condition has failed.

B . Apply a new Technical Rule to remove the Access: While technically possible, it's less efficient and more complex than using the built-in option within the birthright rule.

D . Use the Request Rule: Request Rules are for access requests, not for automatically provisioning or deprovisioning birthright access.


Question 3

What is a Campaign?



Answer : D

In Saviynt, a Campaign is best described as a D. Group of similar Certifications. Here's a breakdown:

Saviynt's Campaigns and Certifications:

Campaign: A container that defines the scope, schedule, participants, and other settings for a set of related access certifications.

Certification: The individual review task assigned to a Certifier (e.g., a manager reviewing their subordinates' access, an application owner reviewing users of their application).

Analogy: Think of a Campaign as a project, and Certifications as individual tasks within that project.

Purpose of Campaigns: Campaigns provide a structured way to manage and track access reviews, ensuring that they are conducted regularly and consistently.

Examples of Campaigns:

User Manager Campaign: Groups certifications where managers review their subordinates' access.

Entitlement Owner Campaign: Groups certifications where entitlement owners review who has access to their entitlements.

Application Owner Campaign: Groups certifications where application owners review who has access to their applications.

Why Other Options Are Incorrect:

A . Group of similar Endpoints: Endpoints are systems or applications connected to Saviynt, not the primary grouping within a campaign.

B . Group of User Groups: User groups are collections of users, not the defining element of a campaign.

C . Group of Dashboards: Dashboards provide visualizations of data, but they are not the core component of a campaign.

In conclusion: A Campaign in Saviynt is essentially a container for a set of related access certifications, providing a framework for managing and organizing the review process based on specific criteria and objectives.


Question 4

Single Sign-On is enabled in EIC using Azure Identity Provider. In this scenario, can the user log in using Azure and EIC native authentication?



Answer : B

When Single Sign-On (SSO) is enabled in Saviynt EIC using an external Identity Provider (IdP) like Azure AD, it generally becomes the exclusive authentication method. This means users cannot use Saviynt's native authentication (i.e., logging in with a username/password stored directly within Saviynt).

Reasons for this:

Security and Centralized Control: SSO with an IdP enhances security by centralizing authentication and enforcing stronger password policies. Allowing native logins would create a potential bypass of these security measures.

User Experience: SSO provides a seamless login experience, eliminating the need for users to remember multiple credentials. Offering both SSO and native logins could lead to confusion and a less streamlined process.

Administrative Efficiency: SSO simplifies user management by delegating authentication to the IdP. Administrators don't need to manage separate user accounts and passwords within Saviynt.

Saviynt IGA Reference:

Saviynt Documentation: Saviynt's documentation on SSO configurations emphasizes that enabling SSO typically disables native authentication methods.

Saviynt Best Practices: Saviynt's best practices for SSO recommend enforcing SSO as the sole authentication method for improved security and user experience.

Saviynt Implementation Guides: Implementation guides for setting up SSO with various IdPs, including Azure AD, often highlight the exclusive nature of SSO authentication.


Question 5

Which of the following Connections is used for integrating Saviynt with a ticketing system?



Answer : C

A Service Desk Connection in Saviynt is used to integrate with external ticketing systems. This integration allows Saviynt to:

Automate request fulfillment: Access requests created in Saviynt can automatically generate tickets in the service desk system.

Track request status: Saviynt can update the status of access requests based on the corresponding ticket status in the service desk system.

Improve communication: Integration facilitates seamless communication and collaboration between Saviynt and the service desk team.

Why other options are incorrect:

Service Ticket Connection, Ticket Connection, Provisioning Connection: These are not standard terms used in Saviynt for service desk integration.

Saviynt IGA Reference:

Saviynt Documentation: The documentation on integrating with Service Desk systems explains the purpose and configuration of a Service Desk Connection.

Saviynt Connectors: Saviynt provides connectors for popular service desk solutions like ServiceNow, facilitating the integration process.


Question 6

The following USER_IMPORT_MAPPING attribute is set up in Workday RAAS connection:

USER_IMPORT_MAPPING

{
  "ImportType": "RAAS",
  "ResponsePath": "wd:Report_Data.wd:Report_Entry",
  "ImportMapping": {
    "USERNAME": "wd:User_Name~#~string",
    "SYSTEMUSERNAME": "wd:User_Name~#~string",
    "FIRSTNAME": "wd:First_Name~#~string",
    "CITY": "wd:Location.wd:Descriptor~#~string"
  }
}

As per the above mapping, USERNAME is the user attribute defined in Workday, and User_Name is the attribute defined in EIC.



Answer : B

The statement is False. In the provided USER_IMPORT_MAPPING, USERNAME is the user attribute defined in EIC (Enterprise Identity Cloud), and wd:User_Name is the attribute defined in Workday. Here's a breakdown:

Saviynt's USER_IMPORT_MAPPING: This configuration within a connection (in this case, Workday RAAS) defines how data from the connected system (Workday) should be mapped to attributes within Saviynt's EIC.

ImportMapping: This section specifies the mapping between source attributes (Workday) and target attributes (EIC).

USERNAME: In the provided mapping, USERNAME (without the wd: prefix) is the target attribute, meaning it's an attribute within Saviynt's EIC.

wd:User_Name: The wd: prefix typically indicates a Workday attribute. Therefore, wd:User_Name is the source attribute from Workday.

~#~string: This likely indicates the data type of the attribute (string in this case).

Correct Interpretation: The mapping is saying: 'Take the value of the wd:User_Name attribute from Workday and map it to the USERNAME attribute in EIC.'

In essence: The USER_IMPORT_MAPPING defines how data from Workday is translated into Saviynt's internal data model, and in this case, USERNAME belongs to Saviynt (EIC), while wd:User_Name belongs to Workday.


Question 7

ABC Company has set up a one-level workflow for an application, where the lone approver is the manager of the beneficiary. Margaret, who is Edward's manager, raised an access request on behalf of Edward. Which of the following statements would be true/applicable?



Answer : A

In the given scenario, where ABC Company has a one-level workflow with the manager as the sole approver, and Margaret (Edward's manager) raises a request on behalf of Edward, the statement that would be true/applicable is A. Manager's approval is auto-approved. Here's why:

Saviynt's Workflow Configuration: Saviynt allows for the configuration of various workflow scenarios, including auto-approval based on certain conditions.

Self-Approval Prevention/Auto-Approval: A common security best practice is to prevent users from approving their own access requests. However, when a manager requests on behalf of a subordinate, this is considered a delegated request and many organizations find it acceptable to auto-approve since the approval should be implicit in the act of requesting.

Manager Requesting on Behalf: When a manager initiates a request for a subordinate, it's often considered an implicit approval. The manager is essentially saying, 'I approve this access for my team member.'

Saviynt's Default Behavior (Typically): By default, or through common configuration practices, Saviynt is often set up to recognize this scenario and auto-approve the manager's approval step in the workflow. This streamlines the process and avoids unnecessary delays.

Configuration Options: While auto-approval is common, Saviynt's workflow engine is flexible. It's possible to configure it differently, for instance, to still require explicit manager approval even in this scenario. However, this is less typical.

Other Options:

B . Manager's approval is auto-rejected: This is highly unlikely and would defeat the purpose of having a manager initiate the request.

C . Manager must manually approve/reject the request: While possible through configuration, it's not the typical or default behavior in this scenario.

D . None of the above: Option A is the most likely and common outcome.

In summary: In a one-level workflow where the manager is the approver, and the manager requests access on behalf of a subordinate, Saviynt is typically configured to auto-approve the manager's approval step, streamlining the process and reflecting the implicit approval inherent in the manager's action.

