A Campaign Owner can create various types of a User Manager Campaign to save different settings for various categories of Manager Access Reviews.
Answer: C
To save different settings for various categories of Manager Access Reviews within User Manager Campaigns, a Campaign Owner can create C. Campaign Templates. Here's why:
Saviynt's Campaign Templates: Templates allow you to pre-configure various settings for a campaign and save them as a reusable template. This includes settings related to:
Campaign Scope: Defining which users, applications, or entitlements are included.
Certifier Selection: Specifying the type of certifiers (e.g., Managers, Application Owners).
Scheduling and Notifications: Setting up the campaign schedule and email notifications.
Advanced Configurations: Including filters, risk scores, and other advanced settings.
Multiple Templates for Different Categories: A Campaign Owner can create multiple templates, each tailored to a specific category of Manager Access Review. For example:
Template 1: For high-risk applications, with stricter filters and more frequent reviews.
Template 2: For low-risk applications, with broader scope and less frequent reviews.
Template 3: For specific departments or business units, with customized certifier selection.
Benefits of Using Templates:
Consistency: Ensures that similar types of reviews are conducted consistently.
Efficiency: Saves time by eliminating the need to configure each campaign from scratch.
Reduced Errors: Minimizes the risk of manual configuration errors.
Why Other Options Are Less Suitable:
A. Global Configurations: Global configurations apply to all campaigns, not to specific categories of reviews.
B. Campaign Types: Campaign types (e.g., User Manager, Entitlement Owner) define the overall purpose of the campaign, not the specific settings for different categories within a campaign type.
D. Campaign Previews: Previews are for reviewing the campaign data before launch, not for saving different configurations.
In conclusion: Campaign Templates in Saviynt provide a powerful way to save and reuse different configurations for various categories of Manager Access Reviews, promoting consistency, efficiency, and accuracy in the certification process.
What is a Campaign?
Answer: D
In Saviynt, a Campaign is best described as a D. Group of similar Certifications. Here's a breakdown:
Saviynt's Campaigns and Certifications:
Campaign: A container that defines the scope, schedule, participants, and other settings for a set of related access certifications.
Certification: The individual review task assigned to a Certifier (e.g., a manager reviewing their subordinates' access, an application owner reviewing users of their application).
Analogy: Think of a Campaign as a project, and Certifications as individual tasks within that project.
Purpose of Campaigns: Campaigns provide a structured way to manage and track access reviews, ensuring that they are conducted regularly and consistently.
Examples of Campaigns:
User Manager Campaign: Groups certifications where managers review their subordinates' access.
Entitlement Owner Campaign: Groups certifications where entitlement owners review who has access to their entitlements.
Application Owner Campaign: Groups certifications where application owners review who has access to their applications.
Why Other Options Are Incorrect:
A. Group of similar Endpoints: Endpoints are systems or applications connected to Saviynt, not the primary grouping within a campaign.
B. Group of User Groups: User groups are collections of users, not the defining element of a campaign.
C. Group of Dashboards: Dashboards provide visualizations of data, but they are not the core component of a campaign.
In conclusion: A Campaign in Saviynt is essentially a container for a set of related access certifications, providing a framework for managing and organizing the review process based on specific criteria and objectives.
Jane was managing an AD Group; however, she had to decommission this group and revoke access for all the users.
Which of the following options should be used to perform the above task?
Answer: D
To decommission an AD Group and revoke access for all users, Jane should use D. Entitlement Owner Certification. Here is why:
AD Group as an Entitlement: In Saviynt, an AD Group is typically represented as an Entitlement.
Entitlement Owner Certification: This type of campaign allows the designated owner of an entitlement (in this case, Jane, as the manager of the AD Group) to review and certify who should have access to that entitlement.
Revoking Access: As the Entitlement Owner, Jane can use the certification campaign to:
Review the list of users: See all users who are currently members of the AD Group.
Revoke access for all users: Mark all users for removal from the group.
Decommissioning the Group: After revoking access for all users through the certification, Jane can then proceed with decommissioning the AD Group itself (either through Saviynt if it manages AD group lifecycle or directly in Active Directory).
Why Other Options Are Less Suitable:
A. Segregation of Duties: SoD is a principle, not a specific action for revoking access.
B. Entitlement Update Rule: While rules can automate some actions, a certification campaign provides a more controlled and auditable way to review and revoke access, especially for a sensitive action like decommissioning a group.
C. Mitigation Control: Mitigation controls are used to manage SoD conflicts, not for revoking access to entitlements.
In conclusion: An Entitlement Owner Certification campaign provides a structured and auditable way for Jane to review the membership of the AD Group, revoke access for all users, and prepare for the group's decommissioning, aligning with best practices for access management.
Single Sign-On is enabled in EIC using Azure Identity Provider. In this scenario, can the user log in using Azure and EIC native authentication?
Answer: B
When Single Sign-On (SSO) is enabled in Saviynt EIC using an external Identity Provider (IdP) like Azure AD, it generally becomes the exclusive authentication method. This means users cannot use Saviynt's native authentication (i.e., logging in with a username/password stored directly within Saviynt).
Reasons for this:
Security and Centralized Control: SSO with an IdP enhances security by centralizing authentication and enforcing stronger password policies. Allowing native logins would create a potential bypass of these security measures.
User Experience: SSO provides a seamless login experience, eliminating the need for users to remember multiple credentials. Offering both SSO and native logins could lead to confusion and a less streamlined process.
Administrative Efficiency: SSO simplifies user management by delegating authentication to the IdP. Administrators don't need to manage separate user accounts and passwords within Saviynt.
Saviynt IGA Reference:
Saviynt Documentation: Saviynt's documentation on SSO configurations emphasizes that enabling SSO typically disables native authentication methods.
Saviynt Best Practices: Saviynt's best practices for SSO recommend enforcing SSO as the sole authentication method for improved security and user experience.
Saviynt Implementation Guides: Implementation guides for setting up SSO with various IdPs, including Azure AD, often highlight the exclusive nature of SSO authentication.
Anitha, a manager, has a large number of users reporting to her, with most of them working remotely.
Which of the following Campaign Types would you recommend for this scenario to reduce certification fatigue for Anitha?
Answer: C
To reduce certification fatigue for Anitha, a manager with a large number of remote users, the recommended approach is C. Launch a Self Certification Campaign and then User Manager Campaign on certified items. Here's the rationale:
Self Certification Campaign:
Purpose: Allows users to review and certify their own access.
Benefits for this scenario:
Reduces Manager Burden: Shifts the initial review responsibility from Anitha to the individual users, who are most familiar with their own access needs.
Scalability: Well-suited for large, distributed teams, as it doesn't rely solely on the manager's capacity.
Empowerment: Gives users more control over their access and promotes a culture of accountability.
User Manager Campaign on Certified Items:
Purpose: Allows managers to review and certify their subordinates' access.
Benefits when combined with Self Certification:
Focus on Exceptions: Anitha can focus her review on items that were not self-certified or that require further scrutiny after the initial self-certification.
Reduced Volume: The volume of items Anitha needs to review is significantly reduced, as users have already certified their own access.
Increased Efficiency: Streamlines the manager's review process, making it more manageable and less time-consuming.
Why Other Options Are Less Suitable:
A. Launch User Manager Campaign and then Self Certification Campaign on certified items: This sequence is less effective because it puts the burden on the manager first, potentially leading to fatigue.
B. Launch Application Owner Campaign and then Self Certification Campaign on certified items: Application Owner campaigns are not relevant to a manager's review of their subordinates' access.
D. Launch Service Account Campaign and then User Manager Campaign on certified items: Service Account campaigns are for reviewing service accounts, not user access.
The following USER_IMPORT_MAPPING attribute is set up in Workday RAAS connection:
USER_IMPORT_MAPPING
{
  "ImportType": "RAAS",
  "ResponsePath": "wd:Report_Data.wd:Report_Entry",
  "ImportMapping": {
    "USERNAME": "wd:User_Name~#~string",
    "SYSTEMUSERNAME": "wd:User_Name~#~string",
    "FIRSTNAME": "wd:First_Name~#~string",
    "CITY": "wd:Location.wd:Descriptor~#~string"
  }
}
As per the above mapping, USERNAME is the user attribute defined in Workday, and User_Name is the attribute defined in EIC.
Answer: B
The statement is False. In the provided USER_IMPORT_MAPPING, USERNAME is the user attribute defined in EIC (Enterprise Identity Cloud), and wd:User_Name is the attribute defined in Workday. Here's a breakdown:
Saviynt's USER_IMPORT_MAPPING: This configuration within a connection (in this case, Workday RAAS) defines how data from the connected system (Workday) should be mapped to attributes within Saviynt's EIC.
ImportMapping: This section specifies the mapping between source attributes (Workday) and target attributes (EIC).
USERNAME: In the provided mapping, USERNAME (without the wd: prefix) is the target attribute, meaning it's an attribute within Saviynt's EIC.
wd:User_Name: The wd: prefix typically indicates a Workday attribute. Therefore, wd:User_Name is the source attribute from Workday.
~#~string: This likely indicates the data type of the attribute (string in this case).
Correct Interpretation: The mapping is saying: 'Take the value of the wd:User_Name attribute from Workday and map it to the USERNAME attribute in EIC.'
In essence: The USER_IMPORT_MAPPING defines how data from Workday is translated into Saviynt's internal data model, and in this case, USERNAME belongs to Saviynt (EIC), while wd:User_Name belongs to Workday.
Which of the following Account statuses is not considered in a User Manager Campaign certification?
Answer: D
The Account status that is not typically considered in a User Manager Campaign certification in Saviynt is D. Manually Provisioned. Here's why:
Saviynt's User Manager Campaign Focus: User Manager Campaigns primarily focus on reviewing and certifying access that is actively managed and tracked within Saviynt.
Account Statuses and Their Relevance:
A. Manually Suspended: Indicates an account that has been intentionally disabled within Saviynt. These accounts are often included in reviews to ensure the suspension is still valid.
B. Inactive: Indicates an account that has not been used for a certain period. These accounts are often included in reviews to determine if they should be disabled or removed.
C. Suspended from Import Service: Indicates an account that has been suspended due to issues during an import process. These accounts are typically reviewed to resolve the import problem and determine the appropriate account status.
Manually Provisioned Accounts: These accounts are created directly in the target system, bypassing Saviynt's provisioning processes. As such, they might not be fully tracked or managed within Saviynt.
Out-of-Band Access: Manually provisioned accounts represent a form of out-of-band access, which is often excluded from standard User Manager Campaigns.
Separate Review Process: Organizations might have separate processes for reviewing manually provisioned accounts, such as using the RevokeOutOfBandAccessJob or a different type of campaign.
In conclusion: While other account statuses like Manually Suspended, Inactive, and Suspended from Import Service are relevant to access management within Saviynt and are often included in User Manager Campaigns, Manually Provisioned accounts might be excluded because they represent access granted outside of Saviynt's control and might require a different review process.