IDN_4_Features
Title of test: IDN_4_Features. Description: IDN_4_Features




1 - Trigger provisioning – Event actioned by user or automated event. Trigger provisioning – Event actioned by user or automated event. Package the plan – IDN packages request in a plan with data + operations. Manage fulfillment – IDN sends request to connected systems for execution, notification to ticketing system or manual. Verify the change – aggregation and confirmation of effected changes. Which of these certification reports only appears after the campaign is completed?. Campaign Composition Report. Campaign Status Report. Certification Sign-off Report. Campaign Remediation Status Report. What actions can a certifier take on the line items they are reviewing?. Revoke. Approve. Acknowledge access items. Reassign identities. Leave comments. Certification Process. Define parameter & initiate campaign generation. IDN in background for (1) generation campaign (on demand / schedule). Preview allows admin to look at list of reviews and pending reviews, can be cancelled, started and admin reassignments. Active campaigns - reviewers notified via email, can view on My Certifications page. Can reassign to associate, must signoff to complete certification. End when certification reached due date or admin ends certification, IDN performs access revocation. Certification appears in completed page for reviewers. Who can create certification campaign. Org Admin. Cert Admins. Helpdesk. Source Admin. Name 2 types of certifications. Identity certification. Access Item certification. Source certification. Role certification. Certification reassignment can be done in preview stage and the active phase. TRUE. FALSE. Certifications are designed to keep your organization secure and successful by... Reducing the risk of inappropriate access. Accounting for errors in user data. Helping your company satisfy audit requirements. Once the due date arrives, the campaign auto closes and auto-approves outstanding items. TRUE. FALSE. 
Identify the various approver options that can be selected for access request. Manager. Application Owner. Source Owner. Access Profile Owner. Governance Groups. System owner. What if the requester of the app is also listed as a reviewer?. The request is delegated to the requester's manager. If the requester is part of a governance group that's listed as a reviewer for the request, they aren't included in the review. If they're the only member of that governance group, the request is delegated to their manager. If the requester doesn't have a manager, the request is delegated to an IdentityNow administrator. Request is auto approved. IDN never sends passwords out in email. There are three IdentityNow options for handling provisioning of passwords for new source accounts. Static – Set password in account profile for a source for all new users. Dynamic – User identity attribute value. Dynamic Unknown – Random password generation. Strong authentication. Which of the following is not an option for handling the provisioning of passwords for new accounts?. Using a static password for everyone. Emailing a generated password to the user. Setting an initial password based on identity data the user will know. Setting a random password and having the user reset it before logging in. Identities move to a lifecycle state in 2 modes. Automatic – Authoritative source aggregation and moved to a state by updating the lifecycle state identity attribute. Manual – Set by the admin by selection. If source value changes, lifecycle state field is reset to automatic value. Roles can be auto assigned through logic in their Membership definition, Membership settings. Entitlement matching. Attribute matching. Identity List. Lifecycle state. Role assigned based on membership criteria automatically when: Aggregation / identity refresh – Source aggregation evaluated with active roles for auto-assignment. 
Daily refresh job – IDN runs role and assignment evaluation at 1am UTC via automated system process scheduler. Manual update – Force update via role configuration page. On demand - when attribute changes the roles are automatically calculated. To enforce access removal on role change, you can follow the steps outlined below. Delete the old role that is no longer needed. Define a new role with all of the same access with the exception of that which you want removed from the original role. Change the membership requirement for the old role so that users no longer meet the requirements. The new role will be assigned and the old one revoked. The users will retain the overlapping access. Roles can be auto assigned through membership logic definitions. True. FALSE. What happens when a user gets a role in which they already have a subset of the profiles / entitlements. The access they don’t have gets assigned to them and the access they have gets rolled up into the role. No change, the user already has the entitlements and profiles. What is the difference between a role and a lifecycle state?. Role is used to model automated and on demand functional access and lifecycle is used to model birthright access. Lifecycle state is linked to roles and assigned on user state change. If a user is granted access by a role and they no longer meet the membership requirements, what happens?. Associated access to the role is removed from the user. Nothing changes, users need to have the role removed and associated access profiles removed. Access profiles remain assigned to the identity. What is the purpose of attribute synchronization?. Push changes to identity attributes out to source attributes that need to share the same data. Import source changes to the identity. Synchronize. Can any attribute from a source create profile be used for attribute synch?. No, only attributes mapped from identity attributes will be synched. Yes. 
Any attribute from a source create profile can be used for attribute sync. TRUE. FALSE. During attribute sync, a new value from the account is populated into the identity attribute. TRUE. FALSE. Access will be removed from an identity if the access was previously granted by a role and the identity no longer meets the role membership criteria. TRUE. FALSE. Which of the following actions will result in a provisioning plan to remove entitlement A from a user's account?. During a certification review, the reviewer revokes Entitlement A. The user already has entitlement A from an access profile assignment with the "active" lifecycle state. The user's lifecycle changes to "inactive" which is configured to remove all access and disable all accounts. The user has Entitlement A because it was a part of Role B. Role B applies only to identities in the Service department. The user recently transferred to the Engineering department. All of the above. Each source that supports password changes needs to be associated with a password policy. TRUE. FALSE. In sync groups, each source must share the same password policy. TRUE. FALSE. Password changes made within IDN are always evaluated upstream by IDN first then downstream system. TRUE. FALSE. Can each source have its own unique password policy. Yes, if custom password policy is created. No, password policies are assigned on password synch group and shared to all sources. Are password policies configurable. Yes. No. What does the IDN synch groups functionality allow?. Password to be same across multiple direct connect sources, can synchronise by combining sources into password synch groups. Attributes are synched to sources in the synch groups. Which of the following should be completed first when establishing Password Management?. Configure sources for password management. Define password sync groups. Define password policies. PASSWORD POLICY ENFORCEMENT - Upstream. Enforcement of password policy in IDN. 
Source Password Policy i.e. Password policy on native source system. PASSWORD POLICY ENFORCEMENT - Downstream. What can be enforced in Downstream source systems not in IDN. Enforcement of password policy in IDN. Password History. More Complexity. Password length. Password special characters. Source Password Policy. Certification campaign types. Manager Certification Campaign. Source Owner Certification Campaign. Search Initiated Campaign. Access profile entitlement campaign. Campaign filters can be created on any of the following. Access Profile. Account Attribute. Identity Attribute. Certification Lifecycle Phases. Generation. Preview. Active. End. Review. Post Review. Which policy type would you choose in the following scenario? User must not be allowed to submit salary changes or bonus awards and approve payment processing. SOD policy. General policy. Which policy type would you choose in the following scenario? All identities must have managers in HR. General policy. SOD policy. Which policy type would you choose in the following scenario? No one in Engineering should have entitlements on Accounting System. SOD policy. General policy. Which of the following describe Separation of Duties?. Limits a user's involvement in important processes. Used in conjunction with internal security processes. Identity search-based policy. Which policy compares two lists of access data?. General Policy. Separation of Duties Policy. Subscriptions are scheduled notifications of policy violations. TRUE. FALSE. What are the benefits of Policies?. Uncover problematic identity and access conditions. Ensure compliance with laws. Ensure compliance with auditing guidelines. Ensure control and validation of data. Policy violation reports can be executed and sent to all stakeholders on a scheduled basis. TRUE. FALSE. 4 email templates for certification campaigns. Campaign Pre-generation Notification. Certification Email. Certification Due. Certification Reassignment. 
Certification complete. Certification Sign-off Report. 3 methods to provision passwords to users. Static. Dynamic. Dynamic unknown. List generated. Generate password. Which of the following can be configured to approve access requests?. Governance Group. Manager. Role Owner. Helpdesk User. What options do reviewers have when assigned to review an access request?. Skip. Approve. Reassign. Deny. Send back to requester. Identity configuration needs 2 things. source config. identity profile. authoritative source. entitlements. Which of the following access request components can a user request?. Access Profile. Source. Approval Process. Which of the following object models groups together one or more access points from a single source?. Lifecycle State. Access Profile. Role. Entitlement. An account that cannot be matched to an authoritative identity is referred to as a(n) _____________ account. Correlated. Uncorrelated. Source. Correlation behavior must be defined for each source. TRUE. False (This is false. You only need to specify correlation logic for non-authoritative sources.). Which of the following statements best describes the correlation process?. The process of reading non-authoritative source data into IdentityNow. The process of promoting account attribute values to identity attributes. The process of matching accounts to the appropriate identity. Non-authoritative sources include entitlement data that can be governed and managed in IdentityNow. TRUE. FALSE. What does an account create profile specify. Account create profile specifies what attributes and values to use to create an account. Correlation logic for non-authoritative sources. When is a create profile applied. On user account creation on a source. On identity profile creation. What are the 2 categories of actions which trigger provisioning. Data-driven/Automated. Request-driven/User-initiated. 
Users can be assigned to more than one role or lifecycle state at the same time to drive the correct access provisioning. FALSE, user can only have 1 lifecycle state. TRUE. Which of the following object models defines birthright access for users within each identity profile?. Lifecycle State. Role. Which of the following object models groups access by job role or business function, possibly across sources?. Lifecycle State. Roles. Access profiles. Entitlement. It is considered a best practice to enforce "least privilege" when building your access model. TRUE. FALSE. Which 2 things are checked when the password changes. Password Policy Enforcement. Password Synchronization Groupings. Source Password Policy. Password Downward Enforcements. Account Policy. Password change communication when the changes are completed. All successes and errors will be communicated in the user interface. A password change email notification will also accompany the change. Notifications do not include the new password value. Email sent to the user with the new password. Implementation steps for password policy. Define Password Policies. Configure Source(s) for Password Management. Define Password Sync Groups (if applicable). Configure Email Templates. Password policies define three things. Password Requirements (length, complexity). Password Expiration Notification. Strong Authentication Options. Password source. Password Synchronization Groups. All sources in the group will be changed. All sources in the group will share a password policy. Each source has to be linked to a password policy. Each source has a unique password policy linked. Reminders - There are default reminders built into the active phase. Reminders start 7 days after the certification campaign begins. Reminders are sent every 7 days until reviewer signs off or the certification expires. Reminders are not sent for campaigns that are shorter than 7 days. Reminder email notifications can be configured in the email templates. 
Reminders can be defined to any amount of days. Reminders can be sent for campaigns shorter than 7 days. Upon Sign-Off, remediation messages will be sent out. Automatic - For sources with provisioning enabled, these will be automatically removed on the target source(s). Manual - Emails will be generated with a Task for source owners to complete. No action - No changes are performed to revoke access from users. Defined actions on past-due certification campaigns with unanswered items. Allow unanswered items to assume auto-approve response. Admin chooses to approve or revoke all unanswered items. Wait for certifier to answer. Options only available in campaign after due date. Available for Manager and Source Owner campaign types. Unanswered items have an auto-remove response. Available for all campaign types. Manager certification campaign troubleshooting. Uncorrelated accounts and identity exceptions are not included in any certification campaigns. If an identity doesn't have a manager relationship defined in IDN, the identity will not be part of the manager certification campaign. If a reviewer's identity no longer exists in IdentityNow, you'll see an error next to their certification. Please reassign that certification to an existing identity. Access profiles that were granted to users through a role are included in manager certification campaigns for review only, because roles and their contents can only be acknowledged. Access profiles that were granted to users through a lifecycle state are not included in manager certification campaigns. If an identity has a set of entitlements that exactly match an access profile, IdentityNow automatically grants them that access profile. As a result, these entitlements are no longer considered individual units and must be certified only as an access profile. Only roles are reviewed in the manager certification campaigns. 
If a reviewer's identity no longer exists in IdentityNow, the certification will be reassigned to the one up line manager. Source Owner certification campaign troubleshooting. By default, uncorrelated accounts and identity exceptions are not included in the campaign. If a reviewer's identity no longer exists in IdentityNow, you'll see an error next to their certification. Please reassign that certification to an existing identity. Access profiles that were granted to users through a role or lifecycle state are not included in Source Owner certification campaigns. If an identity has a set of entitlements that exactly match an access profile, IdentityNow automatically grants them that access profile. As a result, these entitlements are no longer considered individual units and must be certified only as an access profile. If an identity doesn't have a manager relationship defined in IDN, the identity will not be part of the manager certification campaign. Access profiles that were granted to users through a role are included. Search initiated certification campaign troubleshooting. It is possible to generate a campaign preview that has no content. For example, a campaign filter might inadvertently filter out all entitlements. If your campaign has no content, the preview will appear to be generating but when it finishes, the campaign is automatically removed from the list and appears in the Completed tab. In addition, the completed campaign is empty. When you click the campaign, you might see an error message indicating that the campaign could not be generated. You'll need to delete the campaign and start again. This is an infrequent error caused by a background task in IdentityNow that might take 30 minutes to 2 hours to process. By default, uncorrelated accounts and identity exceptions are not included in the campaign. If a reviewer's identity no longer exists in IdentityNow, you'll see an error next to their certification. 
Please reassign that certification to an existing identity. Access profiles that were granted to users through a role or lifecycle state are not included in Source Owner certification campaigns. If an identity has a set of entitlements that exactly match an access profile, IdentityNow automatically grants them that access profile. As a result, these entitlements are no longer considered individual units and must be certified only as an access profile. Campaign filters can be created on any of the following. Access Profile. Account Attribute. Entitlement. Identity. Identity Attribute. Role. Source. Virtual Appliance. Accounts. Best practices in order to prepare for certifications. No managers - no manager certifications. Account correlation before generating certifications. Entitlement descriptions. ’Privileged’ access on entitlements. Configure email templates to make the most sense to your business. Layer certification processes to achieve the best overall processes. Certification Campaign Reports. Campaign Remediation Status Report. Certification Signoff Report. Campaign Status Report. Campaign Composition Report. Campaign Results Report. Campaign Completion Report. Actions which generate Provisioning. Password Management (Password Changes). Certifications (Revocations of Certification Items). Access Request (Provisioning of Requested Access). Provisioning (Lifecycle State Changes, Roles/Access Profile Assignments, Account Attribute Synchronization Updates). Source change. Provisioning plan includes: Account Operation (CRUD). Source (System/Application). Attributes. Campaign status. Virtual Appliance. No deprovisioning is triggered when. Role access list is modified - Previously granted access profiles remain intact for the user. Access profile is deleted - Entitlements associated with the access profile remain intact for the user. Role is deleted - Access profiles associated with the role remain intact for the user. Roles removed from identity. 
Provisioning Triggers. Lifecycle State. Roles and access profiles. Account attribute synchronisation. Source (System/Application). Access Profile. An access profile is a group of one or more entitlements that grants a specific set of access rights associated with a single source. Access profiles assigned via roles are not included in the certifications. Model based assignment – identity lifecycle. Detected through entitlement equivalency. Provided as choices in access request catalog. An access profile is a group of one or more entitlements that grants a specific set of access rights associated to multiple sources. Model based assignment – assignment criteria. Roles. An access profile is a group of one or more entitlements that grants a specific set of access rights associated with a single source. Access profiles assigned via roles are not included in the certifications. Model based assignment – identity lifecycle. Detected through entitlement equivalency. Provided as choices in access request catalog. A role is a group of one or more access profiles from same or different sources bundled together for granting specific access to the user. Model based assignment – assignment criteria. DEPROVISIONING THROUGH ROLES, what is true?. Removing access from a user does not remove any source accounts that were created because of provisioning through the role. Role-based deprovisioning only removes entitlements from a user and removes related apps from their Launchpads. When an administrator removes access profiles from the list of access granted by the role, those access profiles are not deprovisioned from identities in the role. When an administrator deletes an access profile, identities who got that access profile do not lose the related entitlements. When an administrator deletes a role, identities who had that role do not lose the related access profiles. Removing an access profile from a role does not take the access away from the identities associated with it. 
To work around this problem, you can create a new role with the appropriate access. When you remove users from the previous role, their access will be deprovisioned. You can then add them to the new role. When an administrator removes access profiles from the list of access granted by the role, those access profiles are deprovisioned from the identities. When an administrator deletes an access profile, identities who got that access profile lose the related entitlements. When an administrator deletes a role, identities who had that role lose the related access profiles. Password changes made within IdentityNow are always evaluated by SailPoint first. If the password meets the requirements of the IdentityNow password policy, the changed password is then sent to and processed by the source system, which might have its own set of policy requirements. True. FALSE. Upstream Enforcement password policy. Enforcement of password policy in IdentityNow. Friendly messages showing end users what to change. via IdentityNow Password Policy i.e Password policy on IdentityNow. via Source Password Policy i.e Password policy on native source system. Enforcement of password policy in native systems. Unadulterated messages communicated back to end users. Can enforce things that IdentityNow doesn’t know about. Downstream Enforcement password policy. Enforcement of password policy in IdentityNow. Friendly messages showing end users what to change. via IdentityNow Password Policy i.e Password policy on IdentityNow. via Source Password Policy i.e Password policy on native source system. Enforcement of password policy in native systems. Unadulterated messages communicated back to end users. Can enforce things that IdentityNow doesn’t know about. What can downstream enforcement do that IDN cannot. Password History. More Complexity. 
Error messages returned from the downstream check are passed through to the user which sometimes means they are less user-friendly and more challenging for the user to interpret. Friendly messages showing end users what to change. If the review process requires manager approval and the access recipient doesn't have one listed. If the requested item is an access profile, the review is reassigned to both the app owner and the source owner. If the source or app owner isn't found, the review responsibility is reassigned to an IdentityNow administrator. If the requested item is a role, the review is reassigned to the role owner. If it's an entitlement, the review is reassigned to the source owner. If the requested item is a role, the review is reassigned to administrator. If it's an entitlement, the review is reassigned to the application owner. To create an SoD policy, you'll use a general policy. True. FALSE. To create an SoD policy, you'll create two lists of access. A violation will be triggered if an identity has access found in both lists. True. FALSE. General policies. General policies are intended to keep your identity data organized. Use a search query to build a general policy that can uncover data problems so you can correct them. Use a SOD policy to complement the general policy.