Saviynt Certified IGA Professional Exam (L100) SAVIGA-C01 Exam Practice Test

Answer : C

In Saviynt's SAML 2.0 based Single Sign-On (SSO) configuration, the 'SP Entity ID' uniquely identifies Saviynt as the Service Provider (SP) to the Identity Provider (IdP). The correct SSO URL structure incorporates this 'SP Entity ID' within a specific path.

Saviynt's URL Structure: Saviynt's SSO URLs follow a pattern to ensure proper routing and authentication. The /ECM/saml/SSO/alias/ portion is crucial for directing SAML-based login attempts.

Why the other options are incorrect:

A . https://myorg.saviyntcloud.com/ECM/saml/SSO/SaviyntSP: This URL is missing the crucial 'alias' segment in the path, making it invalid for SAML SSO.

B . https://myorg.saviyntcloud.com/SaviyntSP: This URL doesn't include the necessary components for SAML-based authentication within Saviynt.

Saviynt IGA Reference:

Saviynt Documentation: Saviynt's official documentation on configuring SAML SSO provides details on the correct URL structure and the significance of the 'SP Entity ID.'

Saviynt Support: Saviynt's support resources and knowledge base articles often address issues related to SSO configuration, reinforcing the correct URL format

Answer : B

When access privileges for a specific Analytical Control are assigned using SAV Roles in Saviynt, users belonging to that role can, by default, perform the following tasks: B. View Control, Run Control, and View Analytic History of the Control. Here's a breakdown:

Saviynt's Role-Based Access Control (RBAC): Saviynt uses RBAC to manage access to various features and functionalities, including Analytical Controls.

Analytical Controls: These are pre-defined or custom-built analytics reports or dashboards.

Default Permissions: When a user is granted access to an Analytical Control via an SAV Role, they typically receive a set of default permissions:

View Control: Allows the user to view the configuration and definition of the Analytical Control (e.g., the query, parameters, visualization).

Run Control: Allows the user to execute the Analytical Control and generate results.

View Analytic History: Allows the user to see the history of previous executions of the Analytical Control, including the results and timestamps.

Why These Permissions Are Important:

Transparency: Users can understand how the analytics are defined and generated.

Usability: Users can run the analytics and obtain insights.

Auditing: Users can review past results for trend analysis or investigation.

Other Options:

A . Only view the configurations of the Control: This is too restrictive; users need to be able to run the control to get value from it.

C . Only view the Analytic History of the Control: This is also too limited; users should be able to run the control and view its configuration as well.

D . View Control and Run Control: While closer, it's missing the 'View Analytic History' permission, which is important for auditing and analysis.

MISCELLANEOUS

Answer : D

The Account status that is not typically considered in a User Manager Campaign certification in Saviynt is D. Manually Provisioned. Here's why:

Saviynt's User Manager Campaign Focus: User Manager Campaigns primarily focus on reviewing and certifying access that is actively managed and tracked within Saviynt.

Account Statuses and Their Relevance:

A . Manually Suspended: Indicates an account that has been intentionally disabled within Saviynt. These accounts are often included in reviews to ensure the suspension is still valid.

B . Inactive: Indicates an account that has not been used for a certain period. These accounts are often included in reviews to determine if they should be disabled or removed.

C . Suspended from Import Service: Indicates an account that has been suspended due to issues during an import process. These accounts are typically reviewed to resolve the import problem and determine the appropriate account status.

Manually Provisioned Accounts: These accounts are created directly in the target system, bypassing Saviynt's provisioning processes. As such, they might not be fully tracked or managed within Saviynt.

Out-of-Band Access: Manually provisioned accounts represent a form of out-of-band access, which is often excluded from standard User Manager Campaigns.

Separate Review Process: Organizations might have separate processes for reviewing manually provisioned accounts, such as using the RevokeOutOfBandAccessJob or a different type of campaign.

In conclusion: While other account statuses like Manually Suspended, Inactive, and Suspended from Import Service are relevant to access management within Saviynt and are often included in User Manager Campaigns, Manually Provisioned accounts might be excluded because they represent access granted outside of Saviynt's control and might require a different review process.

Answer : A

To set up an Entitlement Owner Campaign for Entitlements belonging to an Oracle ERP Endpoint that launches at the beginning of every month, and includes only Accounts and Entitlements that meet the prerequisites, the 2-key configurations you should recommend are A . Use Campaign Template and the Schedule Later option. Here's a breakdown:

Campaign Template:

Purpose: Templates allow you to save a set of campaign configurations as a reusable template. This is ideal for recurring campaigns with consistent settings.

Benefits: Using a template saves time and ensures consistency across multiple campaign instances. You can define the scope (Oracle ERP Endpoint), Certifier type (Entitlement Owners), and other settings within the template.

Prerequisites: You can include logic within the template to filter for Accounts and Entitlements that meet the defined prerequisites.

Schedule Later option:

Purpose: This option allows you to schedule the campaign to launch at a specific date and time in the future.

Recurring Scheduling: You can configure the campaign to run on a recurring schedule, such as the beginning of every month.

Automation: This automates the campaign launch process, eliminating the need for manual intervention each month.

Why Other Options Are Less Suitable:

B . Use Advanced Configurations and Preview mode and create the Campaign at the beginning of each month: This approach is manual and prone to errors. It doesn't leverage the automation benefits of templates and scheduling.

C . Use Advanced Configurations and set the Campaign expiry to 31 days: While setting an expiry is important, it doesn't address the need for recurring monthly launches or using a template for consistent configuration.

D . Cannot be achieved: This is incorrect; the scenario can be easily achieved using Campaign Templates and the Schedule Later option.

Answer : C

To reduce certification fatigue for Anitha, a manager with a large number of remote users, the recommended approach is C. Launch a Self Certification Campaign and then User Manager Campaign on certified items. Here's the rationale:

Self Certification Campaign:

Purpose: Allows users to review and certify their own access.

Benefits for this scenario:

Reduces Manager Burden: Shifts the initial review responsibility from Anitha to the individual users, who are most familiar with their own access needs.

Scalability: Well-suited for large, distributed teams, as it doesn't rely solely on the manager's capacity.

Empowerment: Gives users more control over their access and promotes a culture of accountability.

User Manager Campaign on Certified Items:

Purpose: Allows managers to review and certify their subordinates' access.

Benefits when combined with Self Certification:

Focus on Exceptions: Anitha can focus her review on items that were not self-certified or that require further scrutiny after the initial self-certification.

Reduced Volume: The volume of items Anitha needs to review is significantly reduced, as users have already certified their own access.

Increased Efficiency: Streamlines the manager's review process, making it more manageable and less time-consuming.

Why Other Options Are Less Suitable:

A . Launch User Manager Campaign and then Self Certification Campaign on certified items: This sequence is less effective because it puts the burden on the manager first, potentially leading to fatigue.

B . Launch Application Owner Campaign and then Self Certification Campaign on certified items: Application Owner campaigns are not relevant to a manager's review of their subordinates' access.

D . Launch Service Account Campaign and then User Manager Campaign on certified items: Service Account campaigns are for reviewing service accounts, not user access.

Answer : A

The connection type best suited to expose Workday reports as a data service in Saviynt is A. Workday-RAAS (Report as a Service). Here's why:

Workday-RAAS: This connection type is specifically designed to integrate with Workday's RaaS functionality. Workday RaaS allows you to expose custom reports created within Workday as web services that can be consumed by external applications like Saviynt.

Data Service for Reports: RaaS essentially turns a Workday report into a data service, making it easy to retrieve the report's data in a structured format (typically XML or JSON).

Saviynt's Integration: Saviynt's Workday-RAAS connection type is built to leverage this capability, allowing you to:

Select Workday Reports: Choose the specific Workday reports you want to integrate with.

Import Data: Import the data from those reports into Saviynt for various purposes (e.g., identity governance, access certification, analytics).

Schedule Imports: Schedule regular data imports to keep Saviynt's data synchronized with Workday.

Why Other Options Are Less Suitable:

B . Workday-REST: While Workday has a REST API, it's more general-purpose and not specifically tailored for exposing reports as data services in the same way as RaaS.

C . Workday-OAuth: OAuth is an authorization protocol, not a connection type for retrieving report data.

D . Workday-SOAP: Workday's SOAP API is being gradually replaced by the REST API and is less focused on report data retrieval than RaaS.

Answer : D

To decommission an AD Group and revoke access for all users, Jane should use D. Entitlement Owner Certification. Here is why:

AD Group as an Entitlement: In Saviynt, an AD Group is typically represented as an Entitlement.

Entitlement Owner Certification: This type of campaign allows the designated owner of an entitlement (in this case, Jane, as the manager of the AD Group) to review and certify who should have access to that entitlement.

Revoking Access: As the Entitlement Owner, Jane can use the certification campaign to:

Review the list of users: See all users who are currently members of the AD Group.

Revoke access for all users: Mark all users for removal from the group.

Decommissioning the Group: After revoking access for all users through the certification, Jane can then proceed with decommissioning the AD Group itself (either through Saviynt if it manages AD group lifecycle or directly in Active Directory).

Why Other Options Are Less Suitable:

A . Segregation of Duties: SoD is a principle, not a specific action for revoking access.

B . Entitlement Update Rule: While rules can automate some actions, a certification campaign provides a more controlled and auditable way to review and revoke access, especially for a sensitive action like decommissioning a group.

C . Mitigation Control: Mitigation controls are used to manage SoD conflicts, not for revoking access to entitlements.

In conclusion: An Entitlement Owner Certification campaign provides a structured and auditable way for Jane to review the membership of the AD Group, revoke access for all users, and prepare for the group's decommissioning, aligning with best practices for access management.