SAVIGA-C01 Saviynt IGA Certified Professional Exam (L100) Questions and Answers

A Request Rule in Saviynt is triggered B. When an Access Request is created and matches the conditions. Here's a detailed explanation:

Saviynt's Request Rules: Request Rules are a type of rule specifically designed to govern the access request process.

Triggering Event: The primary trigger for a Request Rule is the creation of a new access request within Saviynt's Access Request System (ARS).

Condition Evaluation: When a new request is submitted, Saviynt evaluates the conditions defined in any applicable Request Rules. These conditions can be based on:

Requester Attributes: (e.g., department, location, job title)

Beneficiary Attributes: (if the request is for another user)

Requested Resource: (e.g., application, role, entitlement)

Request Details: (e.g., requested start/end dates)

Rule Actions: If the conditions of a Request Rule are met, the rule's defined actions are executed. These actions can include:

Modifying the request: (e.g., adding approvers, changing the approval workflow)

Auto-approving or auto-rejecting the request:

Generating notifications:

Triggering other workflows:

Other Options:

A. When a user is imported: This might trigger User Update Rules or birthright rules, but not Request Rules.

C. When the Run Detective Rule job is run: This job evaluates detective rules, not Request Rules.

D. When changes are detected in the import: This could trigger various rules, but not specifically Request Rules.

The Saviynt feature that allows detection of access rights granted outside the Saviynt platform is the B. RevokeOutOfBandAccessJob. Here's a detailed explanation:

Out-of-Band Access: This refers to access that is provisioned directly in the target system, bypassing the normal access request and approval processes within Saviynt. This can create security risks and compliance issues.

Saviynt's Reconciliation Process: Saviynt uses a reconciliation process to compare the access rights defined within its system with the actual access rights present in connected applications.

RevokeOutOfBandAccessJob: This specific job is designed to identify and flag out-of-band access. It works by:

Importing Account and Entitlement Data: The job imports data from the target system, capturing the current state of user access.

Comparing with Saviynt Data: It compares this imported data with the access rights managed within Saviynt.

Identifying Discrepancies: Any discrepancies, where a user has access in the target system that wasn't granted through Saviynt, are identified as out-of-band access.

Taking Action (Optional): The job can be configured to automatically revoke this out-of-band access or to simply generate a report for review and manual remediation. Or it can be configured to create a task for an administrator to review.

Saviynt's Access Governance: This feature is a crucial part of Saviynt's overall access governance capabilities, helping organizations maintain control over user access and enforce the principle of least privilege.

Other Options:

A. REST API: While Saviynt's REST API can be used to interact with the system and potentially retrieve access data, it's not the specific feature designed for out-of-band access detection.

C. Bulk Upload: This is a method for importing data into Saviynt, but it doesn't inherently detect out-of-band access.

D. ARS > Request Access for Others: This is part of the access request process, not related to detecting access granted outside of Saviynt.

In conclusion: The RevokeOutOfBandAccessJob in Saviynt plays a vital role in identifying and remediating out-of-band access, ensuring that access rights are managed centrally and consistently through the Saviynt platform.

In the given scenario, where ABC Company has a one-level workflow with the manager as the sole approver, and Margaret (Edward's manager) raises a request on behalf of Edward, the statement that would be true/applicable is A. Manager's approval is auto-approved. Here's why:

Saviynt's Workflow Configuration: Saviynt allows for the configuration of various workflow scenarios, including auto-approval based on certain conditions.

Self-Approval Prevention/Auto-Approval: A common security best practice is to prevent users from approving their own access requests. However, when a manager requests on behalf of a subordinate, this is considered a delegated request and many organizations find it acceptable to auto-approve since the approval should be implicit in the act of requesting.

Manager Requesting on Behalf: When a manager initiates a request for a subordinate, it's often considered an implicit approval. The manager is essentially saying, "I approve this access for my team member."

Saviynt's Default Behavior (Typically): By default, or through common configuration practices, Saviynt is often set up to recognize this scenario and auto-approve the manager's approval step in the workflow. This streamlines the process and avoids unnecessary delays.

Configuration Options: While auto-approval is common, Saviynt's workflow engine is flexible. It's possible to configure it differently, for instance, to still require explicit manager approval even in this scenario. However, this is less typical.

Other Options:

B. Manager's approval is auto-rejected: This is highly unlikely and would defeat the purpose of having a manager initiate the request.

C. Manager must manually approve/reject the request: While possible through configuration, it's not the typical or default behavior in this scenario.

D. None of the above: Option A is the most likely and common outcome.

In summary: In a one-level workflow where the manager is the approver, and the manager requests access on behalf of a subordinate, Saviynt is typically configured to auto-approve the manager's approval step, streamlining the process and reflecting the implicit approval inherent in the manager's action.

=================

The component that filters the requestable applications under "Request New Access" in Saviynt is the Access Query. Here's a detailed explanation:

Saviynt's Access Request System (ARS): As the front end for requesting access, the ARS needs a mechanism to determine which applications (and entitlements) should be displayed to a user as requestable.

Access Query: This is a powerful feature within Saviynt that allows administrators to define specific criteria to control the visibility of applications and entitlements in the ARS. Think of it as a filter that determines what a user can see and request.

How Access Queries Work:

Defined on Applications/Entitlements: Access Queries are configured on individual applications or entitlements within Saviynt.

Based on User Attributes: They use user attributes (e.g., department, location, job title, group memberships) and other criteria (e.g., risk level) to determine if a user should see a particular application or entitlement.

Dynamic Filtering: When a user accesses the "Request New Access" section, Saviynt evaluates the Access Queries associated with each application and entitlement in real-time. Based on the user's attributes, the system dynamically filters the list, showing only the applications and entitlements that match the query conditions.

Saviynt's Security Model: Access Queries are a fundamental part of Saviynt's security model. They ensure that users are only presented with access options that are relevant and appropriate for their role and context, preventing accidental over-provisioning and reducing the attack surface.

Other Options:

Access Add Workflow: While essential for processing access requests, the workflow itself doesn't filter which applications are initially displayed.

Provisioning Connection: This relates to how Saviynt connects to target systems for automated provisioning. It doesn't control the initial visibility of applications in the ARS.

Whom to Request: This setting might determine the available approvers, but it doesn't filter the list of requestable applications.

In essence: Access Queries act as a dynamic filter, leveraging user attributes and defined criteria to determine which applications and entitlements are presented to a user within Saviynt's "Request New Access" interface, ensuring a personalized and secure access request experience.

=================

To certify all existing entitlements of John by relevant stakeholders after he moves from Department A to B, and you have a User Update Rule to trigger a certification, the action you should configure is C. Launch Entitlement Owner Campaign. Here's why:

Saviynt's Certification Campaigns: Saviynt supports various types of certification campaigns to review and validate user access.

Entitlement Owner Campaign: This specific campaign type is designed to have the owners of entitlements (typically application or business owners) review and certify the users who have access to those entitlements.

User Update Rule Trigger: The User Update Rule, triggered by the department change, can initiate the certification process.

Least Privilege Principle: This approach aligns with the principle of least privilege by ensuring that access is regularly reviewed and validated, especially after significant changes like a department transfer.

Why Other Options Are Less Suitable:

A. Launch Manager Campaign: While manager campaigns are useful, they might not be the most appropriate in this case. Entitlement owners are generally more knowledgeable about who should have access to specific entitlements.

B. Launch Service Account Campaign: This is for certifying service accounts, not user entitlements.

D. Launch Organization Owner Campaign: This is not a standard campaign type in Saviynt and might not be relevant to certifying user entitlements.

In conclusion: Launching an Entitlement Owner Campaign from a User Update Rule triggered by a department change is the most effective way to ensure that John's existing entitlements are reviewed and certified by the appropriate stakeholders, adhering to the principle of least privilege.

In Saviynt, a User represents the unique identity of a person. It's the central object that ties together all the information about an individual, including their accounts, entitlements, roles, and attributes.

Why other options are incorrect:

Endpoint: Represents a system or application, not a person.

Employee: While many users might be employees, the term "user" is more general and can include contractors, partners, etc.

Account: Represents a user's access to a specific system, not their overall identity.

Saviynt IGA References:

Saviynt Documentation: Throughout the documentation, "User" consistently refers to the individual's identity within the system.

Saviynt User Interface: The User Management section in Saviynt focuses on managing the lifecycle and access of individual users.

It is True that multiple indices can be selected while creating Analytics using the Elasticsearch Query in Saviynt. Here's why:

Saviynt's Analytics and Elasticsearch: Saviynt's analytics capabilities are often built on top of Elasticsearch, a powerful search and analytics engine.

Indices in Elasticsearch: In Elasticsearch, an index is like a database table. It's a collection of documents with similar characteristics. Saviynt uses indices to store various types of data, such as user data, account data, entitlement data, and event logs.

Multi-Index Queries: Elasticsearch allows you to query across multiple indices simultaneously. This is a fundamental feature of the search engine.

Saviynt's Interface: When creating analytics in Saviynt using Elasticsearch queries, the interface typically allows you to select multiple indices as the data source for your analysis.

Use Cases: This capability is essential for creating comprehensive analytics that span different data domains. For example, you might want to analyze user access patterns (from one index) in conjunction with application usage data (from another index).

In conclusion: The ability to select multiple indices is a core feature of Elasticsearch and is supported within Saviynt's analytics interface,

=================

Closed: SoD Violations which are closed with or without remediation

Open: SoD Violations which require immediate attention

Risk Accepted: SoD Violations which have Mitigation Controls applied

In Process: SoD Violations which are assigned

Closed: This status implies that the SoD violation has been addressed. It could have been resolved through remediation (e.g., removing conflicting access) or through acceptance after a review process (without direct remediation, perhaps mitigated in another way).

Open: This status indicates that the SoD violation is active and needs immediate attention to mitigate the associated risk.

Risk Accepted: This status suggests that the SoD violation has been acknowledged, but instead of being fully remediated, mitigation controls have been put in place to reduce the risk to an acceptable level. This usually follows a formal risk acceptance process.

In Process: This status means that the SoD violation is currently being worked on. It has likely been assigned to someone for investigation, remediation, or further action.

Therefore, the matches you've made in the image are accurate and reflect standard SoD management practices.

To save different settings for various categories of Manager Access Reviews within User Manager Campaigns, a Campaign Owner can create C. Campaign Templates. Here's why:

Saviynt's Campaign Templates: Templates allow you to pre-configure various settings for a campaign and save them as a reusable template. This includes settings related to:

Campaign Scope: Defining which users, applications, or entitlements are included.

Certifier Selection: Specifying the type of certifiers (e.g., Managers, Application Owners).

Scheduling and Notifications: Setting up the campaign schedule and email notifications.

Advanced Configurations: Including filters, risk scores, and other advanced settings.

Multiple Templates for Different Categories: A Campaign Owner can create multiple templates, each tailored to a specific category of Manager Access Review. For example:

Template 1: For high-risk applications, with stricter filters and more frequent reviews.

Template 2: For low-risk applications, with broader scope and less frequent reviews.

Template 3: For specific departments or business units, with customized certifier selection.

Benefits of Using Templates:

Consistency: Ensures that similar types of reviews are conducted consistently.

Efficiency: Saves time by eliminating the need to configure each campaign from scratch.

Reduced Errors: Minimizes the risk of manual configuration errors.

Why Other Options Are Less Suitable:

A. Global Configurations: Global configurations apply to all campaigns, not to specific categories of reviews.

B. Campaign Types: Campaign types (e.g., User Manager, Entitlement Owner) define the overall purpose of the campaign, not the specific settings for different categories within a campaign type.

D. Campaign Previews: Previews are for reviewing the campaign data before launch, not for saving different configurations.

In conclusion: Campaign Templates in Saviynt provide a powerful way to save and reuse different configurations for various categories of Manager Access Reviews, promoting consistency, efficiency, and accuracy in the certification process.

=================

In Saviynt, Enterprise Roles are specifically designed to encompass entitlements that span multiple applications. This is in contrast to Application Roles, which are limited to entitlements within a single application.

Enterprise Roles: Provide a way to group entitlements across different applications, reflecting a user's overall job function or responsibilities within the organization. This is essential for managing access for users who need permissions in various systems to perform their duties.

Other Role Types:

Application Role: Grants permissions specific to a single application.

Transactional Role: Focuses on granting permissions for specific tasks or transactions within an application.

Enabler Role: Provides supplementary permissions that enhance or support other roles.

Saviynt IGA References:

Saviynt Documentation: The section on Role Management within Saviynt's documentation clearly defines the different role types and their purposes.

Saviynt Training Materials: Saviynt's training courses emphasize the importance of Enterprise Roles in managing cross-application access.

The connection type best suited to expose Workday reports as a data service in Saviynt is A. Workday-RAAS (Report as a Service). Here's why:

Workday-RAAS: This connection type is specifically designed to integrate with Workday's RaaS functionality. Workday RaaS allows you to expose custom reports created within Workday as web services that can be consumed by external applications like Saviynt.

Data Service for Reports: RaaS essentially turns a Workday report into a data service, making it easy to retrieve the report's data in a structured format (typically XML or JSON).

Saviynt's Integration: Saviynt's Workday-RAAS connection type is built to leverage this capability, allowing you to:

Select Workday Reports: Choose the specific Workday reports you want to integrate with.

Import Data: Import the data from those reports into Saviynt for various purposes (e.g., identity governance, access certification, analytics).

Schedule Imports: Schedule regular data imports to keep Saviynt's data synchronized with Workday.

Why Other Options Are Less Suitable:

B. Workday-REST: While Workday has a REST API, it's more general-purpose and not specifically tailored for exposing reports as data services in the same way as RaaS.

C. Workday-OAuth: OAuth is an authorization protocol, not a connection type for retrieving report data.

D. Workday-SOAP: Workday's SOAP API is being gradually replaced by the REST API and is less focused on report data retrieval than RaaS.

=================

In Saviynt's SSO setup, the "Max Authentication Session" parameter determines the maximum duration of an SSO session within Saviynt, overriding any longer durations set by the Identity Provider (IdP).

Session Duration Logic: Saviynt's internal session timeout setting takes precedence over the IdP's session timeout. This ensures that Saviynt can enforce its own security policies regarding session lifetimes.

Why other options are incorrect:

B. 10,000 seconds: This is the IdP's session logout value, but Saviynt's "Max Authentication Session" setting overrides it.

C. 3600 seconds: This is the default value, but the question specifies a configured value of 5000 seconds.

Saviynt IGA References:

Saviynt Documentation: The documentation for configuring SSO settings within Saviynt explains the "Max Authentication Session" parameter and its impact on session duration.

Saviynt Best Practices: Saviynt's best practices for SSO often recommend aligning session timeouts between the IdP and Saviynt to avoid confusion and potential security gaps.

To get the details of a successfully executed Rule in Saviynt, an Admin should look in the C. Current Rule Trail. Here's why:

Saviynt's Rule Engine and Logging: Saviynt's rule engine executes various types of rules (e.g., birthright rules, user update rules, technical rules). It maintains logs to track rule execution and outcomes.

Current Rule Trail: This log specifically captures the details of recently executed rules, including:

Rule Name: The name of the rule that was executed.

Execution Time: The timestamp of when the rule was executed.

Status: Whether the rule execution was successful or not.

Details: Specific information about the rule's execution, such as the conditions that were evaluated and the actions that were taken.

Troubleshooting and Auditing: The Current Rule Trail is invaluable for troubleshooting rule behavior and for auditing purposes, providing a clear record of what rules were executed and their results.

Other Options:

A. Archived Rule Trail: This log stores details of older rule executions that have been archived. It's useful for historical analysis but not for recent executions.

B. Archived Application Logs: These logs are related to application activity, not rule execution.

D. Action Trail: The Action Trail captures general user and administrative actions within Saviynt, but it might not provide the detailed information about rule execution that the Current Rule Trail does.

The option that cannot be regarded as a Smart Filter in Saviynt's User Manager and Service Account Campaigns is A. User's Assigned Role counts. Here's why:

Saviynt's Smart Filters: Smart Filters are pre-defined filters in Saviynt that help Certifiers quickly focus on specific access patterns or risk indicators during a certification campaign. They are designed to highlight potentially problematic or high-risk access.

Examples of Smart Filters:

B. Access with SoD Violations: This is a Smart Filter because it highlights access that violates Segregation of Duties policies, a significant risk indicator.

C. Out-of-Band Access for Entitlements: This is a Smart Filter as it identifies access that was granted outside of the normal Saviynt processes, potentially indicating a security risk.

D. Risk Level for Accounts: This is a Smart Filter because it allows Certifiers to focus on accounts with high-risk levels, which might require more scrutiny.

Why "User's Assigned Role counts" Is Not a Smart Filter:

Not a Risk Indicator: Simply knowing the number of roles assigned to a user doesn't inherently indicate a risk or a specific access pattern that requires attention. A user might have many roles legitimately, or they might have few roles but with high-risk access.

Not Actionable: This information alone doesn't provide enough context for a Certifier to make an informed decision about whether to approve or revoke access.

Alternative: While not a "Smart Filter", the number of roles assigned could be a data point displayed within the campaign, but it wouldn't be considered a pre-defined filter for highlighting risks.

=================

When an "Add Access" task is successfully completed in Saviynt, the applicable status is typically "Provisioned." Here's a detailed explanation with Saviynt references:

Saviynt's Task Management: Saviynt uses tasks to track the progress of various operations, including access provisioning. These tasks are generated as part of workflows, such as the "Access Add Workflow."

"Add Access" Task Type: This specific task type is created when the access request is approved and the system is ready to grant the requested access to the target application.

Task Statuses in Saviynt: Saviynt uses different statuses to indicate the current state of a task. Common statuses include:

Pending: The task is waiting to be processed.

In Progress: The task is currently being executed.

Provisioned: This status signifies that the requested access has been successfully granted to the user in the target system.

Failed: The task encountered an error and could not be completed.

Manually Provisioned: The task was completed manually by an administrator, rather than through automated provisioning.

Success: While sometimes used, this status is less specific than "Provisioned" in the context of "Add Access" tasks, since it does not specify that the action completed was a provisioning action.

Active: Typically applies to accounts or users, not tasks.

Saviynt's Workflow Engine: The workflow engine in Saviynt updates the task status as it progresses through the defined steps. For connected applications, the workflow engine might directly interact with the target system's API to provision the access. Once the provisioning is successful, the status is updated to "Provisioned."

Saviynt's Audit Trails: Saviynt maintains detailed audit trails, and the task status changes are logged. This provides a clear record of when access was provisioned for a user.

Other Options:

Success: As mentioned above, this is a general status. While technically correct (the task succeeded), "Provisioned" provides more context.

Manually Provisioned: This status is only applicable if an administrator intervened and manually granted the access outside of the automated workflow.

Active: This status typically pertains to a user or account's overall status, not specifically to the completion of an "Add Access" task.

=================