Pass the SailPoint Identity Security Engineer IdentityIQ-Engineer Questions and answers with ExamsMirror

Yes, the typical input variables for a rule are listed in the BeanShell rule editor in IdentityIQ, based on the rule registry. When you create or edit a rule in IdentityIQ using the BeanShell editor, the available input variables that are relevant to the rule type are typically pre-defined and listed based on the rule registry. These input variables provide context and data that the rule can operate on, and their availability helps guide the rule development process.

Therefore, the correct answer isA. Yes.

The statement "The Identity object is passed to the rule" is correct. When writing source mapping rules to populate identity attributes, the Identity object is indeed passed to the rule. This allows the rule to access and modify attributes on the Identity object based on the logic defined within the rule.

Therefore, the correct answer isA. Yes.

Yes, the statement istrue. Both logging and auditing in SailPoint IdentityIQ can have a negative influence on performance because they involve additional function calls within the application. These processes generate data that needs to be stored, which can impact performance if not managed properly. Extensive logging and auditing, particularly at high levels of detail, can lead to increased I/O and storage usage, potentially slowing down system operations.

References:

SailPoint IdentityIQ Performance Tuning Guide

SailPoint IdentityIQ Logging and Auditing Guide (Impact on Performance)

Yes, this is an example of a mover lifecycle event. A mover lifecycle event typically occurs when an individual's role or employment status within the organization changes, requiring updates to their accounts and access rights. In this scenario, a contractor whose accounts were previously disabled due to contract expiration needs those accounts re-enabled upon securing a new contract. This reactivation and adjustment of access rights based on a change in employment status fits the definition of a mover event.

Therefore, the correct answer isA. Yes.

The configuration option "Comment Character" isnot requiredwhen setting up a SCIM 2.0 application in SailPoint IdentityIQ. The "Comment Character" option is generally used for handling comment lines in flat files or CSV file-based connectors. Since SCIM 2.0 is a RESTful API-based protocol designed for managing identities in a standardized way, this option does not apply to SCIM 2.0 integrations. Therefore, it is not a necessary configuration when working with SCIM 2.0 applications.

References:

SailPoint IdentityIQ SCIM 2.0 Integration Guide

SailPoint IdentityIQ Application Configuration Guide (SCIM and REST API sections)

No, this statement is incorrect. When a wait step is encountered in a foreground workflow, it does not cause the user’s screen to freeze for the specified number of seconds. Instead, the wait step simply pauses the workflow execution for the specified duration, but this is managed in the background. The user interface remains responsive, and the end-user typically won’t notice any freezing or delays caused by the wait step itself.

References:

SailPoint IdentityIQ Workflow Guide (Section on Workflow Step Types)

SailPoint IdentityIQ Scripting and Workflow Best Practices

In SailPoint IdentityIQ, what users can see and do is indeed partly controlled by their authorized scope. Authorized scopes define the range of objects (such as identities, roles, applications) that a user has access to. Scopes can be applied to limit access based on specific criteria, ensuring that users only interact with the data and functionalities relevant to their role or responsibility within the organization.

For example, a user with access to a specific scope may only view or manage identities within a certain department or geographical location, depending on how the scope is configured.

Therefore, the correct answer isA. Yes.

The best policy types for defining each access policy are as follows:

Users cannot be members of the AccountsPayable group in AD and have the CreateVendor access right in the Vendor System application at the same time.Answer:Entitlement SOD

This policy deals with conflicting access rights at the entitlement level (i.e., group membership and specific access rights). "Entitlement Separation of Duties" (SOD) ensures that users don't have access to conflicting entitlements.

Users can have two accounts on a given system, but no more.Answer:Account

This policy pertains to the number of accounts a user can have on a system. The "Account" policy type manages restrictions on how many accounts users can possess.

Users who have either the VPN role or the Travel role cannot also be in the Contractor role.Answer:Role SOD

This policy involves conflicting roles. "Role Separation of Duties" (Role SOD) ensures that users cannot have conflicting roles, such as VPN and Contractor, or Travel and Contractor.

Comprehensive Detailed Explanation with All IdentityIQ Engineer References

Entitlement SOD: This policy prevents users from having conflicting access rights. In this case, being in the AccountsPayable group while also having access to create vendors creates a potential conflict. IdentityIQ uses Entitlement SOD to handle these scenarios by preventing such combinations of entitlements.

Account: This type of policy limits the number of accounts users can have on a given system. By setting up an Account policy, IdentityIQ ensures that a user cannot exceed the set number of accounts (e.g., two accounts on a system).

Role SOD: When dealing with conflicting roles (such as VPN or Travel role conflicting with a Contractor role), Role SOD policies ensure that users do not end up in roles that violate governance or security policies. This type of policy ensures role-based access conflicts are mitigated in IdentityIQ.

The statement that "An Application object is not required to aggregate external user account information into IdentityIQ" isfalse. In SailPoint IdentityIQ, an Application object is essential for aggregating (importing) external user account information. The Application object defines the connection settings, schema, and mapping that enable IdentityIQ to connect to external systems and retrieve identity data. Without an Application object, IdentityIQ would not have the necessary configuration to establish a connection and aggregate user data from external sources.

References:

SailPoint IdentityIQ Administration Guide (Section on Applications and Aggregation)

SailPoint IdentityIQ Integration and Configuration Guide

The statement isfalse. While it is true that logging and auditing require extra function calls and generate data, the suggestion that this data can be compressed to avoid storage issues and improve performance is misleading. In practice, while compression might save storage space, it does not inherently improve performance, particularly because the overhead of compression and decompression could negate the performance benefits. Effective performance management in IdentityIQ involves more nuanced approaches, such as optimizing the level of detail in logs, managing log rotation, and tuning the system for efficient I/O operations.

References:

SailPoint IdentityIQ Logging and Auditing Guide

SailPoint IdentityIQ Performance Tuning Guide