The Saviynt IGA Certified Professional Exam (L100) (SAVIGA-C01)

In Saviynt ' s Access Request configurations, the following can be set up as either optional or mandatory based on business requirements:

A. Approval comments: When an approver approves or rejects a request, they can be required to provide comments, or it can be made optional.

B. Add Attachment: Requesters can be allowed or required to attach supporting documentation to their access requests.

C. Business justification at Request level: Requesters can be obligated to provide a business justification for their access request, or it can be made optional.

Here ' s a breakdown with Saviynt IGA references:

Saviynt ' s Access Request System (ARS) Configuration: Saviynt provides granular control over the ARS ' s behavior, allowing administrators to customize various aspects of the request process, including data validation and required fields.

Mandatory vs. Optional Fields: Many fields and actions within the ARS can be configured as either mandatory or optional. This allows organizations to tailor the request process to their specific needs and compliance requirements.

Configuration Locations: These settings are typically found within the ARS configuration section of Saviynt ' s administrative interface.

Approval Comments: Often configurable within the workflow definition, at the approval step level. You can define whether comments are required for approval, rejection, or both.

Add Attachment: Generally found under general ARS settings, allowing you to enable or disable attachments and potentially set them as mandatory.

Business Justification: Also found within the ARS settings, allowing you to toggle the requirement for a business justification at the request level or even at the individual entitlement level.

Business Rationale: The flexibility to make these elements optional or mandatory allows organizations to balance the need for information with the desire for a streamlined user experience. For example, high-risk access requests might require detailed justification and attachments, while low-risk requests might not.

Saviynt ' s Audit Trail: Regardless of whether these fields are mandatory or optional, Saviynt ' s audit trail will capture the information provided, ensuring a complete record of the request and approval process.

In summary: Saviynt ' s ARS allows administrators to configure approval comments, attachments, and business justifications as either optional or mandatory, providing the flexibility to adapt the access request process to meet diverse organizational needs and compliance requirements.

In Saviynt, Enterprise Roles are specifically designed to encompass entitlements that span multiple applications. This is in contrast to Application Roles, which are limited to entitlements within a single application.

Enterprise Roles: Provide a way to group entitlements across different applications, reflecting a user ' s overall job function or responsibilities within the organization. This is essential for managing access for users who need permissions in various systems to perform their duties.

Other Role Types:

Application Role: Grants permissions specific to a single application.

Transactional Role: Focuses on granting permissions for specific tasks or transactions within an application.

Enabler Role: Provides supplementary permissions that enhance or support other roles.

Saviynt IGA References:

Saviynt Documentation: The section on Role Management within Saviynt ' s documentation clearly defines the different role types and their purposes.

Saviynt Training Materials: Saviynt ' s training courses emphasize the importance of Enterprise Roles in managing cross-application access.

The Job that should be created and scheduled to evaluate Rules on a need basis in Saviynt is A. Run Detective Rules and Take Action . Here ' s an explanation:

Saviynt ' s Jobs: Saviynt uses Jobs to perform various tasks, including data imports, rule evaluations, and provisioning operations.

" Run Detective Rules and Take Action " : This specific job is designed to:

Evaluate Rules: It evaluates rules that are configured for detective (monitoring) purposes. These rules typically check for specific conditions or changes in user attributes, access rights, or other data.

Take Action (Optional): Based on the rule evaluation results, the job can be configured to automatically take actions, such as:

Generating alerts or notifications.

Creating tasks for administrators to review.

Triggering workflows.

Automatically remediating issues (e.g., revoking access if a rule detects a violation).

Scheduling: This job can be scheduled to run periodically (e.g., daily, hourly) to continuously monitor for changes and enforce defined rules.

On-Demand Execution: You can also run this job on-demand to evaluate rules immediately.

Other Options:

B. Provisioning Job: This job is primarily used for provisioning access to target systems, not for evaluating general-purpose rules.

C. User Import via Connection: This job is for importing user data from external sources.

D. Trigger Chain Job: This allows for running a series or " chain " of jobs, but it doesn ' t directly evaluate rules itself.

To implement a workflow involving a Saviynt User Group ' s approval, the appropriate workflow block is B. TASK Access Approve . Here ' s an explanation:

Saviynt ' s Workflow Engine: Saviynt ' s workflow engine allows for the creation of complex approval processes using various building blocks or activities.

TASK Access Approve: This specific activity is designed to handle approval steps within a workflow. It allows you to define who the approver(s) should be and how the approval should be processed.

User Group Approval: To implement approval by a Saviynt User Group, you would configure the " TASK Access Approve " activity as follows:

Approver Type: You would select " User Group " as the approver type.

User Group Selection: You would then specify the particular Saviynt User Group that should be responsible for the approval.

Approval Logic: You can define whether all members of the group must approve, or if a certain number or percentage of approvals is sufficient.

Saviynt User Groups: User Groups in Saviynt are collections of users, often based on department, role, or other criteria. They are useful for managing access and approvals at a group level.

Other Options:

A. CONDITION IF Else: This block is used for branching logic in a workflow, not specifically for assigning approvals to user groups.

C. Action Prompt: This might be used for displaying information or collecting input, but not for defining an approval step.

D. TASK Custom Assignment: While you could potentially use custom assignment with scripting to achieve user group approval, the " TASK Access Approve " activity provides a more straightforward and built-in way to do it.

In conclusion: The " TASK Access Approve " workflow block in Saviynt, configured with a User Group as the approver type, is the most appropriate and direct way to implement a workflow that requires approval from a specific Saviynt User Group.

To certify all existing entitlements of John by relevant stakeholders after he moves from Department A to B, and you have a User Update Rule to trigger a certification, the action you should configure is C. Launch Entitlement Owner Campaign . Here ' s why:

Saviynt ' s Certification Campaigns: Saviynt supports various types of certification campaigns to review and validate user access.

Entitlement Owner Campaign: This specific campaign type is designed to have the owners of entitlements (typically application or business owners) review and certify the users who have access to those entitlements.

User Update Rule Trigger: The User Update Rule, triggered by the department change, can initiate the certification process.

Least Privilege Principle: This approach aligns with the principle of least privilege by ensuring that access is regularly reviewed and validated, especially after significant changes like a department transfer.

Why Other Options Are Less Suitable:

A. Launch Manager Campaign: While manager campaigns are useful, they might not be the most appropriate in this case. Entitlement owners are generally more knowledgeable about who should have access to specific entitlements.

B. Launch Service Account Campaign: This is for certifying service accounts, not user entitlements.

D. Launch Organization Owner Campaign: This is not a standard campaign type in Saviynt and might not be relevant to certifying user entitlements.

In conclusion: Launching an Entitlement Owner Campaign from a User Update Rule triggered by a department change is the most effective way to ensure that John ' s existing entitlements are reviewed and certified by the appropriate stakeholders, adhering to the principle of least privilege.

In Saviynt, a User represents the unique identity of a person. It ' s the central object that ties together all the information about an individual, including their accounts, entitlements, roles, and attributes.

Why other options are incorrect:

Endpoint: Represents a system or application, not a person.

Employee: While many users might be employees, the term " user " is more general and can include contractors, partners, etc.

Account: Represents a user ' s access to a specific system, not their overall identity.

Saviynt IGA References:

Saviynt Documentation: Throughout the documentation, " User " consistently refers to the individual ' s identity within the system.

Saviynt User Interface: The User Management section in Saviynt focuses on managing the lifecycle and access of individual users.

In Saviynt ' s SAML 2.0 based Single Sign-On (SSO) configuration, the " SP Entity ID " uniquely identifies Saviynt as the Service Provider (SP) to the Identity Provider (IdP). The correct SSO URL structure incorporates this " SP Entity ID " within a specific path.

Saviynt ' s URL Structure: Saviynt ' s SSO URLs follow a pattern to ensure proper routing and authentication. The /ECM/saml/SSO/alias/ portion is crucial for directing SAML-based login attempts.

Why the other options are incorrect:

A. https://myorg.saviyntcloud.com/ECM/saml/SSO/SaviyntSP : This URL is missing the crucial " alias " segment in the path, making it invalid for SAML SSO.

B. https://myorg.saviyntcloud.com/SaviyntSP : This URL doesn ' t include the necessary components for SAML-based authentication within Saviynt.

Saviynt IGA References:

Saviynt Documentation: Saviynt ' s official documentation on configuring SAML SSO provides details on the correct URL structure and the significance of the " SP Entity ID. "

Saviynt Support: Saviynt ' s support resources and knowledge base articles often address issues related to SSO configuration, reinforcing the correct URL format

To apply a User Update Rule to existing users in Saviynt, you should enable the option B. Retrofit rule actions for users . Here ' s an explanation:

Saviynt ' s User Update Rules - Initial Application: When a User Update Rule is created, it typically applies to users who are newly created or updated after the rule is put in place.

Retrofit Functionality: The " Retrofit rule actions for users " option allows you to apply the rule retroactively to users who already exist in the system and meet the rule ' s conditions.

How it Works: When enabled, Saviynt will evaluate the rule against all existing users. If a user matches the rule ' s conditions, the defined actions (e.g., assigning roles, updating attributes) will be applied to that user, even if they were created before the rule.

Use Cases: This is useful when you create a new rule that should have been in place all along, or when you need to make a broad change to existing user configurations based on a new policy.

Other Options:

A. Trigger when user is created from import: This applies the rule to new users imported into Saviynt, not existing users.

C. Trigger when user is updated from import: This applies the rule when existing users are updated via import, but it won ' t necessarily apply to all existing users who meet the conditions.

D. Action > Rerun All Provisioning Rules: This action is more general and might not be the most efficient way to apply a specific User Update Rule retroactively.

In summary: The " Retrofit rule actions for users " setting within a Saviynt User Update Rule is crucial for applying the rule ' s logic and actions to existing users, ensuring consistent configuration across the user base.

The formats suitable for downloading an Analytics report in Saviynt typically include A. CSV file and Excel Sheet . Here ' s an explanation:

Saviynt ' s Reporting Capabilities: Saviynt provides options for exporting and downloading analytics reports in various formats to facilitate data sharing and further analysis.

Common Export Formats:

CSV (Comma Separated Values): A widely used format for storing tabular data in plain text. It ' s easily imported into various data analysis tools and spreadsheet programs.

Excel Sheet (e.g., .xlsx): A popular spreadsheet format that allows for data organization, formatting, and calculations.

Why These Formats Are Suitable:

Data Analysis: Both CSV and Excel formats are well-suited for further data analysis and manipulation.

Reporting: They are commonly used for creating reports and sharing data with stakeholders.

Compatibility: Most data analysis and reporting tools support these formats.

Other Less Common Options: While less frequent, Saviynt might offer other export formats like PDF, depending on the specific version and configuration.

B. Text file: Although technically a text file, a raw .txt export might not be as useful for structured data like analytics reports. CSV would be preferred.

In conclusion: CSV and Excel are the most common and practical formats for downloading analytics reports from Saviynt, offering flexibility for data analysis, reporting, and sharing.