SailPoint IdentityNow-Engineer - SailPoint Certified IdentityNow Engineer

The use case describes a user logging into IdentityNow via an external identity provider’s login, where information is exchanged via federation. This correctly aligns with the concept of passthrough authentication.

Passthrough authentication often uses protocols like SAML (Security Assertion Markup Language) or OAuth for federation. In this case, the identity provider (IdP) handles the authentication and then passes the necessary authentication tokens or assertions back to SailPoint IdentityNow, granting the user access without directly requiring their password to be stored or authenticated by IdentityNow. This is a typical use case of federation and passthrough authentication.

References:

SailPoint IdentityNow Documentation on SAML and OAuth Federation.

SailPoint IdentityNow Federation and Passthrough Authentication Configuration Guides.

No, a user with Report-admin level permissions cannot invite new users to IdentityNow. The Report-admin role in IdentityNow is restricted to managing reports—this includes generating, viewing, and managing access to reports but does not extend to user management tasks such as inviting new users. Only users with Admin, Org Admin, or other higher-level roles with explicit user management permissions can invite new users to the platform.

References:

SailPoint IdentityNow Role-Based Access Control Documentation.

SailPoint IdentityNow Permissions Matrix for Admin Roles.

Yes, SailPoint IdentityNow sends a notification if a source has been in an error state for a sustained period, typically after fifteen minutes. This type of alert helps administrators to be aware of prolonged connection or operational issues with a source, so they can take corrective action promptly. The notification system is designed to escalate issues that may impact synchronization, provisioning, or access-related processes.

Key Reference from SailPoint Documentation:

Error State Notifications: SailPoint IdentityNow sends alerts for sources in error states, including when the error persists for a predefined period such as 15 minutes, helping administrators to respond to ongoing issues.

Yes, the fact that the disaster recovery (DR) VAs are not being utilized until a disaster recovery event occurs is a disadvantage. In this strategy, the DR VAs remain idle, leading to underutilization of resources. These VAs could otherwise handle workloads during normal operations to improve efficiency, distribute load, or reduce latency, especially if they are geographically closer to specific target systems. Relying on DR VAs only during failover scenarios limits their potential to optimize performance and balance loads in day-to-day operations.

References:

SailPoint IdentityNow Virtual Appliance Clustering and Disaster Recovery Documentation.

SailPoint IdentityNow High Availability and DR Strategies.

Yes, an access profile allows the definition of an approval process. When an access profile is created, administrators can configure specific approval workflows that must be followed before the access is granted. This includes designating approvers or specifying multiple levels of approval, depending on the organization's policies. This capability is useful for ensuring that sensitive access requests are properly reviewed and approved.

References:

SailPoint IdentityNow Access Request and Approval Workflow Guide.

SailPoint IdentityNow Access Profile Configuration Documentation.

No, the Virtual Appliances (VAs) should not reside in A, which represents the SailPoint cloud environment. VAs are typically deployed in the on-premises network to interface directly with internal resources like Active Directory, databases, and applications. The cloud environment is where IdentityNow services are hosted, but the VAs need to be positioned closer to on-premise resources to manage identity synchronization and provisioning tasks.

Key Reference from SailPoint Documentation:

VA Placement Recommendations: Virtual Appliances are deployed in the on-premise network rather than the cloud, to ensure they have direct and secure access to internal resources.

No, an access profile does not directly reference roles to provide access. Instead, access profiles are collections of entitlements or permissions that are bundled together to simplify access provisioning. Access profiles can be associated with roles, but they do not reference roles directly. Roles in IdentityNow define broader sets of permissions, which may include access profiles, but access profiles themselves are not tied directly to roles.

References:

SailPoint IdentityNow Access Profiles Documentation.

SailPoint IdentityNow Roles and Access Profiles Configuration Guide.

Yes, an access profile can be acknowledged during certifications. During access certification campaigns, reviewers can review access profiles as part of the items that need to be certified. They can either approve or revoke access to the access profiles, just like they would with individual entitlements. This ensures that users' access to these bundled entitlements is regularly reviewed and compliant with organizational policies.

References:

SailPoint IdentityNow Certification Campaigns Guide.

SailPoint IdentityNow Access Profile Certification Documentation.

No, selecting a checkbox to use the database admin as the service account is not a recommended or required configuration when implementing a source that uses a JDBC connector. Typically, for security and least privilege, a dedicated service account with only the necessary permissions to read and manage identities within the database is used. Granting database administrator (DBA) privileges to the service account introduces unnecessary security risks and is against best practices.

References:

SailPoint IdentityNow JDBC Connector Configuration Guide.

SailPoint IdentityNow Best Practices for Service Accounts Documentation.

Clearing the authentication checkbox for a source in SailPoint IdentityNow is not a typical troubleshooting step for a timeout error. This option is related to whether or not authentication is required for the source connection. A timeout error typically points to a network issue (e.g., port, firewall, or network latency), not authentication problems. The engineer should instead focus on network-related configurations such as checking port access or firewall settings.

Key Reference from SailPoint Documentation:

Source Connectivity Troubleshooting: Timeout errors are generally caused by network issues rather than authentication problems, so adjusting authentication settings is not recommended for resolving such errors.