Saviynt SAVIGA-C01 - Saviynt IGA Certified Professional Exam (L100)

User matches with Identity

Security System matches with Application Category

Endpoint matches with Application

Workflow matches with Access Approval

User and Identity: In the context of Identity and Access Management (IAM), "User" often relates to "Identity" management, which deals with user accounts, profiles, and their associated attributes.

Security System and Application Category: "Security System" is a broad term. Within the image, it is a category under which applications are managed, making "Application Category" the correct match.

Endpoint and Application: "Endpoints" in Saviynt refer to the target systems or applications that are being managed or integrated. Therefore "Endpoint" relates to "Application."

Workflow and Access Approval: "Workflows" are often used to define and automate processes, and in this case, it relates to the "Access Approval" process.

An AD Connection in Saviynt is required to establish communication and data exchange with an Active Directory (AD) domain. This connection enables Saviynt to automatically reconcile accounts from AD, ensuring that the identity information in Saviynt stays synchronized with the AD.

Why other options are incorrect:

AD Control, AD Rule, AD Role: These terms are not standard components within Saviynt's framework for integrating with Active Directory.

Saviynt IGA References:

Saviynt Documentation: The section on integrating with Active Directory clearly outlines the need for an AD Connection and provides step-by-step instructions for configuring it.

Saviynt Connectors: Saviynt offers pre-built connectors for Active Directory that simplify the process of establishing the connection.

A Service Desk Connection in Saviynt is used to integrate with external ticketing systems. This integration allows Saviynt to:

Automate request fulfillment: Access requests created in Saviynt can automatically generate tickets in the service desk system.

Track request status: Saviynt can update the status of access requests based on the corresponding ticket status in the service desk system.

Improve communication: Integration facilitates seamless communication and collaboration between Saviynt and the service desk team.

Why other options are incorrect:

Service Ticket Connection, Ticket Connection, Provisioning Connection: These are not standard terms used in Saviynt for service desk integration.

Saviynt IGA References:

Saviynt Documentation: The documentation on integrating with Service Desk systems explains the purpose and configuration of a Service Desk Connection.

Saviynt Connectors: Saviynt provides connectors for popular service desk solutions like ServiceNow, facilitating the integration process.

To certify all existing entitlements of John by relevant stakeholders after he moves from Department A to B, and you have a User Update Rule to trigger a certification, the action you should configure is C. Launch Entitlement Owner Campaign. Here's why:

Saviynt's Certification Campaigns: Saviynt supports various types of certification campaigns to review and validate user access.

Entitlement Owner Campaign: This specific campaign type is designed to have the owners of entitlements (typically application or business owners) review and certify the users who have access to those entitlements.

User Update Rule Trigger: The User Update Rule, triggered by the department change, can initiate the certification process.

Least Privilege Principle: This approach aligns with the principle of least privilege by ensuring that access is regularly reviewed and validated, especially after significant changes like a department transfer.

Why Other Options Are Less Suitable:

A. Launch Manager Campaign: While manager campaigns are useful, they might not be the most appropriate in this case. Entitlement owners are generally more knowledgeable about who should have access to specific entitlements.

B. Launch Service Account Campaign: This is for certifying service accounts, not user entitlements.

D. Launch Organization Owner Campaign: This is not a standard campaign type in Saviynt and might not be relevant to certifying user entitlements.

In conclusion: Launching an Entitlement Owner Campaign from a User Update Rule triggered by a department change is the most effective way to ensure that John's existing entitlements are reviewed and certified by the appropriate stakeholders, adhering to the principle of least privilege.

In Saviynt, Enterprise Roles are specifically designed to encompass entitlements that span multiple applications. This is in contrast to Application Roles, which are limited to entitlements within a single application.

Enterprise Roles: Provide a way to group entitlements across different applications, reflecting a user's overall job function or responsibilities within the organization. This is essential for managing access for users who need permissions in various systems to perform their duties.

Other Role Types:

Application Role: Grants permissions specific to a single application.

Transactional Role: Focuses on granting permissions for specific tasks or transactions within an application.

Enabler Role: Provides supplementary permissions that enhance or support other roles.

Saviynt IGA References:

Saviynt Documentation: The section on Role Management within Saviynt's documentation clearly defines the different role types and their purposes.

Saviynt Training Materials: Saviynt's training courses emphasize the importance of Enterprise Roles in managing cross-application access.

In the given scenario, where ABC Company has a one-level workflow with the manager as the sole approver, and Margaret (Edward's manager) raises a request on behalf of Edward, the statement that would be true/applicable is A. Manager's approval is auto-approved. Here's why:

Saviynt's Workflow Configuration: Saviynt allows for the configuration of various workflow scenarios, including auto-approval based on certain conditions.

Self-Approval Prevention/Auto-Approval: A common security best practice is to prevent users from approving their own access requests. However, when a manager requests on behalf of a subordinate, this is considered a delegated request and many organizations find it acceptable to auto-approve since the approval should be implicit in the act of requesting.

Manager Requesting on Behalf: When a manager initiates a request for a subordinate, it's often considered an implicit approval. The manager is essentially saying, "I approve this access for my team member."

Saviynt's Default Behavior (Typically): By default, or through common configuration practices, Saviynt is often set up to recognize this scenario and auto-approve the manager's approval step in the workflow. This streamlines the process and avoids unnecessary delays.

Configuration Options: While auto-approval is common, Saviynt's workflow engine is flexible. It's possible to configure it differently, for instance, to still require explicit manager approval even in this scenario. However, this is less typical.

Other Options:

B. Manager's approval is auto-rejected: This is highly unlikely and would defeat the purpose of having a manager initiate the request.

C. Manager must manually approve/reject the request: While possible through configuration, it's not the typical or default behavior in this scenario.

D. None of the above: Option A is the most likely and common outcome.

In summary: In a one-level workflow where the manager is the approver, and the manager requests access on behalf of a subordinate, Saviynt is typically configured to auto-approve the manager's approval step, streamlining the process and reflecting the implicit approval inherent in the manager's action.

=================

The component that filters the requestable applications under "Request New Access" in Saviynt is the Access Query. Here's a detailed explanation:

Saviynt's Access Request System (ARS): As the front end for requesting access, the ARS needs a mechanism to determine which applications (and entitlements) should be displayed to a user as requestable.

Access Query: This is a powerful feature within Saviynt that allows administrators to define specific criteria to control the visibility of applications and entitlements in the ARS. Think of it as a filter that determines what a user can see and request.

How Access Queries Work:

Defined on Applications/Entitlements: Access Queries are configured on individual applications or entitlements within Saviynt.

Based on User Attributes: They use user attributes (e.g., department, location, job title, group memberships) and other criteria (e.g., risk level) to determine if a user should see a particular application or entitlement.

Dynamic Filtering: When a user accesses the "Request New Access" section, Saviynt evaluates the Access Queries associated with each application and entitlement in real-time. Based on the user's attributes, the system dynamically filters the list, showing only the applications and entitlements that match the query conditions.

Saviynt's Security Model: Access Queries are a fundamental part of Saviynt's security model. They ensure that users are only presented with access options that are relevant and appropriate for their role and context, preventing accidental over-provisioning and reducing the attack surface.

Other Options:

Access Add Workflow: While essential for processing access requests, the workflow itself doesn't filter which applications are initially displayed.

Provisioning Connection: This relates to how Saviynt connects to target systems for automated provisioning. It doesn't control the initial visibility of applications in the ARS.

Whom to Request: This setting might determine the available approvers, but it doesn't filter the list of requestable applications.

In essence: Access Queries act as a dynamic filter, leveraging user attributes and defined criteria to determine which applications and entitlements are presented to a user within Saviynt's "Request New Access" interface, ensuring a personalized and secure access request experience.

=================

The Job responsible for configuring a dashboard (among other configurations) in a Saviynt Campaign is B. Create or Schedule Attestation Job. Here's a detailed explanation:

Saviynt's Campaigns: Campaigns in Saviynt are used for access certification, allowing reviewers (Certifiers) to review and approve or revoke user access.

Create or Schedule Attestation Job: This job is the core mechanism for creating and configuring various aspects of a campaign, including:

Campaign Scope: Defining which users, entitlements, or resources are included in the campaign.

Certifier Selection: Specifying who will be the reviewers for the campaign.

Scheduling: Setting the start and end dates for the campaign.

Notifications: Configuring email notifications for Certifiers and other stakeholders.

Dashboard Configuration: Defining the information and layout displayed on the campaign dashboard for Certifiers. This includes selecting which data points, charts, and filters are visible.

Why Other Options Are Incorrect:

A. Campaign Export Job: This job is used to export campaign data, not to configure the campaign itself.

C. Campaign Import Job: This job is used to import data into a campaign, typically from an external source.

D. Upgrade Job: This job is related to upgrading the Saviynt platform, not to campaign configuration.

In summary: The "Create or Schedule Attestation Job" is the central job for setting up and configuring all aspects of a Saviynt campaign, including the dashboard that provides Certifiers with a summarized view of the certification data.

=================

When access privileges for a specific Analytical Control are assigned using SAV Roles in Saviynt, users belonging to that role can, by default, perform the following tasks: B. View Control, Run Control, and View Analytic History of the Control. Here's a breakdown:

Saviynt's Role-Based Access Control (RBAC): Saviynt uses RBAC to manage access to various features and functionalities, including Analytical Controls.

Analytical Controls: These are pre-defined or custom-built analytics reports or dashboards.

Default Permissions: When a user is granted access to an Analytical Control via an SAV Role, they typically receive a set of default permissions:

View Control: Allows the user to view the configuration and definition of the Analytical Control (e.g., the query, parameters, visualization).

Run Control: Allows the user to execute the Analytical Control and generate results.

View Analytic History: Allows the user to see the history of previous executions of the Analytical Control, including the results and timestamps.

Why These Permissions Are Important:

Transparency: Users can understand how the analytics are defined and generated.

Usability: Users can run the analytics and obtain insights.

Auditing: Users can review past results for trend analysis or investigation.

Other Options:

A. Only view the configurations of the Control: This is too restrictive; users need to be able to run the control to get value from it.

C. Only view the Analytic History of the Control: This is also too limited; users should be able to run the control and view its configuration as well.

D. View Control and Run Control: While closer, it's missing the "View Analytic History" permission, which is important for auditing and analysis.

MISCELLANEOUS