An engineer is assigned to configure an account attribute. The requirements are:
Purpose: Flag privileged accounts
Read from: Financial application, privileged attribute
Calculate from: Keystore application, responsibility-code attribute
Usage 1: Display as option in Advanced Analytics
Usage 2: Use when writing rules
Usage 3: Include in policies
Does the engineer need to set this configuration option on the account attribute to meet the requirements?
Solution: Source Mappings: Application Rule
Yes, setting the 'Source Mappings: Application Rule' configuration on the account attribute is necessary to meet the requirements described. The use case involves flagging privileged accounts based on attributes read from different applications and using these flags in various IdentityIQ features like Advanced Analytics, rule writing, and policy enforcement. By configuring the attribute with a source mapping that uses an Application Rule, you can implement complex logic to derive the attribute's value from multiple sources, such as a financial application and a keystore application, according to the specific requirements.
Therefore, the correct answer is A. Yes.
Reference: This answer is based on the SailPoint IdentityIQ Implementation Guide, which discusses the use of source mappings and application rules for complex attribute calculations and configurations. The guide explains how to set up attributes that pull data from multiple sources and use this data across various IdentityIQ features.
Is the following statement about workflows and sub-workflows (subprocesses) true?
Solution: Sub-workflows can be nested up to 3 levels only.
The statement is false. In SailPoint IdentityIQ, there is no strict limitation on nesting sub-workflows (subprocesses) up to 3 levels. You can nest sub-workflows as deeply as required by your business logic and system design. However, it is advisable to manage the complexity of nested workflows to ensure maintainability and performance, but there is no enforced limit of 3 levels for nesting.
SailPoint IdentityIQ Workflow Guide
SailPoint IdentityIQ Administration Guide (Sections on Workflow Design Best Practices)
Can a Workgroup be used for the following scenario?
Solution: Providing a group of users with specific capabilities.
In SailPoint IdentityIQ, a Workgroup can indeed be used to provide a group of users with specific capabilities. Workgroups are collections of users that can be assigned roles, tasks, and permissions. By associating capabilities with a Workgroup, all members of that Workgroup will inherit the capabilities defined.
This feature is commonly used to manage teams or departments that need to share specific privileges, such as the ability to approve access requests or manage certifications. Configuring capabilities for a Workgroup is a standard practice within IdentityIQ to simplify permission management and ensure consistent access control across the group.
Therefore, the correct answer is A. Yes.
Reference: This conclusion is drawn from the SailPoint IdentityIQ Administration Guide, which details how Workgroups function and how they can be used to assign capabilities and manage access control within the platform.
A client wants users who belong to an IdentitylQ workgroup named Management to be able to request entitlements and roles, but only for other users whose location attribute is the same as theirs.
Is this a population that will achieve the goal?
Solution: Create a quicklink population, set the membership match list to the IdentitylQ workgroup "Management," and set "Who can members request for?" as report to the requester.
The provided solution does not fulfill the client's requirement. Setting 'Who can members request for?' to 'report to the requester' only limits the request scope to users who directly report to the requester, which does not account for the location attribute. The goal is to restrict requests based on the location attribute, and this specific configuration does not consider that attribute. To achieve the desired behavior, the configuration should include logic that filters users based on the same location as the requester.
SailPoint IdentityIQ Quicklink Population Configuration Guide
SailPoint IdentityIQ Advanced Population Management Guide
Is this statement correct about writing and executing source mapping rules to populate identity attributes?
Solution: The Identity object is passed to the rule.
The statement 'The Identity object is passed to the rule' is correct. When writing source mapping rules to populate identity attributes, the Identity object is indeed passed to the rule. This allows the rule to access and modify attributes on the Identity object based on the logic defined within the rule.
Therefore, the correct answer is A. Yes.
