In SailPoint IdentityNow, provisioning is the process of granting or revoking access to systems and applications based on access requests or changes in user identity attributes. The scenario describes John Doe requesting access to the "Sales" profile in Salesforce, which is approved by his manager.

However, simply approving an access request does not automatically trigger provisioning unless specific conditions are met:

Provisioning Policy: For the access to be provisioned, SailPoint IdentityNow requires a provisioning policy that defines the action to be taken after the approval process. This policy is often configured to specify whether access should be granted or denied after approval. If no provisioning policy is linked to the requested access, no action will be triggered.

Source Configuration: The Salesforce source (connector) in SailPoint IdentityNow must also be properly configured to handle provisioning tasks. Without proper configuration of the Salesforce source, no provisioning action will be sent even if the request is approved.

Manual Provisioning Workflow: In some cases, IdentityNow might be configured to require manual intervention after approval (e.g., triggering a manual provisioning workflow or an additional step) to enforce the provisioning action. If this configuration is missing, the approved request will not lead to automatic provisioning.

Since the scenario does not explicitly state that a provisioning policy or source configuration exists to handle the access request, the correct conclusion is that no provisioning would be sent out.

Key Reference from SailPoint Documentation:

Provisioning Concepts in IdentityNow: Documentation emphasizes that provisioning is triggered by defined workflows and provisioning policies that link the request to the connector source. Without these, the approval does not lead to actual provisioning.

Yes, reviewing the log files in the /home/sailpoint/log directory is a standard troubleshooting step for diagnosing a failed VA. The log files, such as relay.log, vs_agent.log, and others, can provide detailed error messages and insights into what might be causing the VA failure, such as connectivity issues, service failures, or configuration problems.

Key Reference from SailPoint Documentation:

Log Files for VA Troubleshooting: SailPoint's best practices for troubleshooting VA issues involve reviewing log files to check for error messages or warnings that can help identify the root cause of the failure.

Yes, evaluating available campaign administration filters is a best practice before generating the campaign preview. Campaign filters allow administrators to control the scope of the campaign by filtering users, entitlements, or other criteria, which is crucial for tailoring the certification to the right audience. By evaluating and applying filters, administrators ensure that only the relevant users and entitlements are included in the certification campaign, leading to more effective and targeted certifications.

References:

SailPoint IdentityNow Campaign Administration Guide.

SailPoint IdentityNow Certification Campaign Filtering and Scope Documentation.

Yes, the search syntax @accounts( source.name:"AD" AND state:"disabled" ) is correct, as it matches the necessary criteria for finding disabled AD accounts. This query searches for accounts in the AD source where the account state is set to "disabled," which effectively filters for the desired result.

Key Reference from SailPoint Documentation:

Correct Syntax for Disabled Accounts: The search correctly identifies accounts with a disabled state using this syntax.

Yes, custom connector configurations in SailPoint IdentityNow can have account correlation settings defined. Account correlation is used to link accounts from different sources to the correct identity in IdentityNow. When configuring a custom connector, it is possible to define how accounts from the connected system are correlated to existing identities based on attributes like usernames or other unique identifiers.

Key Reference from SailPoint Documentation:

Custom Connector Configuration: SailPoint allows for the definition of account correlation settings in custom connectors to ensure proper linking of external accounts to internal identities.

Yes, using a query select statement with a clause to match the incoming account to an existing account is a key configuration for the Single Account SQL Query in a JDBC connector. This query is used to fetch specific account details from the database and must be written in such a way that it uniquely identifies each account, ensuring accurate correlation between the data in the source and the identities in IdentityNow. Properly configuring this SQL query ensures the right accounts are matched and managed.

References:

SailPoint IdentityNow JDBC Connector Single Account Query Configuration Guide.

SailPoint IdentityNow SQL Query Best Practices Documentation.

The Web Services connector in SailPoint IdentityNow does not support SAML authentication. SAML is primarily used for Single Sign-On (SSO) authentication for web applications, whereas the Web Services connector in IdentityNow typically supports Basic Authentication, OAuth, or custom header-based authentication for API-based integrations. SAML authentication is generally used for federated identity management rather than for API-based interactions.

References:

SailPoint IdentityNow Web Services Connector Configuration Guide.

SailPoint IdentityNow Authentication Methods for Connectors.

Turning off the Virtual Appliance’s (VA) internal firewall is not recommended as a standard troubleshooting step in SailPoint IdentityNow. The VA’s firewall is crucial for maintaining the security of the environment, and disabling it can expose the system to unnecessary risks. Instead, an IdentityNow engineer should verify the VA’s network configuration and ensure that the required ports are open for communication between the VA and the source.

Key Reference from SailPoint Documentation:

VA Configuration and Network Troubleshooting: Troubleshooting connection issues typically involves checking network connectivity and firewall rules, not turning off the internal firewall.

No, the OpenLDAP Connector is not suitable for this use case. OpenLDAP is designed for integrating with LDAP-based directories, and the system described is a cloud-based web application that uses a SCIM 2.0 interface with OAuth 2.0 for authentication. Since the system supports SCIM, the correct connector would be the SCIM 2.0 Connector, which is tailored for cloud-based systems with SCIM interfaces.

References:

SailPoint IdentityNow OpenLDAP Connector Guide.

SailPoint IdentityNow SCIM 2.0 Connector Documentation.

No, selecting a checkbox to use the database admin as the service account is not a recommended or required configuration when implementing a source that uses a JDBC connector. Typically, for security and least privilege, a dedicated service account with only the necessary permissions to read and manage identities within the database is used. Granting database administrator (DBA) privileges to the service account introduces unnecessary security risks and is against best practices.

References:

SailPoint IdentityNow JDBC Connector Configuration Guide.

SailPoint IdentityNow Best Practices for Service Accounts Documentation.

Yes, using the Build Map is appropriate for modifying map data of an account for a JDBC or Delimited File source. The Build Map allows you to define how data from a source system (like JDBC or a Delimited File) is transformed and mapped into IdentityNow's data model. This step is crucial when creating or modifying mappings between source fields and IdentityNow identity attributes, ensuring accurate data representation.

Modifying map data is essential for handling specific transformations or adjustments when synchronizing data from these sources to ensure that identity data is complete and correct.

References:

SailPoint IdentityNow Source Configuration and Build Map Documentation.

SailPoint JDBC and Delimited File Source Configuration Guides.

No, this statement describes Manager Certification rather than Manager Correlation. Manager Certification refers to an approval process in which managers are required to periodically review and approve the access rights of their direct reports. This is a governance feature used to ensure that employees only have the access they need, and it helps managers validate their team’s access periodically. Manager Correlation, on the other hand, is about linking identities to their managers based on attributes.

Key Reference from SailPoint Documentation:

Manager Certification vs. Manager Correlation: While Manager Certification involves periodic review and approval of access by managers, Manager Correlation is strictly about linking identities to their respective managers based on defined attributes.

No, deleting the access profile is not the correct way to meet the requirement of removing approval for access requests. The access profile defines the entitlements and permissions that users can request for an application. Deleting it would remove the entire ability to request access, rather than just removing the approval workflow. The correct step would be to modify the approval settings in the access profile (as explained in Question 44), not to delete it.

Key Reference from SailPoint Documentation:

Access Profile Management: Modifying approval settings in the access profile is the appropriate step to meet management's new requirement, not deleting the profile itself.

Yes, defining an account schema is an essential step when implementing a JDBC connector. The schema defines the structure of the identity data being pulled from the database, including the attributes that will be mapped to identity profiles in IdentityNow. The schema can be defined either by using the "Discover Schema" option, which automatically identifies available attributes, or by manually configuring the schema attributes if specific custom mappings are required.

References:

SailPoint IdentityNow JDBC Connector Schema Configuration Guide.

SailPoint IdentityNow Source Schema Discovery Documentation.

The /home/sailpoint/proxy.yaml file is used for proxy settings, not for configuring the Virtual Appliance to use a static IP address. This file is typically modified to configure outbound proxy settings for the VA if it needs to route traffic through a proxy server. Static IP address configuration is handled elsewhere, at the operating system or network configuration level.

References:

SailPoint IdentityNow Virtual Appliance Proxy Configuration Documentation.

SailPoint IdentityNow Network Settings Documentation.

No, reconfiguration within IdentityNow is not required to connect to the disaster recovery (DR) VAs, which makes this scenario not a disadvantage. When properly configured, all VAs (including DR VAs) in a cluster are part of the same logical unit, meaning that failover to the DR VAs should happen seamlessly without manual intervention or significant reconfiguration. IdentityNow handles the failover automatically, directing traffic to the DR VAs when primary VAs become unavailable.

While there might be some overhead in a manual failover scenario for certain configurations, the use of a single VA cluster helps mitigate this by ensuring the system can failover without needing complex reconfigurations for every source.

References:

SailPoint IdentityNow Virtual Appliance Failover and Disaster Recovery Configuration.

SailPoint IdentityNow High Availability Architecture Guide.

Yes, downloading the Identity Exceptions report from the identity profile page is a reasonable and recommended action when troubleshooting incomplete identities on an authoritative source. This report provides detailed information about any issues or exceptions encountered during identity aggregation, such as missing required attributes or mapping errors. Analyzing this report can help identify the root cause of incomplete identity records and assist in resolving those issues.

References:

SailPoint IdentityNow Identity Profile Configuration and Troubleshooting Guide.

SailPoint IdentityNow Exception Handling and Reporting Documentation.

Certifications are not assigned to the reviewer when the campaign status is "Preview Ready." The "Preview Ready" status indicates that the campaign is prepared for review by administrators, and the certification details can be previewed before launching the campaign. However, the certifications are only assigned to the reviewers once the campaign is in the "Active" status, which signifies the start of the certification process. At this point, reviewers can access the certifications assigned to them.

References:

SailPoint IdentityNow Certification Campaign Lifecycle Guide.

SailPoint IdentityNow Certification Campaign Status Documentation.

Yes, the Active Directory connector can run on the Virtual Appliance (VA). The VA is responsible for hosting connectors that communicate with various target systems, including Active Directory. The connector establishes the communication between IdentityNow and the target Active Directory instance for operations such as provisioning, deprovisioning, and account synchronization. The VA acts as the bridge between IdentityNow's cloud service and the on-premises AD environment, enabling secure communication through the connector.

References:

SailPoint IdentityNow Active Directory Connector Configuration Guide.

SailPoint IdentityNow Virtual Appliance Architecture and Setup Documentation.

Clearing the authentication checkbox for a source in SailPoint IdentityNow is not a typical troubleshooting step for a timeout error. This option is related to whether or not authentication is required for the source connection. A timeout error typically points to a network issue (e.g., port, firewall, or network latency), not authentication problems. The engineer should instead focus on network-related configurations such as checking port access or firewall settings.

Key Reference from SailPoint Documentation:

Source Connectivity Troubleshooting: Timeout errors are generally caused by network issues rather than authentication problems, so adjusting authentication settings is not recommended for resolving such errors.

Yes, checking that the port values configured on the source in SailPoint IdentityNow are correct and accessible is an essential troubleshooting step. A timeout error can occur if the virtual appliance (VA) cannot reach the source due to incorrect port configuration or network issues blocking communication. Verifying the correct port numbers and ensuring that the necessary ports are open on both the VA and the source's firewall is critical.

Key Reference from SailPoint Documentation:

Port Configuration for Source Connectivity: Ensuring that the proper port values are configured and accessible is one of the primary troubleshooting steps when facing timeout errors in IdentityNow.

No, this example does not accurately describe the complete data flow in IdentityNow. While it correctly mentions identity aggregation and the building of an identity model, the third step, "Accounts are provisioned to source systems," is not always part of the identity aggregation process. Provisioning is typically a separate workflow initiated by access requests or certification decisions, not directly tied to identity aggregation. Additionally, the periodic synchronization of identity attributes happens as part of identity refreshes but is not necessarily tied to provisioning accounts in all cases.

References:

SailPoint IdentityNow Aggregation and Identity Model Documentation.

SailPoint IdentityNow Provisioning Workflow Guide.

In an optimized aggregation, if an account has not changed since the last aggregation, the Virtual Appliance (VA) does not need to connect to the target system to retrieve that account’s information again. Optimized aggregation is designed to reduce the load on the system by skipping over accounts that have not been updated, thus preventing unnecessary data retrieval and improving performance.

During optimized aggregation, only accounts or data that have been modified or added since the last aggregation are retrieved. This efficiency is achieved by using timestamps or incremental updates to determine which data needs to be pulled from the target system.

References:

SailPoint IdentityNow Aggregation and Optimization Documentation.

SailPoint IdentityNow Virtual Appliance Configuration Guide for Aggregation.

Yes, downloading the accounts data CSV from the Accounts tab on the authoritative source is a reasonable action for troubleshooting incomplete identities. This CSV file contains detailed account information pulled from the authoritative source, allowing the engineer to manually inspect the raw data and identify any discrepancies or missing attributes that could lead to incomplete identities. This is a useful step in verifying the accuracy and completeness of the data being aggregated from the authoritative source.

References:

SailPoint IdentityNow Source Account Data Inspection and CSV Export Documentation.

SailPoint IdentityNow Identity Data Troubleshooting Guide.

Yes, this statement is correct. When setting up a Virtual Appliance (VA) cluster, SailPoint does indeed create an asymmetric key pair based on a user-provided passphrase. This key pair is used for secure communication between the Virtual Appliance and the IdentityNow tenant. The asymmetric encryption model uses a public-private key pair where the private key is stored securely within the VA, and the public key is shared with the IdentityNow tenant to establish a secure, encrypted communication channel. This setup ensures that data exchanged between the VA and the IdentityNow tenant remains protected.

References:

SailPoint IdentityNow Virtual Appliance Security Guide.

SailPoint IdentityNow Asymmetric Encryption and Key Management Documentation.

Yes, SailPoint uses a proprietary fairness algorithm to manage and distribute workloads in its multi-tenant environment. This algorithm ensures that resources are allocated fairly among tenants, preventing any single tenant from consuming excessive resources at the expense of others. It helps maintain system performance and stability, balancing the processing load and providing equitable access to shared infrastructure in a multi-tenant setup.

References:

SailPoint IdentityNow Multi-Tenant Architecture Documentation.

SailPoint IdentityNow Resource Allocation and Fairness Algorithm Guide.

No, the provided steps are not correct. The sequence of actions is misplaced:

Step 1: Before clicking "Test Connection," you need to download or procure the VA image and import it into the virtualization platform.

Step 6: After logging in and changing the password, the next step is to configure the networking settings, not downloading the image again.

Step 12: After uploading the config.yaml, you should proceed with testing the connection to ensure the VA is correctly configured and can communicate with IdentityNow.

Corrected Steps:

Download / procure the VA image.

Configure networking configurations (as needed).

Click Test Connection on the VA configuration.

References:

SailPoint IdentityNow Virtual Appliance Installation and Configuration Guide.

SailPoint IdentityNow Virtual Appliance Test Connection Documentation.

Yes, validating the email template (e.g., Certification Due) is a best practice before the campaign preview is generated. Communication during a certification campaign is key to ensuring that managers are aware of their tasks and deadlines. Validating the email templates helps ensure that the messaging is clear, correct, and aligned with the campaign's objectives. It also ensures that any necessary details, such as deadlines, instructions, and links to the certification tasks, are properly included.

Proper validation of email templates helps avoid communication issues that could delay or negatively impact the campaign's success.

References:

SailPoint IdentityNow Certification Campaign Email Templates Guide.

SailPoint IdentityNow Best Practices for Campaign Communication.

Yes, the file /etc/systemd/network/static.network (or a similarly named file depending on the Linux distribution used by the Virtual Appliance) is typically used to configure a static IP address for the VA. This file is part of the systemd network configuration, and modifying it allows you to specify static IP settings, such as the IP address, netmask, gateway, and DNS servers, for the Virtual Appliance's network interface.

To set a static IP address, you would need to modify this file and restart the network service for the changes to take effect.

References:

SailPoint IdentityNow Virtual Appliance Network Configuration Guide.

Linux systemd Network Configuration Documentation.