To set up an Entitlement Owner Campaign for Entitlements belonging to an Oracle ERP Endpoint that launches at the beginning of every month, and includes only Accounts and Entitlements that meet the prerequisites, the 2-key configurations you should recommend are A. Use Campaign Template and the Schedule Later option . Here ' s a breakdown:

Campaign Template:

Purpose: Templates allow you to save a set of campaign configurations as a reusable template. This is ideal for recurring campaigns with consistent settings.

Benefits: Using a template saves time and ensures consistency across multiple campaign instances. You can define the scope (Oracle ERP Endpoint), Certifier type (Entitlement Owners), and other settings within the template.

Prerequisites: You can include logic within the template to filter for Accounts and Entitlements that meet the defined prerequisites.

Schedule Later option:

Purpose: This option allows you to schedule the campaign to launch at a specific date and time in the future.

Recurring Scheduling: You can configure the campaign to run on a recurring schedule, such as the beginning of every month.

Automation: This automates the campaign launch process, eliminating the need for manual intervention each month.

Why Other Options Are Less Suitable:

B. Use Advanced Configurations and Preview mode and create the Campaign at the beginning of each month: This approach is manual and prone to errors. It doesn ' t leverage the automation benefits of templates and scheduling.

C. Use Advanced Configurations and set the Campaign expiry to 31 days: While setting an expiry is important, it doesn ' t address the need for recurring monthly launches or using a template for consistent configuration.

D. Cannot be achieved: This is incorrect; the scenario can be easily achieved using Campaign Templates and the Schedule Later option.

=================

The option that cannot be regarded as a Smart Filter in Saviynt ' s User Manager and Service Account Campaigns is A. User ' s Assigned Role counts . Here ' s why:

Saviynt ' s Smart Filters: Smart Filters are pre-defined filters in Saviynt that help Certifiers quickly focus on specific access patterns or risk indicators during a certification campaign. They are designed to highlight potentially problematic or high-risk access.

Examples of Smart Filters:

B. Access with SoD Violations: This is a Smart Filter because it highlights access that violates Segregation of Duties policies, a significant risk indicator.

C. Out-of-Band Access for Entitlements: This is a Smart Filter as it identifies access that was granted outside of the normal Saviynt processes, potentially indicating a security risk.

D. Risk Level for Accounts: This is a Smart Filter because it allows Certifiers to focus on accounts with high-risk levels, which might require more scrutiny.

Why " User ' s Assigned Role counts " Is Not a Smart Filter:

Not a Risk Indicator: Simply knowing the number of roles assigned to a user doesn ' t inherently indicate a risk or a specific access pattern that requires attention. A user might have many roles legitimately, or they might have few roles but with high-risk access.

Not Actionable: This information alone doesn ' t provide enough context for a Certifier to make an informed decision about whether to approve or revoke access.

Alternative: While not a " Smart Filter " , the number of roles assigned could be a data point displayed within the campaign, but it wouldn ' t be considered a pre-defined filter for highlighting risks.

=================

The connection type best suited to expose Workday reports as a data service in Saviynt is A. Workday-RAAS (Report as a Service) . Here ' s why:

Workday-RAAS: This connection type is specifically designed to integrate with Workday ' s RaaS functionality. Workday RaaS allows you to expose custom reports created within Workday as web services that can be consumed by external applications like Saviynt.

Data Service for Reports: RaaS essentially turns a Workday report into a data service, making it easy to retrieve the report ' s data in a structured format (typically XML or JSON).

Saviynt ' s Integration: Saviynt ' s Workday-RAAS connection type is built to leverage this capability, allowing you to:

Select Workday Reports: Choose the specific Workday reports you want to integrate with.

Import Data: Import the data from those reports into Saviynt for various purposes (e.g., identity governance, access certification, analytics).

Schedule Imports: Schedule regular data imports to keep Saviynt ' s data synchronized with Workday.

Why Other Options Are Less Suitable:

B. Workday-REST: While Workday has a REST API, it ' s more general-purpose and not specifically tailored for exposing reports as data services in the same way as RaaS.

C. Workday-OAuth: OAuth is an authorization protocol, not a connection type for retrieving report data.

D. Workday-SOAP: Workday ' s SOAP API is being gradually replaced by the REST API and is less focused on report data retrieval than RaaS.

=================

Saviynt primarily leverages SAML 2.0 as its core authentication mechanism. SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, in this case, between users and Saviynt. It allows for secure, single sign-on experiences.

While Saviynt can interact with databases, REST APIs, and LDAP directories for various purposes like identity data aggregation or provisioning, these are not its primary authentication methods.

Databases: Saviynt can connect to databases to pull identity information, but the platform itself doesn ' t authenticate users directly against a database.

REST: REST APIs are used for programmatic interaction with Saviynt, not typically for initial user authentication.

LDAP: While LDAP can be a source of identity data, Saviynt ' s core authentication relies on SAML for its standardized and secure approach.

Key Saviynt IGA references supporting this:

Saviynt Documentation: The official Saviynt documentation consistently refers to SAML as the primary authentication mechanism.

Saviynt Connectors: Saviynt provides pre-built connectors for various identity providers (IdPs) that support SAML, further emphasizing its reliance on this standard.

Saviynt Training Materials: Saviynt ' s training courses and certifications highlight SAML ' s role in the platform ' s authentication framework.

The statement " An Application Owner Campaign can have multiple primary Certifiers and a single secondary Certifier " is generally False in Saviynt. Here ' s why:

Saviynt ' s Application Owner Campaign: This campaign type is designed for Application Owners to review and certify access to their applications.

Primary Certifier: There is usually a single designated Application Owner for each application. This is because application ownership is typically a single point of accountability. While it is technically possible to assign multiple owners, it is not considered a best practice.

Secondary Certifiers (Backup/Delegates): Application Owner Campaigns can have multiple secondary certifiers. These are often used as:

Backup: To ensure the campaign can proceed if the primary certifier is unavailable.

Delegates: To allow the primary certifier to delegate some of the certification tasks.

Consultants: Other stakeholders, such as security or compliance teams, who can be consulted during the decision-making process.

Why the Statement Is Generally False: The core principle of application ownership implies a single point of accountability. While multiple secondary certifiers can assist, having multiple primary certifiers can lead to confusion and conflicting decisions.

Possible Exceptions (Less Common):

Highly Customized Configurations: In some very specific scenarios, organizations might customize Saviynt to allow multiple primary certifiers for an application, but this is not a standard or recommended practice.

In this scenario, where John is a new full-time employee required to work from the Sydney office, the most specific and appropriate Enterprise Role assigned from the Birthright Rule would likely be A. Birthright - Sydney . Here ' s the reasoning:

Saviynt ' s Birthright Roles and Rules: Birthright roles are designed to automatically provision access based on specific criteria like location, job role, or employment type. Birthright rules define the conditions for assigning these roles.

Specificity of Role Assignment: The goal is to assign the most relevant and granular role based on the available information. In this case, John ' s location (Sydney) is the most specific criterion mentioned.

Why Other Options Are Less Likely:

B. Birthright - Permanent - Full-time: While John is a full-time employee, this role might be too broad if there are other location-specific roles.

C. Birthright - All: This role is likely too generic and would grant excessive access. It ' s generally not good practice to have an " all-encompassing " birthright role.

D. Birthright - Employee: Similar to the " Full-time " role, this might be too broad if location-specific roles are available.

Best Practices: It ' s a best practice in identity governance to use the most specific criteria possible when assigning birthright access. This helps enforce the principle of least privilege.

In summary: The " Birthright - Sydney " role is the most appropriate choice because it aligns with John ' s specific work location, ensuring he receives the necessary access for his role while adhering to the principle of least privilege.

In Saviynt, " Entitlements " refers to any type of access granted to users within a managed system or application. This broad term encompasses various forms of access controls, including:

Groups: Collections of users with shared access permissions.

Roles: Sets of permissions that define a user ' s job function or responsibilities.

Permissions: Specific access rights to resources or functionalities.

Responsibilities: Duties or tasks associated with a particular role.

Why other options are incorrect:

Endpoints: Refer to network devices or systems, not access rights.

Workflows: Are automated processes for tasks like approvals, not access itself.

Accounts: Represent user identities, not the specific access they have.

Saviynt IGA References:

Saviynt Documentation: Saviynt ' s documentation consistently uses the term " Entitlements " to describe the various types of access it manages.

Saviynt User Interface: The Saviynt interface uses " Entitlements " throughout its menus and features related to access management.