SAVIGA-C01 Questions and Answers

To reduce certification fatigue for Anitha, a manager with a large number of remote users, the recommended approach is C. Launch a Self Certification Campaign and then User Manager Campaign on certified items. Here's the rationale:

Self Certification Campaign:

Purpose: Allows users to review and certify their own access.

Benefits for this scenario:

Reduces Manager Burden: Shifts the initial review responsibility from Anitha to the individual users, who are most familiar with their own access needs.

Scalability: Well-suited for large, distributed teams, as it doesn't rely solely on the manager's capacity.

Empowerment: Gives users more control over their access and promotes a culture of accountability.

User Manager Campaign on Certified Items:

Purpose: Allows managers to review and certify their subordinates' access.

Benefits when combined with Self Certification:

Focus on Exceptions: Anitha can focus her review on items that were not self-certified or that require further scrutiny after the initial self-certification.

Reduced Volume: The volume of items Anitha needs to review is significantly reduced, as users have already certified their own access.

Increased Efficiency: Streamlines the manager's review process, making it more manageable and less time-consuming.

Why Other Options Are Less Suitable:

A. Launch User Manager Campaign and then Self Certification Campaign on certified items: This sequence is less effective because it puts the burden on the manager first, potentially leading to fatigue.

B. Launch Application Owner Campaign and then Self Certification Campaign on certified items: Application Owner campaigns are not relevant to a manager's review of their subordinates' access.

D. Launch Service Account Campaign and then User Manager Campaign on certified items: Service Account campaigns are for reviewing service accounts, not user access.

When access privileges for a specific Analytical Control are assigned using SAV Roles in Saviynt, users belonging to that role can, by default, perform the following tasks: B. View Control, Run Control, and View Analytic History of the Control. Here's a breakdown:

Saviynt's Role-Based Access Control (RBAC): Saviynt uses RBAC to manage access to various features and functionalities, including Analytical Controls.

Analytical Controls: These are pre-defined or custom-built analytics reports or dashboards.

Default Permissions: When a user is granted access to an Analytical Control via an SAV Role, they typically receive a set of default permissions:

View Control: Allows the user to view the configuration and definition of the Analytical Control (e.g., the query, parameters, visualization).

Run Control: Allows the user to execute the Analytical Control and generate results.

View Analytic History: Allows the user to see the history of previous executions of the Analytical Control, including the results and timestamps.

Why These Permissions Are Important:

Transparency: Users can understand how the analytics are defined and generated.

Usability: Users can run the analytics and obtain insights.

Auditing: Users can review past results for trend analysis or investigation.

Other Options:

A. Only view the configurations of the Control: This is too restrictive; users need to be able to run the control to get value from it.

C. Only view the Analytic History of the Control: This is also too limited; users should be able to run the control and view its configuration as well.

D. View Control and Run Control: While closer, it's missing the "View Analytic History" permission, which is important for auditing and analysis.

MISCELLANEOUS

To make an application available for access requests (either self-service or requests for others), the Access Add Workflow needs to be configured within Saviynt. This workflow defines the process that governs how access to the application is granted. Here's a breakdown with Saviynt IGA references:

Saviynt's Access Request System (ARS): This is the module within Saviynt that handles access requests. The ARS relies on defined workflows to manage the approval and provisioning process.

Access Add Workflow: This specific type of workflow within Saviynt's ARS is triggered when a user requests access to an application or entitlement. It dictates the steps involved, such as:

Requester Details: Capturing information about who is requesting access.

Application/Entitlement Selection: The user selects the application (and potentially specific roles or entitlements within that application) for which they are requesting access.

Approval Routing: Defining the approval chain (e.g., manager approval, application owner approval, etc.). This is configured within the workflow using various approval activities.

Provisioning: Upon approval, the workflow can trigger automated provisioning of access to the target system (if connected integration is set up).

Saviynt's Application Onboarding: For an application to be available in the ARS, it needs to be onboarded into Saviynt. During this process, you would typically define the relevant entitlements (access rights) associated with the application.

Workflow Configuration in Saviynt: Saviynt's admin interface allows administrators to create and customize workflows using a visual designer. This includes setting up conditions, defining approval steps, and configuring actions to be taken at each stage of the workflow.

Other options:

Proposed Accounts Workflow: This is less common, often used to suggest potential accounts during the request or account creation process. It's not the primary mechanism for making an application available for access requests.

Access Remove Workflow: This workflow is used when access needs to be revoked, not granted.

Emergency Access ID Request Workflow: This workflow is specific to requesting temporary, elevated access in emergency situations. It's not the workflow for general access requests to applications.

=================

In Saviynt's Access Request configurations, the following can be set up as either optional or mandatory based on business requirements:

A. Approval comments: When an approver approves or rejects a request, they can be required to provide comments, or it can be made optional.

B. Add Attachment: Requesters can be allowed or required to attach supporting documentation to their access requests.

C. Business justification at Request level: Requesters can be obligated to provide a business justification for their access request, or it can be made optional.

Here's a breakdown with Saviynt IGA references:

Saviynt's Access Request System (ARS) Configuration: Saviynt provides granular control over the ARS's behavior, allowing administrators to customize various aspects of the request process, including data validation and required fields.

Mandatory vs. Optional Fields: Many fields and actions within the ARS can be configured as either mandatory or optional. This allows organizations to tailor the request process to their specific needs and compliance requirements.

Configuration Locations: These settings are typically found within the ARS configuration section of Saviynt's administrative interface.

Approval Comments: Often configurable within the workflow definition, at the approval step level. You can define whether comments are required for approval, rejection, or both.

Add Attachment: Generally found under general ARS settings, allowing you to enable or disable attachments and potentially set them as mandatory.

Business Justification: Also found within the ARS settings, allowing you to toggle the requirement for a business justification at the request level or even at the individual entitlement level.

Business Rationale: The flexibility to make these elements optional or mandatory allows organizations to balance the need for information with the desire for a streamlined user experience. For example, high-risk access requests might require detailed justification and attachments, while low-risk requests might not.

Saviynt's Audit Trail: Regardless of whether these fields are mandatory or optional, Saviynt's audit trail will capture the information provided, ensuring a complete record of the request and approval process.

In summary: Saviynt's ARS allows administrators to configure approval comments, attachments, and business justifications as either optional or mandatory, providing the flexibility to adapt the access request process to meet diverse organizational needs and compliance requirements.

To certify all existing entitlements of John by relevant stakeholders after he moves from Department A to B, and you have a User Update Rule to trigger a certification, the action you should configure is C. Launch Entitlement Owner Campaign. Here's why:

Saviynt's Certification Campaigns: Saviynt supports various types of certification campaigns to review and validate user access.

Entitlement Owner Campaign: This specific campaign type is designed to have the owners of entitlements (typically application or business owners) review and certify the users who have access to those entitlements.

User Update Rule Trigger: The User Update Rule, triggered by the department change, can initiate the certification process.

Least Privilege Principle: This approach aligns with the principle of least privilege by ensuring that access is regularly reviewed and validated, especially after significant changes like a department transfer.

Why Other Options Are Less Suitable:

A. Launch Manager Campaign: While manager campaigns are useful, they might not be the most appropriate in this case. Entitlement owners are generally more knowledgeable about who should have access to specific entitlements.

B. Launch Service Account Campaign: This is for certifying service accounts, not user entitlements.

D. Launch Organization Owner Campaign: This is not a standard campaign type in Saviynt and might not be relevant to certifying user entitlements.

In conclusion: Launching an Entitlement Owner Campaign from a User Update Rule triggered by a department change is the most effective way to ensure that John's existing entitlements are reviewed and certified by the appropriate stakeholders, adhering to the principle of least privilege.

The statement is False. In the provided USER_IMPORT_MAPPING, USERNAME is the user attribute defined in EIC (Enterprise Identity Cloud), and wd:User_Name is the attribute defined in Workday. Here's a breakdown:

Saviynt's USER_IMPORT_MAPPING: This configuration within a connection (in this case, Workday RAAS) defines how data from the connected system (Workday) should be mapped to attributes within Saviynt's EIC.

ImportMapping: This section specifies the mapping between source attributes (Workday) and target attributes (EIC).

USERNAME: In the provided mapping, USERNAME (without the wd: prefix) is the target attribute, meaning it's an attribute within Saviynt's EIC.

wd:User_Name: The wd: prefix typically indicates a Workday attribute. Therefore, wd:User_Name is the source attribute from Workday.

~#~string: This likely indicates the data type of the attribute (string in this case).

Correct Interpretation: The mapping is saying: "Take the value of the wd:User_Name attribute from Workday and map it to the USERNAME attribute in EIC."

In essence: The USER_IMPORT_MAPPING defines how data from Workday is translated into Saviynt's internal data model, and in this case, USERNAME belongs to Saviynt (EIC), while wd:User_Name belongs to Workday.

To implement a workflow involving a Saviynt User Group's approval, the appropriate workflow block is B. TASK Access Approve. Here's an explanation:

Saviynt's Workflow Engine: Saviynt's workflow engine allows for the creation of complex approval processes using various building blocks or activities.

TASK Access Approve: This specific activity is designed to handle approval steps within a workflow. It allows you to define who the approver(s) should be and how the approval should be processed.

User Group Approval: To implement approval by a Saviynt User Group, you would configure the "TASK Access Approve" activity as follows:

Approver Type: You would select "User Group" as the approver type.

User Group Selection: You would then specify the particular Saviynt User Group that should be responsible for the approval.

Approval Logic: You can define whether all members of the group must approve, or if a certain number or percentage of approvals is sufficient.

Saviynt User Groups: User Groups in Saviynt are collections of users, often based on department, role, or other criteria. They are useful for managing access and approvals at a group level.

Other Options:

A. CONDITION IF Else: This block is used for branching logic in a workflow, not specifically for assigning approvals to user groups.

C. Action Prompt: This might be used for displaying information or collecting input, but not for defining an approval step.

D. TASK Custom Assignment: While you could potentially use custom assignment with scripting to achieve user group approval, the "TASK Access Approve" activity provides a more straightforward and built-in way to do it.

In conclusion: The "TASK Access Approve" workflow block in Saviynt, configured with a User Group as the approver type, is the most appropriate and direct way to implement a workflow that requires approval from a specific Saviynt User Group.

To configure a single report that displays the account attributes of all the accounts to their respective Application Owners in Saviynt, the best approach is D. V2 Analytics using SQL Query with User Context. Here's a breakdown:

Saviynt's Analytics V2: This is Saviynt's newer analytics platform, offering more advanced features and flexibility compared to the older version.

SQL Query with User Context: This is the key to achieving the desired outcome. "User Context" means that the query will be executed in the context of the currently logged-in user (in this case, the Application Owner).

How it Works:

Dynamic Filtering: When an Application Owner runs the report, the "User Context" will automatically filter the data to show only the accounts that they own.

Security and Data Privacy: This ensures that each Application Owner only sees the data that they are authorized to access.

SQL Query Structure: The SQL query would likely involve a JOIN between the accounts table and a table that defines application ownership (e.g., applications), using a WHERE clause that filters based on the current user's ID or username. Something like this (syntax might need adjustment for Saviynt's specific SQL dialect):

SELECT a.*

FROM accounts a

JOIN applications app ON a.application_id = app.application_id

WHERE app.owner_id = ${CURRENT_USER_ID} -- This is the user context part

Why Other Options Are Less Suitable:

A. Use Elasticsearch Query: While Elasticsearch can be used for analytics, it might not be the best tool for this specific requirement, as it doesn't inherently support the concept of "User Context" in the same way as SQL queries in Analytics V2.

B. V2 Analytics using SQL Query with External Connection: External connections are used to query data from external databases, which is not necessary in this scenario.

C. V2 Analytics using SQL Query with Allowed Action: Allowed Actions are used to define actions that can be performed on analytics results, not for filtering data based on user context.

Given that an Admin launched a Role Ownership Campaign for you in Saviynt, the option you can not certify is A. Role Ownership. Here's why:

Saviynt's Role Ownership Campaign: This type of campaign is specifically designed for reviewing and certifying the ownership of roles, not the other aspects of a role.

Your Role as Certifier: In this scenario, you are the designated reviewer for role ownership. This means you are responsible for confirming who should be the owner of specific roles.

What You Can Certify in a Role Ownership Campaign:

Confirm or Change Role Owner: You can confirm that the current role owner is correct or assign a new owner.

What You Cannot Certify in This Campaign:

A. Role Ownership: You are the one certifying role ownership, so you cannot certify your own action of assigning an owner. It would be a circular process.

B. User membership of the Role: This is typically reviewed in a User Access Campaign or a Role Membership Campaign.

C. Delete Role: Role deletion is an administrative action, not typically part of a Role Ownership Campaign.

D. Associated Entitlements: Entitlement certification is usually handled in an Entitlement Owner Campaign or as part of a broader User Access Campaign.

In essence: A Role Ownership Campaign focuses solely on validating and assigning role owners. Other aspects of role management, such as user membership or associated entitlements, are handled in different campaign types or through separate administrative actions. As the certifier in this specific campaign, you cannot certify the very action you are performing, which is assigning role ownership.

The object that is available in the User Update Rule to configure Rule conditions in Saviynt is A. Users. Here's an explanation:

User Update Rule Purpose: As mentioned before, User Update Rules are used to automatically update user attributes based on certain conditions.

Condition Based on User Attributes: The conditions for triggering a User Update Rule are primarily based on attributes of the User object itself.

Examples of User Attributes: These attributes can include:

User Status: (e.g., Active, Inactive, Disabled)

Department:

Location:

Job Title:

Manager:

Custom Attributes: Any custom attributes defined for users in your Saviynt environment.

Triggering the Rule: When a user's attributes change, and those changes match the conditions defined in a User Update Rule, the rule is triggered.

Other Options:

B. Accounts: While account attributes can be updated as an action of a User Update Rule, the conditions for triggering the rule are typically based on user attributes, not account attributes.

C. Roles: Similar to accounts, roles can be assigned or removed as an action of a User Update Rule, but the triggering conditions are usually based on user attributes.

D. Entitlements: Entitlements are also typically managed as an action of a User Update Rule, not as part of the triggering condition.

In conclusion: The User object and its attributes are the primary focus for defining conditions within a Saviynt User Update Rule. Changes to user attributes trigger the rule, which can then perform actions such as updating other user attributes, accounts, roles, or entitlements.

To get the details of a successfully executed Rule in Saviynt, an Admin should look in the C. Current Rule Trail. Here's why:

Saviynt's Rule Engine and Logging: Saviynt's rule engine executes various types of rules (e.g., birthright rules, user update rules, technical rules). It maintains logs to track rule execution and outcomes.

Current Rule Trail: This log specifically captures the details of recently executed rules, including:

Rule Name: The name of the rule that was executed.

Execution Time: The timestamp of when the rule was executed.

Status: Whether the rule execution was successful or not.

Details: Specific information about the rule's execution, such as the conditions that were evaluated and the actions that were taken.

Troubleshooting and Auditing: The Current Rule Trail is invaluable for troubleshooting rule behavior and for auditing purposes, providing a clear record of what rules were executed and their results.

Other Options:

A. Archived Rule Trail: This log stores details of older rule executions that have been archived. It's useful for historical analysis but not for recent executions.

B. Archived Application Logs: These logs are related to application activity, not rule execution.

D. Action Trail: The Action Trail captures general user and administrative actions within Saviynt, but it might not provide the detailed information about rule execution that the Current Rule Trail does.

To view the Entitlements Query used in a previously launched Campaign in Saviynt, a Campaign Owner can use the C. Campaign Summary. Here's why:

Saviynt's Campaign Summary: The Campaign Summary provides a detailed overview of a campaign's configuration, including:

Campaign Scope: The users, applications, or entitlements included in the campaign.

Filters and Queries: Any filters or queries used to define the campaign scope, including the Entitlements Query.

Certifier Information: Details about the assigned certifiers.

Schedule: The campaign's start and end dates.

Status: The current status of the campaign (e.g., Active, Completed, Expired).

Accessing the Entitlements Query: The Campaign Summary typically includes a section that displays the exact query used to select the entitlements included in the campaign.

Why Other Options Are Less Suitable:

A. Reconfigure option: While you might be able to see the query by going into the reconfiguration, it's not the most direct way. The Campaign Summary is designed to provide this information readily.

B. Campaign Export: Exporting the campaign data might include the list of entitlements but not necessarily the original query used to select them.

D. Export option at the top right corner of the page, next to the Refresh Progress option: This option typically exports the current view of the campaign data, not the underlying configuration details like the Entitlements Query.

In conclusion: The Campaign Summary in Saviynt is the most direct and convenient place for a Campaign Owner to review the detailed configuration of a campaign, including the Entitlements Query used to define the campaign's scope.

=================

In Saviynt, "Entitlements" refers to any type of access granted to users within a managed system or application. This broad term encompasses various forms of access controls, including:

Groups: Collections of users with shared access permissions.

Roles: Sets of permissions that define a user's job function or responsibilities.

Permissions: Specific access rights to resources or functionalities.

Responsibilities: Duties or tasks associated with a particular role.

Why other options are incorrect:

Endpoints: Refer to network devices or systems, not access rights.

Workflows: Are automated processes for tasks like approvals, not access itself.

Accounts: Represent user identities, not the specific access they have.

Saviynt IGA References:

Saviynt Documentation: Saviynt's documentation consistently uses the term "Entitlements" to describe the various types of access it manages.

Saviynt User Interface: The Saviynt interface uses "Entitlements" throughout its menus and features related to access management.