raw questions

1. What is certification?
2. What are the certifications in SailPoint?
Manager certification
application owner certification
entitlement owner certification
advanced certification
Role Membership
Role composition
Account Group Permissions
Account Group Membership

3. What is the lifecycle of a certification?
  1. Staging period
  2. Challenge period
  3. Revocation period
  4. Sign off period
 
4. Is it possible to hold a certification?
Yes, in the challenge phase the user can challenge his access.
5. Is it possible to exclude members from a certification?
Yes, it is possible to specify the members to exclude from certification in an advanced certification.
6. What is a rule?
A rule is a BeanShell script, and it can be reusable.
7. What is pre-iterate?

PreIterate Rule: This rule runs only once for the whole file before the records in the file are
processed; it is available to address any file-management needs for the aggregation task.
Common examples include unzipping the file, validating the file date before aggregating potentially stale data,
building a local map of lookup data from a remote source which can be used in the aggregation
process (more efficient than a remote lookup for each record), etc.


8. What is a build map rule?
This rule offers an opportunity to perform data manipulation on the delimited file
account data as it is read from the file. In the absence of a build map rule, IdentityIQ automatically
takes the columns list and the data values in the current record of the file and builds a hashmap of
name-value pairs (i.e. column - rowValue). If the record should be manipulated differently from that
default, the build map rule can be used to control that behavior. This rule runs for each record in the
file.
9. Customized rule?
  Build map rule for delimited file, SAP, LDAP.

10. Pre-delegation rule.
If the manager goes on leave, this rule is run.
11. What is access management?
Providing secure access to resources through web browsers and mobile applications.
12. What is a Role and what is the use of a Role?
It is the clubbing together of access on different systems.
Roles are used as below:
• Categorize and manage users based on job function
• Provide a translation between business and IT functions
• Ease the provisioning and the request process for new access
• Simplify auditing and the access and certification process

13. What are Roles?
Roles are similar to Logical Applications in that they can encapsulate the entitlements needed to access
enterprise applications.

1. Organization role (cannot be requested)
2. Business role (can be requested)
3. Entitlement role (can be requested)
4. IT role (cannot be requested)

14. Workflows

15. Identity mapping?

16. Account mapping.
Application - account mapping
17. Entitlement
18. Entitlement catalog
19. What is a managed attribute?

20. What is mitigation?
  If you want to provide an exception.

21)
22) How can we set a limit for delete aggregation?
23) Identity Cube refresh?
If you want to refresh the identity attributes of an Identity Cube, we run the Identity Cube refresh.
 Update identity attributes from the identity account attributes and through calculations

The Refresh Task is critical to finalizing data on the Identity Cubes. 
1) All entitlements are promoted from the Account Data to the Identity Cubes by the Refresh Task.
2) Policy violations and risk scores are calculated by the Refresh Task.
Typically Aggregation Tasks are followed by a Refresh Task.
Different options in Identity Refresh:


24)

25)Identity risk ? application risk ?

26) What is a service account and how are you going to represent it?

The three main options for representing service accounts in IdentityIQ are:

1. Attach the service account to the account owner's identity
2. Create a standalone identity cube for each service account
3. Create a service identity cube for each resource (application) to hold all service accounts for the given resource

30. In how many ways can you initialize variables in workflows?
 Reference
 String
 Rule
 Call method
 Script

31) How to debug workflows?
<Variable initializer="true" input="true" name="trace"/>


32) Enable logging (log files) for SailPoint
1) Open the file ..\identityiq\WEB-INF\classes\log4j.properties
2) Search for log4j.appender.file=org.apache.log4j.FileAppender
3) Uncomment (remove the # symbol from) the next 4 lines
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=C:/trainingData/sailpointInstallables/logs/sailpoint.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{ISO8601} %5p %t %c{4}:%L - %m%n

  Search for log4j.rootLogger=warn,file and uncomment it.
  Go to the end of the file and add the class against which you want to debug.
  To find the class name, go to the debug page.
  In the object browser, provide the object name as Application.
  Provide your application name in the search filter.
  Open that application.
  Copy the class name mentioned against the connector tag in the app XML.
  At the end of the log4j.properties file
append log4j.logger.<connector class>=trace/debug/info/all/warn (save the file)
33) Go to the debug page of SailPoint
 From the menu named debug ----> logging option
 Reload logging configuration.

Logging is enabled.
 
34) How to set a debug logger for logging in SailPoint.

import org.apache.log4j.Logger;
import org.apache.log4j.Level;

Logger log = Logger.getLogger("sailpoint.services.bshdemo");
// TODO: Remove this forced log level set before checking in this Rule. 
log.setLevel(Level.DEBUG); 

log.debug("Hello logging world!");

35) How to set an info logger for logging in SailPoint.

import org.apache.log4j.Logger;
import org.apache.log4j.Level;

Logger log = Logger.getLogger("sailpoint.services.bshdemo");
// TODO: Remove this forced log level set before checking in this Rule.
log.setLevel(Level.INFO);
36) How to save an identity object?

context.saveObject(id);
context.commitTransaction();

 
37) What is Access Management?
Ans - Managing the permissions of an account, through which the account gets some access on a target system, is called access management.
This is achieved in SailPoint by the re-certification process.
38) What are Roles?
Clubbing together all permissions of different target systems into a single entity, to maintain permissions in an efficient way, is termed a Role.
39) What is an Identity Cube?
The identity along with all its details, like entitlements, history, policy, accounts etc., is called an identity cube. It is a virtual 3-dimensional representation of an identity.
40) What is application onboarding?
Configuring the settings to connect to a target system, to bring in all accounts and permissions from that target system, is called application onboarding.



41)
For how many types can extended attributes be increased in SailPoint?
Extended attributes can be increased for 8 types:
1. AlertExtended.hbm
2. ApplicationExtended.hbm
3. BundleExtended.hbm
4. CertificationItemExtended.hbm
5. IdentityExtended.hbm
6. LinkExtended.hbm
7. ManagedAttributeExtended.hbm
8. TargetExtended.hbm

42) Extended attribute mappings for Identity.
By default we will map 10 extended attributes, but this may be raised to
a maximum of 20.

Using ExtendedPropertyAccessor, you can add attributes beyond
the limit of 20 and give them meaningful names.


Only the first five attributes are indexed, to provide
an example of how to specify an index.  In a production deployment you
will usually index most of the extended attributes since they are
usually added for searching.

43) Which parameters need to be uncommented in the iiq.properties file?

# Depending on the type of database being
# used, you will need to do the following:
#
# 1) Uncomment the correct sessionFactory.hibernateProperties.hibernate.dialect
#    and ensure that all other dialects are commented out.
# 2) If using MS SQL Server, also uncomment the quartz properties:
#    scheduler.quartzProperties.org.quartz.jobStore.driverDelegateClass and
#    scheduler.quartzProperties.org.quartz.jobStore.selectWithLockSQL.


44)
IDENTITYIQ MANAGED DATASOURCES ONLY
#
# In addition to the steps above, if IdentityIQ is creating its own datasource
# (ie - not using an application server managed datasource), you will need to
# perform the following steps:
#
# 1) Modify dataSource.username and dataSource.password to include the username
#    and password of the database user.  The password may be an encrypted using
#    the "encrypt" command when running "iiq console".
# 2) Configure the dataSource.url to connect to the database, and uncomment the
#    appropriate dataSource.driverClassName.
# 3) Optionally configure other connection pool settings.




45) How many types of Roles can be created in SailPoint?
  IT, Business, Entitlement, Organization
 
  Business E  OT
 
46)

57) What is role membership certification?
Certifying the access of the people who are associated with a role is called role membership cert.
58) What is role composition certification?
Certifying the composition of a role, meaning certifying all the permissions of which a role is composed, is called role composition certification.

59) What is application owner certification?
Certifying the access of people associated with a certain application is called app owner cert.
60) What is an exclusion rule?
A rule written to exclude some persons from the certification (access review) process.
61) What is nativeIdentity?
Unique attribute through which an identity is identified, e.g. employeeId.
62) How can we represent an organization in SailPoint?
Using Roles. Can create roles for one organization.
63) In case there is a new target system, how will you interact with that target system to get all records from it and do the governance for that target system?
Need to write a custom connector for that.
64) What are lifecycle events?
Joiner, mover, leaver (processes which show that an identity is added to a firm, removed from a firm, or their department gets changed).
65) What is a population and how is it used?
A population is a grouping of identities based on a search result, like people working in the same department. It is used in the certification process.
66) How is a population created in SailPoint?
Using the Advanced Analytics section: search for a group of identities and then save that as a population.

68) What are the different types of certification? Which ones have you worked on?

69) What is an exclusion rule in certification?

70) What is a predelegation rule?
In case the actual approver is absent, the review is delegated to some other person. The rule written in the certification for this process is called a predelegation rule.

71) Can workflows be called from a certification or not?
No.


72) What is role based access control?
Managing the access of users using Roles in SailPoint is RBAC (Role Based Access Control).

73) What are BeanShell scripts?
Scripting language used to write rules in Java. Ref - http://www.beanshell.org/manual/syntax.html

74) What can I do when I have launched a certification and, after the certification, I have taken a decision to remove a role from an identity, but as soon as I click on revoke access it should not get revoked? The access should persist for some days, and only after a few days should the access get revoked.
There is a check box in the certification configuration called "Process revokes immediately". If this is checked, the revocation occurs instantly, otherwise not.

75) Have you done the SSO configuration? Tell me the steps and configuration.
There is a section in Login configuration --> SSO configuration, where we need to write a rule for SSO configuration.
76) In case I have made some changes in the target system, I want to find in the audit whether the changes were made from the target system or from SailPoint. What configuration do I need to do?
System setup --> audit configuration.
77) How to write a custom task? Give all the necessary steps which need to be done.
Covered in session.
78) What are the important database tables for SailPoint IdentityIQ?
spt_identity, spt_link, spt_bundle, spt_certification, spt_rule, spt_taskdefinition.
79) What is a rule library? What is the purpose of writing a rule library?
A collection of small functions in a single place is called a rule library.

80) What is a Library in a workflow?
Libraries are class files which contain functions that can be used in a workflow to do some processing.

81) Whenever a user joins the firm, what things are done in SailPoint for that? What configuration is required?
lifecycle event --> joiner --> joining workflow

82) What is the nativeChange type of lifecycle event?
If some change happens directly on the target system and we want a workflow to be triggered in SailPoint for that, we need to enable nativeChange detection and configure a nativeChange event in lifecycle events.

83) What is a rule-based lifecycle event? How is it used?
If an event needs to be triggered based on some condition every time, then use a rule-based lifecycle event.
84) What are capabilities in SailPoint IdentityIQ?
Capabilities in SailPoint are used to restrict the access of a user on the user interface of SailPoint.

84) What is the difference between capabilities and roles?
Capabilities are used to restrict the access of a user on the menus of SailPoint, while roles are used to restrict the access of a user on the target system.

85) What are approval items?
Whenever a request is made in SailPoint, some approvals are created, which are sent to the approver in the form of approval items.

86) What are the different modes of approval?
serial, parallel, parallel poll, serial poll, any
87) How can we open a custom form in an approval?
Need to use SailPoint forms in a step of the workflow.

88) Is there any difference between role mining and role engineering? If there is, what is it?
No difference.
89) What is role mining? What are the different approaches for role mining?
Top down
Bottom up.



90) What kind of roles have you implemented?
Ans) A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization. A simple role is a collection of entitlements defined within the context of a single system. I have been involved in creating business and IT roles.
91) What components are required to configure LDAP and AD?
Ans)
92) If you are using application servers (WebLogic or any other application server), we need to configure the JNDI name.
APPLICATION SERVER MANAGED DATASOURCES ONLY
#
# In addition to the steps above, if IdentityIQ is using an application server
# managed datasource, you will need to perform the following steps:
#
# 1) Configure the datasource in your application server.  This usually involves
#    putting the JDBC driver jar file in a common location and configuring
#    properties for your database connection and pool settings.  Consult the
#    documentation for the application server for more information.  Also,
#    ensure that the JDBC driver jar file is not in the WEB-INF\lib directory
#    of the IdentityIQ web application.
# 2) Change jndiDataSource.jndiName to point to the location in JNDI in which
#    the datasource is stored.
# 3) Change configuredDataSource.targetBeanName to "jndiDataSource".


93) What is a logical application?
Ans: Sometimes, we need to identify an “application” and corresponding “accounts” as something that spans one or more applications. Take an example whereby a web application uses a specific entitlement in Active Directory to define membership in an application. Any user who has this specific Active Directory entitlement has an “account” on this application. This is an example of a Logical Application.
94) What kind of custom tasks did you build?
Tasks perform periodic operations such as Aggregation, Identity Refresh, System Maintenance. It’s possible and very common to write your own tasks. Please specify the custom tasks written by you.
95) What are the different phases in certification?
Generation Phase, Active Phase, Challenge Phase, Sign Off Phase, Remediation\Revocation Phase, End Phase
96) How can we use forms?
Forms are used to solicit user input in several areas of IdentityIQ. They are used with:
a) Application and role provisioning policies
b) Identity provisioning policies (only applicable for installations using Lifecycle Manager)
c) Data entry and approvals in workflow steps
d) Report filter specification
97) What is identity mapping?
Ans) To configure identity attributes that are used by IdentityIQ.
98) What is account mapping?
Ans) To configure accounts that are managed by IdentityIQ.
99) What is a connector rule?
Connector Rules are used during aggregation from specific connectors, specifically DelimitedFile, JDBC, SAP and
RuleBasedFileParser. Connector rules run before Aggregation rules in the aggregation process. These rules are
used to:
1) implement pre-processing of data
2) implement post-processing of data
3) manipulate, merge or otherwise transform the incoming data as it’s being read
100) What is an assigned role and a detected role?
101) What is role mining?
Role mining is used to create roles based on specified criteria in an existing enterprise.
IdentityIQ separates role mining into the following categories:
IT Role Mining
Business Role Mining

102) What are the different types of provisioning?
Types of provisioning include:
1. Automated provisioning – Detecting new user record from the Authoritative Source or HR System and automatically provisioning those users with appropriate access on target applications.
2. Self-service provisioning – allows users to update their profile data and request an account or request an entitlement and manage their own passwords.
3. Workflow-based provisioning – gathers the required approvals from the designated approvers before granting a user access to an application or data.
103) What is aggregation?
Aggregation refers to the discovery and collection of information from the applications configured to work with IdentityIQ. For example, IdentityIQ uses an Identity Aggregation task to pull the values associated with the identity attributes specified during the configuration process from user accounts on the designated applications. That information is then used to create the foundation of the IdentityIQ Identity Cubes.
104) What kinds of certification have you been involved in so far?
 Ans) Application owner cert, manager cert, entitlement, role membership, role composition, advanced etc.
105) What are the steps involved in SailPoint installation?
a) Stop Tomcat
b) Unzip and extract the IdentityIQ war file in the ~/webapps folder (jar -xvf identityiq.war)
c) Go to the IIQ console and run ./iiq schema
d) Log in to the DB and run the corresponding script. For example, the command for MySQL (source create_identityiq_tables.mysql)

106) During the installation process, which XML do you need to load in IIQ?
import init.xml

107) What is an upgrade and how did you perform the upgrade?

108) What kind of issues have you faced in the upgrade process?

109) What is patching and how have you performed patching in SailPoint?

In the patching activity, we have three steps.
1. Extracting the jar file into the right locations.
2. Executing the database script.
3. Running the iiq console task.
110) What commands do you use for the patching activity?

111) Do you know the Hibernate implementation?
112) How to use import? Explain.
113) By extending AbstractConnector, we have implemented Open connector?
111) What is role mining?
Ans) IdentityIQ helps to identify roles in the organization by performing role mining. Here we have two approaches.
a) Top-Down approach.
b) Bottom-Up approach.

 
118) Difference between work groups and populations?
Groups — used to track accessibility, activity, and monitored risk by group membership. Risk scores are
displayed on the Home Page. Groups are defined automatically by values assigned to identity attributes.

Populations — are query based groups created from the results of searches run from the Identity Search
page. Searches that result in interesting populations of identities can, optionally, be saved as populations
for reuse within IdentityIQ.

Populations are similar to groups, except that they are driven off of multiple search criteria
whereas Groups are statically defined based off a single Identity attribute.
These groups themselves are not dynamic. You must run the Refresh Groups task
periodically to update them. Between runs of Refresh Groups, the groups themselves
remain static, but the membership is always based off a dynamic query.

Note: Populations are dynamic queries, so every time you view a population, you
are viewing its current members at that point in time.

119) How to trigger a custom workflow?

120) Any other way to trigger a custom workflow?

121) Workflow modules?

122) Why do we need I services?

123) Explain about your project?

124) Difference between IT role and Business role?

125) Types of certifications?
Manager certification
Application owner certification
Entitlement owner certification
Advanced certification

126) Phases of certifications?

127) What is scope in SailPoint?

128) What did you write in the provisioning plan?

129) Correlation and types?

130) Why a correlation rule?

131) What is a transition?
In a workflow, the transition decides the flow of the workflow.

132) Cloud modules?

133) Can we use a build map rule in AD?

134) Manager transfer: what type of approvals?

135) Variables in workflow?
String
script
rule
call
reference

136. Promote managed attributes

137. Detect deleted accounts?
 In case the account does not exist in the system, the corresponding accounts going

138) What is a logical application?  *****

Ans: Sometimes, we need to identify an “application” and corresponding “accounts” as something that spans one or more applications.
Take an example whereby a web application uses a specific entitlement in Active Directory to define membership in an application. Any user who has this specific Active Directory entitlement has an “account” on this application. This is an example of a Logical Application.

140) What kind of custom tasks to build?   *****
Tasks perform periodic operations such as Aggregation, Identity Refresh, System Maintenance.

141) What are the different phases in certification?
Generation Phase,
Active Phase,
Challenge Phase,
Sign Off Phase,
Remediation\Revocation Phase,
End Phase

142) About lifecycle events?
Joiner
Mover
Leaver


144) Build map rule, and what did you write in BeanShell?

145) How does provisioning work?

146) Types of approvals?
serial, serial-poll, parallel, parallel-poll, any
147) Difference between customization and build map rule?
Customization rule can connects.
148) Role mining

Role mining analyzes data in the system using pattern-matching algorithms. You can use the results to help
determine what new roles to create. IdentityIQ supports role mining to create both business and IT roles.

• "IT Role Mining" 
• "Business Role Mining" 

150) What is the purpose of Perform maintenance?
Keeps standard systems moving through their phases. This task runs every 5 mins.
151) What is the purpose of Check expired mitigations daily?
Scans for policy & certification exceptions that have expired. This task runs every day.
152) What is the purpose of Check expired work items daily?
Scans for uncompleted work items that have expired. This task runs every day.
153) What is the purpose of the task Perform Identity Request Maintenance?
Checks for provisioning completeness.

154) How to find out the number of failed user logins and logouts in SailPoint?
 In the Advanced Analytics report, select Audit Search and in that define the class as loginFailure.

155) How many searches are available in the Advanced Analytics report?
IdentitySearch
AccessReviewSearch
RoleSearch
AccountGroupSearch
ActivitySearch
AuditSearch
ProcessMetricsSearch
SyslogSearch
156) How many standard attributes are there in Identity Search?
8
157) How many searchable attributes are there by default?
4
158) What are searchable attributes and how to define them?
In System Settings ---> Identity Mapping. While defining an attribute, we define it as a searchable attribute.

159) Where does the log4j.properties file exist in IdentityIQ?
identityiq/WEB-INF/classes

160) What is group factory ?

161) What is multi-value field ?

162) What is the Identity Attribute?
These fields define which of the attributes that we are reading in will be used to define uniqueness.

The Identity Attribute defines which attribute will
be used to determine the uniqueness of the account.
You could think of this as the primary key for the
application accounts. In this case, we are using the
“User ID”, which is unique for each user.

163) What is the difference between a Rule and a Script?


164) What is Detect deleted accounts?
To sync up data between IdentityIQ and the target system.
165) What is Disable optimization of unchanged accounts?


166) What is the use of move account in the application accounts tab?

167)
What is the name of the field you set for IdentityIQ to populate this attribute?

DisplayAttribute?

Whatever attribute you have set as DisplayAttribute, that attribute is going to appear as the user ID.
• Identifies which attribute holds the display attribute
• Used for friendly display name


167) What is the difference between account mapping and identity mapping?

Specify the applications and rules from which account data is derived

Specify the applications and rules from which identity data is derived.

SAP HP
======
empid ,location,email

table:-
empid,accountstatus,



168) What are Extended Identity Attributes?

We will now define and configure additional Identity Attributes. These are attributes specific to the
implementation that are additional to the out of the box attributes. These attributes are called
Extended Identity Attributes.


169) Are multi-valued attributes searchable by default?

Multi-valued attributes and all standard attributes are automatically searchable in
IdentityIQ. They are not shown as searchable in the summary list because they do not count
against your configured set of searchable attributes.

170) What is an application rule and what is a global rule in Identity mapping?


171) If you want to use an identity attribute in account correlation, which type of identity attribute do you need to specify?
Ans: A field should be marked as searchable and GroupFactory.

 A field should be marked as searchable if you will need to use it for account correlation
(like Employee ID) or for Analytics (Location, Region). Group Factory identifies
those fields from which groups of users may be created (for example, a group of
inactive users).

172) Uncorrelated identities?


173) What is an authoritative source?

174) What are links in SailPoint?
Access on different servers.

175) Uncorrelated identity?
If an identity doesn't have a link with any authoritative source application, it is called an uncorrelated identity.

176) What is the difference between an identity and an account?

177) Stale identity or orphan identity in SailPoint?

If an identity doesn't have any accounts, it is called an orphan identity or stale identity.

178) What is the prune identity task?
 Manually correlate the accounts using the UI. This involves moving the uncorrelated
account to the proper identity. Once the uncorrelated task is completed, to delete the orphan identities we run the prune task.


179) Which application's identities are automatically correlated identities?

Authoritative application identities are automatically correlated identities.

180) Define correlation attributes for the applications given below

HR
===
Id,Fname,lastname,email
Oracle Server
=========
id,position,manager 

SAP Server
======
username,email,dept

Blog
=====


Ad Server:-
SAMAccount,fullname,position,Manager,dept


181) Between which applications does correlation happen?

Correlation always happens between correlation and non correlation applications.

182) On which attributes does correlation always happen?

Correlation always happens on identities and accounts only.


183) What is the use of a correlation rule?
If you don't find common attributes between the authoritative application and the non-authoritative one, then we need to define a correlation rule to create a correlation attribute.


184) What is manager correlation?
1. Define which application attribute defines a user’s manager.
2. Map the application attribute to the manager’s Identity Attribute.

185) What is the difference between identity correlation and manager correlation?

186) How to configure new identity attributes in the identity cube?

1) Go to Debug mode 2) UI configuration 3) Search for name: identityViewAttributes.
 Modify the entry <entry key="identityViewAttributes" value="name,firstname,lastname,email,manager"/> to:
 <entry key="identityViewAttributes" value="name,firstname,lastname,email,manager,department,location,empId,region,jobtitle,costcenter,status"/>

187) How to delete all identities from IdentityIQ?
delete Identity *

188) How to delete accounts for one specific application?


189) What is the Instance Attribute?  *****

190) Customize the Identities page to include new Identity?

Add the following two lines to the entry for identityTableColumns and click Save:
<ColumnConfig dataIndex="status" headerKey="Status" hideable="true"
property="status" sortProperty="status" sortable="true"/>
<ColumnConfig dataIndex="correlated" headerKey="Authoritative?" hideable="true"
property="correlated" sortProperty="correlated" sortable="true"/>

191) If you define attributes as searchable, where can you find them as searchable attributes?
You can find them in Advanced Analytics, where they appear as searchable attributes.


192) If you have loaded the authoritative applications and you are now loading non-authoritative accounts, what are the things you need to take care of?


When loading a non-authoritative application, it is necessary to correlate user accounts from this
new application to existing Identity Cubes. We will do this by defining an Account Correlation
configuration when configuring each application. Account Correlation can be configured as a simple
attribute mapping or, for more complicated examples, we can implement Account Correlation as a
rule. In this section we will use an attribute mapping to correlate accounts.

193) What are orphan accounts?
Orphan accounts are those accounts that cannot be linked to existing identity cubes.
193) You have loaded the authoritative source and loaded the non-authoritative application by applying correlation, but you can still see non-linked accounts (orphan accounts). How do you map them?
We need to correlate them manually.
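
The correlation outcomes described in questions 183, 192 and 193, modelled in Python as an added example (this is not IdentityIQ code and not part of the original notes). The records are constructed from the attribute lists in question 180, `correlate` and `ad_lastname_rule` are hypothetical names, and treating an ambiguous match as an orphan is a choice of this model.

```python
# Constructed sample data; attribute names follow the lists in question 180.
HR_IDENTITIES = [  # authoritative source: one identity cube per record
    {"Id": "1001", "Fname": "Asha", "lastname": "Rao", "email": "asha.rao@example.com"},
    {"Id": "1002", "Fname": "Ben", "lastname": "Ortiz", "email": "ben.ortiz@example.com"},
    {"Id": "1003", "Fname": "Bea", "lastname": "Ortiz", "email": "bea.ortiz@example.com"},
]
SAP_ACCOUNTS = [  # shares the "email" attribute with HR
    {"username": "ARAO", "email": "asha.rao@example.com", "dept": "Finance"},
    {"username": "SVC_BATCH", "email": "", "dept": "IT"},
]
AD_ACCOUNTS = [  # no attribute in common with HR
    {"SAMAccount": "arao", "fullname": "Asha Rao"},
    {"SAMAccount": "bortiz", "fullname": "Ben Ortiz"},
    {"SAMAccount": "administrator", "fullname": "Administrator"},
]


def correlate(identities, accounts, mapping=None, rule=None):
    """Link each account to exactly one identity; return (links, orphans).

    mapping: (account_attr, identity_attr), the simple attribute mapping.
    rule:    callable(account) -> (identity_attr, value) or None, standing in
             for a correlation rule when no common attribute exists.
    """
    links, orphans = {}, []
    for account in accounts:
        if rule is not None:
            key = rule(account)
        else:
            account_attr, identity_attr = mapping
            key = (identity_attr, account.get(account_attr))
        matches = []
        if key and key[1]:  # an empty value must never match anything
            matches = [i for i in identities if i.get(key[0]) == key[1]]
        if len(matches) == 1:
            links.setdefault(matches[0]["Id"], []).append(account)
        else:
            # Zero or several candidates: leave the account uncorrelated so it
            # is reviewed and correlated manually rather than linked by guess.
            orphans.append(account)
    return links, orphans


def ad_lastname_rule(account):
    """Hypothetical rule: derive the HR 'lastname' value from AD 'fullname'."""
    parts = account.get("fullname", "").split()
    if len(parts) < 2:
        return None
    return ("lastname", parts[-1])


if __name__ == "__main__":
    for name, accounts, kwargs in [
        ("SAP", SAP_ACCOUNTS, {"mapping": ("email", "email")}),
        ("AD", AD_ACCOUNTS, {"rule": ad_lastname_rule}),
    ]:
        links, orphans = correlate(HR_IDENTITIES, accounts, **kwargs)
        print(name, "linked to identities:", sorted(links), "orphans:", orphans)
```

The orphan list is the part to review: service accounts and shared administrator accounts typically end up there, and they are the accounts nobody certifies until someone correlates them by hand.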

194) How to promote entitlements into the Entitlement Catalog?
1) We need to configure the attribute as Managed in the application schema; then its values will be loaded into the Entitlement Catalog.
groupmbr got loaded into the Entitlement Catalog.

We need to select Promote managed attributes in the aggregation task.



195) What is the use of "Data needs to be merged" in application onboarding?

196) How to skip the first 'n' lines when loading a file using the delimited file connector?
In the Filtering section of file onboarding, specify the number of lines to be skipped during application onboarding.

197) How to filter out empty lines in the file loading approach?
In the Filtering section of file onboarding, check the Filter Empty option.
198) How to ignore records with the department value Manufacturing in a delimited file?
In the Filtering section of file onboarding, specify the Filter String.

Filter String: Specify a filter string to ignore objects in the feed based on attribute values. For
example, if all records with a department value of "Manufacturing" should be ignored, the Filter String
would be specified as department == \"Manufacturing\". Details on filter string syntax can be found
in the Filters and Filter Strings white paper on Compass.

198) How to skip loading a record if it starts with "#"?
In the Filtering section of file onboarding, specify the special character under Comment Character.

• Comment Character: Enter a comment character used in the data file. Any line starting with this
character will be skipped.
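
The four Filtering options from questions 196 to 198, modelled in Python as an added example (this is not IdentityIQ code and not part of the original notes). The feed is constructed, `load_feed` and its parameters are hypothetical names, the order in which the options are applied is an assumption, and only the equality form of the Filter String is modelled.

```python
import csv
import io

# Constructed sample feed: two banner lines, a header row, then account records.
SAMPLE_FEED = """\
Export generated by HR batch job
Do not edit by hand
id,fullname,department
# temporary contractor block
1001,Asha Rao,Finance

1002,Ben Ortiz,Manufacturing
1003,Chen Li,Engineering
#1004,Dana Moss,Finance
"""


def load_feed(text, lines_to_skip=0, filter_empty=True,
              comment_char=None, filter_attr=None, filter_value=None):
    """Return (kept_records, dropped) for a delimited feed.

    dropped maps each filtering option to the lines or records it removed,
    so the exclusions can be reviewed instead of disappearing silently.
    """
    lines = text.splitlines()
    dropped = {"skipped_leading": lines[:lines_to_skip],
               "empty": [], "comment": [], "filter_string": []}
    body = []
    for line in lines[lines_to_skip:]:
        if filter_empty and not line.strip():
            dropped["empty"].append(line)
        elif comment_char and line.startswith(comment_char):
            dropped["comment"].append(line)
        else:
            body.append(line)

    kept = []
    # The first surviving line is treated as the column header.
    for record in csv.DictReader(io.StringIO("\n".join(body))):
        # Models only the equality form: department == "Manufacturing"
        if filter_attr and record.get(filter_attr) == filter_value:
            dropped["filter_string"].append(record)
        else:
            kept.append(record)
    return kept, dropped


def audit_sample():
    """Run the model over SAMPLE_FEED with the settings from questions 196-198."""
    return load_feed(SAMPLE_FEED, lines_to_skip=2, comment_char="#",
                     filter_attr="department", filter_value="Manufacturing")


if __name__ == "__main__":
    kept, dropped = audit_sample()
    print("aggregated:", [r["id"] for r in kept])
    for reason, items in dropped.items():
        print(f"{reason}: {len(items)} dropped -> {items}")
```

In the sample, account 1004 is excluded only because its line begins with the comment character, so it would never reach a certification; comparing the dropped counts against the source file is the same check the PostIterate rule is described as being used for.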

199) What is the use of Revoker in application onboarding?
 Select a user who will receive and process the manual work item to revoke an identity's
access to this application when their access is revoked through IdentityIQ (through a certification,
a Lifecycle Manager request, etc.). If no Revoker is specified, the application owner receives the
revocation work item.
200) For which connectors do we specify a Native Object Type other than account?

Applications using the LDAP connector, where it is "iNetOrgPerson"; it should be
"account" for most application types, including delimited file.

201) What is the PostIterate Rule and where exactly is this rule used?

PostIterate Rule: This rule runs once for the whole file after the records in the file are processed; it is
available to address any post-aggregation file management needs for the task. Common examples
include deleting or archiving the file, clearing the local map of lookup data, validating counts of
records processed, etc.

202) What is the Map to ResourceObject Rule and where is it used?
Like the build map rule, this is a rule hook available for data
manipulation of the account data as each record is processed. This rule is run after any record
merging configured for the application has occurred. Without a map to resourceObject rule present,
IdentityIQ will automatically translate a record's hashmap representation into a resourceObject
representation; this rule allows customers to manipulate data during that transformation process.

203)What are the Connector Rules ?
1.Build Map Rule
2.PreIterate Rule
3.PostIterate Rule
4.Map To ResourceObject Rule
5.MergeMaps Rule



204) What are the Aggregation Rules?
1.Correlation Rule
2.Creation Rule
3.Manager Correlation Rule
4.Customization Rule
5.Managed Entitlement Customization Rule



204) What is the difference between Connector Rules and Aggregation Rules?

Connector rules are run while connecting to the application, and Aggregation rules are executed while running the aggregation task.


205)What is the use of clearCache command ?

206)How to clear the pending emails queue ?


207)What is the use of connectorDebug ?

connectorDebug PAM iterate group

208) If you want an attribute to be part of the entitlement catalog, where do you need to specify it?

In the schema's attributes section, specify the column as an entitlement so that the field will appear in the entitlement catalog.

209) What is Delta Identity Refresh?

IdentityIQ version 7.0 introduces Delta Identity Refresh to IdentityIQ: the ability to perform identity refresh functions on only the identities which have recently changed.

210) How many steps are involved in Delta Identity Refresh setup?

The Delta Identity Refresh feature involves this two-step process:

1. Configure and run aggregation tasks to mark identities as changed as they modify attribute or account data on the identities.
2. Configure and run identity refresh tasks to perform their functions only on the marked identities.

211) What is Multiplexing application ?
 The application definition that points to the single source feed containing data for multiple resources

212) Multiplexed applications:

The application definitions representing the individual resources whose
data is contained in the source feed; these are usually auto-generated during the aggregation
process

213) What is updateMultiplexedSchemas and where exactly is this attribute used?

214) What is a logical application?

215) What are the reserved words for a multiplexed application?
 IIQSourceApplication and IIQMultiplexIdentity.

216) What is the difference between Multiplexed applications and Logical applications?

217) Similarities and differences between Roles and Logical Applications

Logical Applications and Roles have a number of similarities.

• Both are abstractions.
• They provide a way to manage user access to critical applications and systems.
• They can simplify the provisioning and certification processes by encapsulating entitlements and permissions in a single unit.
• They can present entitlement data in a way that is more easily understood by non-technical reviewers.

The primary differences between Logical Applications and Roles are:

• They provide different ways of modeling access. Logical Applications are account-centric, while Roles are entitlement-centric.
• Roles have an extended set of features not available to Logical Applications including:
  o Automated creation and management through role mining, entitlement analysis, impact analysis, role inheritance, and role archiving
  o Management through workflows that can create/update/delete roles, schedule role creation and decommissioning, and schedule role/entitlement assignment
• Roles scale significantly better than Logical Applications. Refer to the section titled Performance Impacts below for more details about the scalability of Logical Applications and Roles.


218) What if you want to refresh the identity cubes of only one specific application?
In Refresh cube, in the Filter string, you can specify the application string; based on that, you can filter by application.
219) What is the synonym for account?
Link is synonymous with account.
220) How to create a custom Identity Refresh Cube task?
In Monitor, select the task, select the Identity Refresh Cube, and specify the filter.

221) How to create custom tasks ?

In Monitor tasks --> select the related task.


222) Can you please describe IIQ Disabled and where exactly it is used?

223) What are Workgroups and where can Workgroups be used?


224) What is a Group Factory, where is it defined, and where is it used?

If you want to define groups based on an attribute, you need to define that attribute as a Group Factory.
If you have defined an attribute as a group factory, that particular field automatically appears in the group creation menu.

225) What kind of visibility is there for populations?

By default, populations are private; they are visible only to the person who created them.
If you want to make a population visible, uncheck its Private check box.

226) What is policy ?

Policies are defined and used to monitor identities that are in violation of the policies.


227) How are you going to manage policy violations?
Policy violations can be managed through certifications or the policy violations page.
You can also configure violations to trigger a business process to send email notifications and generate work items
so that policy violations can be managed immediately upon detection.

228) Examples of Policies ?
Separation of duties policy:-
 a separation of duties policy can prohibit one identity from requesting and approving purchase orders.
Activity policy:-

An activity policy can prohibit an identity with the Human Resource role from
updating the payroll application even though the identity has view access to the application.

Rule violations for a policy:-

Rule violations for a policy, when detected, are stored in the identity cube. These violations also appear on
identity score cards and enable you to identify high-risk employees and take appropriate action.


229) How many policies are there? Describe them.
1. Custom Policies
 Any policies that were created outside of IdentityIQ to meet special needs of your
enterprise. You cannot create a custom policy from inside the product. Use the Edit Policy page to view
information about a custom policy, but changes made here will not affect the performance of the policy.
2. SOD
 Separation of duties policies ensure that identities are not assigned conflicting roles.
3. Entitlement SOD
 Separation of duties policies ensure that identities are not assigned conflicting
entitlements.
4. Activity
 Ensure that users are not accessing sensitive applications if they should not or when they
should not.
5. Account
 Ensure that an identity does not have multiple accounts on an application.
6. Risk
 Ensure that users are not exceeding the maximum risk threshold set for your enterprise.
7. Advanced
 Custom policies created using match lists, filters, scripts, rules, or populations.
To access Policies

230) How are you handling policy violations?

Go to Manage and select Policy Violations.
231) What is Risk scoring ?

232) How many types of risk scores are available?
1. Base Risk Score
The score assigned to each role, entitlement, or policy violation.
2. Total Base Risk Score
The total score of all base risk scores of the same component type on a per-user
basis.
3. Compensated Risk Score
The value of the base risk score for a component multiplied by the compensating
factor for that component type.
4. Total Compensated Risk Score

5. Composite Risk Score or Identity Risk Score

233) What is the use of Refresh Groups?
 Once you have defined the groups, to get identities refreshed into the correct groups, we need to run Refresh Groups.

234) What is the use of Refresh Risk Scores?
 Once you have defined the risk score for the relevant task, to get identities refreshed, we need to run the Refresh Risk Scores task.
235) What is the use of the Refresh Continuous Certification task?
 If an employee leaves the company and they are marked as inactive, the Refresh Continuous Certifications task removes them from the certification.
236) Types of certification?
1. Manager Certifications — certify that your direct reports have the entitlements they need to do their job
and only the entitlements they need to do their job.
2. Application Owner Certifications — certify that all identities accessing applications for which you are
responsible have the proper entitlements.
3. Entitlement Owner Certifications — certify that all identities accessing entitlements for which you are
responsible are correct.
4. Advanced Certifications — certify that all identities included in the population associated with that
Advanced Certification have the correct entitlements and roles.
5. Account Group Certifications — certify that account groups /application objects for which you are
responsible have the proper permissions or the proper group membership. Account groups that do not
have owners assigned are certified by the owner of the application on which they reside.
6. Role Certifications — certify that roles for which you are responsible are composed of the proper roles
and entitlements or that the roles are assigned to the correct identities.
7. Identity Certifications — certify the entitlement information for the identities selected from the Identity
Risk Score, Identity Search Results, or Policy Violation pages, usually for at risk users.
8. Event-Based Certifications — certify the entitlement information for the identities selected based on
events detected within IdentityIQ.

237. What are the different kinds of certification phases?
Active:


Challenge:



Revocation:

End:

9) In how many ways can an assigned certification review be completed?
1. On the SailPoint dashboard - Access Review
2. By selecting work items; we can select the work items assigned to the manager.

238) What is the Entitlement Catalog and what does it contain?
The entitlement description and ownership are defined in the Entitlement Catalog.
239) If there are things you configure often, where can you configure them to avoid configuring them frequently?
In System Setup (gear button) --> Compliance Manager, you can specify them.
240) If a user challenges his access, where can the certifier see the user's challenge?
The certifier can see it on the Access Review page, marked with a star symbol. The certifier can handle the challenge by right-clicking.
250) After a user challenges his access, what are the steps carried out by the certifier and IIQ?
1. If the challenge is accepted, the revoke decision on the challenged item is cleared.
2. The certifier makes a new decision and saves the change.
3. If that was the only challenged decision, IIQ prompts the certifier to sign off the access review.
4. Once signed off, the Access Review is completed and moves to the next step.
241) What are custom tasks? How to create them?
In Tasks, click New Task, select whichever task you want to create, and specify the options accordingly.

Rules:
======

251) How to get an object by name in rules?

import sailpoint.object.Identity;
Identity i = context.getObjectByName(Identity.class, "Gopu");

252) How to get the attributes of an Identity?

Identity i = context.getObjectByName(Identity.class, "Gopu");
253) Display all attributes in an Identity's attribute map?
 System.out.println("Attributes:   " + i.getAttributes());


 253) Display one specific attribute from an Identity's attribute map?
 Identity i = context.getObjectByName(Identity.class, "Gopu");
 System.out.println("department:\t" + i.getAttribute("department"));

 254) How to develop a custom task?
 1) Develop the Java files.
 2) Develop the Rule Runner task in Tasks (Monitor).

 255) To load the LCM manager:
 > import init-lcm.xml


 Identity i = new Identity();

 256) Two types of requests: UI and batch tasks?

 Batch hosts handle:
 Workflows
 Tasks/Reports
 Certification generation

 UI hosts handle user interactions:
 ==================================
 Access Requests
 Performing Certification
 Dynamic Analytics

 257) How to specify different requests for Batch servers and UI servers?
 In the iiq.properties file, specify the following hostnames:

environment.taskSchedulerHosts
environment.requestSchedulerHosts



environment.taskSchedulerHosts=HostA,HostB
environment.requestSchedulerHosts=HostA,HostB

 258) Through how many mechanisms does identity cube data get created in IdentityIQ?

 1. During Data Aggregation:
• By aggregating data from Authoritative Application(s)
  o HR Application
  o Enterprise Directory
• By aggregating data from Non-authoritative Applications
  o Creates non-authoritative cube (more later)

 2. Using Lifecycle Manager:
• Using the Create Identity or Self-registration option in Lifecycle Manager
  o Identity Attributes are entered as part of the creation process
259) What is the Group Attribute?
 1. Identifies which attribute holds the group attribute
 2. Used to identify group membership (groupmbr, memberOf)
260) What are extended attributes?
Additional Identity Attributes are typically defined (called extended attributes).

261) What is Manager Correlation



262) Different kinds of connector types
delimiter:

263) What are the different kinds of correlation methods?
1.Correlation wizard
2.Correlation rule
3.Manually

264) What is the benefit of the Monitoring enable tab in workflows?
This gives statistics on workflow failures.
265) How to enable monitoring for all workflows?
If you select Identity Initialize, you can find monitoring; if you select Initialize, all workflows are monitored, with statistics on
how many times workflows failed and so on.

<Variable name="transient" initializer="true"/>

265) What is the difference between Java and BeanShell scripts ?

IdentityIQ allows system integrators to write rules in the BeanShell scripting language. The BeanShell language
is based on Java and can use all Java classes that are available to IdentityIQ, including custom code. The main
difference between Java and BeanShell is that Java is compiled into byte code, which is executed by the Java
Virtual Machine, while BeanShell scripts are interpreted on execution.

266) how to get
IdentityIQ makes it easy to establish a connection to its local database:

Connection dbCxn = context.getJdbcConnection();
267) How to increase the work item justification width?

268) Rule editor won't compile the BeanShell script?

269) What are Rule Libraries?
A library is a special kind of Rule object. A library collects functions that can be called from other Rule objects.
To use a library in a rule, a function must use the <ReferencedRules/> XML tag.
An example library called "String Utils" could contain the following functions:

270) How to add libraries?

By adding multiple <Reference/> tags, you can add libraries to the rules.
271) If you run System.out.println("Hello, World!"); where will the output be displayed?

Output sent to standard output usually ends up in the application server's log file. In the case of Apache Tomcat,
this is the catalina.out file.

278)
