To help users make informed and quick decisions, Saviynt provides filters for retrieving Certification data in the User Manager Campaign and Service Account Campaign.
Which of the following options cannot be regarded as a Smart Filter?
User's Assigned Role counts
Access with SoD Violations
Out-of-Band Access for Entitlements
Risk Level for Accounts
The option that cannot be regarded as a Smart Filter in Saviynt's User Manager and Service Account Campaigns is A. User's Assigned Role counts. Here's why:
Saviynt's Smart Filters: Smart Filters are pre-defined filters in Saviynt that help Certifiers quickly focus on specific access patterns or risk indicators during a certification campaign. They are designed to highlight potentially problematic or high-risk access.
Examples of Smart Filters:
B. Access with SoD Violations: This is a Smart Filter because it highlights access that violates Segregation of Duties policies, a significant risk indicator.
C. Out-of-Band Access for Entitlements: This is a Smart Filter as it identifies access that was granted outside of the normal Saviynt processes, potentially indicating a security risk.
D. Risk Level for Accounts: This is a Smart Filter because it allows Certifiers to focus on accounts with high-risk levels, which might require more scrutiny.
Why "User's Assigned Role counts" Is Not a Smart Filter:
Not a Risk Indicator: Simply knowing the number of roles assigned to a user doesn't inherently indicate a risk or a specific access pattern that requires attention. A user might have many roles legitimately, or they might have few roles but with high-risk access.
Not Actionable: This information alone doesn't provide enough context for a Certifier to make an informed decision about whether to approve or revoke access.
Alternative: While not a "Smart Filter", the number of roles assigned could be a data point displayed within the campaign, but it wouldn't be considered a pre-defined filter for highlighting risks.
=================
________ filters the requestable applications under "Request New Access."
Access Add Workflow
Access Query
Provisioning Connection
Whom to Request
The component that filters the requestable applications under "Request New Access" in Saviynt is the Access Query. Here's a detailed explanation:
Saviynt's Access Request System (ARS): As the front end for requesting access, the ARS needs a mechanism to determine which applications (and entitlements) should be displayed to a user as requestable.
Access Query: This is a powerful feature within Saviynt that allows administrators to define specific criteria to control the visibility of applications and entitlements in the ARS. Think of it as a filter that determines what a user can see and request.
How Access Queries Work:
Defined on Applications/Entitlements: Access Queries are configured on individual applications or entitlements within Saviynt.
Based on User Attributes: They use user attributes (e.g., department, location, job title, group memberships) and other criteria (e.g., risk level) to determine if a user should see a particular application or entitlement.
Dynamic Filtering: When a user accesses the "Request New Access" section, Saviynt evaluates the Access Queries associated with each application and entitlement in real-time. Based on the user's attributes, the system dynamically filters the list, showing only the applications and entitlements that match the query conditions.
Saviynt's Security Model: Access Queries are a fundamental part of Saviynt's security model. They ensure that users are only presented with access options that are relevant and appropriate for their role and context, preventing accidental over-provisioning and reducing the attack surface.
Other Options:
Access Add Workflow: While essential for processing access requests, the workflow itself doesn't filter which applications are initially displayed.
Provisioning Connection: This relates to how Saviynt connects to target systems for automated provisioning. It doesn't control the initial visibility of applications in the ARS.
Whom to Request: This setting might determine the available approvers, but it doesn't filter the list of requestable applications.
In essence: Access Queries act as a dynamic filter, leveraging user attributes and defined criteria to determine which applications and entitlements are presented to a user within Saviynt's "Request New Access" interface, ensuring a personalized and secure access request experience.
=================
Jane was managing an AD Group; however, she had to decommission this group and revoke access for all the users.
Which of the following options should be used to perform the above task?
Segregation of Duties
Entitlement Update Rule
Mitigation Control
Entitlement Owner Certification
To decommission an AD Group and revoke access for all users, Jane should use D. Entitlement Owner Certification. Here is why:
AD Group as an Entitlement: In Saviynt, an AD Group is typically represented as an Entitlement.
Entitlement Owner Certification: This type of campaign allows the designated owner of an entitlement (in this case, Jane, as the manager of the AD Group) to review and certify who should have access to that entitlement.
Revoking Access: As the Entitlement Owner, Jane can use the certification campaign to:
Review the list of users: See all users who are currently members of the AD Group.
Revoke access for all users: Mark all users for removal from the group.
Decommissioning the Group: After revoking access for all users through the certification, Jane can then proceed with decommissioning the AD Group itself (either through Saviynt if it manages AD group lifecycle or directly in Active Directory).
Why Other Options Are Less Suitable:
A. Segregation of Duties: SoD is a principle, not a specific action for revoking access.
B. Entitlement Update Rule: While rules can automate some actions, a certification campaign provides a more controlled and auditable way to review and revoke access, especially for a sensitive action like decommissioning a group.
C. Mitigation Control: Mitigation controls are used to manage SoD conflicts, not for revoking access to entitlements.
In conclusion: An Entitlement Owner Certification campaign provides a structured and auditable way for Jane to review the membership of the AD Group, revoke access for all users, and prepare for the group's decommissioning, aligning with best practices for access management.
=================
Which of the following options can a Campaign Owner use to view the Entitlements Query that was used in a previously launched Campaign?
Reconfigure option
Campaign Export
Campaign Summary
Export option at the top right corner of the page, next to the Refresh Progress option
To view the Entitlements Query used in a previously launched Campaign in Saviynt, a Campaign Owner can use the C. Campaign Summary. Here's why:
Saviynt's Campaign Summary: The Campaign Summary provides a detailed overview of a campaign's configuration, including:
Campaign Scope: The users, applications, or entitlements included in the campaign.
Filters and Queries: Any filters or queries used to define the campaign scope, including the Entitlements Query.
Certifier Information: Details about the assigned certifiers.
Schedule: The campaign's start and end dates.
Status: The current status of the campaign (e.g., Active, Completed, Expired).
Accessing the Entitlements Query: The Campaign Summary typically includes a section that displays the exact query used to select the entitlements included in the campaign.
Why Other Options Are Less Suitable:
A. Reconfigure option: While you might be able to see the query by going into the reconfiguration, it's not the most direct way. The Campaign Summary is designed to provide this information readily.
B. Campaign Export: Exporting the campaign data might include the list of entitlements but not necessarily the original query used to select them.
D. Export option at the top right corner of the page, next to the Refresh Progress option: This option typically exports the current view of the campaign data, not the underlying configuration details like the Entitlements Query.
In conclusion: The Campaign Summary in Saviynt is the most direct and convenient place for a Campaign Owner to review the detailed configuration of a campaign, including the Entitlements Query used to define the campaign's scope.
=================
An Application Owner Campaign can have multiple primary Certifiers and a single secondary Certifier.
True
False
The statement "An Application Owner Campaign can have multiple primary Certifiers and a single secondary Certifier" is generally False in Saviynt. Here's why:
Saviynt's Application Owner Campaign: This campaign type is designed for Application Owners to review and certify access to their applications.
Primary Certifier: There is usually a single designated Application Owner for each application. This is because application ownership is typically a single point of accountability. While it is technically possible to assign multiple owners, it is not considered a best practice.
Secondary Certifiers (Backup/Delegates): Application Owner Campaigns can have multiple secondary certifiers. These are often used as:
Backup: To ensure the campaign can proceed if the primary certifier is unavailable.
Delegates: To allow the primary certifier to delegate some of the certification tasks.
Consultants: Other stakeholders, such as security or compliance teams, who can be consulted during the decision-making process.
Why the Statement Is Generally False: The core principle of application ownership implies a single point of accountability. While multiple secondary certifiers can assist, having multiple primary certifiers can lead to confusion and conflicting decisions.
Possible Exceptions (Less Common):
Highly Customized Configurations: In some very specific scenarios, organizations might customize Saviynt to allow multiple primary certifiers for an application, but this is not a standard or recommended practice.
________ allows detection of access rights granted outside the Saviynt platform.
REST API
RevokeOutOfBandAccessJob
Bulk Upload
ARS > Request Access for Others
The Saviynt feature that allows detection of access rights granted outside the Saviynt platform is the B. RevokeOutOfBandAccessJob. Here's a detailed explanation:
Out-of-Band Access: This refers to access that is provisioned directly in the target system, bypassing the normal access request and approval processes within Saviynt. This can create security risks and compliance issues.
Saviynt's Reconciliation Process: Saviynt uses a reconciliation process to compare the access rights defined within its system with the actual access rights present in connected applications.
RevokeOutOfBandAccessJob: This specific job is designed to identify and flag out-of-band access. It works by:
Importing Account and Entitlement Data: The job imports data from the target system, capturing the current state of user access.
Comparing with Saviynt Data: It compares this imported data with the access rights managed within Saviynt.
Identifying Discrepancies: Any discrepancies, where a user has access in the target system that wasn't granted through Saviynt, are identified as out-of-band access.
Taking Action (Optional): The job can be configured to automatically revoke this out-of-band access or to simply generate a report for review and manual remediation. Or it can be configured to create a task for an administrator to review.
Saviynt's Access Governance: This feature is a crucial part of Saviynt's overall access governance capabilities, helping organizations maintain control over user access and enforce the principle of least privilege.
Other Options:
A. REST API: While Saviynt's REST API can be used to interact with the system and potentially retrieve access data, it's not the specific feature designed for out-of-band access detection.
C. Bulk Upload: This is a method for importing data into Saviynt, but it doesn't inherently detect out-of-band access.
D. ARS > Request Access for Others: This is part of the access request process, not related to detecting access granted outside of Saviynt.
In conclusion: The RevokeOutOfBandAccessJob in Saviynt plays a vital role in identifying and remediating out-of-band access, ensuring that access rights are managed centrally and consistently through the Saviynt platform.
Which of the following Application types can be associated with the Automated Provisioning configuration turned OFF?
Service Desk Application
Hybrid Application
Connected Application
Disconnected Application
Disconnected applications in Saviynt are those that do not have real-time integration with the platform for provisioning and de-provisioning users. Therefore, automated provisioning would be turned OFF for these types of applications.
Disconnected Applications: These applications typically require manual intervention or custom scripts to manage user access. Saviynt can still manage entitlements and access requests for these applications, but it doesn't directly provision or de-provision accounts.
Other Application Types:
Service Desk Application: Usually integrated with Saviynt for automated request fulfillment.
Hybrid Application: May have some level of automated provisioning, depending on the specific configuration.
Connected Application: Fully integrated with Saviynt for real-time, automated provisioning.
Saviynt IGA References:
Saviynt Documentation: The section on Application Onboarding in Saviynt's documentation explains the different application types and their integration capabilities, including the concept of disconnected applications.
The Sales department of a company requires an approval workflow to be created for an application where the Manager's approval should be followed by the Application Owner’s approval. Which of the following sequences form the correct order of the workflow events?
Start > Resource Owner's Approval > Manager's Approval > Approve/Reject > End
Start > Manager's Approval > Custom Assignment > Approve/Reject > End
Start > Manager's Approval > Access Approval > Approve/Reject > End
Start > Manager's Approval > Resource Owner's Approval > Approve/Reject > End
The correct sequence of workflow events for an application where the Manager's approval should be followed by the Application Owner's approval is D. Start > Manager's Approval > Resource Owner's Approval > Approve/Reject > End. Here's a breakdown:
Saviynt's Workflow Structure: Saviynt workflows follow a sequential structure, starting with a "Start" event and ending with an "End" event.
Workflow Activities: Each step in the workflow is represented by an activity, such as an approval task.
Manager's Approval: In this scenario, the first required approval is from the Manager. This would be represented by a "TASK Access Approve" activity (or similar, depending on the specific configuration) assigned to the user's manager.
Application Owner's Approval: After the Manager's approval, the workflow needs to proceed to the Application Owner for their approval. This would be another "TASK Access Approve" activity assigned to the Application Owner. In Saviynt terms, Application Owner is a type of Resource Owner.
Approve/Reject: This activity represents the decision point where the final approver (in this case, the Application Owner) either approves or rejects the request.
End: The workflow concludes with the "End" event, signifying the completion of the process.
Other Options:
A. Start > Resource Owner's Approval > Manager's Approval > Approve/Reject > End: Incorrect order; the manager's approval should come before the application owner's.
B. Start > Manager's Approval > Custom Assignment > Approve/Reject > End: "Custom Assignment" is not the most appropriate activity for a standard approval step. "TASK Access Approve" would be more suitable.
C. Start > Manager's Approval > Access Approval > Approve/Reject > End: "Access Approval" is a bit redundant; "TASK Access Approve" assigned to the appropriate role is clearer.
In essence: The correct workflow sequence accurately reflects the required approval hierarchy: first the Manager, then the Application Owner, followed by the final decision (Approve/Reject) and the end of the workflow.
What is the maximum file attachment limit for a request?
15
5
10
20
The maximum file attachment limit for a request in Saviynt is typically 10. Here's an explanation:
Saviynt's Access Request System (ARS): The ARS allows users to attach files to access requests to provide supporting documentation or justification.
Attachment Limits: To prevent excessive storage usage and potential performance issues, Saviynt imposes limits on the number and size of attachments allowed per request.
Default Limit: The default maximum number of attachments allowed per request in Saviynt is generally 10.
Configuration: While 10 is the common default, it's worth noting that this limit might be configurable within the ARS settings in some Saviynt deployments. However, significantly increasing this limit could impact performance.
File Size Limit: In addition to the number of attachments, there's also usually a limit on the individual file size and the total size of all attachments combined. This is also generally configurable. These file size limits are important for maintain system stability and performance.
Error Handling: If a user attempts to exceed the attachment limit, Saviynt will typically display an error message, preventing them from submitting the request until the number of attachments is reduced.
Which of the following SAV Roles grant users the privilege to edit UI Labels?
UIADMIN ROLE
ROLE_ADMINUI
ADMINULROLE
ROLE.UIADMIN
The UIADMIN ROLE in Saviynt grants users the privilege to edit UI (User Interface) labels. This role is crucial for customizing the Saviynt interface to align with an organization's terminology and branding.
UI Customization: Saviynt allows administrators to modify various UI elements, including labels, to improve user experience and comprehension. The UIADMIN ROLE provides the necessary permissions for these modifications.
Why other options are incorrect:
The other options are not standard Saviynt roles and do not have any associated privileges for UI label editing.
Saviynt IGA References:
Saviynt Documentation: The documentation on Saviynt's administration and configuration settings includes information about UI customization and the associated UIADMIN ROLE.
Saviynt Support: Saviynt's support resources may contain articles or knowledge base entries related to UI customization and the permissions required.
The Max Authentication Session parameter in Single Sign-On settings specifies the maximum duration, in seconds, for which an SSO session will remain valid. The default value is 3600 seconds. If the session logout value defined in IDP is 10,000 seconds and Max Authentication Session in Saviynt SSO is 5000 seconds, how long will the session last?
5000 seconds
10,000 seconds
3600 seconds
None of the above
In Saviynt's SSO setup, the "Max Authentication Session" parameter determines the maximum duration of an SSO session within Saviynt, overriding any longer durations set by the Identity Provider (IdP).
Session Duration Logic: Saviynt's internal session timeout setting takes precedence over the IdP's session timeout. This ensures that Saviynt can enforce its own security policies regarding session lifetimes.
Why other options are incorrect:
B. 10,000 seconds: This is the IdP's session logout value, but Saviynt's "Max Authentication Session" setting overrides it.
C. 3600 seconds: This is the default value, but the question specifies a configured value of 5000 seconds.
Saviynt IGA References:
Saviynt Documentation: The documentation for configuring SSO settings within Saviynt explains the "Max Authentication Session" parameter and its impact on session duration.
Saviynt Best Practices: Saviynt's best practices for SSO often recommend aligning session timeouts between the IdP and Saviynt to avoid confusion and potential security gaps.
Which of the following Access Request configurations can be set up as either optional or mandatory, based on business requirements?
Approval comments
Add Attachment
Business justification at Request level
None of the above
In Saviynt's Access Request configurations, the following can be set up as either optional or mandatory based on business requirements:
A. Approval comments: When an approver approves or rejects a request, they can be required to provide comments, or it can be made optional.
B. Add Attachment: Requesters can be allowed or required to attach supporting documentation to their access requests.
C. Business justification at Request level: Requesters can be obligated to provide a business justification for their access request, or it can be made optional.
Here's a breakdown with Saviynt IGA references:
Saviynt's Access Request System (ARS) Configuration: Saviynt provides granular control over the ARS's behavior, allowing administrators to customize various aspects of the request process, including data validation and required fields.
Mandatory vs. Optional Fields: Many fields and actions within the ARS can be configured as either mandatory or optional. This allows organizations to tailor the request process to their specific needs and compliance requirements.
Configuration Locations: These settings are typically found within the ARS configuration section of Saviynt's administrative interface.
Approval Comments: Often configurable within the workflow definition, at the approval step level. You can define whether comments are required for approval, rejection, or both.
Add Attachment: Generally found under general ARS settings, allowing you to enable or disable attachments and potentially set them as mandatory.
Business Justification: Also found within the ARS settings, allowing you to toggle the requirement for a business justification at the request level or even at the individual entitlement level.
Business Rationale: The flexibility to make these elements optional or mandatory allows organizations to balance the need for information with the desire for a streamlined user experience. For example, high-risk access requests might require detailed justification and attachments, while low-risk requests might not.
Saviynt's Audit Trail: Regardless of whether these fields are mandatory or optional, Saviynt's audit trail will capture the information provided, ensuring a complete record of the request and approval process.
In summary: Saviynt's ARS allows administrators to configure approval comments, attachments, and business justifications as either optional or mandatory, providing the flexibility to adapt the access request process to meet diverse organizational needs and compliance requirements.
Which of the following Jobs is responsible for configuring a dashboard in a Campaign?
Campaign Export Job
Create or Schedule Attestation Job
Campaign Import Job
Upgrade Job
The Job responsible for configuring a dashboard (among other configurations) in a Saviynt Campaign is B. Create or Schedule Attestation Job. Here's a detailed explanation:
Saviynt's Campaigns: Campaigns in Saviynt are used for access certification, allowing reviewers (Certifiers) to review and approve or revoke user access.
Create or Schedule Attestation Job: This job is the core mechanism for creating and configuring various aspects of a campaign, including:
Campaign Scope: Defining which users, entitlements, or resources are included in the campaign.
Certifier Selection: Specifying who will be the reviewers for the campaign.
Scheduling: Setting the start and end dates for the campaign.
Notifications: Configuring email notifications for Certifiers and other stakeholders.
Dashboard Configuration: Defining the information and layout displayed on the campaign dashboard for Certifiers. This includes selecting which data points, charts, and filters are visible.
Why Other Options Are Incorrect:
A. Campaign Export Job: This job is used to export campaign data, not to configure the campaign itself.
C. Campaign Import Job: This job is used to import data into a campaign, typically from an external source.
D. Upgrade Job: This job is related to upgrading the Saviynt platform, not to campaign configuration.
In summary: The "Create or Schedule Attestation Job" is the central job for setting up and configuring all aspects of a Saviynt campaign, including the dashboard that provides Certifiers with a summarized view of the certification data.
=================
If you want an application to be available for requesting access (self or other), which of the following should be configured?
Proposed Accounts Workflow
Access Remove Workflow
Access Add Workflow
Emergency Access ID Request Workflow
To make an application available for access requests (either self-service or requests for others), the Access Add Workflow needs to be configured within Saviynt. This workflow defines the process that governs how access to the application is granted. Here's a breakdown with Saviynt IGA references:
Saviynt's Access Request System (ARS): This is the module within Saviynt that handles access requests. The ARS relies on defined workflows to manage the approval and provisioning process.
Access Add Workflow: This specific type of workflow within Saviynt's ARS is triggered when a user requests access to an application or entitlement. It dictates the steps involved, such as:
Requester Details: Capturing information about who is requesting access.
Application/Entitlement Selection: The user selects the application (and potentially specific roles or entitlements within that application) for which they are requesting access.
Approval Routing: Defining the approval chain (e.g., manager approval, application owner approval, etc.). This is configured within the workflow using various approval activities.
Provisioning: Upon approval, the workflow can trigger automated provisioning of access to the target system (if connected integration is set up).
Saviynt's Application Onboarding: For an application to be available in the ARS, it needs to be onboarded into Saviynt. During this process, you would typically define the relevant entitlements (access rights) associated with the application.
Workflow Configuration in Saviynt: Saviynt's admin interface allows administrators to create and customize workflows using a visual designer. This includes setting up conditions, defining approval steps, and configuring actions to be taken at each stage of the workflow.
Other options:
Proposed Accounts Workflow: This is less common, often used to suggest potential accounts during the request or account creation process. It's not the primary mechanism for making an application available for access requests.
Access Remove Workflow: This workflow is used when access needs to be revoked, not granted.
Emergency Access ID Request Workflow: This workflow is specific to requesting temporary, elevated access in emergency situations. It's not the workflow for general access requests to applications.
=================
________ refers to any type of access that is associated with a managed system or application, such as groups, roles, permissions, or responsibilities.
Entitlements
Endpoints
Workflows
Accounts
In Saviynt, "Entitlements" refers to any type of access granted to users within a managed system or application. This broad term encompasses various forms of access controls, including:
Groups: Collections of users with shared access permissions.
Roles: Sets of permissions that define a user's job function or responsibilities.
Permissions: Specific access rights to resources or functionalities.
Responsibilities: Duties or tasks associated with a particular role.
Why other options are incorrect:
Endpoints: Refer to network devices or systems, not access rights.
Workflows: Are automated processes for tasks like approvals, not access itself.
Accounts: Represent user identities, not the specific access they have.
Saviynt IGA References:
Saviynt Documentation: Saviynt's documentation consistently uses the term "Entitlements" to describe the various types of access it manages.
Saviynt User Interface: The Saviynt interface uses "Entitlements" throughout its menus and features related to access management.
TESTED 16 Jul 2026
