Jane was managing an AD Group; however, she had to decommission this group and revoke access for all the users.
Which of the following options should be used to perform the above task?
To decommission an AD Group and revoke access for all users, Jane should use D. Entitlement Owner Certification. Here is why:
AD Group as an Entitlement: In Saviynt, an AD Group is typically represented as an Entitlement.
Entitlement Owner Certification: This type of campaign allows the designated owner of an entitlement (in this case, Jane, as the manager of the AD Group) to review and certify who should have access to that entitlement.
Revoking Access: As the Entitlement Owner, Jane can use the certification campaign to:
Review the list of users: See all users who are currently members of the AD Group.
Revoke access for all users: Mark all users for removal from the group.
Decommissioning the Group: After revoking access for all users through the certification, Jane can then proceed with decommissioning the AD Group itself (either through Saviynt if it manages AD group lifecycle or directly in Active Directory).
Why Other Options Are Less Suitable:
A. Segregation of Duties: SoD is a principle, not a specific action for revoking access.
B. Entitlement Update Rule: While rules can automate some actions, a certification campaign provides a more controlled and auditable way to review and revoke access, especially for a sensitive action like decommissioning a group.
C. Mitigation Control: Mitigation controls are used to manage SoD conflicts, not for revoking access to entitlements.
In conclusion: An Entitlement Owner Certification campaign provides a structured and auditable way for Jane to review the membership of the AD Group, revoke access for all users, and prepare for the group's decommissioning, aligning with best practices for access management.
The following USER_IMPORT_MAPPING attribute is set up in Workday RAAS connection:
USER_IMPORT_MAPPING
{
  "ImportType": "RAAS",
  "ResponsePath": "wd:Report_Data.wd:Report_Entry",
  "ImportMapping": {
    "USERNAME": "wd:User_Name~#~string",
    "SYSTEMUSERNAME": "wd:User_Name~#~string",
    "FIRSTNAME": "wd:First_Name~#~string",
    "CITY": "wd:Location.wd:Descriptor~#~string"
  }
}
As per the above mapping, USERNAME is the user attribute defined in Workday, and User_Name is the attribute defined in EIC.
The statement is False. In the provided USER_IMPORT_MAPPING, USERNAME is the user attribute defined in EIC (Enterprise Identity Cloud), and wd:User_Name is the attribute defined in Workday. Here's a breakdown:
Saviynt's USER_IMPORT_MAPPING: This configuration within a connection (in this case, Workday RAAS) defines how data from the connected system (Workday) should be mapped to attributes within Saviynt's EIC.
ImportMapping: This section specifies the mapping between source attributes (Workday) and target attributes (EIC).
USERNAME: In the provided mapping, USERNAME (without the wd: prefix) is the target attribute, meaning it's an attribute within Saviynt's EIC.
wd:User_Name: The wd: prefix typically indicates a Workday attribute. Therefore, wd:User_Name is the source attribute from Workday.
~#~string: This likely indicates the data type of the attribute (string in this case).
Correct Interpretation: The mapping is saying: 'Take the value of the wd:User_Name attribute from Workday and map it to the USERNAME attribute in EIC.'
In essence: The USER_IMPORT_MAPPING defines how data from Workday is translated into Saviynt's internal data model, and in this case, USERNAME belongs to Saviynt (EIC), while wd:User_Name belongs to Workday.
Which of the following actions is appropriate if the data displayed in the Campaign Preview mode does not meet the requirement?
If the data displayed in the Campaign Preview mode does not meet the requirement in Saviynt, the appropriate action is A. Re-configure Campaign. Here's why:
Saviynt's Campaign Preview Mode: This mode allows administrators to review the data that will be included in a campaign before activating it. It's a crucial step for ensuring that the campaign scope, data, and configuration are correct.
Purpose of Preview Mode: The primary purpose of the preview is to identify any issues or discrepancies in the campaign setup before it goes live.
Re-configure Campaign: If the preview reveals problems (e.g., incorrect users or entitlements are included, the wrong Certifiers are assigned, filters are not working as expected), the administrator needs to go back and re-configure the campaign settings. This might involve:
Adjusting the campaign scope.
Modifying filters or selection criteria.
Changing Certifier assignments.
Updating the campaign schedule or notifications.
Why Other Options Are Incorrect:
B. Check Summary: The summary provides a high-level overview of the campaign, but it doesn't allow for detailed data review like the preview mode.
C. Export Campaign: Exporting the campaign data won't fix the underlying configuration issues.
D. Activate Campaign: Activating a campaign with incorrect data would lead to inaccurate certification decisions and potential security risks.
Given that an Admin launched a Role Ownership Campaign for you, which of the following options can you not certify?
Given that an Admin launched a Role Ownership Campaign for you in Saviynt, the option you can not certify is A. Role Ownership. Here's why:
Saviynt's Role Ownership Campaign: This type of campaign is specifically designed for reviewing and certifying the ownership of roles, not the other aspects of a role.
Your Role as Certifier: In this scenario, you are the designated reviewer for role ownership. This means you are responsible for confirming who should be the owner of specific roles.
What You Can Certify in a Role Ownership Campaign:
Confirm or Change Role Owner: You can confirm that the current role owner is correct or assign a new owner.
What You Cannot Certify in This Campaign:
A. Role Ownership: You are the one certifying role ownership, so you cannot certify your own action of assigning an owner. It would be a circular process.
B. User membership of the Role: This is typically reviewed in a User Access Campaign or a Role Membership Campaign.
C. Delete Role: Role deletion is an administrative action, not typically part of a Role Ownership Campaign.
D. Associated Entitlements: Entitlement certification is usually handled in an Entitlement Owner Campaign or as part of a broader User Access Campaign.
In essence: A Role Ownership Campaign focuses solely on validating and assigning role owners. Other aspects of role management, such as user membership or associated entitlements, are handled in different campaign types or through separate administrative actions. As the certifier in this specific campaign, you cannot certify the very action you are performing, which is assigning role ownership.
To help users make informed and quick decisions, Saviynt provides filters for retrieving Certification data in the User Manager Campaign and Service Account Campaign.
Which of the following options cannot be regarded as a Smart Filter?
The option that cannot be regarded as a Smart Filter in Saviynt's User Manager and Service Account Campaigns is A. User's Assigned Role counts. Here's why:
Saviynt's Smart Filters: Smart Filters are pre-defined filters in Saviynt that help Certifiers quickly focus on specific access patterns or risk indicators during a certification campaign. They are designed to highlight potentially problematic or high-risk access.
Examples of Smart Filters:
B. Access with SoD Violations: This is a Smart Filter because it highlights access that violates Segregation of Duties policies, a significant risk indicator.
C. Out-of-Band Access for Entitlements: This is a Smart Filter as it identifies access that was granted outside of the normal Saviynt processes, potentially indicating a security risk.
D. Risk Level for Accounts: This is a Smart Filter because it allows Certifiers to focus on accounts with high-risk levels, which might require more scrutiny.
Why 'User's Assigned Role counts' Is Not a Smart Filter:
Not a Risk Indicator: Simply knowing the number of roles assigned to a user doesn't inherently indicate a risk or a specific access pattern that requires attention. A user might have many roles legitimately, or they might have few roles but with high-risk access.
Not Actionable: This information alone doesn't provide enough context for a Certifier to make an informed decision about whether to approve or revoke access.
Alternative: While not a 'Smart Filter', the number of roles assigned could be a data point displayed within the campaign, but it wouldn't be considered a pre-defined filter for highlighting risks.