Saviynt SCAIP Saviynt Certified Advanced IGA Professional (Level 200) Exam Practice Test

Saviynt’sDuplicate Identity Management (DIM)feature is designed to identify, analyze, and remediate duplicate identities within the Identity Repository, ensuring data integrity and governance. All the listed actions are core capabilities of DIM, makingOption D (All of the Above)the correct answer.

Firstly, DIM enablesduplicate detectionboth during identity import (pre-processing stage) and for already existing identities using detective jobs. This ensures that duplicates are identified proactively and retrospectively. Secondly, DIM provides aside-by-side comparison view, allowing administrators or reviewers to analyze ambiguous duplicate records and decide whether they should be merged. This comparison highlights attribute-level differences for informed decision-making.

Finally, after merging duplicate identities, Saviynt allows administrators todeactivate or retire redundant identities, ensuring only a single authoritative identity remains active. This helps maintain clean identity data and prevents access risks.

Together, these features support identity consolidation, reduce redundancy, and improve overall governance, making DIM a critical component of Saviynt’s intelligence and analytics capabilities.

In Saviynt EIC,Password Policy precedence and enforcementdepend on where the policy is configured within the hierarchy of Security System and Connector.

Option A is correct because when password policies are defined at both levels, theSecurity System-level policy takes precedence. This ensures centralized governance and consistency across all endpoints under that security system.

Option B is also correct since Saviynt allows administrators to control password change permissions at a granular level using the“Change Password Access Query”at the endpoint. This enables restriction of password changes based on user attributes or conditions.

Option C is incorrect because connector-level policies do not override security system-level configurations when both are present.

Option D is correct because if no policy is defined at the security system level, theconnector-level password policy will be applied by default, ensuring that password rules are still enforced.

Thus, the correct answers areA, B, and D, reflecting Saviynt’s hierarchical and flexible password policy framework.

In Saviynt REST connector configuration,acctEntMappingsis used to define how account-entitlement relationships are extracted and mapped from the target system response. This configuration is critical when importing entitlements associated with accounts, such as groups, roles, or permissions.

The required parameters for configuring acctEntMappings includelistPath, idPath, and keyField.listPath (Option A)specifies the JSON path where the entitlement list is located within the API response. This allows Saviynt to identify the array or collection containing entitlement data.idPath (Option B)defines the unique identifier for each entitlement within that list, ensuring proper tracking and mapping.keyField (Option C)is used to associate the entitlement back to the account, effectively linking account and entitlement records.

OptionD (accountID)is not a valid parameter within acctEntMappings configuration. While account identifiers are important in overall mapping, acctEntMappings specifically uses keyField instead of accountID to establish relationships.

Thus, the correct parameters required for acctEntMappings are listPath, idPath, and keyField, as per Saviynt REST connector configuration standards.

In Saviynt EIC, when configuringdynamic attributes or custom forms, system variables are used to fetch context-specific data such as the currently logged-in user. To retrieve theDisplay Name of the logged-in user, the correct variable is${loggedInUser}, which directly represents the userkey of the active session user.

Option A correctly uses this variable in the SQL query to fetch the DISPLAYNAME from the Users table. This ensures that the attribute dynamically reflects the logged-in user's display name at runtime.

Option B is incorrect because${user.id}typically refers to the target user in a request context, not necessarily the logged-in user. Option C (${requestor}) may represent the requester in certain workflows but is not consistently equivalent to the logged-in user in all scenarios, especially in delegated or admin-driven requests.

Therefore, Option A is the most accurate and reliable approach for retrieving the logged-in user’s display name in Saviynt configurations, ensuring proper context-aware data population.

Setting up anEmergency Access Role (EAR)request in Saviynt EIC requires multiple coordinated configurations across different components of the system. Option A is correct because emergency access roles must be configured at therole level, where parameters such as emergency access flag, duration, justification requirement, and elevated privileges are defined.

Option C is also necessary becauseSAV Role Configurationscontrol which users (such as administrators or requesters) have the ability to request or manage emergency access roles. Without proper SAV role permissions, users cannot initiate or approve EAR requests.

Option D is equally important becauseworkflows defined under Global Configurationsgovern the approval process, escalation paths, and auditing requirements for emergency access. These workflows ensure that emergency access is properly controlled, reviewed, and revoked after use.

Since all these configurations collectively enable emergency access functionality in Saviynt, the correct answer isAll the above. This aligns with Saviynt best practices for implementing secure, auditable, and compliant emergency access management.

In Saviynt EIC, when an account is compromised and requiresimmediate containment, the most appropriate action is tolock the account(Option A). Locking an account ensures that the user is instantly prevented from logging into the target system without removing the account or affecting its underlying configuration. This action is reversible and allows administrators to quickly secure the account while further investigation or remediation steps (such as password reset or access review) are performed.

Option B (Suspend) is typically used for longer-term access revocation scenarios, such as employee leave or inactivity, and may depend on application-specific configurations. Option C (Expire) relates to setting an end date for account validity, which is not suitable for immediate threat mitigation. Option D (Delete) is a permanent and destructive action, generally avoided in incident response because it removes audit trails and complicates recovery.

Therefore, locking the account aligns with Saviynt best practices forincident response and rapid risk mitigation, ensuring security without losing account traceability.

In Saviynt EIC REST connector configuration,ImportAccountEntJSONis used to define how account and entitlement data are imported (reconciled) from a target system. This JSON structure includes several predefined and supported parameters that control how accounts, entitlements, and their ownership relationships are processed.

accountParams (Option C)is a valid parameter and is used to map account-level attributes such as account name, status, and identifiers.entitlementParams (Option B)is also valid and defines how entitlement data (groups, roles, permissions) are fetched and mapped.accountOwnerParams (Option A)is another valid parameter used to define account ownership mapping, helping assign owners to accounts during reconciliation.

However,entOwnerParams (Option D)is NOT a valid parameter in the ImportAccountEntJSON structure. The correct naming convention for entitlement ownership (if applicable) does not use "entOwnerParams" in Saviynt REST connector configuration. Saviynt follows strict parameter naming standards, and incorrect parameter names will not be recognized or processed by the connector.

Thus, Option D is the correct answer, as it represents an invalid configuration parameter in the context of ImportAccountEntJSON.

In Saviynt EIC, identity data transformation and normalization during ingestion from authoritative sources like Workday are handled at theimport stage, specifically usingIMPORTUSERJSON. This JSON configuration governs how user data is fetched, parsed, and mapped into the Saviynt Identity Repository.

To meet the requirement of combining first name and last name into a full name and ensuring near real-time reflection of updates, aninline preprocessor within IMPORTUSERJSONis used. This allows administrators to apply transformation logic—such as concatenation, formatting, or conditional mapping—directly during the import process before the data is persisted in Saviynt.

OptionA (USERUPDATEJSON)andB (MODIFYUSERDATAJSON)are used for post-import updates or provisioning-related user modifications, not for initial transformation during ingestion. These do not meet the requirement of transforming data before it is stored in the Identity Repository.

OptionDis incorrect because Saviynt explicitly supports inline preprocessors in IMPORTUSERJSON for such use cases.

Thus, configuring an inline preprocessor inIMPORTUSERJSONis the correct and recommended approach for identity data normalization during import.

Saviynt EIC provides multiple flexible integration options with ServiceNow to support different business and operational use cases. Therefore,Option D (All of the above)is correct.

ServiceNow as a Managed Application (Option A)allows Saviynt to treat ServiceNow like any other application, enabling account provisioning, deprovisioning, and access governance directly within ServiceNow using REST connectors.

ServiceNow as a Request Form (Option B)enables organizations to leverage ServiceNow’s front-end portal for access requests. Users can initiate requests in ServiceNow, which are then processed and fulfilled by Saviynt, ensuring seamless user experience while maintaining governance.

ServiceNow as a Ticketing System (ITSM) (Option C)is another key integration pattern where Saviynt generates tickets (incidents, requests, or tasks) in ServiceNow for approval workflows, provisioning actions, or tracking purposes. This ensures alignment with enterprise ITSM processes.

These multiple integration models provide flexibility, allowing organizations to choose the approach that best fits their operational and governance requirements.

In Saviynt–ServiceNow integration, user visibility in request forms depends on properidentity correlation between ServiceNow users and Saviynt identities. The most common reason a valid ServiceNow (SNOW) user does not appear in the request form is that theSNOW user record is not linked or mapped to an imported Saviynt user(Option B).

Saviynt relies on its internal identity repository to populate requestable users. Even if a user exists in ServiceNow, they must also exist in Saviynt and be properly correlated (typically via attributes like username, email, or employee ID). Without this linkage, Saviynt cannot recognize the user during request submission, and therefore the user will not appear in the search results.

Option A is incorrect because even if the user already has access, they would still appear in search results (though requests may be restricted). Option C is unrelated to user visibility. Option D is incorrect because lack of an account does not prevent user selection—it only affects provisioning outcomes.

Thus, properuser correlation between SNOW and Saviyntis essential for request visibility.

In Saviynt EIC REST connector configurations, pagination is a critical mechanism used duringuser import (identity reconciliation)to efficiently process large datasets from target systems. The parameterMAX_PAGINATION_SIZEdetermines how many records are fetched and processed per API call (per page).

IfMAX_PAGINATION_SIZEis not explicitly defined, Saviynt uses adefault value of 1000 records per page. This default is designed to balance performance and system stability. Fetching too many records in a single API call can lead to performance bottlenecks, API timeouts, or memory issues, while too few records can increase the number of API calls and slow down the overall import process.

OptionA (50000)andC (10000)are incorrect because these values are typically too large for default settings and must be explicitly configured if required. OptionBis incorrect because Saviynt does provide a default fallback value rather than leaving it undefined.

Therefore, when MAX_PAGINATION_SIZE is not specified, Saviynt defaults to1000, ensuring efficient and stable data import operations.

In Saviynt REST connector configurations, data transformation and manipulation during import (reconciliation) are handled using special keywords or placeholders within JSON mappings. Among the given options,#VALUE#is the correct parameter used to manipulate and transform incoming data from the target application.

The#VALUE#keyword represents the actual value retrieved from the API response and allows administrators to apply transformations such as concatenation, conditional logic, or formatting before storing the data in Saviynt. It is commonly used within accountParams or entitlementParams mappings to ensure that incoming data aligns with Saviynt schema requirements.

OptionA (#nextApiKeyField#)is used for pagination handling in REST APIs, helping to fetch subsequent pages of data, not for manipulation. OptionC (#CHAR#)is not a valid or commonly used parameter in Saviynt REST connectors. OptionD (#CONST#)is used to assign constant/static values but does not manipulate incoming API data dynamically.

Therefore,#VALUE#is the correct parameter used for data manipulation during import in REST connector configurations.

In Saviynt EIC REST connector configuration,ConnectionJSONis the central configuration block where all connection-level properties are defined. This includes not only the base URL, authentication details, and headers, but also critical operational parameters such asconnection timeout settingsandprovisioning limits (such as throttling or API limits).

Provisioning activities like account creation, update, and deletion rely on stable connectivity to the target system. Therefore, timeout configurations (for example, connection timeout and read timeout) are defined inConnectionJSONto ensure that API calls do not hang indefinitely and can fail gracefully if the target system is unresponsive. Similarly, provisioning limits—such as maximum records processed or API throttling controls—are configured at this level to manage performance and avoid overloading external systems.

OptionA (ConfigJSON)is not a standard JSON used in REST connector configurations. OptionB (MODIFYUSERDATAJSON)is used specifically for user update operations. OptionD (StatusthresholdConfig)relates to job/status handling rather than connection parameters.

Thus, ConnectionJSON is the correct place for configuring provisioning limits and timeout settings in Saviynt REST connectors.

In Saviynt EIC, automation of campaigns based on identity changes is typically achieved usingUser Update Rules. These rules monitor changes in user attributes (such as department, role, manager, or status) and can trigger predefined actions when conditions are met.

Option A is correct because aUser Update Rule can be configured to trigger a campaignwhen specific attribute changes are detected. This allows organizations to automatically initiate certification campaigns when critical identity attributes change, ensuring continuous compliance and governance without manual intervention.

Option B is incorrect because connection attributes are primarily used for provisioning and integration logic, not for triggering campaigns. Option C is partially valid in a general sense, but scheduled campaigns do not dynamically react to attribute changes—they run on predefined schedules regardless of changes. Option D is incorrect because Saviynt supports automation through rules.

Thus,User Update Rules provide an event-driven mechanismto launch campaigns based on real-time user attribute changes, making Option A the correct answer.

In Saviynt EIC,SAV Roles are additive in nature, meaning that when a user is assigned multiple roles, the system grants theunion of all permissionsacross those roles. There is no restrictive override where one role limits another; instead, the highest level of access prevails.

In this scenario, the user is assigned bothROLE_ADMINandROLE_CUSTOM_READ (Read Only). While ROLE_CUSTOM_READ restricts access to read-only, theROLE_ADMIN role provides full administrative privileges, including both view and edit capabilities across modules.

Saviynt does not enforce precedence based on role assignment order, nor does a read-only role override an admin role. Instead, permissions are cumulative, and the most permissive access is effectively granted.

Therefore,Option Dis correct: the user will havefull view and edit accessbecause ROLE_ADMIN includes comprehensive permissions that supersede the limitations of the read-only role.

This behavior ensures flexibility in role assignments but also requires careful governance to avoid over-provisioning of administrative access.

In Saviynt EIC,Technical Rulesare triggered based on lifecycle events related to user creation, updates, and imports, provided the defined conditions evaluate to true. The correct answers areB, C, and D.

Option Bis correct because duringImport Jobs, when users are brought into Saviynt from authoritative sources, Technical Rules are evaluated, and if conditions match, they are executed. This is a common mechanism for provisioning access during onboarding.

Option Cis also correct since when anew user is created via the UI, Technical Rules can be triggered if the user attributes meet the rule conditions. This ensures consistent provisioning regardless of how users are created.

Option Dis correct because when anexisting user is updated, and a User Update Rule is configured tore-run provisioning rules, it can trigger associated Technical Rules again.

Option Ais incorrect because deletion events typically trigger deprovisioning workflows rather than standard Technical Rule execution.

Thus, Technical Rules are triggered during import, creation, and update events—not deletion.

In Saviynt EIC, theservice account name generationis controlled through configuration-driven mechanisms to ensure consistency, automation, and compliance with naming standards.

Option A is correct because administrators can define naming conventions at theEndpoint level using the Service Account Name Rule. This allows dynamic generation of account names based on attributes such as application name, environment, or other identifiers, ensuring standardized naming across systems.

Option D is also correct since in many connector-based integrations, theCreate Account JSONconfiguration plays a role in provisioning. The account name can be derived or constructed within this JSON payload based on defined mappings and logic, especially for REST or custom connectors.

Option B is incorrect because service account creation in Saviynt is typically controlled and standardized; manual entry of account names is generally restricted or governed to avoid inconsistencies. Option C is incorrect because Global Configurations do not directly define service account naming rules in standard implementations.

Thus, the correct answers areEndpoint-based naming rules and Connection-level JSON configuration, ensuring automated and consistent service account naming.

In Saviynt EIC,Technical Rulesare essential for automating provisioning, deprovisioning, and enforcing access policies. Following best practices ensures reliability, performance, and governance compliance. Hence,Option D (All of the above)is correct.

Using Advanced Configurations (Option A)allows administrators to implement complex logic, optimize rule execution, and handle sophisticated use cases such as conditional provisioning or attribute-based decisions.

Configuring Retrofit for all rules (Option B)is a recommended practice because it ensures that rules are applied not only to new users but also to existing users. This maintains consistency across the identity repository and prevents access gaps for legacy users.

Including a condition like user.statuskey = 1 (Option C)ensures that rules are applied only to active users. This avoids unnecessary processing for inactive or terminated users and prevents unintended provisioning actions.

Together, these practices improve rule efficiency, reduce errors, and ensure consistent enforcement of identity governance policies across the organization.