SailPoint Certified IdentityIQ Associate Exam Questions and Answers
Is this statement about uncorrelated accounts true?
Uncorrelated accounts can only be resolved by manually correlating them to the appropriate Identity Cube.
Options:
Yes
No
Answer:
B
Explanation:
The statement is false. In SailPoint IdentityIQ, an uncorrelated account is an account record aggregated from an application that has not been matched to an IdentityCube. Manual correlation is one valid remediation method, but it is not the only method. IdentityIQ can also resolve uncorrelated accounts through configured correlation logic, correlation rules, identity refresh processing, and re-aggregation after application correlation settings are corrected.
Correlation is normally configured on the application using identity attributes, account attributes, or rules that determine how an account should be associated with an identity. For example, an account attribute such as employee ID, email address, user name, or another unique identifier can be used to locate the matching IdentityCube. When the correlation configuration is improved and aggregation or refresh is rerun, previously uncorrelated accounts may be automatically linked without manual intervention.
Manual correlation is primarily an administrative correction path for exceptions where automatic matching cannot safely determine ownership. Therefore, “only manually” is too restrictive and does not reflect IdentityIQ’s correlation model. Reference topics: Applications, correlation configuration, uncorrelated account resolution, account aggregation, IdentityCube association, and Identity Modeling.
Does this statement accurately describe how roles are acquired by users in the default role model configuration?
Birthright role assignment may be processed during a mover lifecycle event.
Options:
Yes
No
Answer:
A
Explanation:
Yes. In SailPoint IdentityIQ, birthright roles represent access that is automatically granted based on identity context, such as job function, department, location, lifecycle state, or organizational assignment. A mover lifecycle event occurs when an identity undergoes a material change, such as transfer to a new department, change in manager, change in location, or change in business role eligibility. Because these changes can alter what baseline access the identity should have, birthright role assignment may be processed as part of the mover event.
The mover event can launch a configured business process that evaluates the identity’s updated attributes and initiates access changes, including assignment of new birthright roles or removal of access no longer appropriate. This differs from requestable roles, where a user or manager explicitly asks for access through Lifecycle Manager. Birthright access is driven by identity state and business rules.
Therefore, the statement is accurate. Mover lifecycle processing can be used to keep baseline role-based access aligned with the user’s changed business position. Reference topics: Access Modeling, birthright roles, role assignment, Identity Refresh, Lifecycle Events, mover processes, and Provisioning.
Does this statement accurately describe how roles are acquired by users in the default role model configuration?
Business roles can only be requested by managers.
Options:
Yes
No
Answer:
B
Explanation:
No. This statement does not accurately describe role acquisition in IdentityIQ. Business roles are not restricted to being requested only by managers. In IdentityIQ, roles may be acquired through role assignment logic, role detection, access requests, or administrative action, depending on the role configuration and the organization’s request model.
A business role commonly represents access associated with a business function, job, department, location, or organizational responsibility. Users may receive business roles automatically when their identity attributes satisfy configured role profiles or assignment rules, typically recalculated during Identity Refresh. Separately, roles may be made requestable through Lifecycle Manager and exposed through QuickLinks, where request eligibility is controlled by QuickLink Populations, request configuration, and workflow rules.
Managers may be allowed to request roles for direct reports, but that is only one possible configuration. IdentityIQ can also allow users to request roles for themselves, allow delegated requesters to request for others, or restrict requests to specific populations.
Therefore, “only requested by managers” is too narrow and incorrect. Reference topics: Access Modeling, business roles, role assignment, role detection, Identity Refresh, User-Driven Requests, QuickLink Populations, and role request configuration.
Why would an organization define lifecycle events in IdentityIQ?
To define what should trigger a joiner process, a mover process, or a leaver process
Options:
Yes
No
Answer:
A
Explanation:
Yes. Lifecycle Events in SailPoint IdentityIQ are defined to detect significant identity changes and trigger the appropriate business process in response. Organizations commonly use them to automate joiner, mover, and leaver scenarios. A joiner event may be triggered when a new identity is created or becomes active. A mover event may be triggered by changes such as department, job title, manager, location, or business unit. A leaver event may be triggered when an identity’s employment status or lifecycle state indicates termination.
The lifecycle event configuration defines the condition to monitor and the business process or workflow to execute when that condition is met. This allows IdentityIQ to automate access provisioning, role assignment, account creation, access removal, account disablement, approvals, notifications, and other lifecycle-driven actions.
Therefore, the statement is accurate. Lifecycle Events are specifically used to define what identity data changes should initiate joiner, mover, or leaver processing.
Reference topics: Provisioning, Lifecycle Events, joiner-mover-leaver processing, identity attribute changes, business processes, workflows, and event-driven provisioning.
Is this statement true for IdentityIQ application definitions?
Correlation logic can be specified for authoritative applications.
Options:
Yes
No
Answer:
A
Explanation:
Yes. In SailPoint IdentityIQ, correlation logic can be specified for authoritative applications. An authoritative application is commonly used as a trusted source for identity data, such as HR or another system of record. During aggregation, IdentityIQ reads account or source records from the application and uses correlation logic to determine whether each record should be linked to an existing IdentityCube or used in identity creation and update processing.
Correlation logic may be configured using account attributes, identity attributes, or correlation rules. For example, an authoritative source may correlate records by employee ID, user name, email address, or another unique identifier. This ensures that incoming authoritative data updates the correct identity instead of creating duplicates or leaving records uncorrelated.
The authoritative nature of the application does not eliminate the need for correlation. It defines the trust level and identity-data role of the source, while correlation defines how records from that source are matched to identities in IdentityIQ.
Reference topics: Applications, authoritative applications, correlation options, account aggregation, IdentityCube creation, identity attribute mapping, and uncorrelated account resolution.
Does this statement accurately describe how roles are acquired by users in the default role model configuration?
Business roles must be requested to be associated to identities.
Options:
Yes
No
Answer:
B
Explanation:
No. The statement is too restrictive. In SailPoint IdentityIQ, business roles do not have to be requested in order to become associated with identities. A business role can be associated through access-request processing when the role is configured as requestable, but request submission is not the only acquisition path.
In the default role model, role association is maintained through IdentityIQ role evaluation and identity refresh behavior. Business roles may be assigned directly, assigned through administrative action, or associated through configured assignment logic. IdentityIQ then evaluates role relationships and updates the IdentityCube accordingly during refresh processing. By contrast, detected roles are commonly inferred from the access an identity already has, based on role profiles and entitlement conditions.
The important distinction is between requestable access and role association. Requestability controls whether users can ask for a role through Lifecycle Manager and QuickLinks. It does not mean the role can only be associated through a request. Therefore, “must be requested” is inaccurate.
Reference topics: Access Modeling, business roles, role assignment, detected roles, requestable roles, Identity Refresh, IdentityCube role data, and User-Driven Requests.
Is this displayed in the Identity Warehouse?
Entitlements (identity’s permissions on native applications)
Options:
Yes
No
Answer:
A
Explanation:
Yes. In SailPoint IdentityIQ, the Identity Warehouse presents identity-centered information collected and modeled inside the IdentityCube. Entitlements are part of that identity view because they represent the user’s permissions or access rights on connected applications. During aggregation, IdentityIQ reads account data from applications, including entitlement-bearing attributes such as groups, roles, permissions, or other managed access values. These are stored on the identity’s application accounts and surfaced in the Identity Warehouse so reviewers, administrators, and governance users can understand what access the identity currently has.
This is distinct from identity attributes such as department, manager, location, or lifecycle state. Entitlements describe access on target systems and are central to access reviews, policy evaluation, role modeling, and access request decisions. Displaying entitlements in the Identity Warehouse allows IdentityIQ to provide a complete access profile for the identity, including accounts, assigned roles, detected roles, policy violations, and application permissions.
Therefore, entitlements are displayed as part of the Identity Warehouse identity details. Reference topics: Identity Modeling, IdentityCube contents, Identity Warehouse, application accounts, entitlement aggregation, managed attributes, and access visibility.
Is this statement true for the identity refresh task?
It references the application definitions to determine how to connect to the native systems.
Options:
Yes
No
Answer:
B
Explanation:
The statement is false. The Identity Refresh task does not use application definitions to determine how to connect to native target systems. That function belongs to application aggregation and connector-based operations. In IdentityIQ, an application definition contains the connector configuration, schemas, correlation settings, aggregation options, and provisioning-related settings required for IdentityIQ to communicate with a managed system.
The Identity Refresh task operates primarily on identity data already present inside IdentityIQ. It updates IdentityCubes by recalculating identity attributes, refreshing role assignments and detections, evaluating policies, processing lifecycle events, updating manager relationships, and applying selected identity model calculations. It is typically run after aggregation or configuration changes so that identity-level governance data reflects current account and entitlement information.
Therefore, connecting to native systems is not the purpose of Identity Refresh. IdentityIQ connects to native systems through aggregation tasks or provisioning operations that reference the application definitions and connectors. Identity Refresh consumes the resulting identity, account, entitlement, and application link data within the IdentityIQ repository.
Reference topics: Identity Modeling — Identity Refresh options; Applications — application definitions and connector settings; Foundational Concepts — tasks versus workflows; Provisioning — connector-based fulfillment.
Is this definition of Identity Cube accurate?
An IdentityIQ account
Options:
Yes
No
Answer:
B
Explanation:
No. An Identity Cube is not an IdentityIQ account. In SailPoint IdentityIQ, the Identity Cube is the central identity record that represents a person or identity being governed by the platform. It consolidates identity attributes, correlated application accounts, account links, entitlements, assigned roles, detected roles, manager relationship, lifecycle state, policy violations, and other governance-relevant information.
An “IdentityIQ account” usually refers to a login account or user object that allows someone to access the IdentityIQ application itself. That is different from the Identity Cube, which is used to model the user’s enterprise identity and access across connected systems. For example, one Identity Cube may contain links to multiple accounts such as Active Directory, Workday, ServiceNow, database accounts, and cloud application accounts.
Therefore, the proposed definition is inaccurate because it confuses an application login account with the broader identity model used for governance. Reference topics: Identity Modeling, IdentityCube contents, identity attributes, application account links, entitlements, roles, manager correlation, and Identity Warehouse.
Is this statement about aggregation task options true?
Connector-based delta processing is a performance option available to all connectors in IdentityIQ.
Options:
Yes
No
Answer:
B
Explanation:
No. Connector-based delta processing is not available to all connectors in SailPoint IdentityIQ. Delta aggregation is a performance optimization that allows IdentityIQ to process only changes since a previous aggregation, instead of reading and processing the complete account population each time. However, this capability depends on whether the selected connector and target system support reliable change detection.
Some systems can expose changes through timestamps, change logs, sequence numbers, tokens, directory synchronization controls, or similar mechanisms. Other systems, such as simple file-based sources or connectors without change-tracking capability, may only support full aggregation. Because IdentityIQ connector behavior is connector-dependent, delta processing cannot be treated as a universal aggregation option.
The application’s connector selection determines which aggregation options are available, including whether connector-based delta processing can be enabled. Administrators must verify connector capability and configure aggregation accordingly.
Therefore, the statement is false because connector-based delta processing is a performance option only for supported connectors, not for every connector in IdentityIQ. Reference topics: Applications, aggregation task options, connector-dependent capabilities, account aggregation, delta aggregation, and performance optimization.
Is this a valid reason to grant an identity an IdentityIQ capability?
To give them elevated permissions on a connected application
Options:
Yes
No
Answer:
B
Explanation:
No. IdentityIQ capabilities are used to control what a user can do inside SailPoint IdentityIQ, not to grant elevated permissions on a connected target application. A capability defines access to IdentityIQ functions such as administration, reporting, certification management, policy management, role management, access request functions, or other internal product features. Capabilities are part of IdentityIQ’s internal authorization model and determine which menus, pages, actions, and administrative operations a logged-in IdentityIQ user may perform.
Elevated permissions on a connected application must be granted through governed access, such as requesting or provisioning an account, entitlement, role, or permission on that target system. That process is handled through access requests, approval workflows, provisioning plans, connector operations, and application-specific provisioning policies. For example, adding a privileged group in Active Directory or assigning an administrative application role would be modeled as target-system access, not as an IdentityIQ capability.
Therefore, granting an IdentityIQ capability is appropriate when the user needs additional permissions within IdentityIQ itself, not when they need elevated access on an external connected application. Reference topics: Identity Modeling — how IdentityIQ access is granted to users; User-Driven Requests — access requests; Provisioning — target application access fulfillment.
Is this statement true for the identity refresh task?
It will execute the aggregation rules set on the application definition.
Options:
Yes
No
Answer:
B
Explanation:
The statement is false. The Identity Refresh task does not execute aggregation rules configured on an application definition. Aggregation rules are part of the application aggregation process, where IdentityIQ connects to a source system, reads account or group data, applies connector and application-level processing, and stores account links, entitlement values, and related data in the IdentityIQ repository.
The Identity Refresh task operates after data is already present in IdentityIQ. Its function is to update IdentityCubes and recalculate identity-level governance information. Depending on selected options, Identity Refresh may update identity attributes, refresh role assignments, detect assigned or detected roles, evaluate policies, process lifecycle events, refresh manager relationships, or recalculate risk and access-related identity state.
Application aggregation and identity refresh are separate task functions. Aggregation obtains and normalizes data from applications; Identity Refresh interprets and recalculates identity governance state using that aggregated data. Therefore, rules tied specifically to aggregation on the application definition are executed during aggregation, not during Identity Refresh.
Reference topics: Identity Modeling — Identity Refresh task options; Applications — aggregation rules and application definitions; Foundational Concepts — tasks and workflows.
Is this a valid reason to grant an identity an IdentityIQ capability?
To give them access to different types of Advanced Analytics searches
Options:
Yes
No
Answer:
A
Explanation:
Yes. Granting an IdentityIQ capability is a valid way to provide access to additional functions within SailPoint IdentityIQ, including areas such as Advanced Analytics. Capabilities are part of IdentityIQ’s internal authorization model. They determine what a logged-in user is allowed to see and perform inside the IdentityIQ interface, such as administration, reporting, certification administration, role management, policy management, or advanced search and analysis functions.
Advanced Analytics searches are IdentityIQ functions, not external application permissions. Therefore, access to those search types is governed by IdentityIQ security controls, including capabilities, rights, and in some deployments, scoping. This is different from granting access on a connected application, which would be handled through accounts, entitlements, roles, access requests, and provisioning.
The key distinction is that capabilities grant authority inside IdentityIQ itself. They do not directly modify a user’s access on a target system. Providing access to different types of Advanced Analytics searches is therefore an appropriate reason to assign an IdentityIQ capability.
Reference topics: Identity Modeling — how IdentityIQ access is granted to users; Foundational Concepts — common IdentityIQ objects and components; Governance — analytics and access visibility.
Is this statement true about group factories and/or populations?
New groups are created as a result of executing a task.
Options:
Yes
No
Answer:
A
Explanation:
The statement is true. In SailPoint IdentityIQ, group factories are used to generate identity groups dynamically based on identity attribute values or configured grouping logic. A group factory defines the rule or attribute basis for grouping identities, but the actual creation or refresh of the resulting groups occurs when the appropriate task is executed. For example, a group factory might be configured to create groups by department, location, cost center, or business unit. When the task runs, IdentityIQ evaluates identities against the factory definition and creates or updates the corresponding groups.
This differs from populations, which are typically defined sets of identities used for targeting, filtering, reporting, or governance scoping. Group factories are more generation-oriented because they can produce multiple group objects from identity data. The task execution step is important because it materializes the groups so they can be used in IdentityIQ operations.
Therefore, new groups can be created as a result of executing a task tied to group factory processing. Reference topics: Identity Modeling — groups and populations, group factories, identity grouping, and task-driven group creation.
Is this definition of entitlement accurate?
An access right on an application
Options:
Yes
No
Answer:
A
Explanation:
Yes. In SailPoint IdentityIQ, an entitlement represents an access right, permission, privilege, group membership, role membership, or similar access-granting value on an application. Entitlements are discovered from application account data during aggregation and are commonly modeled in IdentityIQ through schema attributes marked as entitlement attributes. Once aggregated, these values may appear in the entitlement catalog as managed attributes, where they can be reviewed, requested, certified, governed by policies, and associated with roles.
The definition “an access right on an application” is accurate because entitlements describe what an identity’s account is allowed to do or access within a connected system. Examples include Active Directory group membership, database roles, application permissions, cloud groups, or other system-specific access values. IdentityIQ uses entitlements as core governance objects for certifications, access requests, policy checks, role modeling, and provisioning.
This definition is intentionally broad because different target systems represent access differently. IdentityIQ normalizes those application-specific access values into entitlement concepts for identity governance.
Reference topics: Access Modeling, entitlement catalog, managed attributes, application schema, entitlement aggregation, certifications, access requests, and provisioning.
Is this statement true about attributes in IdentityIQ?
Account attributes are defined in the application account schema.
Options:
Yes
No
Answer:
A
Explanation:
The statement is true. In SailPoint IdentityIQ, account attributes are defined on the application’s account schema. The application definition tells IdentityIQ how to represent accounts from a connected source, and the account schema specifies which attributes exist on those accounts. Examples may include account ID, display name, email, status, department, groups, roles, permissions, or other source-specific fields returned by the connector during aggregation.
This is distinct from identity attributes, which are stored on the IdentityCube and represent normalized identity-level data used across IdentityIQ. Account attributes belong to application account links, while identity attributes belong to the identity model. During aggregation, IdentityIQ reads account data according to the application schema and stores the discovered values as account/link attributes. Some account schema attributes may also be marked as managed when their values represent entitlement-like access that should be governed through the Entitlement Catalog.
Therefore, account attributes are correctly defined in the application account schema. Reference topics: Applications — application definitions, account schema attributes, schema attribute properties; Identity Modeling — identity attributes versus account attributes; Access Modeling — managed attributes and entitlement catalog.
Is this an example of a policy that can be defined in IdentityIQ?
An administrator policy to identify users who are taking risky actions within IdentityIQ
Options:
Yes
No
Answer:
B
Explanation:
This is not a standard example of a policy that can be defined in IdentityIQ. IdentityIQ policies are governance controls used to detect inappropriate access, risky access combinations, account conditions, identity conditions, or activity-related violations based on configured policy logic. Common policy examples include separation of duties policies, account policies, identity policies, risk policies, and activity policies. These policies evaluate identities, accounts, roles, entitlements, attributes, and access relationships to determine whether a violation exists.
The wording “administrator policy” is not a standard IdentityIQ policy category. IdentityIQ can audit administrative activity and can secure administrative functions through capabilities, scopes, workgroups, permissions, and object-level controls, but that is different from defining an “administrator policy” as a governance policy type. Risky actions performed within IdentityIQ itself are generally handled through audit events, administrative security configuration, logging, and operational monitoring rather than a standard policy definition named administrator policy.
Therefore, this statement does not describe a valid common IdentityIQ policy example. Reference topics: Governance — examples of common policies, policy detection, policy violations; Foundational Concepts — common objects and components; Identity Modeling — IdentityCube attributes and access context.
Is this statement true for IdentityIQ application definitions?
Application definitions contain the connectivity information IdentityIQ uses to communicate with the application.
Options:
Yes
No
Answer:
A
Explanation:
Yes. In SailPoint IdentityIQ, an application definition represents an external system or managed source and contains the configuration IdentityIQ needs to connect to and interact with that system. The selected connector determines which connectivity settings are required, and the application definition stores those values. Examples can include server host, port, credentials, JDBC URL, file path, API endpoint, tenant information, authentication parameters, or other connector-specific settings.
This connectivity information enables IdentityIQ to perform operations such as account aggregation, group aggregation, schema discovery, entitlement collection, and provisioning where the connector supports write operations. The exact fields vary by connector type, which is why an LDAP, JDBC, Delimited File, Active Directory, or Web Services application may expose different configuration requirements.
Therefore, the statement is accurate: application definitions contain the communication and connectivity configuration used by IdentityIQ to access the application. Reference topics: Applications, application definition, connector selection, connector-dependent settings, account aggregation, schema configuration, and provisioning support.
The purpose of marking an attribute as managed when defining the application account schema is to designate it as:
An attribute that can be edited in IdentityIQ.
Options:
Yes
No
Answer:
B
Explanation:
Marking an account schema attribute as managed does not mean the attribute can be edited in IdentityIQ. In IdentityIQ application schema configuration, a managed attribute is one whose values are promoted into IdentityIQ as governable access objects, commonly represented in the entitlement catalog. This allows IdentityIQ to attach governance metadata to the discovered values, such as display name, description, owner, requestability, classification, and review-related context.
Editability is controlled through different mechanisms, including provisioning policies, forms, workflows, connector capabilities, and provisioning plan operations. An attribute may be managed for governance purposes without being directly editable by a user in IdentityIQ. Conversely, an attribute may be populated during provisioning if the application connector and provisioning policy support it, but that is separate from the schema’s managed designation.
The managed setting is therefore about governance, cataloging, and access modeling, not direct modification. It enables IdentityIQ to treat values of that schema attribute as objects that can be reviewed, requested, certified, described, and owned.
Reference topics: Applications — account schema attributes and their functions; Access Modeling — entitlement catalog; Governance — certifications; Provisioning — provisioning policies and attribute handling.
Is this statement true for the use of tasks?
They can be used to confirm that the correct access is included in a role.
Options:
Yes
No
Answer:
B
Explanation:
No. In SailPoint IdentityIQ, tasks are used to execute defined system operations, often as background or scheduled processes. Common task usage includes account aggregation, identity refresh, entitlement aggregation, maintenance activities, report execution, role processing, and other repeatable administrative operations. A task may calculate, update, import, refresh, or process data, but it does not itself perform the governance decision of confirming whether access in a role is correct.
Confirming that the correct access is included in a role is a governance review function, most closely associated with role certification, especially role composition certification. In that process, a role owner or designated certifier reviews the access profiles, entitlements, permissions, or requirements contained in a role and decides whether they are appropriate. The confirmation requires business judgment and reviewer action, not merely task execution.
A task may support role governance indirectly by refreshing role data or generating background processing, but the validation of role contents belongs to certifications and access governance. Therefore, this statement is not accurate for the use of tasks. Reference topics: Foundational Concepts, tasks versus workflows, Governance, role composition certification, Access Modeling, and role governance.
Is this statement true about attributes in IdentityIQ?
Identity attributes hold details about a user.
Options:
Yes
No
Answer:
A
Explanation:
The statement is true. In SailPoint IdentityIQ, identity attributes are stored on the IdentityCube and represent normalized information about a user. These attributes describe the identity at the governance level rather than describing a single account on a connected application. Common examples include first name, last name, email, department, location, job title, employee number, manager, lifecycle state, and status.
Identity attributes are important because IdentityIQ uses them throughout identity governance processes. They support identity correlation, manager correlation, certification scoping, policy evaluation, role assignment, lifecycle events, access request routing, reporting, and population or group membership. Identity attributes may be sourced from an authoritative application, derived from account data, calculated through rules, or refreshed through Identity Refresh processing.
This differs from account attributes, which are defined in an application account schema and belong to a specific application account link. Identity attributes provide the consolidated user profile that IdentityIQ uses to make governance decisions.
Reference topics: Identity Modeling — IdentityCubes, identity attributes versus account attributes, manager correlation, Identity Refresh options.