28 Basic Interview QAs for SailPoint Engineer

Listed here are 28 basic questions and answers that are frequently asked in SailPoint Engineer interviews.

1. What is SailPoint?

SailPoint is a software company that provides identity and access management (IAM) solutions. Its products help organizations manage user identities and their access privileges to applications, data, and systems in a secure and compliant manner.

2. What is Identity Mapping?

Identity mapping is a process in which an identity management system maps or associates a set of digital identities with the corresponding physical identities of individuals, organizations, or other entities. This process is critical in ensuring that the right people have access to the right information and resources and that sensitive information is protected and secure.

Identity mapping is a key component of identity and access management (IAM) systems, which helps organizations manage user identities, permissions, and access to systems and applications. The identity mapping process involves collecting and storing information about identities and linking that information to the corresponding entities. This information can include basic identity information, such as name and address, as well as additional attributes, such as roles and privileges, that are used to determine access and authorization.

In many organizations, identity mapping is performed through the use of identity management software, which automates the process of collecting, storing, and linking identity information. This helps to ensure that identity mapping is accurate, consistent, and secure and that the organization’s identity and access management policies are effectively enforced.

3. What are some of the versions of SailPoint?

SailPoint offers several versions of its identity governance solutions, including:

- SailPoint IdentityIQ: A comprehensive identity governance solution that automates the identity management process and helps organizations meet compliance requirements.

- SailPoint IdentityNow: A cloud-based identity governance solution that provides real-time access management and simplifies identity management for organizations of all sizes.

- SailPoint Predictive Identity: An AI-powered identity governance solution that predicts and prevents identity-related risks in real time.

4. What is Identity Governance?

SailPoint provides identity governance solutions that automate the identity management process and help organizations manage user identities and access privileges and meet compliance requirements. This includes role-based access control, identity lifecycle management, and policy enforcement.

5. What is Identity Analytics?

SailPoint provides identity analytics solutions that help organizations better understand their identity and access data, identify risks and vulnerabilities, and make informed decisions about access privileges.

6. Define Identity Security.

SailPoint provides identity security solutions that help organizations secure their identities and access to applications, data, and systems. This includes multi-factor authentication, single sign-on, and password management.

7. What do you mean by Identity Operations in SailPoint?

SailPoint provides identity operations solutions that help organizations manage the day-to-day operations of their identity and access management systems. This includes identity provisioning, de-provisioning, and certification.

8. What is certification? What are the certifications in SailPoint?

In SailPoint IdentityIQ, certification is a process used to review and verify the accuracy and compliance of access controls within an organization. The purpose of certification is to ensure that only authorized individuals have access to sensitive information and systems and that all access privileges are properly assigned and reviewed on a regular basis.

In SailPoint IdentityIQ, certification is performed by authorized users, such as security administrators or managers, who are responsible for reviewing access requests and verifying that they meet the organization's security policies and standards. The certification process involves reviewing access requests, identifying and mitigating potential security risks, and documenting the results of the review.

SailPoint IdentityIQ provides a robust certification framework that enables organizations to automate and streamline their certification processes. The platform provides a range of certification options, including manual and automated certifications, that can be tailored to meet the needs of different organizations. Additionally, SailPoint IdentityIQ provides real-time reporting and tracking capabilities to help organizations monitor the progress of their certification initiatives and ensure that they are effectively mitigating security risks.

The certifications in SailPoint are:

  • Manager certification
  • Application owner certification
  • Entitlement owner certification
  • Advanced certification
  • Role Membership
  • Role composition
  • Account Group Permissions
  • Account Group Membership

9. What is a rule?

In SailPoint IdentityIQ, a rule is a set of conditions or logic that is used to control access to systems, applications, or other resources within an organization. Rules define the conditions under which access is granted or denied to a user, and are used to enforce the organization's security policies and standards.

SailPoint IdentityIQ provides a flexible rule-based framework that enables organizations to define their own access control policies and procedures. Rules can be based on a wide range of criteria, including job function, role, location, time of day, and more. Rules can also be combined and nested to create complex access control policies that meet each organization's unique needs.

In SailPoint IdentityIQ, rules can be used to manage access control in a number of different ways, including:

- Access certification: Define the conditions under which users will be certified for access to systems and applications, and automate the certification process.

- Authorization: Define the conditions under which users will be granted or denied access to specific systems and applications.

- Provisioning: Define the conditions under which user accounts will be provisioned or de-provisioned in systems and applications.

- Delegated administration: Define the conditions under which administrators can delegate access to systems and applications to other users.

By using rules in SailPoint IdentityIQ, organizations can define and enforce their own access control policies, reduce security risks, and ensure that access to systems and applications is granted only to those who need it.

10. What is the pre-iterate rule?

In SailPoint IdentityIQ, a pre-iterate rule is a type of rule that is executed before the main authorization rules; it performs actions that must be completed before those rules can be processed. The rule runs only once for the whole file, before the records in the file are processed, and is available to address any file-management needs of the aggregation task.

Common examples include unzipping the file, validating the file date before aggregating potentially stale data, building a local map of lookup data from a remote source that can be used in the aggregation process (more efficient than a remote lookup for each record), etc.

By using pre-iterate rules in SailPoint IdentityIQ, organizations can ensure that their authorization rules are executed in the correct order and that the data that is used by the rules is in the proper format. This can help to ensure that the authorization process is efficient and accurate, and that security risks are reduced.
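As an added example (not code from the original article), here is the BeanShell body of a pre-iterate rule for a delimited file application that implements the "validate the file date" use case above: it refuses to aggregate a file older than a configured maximum age, so stale account data never silently replaces the current picture. The rule inputs (application, config, state, log), the "file" config key and the custom "maxFileAgeHours" key are assumptions about the delimited file connector's settings.

```java
// Added example: BeanShell body of an IdentityIQ PreIterate rule.
// Assumed rule inputs: application, config (connector settings), state, log.
import java.io.File;
import sailpoint.tools.GeneralException;

// Path to the delimited file as configured on the application
// (the "file" config key is an assumption).
String path = (String) config.get("file");
if (path == null) {
    throw new GeneralException("PreIterate: no 'file' configured for "
        + application.getName());
}
File f = new File(path);
if (!f.exists()) {
    throw new GeneralException("PreIterate: file not found: " + path);
}

// Maximum acceptable age of the feed, defaulting to 24 hours when the
// (assumed) "maxFileAgeHours" setting is absent.
long maxAgeHours = 24L;
Object cfg = config.get("maxFileAgeHours");
if (cfg != null) {
    maxAgeHours = Long.parseLong(cfg.toString().trim());
}

long ageMillis = System.currentTimeMillis() - f.lastModified();
if (ageMillis > maxAgeHours * 3600L * 1000L) {
    // Failing the task is safer than quietly aggregating stale entitlements:
    // a stale feed can re-create access that was revoked since the export.
    throw new GeneralException("PreIterate: " + path + " is older than "
        + maxAgeHours + " hours; aborting aggregation");
}

// This rule runs once per file; pass facts to the per-record rules via state.
state.put("fileLastModified", Long.valueOf(f.lastModified()));
log.info("PreIterate: accepted " + path + " ("
    + (ageMillis / 3600000L) + " hours old)");
```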

11. What is the build map rule?

In SailPoint IdentityIQ, a build map rule is a type of rule that is used to build a map of values that can be used in other rules. Build map rules are used to create a collection of key-value pairs that can be used to store and retrieve data that is used by other rules in the authorization process.

This rule offers an opportunity to perform data manipulation on the delimited file account data as it is read from the file. In the absence of a build map rule, IdentityIQ automatically takes the column list and the data values in the current record of the file and builds a HashMap of name-value pairs (i.e. column - rowValue). If the record should be manipulated differently from that default, the build map rule can be used to control that behavior. This rule runs for each record in the file.

For example, a build map rule might be used to create a map of user attributes, such as the user's department or location, that can be used in other authorization rules. This map can then be used to control access to specific systems or applications based on the user's attributes.

Build map rules are particularly useful in complex authorization scenarios where multiple rules need to access the same data. By using a build map rule to create a map of values, organizations can ensure that this data is available to all of the rules that need it, and that it is only calculated once. This can help to improve the performance of the authorization process, and reduce the risk of errors.

By using build map rules in SailPoint IdentityIQ, organizations can improve the efficiency and accuracy of their authorization process, and ensure that their access control policies are implemented in a consistent and reliable manner.

Here is an example of a build map rule in SailPoint IdentityIQ that adds a new attribute called "secondaryEmail" to the user's attributes in the HR application:

[Image of the build map rule not available]

In this example, the rule is triggered when an identity is associated with the HR application. The rule creates a new map of values and adds a key-value pair to the map for the user's secondary email address. The key is the user's identity name, and the value is a string that is constructed from the user's first name and last name. The first letters of the first name and last name are always upper case. Finally, the map is added to the user's attributes as a new attribute named "secondaryEmails".

This build map rule will ensure that the secondary email address is available for use in other authorization rules in the HR application. By using this rule, organizations can ensure that their authorization policies are implemented in a consistent and reliable manner, and that they can take advantage of the additional data that is stored in the user's attributes.
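Since the original image was lost, here is an added example (not the article's own code) of what such a build map rule looks like as BeanShell for the delimited file connector: it starts from the default column-to-value map and derives a "secondaryEmail" attribute from the first and last name with their first letters upper-cased. The rule inputs (cols, record, log), the static defaultBuildMap helper, the column names firstName/lastName and the example.com domain are assumptions.

```java
// Added example: BeanShell body of an IdentityIQ BuildMap rule for an HR
// delimited file feed. Assumed rule inputs: cols, record, application,
// schema, state, config, log. Returns the attribute map for one record.
import java.util.Map;
import sailpoint.connector.DelimitedFileConnector;

// The map IdentityIQ would have built without this rule (column -> rowValue);
// the static helper name is an assumption about the connector.
Map map = DelimitedFileConnector.defaultBuildMap(cols, record);

// Upper-case the first letter; the rest is lower-cased here as a
// normalization choice. Null-safe so a short record does not throw.
String capitalize(String s) {
    if (s == null) return null;
    s = s.trim();
    if (s.length() == 0) return null;
    return s.substring(0, 1).toUpperCase() + s.substring(1).toLowerCase();
}

// Column names are assumptions about the feed layout.
String first = capitalize((String) map.get("firstName"));
String last  = capitalize((String) map.get("lastName"));

if (first != null && last != null) {
    // e.g. "jane" + "DOE" -> "Jane.Doe@example.com" (constructed domain)
    map.put("secondaryEmail", first + "." + last + "@example.com");
} else {
    // Leave the attribute absent rather than writing a half-built address;
    // a missing value is easier to spot in a certification than a wrong one.
    log.warn("BuildMap: missing name in record " + record
        + "; secondaryEmail not set");
}

return map;
```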

12. What is a Customized rule?

This rule runs after the build map rule and can be used to transform resource object (account) data during account aggregation. For example, if the target holds a status value of ‘A’ and you want to transform it to ‘Active’, this is the rule to use. Use the set/get attribute methods on the resource object, which is available to the rule as the ‘object’ argument. This rule is executed on every aggregation.
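As an added example (not from the article), the BeanShell body of a customization rule that carries out the status transformation just described. It maps the raw code to a readable value, keeps unknown codes verbatim instead of guessing, and preserves the original code in a separate attribute so later investigations can see what the source system actually sent. The rule inputs (object, log), the attribute names "status" and "statusCode", and the code table are assumptions.

```java
// Added example: BeanShell body of an IdentityIQ Customization rule.
// Assumed rule inputs: object (sailpoint.object.ResourceObject), application,
// state, log. The rule returns the (modified) ResourceObject.
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.ResourceObject;

// Source-system status codes and the values IdentityIQ should see
// (constructed table; the real codes depend on the target).
Map statusNames = new HashMap();
statusNames.put("A", "Active");
statusNames.put("I", "Inactive");
statusNames.put("T", "Terminated");

Object raw = object.getAttribute("status");
if (raw != null) {
    String code = raw.toString().trim().toUpperCase();
    String name = (String) statusNames.get(code);
    if (name != null) {
        object.setAttribute("status", name);
    } else {
        // Never promote an unknown code to "Active": keep it as sent and
        // warn, so the aggregation log shows a value that needs a decision.
        object.setAttribute("status", raw.toString());
        log.warn("Customization: unknown status code '" + raw
            + "' on account " + object.getIdentity());
    }
    // Keep the untouched code beside the readable value for troubleshooting.
    object.setAttribute("statusCode", raw.toString());
}

return object;
```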

13. What is the Pre-delegation rule?

A pre-delegation rule in SailPoint IdentityIQ is used to delegate a certification review to another person if the original approver is absent. This rule allows the certification process to continue even if the original approver is not available, and ensures that the certification review is completed in a timely manner. Pre-delegation rules are an important component of the certification process in SailPoint, as they provide a mechanism for ensuring that certifications are completed even if the original approver is unavailable.

14. What is a Role and what are the uses of a Role?

A Role groups together the permissions of different target systems into a single entity so that permissions can be maintained efficiently. Roles are used to:

  • Categorize and manage users based on job function.
  • Provide a translation between business and IT functions.
  • Ease the provisioning and request process for new access.
  • Simplify auditing and the access and certification process.

15. What is a Business Process (aka Workflow)?

A Business Process is a sequence of operations or steps executed to perform work. IdentityIQ Business Processes, both the standard “out of the box” ones and custom ones written for a specific installation, are triggered by system events or by a user request. A business process is launched as a side effect of some IdentityIQ operations such as editing a role, updating an identity, or the discovery of a policy violation. The available triggering events include:

  • Role creation
  • Identity update
  • Identity refresh
  • Identity correlation
  • Deferred role assignment/de-assignment
  • Deferred role activation/deactivation
  • Any Lifecycle Manager event
  • Any Lifecycle Event (marked by changes to an Identity's attributes)

You cannot schedule a business process, but you can schedule a custom task that launches a business process.

16. What is Account Mapping?

Application account mapping: specify the account attributes to be used in filters and searches throughout the application. The Account Mapping page is used to set up and map specialized accounts, which can be any accounts that justify special handling throughout your enterprise, for example privileged accounts such as Root, Administrator, or Super User, and service accounts that access a specific service or function on an application. Any attribute extended on this page is available for searching on the Identity Search page.

17. What is an Entitlement? What is an Entitlement catalog?

An entitlement is either a specific value for an account attribute (most commonly a group membership) or a permission.

An Entitlement catalog is a business-friendly dictionary of user access descriptions that can be associated with individual entitlements and permissions.

18. What is a managed attribute?

A managed attribute is an attribute that has been defined on an application schema to have additional metadata maintained about it. For each value read for the attribute from the application during aggregation, an entry is created in the Entitlement Catalog.

19. What is mitigation?

Mitigation refers to any exception that is allowed on a policy violation discovered during a certification process; a mitigation is recorded when you choose to grant such an exception.

20. What is Application Onboarding and Offboarding?

Onboarding (aka “Joiner” processing): The process initiated when a new employee, contractor, or another type of worker is made known to IdentityIQ, whether through aggregation from an authoritative source like the HR system or through someone using the Create Identity functionality in LCM. This process usually includes creating accounts, adding group memberships, and granting other access required for the new worker to be productive when he/she starts his/her new job. The basic access required for a new worker is sometimes referred to as “birthright” access.

Offboarding (aka “Leaver” processing): The process initiated when IdentityIQ determines that a worker has left the company, whether through aggregation from an authoritative source like the HR system or through someone using a “Terminate Immediately” button. This process usually includes disabling or deleting all of the worker’s accounts and sending notifications as appropriate.

Configuring the settings needed to connect to a target system and bring in all of its accounts and permissions is called application onboarding.

21. What is an Identity Refresh Cube?

When the identity attributes of an Identity Cube need to be refreshed, an Identity Refresh task is run. It updates identity attributes from the account attributes and through calculations. The Refresh Task is critical to finalizing data on the Identity Cubes; typically, Aggregation Tasks are followed by a Refresh Task. Options available in Identity Refresh include:

  • All entitlements are promoted from the account data to the Identity Cubes by the Refresh Task.
  • Policy violations and risk scores are calculated by the Refresh Task.

22. What are Permissions in SailPoint IIQ?

Permissions are the authorizations given to users that enable them to access specific resources on the network, such as data files and applications. They also designate the type of access: for example, can data only be viewed (read-only) or can it be updated (read/write)? Permissions are also called user rights, user authorizations, and user privileges.

23. What is Access Management?

Managing the permissions of an account, through which the account gets access on a target system, is called access management. In SailPoint this is achieved through the re-certification process.

24. What is aggregation?

Aggregation refers to the discovery and collection of information from the applications configured to work with IdentityIQ. For example, IdentityIQ uses an Identity Aggregation task to pull the values associated with the identity attributes specified during the configuration process from user accounts on the designated applications. That information is then used to create the foundation of the IdentityIQ Identity Cubes.

25. What is the difference between work groups and populations?

Groups — used to track accessibility, activity, and monitored risk by group membership. Risk scores are displayed on the Home Page. Groups are defined automatically by values assigned to identity attributes.

Populations — query-based groups created from the results of searches run from the Identity Search page. Searches that result in interesting populations of identities can, optionally, be saved as populations for reuse within IdentityIQ.

Populations are similar to groups, except that they are driven off multiple search criteria, whereas Groups are statically defined based on a single Identity attribute. Groups themselves are not dynamic: you must run the Refresh Groups task periodically to update them. Between runs of Refresh Groups the groups remain static, but the membership is always based on a dynamic query.

Note: Populations are dynamic queries, so every time you view a population, you are viewing its current members at that point in time.

26. What is an identity attribute?

This field defines which of the attributes being read is used to determine uniqueness. The Identity Attribute is the attribute used to determine the uniqueness of an account; you could think of it as the primary key for the application's accounts. In this case, we are using “User ID”, which is unique for each user.

27. What are the differences between a Rule and a Script?

A rule is an XML object with fully programmable Java-based implementation hooks (BeanShell). Rules capture pieces of business logic and are reusable. A script, by contrast, is a segment of BeanShell code that is included in an object and used only within that location, such as a Workflow step.

28. What are the types of Certifications?

  1. Manager Certifications — certify that your direct reports have the entitlements they need to do their job and only the entitlements they need to do their job.
  2. Application Owner Certifications — certify that all identities accessing applications for which you are responsible have the proper entitlements.
  3. Entitlement Owner Certifications — certify that all identities accessing entitlements for which you are responsible are correct.
  4. Advanced Certifications — certify that all identities included in the population associated with that Advanced Certification have the correct entitlements and roles.
  5. Account Group Certifications — certify that account groups /application objects for which you are responsible have the proper permissions or the proper group membership. Account groups that do not have owners assigned are certified by the owner of the application on which they reside.
  6. Role Certifications — certify that roles for which you are responsible are composed of the proper roles and entitlements or that the roles are assigned to the correct identities.
  7. Identity Certifications — certify the entitlement information for the identities selected from the Identity Risk Score, Identity Search Results, or Policy Violation pages, usually for at-risk users.
  8. Event-Based Certifications — certify the entitlement information for the identities selected based on events detected within IdentityIQ.

These are only a few (basic) questions. If I missed something, feel free to add it in the comments below.

Hi Dinesh, thanks for sharing. I have a question which I recently faced. Please share your thoughts on this. The question is: We knew self-certification is not a good practice. But it can happen when we delegate certification. I mean the assigned certifications may include items that belong to the delegate. In this scenario the delegate may not be allowed to reassign it to anyone. How can we prevent this?

Rahul Thakur

Sailpoint iiq Developer | SQL, JAVA, Expert | MBA | Achieved R1rcm Star award 2023-24

1 year

I enjoyed revising the basics

Faisal Khan

IAM | Experienced SailPoint Consultant | Certified SailPoint IdentityIQ Associate | Identity Governance | Access Management | IAM Solutions

1 year

Thank you for these questions and answers. It may really help to understand points in a simple way and it is also helpful for the interview.
