Practice Free IdentityIQ-Associate SailPoint Certified IdentityIQ Associate Exam Exam Questions Answers With Explanation

This is not a correct example of an IdentityIQ policy as stated. IdentityIQ policies are used to detect governance violations based on identity, account, entitlement, role, risk, or activity conditions. An account policy is concerned with whether an identity has an account, lacks a required account, or has an account that violates defined account-related criteria. It evaluates existing identity and account state after data is aggregated and correlated into IdentityIQ.

The phrase “has requested the appropriate account” describes an access request validation concept rather than a policy-detection use case. Requests are handled through the user-driven request and provisioning framework, including QuickLinks, request forms, approvals, workflows, provisioning policies, and provisioning plans. A request can be evaluated, approved, rejected, or fulfilled, but a governance policy is normally not defined to determine whether a request itself was “appropriate.”

IdentityIQ policies detect violations against current or observed access conditions. Therefore, an account policy may check whether an identity has an inappropriate account, but not whether the identity requested the appropriate account. Reference topics: Governance — common policy examples and policy detection; User-Driven Requests — access requests; Provisioning — provisioning process and provisioning policies.

The statement is true. In SailPoint IdentityIQ, account correlation is the process used to associate an application account, represented as a Link, with the appropriate IdentityCube. Correlation logic is configured on the application and may use account attributes, identity attributes, or correlation rules to determine ownership. When that logic is changed, a subsequent account aggregation can evaluate account data against the updated correlation configuration and adjust account-to-identity associations where the aggregation process is configured to perform correlation.

This is important when accounts were previously uncorrelated, incorrectly correlated, or correlated under outdated matching criteria. For example, if an application originally correlated accounts by user name but is later changed to correlate by employee ID, aggregation can apply the new logic so that accounts align with the correct identities. Manual correlation is therefore not the only remediation path; proper correlation configuration followed by aggregation is a standard way to resolve or correct account ownership.

The behavior depends on the aggregation and correlation configuration, but the principle is accurate: aggregation can apply changed correlation logic to account correlations. Reference topics: Applications, correlation options, account aggregation, uncorrelated account resolution, Link-to-IdentityCube association, and Identity Modeling.

No. In SailPoint IdentityIQ, tasks are execution mechanisms used to perform system operations such as aggregation, identity refresh, certification generation support, report execution, maintenance processing, and other repeatable administrative jobs. A task can collect data, refresh calculated identity information, process objects, or execute configured logic, but it does not itself provide the business review function of confirming whether an account group provides the correct access.

Confirming that an account group provides appropriate access is a governance activity. That type of validation is performed through access reviews or certifications, where a designated reviewer evaluates group membership, permissions, ownership, or entitlement meaning and decides whether the access remains appropriate. This requires human or configured governance judgment, not simply execution of a background task.

A task may support the process indirectly by aggregating current account group data or preparing certification data, but the actual confirmation of correctness belongs to certification and governance review functionality.

Reference topics: Foundational Concepts, tasks versus workflows, Governance, certifications, account group reviews, access reviews, and Access Modeling.

The statement is false. IdentityIQ does not apply a universal rule that removes uncorrelated IdentityCubes after 30 days. Uncorrelated accounts or uncorrelated identity records result from aggregation and correlation processing when IdentityIQ cannot confidently associate an account from an application with an existing IdentityCube. These records remain available for administrative review and remediation until they are resolved through correlation logic, manual correlation, re-aggregation, identity refresh activity, or configured cleanup processes.

The key point is that retention and removal behavior is configuration-driven, not controlled by a fixed 30-day product rule. Administrators may use tasks, aggregation settings, pruning behavior, or lifecycle processes to clean up stale identity or account data, but such actions depend on implementation choices and task configuration. IdentityIQ preserves uncorrelated data because it may represent a real account requiring governance, certification, policy evaluation, or investigation.

Therefore, the assertion that uncorrelated IdentityCubes are automatically removed after 30 days is incorrect. Reference topics: Applications, uncorrelated account resolution, correlation configuration, aggregation results, IdentityCube association, identity refresh, and administrative cleanup tasks.

The statement is true. In SailPoint IdentityIQ, manager relationships are an important part of the identity model and are frequently used by workflows. Once an identity’s manager is resolved through manager correlation, IdentityIQ can use that manager relationship in governance and request processes. A workflow may route an approval work item to the requester’s manager, notify the manager about a submitted request, request a decision during access approval, or involve the manager in lifecycle-related actions such as onboarding, transfer, or termination processing.

Managers are commonly used because they represent business accountability for a user’s access. For example, in an access request workflow, the manager may approve or reject requested roles, entitlements, or accounts before provisioning occurs. In certification workflows, managers may also be assigned review responsibility for their direct reports’ access.

Therefore, IdentityIQ workflows can interact with managers both for approvals and notifications. Reference topics: Identity Modeling — manager correlation and IdentityCube relationships; User-Driven Requests — approval routing; Provisioning — workflow-driven provisioning; Governance — manager certifications and access review ownership.

The statement is true. In SailPoint IdentityIQ, groups and populations are identity-segmentation mechanisms used to define sets of identities that share specific characteristics. A population is typically a saved collection of identities based on search criteria or defined membership logic. A group factory can dynamically generate identity groups based on identity attributes, such as department, location, cost center, job title, or business unit.

These constructs are useful because many IdentityIQ operations should not apply to the entire identity population. They allow administrators to scope or target actions to the relevant identities only. For example, populations and groups can support targeted reporting, focused analysis, certification scoping, and other governance activities where only a defined subset of identities should be included. This improves accuracy, reduces review noise, and aligns governance activity with business structure.

They should not be confused with ownership objects such as workgroups. Their primary purpose is identity grouping and operational targeting, not shared ownership accountability.

Reference topics: Identity Modeling — groups and populations; Governance — certification targeting and reporting scope; Foundational Concepts — business modeling and identity segmentation.

Yes. In SailPoint IdentityIQ, marking an application account schema attribute as managed designates that the values discovered for that attribute are treated as managed entitlement values and promoted into the Entitlement Catalog. This is typically used for attributes that represent access, such as groups, roles, permissions, profiles, or other application-specific entitlement assignments. During aggregation, IdentityIQ reads account data from the application. When a schema attribute is marked as managed, the distinct values of that attribute can become ManagedAttribute objects, allowing IdentityIQ to govern them as cataloged access items.

This catalog promotion is important because raw technical values often need business context before they can be reviewed, requested, approved, certified, or reported on. The Entitlement Catalog can store metadata such as display name, description, owner, requestability, classification, and other governance attributes. These values then become usable in access certifications, access requests, reports, policy evaluation, and role modeling.

Therefore, the statement accurately describes the managed attribute function. Reference topics: Applications — account schema attribute properties; Access Modeling — entitlement catalog; Governance — certification content and entitlement review.

The statement is true. In SailPoint IdentityIQ, account attributes are defined on the application’s account schema. The application definition tells IdentityIQ how to represent accounts from a connected source, and the account schema specifies which attributes exist on those accounts. Examples may include account ID, display name, email, status, department, groups, roles, permissions, or other source-specific fields returned by the connector during aggregation.

This is distinct from identity attributes, which are stored on the IdentityCube and represent normalized identity-level data used across IdentityIQ. Account attributes belong to application account links, while identity attributes belong to the identity model. During aggregation, IdentityIQ reads account data according to the application schema and stores the discovered values as account/link attributes. Some account schema attributes may also be marked as managed when their values represent entitlement-like access that should be governed through the Entitlement Catalog.

Therefore, account attributes are correctly defined in the application account schema. Reference topics: Applications — application definitions, account schema attributes, schema attribute properties; Identity Modeling — identity attributes versus account attributes; Access Modeling — managed attributes and entitlement catalog.

The statement is false. In SailPoint IdentityIQ, account attributes are updated through application aggregation, not through the Identity Refresh task. Account attributes belong to account links for a specific application and are defined in that application’s account schema. When an aggregation task runs, IdentityIQ connects to the target application using the application definition and connector configuration, reads account data, and updates the account/link attributes stored in IdentityIQ.

The Identity Refresh task performs a different function. It operates on IdentityCubes and recalculates identity-level information using data already present in the IdentityIQ repository. Identity Refresh can update identity attributes, refresh role assignments, evaluate policies, process lifecycle events, update manager relationships, and recalculate governance state. It does not directly re-read account attribute values from connected systems.

This distinction is central to IdentityIQ’s data model: account attributes describe accounts on applications, while identity attributes describe the consolidated user identity. Therefore, account attribute updates come from aggregation, while identity attribute updates may occur during Identity Refresh.

Reference topics: Applications — application account schema and aggregation; Identity Modeling — identity attributes versus account attributes; Identity Refresh task options.

No. The “Detect deleted accounts” aggregation task option is not used to ignore accounts that were previously deleted from IdentityIQ. Its purpose is to compare the accounts returned by the current aggregation with the accounts already stored in IdentityIQ for that application. When an account exists in IdentityIQ but is no longer found in the authoritative aggregation results from the source application, IdentityIQ can treat that account as deleted or removed from the target system.

This option helps keep IdentityIQ’s account inventory accurate by identifying stale Links that remain in IdentityIQ even though the corresponding account is no longer present on the application. It is especially important for governance accuracy because certifications, policy checks, identity warehouse views, and access reporting rely on current account and entitlement data.

The statement is incorrect because it reverses the behavior. Detecting deleted accounts is about recognizing accounts missing from the source during aggregation, not ignoring newly returned source accounts that were once deleted in IdentityIQ.

Reference topics: Applications, aggregation task options, account aggregation, deleted account detection, Link maintenance, IdentityCube account data, and application data reconciliation.

The statement is false. Preventive policy checking in SailPoint IdentityIQ is not limited only to self-service requests. Preventive policy evaluation is used to identify policy violations before access changes are completed. This can occur during access request processing, provisioning-related activity, or other configured request paths where IdentityIQ evaluates proposed changes against defined policies before allowing the transaction to proceed.

A self-service request is only one possible entry point. IdentityIQ access requests may be submitted by an end user, a manager, an administrator, or another authorized requester depending on QuickLink Population rules, request configuration, and access-request permissions. Preventive policy checking evaluates the requested access change itself, not merely the fact that the request was self-initiated. If the proposed access would violate a separation-of-duty, risk, or other governance policy, IdentityIQ can warn, require additional handling, or block the request depending on policy and workflow configuration.

Therefore, the word “only” makes the statement incorrect. Preventive policy checking is a governance control applied to configured access-change activity, not exclusively to self-service actions. Reference topics: Governance, policy detection, preventive policy checking, access request policy evaluation, User-Driven Requests, and provisioning request control.

Yes. In SailPoint IdentityIQ, correlation logic can be specified for authoritative applications. An authoritative application is commonly used as a trusted source for identity data, such as HR or another system of record. During aggregation, IdentityIQ reads account or source records from the application and uses correlation logic to determine whether each record should be linked to an existing IdentityCube or used in identity creation and update processing.

Correlation logic may be configured using account attributes, identity attributes, or correlation rules. For example, an authoritative source may correlate records by employee ID, user name, email address, or another unique identifier. This ensures that incoming authoritative data updates the correct identity instead of creating duplicates or leaving records uncorrelated.

The authoritative nature of the application does not eliminate the need for correlation. It defines the trust level and identity-data role of the source, while correlation defines how records from that source are matched to identities in IdentityIQ.

Reference topics: Applications, authoritative applications, correlation options, account aggregation, IdentityCube creation, identity attribute mapping, and uncorrelated account resolution.

The statement is false. In SailPoint IdentityIQ, connectivity settings are determined by the connector selected for the application definition. An application represents an authoritative source, target system, or managed resource, and the connector defines how IdentityIQ communicates with that system. Because different connectors use different communication models, their required configuration fields are not universal.

For example, an LDAP or Active Directory connector commonly requires server connection details such as host, port, credentials, and search base configuration. A JDBC-based connector may require a JDBC URL, driver class, database credentials, and SQL-related configuration. A delimited file connector does not require a hostname because it reads account and entitlement data from a file location rather than connecting to a network service. Similarly, cloud or API-based connectors may require endpoint URLs, tokens, client credentials, or tenant-specific settings instead of a simple hostname field.

Therefore, hostname cannot be considered a required connectivity setting for every connector type. Required settings are connector-dependent and appear according to the selected connector’s configuration model. Reference topics: Applications, connector selection, application definition, connector-dependent settings, schema configuration, and aggregation prerequisites.

Yes. In SailPoint IdentityIQ, preventive policy checking evaluates proposed access changes before the request is completed or provisioned. When a user submits an access request, IdentityIQ can analyze the requested roles, entitlements, or account changes against configured policies, including separation-of-duty and other access-control policies. If the requested access would create a policy violation, IdentityIQ can present a notification or warning to the requester during the request process.

This notification allows the requester to understand that the requested access conflicts with defined governance rules before the request proceeds further. Depending on configuration, IdentityIQ may allow the request to continue with warning, require additional approval or mitigation, or prevent the request from being submitted. The behavior is controlled by policy configuration, request workflow, and preventive checking settings.

Therefore, the statement is accurate: IdentityIQ can notify the requester when an access request will cause a policy violation. Reference topics: Governance, policy detection, preventive policy checking, access request evaluation, policy violations, and User-Driven Requests.

No. Reviewing an identity’s access during a certification campaign is not provisioning. In SailPoint IdentityIQ, certification campaigns are part of governance and access review functionality. Their purpose is to allow designated reviewers, such as managers, application owners, role owners, or other certifiers, to examine existing access and decide whether it should be approved, revoked, delegated, or otherwise acted upon.

Provisioning is different. Provisioning refers to the fulfillment of access changes, such as creating accounts, modifying account attributes, adding or removing entitlements, disabling accounts, deleting accounts, or executing manual fulfillment work items when direct connector-based provisioning is unavailable. A certification decision may later trigger provisioning if a reviewer revokes access and IdentityIQ generates a remediation or deprovisioning action. However, the review activity itself is governance, not provisioning.

Therefore, “reviewing an identity’s access during a certification campaign” is an access review action, not a provisioning action. Reference topics: Governance, certifications, access reviews, remediation, revocation decisions, Provisioning, provisioning plans, and deprovisioning fulfillment.

The statement is not a correct use case for entitlement catalog data. In SailPoint IdentityIQ, the entitlement catalog is used to govern and enrich entitlement data after entitlements are discovered from application account/group schemas and aggregation. The catalog stores managed entitlement metadata such as display name, description, owner, classification, requestability, risk-related information, and other governance attributes. This information supports access reviews, access requests, approvals, role modeling, policy analysis, and decision-making by presenting business-readable information about technical access.

The application definition is primarily the configuration object for connecting to a target system. It contains connector settings, schemas, correlation configuration, aggregation options, provisioning settings, and related application-level controls. While entitlement-related configuration begins with the application schema, the entitlement catalog is not principally used to provide descriptions “for viewing on the application definition.” Its governed data is used in operational governance contexts, especially where reviewers, requesters, approvers, and administrators need understandable access context.

Therefore, entitlement descriptions are catalog governance metadata, not a feature whose purpose is simply display on the application definition. Reference topics: Access Modeling — purpose of the entitlement catalog; Applications — group/account schemas; Governance — certification decision support; User-Driven Requests — access request display and approval context.