Saviynt SCAIP Saviynt Certified Advanced IGA Professional (Level 200) Exam Practice Test

In Saviynt EIC REST connector configuration,ImportAccountEntJSONis used to define how account and entitlement data are imported (reconciled) from a target system. This JSON structure includes several predefined and supported parameters that control how accounts, entitlements, and their ownership relationships are processed.

accountParams (Option C)is a valid parameter and is used to map account-level attributes such as account name, status, and identifiers.entitlementParams (Option B)is also valid and defines how entitlement data (groups, roles, permissions) are fetched and mapped.accountOwnerParams (Option A)is another valid parameter used to define account ownership mapping, helping assign owners to accounts during reconciliation.

However,entOwnerParams (Option D)is NOT a valid parameter in the ImportAccountEntJSON structure. The correct naming convention for entitlement ownership (if applicable) does not use "entOwnerParams" in Saviynt REST connector configuration. Saviynt follows strict parameter naming standards, and incorrect parameter names will not be recognized or processed by the connector.

Thus, Option D is the correct answer, as it represents an invalid configuration parameter in the context of ImportAccountEntJSON.

Statement A is correct becauseRole Miningin Saviynt analyzes user access patterns and identifies relationships between users who share similar entitlements. These patterns are then used to logically group access into roles, enabling efficient role-based access control (RBAC) implementation and reducing manual effort in role creation.

Statement B is incorrect because apercentage cut-off (e.g., 60%)in role mining means that entitlements common to at least 60% of users are considered for role creation—not 100%. The statement incorrectly interprets how threshold-based mining works.

Statement C is correct since access toDuplicate Identity Management (DIM)features is controlled viaSAV Role configurations. Administrators must grant appropriate permissions within SAV roles to allow users to view and manage duplicate identities in the system.

Statement D is incorrect because DIM supports merging not only user attributes but also associated accounts and access depending on configuration. It is not limited to attributes alone.

Thus, the correct answers areA and C.

In Saviynt EIC,SAV Roles are additive in nature, meaning that when a user is assigned multiple roles, the system grants theunion of all permissionsacross those roles. There is no restrictive override where one role limits another; instead, the highest level of access prevails.

In this scenario, the user is assigned bothROLE_ADMINandROLE_CUSTOM_READ (Read Only). While ROLE_CUSTOM_READ restricts access to read-only, theROLE_ADMIN role provides full administrative privileges, including both view and edit capabilities across modules.

Saviynt does not enforce precedence based on role assignment order, nor does a read-only role override an admin role. Instead, permissions are cumulative, and the most permissive access is effectively granted.

Therefore,Option Dis correct: the user will havefull view and edit accessbecause ROLE_ADMIN includes comprehensive permissions that supersede the limitations of the read-only role.

This behavior ensures flexibility in role assignments but also requires careful governance to avoid over-provisioning of administrative access.

The correct answer is A. User Manager Campaign . In Saviynt, the User Manager campaign is specifically designed for manager-based certifications, where managers review and certify the access of their direct reportees. Saviynt documentation explicitly states that in a User Manager campaign, managers are responsible for reviewing and certifying the access of users who report to them. That makes this campaign type the best fit when the certification driver is the reporting hierarchy rather than entitlement ownership, role ownership, or service account ownership.

The other options represent different certification ownership models. Entitlement Owner Campaign is meant for entitlement owners, Role Owner Campaign is for role owners, and Service Account Campaign is focused on service account ownership verification and access review. Saviynt also describes campaigns as a way to automatically generate and distribute certifications to the appropriate certifiers based on the selected campaign type and ownership model. Therefore, when the requirement clearly says “managers must review direct reportees,” the User Manager campaign is the correct and most aligned selection within Saviynt Level 200 scope.

Setting up anEmergency Access Role (EAR)request in Saviynt EIC requires multiple coordinated configurations across different components of the system. Option A is correct because emergency access roles must be configured at therole level, where parameters such as emergency access flag, duration, justification requirement, and elevated privileges are defined.

Option C is also necessary becauseSAV Role Configurationscontrol which users (such as administrators or requesters) have the ability to request or manage emergency access roles. Without proper SAV role permissions, users cannot initiate or approve EAR requests.

Option D is equally important becauseworkflows defined under Global Configurationsgovern the approval process, escalation paths, and auditing requirements for emergency access. These workflows ensure that emergency access is properly controlled, reviewed, and revoked after use.

Since all these configurations collectively enable emergency access functionality in Saviynt, the correct answer isAll the above. This aligns with Saviynt best practices for implementing secure, auditable, and compliant emergency access management.

In Saviynt EIC,Technical Rulesare triggered based on lifecycle events related to user creation, updates, and imports, provided the defined conditions evaluate to true. The correct answers areB, C, and D.

Option Bis correct because duringImport Jobs, when users are brought into Saviynt from authoritative sources, Technical Rules are evaluated, and if conditions match, they are executed. This is a common mechanism for provisioning access during onboarding.

Option Cis also correct since when anew user is created via the UI, Technical Rules can be triggered if the user attributes meet the rule conditions. This ensures consistent provisioning regardless of how users are created.

Option Dis correct because when anexisting user is updated, and a User Update Rule is configured tore-run provisioning rules, it can trigger associated Technical Rules again.

Option Ais incorrect because deletion events typically trigger deprovisioning workflows rather than standard Technical Rule execution.

Thus, Technical Rules are triggered during import, creation, and update events—not deletion.

In Saviynt EIC, workflows are internally represented inXML format, which defines the sequence of approval steps, conditions, and actions. The“Show XML”option is specifically designed to allow administrators toview the underlying XML structure of a workflow. However, this view is provided in aread-only mode, meaning administrators can inspect the configuration but cannot directly modify it from this option.

This feature is particularly useful fordebugging, auditing, and understanding workflow logic, especially in complex approval processes involving multiple steps and conditions. It helps administrators verify how a workflow is constructed without risking accidental changes to the configuration.

Option C is incorrect because editing workflow XML is not typically done directly through the “Show XML” view in Saviynt UI; modifications are handled through workflow configuration screens or controlled import/export processes. Option A is unrelated since Saviynt workflows are XML-based, not JSON-based. Option B is also incorrect because version history is managed separately and not through the Show XML option.

Thus, the correct purpose of “Show XML” is toview workflow configuration safely in read-only format.

The correct answer is A. Transfer Ownership . Saviynt documentation on User Update Rules explains that the purpose of Transfer Ownership is to change ownership, and specifically notes that service accounts can be reassigned to the OwnerOnTerminate user when the current owner is terminated. The documentation further states that when the current service account owner is terminated, a user update rule with the action Transfer Ownership is triggered so that service account ownership is moved appropriately. This directly matches the scenario in the question.

This is also consistent with Saviynt’s service account model, where every service account must have at least one designated owner who is authorized to manage it. Because ownership is required, Saviynt provides lifecycle controls to preserve accountable ownership when a human owner leaves the organization. The remaining options are unrelated. Run Role Mining belongs to analytics and role engineering, Launch Campaign belongs to certification processes, and Disable SMTP is an email configuration concept. For Level 200 understanding, the key takeaway is that automatic service account ownership continuity is handled through a User Update Rule using the Transfer Ownership action, often combined with OwnerOnTerminate configuration.

In Saviynt EIC, mass unintended changes—such as all accounts being disabled due to incorrect target application configuration—can be prevented usingthreshold-based controls. These controls are defined using theSTATUS_THRESHOLD_CONFIGconnection parameter, which acts as a safeguard during reconciliation and provisioning processes.

The correct attribute in this scenario isaccountThresholdValue (Option D). This parameter allows administrators to define a threshold limit for account status changes (such as disablement). If the number or percentage of accounts being disabled exceeds the defined threshold, Saviynt can stop or flag the operation, preventing large-scale unintended impact.

OptionA (accEntThresholdValue)is used for entitlement-level thresholds, not account status changes. OptionBis incorrect because Saviynt does provide this safeguard mechanism. OptionCis also incorrect since such controls are not managed externally but are part of Saviynt’s connector configuration.

By usingaccountThresholdValuewithin STATUS_THRESHOLD_CONFIG, organizations can implement strong governance and prevent bulk account disablement due to misconfigurations or data issues during account import or reconciliation.

In Saviynt–ServiceNow integration, user visibility in request forms depends on properidentity correlation between ServiceNow users and Saviynt identities. The most common reason a valid ServiceNow (SNOW) user does not appear in the request form is that theSNOW user record is not linked or mapped to an imported Saviynt user(Option B).

Saviynt relies on its internal identity repository to populate requestable users. Even if a user exists in ServiceNow, they must also exist in Saviynt and be properly correlated (typically via attributes like username, email, or employee ID). Without this linkage, Saviynt cannot recognize the user during request submission, and therefore the user will not appear in the search results.

Option A is incorrect because even if the user already has access, they would still appear in search results (though requests may be restricted). Option C is unrelated to user visibility. Option D is incorrect because lack of an account does not prevent user selection—it only affects provisioning outcomes.

Thus, properuser correlation between SNOW and Saviyntis essential for request visibility.

In Saviynt EIC, approval assignment for access requests is primarily controlled throughworkflow configurations, which are associated either at theendpoint level or security system level. Therefore, the first step in troubleshooting incorrect approver assignment is to validate whether the correct workflow is attached and properly configured at both levels (Options A and C). Workflows define approval logic such as manager, owner, or custom approvers, and misconfiguration here often leads to incorrect routing.

Option B is also correct becausedelegation settingscan override the intended approver. If a delegate is configured for an approver, the request may be routed to the delegate instead of the original approver, causing confusion if not validated.

Option D is incorrect because in Saviynt, approvers are typicallysystem-driven based on workflow rules, not manually selected by the requester in most standard configurations. The requester does not usually control approver assignment unless explicitly customized, making this option irrelevant for standard troubleshooting.

The correct answer is B. Technical Rule . Saviynt documentation clearly states that a Technical Rule is primarily used to provision birthright access , also referred to as zero-day provisioning , to users joining the organization based on specified conditions. This is one of the most important distinctions in the Rules and Policies section of the Level 200 syllabus. Technical Rules are intended for automated access assignment logic, especially where access must be granted immediately when user attributes match business conditions such as department, location, or cost center.

The other options are not correct for this use case. User Update Rules are generally used to take actions when user records change and can support lifecycle events, but the documentation identifies Technical Rules as the primary mechanism for birthright provisioning. Scan Rules are used for detection and policy-based scanning use cases, not default access assignment. SAV Role controls platform authorization inside Saviynt rather than provisioning target application access. Saviynt also documents that entitlement assignments in a Birthright Rule can be parameterized using user attributes, which reinforces that Technical Rules are the intended framework for this type of zero-day access automation.

In Saviynt–ServiceNow integration using theSaviynt App for ServiceNow, therequest fulfillment location is flexible and depends on how the integration is configured. This is why Option C is correct.

Saviynt supports different integration patterns with ServiceNow. In one model,ServiceNow acts as the front-end request system, while Saviynt handles the fulfillment (provisioning, approvals, and access governance). In another model, ServiceNow can handle certain fulfillment steps depending on how workflows, APIs, and ticketing configurations are defined.

For example, if the integration is configured such that ServiceNow creates a request and passes it to Saviynt, thenSaviynt performs fulfillment. Alternatively, if certain fulfillment logic or orchestration is handled within ServiceNow workflows or ITSM processes, thenServiceNow may drive parts of the fulfillment process.

This flexibility allows organizations to align the integration with their operational model, whether centralized in Saviynt or distributed with ServiceNow. Therefore, fulfillment is not restricted to a single system and is determined byconfiguration and architectural design choices.

In Saviynt EIC,job orchestration and sequencingare critical for automating identity lifecycle processes such as user import followed by provisioning. To ensure that provisioning starts immediately after user import completes, Saviynt provides the concept of aTrigger Chain Job.

ATrigger Chain Job (Option B)allows administrators to define a sequence of jobs where one job is automatically triggered upon the successful completion of another. In this scenario, once theUser Import Jobfinishes, the system can automatically trigger theProvisioning Job, ensuring seamless and immediate execution without manual intervention or time delays.

Option A (Multi-threading job) relates to performance optimization, not sequencing. Option C (Single Threaded Job) defines execution style but does not control job dependency. Option D (WSRetry job) is used for retrying failed web service calls, not for chaining processes.

Thus,Trigger Chain Jobis the correct approach for automating dependent job execution and is widely used in Saviynt for efficient workflow orchestration.

In Saviynt EIC,Technical Rulesare essential for automating provisioning, deprovisioning, and enforcing access policies. Following best practices ensures reliability, performance, and governance compliance. Hence,Option D (All of the above)is correct.

Using Advanced Configurations (Option A)allows administrators to implement complex logic, optimize rule execution, and handle sophisticated use cases such as conditional provisioning or attribute-based decisions.

Configuring Retrofit for all rules (Option B)is a recommended practice because it ensures that rules are applied not only to new users but also to existing users. This maintains consistency across the identity repository and prevents access gaps for legacy users.

Including a condition like user.statuskey = 1 (Option C)ensures that rules are applied only to active users. This avoids unnecessary processing for inactive or terminated users and prevents unintended provisioning actions.

Together, these practices improve rule efficiency, reduce errors, and ensure consistent enforcement of identity governance policies across the organization.

In Saviynt REST connector configurations, data transformation and manipulation during import (reconciliation) are handled using special keywords or placeholders within JSON mappings. Among the given options,#VALUE#is the correct parameter used to manipulate and transform incoming data from the target application.

The#VALUE#keyword represents the actual value retrieved from the API response and allows administrators to apply transformations such as concatenation, conditional logic, or formatting before storing the data in Saviynt. It is commonly used within accountParams or entitlementParams mappings to ensure that incoming data aligns with Saviynt schema requirements.

OptionA (#nextApiKeyField#)is used for pagination handling in REST APIs, helping to fetch subsequent pages of data, not for manipulation. OptionC (#CHAR#)is not a valid or commonly used parameter in Saviynt REST connectors. OptionD (#CONST#)is used to assign constant/static values but does not manipulate incoming API data dynamically.

Therefore,#VALUE#is the correct parameter used for data manipulation during import in REST connector configurations.

In Saviynt EIC,Password Policy precedence and enforcementdepend on where the policy is configured within the hierarchy of Security System and Connector.

Option A is correct because when password policies are defined at both levels, theSecurity System-level policy takes precedence. This ensures centralized governance and consistency across all endpoints under that security system.

Option B is also correct since Saviynt allows administrators to control password change permissions at a granular level using the“Change Password Access Query”at the endpoint. This enables restriction of password changes based on user attributes or conditions.

Option C is incorrect because connector-level policies do not override security system-level configurations when both are present.

Option D is correct because if no policy is defined at the security system level, theconnector-level password policy will be applied by default, ensuring that password rules are still enforced.

Thus, the correct answers areA, B, and D, reflecting Saviynt’s hierarchical and flexible password policy framework.

In Saviynt EIC, schema-based account import jobs rely heavily on theSAV file, which acts as the schema definition for interpreting incoming data. The error message“Schema definition file not found and No SAV file found”specifically indicates that Saviynt is unable to locate or process the required SAV file.

Option Ais correct because the SAV file must be placed in the designatedFile Directory → SAV files location. If the file is missing from this directory, the system cannot read the schema definition, resulting in job failure.

Option Dis also correct because even if the SAV file is present, anincorrectly formatted or corrupted SAV filewill prevent Saviynt from parsing it properly, leading to the same error.

OptionBis incorrect since SAV files are not expected in the Data files directory. OptionCis unrelated to this specific error, as missing CSV files would generate a different error related to missing data, not schema definition.

Thus, the issue is specifically tied to missing or invalid SAV schema files.