Knowledge Checks Flashcards by James Huggard

Which of the following is not a use for workflows in IdentityIQ?
A. Processing access requests
B. Executing scheduled tasks
C. Driving lifecycle event activity
D. Implementing custom functionality through Quicklinks
E .Processing scheduled role assignment or activation

B. Executing scheduled tasks

How well did you know this?

Not at all

Perfectly

Yes or No

Processing access requests is a use for workflows in IdentityIQ?

Yes

How well did you know this?

Not at all

Perfectly

Processing scheduled role assignment or activation is a use for workflows in IdentityIQ?

Yes

How well did you know this?

Not at all

Perfectly

Yes or No

IdentityIQ’s default workflows are configurable through workflow variables. Variable values can drive functional changes like who is involved in approvals or whether whole steps of the workflow get executed or skipped.

Yes

How well did you know this?

Not at all

Perfectly

Yes or No

A workflow case is an objects that represents a running instance of a workflow.

Yes

How well did you know this?

Not at all

Perfectly

Yes or No

A workflow case is an object assigned to a user by the workflow when the workflow requires input from a user.

This is a work item

How well did you know this?

Not at all

Perfectly

True or False

A workflow will follow as many transition paths out of a given step as apply, spawning a separate workflowcase to track each path, as needed.

False

Only the first transition that evaluates to “true” is followed.

How well did you know this?

Not at all

Perfectly

What are the two key operations (processes) of the provisioning engine?

Compilation and Evaluation

How well did you know this?

Not at all

Perfectly

Which of these IdentityIQ functions can be customized per installation by extending or modifying the workflow attached to it? Choose all that apply.

A. Access requests
B. Certification remediation
C. Lifecycle events
D. Password changes

All except Certification remediation

In IdentityIQ, certification remediation (what happens after a cert decision like Revoke/Remove, and how that decision turns into provisioning work) is primarily handled by the certification engine + revocation/provisioning processing (revocation requests, background tasks, provisioning plans), not by a single “remediation workflow” that you can swap/extend per installation in the same direct way you can for requests, lifecycle, or password flows.

How well did you know this?

Not at all

Perfectly

Workflows

“wait -1” will make the work flow step pause for how long?

Until Perform Maintenance runs

How well did you know this?

Not at all

Perfectly

What does Reason “Expansion” means with this Access Request

Expansion as the reason means these attributes were added to the request during Plan Compilation and were not in the original provisioningPlan.

How well did you know this?

Not at all

Perfectly

True or false

If a user needs to get a new entitlement on an application where they do not already have an account the system will automatically create the account during entitlement provisioning.

True

How well did you know this?

Not at all

Perfectly

Yes or No

“Success” value in a ProvisioningResult indicates a successful provisioning.

Committed

COMMITTED = success, changes applied
FAILED = error occurred
PENDING = waiting (common in approval scenarios)
QUEUED = scheduled but not started
RETRY = will try again
CANCELLED = operation stopped
COMPILED = plan ready but not executed yet

How well did you know this?

Not at all

Perfectly

In a create account operations, how does IdentityIQ know which attributes need to be provided to the target system for a new account.

The application’s “Create” provisioning policy

How well did you know this?

Not at all

Perfectly

The provision method for any connector/integration is passed to the request in the form of what object?

Provisioning Plan

How well did you know this?

Not at all

Perfectly

Which of these components supports the execution of pre- and post- scripts during provisioning to Active Directory?

IQService

How well did you know this?

Not at all

Perfectly

What featuresString keyword indicates that an application’s connector is capable of writing directly to the target system?

PROVISIONING

Key Exam Points:

These are boolean feature flags that control provisioning behavior
PROVISIONING - the actual execution of provisioning
APPROVALS - whether to route through approval workflows
NOTIFY - whether to send notifications
TRACE - debugging/logging detail
Can combine multiple keywords with commas

How well did you know this?

Not at all

Perfectly

What attribute in an IntegrationConfig would stop IdentityIQ from creating manual provisioning work items for any application?

UniversalManager

How well did you know this?

Not at all

Perfectly

What specification in an IntegrationConfig indicates the list of target applications it writes for?

ManagedResources

How well did you know this?

Not at all

Perfectly

When should the Plan’s “targetIntegration” and the AccountRequest’s “application” values not match each other?

When the application’s provisioning channel is an Integration Configuration. (example: ticketing system like SNOW)

How well did you know this?

Not at all

Perfectly

Yes or No

Create Identity is one of the Identity Provisioning Policies for IdentityIQ?

Yes

How well did you know this?

Not at all

Perfectly

True or False

Allowing a Quicklink population to request adding of entitlements while not letting them request entitlement removal is a supported configuration option.

True

The request add and request remove of entitlements are separate configuration settings.

How well did you know this?

Not at all

Perfectly

True or False

Processing access requests made by one Quicklink population through one workflow, while using a different workflow for access requests submitted by another Quicklink population is supported.

False

Only one workflow per access request flow is supported.

How well did you know this?

Not at all

Perfectly

Yes or No

Self-service Registration is one of the Identity Provisioning Policies for IdentityIQ?

Yes

How well did you know this?

Not at all

Perfectly

# Yes or No Delete is one of the Identity Provisioning Policies for IdentityIQ?

Yes ## Footnote CUDE-DUCP Create Update Delete Enable Disable Unlock Change Password

# Yes or No Lifecycle Events run during aggregation, immediately on detection of data changes.

No ## Footnote Events are detected during aggregation but not executed at that time. needsRefresh set to true

# Yes or No Do Lifecycle Events run during an Identity Refresh task by default?

No ## Footnote Process Events option must be selected.

# Yes or No Lifecycle Events run automatically by LCM workflows, when warranted by LCM identity creation or edit.

Yes ## Footnote LCM workflows (Joiner/Mover/Leaver) can trigger lifecycle events When identities are created or modified through LCM processes, associated lifecycle events execute

# True or False (Role/Application Provisioning) Only one single and the most specific provisioning policy that applies to a provisioning request is applied to affect the request details.

False

Which of these is required to set up a Quicklink so it runs a workflow? A. action = name of the workflow to run B. WorkflowRef pointing to the workflow to run C. action = workflow and workflowName attribute = name of the workflow to run

**C.** action = workflow and workflowName attribute = name of the workflow to run ## Footnote Example:

When a Quicklink runs a workflow, how does the workflow know which user should be the target of the request?

The target user is determined before the workflow is launched and its ID value is passed to the workflow in the argument quickLinkIdentityId

Which of the main LCM workflows handles role and entitlement provisioning requests?

LCM Provisioning

# True or False If you don’t need supporting functions like approvals and notifications, LCM can process the mandatory compilation and evaluation steps of provisioning without calling a workflow.

False

Which of the five key process steps performs the **evaluation** step of the required compilation-evaluation process flow?

Provision

# Yes or No The **Initialize** step performs the evaluation step of the required compilation and evaluation process flow.

No | Provisioning Engine is the step that does Compilation and Evaluation

How do you return values from a subprocess workflow to the workflow that invoked it?

Two-Part Process: **In subprocess**: Mark variables as output="true" **In parent**: Use return attribute or tags (note: these are Return tags for WorkflowRef, not standalone Return elements) to specify which output variables to retrieve

Which processes uses the RemediationManager to build the ProvisioningPlan?

Certification revocations ## Footnote The RemediationManager is used when IdentityIQ is taking certification decisions (like revoke/remove access) and converting them into a ProvisioningPlan to execute the remediation/provisioning changes.

How do you control logging from the various Java classes involved in processing a provisioning request?

Add entries to the log4j.properties file to specify the logging level per class

What does an approval owner attribute specify?

The user who will be assigned the work item to complete

# True or False Form definitions are specific to an individual workflow and cannot be shared across multiple workflows.

False Forms can me used by mutiple workflows.

What does a form button’s “back” action indicate to the workflow?

Follow a transition path which specifies lastApprovalState=“rejected”

What are the types of controls that can be specified on a form?

**PRTMC** (say: “per-tim-see”) **P**ick-lists (identities) **R**adio buttons **T**ext areas **M**ulti-select combo boxes **C**alendars (date pickers)

# True or False Form specifications can be stored as embedded within workflows, roles, and applications.

True

# True or False Form specifications can not be stored as first-class objects.

False

What two arguments are required when you call the sendEmail method?

"to" and the email template

# True or False The following step syntax is required to create a workItem and send an email to the owner of that work item.

False ## Footnote You either use workItemNotificationTemplate when using an approval, or call sendEmail when not using an approval.

When you call the audit() method, IdentityIQ uses the ____________ method argument to check the AuditConfig. IdentityIQ only writes the audit record to the database if the configuration is enabled.

action | IdentityIQ uses the action method argument.

# True or False Some auditing is built into the default workflows in IdentityIQ, but you can change what is recorded in those audit steps, and you can create custom audit event types and custom audit steps in your own workflows.

True

How does IdentityIQ know what error messages should set the “Retry” status vs. the “Failed” status?

You must specify a retryableErrors entry in the Application definition and add the error messages which should be treated as retryable to its list

What kind of workflow step can be enabled for step replication?

Subprocess

Where and how are the pre/post scripts defined?

They are recorded as Rule objects in IdentityIQ but are written in Windows scripting languages and are passed to the IQService for execution during the provisioning operation

# True or False IdentityIQ allows external applications to request data and to initiate processes, like workflows, through public web services.

True

# True or False You can define a ProvisioningPlan for IdentityIQ to process by specifying it in XML and populating a workflow variable with its XML representation.

False ## Footnote The XML is only for serializing the plan to a more readable format; you must build the plan in Java/BeanShell.

How would you make a provisioning plan, built inside a script step, available to subsequent workflow steps?

Include a return statement in your script logic and specify a **resultVariable** attribute on the step

You must always specify an account nativeIdentity in your plan before passing it to the compilation process.

False ## Footnote Compilation will calculate the native identity for you; however, if the user has more than one account on the target application, you must specify the native identity to choose the target account for the operation.

# True or False The only things a workflow step can be configured to do are: * Call a rule * Call a subprocess * Call a method

False ## Footnote Approvals, forms, custom steps and many more.

How many users can a provisioning plan be applied to in a single provisioning operation?

One ## Footnote You can multiple requests for a single user, but the plan is tied to a single user.

What does the nativeIdentity attribute on the AccountRequest object specify?

The account identifier ## Footnote This is the native/unique identifier of the account on the target system

Which of these is NOT an operation that can be specified on an AccountRequest? a. Create b. Unlock c. Set d. Modify

C. Set ## Footnote **Valid AccountRequest Operations** Create - Create new account Lock - Lock an account Unlock - Unlock a locked account Disable - Disable an account Delete - Remove an account Enable - Enable a disabled account Modify - Update existing account attributes

# True or False If the application FeaturesString supports enabling and disabling of accounts, user will always be able to perform those actions for their own account.

False ## Footnote FeaturesString set capalility, not permissions.

# Is this a supported configuration option? Allowing new account requests on some applications while not allowing secondary accounts to be requested on any applications.

Yes ## Footnote You can control "Add" vs "Remove" permissions separately

# Is this a supported configuration option? Some entitlements not requestable by anyone, others visible only to selected populations

Yes ## Footnote Entitlements have a requestable attribute (can be set to false to block all requests). Also other limits that can be set up.

# Is this a supported configuration option? Different workflows for different QuickLink populations

Yes ## Footnote Applications can be individually configured for what's requestable The allowNewAccountRequests setting is per-application

Which log file typically contains BeanShell exception stack traces in IdentityIQ?

iiq.log ## Footnote BeanShell errors usually flow through IdentityIQ’s Log4j logging and land in the main application log.

Where do Workflow Trace details get written when workflow tracing is enabled?

workflowtrace.log ## Footnote This log is dedicated to workflow trace output (separate from general application logging).

If you add System.out.println(...) in custom code/rules, where does that output usually appear?

stdout (app server console log, e.g., catalina.out on Tomcat) ## Footnote System.out writes to the JVM/servlet container console, not Log4j.

Which log file commonly records WorkItem notification messages?

notification.log ## Footnote Email/notification-related events are typically routed to the notifications log for easier troubleshooting.

If IdentityIQ code (or a custom Log4j logger you call from BeanShell) writes log output, which file most commonly contains it?

iiq.log ## Footnote Log4j output (INFO/WARN/ERROR) generally goes to the primary IdentityIQ log unless you’ve configured a custom appender.

A workflow is behaving unexpectedly and you need step-by-step trace output. Which log should you check first?

workflowtrace.log ## Footnote Workflow trace is the “play-by-play” log; iiq.log is usually higher-level.

True/False: System.out.println output is captured in workflowtrace.log by default.

False ## Footnote System.out goes to stdout/console logs; workflowtrace.log only captures workflow tracing.

True/False: notification.log is the best place to look for BeanShell stack traces.

False ## Footnote BeanShell exceptions typically appear in iiq.log (or stdout if printed directly), not the notifications log.

In one phrase: what is iiq.log primarily used for?

General IdentityIQ application logging (including many errors/stack traces) ## Footnote Think of iiq.log as the “main log” for most troubleshooting unless a feature has a dedicated log.

Where is iiq.log usually stored/saved?

Tomcat (common IdentityIQ installs): /webapps/identityiq/WEB-INF/log/iiq.log JBoss / EAP / WildFly (varies by config): Often under something like /standalone/log/ if Log4j is pointed there, but many installs still write under the IdentityIQ webapp WEB-INF/log/

# True or False Implementers never need to be concerned with whether an AuditAction is enabled, as IdentityIQ automatically takes care of this for them.

False ## Footnote Implementers do need to be aware of whether an AuditAction is enabled/configured, because if it’s disabled (or not configured the way you expect), the event may not be recorded the way you intend in the audit trail.

Which set correctly lists all IQService script hook points for CRUD operations?

Before Create / After Create / Before Modify / After Modify / Before Delete / After Delete

If you need to validate data before an account is updated by IQService, which hook should you use?

Before Modify

If you need to log the results right after an account is removed by IQService, which hook should you use?

After Delete

Knowledge Checks Flashcards

(77 cards)