Is this a function of QuickLink Populations?
They control which capabilities are granted to an identity.
No. QuickLink Populations do not control which capabilities are granted to an identity. In SailPoint IdentityIQ, capabilities are administrative permission sets assigned to identities to determine what system-level functions they can perform, such as administration, certification management, report access, or other privileged IdentityIQ operations. Capabilities are part of the identity's authorization model and are managed separately from QuickLink Population configuration.
QuickLink Populations serve a different purpose. They determine which QuickLinks are visible and usable for a defined population of users, and they can also influence request behavior such as who may perform a request, what actions are available, and for whom the request may be submitted. For example, a QuickLink Population may allow certain users to request access for themselves, request access for others, edit identities, or initiate password-related actions, depending on configuration.
Therefore, QuickLink Populations control access to request actions and QuickLink availability, not the granting of IdentityIQ capabilities themselves. Reference topics: User-Driven Requests, QuickLink Populations, identity authorization, capabilities, access request configuration, and self-service request controls.
Is this an example of a policy that can be defined in IdentityIQ?
An account policy to check whether an identity has requested the appropriate account
This is not a correct example of an IdentityIQ policy as stated. IdentityIQ policies are used to detect governance violations based on identity, account, entitlement, role, risk, or activity conditions. An account policy is concerned with whether an identity has an account, lacks a required account, or has an account that violates defined account-related criteria. It evaluates existing identity and account state after data is aggregated and correlated into IdentityIQ.
The phrase "has requested the appropriate account" describes an access request validation concept rather than a policy-detection use case. Requests are handled through the user-driven request and provisioning framework, including QuickLinks, request forms, approvals, workflows, provisioning policies, and provisioning plans. A request can be evaluated, approved, rejected, or fulfilled, but a governance policy is normally not defined to determine whether a request itself was "appropriate."
IdentityIQ policies detect violations against current or observed access conditions. Therefore, an account policy may check whether an identity has an inappropriate account, but not whether the identity requested the appropriate account. Reference topics: Governance (common policy examples and policy detection); User-Driven Requests (access requests); Provisioning (provisioning process and provisioning policies).
Is this statement true about group factories and/or populations?
Groups and populations are used to target operations to only a specific set of identities.
The statement is true. In SailPoint IdentityIQ, groups and populations are identity-segmentation mechanisms used to define sets of identities that share specific characteristics. A population is typically a saved collection of identities based on search criteria or defined membership logic. A group factory can dynamically generate identity groups based on identity attributes, such as department, location, cost center, job title, or business unit.
These constructs are useful because many IdentityIQ operations should not apply to the entire identity population. They allow administrators to scope or target actions to the relevant identities only. For example, populations and groups can support targeted reporting, focused analysis, certification scoping, and other governance activities where only a defined subset of identities should be included. This improves accuracy, reduces review noise, and aligns governance activity with business structure.
They should not be confused with ownership objects such as workgroups. Their primary purpose is identity grouping and operational targeting, not shared ownership accountability.
Reference topics: Identity Modeling (groups and populations); Governance (certification targeting and reporting scope); Foundational Concepts (business modeling and identity segmentation).
Is this statement true for IdentityIQ application definitions?
Applications in IdentityIQ are named with the connector that is selected.
No. In SailPoint IdentityIQ, the application name is a configurable label assigned to the application object and does not have to match the connector selected. The application definition represents an external system or source, while the connector defines the technical integration method used to communicate with that system. These are related configuration elements, but they are not the same field and one does not automatically name the other.
For example, an application could be named "Corporate Directory," "North America Active Directory," or "HR Source," while using an LDAP, Active Directory, JDBC, Delimited File, Web Services, or another connector type. The connector selection determines available configuration settings, supported schema behavior, aggregation options, and provisioning capabilities. The application name is used for identification within IdentityIQ, reporting, certifications, requests, policies, and administrative configuration.
Therefore, the statement is incorrect because IdentityIQ applications are not named by the selected connector. They are named by the administrator or implementer according to the business or system context. Reference topics: Applications, application definition, connector selection, connector-dependent settings, schemas, aggregation, and provisioning support.
Is this an accurate statement about access reviews and certifications?
Certifications can be manually created and executed for users of IdentityIQ.
Yes. In SailPoint IdentityIQ, certifications are governance objects used to perform access reviews over identities, accounts, entitlements, roles, policy violations, and other reviewable access items. Certifications can be launched through scheduled campaigns, but they can also be manually created and executed by authorized users such as certification administrators or governance personnel. Manual creation is commonly used for targeted reviews, exception reviews, ad hoc compliance activity, application-specific reviews, manager reviews, or validation of a defined population of identities.
When a certification is created, IdentityIQ generates review items and assigns them to appropriate certifiers based on the certification type and configuration. The certification then proceeds through its lifecycle phases, which may include generation, active review, challenge, remediation, and sign-off. Reviewers can approve, revoke, delegate, or otherwise act on access items according to the certification configuration.
Therefore, the statement is accurate because IdentityIQ supports both scheduled and manually initiated certifications for reviewing user access. Reference topics: Governance, access reviews, certification creation, certification execution, certification phases, certifier assignment, and remediation processing.