The SailPoint Certified IdentityIQ Associate exam validates your foundational knowledge of identity governance concepts and SailPoint IdentityIQ platform capabilities. This certification is ideal for identity administrators, consultants, and IT professionals who work with identity management systems. The IdentityIQ-Associate credential demonstrates competency across core platform features, user provisioning workflows, and identity compliance processes. This page provides a structured study path, topic breakdown, and practical preparation guidance to help you pass confidently.
Use this topic map to guide your study for SailPoint IdentityIQ-Associate (SailPoint Certified IdentityIQ Associate) within the SailPoint IdentityIQ Certifications path.
The exam uses a mix of question types to assess both conceptual understanding and practical decision-making. Questions progress in difficulty and reflect real-world identity governance scenarios you will encounter in production environments.
Effective preparation combines structured topic review, hands-on practice, and progressive testing. Allocate 4-6 weeks for study, dedicating time each week to specific topic clusters and building integration across areas.
Explore other SailPoint certifications: view all SailPoint exams.
Strengthen your preparation with up-to-date resources from validexamdumps.com. These materials align to IdentityIQ-Associate and cover practical scenarios with clear explanations.
Visit the exam page to download the PDF, Online Practice Test, or get a bundle discount for both formats: SailPoint Certified IdentityIQ Associate.
User provisioning, access request fulfillment, and compliance certification typically account for 40-50% of exam questions. These workflows form the core of identity governance operations. Architecture and identity correlation questions represent another 25-30%, while reporting and security best practices make up the remainder. Focus your study time proportionally on these high-impact areas.
Provisioning creates and manages access, while compliance certification validates that access is appropriate and justified. In practice, certification reviews flag over-provisioned or orphaned accounts, triggering deprovisioning workflows to remediate violations. Understanding this cycle helps you design workflows that support both access delivery and governance audits. Study how approval chains, entitlements, and certification rules interact to maintain a clean access landscape.
Hands-on labs are valuable but not required to pass. If you have access to a test environment, practice building a simple provisioning workflow, creating access request templates, and running a certification campaign. If not, focus on understanding the logical flow and configuration concepts. Study scenario questions carefully, as they simulate the decision-making you would do in the UI.
Confusing entitlements with roles, misunderstanding approval chain sequencing, and overlooking separation of duties controls are frequent errors. Candidates also sometimes choose technically correct answers that don't align with best practices or business requirements. Read scenario questions carefully, identify the business context, and select answers that balance technical correctness with governance principles. Review question explanations to spot patterns in your reasoning.
In the last 7 days, shift from learning new topics to reinforcing weak areas. Take a full-length practice test, review all incorrect answers, and re-read explanations for any topic where you scored below 80%. Do a second timed mini-test focused only on scenario questions. The day before the exam, review your notes on provisioning workflows and compliance processes, then rest well to arrive focused and alert.
Does this statement accurately describe how roles are acquired by users in the default role model configuration?
Birthright role assignment may be processed during a mover lifecycle event.
Yes. In SailPoint IdentityIQ, birthright roles represent access that is automatically granted based on identity context, such as job function, department, location, lifecycle state, or organizational assignment. A mover lifecycle event occurs when an identity undergoes a material change, such as transfer to a new department, change in manager, change in location, or change in business role eligibility. Because these changes can alter what baseline access the identity should have, birthright role assignment may be processed as part of the mover event.
The mover event can launch a configured business process that evaluates the identity's updated attributes and initiates access changes, including assignment of new birthright roles or removal of access no longer appropriate. This differs from requestable roles, where a user or manager explicitly asks for access through Lifecycle Manager. Birthright access is driven by identity state and business rules.
Therefore, the statement is accurate. Mover lifecycle processing can be used to keep baseline role-based access aligned with the user's changed business position. Reference topics: Access Modeling, birthright roles, role assignment, Identity Refresh, Lifecycle Events, mover processes, and Provisioning.
Is this statement accurate about the BeanShell rules used in the aggregation process?
The application's creation rule, if specified, will run when IdentityIQ is unable to correlate an account to an existing identity.
Yes. In SailPoint IdentityIQ aggregation, correlation is attempted first to match an aggregated account to an existing IdentityCube. Correlation may use configured attribute mappings, correlation rules, or other application correlation logic. If IdentityIQ cannot correlate the account to an existing identity, the application's creation rule, when configured, can be invoked to determine how IdentityIQ should handle identity creation for that uncorrelated account.
This is especially relevant for authoritative applications, where aggregated account records may represent people who should exist as identities in IdentityIQ. The creation rule can control identity creation behavior, populate required identity attributes, and apply implementation-specific logic when standard correlation does not find a match. Without appropriate creation behavior, the account may remain uncorrelated and require later remediation through corrected correlation logic, re-aggregation, or manual correlation.
Therefore, the statement is accurate: the creation rule is associated with the aggregation and correlation process and is used when an account cannot be matched to an existing IdentityCube. Reference topics: Applications, BeanShell rules, account aggregation, correlation logic, identity creation rules, authoritative applications, and uncorrelated account handling.
Is this an accurate statement about the Manage Accounts feature in LifeCycle Manager?
It allows users to request additional accounts on applications that support additional accounts.
The statement is accurate. In SailPoint IdentityIQ LifeCycle Manager, the Manage Accounts feature is used for account-level request operations. It allows authorized users to request account changes on connected applications, including requesting an additional account when the target application and IdentityIQ configuration support multiple or additional accounts for the same identity.
This capability is controlled through the application definition, request configuration, QuickLink availability, provisioning policies, and workflow approvals. When an application supports additional accounts, IdentityIQ can present account-request options that allow the requester to create another account rather than only modifying or removing an existing one. The request is then converted into a provisioning plan, routed through configured approval logic, and fulfilled either automatically through the connector or manually through a work item.
This is different from requesting entitlements alone. Manage Accounts focuses on account lifecycle operations such as create, modify, delete, enable, disable, or unlock, depending on connector and application support. Therefore, allowing users to request additional accounts on applications configured to support them is a valid Manage Accounts function.
Reference topics: User-Driven Requests --- account request types and operations; Provisioning --- provisioning plans and provisioning policies; Applications --- application configuration and connector support.
Is this statement true for the use of tasks?
They can be used to confirm that the correct access is included in a role.
No. In SailPoint IdentityIQ, tasks are used to execute defined system operations, often as background or scheduled processes. Common task usage includes account aggregation, identity refresh, entitlement aggregation, maintenance activities, report execution, role processing, and other repeatable administrative operations. A task may calculate, update, import, refresh, or process data, but it does not itself perform the governance decision of confirming whether access in a role is correct.
Confirming that the correct access is included in a role is a governance review function, most closely associated with role certification, especially role composition certification. In that process, a role owner or designated certifier reviews the access profiles, entitlements, permissions, or requirements contained in a role and decides whether they are appropriate. The confirmation requires business judgment and reviewer action, not merely task execution.
A task may support role governance indirectly by refreshing role data or generating background processing, but the validation of role contents belongs to certifications and access governance. Therefore, this statement is not accurate for the use of tasks. Reference topics: Foundational Concepts, tasks versus workflows, Governance, role composition certification, Access Modeling, and role governance.
Is this a true statement about Lifecycle Events?
They can only be triggered by data changes aggregated from authoritative applications.
No. Lifecycle Events in SailPoint IdentityIQ are not limited only to data changes aggregated from authoritative applications. They are configured to respond to qualifying changes on an identity, typically evaluated during identity refresh processing. Authoritative application data is a common source of lifecycle-driving attributes, such as employee status, hire date, termination date, department, location, or manager. However, the event mechanism is based on the identity data change and the configured event condition, not exclusively on whether the change originated from an authoritative source.
Identity attributes can be updated through aggregation, correlation, refresh logic, rules, manual administrative changes, or other configured processes. When the relevant identity state changes and the Lifecycle Event condition is met, IdentityIQ can launch the associated business process or workflow. For example, a mover event may be based on department or manager change, while a leaver event may be based on lifecycle state or employment status.
Therefore, ''only'' makes the statement incorrect. Authoritative applications are frequently used for lifecycle events, but they are not the sole possible trigger source. Reference topics: Provisioning, Lifecycle Events, identity refresh, identity attribute changes, business process execution, and event-driven provisioning.
