TTechclick ⚡ XP 0% All lessons
SailPoint · Identity Governance · Interview Q&AInteractive · L1 / L2 / L3

SailPoint IGA Interview Questions — IdentityNow / ISC Answers & Prep

Whether you are sitting for a SailPoint engineer role or want to sound sharp on Identity Governance, interviewers probe the same four clusters: the platform and architecture (IdentityIQ vs Identity Security Cloud, multi-tenant SaaS, Virtual Appliance), the joiner-mover-leaver lifecycle and provisioning (Sources, Account Aggregation, Birthright vs Request-based, Plan and Policy), access certifications and SoD (Campaign types, Remediators, SoD policy violations and exceptions), and AI-driven governance plus connector types (Role Discovery, Access Insights, SaaS Connectivity, Direct Connect). This lesson works through 16 interview questions across those four clusters with crisp, scenario-led model answers grounded in SailPoint's 2026 Identity Security Cloud (ISC) platform.

📅 2026-06-20 · ⏱ 20 min · 16 interview Q&As · live scenario · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Ace your SailPoint IGA interview with 16 model questions and answers covering IdentityNow architecture, lifecycle and provisioning, certifications and SoD, plus AI-driven features and connector types.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Platform & Architecture

IdentityIQ vs ISC, SaaS, Virtual Appliance.

 2

Lifecycle & Provisioning

Joiner-mover-leaver, Sources, plans, connectors.

 3

Certifications & SoD

Campaign types, remediators, SoD policies.

 4

AI, Connectors & Scenarios

Role Discovery, Harbor Pilot, SaaS Connectivity.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is the key architectural difference between SailPoint IdentityIQ and Identity Security Cloud (ISC)?

Answered in Platform & Architecture.

2. In SailPoint IGA, what triggers a provisioning plan?

Answered in Lifecycle & Provisioning.

3. What is the purpose of a Segregation of Duties (SoD) policy in SailPoint?

Answered in Certifications & SoD.

Common interview slip

Many candidates say 'SailPoint is just an Active Directory tool' or confuse IdentityIQ with Identity Security Cloud. Both slips cost marks in an IGA interview.

SailPoint Identity Governance covers any authoritative source — HR systems, directories, cloud apps — and enforces access across the whole estate, not just AD. IdentityIQ (IIQ) is the on-premises Java-based platform used by large enterprises needing deep customisation; Identity Security Cloud (ISC), formerly IdentityNow, is the multi-tenant SaaS platform built on microservices that connects to on-prem systems via a Virtual Appliance (VA). And access governance is not just about who has access — SailPoint also governs who should have access, enforces SoD policies, automates certifications, and uses AI to surface anomalous access. Knowing these distinctions is exactly what interviewers probe.

① Platform & Architecture — IdentityIQ vs Identity Security Cloud

Q: What is SailPoint and what problem does IGA solve?

Model answer: SailPoint is a leading IGA vendor. IGA solves the core compliance challenge: organisations accumulate user access over time through joiners, movers and leavers, and without governance that access drifts until it violates least-privilege or regulatory rules (SOX, HIPAA, GDPR). SailPoint automates the access lifecycle — provisioning the right access on day one, adjusting it as roles change, revoking it on departure, and continuously certifying that what remains is still appropriate — reducing both risk and manual workload.

Q: What is the difference between IdentityIQ and Identity Security Cloud (ISC)?

Model answer: IdentityIQ (IIQ) is SailPoint's on-premises, Java-based platform. Large enterprises choose it for deep customisation, complex workflows written in BeanShell/Java, and full control over their data. It requires infrastructure management and patching. Identity Security Cloud (ISC) — formerly IdentityNow — is the multi-tenant SaaS platform built on microservices, delivered and maintained by SailPoint. ISC gets continuous feature updates, scales automatically, and connects to on-prem systems via a Virtual Appliance (VA) gateway. Most new SailPoint deployments start with ISC; IIQ migrations to ISC are common in 2026.

Q: What is the Virtual Appliance (VA) in ISC and why is it needed?

Model answer: The Virtual Appliance (VA) is a lightweight VM deployed in the customer's network that acts as a secure tunnel between the ISC SaaS platform in the cloud and on-premises sources (Active Directory, LDAP, HR systems, databases). Because ISC is a multi-tenant SaaS product, it cannot reach customer-internal systems directly; the VA bridges that gap without opening inbound firewall ports — it establishes an outbound encrypted connection to ISC. VAs are deployed in clusters for high availability. Sources that are cloud-native (Salesforce, ServiceNow) can use SaaS Connectors that connect directly without a VA.

Q: What are the core modules of the ISC (SailPoint Identity Security Cloud) platform?

Model answer: ISC is built around several modules: Access Lifecycle (joiner-mover-leaver provisioning and de-provisioning), Access Certifications (automated review campaigns), Access Requests (self-service request portal with approval workflows), Separation of Duties (SoD) (policy-based detection of conflicting access), Role Management (business roles and IT entitlements), Password Management (self-service reset and sync), and AI-Driven Insights (Role Discovery, Access Insights, Peer Group analysis, Harbor Pilot AI agent). Together they form a full IGA platform that answers the three questions every auditor asks: who has access, is it appropriate, and how was it granted.

Figure 1 — SailPoint ISC at a glance
Identity Security Cloud is a multi-tenant SaaS platform; the Virtual Appliance bridges it to on-premises sources.SailPoint ISC at a glanceISC (SaaS)multi-tenant platformHR System (Auth)Active DirectorySaaS AppsVirtual ApplianceAI Insights
Identity Security Cloud is a multi-tenant SaaS platform; the Virtual Appliance bridges it to on-premises sources.
Figure 2 — IdentityIQ vs Identity Security Cloud
IdentityIQ is the on-premises platform; ISC is the SaaS evolution with continuous updates and VA-based on-prem connectivity.IdentityIQ vs Identity Security CloudIdentityIQ (on-prem)Java EE, self-hostedDeep BeanShell customisationFull data controlManual patching requiredISC (SaaS)Multi-tenant microservicesContinuous SailPoint updatesVA for on-prem sourcesNo infrastructure to manage
IdentityIQ is the on-premises platform; ISC is the SaaS evolution with continuous updates and VA-based on-prem connectivity.
Name ISC, not just IdentityNow

In a 2026 SailPoint interview, say 'Identity Security Cloud (ISC)' rather than 'IdentityNow' — SailPoint officially rebranded the SaaS platform as ISC, and using the current name signals you are up to date. Interviewers notice candidates who still default to the old name as a sign they haven't worked with the platform recently.

Quick check · Q1 of 10 · Remember

What is the primary role of the Virtual Appliance (VA) in SailPoint Identity Security Cloud?

Correct: b. The Virtual Appliance is a lightweight VM deployed in the customer's network that creates an outbound encrypted tunnel to ISC, allowing the cloud platform to reach on-premises sources like Active Directory without inbound firewall ports. Cloud-native SaaS sources can connect without a VA using SaaS Connectors.
👉 So far: SailPoint IGA = who has access, is it appropriate, how was it granted. IdentityIQ = on-prem Java. ISC (Identity Security Cloud) = multi-tenant SaaS with Virtual Appliance for on-prem sources. Core modules: Lifecycle, Certifications, Access Requests, SoD, Role Management, AI Insights.

② Lifecycle & Provisioning — joiner-mover-leaver, Sources and plans

Q: Explain the joiner-mover-leaver (JML) lifecycle in SailPoint ISC.

Model answer: The JML lifecycle is the core provisioning engine in ISC. A Joiner event occurs when a new identity appears in the authoritative source (usually an HR system); ISC detects it on the next account aggregation, applies birthright provisioning rules (role assignments based on attributes like department and location) and provisions accounts to the required target systems. A Mover event occurs when attributes change (e.g. department transfer); ISC revokes roles that no longer apply and grants new ones matching the new profile. A Leaver event occurs on termination; ISC triggers de-provisioning — disabling accounts, removing group memberships, revoking entitlements — within the defined SLAs. The whole flow is automated, audit-logged and measurable, replacing manual ticket-based processes.

Q: What is a Source in SailPoint ISC, and what is account aggregation?

Model answer: A Source is ISC's representation of any connected system — Active Directory, an HR platform, Salesforce, a database, or a custom application. Each Source has a connector (the technical integration) and a schema (which attributes to collect). Account Aggregation is the scheduled or on-demand process where ISC reads all accounts and entitlements from a Source into its identity warehouse. Aggregation feeds the identity cube — correlating accounts across sources to build a single identity view per person. Aggregation is the foundation: you cannot govern access you have not first discovered. Entitlement aggregation is a separate step that collects the available entitlements (groups, roles, permissions) from the source so ISC knows what can be granted or revoked.

Q: What is a provisioning plan and how does ISC build and execute one?

Model answer: A Provisioning Plan is the structured object ISC creates when it decides to change access on a target system. It contains account requests (create, modify, delete) and attribute/entitlement requests (add or remove a group, set a value). ISC builds a plan in response to a lifecycle event, an approved access request, or a certification revocation. Before committing, ISC runs the plan through Policy evaluation (SoD checks, pre-provisioning rules) and optionally an approval workflow. The plan is then dispatched to the target source's connector via the Provisioning Broker. If the connector is authoritative-provisioning-capable (direct connect), ISC sends the change and tracks the result; if not, ISC generates a manual work item for a human to execute. Every plan and its outcome is stored in the Provisioning History for audit.

Q: What is the difference between birthright provisioning and request-based provisioning?

Model answer: Birthright provisioning is automatic — access that ISC grants based on identity attributes (department, job code, location) without any request. A new hire in Finance automatically gets the Finance-standard accounts and entitlements defined in the role model. Birthright is managed through Role Assignment Rules or Population-based assignments in ISC. Request-based provisioning is on-demand — a user or manager opens an access request through the ISC portal (or via a Service Catalog integration) for additional access beyond the birthright baseline. Request-based flows always go through an approval workflow and optionally a SoD check before provisioning. The key governance point: birthright gives the minimum needed on day one; request-based handles exceptions and elevated access with full auditability.

Figure 3 — Joiner provisioning flow
A new hire in HR triggers aggregation, role assignment, plan build, policy check and provisioning to target systems.Joiner provisioning flowHR eventnew hire detectedAggregationidentity correlatedRole assignbirthright rulesProv planpolicy + approvalTarget systemsaccounts created
A new hire in HR triggers aggregation, role assignment, plan build, policy check and provisioning to target systems.
🏛
IdentityIQ vs ISC
tap to flip

IdentityIQ is on-premises, Java-based, deeply customisable. Identity Security Cloud (ISC) is the multi-tenant SaaS evolution with microservices, continuous updates, and a Virtual Appliance for on-prem sources.

🔄
Joiner-Mover-Leaver
tap to flip

Joiner: auto-provision birthright access on hire. Mover: revoke old roles, grant new ones on attribute change. Leaver: de-provision accounts and entitlements on termination. Every action is audit-logged.

📋
Certification Types
tap to flip

Manager (reviews direct reports), Entitlement Owner (reviews who holds an entitlement), Role Membership (reviews who holds a role), Source Owner (reviews all accounts on a source). Revoke decisions auto-generate provisioning plans.

🤖
SailPoint AI Features
tap to flip

Role Discovery: AI suggests business roles from access patterns. Access Insights: surfaces anomalous entitlements. Peer Group Analysis: flags access outliers. Harbor Pilot: AI agent for natural-language governance queries and decision support.

Always check aggregation before provisioning trouble

When a joiner is missing access or a mover still has old roles, the first diagnostic step is to confirm that the HR Source aggregation has run and the identity's attributes reflect the latest HR data. If aggregation is stale or the attribute that drives role assignment is missing, no provisioning plan will ever be generated — because ISC never saw the change. Check aggregation history before assuming a connector or workflow bug.

Quick check · Q2 of 10 · Apply

A new employee joins the Finance department. Which provisioning type automatically grants them the standard Finance accounts without any manual request?

Correct: c. Birthright provisioning grants access automatically based on identity attributes (department, title, location) via Role Assignment Rules attached to Business Roles — no request needed. Request-based provisioning handles exceptions beyond the birthright baseline. Manual provisioning and certifications serve different purposes.
👉 So far: Source = connected system with connector + schema. Aggregation = read accounts into ISC identity warehouse. Joiner = auto birthright provisioning. Mover = role delta (revoke old, grant new). Leaver = de-provision. Provisioning Plan = structured change object → policy check → connector → Provisioning History.

③ Certifications, SoD & Roles — campaign types and conflict detection

Q: What is an Access Certification campaign in SailPoint, and what types exist?

Model answer: An Access Certification campaign is a structured review process where designated reviewers — Remediators — examine user access and decide to Approve, Revoke, or Request a change. Campaigns are scheduled (quarterly, annually) or triggered by an event. ISC supports several campaign types: Manager Certification — a manager reviews all access held by their direct reports (the most common type); Entitlement Owner Certification — the owner of a specific entitlement or application reviews everyone who holds it; Role Membership Certification — a role owner reviews all identities assigned to that role; and Source Owner Certification — the owner of a connected source reviews all accounts on it. When a reviewer clicks Revoke, ISC auto-generates a provisioning plan to remove the access on the target system — closing the loop without a manual ticket.

Q: What is a Segregation of Duties (SoD) policy in SailPoint and how does it work?

Model answer: A Segregation of Duties (SoD) policy defines combinations of roles or entitlements that should never coexist on a single identity because together they enable fraud or error — for example, the ability to create a vendor and approve payment. ISC evaluates SoD policies in two contexts: during Access Requests (pre-provisioning — ISC blocks or warns before granting the conflicting access) and during Certifications (ISC flags existing violations so reviewers can remediate). SoD violations can be given a Policy Exception with an approver, business justification and an expiry date, which ISC tracks for audit. The compliance reporting view shows open violations, exceptions and remediation status — exactly what an auditor wants to see.

Q: How does SailPoint handle Role Management and what is the difference between a Business Role and an IT Role (Entitlement)?

Model answer: SailPoint's role model has two layers. IT Roles (also called Entitlement Roles or Provisioning Roles) map directly to a technical entitlement on a source — an AD group, a Salesforce permission set, a database account. They are the atomic grants that connectors actually provision. Business Roles are the business-language construct — a job function like 'Finance Analyst' that bundles one or more IT roles. A Business Role can have Required IT roles (always granted with the business role) and Permitted IT roles (the user may request these additionally). Assignment criteria (department, title, location) on the Business Role drive birthright provisioning. This two-layer model lets business stakeholders own the Business Roles without needing to understand the technical entitlements underneath. Role Discovery — an AI feature — analyses actual access patterns to suggest new business roles based on peer groups who share the same entitlements.

Q: What happens after a reviewer clicks Revoke in a certification campaign?

Model answer: When a reviewer marks an access item as Revoke in a campaign, ISC does not immediately remove access — it marks the decision and waits for the campaign to be signed off (or reaches the deadline). On campaign completion, ISC processes all Revoke decisions by auto-generating provisioning plans for each revoked item and dispatching them through the connector to the target source. If the connector supports direct provisioning, the group or account is removed automatically and the result is logged. If the connector is read-only (manual provisioning), ISC creates a work item assigned to the source administrator to perform the removal, and the campaign's remediation report tracks whether it was actioned. The full decision trail — who reviewed, what they decided, when it was remediated — is stored and reportable for audit.

Figure 4 — Access Certification flow
Campaigns move from launch through reviewer decisions, remediation plans and audit-ready reporting.Access Certification flowCampaign launchedscheduled or event-triggeredReviewer decisionsApprove / Revoke / ChangeRemediation plansauto-provisioning or work itemAudit reportingfull decision trail stored
Campaigns move from launch through reviewer decisions, remediation plans and audit-ready reporting.
'SoD is only checked at certification' mistake

A common slip is thinking SoD policies only fire during certification campaigns. In SailPoint ISC, SoD evaluation also runs during Access Requests — as a pre-provisioning check — so conflicting access can be blocked before it is ever granted. Naming both checkpoints (request-time and certification-time) is the answer interviewers want.

▶ Watch a joiner get provisioned — and see what breaks role assignment

Step through how a new hire gets access in SailPoint ISC. Press Play for the healthy joiner path, then Break it to see the classic missing-attribute failure.

① HR aggregationISC runs Account Aggregation on the HR Source. A new identity — 'Ravi, Finance, AP Clerk' — is detected and correlated into the identity warehouse.
② Role assignmentISC evaluates Role Assignment Criteria. The Business Role 'AP Clerk — Finance' matches on department = Finance and employeeType = fulltime, so the role is assigned.
③ Provisioning planISC builds a Joiner provisioning plan: create AD account, grant Finance ERP access. SoD policy runs — no violations. Plan approved automatically (no manual approval configured for birthright).
④ Accounts createdThe provisioning plan is dispatched via Direct Connect (AD) and SaaS Connector (ERP). Both succeed. Provisioning History shows Success. Ravi can log in on day one.
Press Play to step through a healthy SailPoint joiner provisioning flow. Then press Break it.
Quick check · Q3 of 10 · Understand

During an Access Certification campaign, a reviewer clicks Revoke on a user's Finance application entitlement. What does ISC do next?

Correct: b. ISC records all revoke decisions during the campaign; on completion or sign-off it processes them by generating provisioning plans dispatched to the target connector. It does not remove access immediately mid-campaign. If the connector is read-only, ISC creates a manual work item instead of auto-provisioning.
👉 So far: Certification types: Manager, Entitlement Owner, Role Membership, Source Owner. Revoke → plan on campaign close. SoD = conflicting role combos, checked at request-time AND certification-time. Policy Exception = approved violation with justification + expiry. Business Role bundles IT Roles; Role Discovery uses AI to suggest new roles.

④ AI, Connectors & Scenarios — intelligent governance and integration types

Q: What AI features does SailPoint Identity Security Cloud provide?

Model answer: SailPoint ISC includes several AI-driven capabilities that move governance from reactive to proactive. Role Discovery analyses the actual access patterns of identities across sources and uses machine learning to suggest new Business Roles based on groups of users who share similar entitlements — reducing the manual effort of role engineering. Access Insights surfaces anomalous access — entitlements held by an identity that are not typical for their peer group — flagging them for review. Peer Group Analysis calculates what access is normal for a given population (same department, title, location) so that outliers stand out during certifications. Harbor Pilot is SailPoint's AI agent that can answer natural-language governance questions, draft certification decisions and summarise access risk. These AI features give reviewers decision support so that certifications become targeted reviews of anomalies rather than rubber-stamp exercises on thousands of entitlements.

Q: What are the connector types in SailPoint ISC and when would you use each?

Model answer: ISC supports several connector patterns. SaaS Connectors (built on the SaaS Connectivity framework) are cloud-hosted, call the target application's REST API directly, and require no Virtual Appliance — ideal for modern SaaS applications like Salesforce, Workday, or GitHub. Direct Connect connectors are SailPoint-built connectors for common enterprise sources (Active Directory, LDAP, SAP) that run through a VA and support both read and provisioning. Custom/Flat-File connectors use CSV or delimited file drops via SFTP for systems with no live API — ISC reads the file, aggregates accounts, and provisions by generating an export file. Web Services connectors wrap a REST or SOAP API using a configuration-driven approach without custom code. The right choice depends on whether the target has a live API, is cloud or on-prem, and whether provisioning (write) capability is needed or read-only aggregation is sufficient.

Q: Walk me through how you would troubleshoot a provisioning failure in SailPoint ISC.

Model answer: Start with the Provisioning History on the identity's profile — it shows every plan, its status (Success, Failed, Pending), and the connector error message. If the plan shows Failed, the error text usually identifies whether the failure is an authentication error (connector credentials expired), a schema mismatch (an attribute required by the target is missing in the plan), a SoD policy block (the plan was rejected pre-provisioning), or an approval workflow issue (the request is stuck waiting for an approver). Check the Activity Log and the VA logs (if a VA-based connector) for the raw connector error. If the VA is suspect, confirm the VA cluster is healthy in Admin ▸ Connections ▸ Virtual Appliance Clusters. The gold troubleshooting sequence: Provisioning History → error detail → VA health → connector test → re-trigger the plan once fixed.

Q: Describe a real governance scenario — how would SailPoint handle a user transferring from Finance to Engineering?

Model answer: When the HR system updates the user's department from Finance to Engineering, ISC detects the attribute change on the next Source Aggregation (or via real-time event from the HRMS connector). ISC evaluates the Role Assignment Criteria: the Finance Business Role no longer matches (department ≠ Finance) and the Engineering Business Role now matches. ISC builds a Mover provisioning plan: revoke all IT roles tied only to Finance (remove Finance AD groups, revoke Financials application access) and grant the IT roles tied to Engineering (add Engineering AD group, grant the engineering-standard tools). The plan goes through the provisioning broker — direct provisioning where connectors support it, work items where they don't. The access certifications scheduled next quarter will reflect the new access profile. Any Finance entitlements that were explicitly requested (not birthright) flag as SoD risks if they now conflict with Engineering roles. The whole flow is automated, with every action in the Provisioning History for the auditor.

Figure 5 — Mover lifecycle flow
A department transfer triggers a Mover provisioning plan that revokes old roles and grants new birthright access automatically.Mover lifecycle flowHR updatedept changesAggregationattribute deltaRole deltarevoke + grantProv brokerplan dispatchedTarget systemsaccess updated
A department transfer triggers a Mover provisioning plan that revokes old roles and grants new birthright access automatically.

Priya at FinSecure Bank in Mumbai faces this

FinSecure onboarded SailPoint ISC six months ago. A new Accounts Payable joiner, Ravi, was hired last week. His HR record shows department = 'Finance' and title = 'AP Clerk', but three days later he still has no accounts provisioned to the Finance ERP or the corporate AD. The business is escalating.

Likely cause

The HR Source aggregation ran and created Ravi's identity in ISC, but the Business Role 'AP Clerk — Finance' has a Role Assignment Rule that checks both department = 'Finance' AND a custom attribute 'employeeType = fulltime'. Ravi's HR record was imported without the employeeType attribute populated, so the role never matched and no provisioning plan was generated.

Diagnosis

In ISC, navigate to the identity profile for Ravi — the Roles tab shows zero assigned roles. Check the Role Assignment Criteria for 'AP Clerk — Finance': the rule requires employeeType = fulltime. Check Ravi's identity attributes: employeeType is null. The Provisioning History shows no plans were ever triggered, confirming the role never matched.

Admin ▸ Identities ▸ [Ravi] ▸ Roles tab → Admin ▸ Role Management ▸ AP Clerk Finance ▸ Assignment Criteria
Fix

Two actions: (1) correct the HR source data so employeeType = fulltime is populated for Ravi (fix at source), then re-run Account Aggregation on the HR Source so ISC re-evaluates the role assignment. (2) Longer-term, review the Role Assignment Rule — if employeeType is unreliable, consider using a simpler criterion like department alone or adding a fallback default value in the source schema mapping.

Verify

After the aggregation re-run, Ravi's identity profile shows 'AP Clerk — Finance' in the Roles tab. The Provisioning History shows a new joiner plan with status Success. Ravi can log into the Finance ERP and AD within the connector's provisioning SLA. Priya confirms with the business and logs the root cause in the change record.

Quick check · Q4 of 10 · Analyze

A provisioning plan for a new joiner shows status 'Failed'. What is the first place to investigate in SailPoint ISC?

Correct: b. The Provisioning History on the identity's profile shows every plan, its status and the connector error message, which identifies whether the failure is an auth error, schema mismatch, SoD block or workflow issue. You then follow up with VA health checks and connector tests based on what the error says — not by rebooting blindly or recreating connectors.
👉 So far: AI features: Role Discovery, Access Insights, Peer Group Analysis, Harbor Pilot. Connector types: SaaS Connector (no VA, REST), Direct Connect (VA, enterprise sources), Flat-File (CSV/SFTP), Web Services (REST/SOAP config). Provisioning trouble: start at Provisioning History → connector error → VA health → connector test.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which SailPoint platform is on-premises, Java-based, and supports deep BeanShell customisation?

Correct: a. IdentityIQ (IIQ) is SailPoint's on-premises, Java EE-based platform that supports deep customisation via BeanShell and Java workflows, and gives the customer full control of the infrastructure. ISC is the multi-tenant SaaS platform; VA is the on-prem bridge; Harbor Pilot is the AI agent.
Q6 · Understand

Why does SailPoint ISC require a Virtual Appliance when connecting to an on-premises Active Directory?

Correct: c. ISC is a multi-tenant SaaS product hosted in the cloud, so it cannot initiate connections into a private corporate network. The Virtual Appliance is deployed inside the customer network and creates an outbound encrypted tunnel to ISC, bridging the gap without inbound firewall rules. Cloud SaaS sources use SaaS Connectors that connect without a VA.
Q7 · Apply

A user is trying to get both 'Create Vendor' and 'Approve Payment' access in SailPoint ISC, but the access request is blocked. What is the most likely reason?

Correct: c. SoD policies define forbidden combinations of roles or entitlements that enable fraud if held together. ISC evaluates SoD at access request time (pre-provisioning), blocking or warning before the conflicting access is granted. A VA being offline would cause aggregation failures, not policy blocks; campaign status is unrelated to request-time SoD.
Q8 · Apply

Which campaign type would you use to have each application owner review everyone who currently holds access to their specific entitlement?

Correct: d. Entitlement Owner Certification assigns each entitlement's designated owner as the reviewer for all identities holding that entitlement — perfect for application-level access reviews. Manager Certification has managers review their direct reports across all access. Source Owner reviews all accounts on a source. Role Membership has role owners review who is in each role.
Q9 · Analyze

A provisioning plan for a new joiner shows 'Failed' with the error 'missing required attribute: employeeId'. Where is the root cause most likely?

Correct: b. A 'missing required attribute' error means the connector needs a value (employeeId) to perform the provisioning action, but that attribute is either not mapped in the Source schema or is null on the identity. The fix is to add the attribute mapping in the Source configuration and re-aggregate, or populate the value directly. SoD errors have different messages; VA firmware and certification status are unrelated to attribute schema errors.
Q10 · Evaluate

Your organisation wants to reduce the effort of annual access certifications by focusing reviewers only on access that looks anomalous for each user's peer group. Which SailPoint ISC AI feature supports this?

Correct: c. Access Insights combined with Peer Group Analysis calculates what access is normal for a given population (same department, title, location) and surfaces entitlements that are outliers for that identity — so reviewers focus on anomalies rather than rubber-stamping thousands of normal entries. Harbor Pilot assists with queries but does not fully replace reviewers; SaaS Connectivity is about connector architecture; Role Discovery is about role engineering, not certification focus.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is a provisioning plan in SailPoint ISC, and what lifecycle events trigger one? Then compare with the expert version.

Expert version: A Provisioning Plan is the structured object SailPoint ISC builds when it decides to change access on a target system — it contains account requests (create, modify, or delete) and entitlement requests (add or remove groups or permissions). ISC generates provisioning plans in response to three joiner-mover-leaver lifecycle events: a Joiner (new identity detected in an authoritative source triggers birthright provisioning), a Mover (identity attribute change causes a role delta — old roles revoked, new roles granted), and a Leaver (termination triggers de-provisioning of all governed accounts). Plans also arise from approved Access Requests and from Revoke decisions in Access Certification campaigns. Before executing, each plan passes through SoD policy evaluation and any configured approval workflow, then the result — success or failure with the connector error — is stored in the Provisioning History for audit.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

IGA
Identity Governance and Administration — the discipline of managing who has access to what across all systems, ensuring access is appropriate and certifying it continuously.
Identity Security Cloud (ISC)
SailPoint's multi-tenant SaaS IGA platform (formerly IdentityNow), built on microservices, with continuous updates and VA-based connectivity to on-premises sources.
Virtual Appliance (VA)
A lightweight VM deployed in the customer network that creates an outbound encrypted tunnel to ISC, bridging cloud-hosted ISC to on-premises sources without inbound firewall ports.
Joiner-Mover-Leaver (JML)
The three core lifecycle events ISC governs: Joiner (new hire — birthright provisioning), Mover (role/attribute change — access delta), Leaver (termination — de-provisioning).
Provisioning Plan
The structured object ISC builds for a change action — containing account and entitlement requests. Validated against SoD policies and approval workflows before dispatch to the target connector.
Access Certification
A structured review campaign where designated Remediators approve or revoke user access. Types: Manager, Entitlement Owner, Role Membership, Source Owner. Revoke decisions auto-generate provisioning plans.
SoD (Segregation of Duties)
Policies that define conflicting role or entitlement combinations that must not coexist on one identity. ISC evaluates SoD at both Access Request time and during Certifications.
SaaS Connector
A cloud-hosted connector built on SailPoint's SaaS Connectivity framework that calls a target application's REST API directly from ISC, requiring no Virtual Appliance.
Role Discovery
An AI feature in ISC that analyses actual access patterns across identities and uses machine learning to suggest new Business Roles based on groups sharing similar entitlements.
Harbor Pilot
SailPoint's AI agent in ISC that responds to natural-language governance queries, assists with certification decisions, and summarises access risk for reviewers.

📚 Sources

  1. SailPoint — Identity Security Cloud (ISC): platform architecture and multi-tenant SaaS overview. documentation.sailpoint.com
  2. SailPoint — Virtual Appliance clusters: connecting ISC to on-premises sources. documentation.sailpoint.com
  3. SailPoint — SaaS Connectivity framework: building cloud-native connectors without a VA. developer.sailpoint.com/docs/connectivity/saas-connectivity
  4. SailPoint — Access Certifications: campaign types, remediators, and remediation plans in ISC. documentation.sailpoint.com
  5. SailPoint — AI-driven identity security: Role Discovery, Access Insights, Peer Group Analysis and Harbor Pilot. documentation.sailpoint.com/saas/help/ai/index.html
  6. SailPoint — Segregation of Duties policies: request-time and certification-time evaluation in ISC. documentation.sailpoint.com

What's next?

Done with the interview prep? Go deeper on SailPoint design — provisioning plan architecture, building custom connectors with the SaaS Connectivity framework, campaign configuration, SoD policy design, and managing an enterprise from the Identity Security Cloud admin console.

Next · All interview lessons → Practice on exam.techclick.in →