IdentityIQ-Associate SailPoint Exam Lab Questions

The statement is false. IdentityIQ does not apply a universal rule that removes uncorrelated IdentityCubes after 30 days. Uncorrelated accounts or uncorrelated identity records result from aggregation and correlation processing when IdentityIQ cannot confidently associate an account from an application with an existing IdentityCube. These records remain available for administrative review and remediation until they are resolved through correlation logic, manual correlation, re-aggregation, identity refresh activity, or configured cleanup processes.

The key point is that retention and removal behavior is configuration-driven, not controlled by a fixed 30-day product rule. Administrators may use tasks, aggregation settings, pruning behavior, or lifecycle processes to clean up stale identity or account data, but such actions depend on implementation choices and task configuration. IdentityIQ preserves uncorrelated data because it may represent a real account requiring governance, certification, policy evaluation, or investigation.

Therefore, the assertion that uncorrelated IdentityCubes are automatically removed after 30 days is incorrect. Reference topics: Applications, uncorrelated account resolution, correlation configuration, aggregation results, IdentityCube association, identity refresh, and administrative cleanup tasks.

Yes. In SailPoint IdentityIQ, BeanShell rules used during aggregation are optional processing extensions, and task configuration can control whether rule processing is applied for a particular aggregation run. Aggregation itself is performed through the application definition, connector, schema, and aggregation task. Rules may be added to customize behavior, such as transforming incoming account data, applying custom correlation logic, handling identity creation, or modifying account information before it is stored.

Because rules can significantly affect aggregation behavior, IdentityIQ provides task-level controls that allow administrators to disable rule processing when appropriate. This can be useful for testing connector behavior, isolating troubleshooting scenarios, improving performance during certain runs, or validating source data without custom transformation logic. When rule processing is disabled, aggregation relies on standard connector and configuration behavior rather than custom BeanShell execution.

Therefore, the statement is accurate. Rule execution is not mandatory for aggregation and can be controlled from the task definition. Reference topics: Applications, aggregation tasks, BeanShell rules, connector configuration, account schema, correlation rules, creation rules, and aggregation task options.

No. The “Detect deleted accounts” aggregation task option is not used to ignore accounts that were previously deleted from IdentityIQ. Its purpose is to compare the accounts returned by the current aggregation with the accounts already stored in IdentityIQ for that application. When an account exists in IdentityIQ but is no longer found in the authoritative aggregation results from the source application, IdentityIQ can treat that account as deleted or removed from the target system.

This option helps keep IdentityIQ’s account inventory accurate by identifying stale Links that remain in IdentityIQ even though the corresponding account is no longer present on the application. It is especially important for governance accuracy because certifications, policy checks, identity warehouse views, and access reporting rely on current account and entitlement data.

The statement is incorrect because it reverses the behavior. Detecting deleted accounts is about recognizing accounts missing from the source during aggregation, not ignoring newly returned source accounts that were once deleted in IdentityIQ.

Reference topics: Applications, aggregation task options, account aggregation, deleted account detection, Link maintenance, IdentityCube account data, and application data reconciliation.

The statement is false. The Identity Refresh task does not execute aggregation rules configured on an application definition. Aggregation rules are part of the application aggregation process, where IdentityIQ connects to a source system, reads account or group data, applies connector and application-level processing, and stores account links, entitlement values, and related data in the IdentityIQ repository.

The Identity Refresh task operates after data is already present in IdentityIQ. Its function is to update IdentityCubes and recalculate identity-level governance information. Depending on selected options, Identity Refresh may update identity attributes, refresh role assignments, detect assigned or detected roles, evaluate policies, process lifecycle events, refresh manager relationships, or recalculate risk and access-related identity state.

Application aggregation and identity refresh are separate task functions. Aggregation obtains and normalizes data from applications; Identity Refresh interprets and recalculates identity governance state using that aggregated data. Therefore, rules tied specifically to aggregation on the application definition are execute during aggregation, not during Identity Refresh.

Reference topics: Identity Modeling — Identity Refresh task options; Applications — aggregation rules and application definitions; Foundational Concepts — tasks and workflows.