When you think of Cybersecurity what do you think of?
When I think of cybersecurity, I think of protecting data, networks and systems from authorized access, breaches and threats.
How do you know what to configure in SailPoint?
We configure Sailpoint based on the requirements defined in user stories. Our team follows an Agile process with two-week sprints, and each user story outlines who the change is for and why it’s needed.
That’s how we determine what to configure or automate in SailPoint for each task.
Explain one functional requirement which you did related to data warehousing
One functional requirement I worked on involved integrating SED data into the data warehouse and configuring automated notifications. When new or updated SED data was loaded, SailPoint triggered notifications to alert the relevant teams.
This ensured data availability, timely updates, and transparency in data processing — improving the efficiency of our data management workflows.
What is the basic difference between Functional Requirement vs Non Functional Requirement?
Functional requirements define what the system should do. This includes specific actions or features such as user provisioning, access request or notifications.
Non-functional requirements define how the system should perform. This covers aspects like performance, security, scalability and usability.
For ex: A functional requirement might be automating user account creation, while a non-functional one could be ensuri
What is IAM?
Identity and Access Management is the framework of policies, technologies and processes used to ensure that the right individuals have the right access to the right resources at all times.
It involves managing user identities, controlling access permissions, and enforcing security policies across systems and applications.
Why do we need IAM?
IAM is needed for security, compliance and operational efficiency. It helps organizations:
Prevent unauthorized access to sensitive data and systems.
Ensure users receive timely and appropriate access when they join, move, or leave.
Maintain audit trails for regulatory compliance.
Reduce manual errors and administrative overhead through automation.
What does SailPoint do?
SailPoint is an Identity Governance and Administration (IGA) platform that automates and governs user access across the organization.
It provides capabilities such as:
User lifecycle management (Joiner–Mover–Leaver automation)
Access requests and approvals
Access certifications and attestation
Policy and role management
Access reviews and audit reporting
SailPoint ensures every user has appropriate, least-privilege access based on their role and responsibilities.
What business problem does SailPoint solve?
SailPoint addresses the problem of access governance — ensuring users have the minimum required access to perform their jobs while maintaining security and compliance.
It automates provisioning and deprovisioning, reduces manual access administration, and provides clear visibility for audits and regulatory reporting.
Scenario: You have integrated an HR application into SailPoint. When you open the identity, it is blank; you can't see the attributes showing values. (Delimited)
If the identity attributes are not showing values after integration, the first step I would take is to run an Identity Refresh task in SailPoint. This task recalculates and updates the identity attributes based on the latest data from the connected application.
Specifically, I would go to the Identity Refresh Task settings, ensure that “Refresh Identity Attributes” is checked, and then execute the task. This ensures SailPoint pulls and maps the correct attribute values (like name, department, or employee ID) from the HR source into the identity cube.
If the issue persists after the refresh, I would verify that the attribute mappings between the HR application schema and SailPoint identity attributes are configured correctly in the application definition or aggregation configuration.
In SailPoint, which application would we select as “operator/authoritative (?)”?
Only HR System
How do you know something got changed in the file? How does SailPoint detect it?
SailPoint detects changes by comparing the application account attributes from the source system or file against the values already stored in SailPoint — not the identity attributes.
During aggregation, SailPoint reads the current data from the connected source (like a flat file or HR system) and compares it with the existing account attributes in its database. If there’s any difference — for example, a change in department, title, or manager — SailPoint recognizes that as an update and triggers the necessary provisioning or policy actions.
In short, SailPoint uses the account attribute values as the point of reference to detect changes, not the identity attributes.
What does correlation mean?
Correlation in SailPoint means linking user accounts from target applications (like payroll, HR, or finance systems) to a single identity in SailPoint. It helps SailPoint know which accounts belong to which user, so all their access across different applications is tied to one identity record.
Who will set up the SailPoint server?
DevOps Team: Sets up and deploys the SailPoint application.
Windows Team: Manages and maintains the servers.
Networking Team: Manages the load balancer.
SQL Team: Handles the SQL database setup and maintenance.
How can you use an API call over the internet to call data or to call an API from your local system?
You can use the Postman Agent, which allows your local system to send API requests over the internet.
It acts as a bridge between your local environment and external APIs, converting local calls into internet-based requests.
What are basic HTTP operations?
Get, Post, Put, Patch, Delete
Get - Get Data
Post - creation of a new thing (new item, new object)
Put - modify something as a whole
Patch - Partial modification (one attribute)
Delete - delete entire thing
Do not use Head or Options in SailPoint
How can you make a role requestable in SailPoint?
Entitlement catalog, export and import back
How many approval levels can we set for a role?
As many levels as we would like
Can you provide comments while you are requesting a role?
Yes, you can
If you want to grant a role to 1,000 users, how would you do that?
You would use the Add Role command, batch request
How do you know that the application team has granted access?
You will typically get an email or notification that the team has completed it
Which is the most secure authentication method?
OAuth2
What are the authentication methods available in a web service connector?
OAuth2 (Most Secure)
API Token (Used for dummy testing)
Basic Authentication (user/password)
No / Custom Authentication
What are the Grant Types available?
Client Credentials
Refresh Token
JWT - Uses Private Key
Password
SAML Bearer Assertion - Uses SAML Assertion / Request Body
What is a parent endpoint?
Chaining 2 HTTP calls. It occurs when an initial API call does not provide all the necessary information, requiring a subsequent API call to a different endpoint to retrieve complete data
How do you get all attributes from multiple endpoints in SailPoint?
If some attributes come from one endpoint and others from another, you can:
Use a parent endpoint to link both endpoints.
Define two HTTP operations:
First operation retrieves the attributes from the first endpoint.
Second operation retrieves the remaining attributes from the second endpoint.
In the parent endpoint, reference the second operation so SailPoint combines the data from both calls into a single identity record.
If I have 3 endpoints, what will the parent endpoint be?
The parent endpoint will always be the primary HTTP operation from the primary identity attribute
Which application type will you use to integrate an API based application?
Web Services
What level of customization have you done from a web service standpoint?
I have customized the SuccessFactors integration by creating web service calls to connect with its APIs.
How do you identify the risk of a person?
I implement an identity-based risk model in SailPoint that evaluates user entitlements and application risk.
What measures do you take to avoid a cyber attack?
We monitor dormant or inactive accounts and track high-risk accounts that exceed a set threshold (e.g., 500 points).
Reports are generated and sent daily to the risk management team.
Based on the reports, we configure risk models and workflows to mitigate threats and enforce standard operating procedures, reducing the chance of cyber or data theft.
Where do you get logs for any system errors?
In the system logs in Advanced Analytics
What is a Parent Endpoint? Why is it useful?
A parent endpoint in SailPoint is used to link multiple HTTP operations from different endpoints.
It allows you to combine attributes from multiple sources into a single identity.
Example: First endpoint provides first and last name, second endpoint provides email; the parent endpoint links them so all attributes are captured together.
Which operation would you use to assign access to a user in a web service connector?
“Add Entitlement”; go through all the operations that are available in web services
How do you assign access automatically based on location or department?
We configure a Business Role in SailPoint and set up an Assignment Rule.
The rule checks specific user attributes (e.g., location, department).
If the user matches the criteria, the Business Role is automatically assigned, granting access to the relevant applications.
This ensures users get the right access by default without manual intervention.
Have you worked on Roles and Business Roles?
Yes. We use Business Roles to assign IT roles and entitlements automatically based on user attributes such as location, department, or job function.
Existing and new employees can be granted access by default according to these assignment criteria.
This ensures consistent, automated access provisioning and reduces manual effort.
What is a Birthright Role and how do you assign it?
A Birthright Role is a set of default accesses or entitlements given to a new employee.
You configure the applications and entitlements within the Birthright Role.
You define assignment criteria (e.g., department, location, job function).
When a new user joins and meets the criteria, the Birthright Role is automatically assigned, giving them the necessary access by default.
What is the authentication method that we use in SuccessFactors? How do you get these credentials? Where do you get these credentials?
We use OAuth 2.0 for authentication.
The application team provides the credentials, usually as a certificate.
What are the account types that you can manage via SuccessFactors?
Employees and Users
Employees are a subset of users including active users and inactive users. Users are the full set of accounts in the organization, including employees, onboarding users, temporary workers, and terminated users.
How would you explain to an Application team why you are integrating SailPoint with SuccessFactors?
We are part of the IAM Transformation team, focused on automating access management across the organization. SuccessFactors is our HR system of record, so integrating it with SailPoint allows us to import all user information and manage the Joiner–Mover–Leaver (JML) process automatically.
Purpose: Ensure users get the right access when they join, move roles, or leave, while removing manual processes.
Business Outcome: Improves security, efficiency, and audit compliance.
Authorization: This integration is approved by the IAM Transformation leadership team.
Data Use: We use SuccessFactors data to create accounts, assign access, and deprovision users based on their employment status.
Goal: Maintain accurate access records and enforce least-privilege access for all employees.
In short, this integration helps us automate user access, maintain compliance, and reduce manual effort.
Why are we integrating the Target Application (S/4HANA)?
We’re integrating SAP S/4HANA with SailPoint as part of our IAM transformation to automate user access management. The goal is to eliminate manual work and improve security and compliance.
Through this integration, SailPoint will automatically provision and revoke roles in SAP. When a user joins or requests access, approvals will flow through SailPoint, and roles will be assigned automatically. When a user leaves, their access will be automatically removed.
To complete the integration, we’ll need connection details — such as the URL, username, password, and a role details file path — along with admin-level access to set up and manage the connector.
Have you worked on SuccessFactors Integration? What is Picklist Mapping?
Yes. Picklist Mapping is used when an attribute has multiple possible values (e.g., “Employee Type”). It defines which value should be used or selected when SailPoint calls the API, ensuring the correct data is mapped and processed during integration.
Can you define some additional attributes in SuccessFactors? Is it possible?
Yes, it is possible
Have you worked on policies in SailPoint? Have you configured policies? What policies have you configured?
Yes, I have configured policies in SailPoint.
Policies are usually configured for business applications like SAP S/4HANA, payroll, billing, inventory management, and invoicing.
Example: For the payroll application, I set up policies to enforce access rules, SOD (separation of duties), and compliance requirements to ensure users have the correct access without violating governance standards.
What can you customize in SailPoint?
You can customize watermarks, branded images, UI, UI settings, and anything in the UI
Where can you define the assignment criteria in which type of role?
Only in a business role can you define assignment criteria.
Have you worked on certifications? What certifications have you worked on?
Targeted - Based on filter.
Manager - Who reports to that manager
Application Owner - Whoever has access to that application will be included.
Entitlement Owner - Whoever has access to that entitlement will be included in the campaign.
What are the different stages of a certification?
Creation phase, where you create the certification
Staging period, an optional phase you can use to test or validate a certification before sending it to reviewers.
Active phase, the review period when the reviews are performed, that is, when all decisions that are required for the access review are made.
Challenge phase, an optional period when users can challenge all revocation requests if any of their roles, entitlements, or account group access are being removed.
Revocation period, the period when all revocation work is completed. When the revocation phase is entered, revocation can be done either automatically or manually.
End. If a Revocation phase is not enabled for the certification, revocations can be done during the end period.