IdentityIQ-Associate Certification Exam Guide + Practice Questions Updated 2026

Explanation:
No. This statement more accurately describes IdentityIQ connector technology, not Lifecycle Manager. In IdentityIQ, connectors and application definitions are responsible for communicating with external systems such as enterprise applications, cloud platforms, directories, databases, operating systems, and other infrastructure components. They support activities such as account aggregation, entitlement collection, schema handling, and, where supported, provisioning operations back to the target system.
Lifecycle Manager is a functional area of IdentityIQ focused on managing access changes through controlled business processes. It supports access requests, approvals, lifecycle events, self-service actions, provisioning policy evaluation, and fulfillment of approved changes. Lifecycle Manager may use connectors during provisioning, but it is not itself the technology that performs collection of identity access data from external applications.
The distinction is important: aggregation and connectivity belong to applications/connectors, while Lifecycle Manager governs request-driven and event-driven access changes. Therefore, the provided description does not correctly describe Lifecycle Manager.
Reference topics: Foundational Concepts, IdentityIQ components, Applications and connectors, User-Driven Requests, Lifecycle Events, and Provisioning.

Explanation:
Yes. In SailPoint IdentityIQ, the Active period is the main review window of a certification campaign. During this period, assigned certifiers review the certification items and make access decisions such as approve, revoke, delegate, allow exception, or otherwise act according to the certification configuration. This is the required operational phase in which reviewers complete their access review responsibilities before the certification moves into later lifecycle stages.
The Active period is distinct from other certification timing or processing stages.
For example, generation prepares the certification contents, while challenge and remediation periods may occur after reviewer decisions depending on campaign configuration. The Active period specifically represents the time when certification decisions are expected to be made by the responsible reviewers.
Therefore, the definition is accurate because it correctly identifies the Active period as the required review period for certification decision-making.
Reference topics: Governance, access reviews, certification lifecycle, Active period, certification decisions, certifier work items, challenge period, remediation, and certification sign-off.

Explanation:
Yes. In SailPoint IdentityIQ, certifications are governance objects used to perform access reviews over identities, accounts, entitlements, roles, policy violations, and other reviewable access items. Certifications can be launched through scheduled campaigns, but they can also be manually created and executed by authorized users such as certification administrators or governance personnel. Manual creation is commonly used for targeted reviews, exception reviews, ad hoc compliance activity, application-specific reviews, manager reviews, or validation of a defined population of identities.
When a certification is created, IdentityIQ generates review items and assigns them to appropriate certifiers based on the certification type and configuration. The certification then proceeds through its lifecycle phases, which may include generation, active review, challenge, remediation, and sign-off. Reviewers can approve, revoke, delegate, or otherwise act on access items according to the certification configuration.
Therefore, the statement is accurate because IdentityIQ supports both scheduled and manually initiated certifications for reviewing user access.
Reference topics: Governance, access reviews, certification creation, certification execution, certification phases, certifier assignment, and remediation processing.

Explanation:
The statement is false. In IdentityIQ, an account attribute is defined within a specific application account schema and represents data stored on an account link for that application. Its value is obtained from the account data aggregated from that particular application connector.
For example, an account attribute such as memberOf, department, title, or accountStatus belongs to the account schema of a defined application and is populated from that application’s aggregation results.
The concept of sourcing values from several applications applies more directly to identity attributes, not account attributes. Identity attributes reside on the IdentityCube and may be derived from authoritative sources, account links, rules, mappings, or precedence logic across multiple applications. IdentityIQ uses identity attribute configuration to normalize data such as department, location, manager, email, or lifecycle state at the identity level.
Therefore, while multiple applications may contain similarly named account attributes, each account attribute value is tied to its own application account schema and account link. It is not a single shared account attribute sourced from several applications.
Reference topics: Applications ― account schema attributes; Identity Modeling ― identity attributes versus account attributes; Identity Refresh ― updating IdentityCube attributes.

Explanation:
Yes. In SailPoint IdentityIQ provisioning, the system evaluates the requested access change in the context of the identity’s existing application accounts. When a provisioning request requires a modification on an application, IdentityIQ must determine whether the identity already has an account, represented by a Link, on that application. If no existing account is available and the requested change requires one, IdentityIQ can include account creation as part of the provisioning activity before applying attribute or entitlement modifications.
This behavior is central to request-based provisioning.
For example, if a user requests an entitlement on an application where they do not yet have an account, IdentityIQ cannot simply add the entitlement to a nonexistent account. The provisioning process must first establish the account, collect required values through provisioning policies, and then apply the requested access. The provisioning plan may therefore be expanded or adjusted during compilation and fulfillment.
Therefore, the statement is true: IdentityIQ can determine whether an account must be created before modification.
Reference topics: Provisioning, provisioning plan processing, account requests, provisioning policies, account creation, entitlement modification, and plan compilation.