
100+ Free IIQ Engineer Practice Questions

Pass your SailPoint Certified IdentityIQ Engineer exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
~55-65% Pass Rate
100+ Questions
100% Free
Question 1

An application cannot be provisioned directly, so IdentityIQ assigns an application owner to make the access change manually. What object is typically created for that owner?


2026 Statistics

Key Facts: IIQ Engineer Exam

  • Exam Questions: ~60 (SailPoint)
  • Exam Duration: 105 min (SailPoint)
  • Passing Score: 70% (SailPoint)
  • Exam Fee: $250 (SailPoint)
  • Certification Validity: 2 years (SailPoint)
  • Scripting Language: BeanShell (SailPoint IdentityIQ)

The IIQ Engineer exam has approximately 60 questions in 105 minutes with a 70% passing threshold. Key domains: identity model and aggregation, provisioning and lifecycle events, roles and SoD, certification campaigns, and BeanShell/workflow development. Hands-on IdentityIQ experience and Java/BeanShell familiarity are required. The exam fee is $250, and the certification is valid for 2 years.

Sample IIQ Engineer Practice Questions

Try these sample questions to test your IIQ Engineer exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In SailPoint IdentityIQ, what is an 'Identity Cube'?
A. A hardware appliance that stores identity data on-premise
B. The aggregated identity record for a user that contains all accounts, entitlements, roles, and attributes sourced from connected applications
C. A reporting template that displays identity compliance metrics
D. A network segmentation policy that restricts identity provider communication
Explanation: The Identity Cube is SailPoint IdentityIQ's central data model for a user identity. It aggregates all identity information — accounts across all connected applications, entitlements, roles, attributes, policy violations, and certifications — into a single unified identity record. All IdentityIQ processes operate against these identity cubes.
2. What is the purpose of 'Application Onboarding' in SailPoint IdentityIQ?
A. Installing IdentityIQ software on a new server application
B. Connecting a new authoritative or managed system to IdentityIQ so its accounts and entitlements are aggregated and governed
C. Granting a user access to a new application via the access request module
D. Creating a new role definition for application-specific entitlements
Explanation: Application Onboarding in IdentityIQ is the process of configuring a new system (HR system, Active Directory, Salesforce, SAP, etc.) as a connected source. It involves setting up the connector (type, host, credentials), configuring the account and entitlement schema, defining aggregation schedules, and establishing provisioning settings so IdentityIQ can manage access on that application.
3. In IdentityIQ, what language is used for writing custom Rules?
A. Python 3
B. BeanShell (a Java scripting language)
C. JavaScript (Node.js)
D. PowerShell
Explanation: SailPoint IdentityIQ rules are written in BeanShell, which is a Java-compatible scripting language. BeanShell scripts can use the full Java API and IdentityIQ's SailPointContext to perform custom logic for provisioning rules, correlation rules, attribute transformations, approval workflows, and other customizations. Knowledge of BeanShell/Java is essential for IdentityIQ engineers.
4. What is a 'Lifecycle Event' in SailPoint IdentityIQ?
A. A scheduled report generation triggered by calendar dates
B. A triggered business process (joiner, mover, leaver) that automatically provisions or deprovisions access when an identity attribute changes
C. A compliance policy that defines which roles trigger a Separation of Duties violation
D. A connector event raised when an application's account data schema changes
Explanation: Lifecycle Events in IdentityIQ are automated business process triggers that execute when identity attributes change. Classic examples are the 'Joiner' (new hire), 'Mover' (role/department change), and 'Leaver' (termination) events. When these conditions are met, IdentityIQ automatically provisions entitlements, revokes access, triggers approval workflows, or performs other configured actions.
5. What is the difference between a 'Business Role' and an 'IT Role' in IdentityIQ?
A. Business Roles are created by HR; IT Roles are created by security engineers — there is no technical difference
B. Business Roles define groupings of entitlements from a business function perspective and are assigned to identities; IT Roles define technical entitlements on specific applications and are typically contained within Business Roles
C. Business Roles are for provisioning; IT Roles are for certification campaigns only
D. Business Roles require manager approval; IT Roles are auto-approved
Explanation: In IdentityIQ's role model hierarchy, Business Roles represent job functions (e.g., 'Sales Representative') and are assigned to identities based on their HR attributes. IT Roles contain the actual technical entitlements required on specific applications (e.g., Salesforce 'Read' access). Business Roles contain or reference IT Roles, providing a business-understandable abstraction over technical access grants.
6. In IdentityIQ, what is 'Aggregation' and when does it occur?
A. The process of combining multiple IdentityIQ deployment nodes for high availability
B. The process of reading account and entitlement data from connected applications and updating IdentityIQ's identity cube data
C. The accumulation of policy violations before they are sent in a batch notification
D. The merging of duplicate identity records into a single identity cube
Explanation: Aggregation is the core data collection process in IdentityIQ where the platform reads account, entitlement, and group data from connected applications (Active Directory, LDAP, SAP, Salesforce, etc.) and stores it in IdentityIQ's database to populate identity cubes. Aggregation runs on configurable schedules and is the foundation for accurate access visibility and governance.
7. What is 'Correlation' in the context of SailPoint IdentityIQ?
A. Matching application accounts to IdentityIQ identity records based on defined rules to build the identity cube
B. Creating relationships between roles and entitlements in the role catalog
C. Aligning compliance policies to specific regulatory frameworks
D. Comparing access request approvals against historical provisioning patterns
Explanation: Correlation in IdentityIQ is the process of associating aggregated accounts from managed applications with the correct identity records (identity cubes). Correlation rules use attributes (e.g., employee ID, email, username format) to match an account in Salesforce or Active Directory to the correct person's identity cube. Uncorrelated accounts appear as orphaned or unmanaged accounts.
8. What is a 'Certification Campaign' in IdentityIQ?
A. A marketing initiative to increase IdentityIQ user adoption within the organization
B. A periodic review process where managers or application owners certify whether users' access is still appropriate and revoke excess entitlements
C. An automated provisioning workflow triggered when a new application is onboarded
D. A test campaign that verifies IdentityIQ policy rules are correctly configured
Explanation: Certification Campaigns (also called access reviews or recertifications) in IdentityIQ are scheduled or ad-hoc reviews where designated reviewers (managers, application owners, or others) examine assigned access and certify whether each entitlement is still appropriate. Items that are not certified can be automatically revoked, supporting access governance and compliance with least privilege principles.
9. In IdentityIQ, what is 'Separation of Duties' (SoD) and how is it enforced?
A. SoD ensures IT and business teams use separate IdentityIQ deployment environments
B. SoD policies define conflicting combinations of roles or entitlements that a single user should not hold, and IdentityIQ detects violations during provisioning and certification
C. SoD requires that access requests are approved by two separate managers before provisioning
D. SoD automatically expires access after a defined time period to prevent accumulation
Explanation: Separation of Duties (SoD) is a compliance control requiring that conflicting functions be held by different people — for example, the ability to create a vendor and approve payment should not be held by the same person. IdentityIQ's Policy module allows defining SoD policies as pairs or sets of conflicting entitlements/roles, then automatically detects violations during provisioning requests and certification reviews.
10. What is 'Provisioning' in IdentityIQ and which two primary methods does it support?
A. Provisioning is the process of deploying IdentityIQ to a new server; it supports cloud and on-premise deployment
B. Provisioning is creating or modifying access on target applications; it supports direct connector-based provisioning and manual work items for applications without connectors
C. Provisioning is the process of backing up IdentityIQ configuration; it supports local and remote backup
D. Provisioning is user training on IdentityIQ; it supports self-service and instructor-led methods
Explanation: Provisioning in IdentityIQ is the process of creating, modifying, enabling, or disabling accounts and entitlements on target applications based on identity governance decisions. It supports two methods: (1) direct connector-based provisioning where IdentityIQ's connector sends commands directly to the application API/directory, and (2) manual provisioning work items where IdentityIQ notifies an application admin to perform the change manually.

About the IIQ Engineer Exam

The SailPoint Certified IdentityIQ Engineer certification validates expertise in implementing and administering SailPoint IdentityIQ — the on-premise enterprise identity governance platform. It covers the Identity Cube data model, application onboarding and connectors, aggregation and correlation, provisioning workflows, lifecycle events, role and entitlement governance, certification campaigns, SoD policy enforcement, and BeanShell rule and workflow development.

  • Questions: 60 scored questions
  • Time Limit: 105 minutes
  • Passing Score: 70%
  • Exam Fee: $250 (SailPoint)

IIQ Engineer Exam Content Outline

  • Architecture and Identity Model (~20%): Identity Cubes, authoritative sources, application onboarding, connectors, aggregation, group aggregation, correlation rules, orphan accounts, Tomcat/PostgreSQL deployment
  • Provisioning and Lifecycle Management (~25%): Provisioning Plans (AccountRequest operations), lifecycle events (Joiner/Mover/Leaver), Identity Refresh, attribute synchronization, password sync, Provisioning Transaction Log
  • Roles, Entitlements, and Policy (~20%): Business Roles, IT Roles, Entitlement Catalog, Role Mining, managed attributes, SoD policies, policy violations, risk scoring, provisioning policies/forms
  • Certification Campaigns (~15%): Campaign types (Manager, App Owner, Entitlement Owner), campaign lifecycle, delegation, revocation remediation, AI recommendations, compliance reporting
  • Rules, Workflows, and Administration (~20%): BeanShell rules, SailPointContext API, Rule Libraries, workflows, work items, XML import/export, iiq console, audit configuration, task results, partitioning

How to Pass the IIQ Engineer Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 60 questions
  • Time limit: 105 minutes
  • Exam fee: $250

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

IIQ Engineer Study Tips from Top Performers

1. Master the Identity Cube concept — understand it as the aggregated identity record containing all accounts, entitlements, roles, and attributes
2. Know the Provisioning Plan object model deeply — AccountRequest operations (Create, Modify, Enable, Disable, Unlock, Delete) and what each does
3. Understand the Identity Refresh task thoroughly — know what it recalculates and why you run it after aggregation
4. Learn BeanShell/Java fundamentals if you don't already know Java — the SailPointContext API is essential
5. Study SoD policies and the violation lifecycle (detection, notification, remediation, exception)
6. Know the three types of Certification Campaigns (Manager, App Owner, Entitlement Owner) and what each reviews
7. Use the SailPoint Compass community — real implementation discussions are invaluable exam preparation
8. Hands-on lab time in an IdentityIQ environment is essential — install a trial version for practice

Frequently Asked Questions

What is the SailPoint Certified IdentityIQ Engineer certification?

The IdentityIQ Engineer certification validates expertise in implementing and operating SailPoint IdentityIQ — the on-premise enterprise identity governance and administration (IGA) platform. It tests knowledge of the identity data model, provisioning workflows, role governance, certification campaigns, SoD policy enforcement, and BeanShell/workflow development.

How many questions are on the IdentityIQ Engineer exam?

The IdentityIQ Engineer exam has approximately 60 questions to be completed in 105 minutes. The passing score is 70%. Questions include multiple choice, multiple select, and scenario-based formats that test both conceptual understanding and practical implementation knowledge.

What BeanShell skills are tested?

The exam tests BeanShell rule development fundamentals including: using SailPointContext to access and modify IdentityIQ objects, writing correlation rules, attribute rules, and provisioning rules, creating and using Rule Libraries for code reuse, and avoiding performance anti-patterns (loading all objects without pagination, not calling context.decache()). You should be able to read and understand BeanShell code snippets.

What are the most important topics to study?

Focus heavily on: (1) the Provisioning Plan and AccountRequest object model — how provisioning operations work, (2) Lifecycle Events and the Joiner/Mover/Leaver pattern, (3) Identity Refresh and what it recalculates, (4) SoD policies and violation handling, and (5) Certification Campaign types and the remediation process. These represent the core of day-to-day IdentityIQ engineering work.

What is the difference between aggregation and correlation in IdentityIQ?

Aggregation is the process of reading account and entitlement data from a connected application and storing it in IdentityIQ's database. Correlation is the subsequent process of matching those aggregated accounts to the correct identity records (Identity Cubes) using matching rules (e.g., account email matches identity email). Aggregation brings data in; Correlation assigns that data to the right identity owner.