000-006

IBM Tivoli Identity Manager V5.1 Implementation

Version 3.0

QUESTION NO: 1

Which two join directives can be used when multiple provisioning policies affect the same
account? (Choose two.)

A. Xor

B. Not

C. And

D. None

E. Union

Answer: C, E

QUESTION NO: 2

Which two options should be included in a custom adapter design document? (Choose two.)

A. supported platforms, Java version, log file locations

B. input requirements, installation instructions, prerequisites

C. process flow diagram, debugging information and log file information

D. prerequisites, supported platforms, process flow diagrams, source code

E. security certificate configuration, installation location, input requirements

Answer: B, C

QUESTION NO: 3

Click the Exhibit button.

Based on the organization chart and list of roles, which option is correct for this IBM Tivoli
Identity Manager V5.1 configuration?

A. A user in the On Demand Incorporated business unit can be granted the DESIGNER
organizational role.

B. Only users in the Engineering and any sub tree business units can be granted the DESIGNER
organizational role.

C. A provisioning policy with DESIGNER organizational role as membership can only be
created in the Engineering business unit.

D. Users in the On Demand Incorporated and sub tree business units will automatically be
granted the EMPLOYEE organizational role

Answer: A

QUESTION NO: 4

Which information is stored in a certificate used to secure the connection between IBM Tivoli
Identity Manager Server and its adapters?

A. certificate expiration date

B. certificate encryption type

C. certificate requester's name

D. certificate encryption strength

Answer: A

QUESTION NO: 5

The Business Continuity Review describes the system availability characteristics of the solution
design. In a typical high availability (HA) configuration, a load balancer is configured in front of
several peer masters for the directory server. Which statement is true regarding load balancing in
an IBM Tivoli Identity Manager (Tivoli Identity Manager) HA solution design?

A. If a primary master goes down, all traffic to that master is held until the master is available

B. Load balancing of write traffic is unwise, because it leads to a possibility of an update conflict

C. If the primary system goes down, the remaining systems do not need to be able to bear the
work load.

D. The Tivoli Identity Manager dataservices component will assist the load balancer in the
redirecting of requests to one of the other replicated Tivoli Identity Manager servers.

Answer: B

QUESTION NO: 6

Which steps are needed to create the password policy design?

A. define password policy scope, select password settings, document password policy design

B. define password policy requirements, analyze password settings, document password policy
design

C. gather current password settings, analyze password policy, define password scope, document
password policy design

D. gather password policy requirements, define password policy scope, define password settings,
document password policy design

Answer: D

QUESTION NO: 7

Which option is relevant to gathering requirements and creating an IBM Tivoli Identity Manager
(Tivoli Identity Manager) system architecture document?

A. formulate list of questions, identify interviewees, identify timelines for project
phases, and delegate responsibility

B. formulate list of questions, identify interviewees, identify network topology, and
ensure business continuity planning

C. formulate list of questions, identify interviewees, discuss organization chart
structure, and discuss Tivoli Identity Manager ACI and group security model

D. discuss firewall rules, discuss certificate installations for HTTPS communication, and discuss
Tivoli Identity Manager Web application security and hijack-prevention features

Answer: B

QUESTION NO: 8

Which sequence of actions best describes a secure practice for sensitive data in an IBM Tivoli
Identity Manager (Tivoli Identity Manager) database?

A. Schedule periodic database backups regularly in order to prevent losing sensitive data.

B. Enable security on the WebSphere Application Server and disallow running the WebSphere
Application Server using a non-root account.

C. Restrict network traffic to those ports or systems needed by the deployment only. If you write
your own application and use a Tivoli Identity Manager API to retrieve sensitive data, encrypt
the data before sending it over the network.

D. Restrict operating system access to database files. Limit the privileges of the operating system
accounts (administrative, root-privileged, or DBA) to the least privileges needed, change the
default passwords, and enforce periodic password changes.

Answer: D

QUESTION NO: 9

Given the desired services list and organization structure design, which two options are essential
to create a service design? (Choose two.)

A. Define reporting data.

B. Validate human resource data.

C. Define organization requirements.

D. Gather platform business processes.

E. Gather IBM Tivoli Identity Manager access requirements

Answer: C, D

QUESTION NO: 10

In which formats can reports from the IBM Tivoli Identity Manager user interface be generated?

A. PDF, CSV

B. TXT, XML

C. PDF, TXT

D. HTML, PDF

Answer: A

QUESTION NO: 11

A simple IBM Tivoli Identity Manager (Tivoli Identity Manager) implementation running on a
Windows-based server includes a single AIX platform with two adapters (UNIX and DB2).
What are two necessary considerations when creating an upgrade planning document for this
scenario?

A. middleware versions and domain trust relationships

B. secure FTP constraints and domain trust relationships

C. middleware versions and operating system release levels

D. secure FTP constraints and operating system release levels

Answer: C

QUESTION NO: 12

Which two options describe components of the Self-Service User Interface that can be included
in the customization design? (Choose two.)

A. changing the button text

B. changing the banner colors

C. creating a custom workflow approval process

D. changing the default lifecycle management flow

E. creating new views for IBM Tivoli Identity Manager groups

Answer: A, B

QUESTION NO: 13

When performing analysis for designing a global identity policy, which considerations are
essential?

A. UID constraints of each managed service type, and the erglobalid of the person object

B. which managed service has the least restrictive UID constraints, and the erglobalid of the
person objects

C. UID constraints of each managed service type, and which attributes are available from the
person objects

D. which managed service has the least restrictive UID constraints, and which attributes are
available from the person object

Answer: C

QUESTION NO: 14

Given the information in the sample Organization Chart, which three pairs of roles are valid in a
rule of a separation of duty policy? (Choose three.)

A. Operations and Web Page design

B. Development and Web page design

C. Operations and Production Web Team

D. Web page design and Production Web Team

E. Engineering and Web Infrastructure Engineering

F. Development and Web Infrastructure Engineering

Answer: A, D, F

QUESTION NO: 15

In preparation for an initial identity or Identity feed to IBM Tivoli Identity Manager (Tivoli
Identity Manager) V5.1, which two person attributes are required as a minimum in the feed?
(Choose two.)

A. Last Name (attribute sn)

B. Common Name (attribute cn)

C. Organizational Unit (attribute ou)

D. First Name (attribute givenname)

E. Employee Number (attribute employeeNumber)

Answer: A, B

QUESTION NO: 16

A customer has chosen to separate the administration in IBM Tivoli Identity Manager (Tivoli
Identity Manager) of some target application services and provisioning parameters using Tivoli
Identity Manager groups. Which two options will be required, as a minimum, to implement
security in this instance? (Choose two.)

A. group-based ACIs

B. service-based ACIs for the application services

C. account-based ACIs for the application targets

D. provisioning policy ACIs for the provisioning policies

E. organizational unit ACIs with services and policies defined at that level

Answer: B, D

QUESTION NO: 17

In a CSV identity feed, what is the definition of the name attribute?

A. the attribute that uniquely identifies the person

B. the attribute that contains the full name of the person

C. the attribute that is used by IBM Tivoli Identity Manager to resolve account ownerships
during reconciliations

D. the attribute that contains the fully qualified DN of the person in the IBM Tivoli Identity
Manager ou=person container

Answer: A

QUESTION NO: 18

The account and password design document indicates that new accounts and passwords are
initially set up by a designated security officer. Therefore, the notification is sent to the security
officer and is not sent to each account owner. Which two options can be configured to meet this
requirement? (Choose two.)

A. Modify the existing e-mail notification templates to add the custom recipient.

B. Design a new e-mail notification template and add to the list of available workflow
notification templates.

C. Configure a mail node in the operation workflow where the participant is a person with an e-
mail account.

D. The IBM Tivoli Identity Manager administrator would disable the New Account Notification
template and the New Password template in Configuration > Properties > Notification
Templates.

E. The IBM Tivoli Identity Manager administrator would disable the New Account Notification
template and the New Password template in Configure System > Workflow Notification
Properties.

Answer: C, E

QUESTION NO: 19

What is the proper ordering of tasks during an IBM Tivoli Identity Manager V5.1 solution
project?

A. solution design, installation, configuration, customization, testing, turn over

B. assessment, solution design, installation, customization, configuration, testing, turn over

C. assessment, solution design, installation, configuration, testing, customization, turn over

D. assessment, solution design, installation, configuration, customization, testing, turn over

Answer: D

QUESTION NO: 20

When can an IBM Tivoli Identity Manager (Tivoli Identity Manager) functional test case be
executed on a Tivoli Identity Manager adapter?

A. after performance tests on the adapter have been completed

B. after the adapter is installed and the corresponding service has been reconciled

C. when a remediation procedure exists as part of the risk assessment if the test case fails

D. after test cases on the Tivoli Identity Manager server configuration have been completed

Answer: D

QUESTION NO: 21

A backup design requiring backups of all IBM Tivoli Identity Manager (Tivoli Identity
Manager)-related components (WebSphere, LDAP, database) to occur at midnight has been
created. All Tivoli Identity Manager processes are quiesced for the duration of the backups. The
backups run successfully, and Tivoli Identity Manager is restarted. During the night an identity
feed runs, creating 1000 new employees. The identity feed specifies Use Workflow on the
service definition and both a Tivoli Identity Manager account and an AD account are
automatically provisioned for each person. Both services specify that noncompliance must be
corrected. The related provisioning policies use UID from the person object for eruid on both
services. An adoption policy exists for AD to search person objects for UIDs matching eruid
during reconciliation. The identity feed and all of its provisioning operations are completed by 3
a.m. At 7 a.m., a catastrophic hardware failure occurs against the Tivoli Identity Manager LDAP
and a restoration from the previous 12 a.m. backup must be performed.

Which actions must be taken to recover the updates to LDAP that occurred during the identity
feed and related provisioning activities?

A. Rerun the identity feed exactly as it was originally run.

B. Rerun the identity feed with Use Workflow disabled. Then perform reconciliation against the
Tivoli Identity Manager service specifying policy checking.

C. Rerun the identity feed, disabling Use Workflow. Then perform reconciliation against the AD
service specifying that policy checking not be performed during the reconciliation.

D. Make the AD provisioning policy manual. Rerun the identity feed as it was originally run.
Then perform reconciliation against the AD service specifying that policy checking be performed
during the reconciliation. Make the AD provisioning policy automatic.

Answer: D

QUESTION NO: 22

Which two options would be included in a customization design? (Choose two.)

A. definitions of e-mail content for all approval e-mails

B. JavaScript for the Active Directory service identity policy

C. a matrix of requirements for password policies for all UNIX platforms

D. requirements for JavaScript extensions that will be used in workflows

E. requirements for a service provider that will be used to interface with the managed platform
using Web Services

Answer: D, E

QUESTION NO: 23

Which three recertification reports can be requested? (Choose three.)

A. Recertification Policies Report

B. Recertification Completion Report

C. Recertification Compliance Report

D. Recertification Change History Report

E. Recertification Accounts/Access Pending Report

F. Accounts/Access Pending Recertification Report

Answer: A, D, F

QUESTION NO: 24

Which steps are needed to create an organization structure design from an existing organization
and reporting structure?

A. define organization structure, review organization structure with customer, document
organization structure

B. review organization and reporting structure, formalize organization structure, document
organization structure

C. gather organization structure requirements, discuss alternatives, formalize organization
structure, document organization structure

D. gather organization structure requirements, formalize organization structure, review
organization structure with customer, document organization structure

Answer: C

QUESTION NO: 25

Which basic tasks should a recertification process include?

A. user notification, user acknowledgment

B. user notification, user acknowledgment, logging

C. manager notification, manager approval, logging

D. user notification, user acknowledgment, manager approval, logging

Answer: B

QUESTION NO: 26

Which option would be most appropriate to include in a lifecycle management design?

A. provisioning policy definition

B. the requirements for dynamic role definition

C. reconciliation requirements for Active Directory

D. the requirements for how often to check for inactive accounts

Answer: D

QUESTION NO: 27

A. The request is escalated to the first-line manager peer, and the remaining workflows continue.

B. The Enterprise LDAP User account will not be created, and the remainder of the workflow
continues.

C. The Enterprise LDAP Global Administrator account will not be created, and the remainder of
the workflow continues.

D. All accounts for the user are created except for the Enterprise LDAP Global Administrator
account, and an escalation is sent to the Service Desk.

Answer: C

QUESTION NO: 28

Where do the assembly lines associated with RMI-based adapter functions reside?

A. IBM Tivoli Identity Manager LDAP

B. IBM Tivoli Identity Manager database

C. IBM Tivoli Identity Manager property files

D. IBM Tivoli Directory Integrator Solutions directory

Answer: A

QUESTION NO: 29

Which three database servers are supported by IBM Tivoli Identity Manager V5.1? (Choose
three.)

A. Oracle

B. MySQL Enterprise Edition

C. IBM DB2 Enterprise Edition

D. IBM Informix Dynamic Server

E. Sybase Adaptive Server Enterprise

F. Microsoft SQL Server Enterprise Edition

Answer: A, C, F

QUESTION NO: 30

On a single-server WebSphere configuration, where is the SelfServiceUI.properties file located?

A. <ITIM_HOME>/data

B. <WAS_PROFILE_HOME>\installedApps\<node_name>\itim_self_service.war

C. <WAS_PROFILE_HOME>\installedApps\<node_name>\ITIM.ear\itim_self_service.war

D. <WAS_PROFILE_HOME>\installedApps\<node_name>\ITIM.ear\itim_self_service.war/custom

Answer: A

QUESTION NO: 31

The process of creating a Certificate Signing Request with the adapter certificate tool would only
apply to which class of adapters?

A. JAAS-based

B. DAML-based

C. TDI/RMI-based

D. Secure FTP-based

Answer: B

QUESTION NO: 32

Which two steps are required to independently install IBM Tivoli Directory Integrator (Tivoli
Directory Integrator) on a separate computer? (Choose two.)

A. Read the IBM Tivoli Identity Manager (Tivoli Identity Manager) release notes relating to
support levels of Tivoli Directory Integrator and fixes required.

B. After Tivoli Identity Manager is installed, the agentless adapters and the adapter profiles are
automatically installed on the computer that hosts Tivoli Identity Manager.

C. After Tivoli Identity Manager is installed, the agentless adapters are automatically installed.
Manually install the adapter profiles on the computer that hosts Tivoli Identity Manager.

D. After Tivoli Identity Manager is installed, manually install the 5.1 agentless adapters provided
with the product on the computer that hosts Tivoli Directory Integrator. Manually install the
adapter profiles on the computer that hosts Tivoli Identity Manager.

E. After Tivoli Identity Manager is installed, the agentless adapters are automatically installed on
the computer that hosts Tivoli Identity Manager. Import the adapter profiles using the
Import/Export facility on the Tivoli Identity Manager administrative console.

Answer: A, D

QUESTION NO: 33

In a cluster installation, which option should be used to create the IBM Tivoli Identity Manager
V5.1 installation directories?

A. Directory name must be unique for all cluster members.

B. Directory name must be the same for all cluster members.

C. Directory name must contain the host name of the cluster members.

D. Directory should be shared among cluster members on a storage area network (SAN) drive

Answer: B

QUESTION NO: 34

Which two commands are used to schedule a report in IBM Tivoli Common Reporting? (Choose
two.)

A. trcmd -run

B. scheduler-run

C. scheduler-set

D. trcmd -distribute

E. scheduler –distribute

Answer: A, D

QUESTION NO: 35

What is the initial logon password for the itim manager user?

A. reset

B. admin

C. secret

D. itim mana

Answer: C

QUESTION NO: 36

What sets of areas can be disabled on the Self Service Console?

A. Banner area, Toolbar area, and Footer area

B. Banner area, Content area, and Footer area

C. Content area, Banner area, and Toolbar area

D. Navigation area, Toolbar area, and Content area

Answer: A

QUESTION NO: 37

Which statement is true regarding the function that post office configuration can provide?

A. The post office template can be cloned to reuse as different types of aggregate templates.

B. It allows a test of aggregation to be performed with chosen notification style from the
administrative console.

C. It controls the volume of e-mail notifications if post office is enabled globally and is not
disallowed by Workflow activities.

D. It provides the capability to configure an alert facility to indicate that e-mail notifications are
not being sent to the mail server

Answer: C

QUESTION NO: 38

Where are the challenge-response questions and answers stored?

A. enRole.properties file

B. IBM Tivoli Identity Manager Database

C. WebSphere Application Server database

D. IBM Tivoli Identity Manager LDAP Directory

Answer: D

QUESTION NO: 39

Which statement is true of Email Notification templates in IBM Tivoli Identity Manager (Tivoli
Identity Manager) V5.1?

A. JavaScript content or tags are only available to Plaintext and XHTML bodies when
customizing a Workflow Notification template.

B. The Tivoli Identity Manager Administrative Console will throw a parsing error if it finds a
dynamic content tag that is not recognized when saving an edited template.

C. The Manual Activity templates can be disabled by choosing the Disable option for the
template under Configure System > Workflow Notification Properties.

D. Mail templates saved using the Tivoli Identity Manager Mail activity template in Entitlement
or Operational Workflows are available under Configure System > Workflow Notification
Properties.

Answer: B

QUESTION NO: 40

Which two tasks can be included as direct URL links on the IBM Tivoli Identity Manager V5.1
Administrative Console home page? (Choose two.)

A. Manage service types.

B. Monitor recycle bin properties.

C. Set workflow notification properties.

D. Change core component logging levels.

E. Configure number of search results displayed on a panel

Answer: A, C

QUESTION NO: 41

Which option describes the choices for defining an e-mail activity template?

A. The system template can be modified.

B. User-defined templates are not allowed.

C. Only system-defined templates can be selected.

D. The system template can be copied and modified

Answer: D

QUESTION NO: 42

The join directive behavior for the provisioning policy for the ITIMService needs to be
customized. Which option is the correct method to change the join behavior?

A. From the navigation tree, select Manage Services> ITIMService > Configure Policy Join
Behaviors.

B. From the navigation tree, select Manage Policies > Manage Provisioning Policies, and click
Service Type to select ITIMService.

C. From the Tivoli Identity Manager administrative console, select Configuration > Policy, and
click Service Type to select ITIMService

D. From the navigation tree, select Configure System > Configure Policy Join Behaviors, and
click Service Type to select ITIMService.

Answer: D

QUESTION NO: 43

What are the two valid settings or behaviors for the enrole.workflow.notifypassword property?
(Choose two.)

A. True: e-mail notification of a password change is sent to the user.

B. False: e-mail notification of a password change is not sent to the user.

C. Sup: e-mail notification of a password change is not sent to the user; it is instead sent to his
supervisor (manager).

D. URL: e-mail notification of a password change is sent to the user. The e-mail contains a URL
where the user can obtain the password by entering his shared secret.

E. False: e-mail notification of a password change is sent to the user. The e-mail contains a URL
where the user can obtain the password by entering his shared secret.

Answer: A, E

QUESTION NO: 44

Which two of these entities can be customized? (Choose two.)

A. Person

B. Location

C. Admin Domain

D. Identity Manager User

E. BPerson (Business Partner Person)

Answer: A, E

QUESTION NO: 45

Where can a password policy for a service reside in the organizational chart in relation to its
target service?

A. It can only reside in the same business unit that contains the service.

B. It can reside in the same business unit that contains the service or above the business unit that
contains the service.

C. It can reside in the same business unit that contains the service, or below the business unit that
contains the service.

D. It can reside anywhere in relation to its target service because the location of the password
policy is driven by the location of the users to whose passwords it will apply.

Answer: B

QUESTION NO: 46

What JavaScript engine is used by IBM Tivoli Identity Manager V5.1 as a script interpreter?

A. IBM JSEngine

B. Windows Scripting Host

C. Rhino JavaScript Engine

D. PHP JavaScript Interpreter

Answer: A

QUESTION NO: 47

The IBM Tivoli Identity Manager (Tivoli Identity Manager) Server uses a placement rule to
determine where in the organization chart a person should be placed. Which statement is true
regarding placement rules?

A. Placement rules are only evaluated during an add operation.

B. Placement rules are written with JavaScript that returns the organization path in a common
name (cn) format.

C. Placement rules are written with JavaScript that returns the organization path in a
distinguished name (dn) format.

D. If organization information cannot be determined by the placement rule, then the person is not
added to the Tivoli Identity Manager directory

Answer: C

QUESTION NO: 48

Which option is vital to ensuring that IBM Tivoli Identity Manager is properly tuned?

A. Minimize the use of static roles.

B. Use dynamic roles whenever possible.

C. Ensure that all attributes used in searches are indexed in LDAP.

D. Place all ACIs as high as possible in the organization tree to ensure maximum coverage

Answer: C

QUESTION NO: 49

A fresh copy of IBM Tivoli Identity Manager (Tivoli Identity Manager) has been installed and
the Active Directory (AD) adapter profile has been imported. Where are the labels for the
attributes on the AD account form stored?

A. Tivoli Identity Manager database

B. Tivoli Identity Manager LDAP directory

C. Formtemplates.properties in <$itim_home>/data

D. CustomLabels.properties file in <$itim_home>/data

Answer: A

QUESTION NO: 50

Which three types of files control the appearance of the Self-Service user interface? (Choose
three.)

A. Properties configuration files

B. Java Archive (JAR) configuration files

C. Java Key Store (JKS) configuration files

D. HyperText Markup Language (HTML) files

E. Java Server Pages (JSP) configuration files

F. Cascading Style Sheet (CSS) configuration files

Answer: A, E, F

QUESTION NO: 51

Which two actions cause dynamic roles to be reevaluated? (Choose two.)

A. when the LDAP filter is modified

B. when a new ou is added to the organization tree

C. when a person entity's personal information is modified

D. when the IBM Tivoli Identity Manager LDAP schema is updated

E. when an associated provisioning policy is modified (one for which the role defines
membership)

Answer: A, C

QUESTION NO: 52

Which IBM Tivoli Identity Manager service types are available by default?

A. IDI data feed, HTTP identity feed, XML

B. RMI dispatcher, DAML service, Hosted service

C. DSML identity feed, CSV identity feed, Hosted service

D. LDAP service, Windows service, inetOrgPerson identity feed

Answer: C

QUESTION NO: 53

Custom workflow elements are registered with IBM Tivoli Identity Manager by editing which
file in the $ITIM_HOME/data directory?

A. enRole.properties

B. workflowextensions.xml

C. workflowDataSyntax.xml

D. workflowextensions.properties

Answer: B

QUESTION NO: 54

Which list displays all the entitlement workflow design elements available in IBM Tivoli
Identity Manager?

A. Approval, Loop, Subprocess, RFI, Operation, Work Order, Script, Extension

B. Approval, Mail, RFI, Operation, Loop, Extension, Script, Work Order, Subprocess

C. Approval, Loop, Subprocess, RFI, Operation, Event Notification, Script, Extension

D. Approval, Denial, Suspend, Subprocess, RFI, Operation, Work Order, Script, Extension

Answer: B

QUESTION NO: 55

Which two fields are required when an identity policy is defined? (Choose two.)

A. Name

B. Prefix

C. Business Unit

D. Common Name

E. Organizational Name

Answer: A, C

QUESTION NO: 56

Which option describes valid memberships for a Report ACI (an ACI that protects a Report
category item) in IBM Tivoli Identity Manager (Tivoli Identity Manager)?

A. members of an organizational role

B. members of a Tivoli Identity Manager group

C. the report owner, members of a Tivoli Identity Manager group

D. the supervisor of the business unit in which the user resides, members of a Tivoli Identity
Manager group

Answer: B

QUESTION NO: 57

The administrator has modified the system-defined add operation for the person entity type by
adding an approval node to the workflow. The requirements have changed, and the approval for
adding a new person is no longer required. The administrator would like to remove the approval
node from the workflow. Which activity should the administrator perform?

A. From Configuration > Entities, select the person entity. Select Define Operations. Select the
Add operation and Delete pushbutton option.

B. From Configure System > Manage Operations, select Entity type level and the Entity type of
Person. Select the Add operation and the Delete pushbutton option.

C. From Design Workflows > Manage Person Request Workflows, search for the Person Add
Workflow. Select the Default Person Add Workflow of type Entity override and Delete
pushbutton option.

D. From Configure System > Manage Operations, select Entity type level and the Entity type of
Person. Select the Add operation and the Change pushbutton option. Then remove the approval
node from the operation diagram.

Answer: D

QUESTION NO: 58

Which IBM Tivoli Identity Manager (Tivoli Identity Manager) users can approve exemptions to
Separation of Duty policy violations?

A. Only the Policy owner can approve exemptions to Separation of Duty violations.

B. Approval of exemptions to Separation of Duty policy violations is not allowed in Tivoli
Identity Manager.

C. Only members of the Tivoli Identity Manager Administrator Group can approve exemptions
to Separation of Duty violations.

D. Both members of the Tivoli Identity Manager Administrator Group and the Policy owner can
approve exemptions to Separation of Duty violations.

Answer: D

QUESTION NO: 59

Which two statements are true of service selection policies? (Choose two.)

A. Any JavaScript entered in the service selection script is syntax-checked before saving.

B. Deleting a service selection policy may result in the removal of previous accesses provided by
this policy.

C. Deleting a service selection policy will not result in the removal of previous accesses provided
by this policy.

D. After a policy is saved, it will perform an immediate evaluation, regardless of whether it is
enabled or disabled.

E. As a result of a service selection evaluation, IBM Tivoli Identity Manager V5.1 access
entitlements can be provisioned

Answer: B, E

QUESTION NO: 60

When specifying All Users in the Organization as the membership type for a provisioning policy,
which option describes the operation of the policy when a single service is specified as the
manual entitlement?

A. All users on the system can only have an account of the specified service.

B. Any user in the system is authorized to have an account on the specified service.

C. This policy overrides any automatic policy for the same service for all users in the system.

D. All users in the system will be provisioned an account on the specified service when the
policy is evaluated

Answer: B

QUESTION NO: 61

For IBM Tivoli Identity Manager (Tivoli Identity Manager) 5.1 DAML-based adapters, what
item relating to reconciliations can be configured using agentCfg?

A. use of xforms.xml

B. use of LDAP v3 reconciliation filters

C. specification of supporting-data-only reconciliation parameters

D. use of SSL communication with the Tivoli Identity Manager server

Answer: D

QUESTION NO: 62

Which default objectclass will IBM Tivoli Identity Manager V5.1 expect during an identity feed?

A. inetOrgPerson

B. hruserOrgPerson

C. distinguishedName

D. userPrincipalName

Answer: A

QUESTION NO: 63

A company uses PeopleSoft to generate a unique employee designator as each new employee is
entered into the HR system. IBM Tivoli Identity Manager has been configured to import the HR
data from PeopleSoft, including the unique identifier (gbcuid). As a policy, the company has
used the gbcuid attribute as the UID of its managed targets. During the implementation, which
action would the IBM consultants take to match the AD accounts to their corresponding person
entities and minimize any orphans?

A. Set the eraliases attribute to the gbcuid.

B. Configure the identity policy to return the gbcuid.

C. Create a dynamic role with the filter: (eralias=gbcuid).

D. Mimic the gbcuid algorithm with JavaScript for generating the uid attribute on the AD
entitlements form

Answer: A

QUESTION NO: 64

Click the Exhibit button. Based on the logical architecture, which action can be considered to
enforce provisioning policies on target resources during the identity feed process?

A. Configure adapters to enforce provisioning policies of new identities.

B. Enable workflow to enforce provisioning policies of incoming identities.

C. Initiate a reconciliation activity immediately on an identity feed service.

D. Schedule a reconciliation to run at a specific interval. During the reconciliation, IBM Tivoli
Identity Manager automatically enforces provisioning policies.

Answer: B

QUESTION NO: 65

Which two statements are true when enabling increased trace logging to help determine a
problem in IBM Tivoli Identity Manager? (Choose two.)

A. Set logger.trace.level=DEBUG_MAX in errorLogging.properties.

B. Set logger.trace.com.ibm=DEBUG_MAX in errorLogging.properties.

C. Set logger.trace.level=DEBUG_MAX in the file enRoleLogging.properties.

D. Turn on the setting logger.trace.logging=true in enRoleLogging.properties.

E. Configure the setting logger.trace.level=10 for maximum detail in the trace log

Answer: C, D

QUESTION NO: 66

Which statement is true of message, trace, and authentication log formats in IBM Tivoli Identity
Manager (Tivoli Identity Manager)?

A. All files are stored by Tivoli Identity Manager in XML format.

B. All files are stored by Tivoli Identity Manager in HTML format.

C. All files are stored by Tivoli Identity Manager in CTGIM format.

D. All files are stored by Tivoli Identity Manager in plaintext format

Answer: A

QUESTION NO: 67

After making changes to a custom adapter and reloading the profile into IBM Tivoli Identity
Manager (Tivoli Identity Manager) using the import capability, a test is run on the adapter. The
test results show that the changes did not appear to make any difference in the results. After
inspecting the IBM Tivoli Directory Integrator (Tivoli Directory Integrator) log file for the
adapter, the logging statements that were added do not appear to be logging any output. What is
one possible explanation for this behavior?

A. Logging is not supported in Tivoli Directory Integrator-based adapters.

B. The existing profile must be uninstalled before installing a new profile update.

C. The Tivoli Directory Integrator server was not restarted after the profile was reloaded.

D. Tivoli Identity Manager must be restarted after making any changes to the profile information

Answer: C

QUESTION NO: 68

Which command can be used on a UNIX system to collect data to be sent to a support
representative?

A. ffdc.sh

B. itiittbackup.sh

C. collect_ffdc.sh

D. serviceability.sh

Answer: D

QUESTION NO: 69

Which statement is true when evaluating a placement rule on an identity feed service?

A. The placement rule is only evaluated if the "Use workflow" option is checked.

B. The placement rule determines the placement of the identity into organizational roles.

C. The placement rule returns the organizational container where the identity is to be anchored.

D. The placement rule returns a true or false value to determine if an identity can be placed into
IBM Tivoli Identity Manager or not

Answer: C

QUESTION NO: 70

When migrating IBM Tivoli Identity Manager (Tivoli Identity Manager) from a test to a
production environment, which task is valid?

A. Export all the LDAP user accounts from test to production.

B. Use the Import/Export feature to migrate the Tivoli Identity Manager configuration.

C. Assign the Tivoli Identity Manager test server the same host name as the production server.

D. Copy all the IBM Tivoli Directory Server data files to the Tivoli Identity Manager production
system

Answer: B

QUESTION NO: 71

New accounts that are reconciled from a remote platform are put up for adoption through the
applicable adoption policy, or they are orphaned. What person attribute is matched against the
account eruid attribute by the default global adoption policy in IBM Tivoli Identity Manager
V5.1?

A. the sn attribute

B. the cn attribute

C. the uid attribute

D. the eraliases attribute

Answer: C

QUESTION NO: 72

After testing the SSL connection between the IBM Tivoli Identity Manager V5.1 server and the
directory server, the login fails. Which two options should be checked? (Choose two.)

A. The .der file is corrupted.

B. The truststore file is corrupted.

C. The path to the .der file is valid.

D. The path to the truststore file is valid.

E. The path to the ldapConfig file is valid

Answer: B, D

QUESTION NO: 73

What are the correct steps to set up a reconciliation of only supporting data after the service
definition has been created and reconciliation was not initially defined?

A. Supporting data can only be reconciled when the service is created


B. Existing service definitions are displayed by selecting Configure System > Managing Service
Types.

C. Existing service definitions are displayed by selecting Manage Services and then searching for
the specific service. When the service is listed, click the service name hyperlink to specify the
Query to Reconcile supporting data only.

D. Existing service definitions are displayed by selecting Manage Services and then searching
for the specific service. When the service is listed, selecting the icon next to the name of the
service will allow the administrator to set up Reconciliation and specify the Query to Reconcile
supporting data only.

Answer: D

QUESTION NO: 74

IBM Tivoli Identity Manager (Tivoli Identity Manager) development has released a fix pack to
address a specific problem that was found with the reporting module. Which three components,
at a minimum, should be backed up? (Choose three.)

A. JDK/SDK

B. Database

C. JMS queues

D. LDAP Directory

E. WebSphere Application Server configuration files

F. Data subdirectory of Tivoli Identity Manager installation directory

Answer: B, D, F

QUESTION NO: 75

When an AD Adapter is being upgraded, what consideration must be given to the ADK
component?

A. Any AD upgrade requires an ADK upgrade.

B. None; they can be upgraded independently of each other.

C. The ADK must be at the same or higher level than the AD Adapter.

D. The AD Adapter and ADK are one component and are upgraded together

Answer: B

QUESTION NO: 76

The IBM Tivoli Identity Manager (Tivoli Identity Manager) system has been installed and
configured with the initial default parameter settings. The administrator detects rollback errors in
the trace.log. Which area of the Tivoli Identity Manager system should the administrator review
in order to eliminate the rollback errors?

A. Transaction rollbacks can be reduced or eliminated by creating additional indexes for the
Directory Server.

B. Transaction rollbacks can be reduced or eliminated by increasing the number of
max_connections for the IBM HTTP Server.

C. Transaction rollbacks can be reduced or eliminated by adjusting the database storage space or
database locking or database memory.

D. Transaction rollbacks can be reduced or eliminated by increasing the value of
SearchAIUmUsedTimeout parameter for the RMI Dispatcher

Answer: C

QUESTION NO: 77

Which two options are correct for configuring the recycle bin in IBM Tivoli Identity Manager
(Tivoli Identity Manager)? (Choose two.)

A. The recycle bin is disabled by default in Tivoli Identity Manager and must be enabled
explicitly.

B. The recycle bin age limit is the number of days, after which the recycle bin is emptied
automatically.

C. The recycle bin can be explicitly emptied by running the Tivoli Identity Manager runConfig
script and setting the Recycle Bin Age Limit parameter to 0 (zero).

D. The recycle bin age limit is the number of days after which an object in the recycle bin is
eligible for deletion by the Tivoli Identity Manager ldapClean cleanup script.

E. The recycle bin holds data objects that are deleted from the Tivoli Identity Manager LDAP
repository and the Tivoli Identity Manager database during the course of operations.

Answer: A, D

QUESTION NO: 78

Which option describes a prerequisite for installing an IBM Tivoli Identity Manager (Tivoli
Identity Manager) fix pack?

A. Stop the LDAP server that is used to contain the Tivoli Identity Manager data.

B. Install the WebSphere Update installer for the appropriate WebSphere version.

C. Make sure that the WebSphere server that is running the Tivoli Identity Manager application
is running.

D. Ensure that the SOAP request timeout value is set to 150 or less by using the
com.ibm.SOAP.requestTimeout property

Answer: B

QUESTION NO: 79

What is the main purpose of the IBM Tivoli Identity Manager recycle bin?

A. to enhance LDAP performance

B. to preserve a history of user IDs that have been used

C. to provide a ready-recoverability of inadvertently deleted objects

D. to provide a quick failover mechanism if IBM Tivoli Identity Manager LDAP fails

Answer: B

QUESTION NO: 80

IBM Tivoli Identity Manager (Tivoli Identity Manager) development has released a fix pack to
address a specific problem that was found with the reporting module. Which three components,
at a minimum, should be backed up? (Choose three.)

A. JDK/SDK

B. Database

C. JMS queues

D. LDAP Directory

E. WebSphere Application Server configuration files

F. Data subdirectory of Tivoli Identity Manager installation directory

Answer: B, D, F

QUESTION NO: 81

The e-mail business process design indicates that there will be a large number of e-mail
transactions. The IBM Tivoli Identity Manager (Tivoli Identity Manager) administrator has
configured the system to enable store forwarding with a collection interval of 60. Which of these
scenarios will occur?

A. When the collection interval expires and notifications are aggregated, and there is only one
notification for a given group e-mail topic, the message will be delivered using the post office
e-mail template.

B. All activities that generate e-mail notifications will be intercepted and held for 60 minutes.
After that time, notifications are aggregated into one e-mail based on the group e-mail topic
value and sent to the recipients.

C. All manual activities that generate e-mail notifications that have the Use Group E-mail Topic
enabled will be intercepted and held for up to 60 minutes. After that time, notifications are
aggregated into one e-mail based on the group e-mail topic value and sent to the recipients.

D. All manual activities that generate e-mail notifications that have the Use Group E-mail Topic
enabled will be intercepted and held for up to 60 seconds. After that time, notifications are
aggregated into one e-mail based on the group e-mail topic value and sent to the recipients.

Answer: C

QUESTION NO: 82

Which three statements are valid regarding the IBM Tivoli Identity Manager organization tree?
(Choose three.)

A. ACIs are attached to nodes in the organization tree.

B. After it is defined, an organization tree cannot be modified.

C. An organization tree can have multiple organizational units.

D. People are attached at a single point in the organization tree.

E. There can be only one organization at the top of the organization tree.

F. Locations, organizational units, and business partner organizations are technically different
containers

Answer: A, C, D

QUESTION NO: 83

A. Accounts for Active Directory, Enterprise LDAP User, and Exchange are provisioned
immediately. An approval request is sent to the Payroll system owner for approval of the Payroll
account. An approval request is sent to the Sales system owner for approval of the Sales account.
An approval request is sent to the Information Technology Risk group for approval of the Global
Administrator account and for justification information.

B. Accounts for Active Directory, Enterprise LDAP User, and Exchange are provisioned
immediately. An approval request is sent to the employee's first-line manager for approval of the
Payroll account. An approval request is sent to the Sales system owner for approval of the Sales
account. An approval request is sent to the Information Technology Risk group for approval of
the Global Administrator account and for justification information.

C. Accounts for Active Directory, Enterprise LDAP User, and Exchange are provisioned
immediately. An approval request is sent to the peer of the employee's first-line manager for
approval of the Payroll account. An approval request is sent to the Sales system owner for
approval of the Sales account. An approval request is sent to the Information Technology Risk
group for approval of the Global Administrator account and for justification information.

D. Accounts for Active Directory, Enterprise LDAP User, and Human Resources are provisioned
immediately. An approval request is sent to the peer of the employee's first-line manager for
approval of the Payroll account. An approval request is sent to the Sales system owner for
approval of the Sales account. An approval request is sent to the Information Technology Risk
group for approval of the Global Administrator account and for justification information.

Answer: B

QUESTION NO: 84

What is the key area of concern when considering the high availability (HA) design for the IBM
Tivoli Identity Manager (Tivoli Identity Manager) Application Server?

A. the directory server replication framework to eliminate single points of failure and provide
peer-to-peer failover for the Tivoli Identity Manager application server

B. the configuration of DB2 high availability disaster recovery (HADR) to eliminate single
points of failure and provide peer-to-peer failover for the Tivoli Identity Manager application
server

C. the configuration of the WebSphere Application Server vertical clustering to eliminate single
points of failure and provide peer-to-peer failover for the Tivoli Identity Manager application
server

D. the WebSphere Application Server high availability framework and configuration to eliminate
single points of failure and provide peer-to-peer failover for the Tivoli Identity Manager
application server

Answer: D

QUESTION NO: 85

Which two options should be included in a custom adapter design document? (Choose two.)

A. supported platforms, Java version, log file locations

B. input requirements, installation instructions, prerequisites

C. process flow diagram, debugging information and log file information

D. prerequisites, supported platforms, process flow diagrams, source code

E. security certificate configuration, installation location, input requirements

Answer: B, C

QUESTION NO: 86

Which option would be included in the lifecycle management design?

A. reconciliation schedule for all UNIX services

B. approval requirements for the Active Directory accounts

C. e-mail notification to the service owner when accounts are provisioned

D. e-mail notification requirements when a new IBM Tivoli Identity Manager identity is created
with an identity feed

Answer: D

QUESTION NO: 87

Which methodology can be used to extend the standard password rules?


A. None; password rules cannot be extended.

B. Password rules can be extended using JavaScript.

C. Password Java APIs can be used to extend password rules.

D. Password rules can be extended using the Pluggable Authentication Module (PAM)
framework

Answer: C

QUESTION NO: 88

Which two options are part of the customization design process? (Choose two.)

A. Test the customization.

B. Create a customization prototype.

C. Document the customization code.

D. Determine the customization scope.

E. Determine the feasibility of the customization

Answer: D, E

QUESTION NO: 89

Which two statements are true in relation to designing custom person entities? (Choose two.)

A. Required attributes must be specified in new entity objectclasses.

B. A custom person objectclass must have inetorgperson as its parent.

C. ACIs for the new person entities must be defined before the entity is created.

D. An objectclass can be used by multiple person entities in IBM Tivoli Identity Manager.

E. An entity's objectclass in IBM Tivoli Identity Manager can be named the same as the
objectclass in the customer's authoritative source directory.

Answer: B, E

QUESTION NO: 90

Click the Exhibit button.

A customer wants to translate the logical architecture into a physical model of the IBM Tivoli
Identity Manager (Tivoli Identity Manager) configuration. Which change must be made to
increase the security and performance of the IBM Tivoli Identity Manager (Tivoli Identity
Manager) configuration?

A. Keep the configuration as it is, no changes are needed.

B. Move the HTTP server to a standalone computer that has no other Tivoli Identity Manager
component.

C. Remove the HTTP server component and use built-in WAS HTTP service to improve
performance and avoid a security breach.

D. Establish a two-way SSL channel between the HTTP server and Tivoli Identity Manager.
Gain performance by keeping the HTTP server in the same Tivoli Identity Manager computer.

Answer: B

QUESTION NO: 91

Which information is stored in a certificate used to secure the connection between IBM Tivoli
Identity Manager Server and its adapters?

A. certificate expiration date

B. certificate encryption type

C. certificate requester's name

D. certificate encryption strength

Answer: A

QUESTION NO: 92

Which file in English locale contains the definition for the IBM Tivoli Identity Manager screen
text that can be customized?

A. enRole.properties

B. CustomLabels.properties

C. CustomScreenText_en.properties

D. SelfServiceScreenText_en.properties

Answer: D

QUESTION NO: 93

Which statement is correct regarding separation of duty rules?

A. Each separation of duty policy has no more than 7 rules.

B. With the use of a permit rule, a user can belong to all the roles in a given rule.

C. The number of roles that you allow to coexist must be at least one fewer than the number of
roles in the list.

D. Each rule must have one or more roles listed, the number of roles to which a user can belong
depends on the number in the list

Answer: C

QUESTION NO: 94

A customer is setting up a role-based access control (RBAC) model. Which relationship
(between organizational roles and another entity) must be primarily factored in when designing
organizational roles?

A. the relationship between organizational roles and provisioning policies

B. the relationship between organizational roles and workflow participants

C. the relationship between organizational roles and entitlement workflows

D. the relationship between organizational roles and IBM Tivoli Identity Manager groups

Answer: A

QUESTION NO: 95

What are the primary sources for gathering identity policy requirements?

A. IBM Tivoli Identity Manager System Architecture and IT Security account creation
procedures

B. IBM Tivoli Identity Manager Solution Design Document and IT Security account creation
procedures

C. IBM Tivoli Identity Manager System Architecture and the access control policies for the
customer's Web space

D. IBM Tivoli Identity Manager Solution Design Document and the access control policies for
the customer's Web space

Answer: B

QUESTION NO: 96

Which three options are valid membership types of a provisioning policy? (Choose three.)

A. All

B. None

C. Others

D. All other users

E. Organizational role

F. All users in the organization


Answer: D, E, F

QUESTION NO: 97

During an architecture discussion, a customer states that their company already has an extensive
LDAP infrastructure in place that supports the Enterprise Directory project. The Enterprise
Directory is currently provisioned by a feed from a human resources system. The eventual goal is
for IBM Tivoli Identity Manager (Tivoli Identity Manager) to provision the Enterprise Directory
so that other external applications can use it for authentication and authorization. As a result, a
significant amount of data interaction is expected to occur between Tivoli Identity Manager and
the Enterprise Directory. Which option would be appropriate for a Tivoli Identity Manager
architecture at the customer site?

A. Create a separate instance of the LDAP directory server to use for Tivoli Identity Manager.

B. Create a new suffix for Tivoli Identity Manager in the existing Enterprise Directory LDAP
directory server.

C. Create a new root for Tivoli Identity Manager under one of the existing suffixes in the
Enterprise Directory LDAP directory server.

D. Phase out the Enterprise Directory, because the Tivoli Identity Manager LDAP directory can
be positioned as the Enterprise Directory by augmenting its person and account attributes.

Answer: A

QUESTION NO: 98

When using the IBM Tivoli Identity Manager user interface, which categories can the report
templates be applied to?

A. Users, Accounts, Services, Custom

B. Requests, Services, Custom, Users

C. Requests, Users and Accounts, Services, Audit and Security, Custom


D. Transactions, Users and Groups, Services, Audit and Security, Custom

Answer: C

QUESTION NO: 99

A customer requires additional attributes as per their IBM Tivoli Identity Manager solution
design. Which base LDAP objectclass is used to extend the schema to add new attributes to
create a custom person class?

A. person

B. erPerson

C. erPersonItem

D. inetOrgPerson

Answer: D

QUESTION NO: 100

Identification of target platform business processes is essential to which IBM Tivoli Identity
Manager configuration task?

A. Adoption policies

B. Account recertification

C. Organization administration

D. Provisioning policy join directives

Answer: B

QUESTION NO: 101

Which post-upgrade validation test would verify that the custom entity object was intact?

A. creating a new person

B. modifying an existing ACI

C. creating a new dynamic role

D. scanning completed requests

Answer: A

QUESTION NO: 102

Which two statements are true of groups and ACIs in an out-of-the-box IBM Tivoli Identity
Manager (Tivoli Identity Manager) environment populated with some users and some basic
services reconciled? (Choose two.)

A. The default HelpDesk Assistant group allows members of that group to manage entitlement
workflows.

B. Groups define what tasks Tivoli Identity Manager users will see on the administrative console
through their group membership.

C. In the shipped product, default groups and default ACIs reflect the typical needs of
administrative users in Tivoli Identity Manager.

D. Access owners can access the basic services relating to their defined target group Accesses
without the need for additional ACIs.

E. Members of the default Auditor group need additional ACIs only to manage their directly
defined subordinates in Tivoli Identity Manager

Answer: C, D

QUESTION NO: 103

Which three recertification reports can be requested? (Choose three.)

A. Recertification Policies Report

B. Recertification Completion Report

C. Recertification Compliance Report

D. Recertification Change History Report

E. Recertification Accounts/Access Pending Report

F. Accounts/Access Pending Recertification Report

Answer: A, D, F

QUESTION NO: 104

Which option describes best practices for scheduling recertification in large organizations?

A. Schedule on a rolling basis.

B. Schedule all accounts for the end of the calendar year.

C. Schedule all accounts for the beginning of the calendar year.

D. Divide the accounts into quarters and schedule them on a quarterly basis

Answer: A

QUESTION NO: 105

Which test phase should occur first in an IBM Tivoli Identity Manager acceptance plan?

A. system testing

B. functional testing

C. performance testing

D. user acceptance testing

Answer: B

QUESTION NO: 106

A customer requires that mission-critical LDAP-based applications like IBM Tivoli Identity
Manager (Tivoli Identity Manager) use LDAP replication. The Tivoli Identity Manager recovery
design implements an LDAP master/replica topology. Which statement describes the actions that
must be taken to most quickly recover from a failure of the master LDAP?

A. Tivoli Identity Manager must be quiesced and pointed to the correct LDAP.

B. WebSphere must be stopped, pointed to the correct LDAP, and restarted.

C. Tivoli Identity Manager must be quiesced while the master LDAP is re-created from the
subordinate.

D. Tivoli Identity Manager will fail over automatically to the subordinate LDAP because of
properties specified in the enRoleLDAPConnection.properties file.

Answer: A

QUESTION NO: 107

Which task is least likely to be affected by client delays?

A. installation

B. assessment

C. customization

D. solution design

Answer: D

QUESTION NO: 108

Which two LDAP directory servers does IBM Tivoli Identity Manager V5.1 support? (Choose
two.)

A. OpenLDAP

B. Novell eDirectory

C. Microsoft Active Directory

D. Sun ONE Directory Server

E. IBM Tivoli Directory Server

Answer: D, E

QUESTION NO: 109

Why will a test of a DAML-based adapter fail?

A. HOSTADDR is incorrect in agentcfg.

B. SRV_PORTNUMBER is incorrect in agentcfg.

C. CA is not defined to WebSphere and USE_SSL is set to FALSE.

D. USE_SSL=FALSE in agentcfg and https:// is specified on the service form


Answer: D

QUESTION NO: 110

What configuration file is used to set up the default values for IBM Tivoli Common Reporting?

A. config.xml

B. defaults.xml

C. defaultsConfig.xml

D. reportingConfig.xml

Answer: D

QUESTION NO: 111

When installing IBM Tivoli Identity Manager V5.1 on a UNIX system, what is the log-in
account type requirement?

A. Root

B. Superuser

C. Administrator

D. Root Equivalent

Answer: A

QUESTION NO: 112


A customer has created a new custom Tru64 UNIX RMI-based agentless adapter profile using a
toolkit capability. The customer is ready to use this profile. If IBM Tivoli Directory Integrator is
installed on the same computer as IBM Tivoli Identity Manager, what is required for the
customer to use this particular profile?

A. Import the custom jar file using Import/Export from the administrative console; install the
adapter on the target.

B. Import the custom jar file using Import/Export from the administrative console; the adapter
profile is ready for use.

C. Import the custom jar file and the Service Definition file using the Import button on Manage
Services Types on the administrative console.

D. Click Create under Manage Service Types, define the new Service Type name, and then
browse for the new custom service schema on the LDAP class search facility.

Answer: C

QUESTION NO: 113

Generating a Certificate Signing Request (CSR) is Option A of which utility?

A. CertCfg

B. CertTool

C. agentCfg

D. agentTool

Answer: B

QUESTION NO: 114


Which file must be modified to change the background color in the IBM Tivoli Identity Manager
V5.1 Self-Service user interface?

A. nav.jsp

B. Home.jsp

C. console.css

D. SelfServiceUI.properties

Answer: C

QUESTION NO: 115

Which files can be checked to verify that IBM Tivoli Directory Server is running normally?

A. Ids.log and ids.trace

B. slapd.msg and slapd.trace

C. ibmslapd.log and db2cli.log

D. ibmlDS.log and ibmlDS.ffdc

Answer: C

QUESTION NO: 116

Which option lists a set of valid membership items for an ACI to protect a static organizational
role in IBM Tivoli Identity Manager (Tivoli Identity Manager)?

A. the owner of the role, the role members, and the administrator of the domain in which the
role resides

B. the owner of the role, the supervisor of the business unit in which the role resides, and
members of Tivoli Identity Manager groups

C. the supervisor of the role owner, the supervisor of the business unit in which the role resides,
and members of Tivoli Identity Manager groups

D. the supervisor of the business unit in which the role resides, the owner of the services that the
role grants access using provisioning policy, and members of Tivoli Identity Manager groups

Answer: B

QUESTION NO: 117

A fresh copy of IBM Tivoli Identity Manager (Tivoli Identity Manager) has been installed and
the Active Directory (AD) adapter profile has been imported. Extension attributes are added to
customize the AD profile. The account form labels for the new attributes are specified in which
two places? (Choose two.)

A. schema.dsml in the AD profile

B. Tivoli Identity Manager database

C. Tivoli Identity Manager LDAP directory

D. Formtemplates properties in <$itim_home>/data

E. CustomLabels.properties file in <$itim_home>/data

Answer: B

QUESTION NO: 118

Where are the challenge-response questions and answers stored?

A. enRole.properties file

B. IBM Tivoli Identity Manager Database

C. WebSphere Application Server database

D. IBM Tivoli Identity Manager LDAP Directory

Answer: D

QUESTION NO: 119

Under which three conditions are service selection policies evaluated? (Choose three.)

A. whenever a service instance is deleted

B. whenever the service selection policy script is changed

C. whenever an IBM Tivoli Identity Manager user's attributes are modified

D. whenever a provisioning policy that targets a service selection policy is changed

E. whenever a user is added to an organizational unit where a provisioning policy is defined

F. whenever a user is added to an organizational role (static or dynamic) that is a member of a
provisioning policy that targets such a service selection policy

Answer: B, C, F

QUESTION NO: 120

Which two Configure View options can be set for the IBM Tivoli Identity Manager V5.1
Administrative Console? (Choose two.)

A. View Accounts

B. Request Accounts

C. Change Passwords

D. Manage Adoption Policies

E. Change My Personal Profile

Answer: C, D

QUESTION NO: 121

Click the Exhibit button.

A priority-based provisioning policy join directive is in place. According to the information in
the table, which definition of erdivision, a single-valued attribute, will be valid during policy
validation including reconciliation with policy checking enabled?

A. An error will occur during evaluation.

B. Policy 2 has a higher priority, therefore erdivision will be set to divisionB.

C. divisionA can exist on the erdivision attribute. All other values are also valid.

D. Any value other than divisionB will be invalid because enforcement = Mandatory

Answer: C

QUESTION NO: 122

Which option describes the initial setting of the recycle bin in IBM Tivoli Identity Manager
(Tivoli Identity Manager) V5.1?

A. The recycle bin is disabled by default.


B. The recycle bin is enabled by default.

C. There is no recycle bin in Tivoli Identity Manager V5.1.

D. The recycle bin settings cannot be modified in Tivoli Identity Manager V5.1

Answer: A

QUESTION NO: 123

Which option describes the processing when two provisioning policies apply to a user for the
same service?

A. The provisioning request fails.

B. The policy with the lowest priority is the only one that is processed.

C. The policy with the highest priority is the only one that is processed.

D. The policies are joined according to the current join directives, and the resulting attribute
elements are provisioned

Answer: D

QUESTION NO: 124

When the IBM Tivoli Identity Manager administrator is searching for a user from the Manage
User > Select a User panel, the default value for Search By is set to Last Name. The
administrator would like to set the default value to MyCoUid, which is a unique identifier used at
MyCo. Which action must the administrator perform?

A. Using the Directory tools, remove the Last Name attribute and add the MyCoUid attribute.

B. From Manage Users > Advanced Search, modify the default search attribute for the Person
User type.

C. From Configure System > Manage Entities, modify the default search attribute on the Entity
Detail Information form.

D. From the Manage Users > Select a User panel, select MyCoUid from the drop-down Search
By list box and click Save

Answer: C

QUESTION NO: 125

How is the post office enabled for workflow activities?

A. Workflow activities cannot use the post office function.

B. On the Post Office configuration panel, select the General tab, select workflow activities, and
save the post office configuration.

C. Select the Notification tab on the workflow activity in the Workflow Designer, check the Use
Group Email Topic, enter a value, and save the workflow.

D. Open the Post Office configuration panel, select the Workflow tab, select the workflows that
will use the post office using the check boxes, and save the post office configuration.

Answer: C

QUESTION NO: 126

Which two rules apply when two or more access control items conflict? (Choose two.)

A. An explicit denial (using a Deny selection) by one access control item overrides an explicit
grant by other access control items.

B. An implied denial (using a None selection) by one access control item overrides an explicit
grant by other access control items.

C. An explicit grant by one access control item overrides an implied denial (using a None
selection) by other access control items.

D. An implied grant by one access control item overrides an implied denial (using a None
selection) by other access control items.

E. An explicit grant by one access control item at the organization level overrides an implied
denial (using a None selection) by other access control items.

Answer: A, C

QUESTION NO: 127

An organization would like the End User community to be able to change personal profile
information. To accomplish this change in the self-service application, which two tasks would
the administrator need to perform in IBM Tivoli Identity Manager (Tivoli Identity Manager)?
(Choose two.)

A. No changes are needed to the Access Control Item.

B. Change the Access Control Item and grant the modify permission for person.

C. Change the Access Control Item and grant the modify permission for account.

D. From the Tivoli Identity Manager Self-Service User Interface, enable the Change My
Personal Profile from Set System Security > Manage Views > User Views > Configure Views >
Self Service Console.

E. From the Tivoli Identity Manager Administrative Console, enable the Change My Personal
Profile from Set System Security > Manage Views > User Views > Configure Views > Self
Service Console.

Answer: B, E

QUESTION NO: 128

Which two statements are true for service type account defaults? (Choose two.)

A. Account defaults must be hard-coded values or a person attribute.

B. Service type account defaults must be specified for each created service.

C. Service type account defaults are global and are inherited by a service when the service is
created.

D. Subsequent changes to the account defaults on the service type are not reflected in existing
services.

E. Account defaults for an existing service can be modified by changing the service type account
defaults

Answer: C, D

QUESTION NO: 129

What is separation of duty in IBM Tivoli Identity Manager V5.1?

A. It is a feature to manage invalid combinations of Groups.

B. It is a feature to manage invalid participants in Workflows.

C. It is a feature to manage potential or existing Role conflicts.

D. It is a feature to manage ACI violations in the Administrative Console

Answer: A

QUESTION NO: 130

Click the Exhibit button.


From the code snippet displayed in the exhibit, what will be the result for a new identity if the
base Identity variable is null or empty?

A. An identity will be created based on the person's last name only.

B. An identity will be created based on the person's common name.

C. An identity will be created based on the person's first initial and last name

D. An identity will be created based on the person's last initial and first name

Answer: C

QUESTION NO: 131

Click the Exhibit button. What impact will the value of the enrole.ui.pageLinkMax property have
on the behavior of the Self Service Console?

A. This property determines the number of page links displayed for multipage result sets.

B. This property determines the maximum time period before a timeout occurs when a user
clicks a link on the Self Service Console.

C. This property determines the number of page links displayed for multipage result sets. It
cannot exceed the value specified by the enrole.ui.pageLinkMax property specified in the
ITIM_HOME/data/ui.properties file.

D. This property determines the maximum number of Web page links to tasks that will be
displayed in a section. If more page links exist, the Self Service Console will display a More link
that can be clicked to display the rest of the tasks.

Answer: A

QUESTION NO: 132

Transfer between different business units is supported by which entity type?

A. Person

B. Service

C. Provisioning policy

D. Access control item

Answer: A

QUESTION NO: 133

A company has a policy not to notify users directly when they have a new account and password;
instead, they want the respective department security administrators to inform the employees
when a new account and password is created. Each of the five departments has its own
administrator which has been granted the IBM Tivoli Identity Manager (Tivoli Identity Manager)
Group Dept Admin. Additionally, every department administrator has the is Admin check box
checked on the Tivoli Identity Manager person profile. The company wants only the department
administrator to be notified when a new account is created for any employee in their department.
Which step would not be required in implementing a solution for the above scenario?

A. Disabling the New Account notification base template.

B. Disabling the New Password notification base template.

C. Modifying the add person operational workflow by adding a work order to the department
administrator.

D. Modifying the add account operational workflow by adding a work order to the department
administrator

Answer: C

QUESTION NO: 134

When multiple password policies apply to a service, which option describes how password
policy is applied to the service?

A. All the password policies that target the service are joined and applied.

B. The password policy that most specifically targets the service is applied.

C. The global password policy (that applies to All Service Types) is joined with the password
policy that targets the service most specifically and applied.

D. The password policy that most specifically targets the service is applied. If there is more than
one policy that targets the service at the same specificity, they are joined and applied.

Answer: B

QUESTION NO: 135

When adding an e-mail activity to a workflow, which option is a valid system template from
which e-mail content can be created?

A. RFISubmitted

B. ActivityRejected

C. ActivityApproved

D. WorkflowComplete

Answer: A

QUESTION NO: 136

The IBM Tivoli Identity Manager system-wide Escalation Limit is set to 2 days 0 hours 0
minutes. The Reminder Interval is set to 1 day and an entitlement workflow approval activity
(Escalation participant: Branch Manager) set to an escalation period of 3 days, 12 hours, 0
minutes. Assuming that Post office is turned off, no approval for the Access request has taken
place and default Approval activity notification settings apply, which statement is true?

A. The Branch Manager will receive two reminder e-mails before receiving the escalation
e-mail.

B. The Branch Manager will receive an escalation e-mail after 2 days 0 hours 0 minutes as no
approval has taken place.

C. The Branch Manager will receive an escalation e-mail after 3 days 0 hours 0 minutes as no
approval has taken place.

D. The Branch Manager will receive an escalation e-mail after 3 days, 12 hours, 0 minutes as no
approval has taken place

Answer: D

QUESTION NO: 137

What is one drawback when using dynamic roles versus static roles?

A. Dynamic roles add a performance hit.

B. Dynamic roles can only be used for assigning membership to provisioning policies.

C. Membership (assignments) cannot be viewed from the Person Entity Information panel.

D. Membership (assignments) cannot be viewed from the organizational roles information panel

Answer: A

QUESTION NO: 138

Which two workflows have notification templates? (Choose two.)

A. new person

B. new account

C. suspend person

D. change password

E. password expiration

Answer: B, D

QUESTION NO: 139

What is the response from the IBM Tivoli Identity Manager logon page when the LDAP
directory server is not currently running?

A. CTGIM <error code> The directory server refused the connection

B. CTGIM <error code> The specified user ID is not found.

C. CTGIM <error code> A communication error occurred: A remote host refused an attempted
connect operation

D. CTGIM <error code> The specified user ID and password are not valid. CTGIM <error code>
The directory server is not available.

Answer: D

QUESTION NO: 140

A company has a requirement that all account creations be logged into the Remedy tracking
system. As a result, a custom JavaScript extension was developed to send the new account
information to Remedy in near-real-time. The new extension Java class, gbcUtilitiesExtension, in
package com.ibm.itim.scriptextensions was developed by the IBM consulting team and packaged
into gbcUtilities.jar. Which addition to the scriptframework.properties file would be the most
appropriate for integrating the new extension?

A. ITIM.interpreter.Workflow=gbcUtilities

B. ITIM.extension.Workflow.gbcUtils=com.ibm.itim.script.extensions.gbcUtilities

C. ITIM.extension.Workflow.gbcUtils=com.ibm.itim.script.extensions.gbcUtilitiesExtension

D. ITIM.extension.accountAdd.gbcUtils=com.ibm.itim.script.extensions.gbcUtilitiesExtension

Answer: C

QUESTION NO: 141

Click the Exhibit button.


Based on the logical architecture, which two services can be used to import the identity feed file
into IBM Tivoli Identity Manager? (Choose two.)

A. AD

B. CSV

C. DSML

D. IDI Data Feed

E. Hosted Service

Answer: B, C

QUESTION NO: 142

Which default objectclass will IBM Tivoli Identity Manager V5.1 expect during an identity feed?

A. inetOrgPerson

B. hruserOrgPerson

C. distinguishedName

D. userPrincipalName

Answer: A

QUESTION NO: 143

A company uses PeopleSoft to generate a unique employee designator as each new employee is
entered into the HR system. IBM Tivoli Identity Manager has been configured to import the HR
data from PeopleSoft, including the unique identifier (gbcuid). As a policy, the company has
used the gbcuid attribute as the UID of its managed targets. Recently, IBM consultants
implemented the AD service to manage the company's primary AD domain. During the
discovery phase, it was found that an older algorithm for generating AD UIDs had been used
before the company's policy of using the gbcuid attribute. The older algorithm concatenated the
last name with a serial number. Which action could the IBM consultants take to match all of the
AD accounts to their corresponding person entities?

A. In the Add workflow, set the eraliases values to both the gbcuid and the value generated by the
older algorithm; then rerun the data feed from PeopleSoft.

B. Create an adoption rule that includes logic for returning people that correspond to both
eraliases and the older algorithm; then rerun the AD reconciliation.

C. Create an adoption rule that includes logic for returning people that correspond to both
eraliases and the older algorithm; then rerun the data feed from PeopleSoft.

D. Create an adoption rule that includes logic for returning people that correspond to the older
algorithm, and in the Add workflow, set the eraliases values to the gbcuid; then rerun the AD
reconciliation

Answer: B

QUESTION NO: 144

For IBM Tivoli Identity Manager (Tivoli Identity Manager) 5.1 DAML-based adapters, what
item relating to reconciliations can be configured using agentCfg?

A. use of xforms.xml

B. use of LDAP v3 reconciliation filters

C. specification of supporting-data-only reconciliation parameters

D. use of SSL communication with the Tivoli Identity Manager server

Answer: D

QUESTION NO: 145

Which file contains the output for Java extensions that use System.out.println() methods?

A. msg.log

B. trace.log

C. SystemOut.log

D. System Err. Out

Answer: C

QUESTION NO: 146

Which two log files found under the WAS_HOME/profiles/<profile name>/logs/server1
directory are useful in troubleshooting an IBM Tivoli Identity Manager application problem with
a standard installation using WebSphere? (Choose two.)

A. msg.log

B. trace.log

C. SystemErr.log

D. SystemOut.log

E. cfg_itim_mw.log

Answer: C, D

QUESTION NO: 147

While testing communications to a DAML managed resource in the Manage Services screens, a
message is displayed indicating failed communication. What are two possible reasons for this
failure? (Choose two.)

A. Incorrect user IDs or passwords

B. Service locked for reconciliation

C. No ACIs defined for adapter testing

D. Incorrect URL to the managed resource

E. No provisioning policy defined for the service

Answer: A, D

QUESTION NO: 148

Which two statements are true when enabling increased trace logging to help determine a
problem in IBM Tivoli Identity Manager? (Choose two.)

A. Set logger.trace.level=DEBUG_MAX in errorLogging.properties.

B. Set logger.trace.com.ibm=DEBUG_MAX in errorLogging.properties.

C. Set logger.trace.level=DEBUG_MAX in the file enRoleLogging.properties.

D. Turn on the setting logger.trace.logging=true in enRoleLogging.properties.

E. Configure the setting logger.trace.leveNIO for maximum detail in the trace log

Answer: C, D

QUESTION NO: 149

A functioning IBM Tivoli Identity Manager (Tivoli Identity Manager) test environment has been
configured and tested and is ready to move into production. The information in the Tivoli
Identity Manager Directory Server has been migrated to production. Additional configuration
information should be promoted from the Tivoli Identity Manager server file system. Which
additional data would need to be promoted to production?

A. The <ITIM-HOME> directory

B. The enroleDatabase.properties file

C. The customizations defined in the ui.properties file

D. The audit tables in the Tivoli Identity Manager database

Answer: C

QUESTION NO: 150

When migrating IBM Tivoli Identity Manager (Tivoli Identity Manager) from a test to a
production environment, which task is valid?

A. Export all the LDAP user accounts from test to production.


B. Use the Import/Export feature to migrate the Tivoli Identity Manager configuration.

C. Assign the Tivoli Identity Manager test server the same host name as the production server.

D. Copy all the IBM Tivoli Directory Server data files to the Tivoli Identity Manager production
system

Answer: B

QUESTION NO: 151

After testing the SSL connection between the IBM Tivoli Identity Manager V5.1 server and the
directory server, the login fails. Which two options should be checked? (Choose two.)

A. The .der file is corrupted.

B. The truststore file is corrupted.

C. The path to the .der file is valid.

D. The path to the truststore file is valid.

E. The path to the ldapConfig file is valid

Answer: B, D

QUESTION NO: 152

Consider an identity synchronization scenario at a customer where the customer wants to pull in
identities at scheduled times, and push emergency identity deletes to IBM Tivoli Identity
Manager (Tivoli Identity Manager) for offboarding in near real time. Which statement is true in
this scenario?

A. A DSML identity feed service in Tivoli Identity Manager can onboard and offboard identities.

B. Identities deleted in Tivoli Identity Manager during an identity feed are never placed into the
Recycle Bin.

C. Reconciling an identity feed service with the Use Workflow option enabled will allow
provisioning and separation of duty policies to be evaluated during processing.

D. An IDI data feed identity service can be reconciled to pull in identities into Tivoli Identity
Manager, and can be contacted by an external process to push identities to Tivoli Identity
Manager.

Answer: D

QUESTION NO: 153

A manual service has been created to provision voice mail accounts in IBM Tivoli Identity
Manager (Tivoli Identity Manager). Which reconciliation strategy is available to reconcile voice
mail accounts?

A. The voice mail accounts can be reconciled with a CSV file that contains voice mail account
attribute and group information.

B. Reconciliation is a redundant concept for manual services because Tivoli Identity Manager
does not actually communicate with the remote platform.

C. Account data must be reconciled by using an external process or utility that can read voice
mail account data and use the Tivoli Identity Manager API to perform reconciliation.

D. The voice mail account and group data must be sent over as a form submittal using HTTP or
HTTPS to the Tivoli Identity Manager 5.1 Reconcile Manual Service servlet at
http(s)://itimServer:port/itim/reconcileManualServlet.

Answer: A

QUESTION NO: 154

What are two means of testing connectivity to the IBM Tivoli Identity Manager LDAP
directory? (Choose two.)

A. DBConfig

B. runConfig

C. ldapsearch

D. SetupEnrole

E. WebSphere administrative console

Answer: B, C

QUESTION NO: 155

Which statement is true for the use of V4.6 adapters with IBM Tivoli Identity Manager (Tivoli
Identity Manager) V5.1?

A. Tivoli Identity Manager V5.1 only supports V5.X adapters.

B. All V4.X adapters are fully supported by Tivoli Identity Manager V5.1.

C. All V4.6 adapters based on RMI are fully supported by Tivoli Identity Manager V5.1.

D. All non-FTP V4.6 adapters can be used with Tivoli Identity Manager V5.1 (upgrade
scenario); the adapters will not support any new V5.1 adapter features.

Answer: D

QUESTION NO: 156

In IBM Tivoli Identity Manager (Tivoli Identity Manager), which two data can the DBPurge
utility affect? (Choose two.)

A. Orphaned accounts

B. Auditing data in the Tivoli Identity Manager database

C. Identities which have been unused for a period of time

D. The current error backlog in the WebSphere Messaging Queue

E. Transactional / Reconciliation data in the Tivoli Identity Manager database

Answer: B, E

QUESTION NO: 157

IBM Tivoli Identity Manager (Tivoli Identity Manager) reconciliations are resource-intensive
operations that can take a long time for services with a large account population. Which option
will improve reconciliation performance?

A. Enable Tivoli Identity Manager server-side sorting.

B. Decrease the default maximum duration as specified in the reconciliation schedule.

C. Decrease the SearchALUnusedTimeout configuration parameter in the RMI Dispatcher.

D. Limit the number of attributes returned by the adapter and processed by Tivoli Identity
Manager

Answer: D

QUESTION NO: 158

Which option correctly describes a task to be done before the installation of a fix pack on the
IBM Tivoli Identity Manager V5.1 server?

A. Back up the WebSphere properties files.

B. Back up all IBM Tivoli Directory Integrator configuration files.

C. Make sure all running processes have completed successfully.


D. Back up all configuration files, including properties files located in the ITIM_HOME/data
directory

Answer: D
