
Identity-and-Access-Management-Architect Practice Test

Whether you're a beginner or brushing up on skills, our Identity-and-Access-Management-Architect practice exam is your key to success. Our comprehensive question bank covers all key topics, ensuring you’re fully prepared.


Page 10 out of 51 Pages

Universal Containers wants to build a custom mobile app connecting to Salesforce using OAuth, and would like to restrict the types of resources mobile users can access. What OAuth feature of Salesforce should be used to achieve the goal?


A. Access Tokens


B. Mobile pins


C. Refresh Tokens


D. Scopes





D.
  Scopes

Explanation: The OAuth feature of Salesforce that should be used to restrict the types of resources mobile users can access is scopes. Scopes are parameters that specify the level of access that the mobile app requests from Salesforce when it obtains an OAuth token. Scopes can be used to limit the access to certain resources or actions, such as API calls, full access, web access, or refresh token. By configuring scopes in the connected app settings, Universal Containers can control what the mobile app can do with the OAuth token and protect against unauthorized or excessive access.

In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?


A. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.


B. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA


C. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.


D. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.





D.
  Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.

Explanation: D is correct because using a self-signed certificate leads to higher maintenance for the trusting party, which is the client or browser that connects to the server. The trusting party needs to add the self-signed certificate to their truststore, which is a repository of trusted certificates, in order to establish a secure connection with the server. Otherwise, the trusting party will see a warning message or an error when accessing the server.
A is incorrect because using a self-signed certificate leads to higher maintenance for the trusted party, not lower. The trusted party needs to maintain multiple self-signed certificates from different servers in their truststore.
B is incorrect because using a self-signed certificate does not make the trusted party act as the trusted CA (Certificate Authority). The trusted CA is the entity that issues and validates certificates for servers. The trusted party only needs to trust the CA’s root certificate, which is usually pre-installed in their truststore.
C is incorrect because using a self-signed certificate leads to higher maintenance for the trusting party, not lower. The trusting party still needs to maintain a trusted CA cert in their truststore, which is the self-signed certificate itself.

IT security at Universal Containers (UC) is concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?


A. Use the Salesforce Authenticator mobile app with two-step verification


B. Lock sessions to the IP address from which they originated.


C. Increase Password complexity requirements in Salesforce.


D. Implement Single Sign-on using a corporate Identity store.





A.
  Use the Salesforce Authenticator mobile app with two-step verification

Explanation: The Salesforce Authenticator mobile app adds an extra layer of security for online accounts with two-factor authentication. It allows users to respond to push notifications or use location services to verify their logins and other account activity. This can help prevent phishing scams and unauthorized access. References: Salesforce Authenticator, Salesforce Authenticator: Mobile App Security Features, Salesforce Authenticator

Universal Containers (UC) has a mobile application that it wants to deploy to all of its Salesforce users, including customer Community users. UC would like to minimize the administration overhead. Which two items should an architect recommend? Choose 2 answers.


A. Enable the "Refresh Tokens is valid until revoked" setting in the Connected App.


B. Enable the "Enforce IP restrictions" setting in the Connected App.


C. Enable the "All users may self-authorize" setting in the Connected App.


D. Enable the "High Assurance session required" setting in the Connected App.





A.
  Enable the "Refresh Tokens is valid until revoked" setting in the Connected App.

C.
  Enable the "All users may self-authorize" setting in the Connected App.

A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: "Failed: Not approved for access." What is the most likely cause of this issue?


A. The Connected App settings "All users may self-authorize" is enabled.


B. The Salesforce Administrators have revoked the OAuth authorization.


C. The Users do not have the correct permission set assigned to them.


D. The use of High Assurance sessions is required for the Connected App.





C.
  The Users do not have the correct permission set assigned to them.

QUESTION NO: 13
Universal Containers (UC) has decided to implement a federated single sign-on solution using a third-party IdP. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlying mechanisms that the UC Architect must ensure are part of the product?
A. SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.
B. Just-in-Time (JIT) for Provisioning; SOAP API for Deprovisioning.
C. Provisioning API for both Provisioning and Deprovisioning.
D. Just-in-Time (JIT) for both Provisioning and Deprovisioning.

Answer: D

Explanation: The underlying mechanisms that the UC Architect must ensure are part of the product are Just-in-Time (JIT) provisioning and deprovisioning. JIT provisioning is a process that creates or updates user accounts in Salesforce when users log in with SAML single sign-on (SSO). JIT deprovisioning is a process that disables or deletes user accounts in Salesforce when users are removed from the identity provider (IdP). Both of these processes enable automated provisioning and deprovisioning of users without requiring manual intervention or synchronization. The other options are not valid mechanisms for provisioning and deprovisioning. SOAP API is an application programming interface that allows developers to create, retrieve, update, or delete records in Salesforce. However, SOAP API does not support JIT provisioning or deprovisioning, and requires custom code to implement. Provisioning API is not a standard term for Salesforce, and there is no such API that supports both provisioning and deprovisioning. References: Just-in-Time Provisioning for SAML, [Just-in-Time Deprovisioning], [SOAP API Developer Guide]

Just-in-Time (JIT) provisioning and deprovisioning can be used to create, update, or deactivate users in Salesforce based on the information in the SAML assertion sent by the IdP. This way, the user lifecycle can be managed automatically without the need for a separate provisioning API.

