What IdM Hides: A Functional Comparison of IdM Solutions

    Anyone who has tried to choose an IdM solution knows that it is not as simple as it seems at first glance. On the surface, all IdM systems offer roughly the same set of functions: the same “role model”, “integration modules”, and “request approval”. A closer look, however, reveals a large number of details that, if overlooked, can seriously complicate life for future users. For example, not all IdM solutions can group (merge) requests by approver. This leads to situations where, say, 10 roles that share a single owner are requested for 10 employees, and the owner receives 100 requests instead of one: one for each requested role for each employee. And his work, which would seem to be

    Experience shows that to understand such details of how IdM systems work, you need to have implemented at least one of them. It is a rare vendor who will say that its product cannot do something, and studying all the nuances independently takes a huge amount of time and effort. Pilot projects do not always help either, since they allow many simplifications that make it hard to evaluate how the system will operate in real conditions. Therefore, to simplify life for those facing the choice of an IdM system, we have prepared a functional comparison of a number of IdM solutions.

    We did not set out to cover all the vendors represented on the Russian market, and considered only the most significant ones. Namely: Oracle, IBM and Microsoft, whose solutions have existed in our market for more than 7 years, have their own audience, and account for the bulk of all implementations. And to show where IdM technologies are heading, we included SailPoint, a new solution in our market that has received the highest ratings from Western analysts.

    The comparison criteria are taken from real projects. We collected data on 20 IdM implementation projects in Russian companies and identified all the main functional requirements that came up in these projects. The companies in the sample have from 1,500 to 70,000 employees. The sample includes both local Moscow companies and companies geographically distributed throughout Russia.

    I would like to emphasize that functionality should not be the only consideration when choosing an IdM solution. There are many other criteria that will be more or less important for a particular company: for example, implementation experience, the availability of local support, the ability to build multiple solutions on one supplier's platform, and the credibility of the vendor.

    Nevertheless, I hope that this functional comparison of IdM solutions will help people approach the choice of a platform more deliberately, form adequate expectations and, ultimately, get exactly what they need from the chosen solution.

    For convenience, the comparison table is split into several sections:

    Rights Management Features

    | Functions | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
    |---|---|---|---|---|
    | Manual entry of employee data in IdM | Yes | Yes | Yes | Yes |
    | Role-based access control | Yes | Yes | No | Yes |
    | Role hierarchy support | Yes | Yes | No | Yes |
    | Role management processes (create, reconcile, modify, delete) | Partially (approval in a separate product) | Yes | No | Yes |
    | Controlling SoD conflicts | Yes | Yes | No | Yes |
    | Certification (review of access rights) | Yes | Yes | No | Yes |
    | Monitoring changes to the system bypassing IdM | Yes (via reports) | Yes | No | Yes |
    | Monitoring user activity on target systems | No | No | No | Yes |
    | User access risk control | Yes | No | No | Yes |
    | Support for multiple accounts for an employee in one system | Yes | Yes | Yes | Yes |
    | Service account management | Yes | Yes | No | Yes |
    | Differentiation of access to IdM functions (setting up functional roles) | Yes | Yes | Yes | Yes |
    | Differentiation of scopes of rights / roles (who can request what) | Yes | Yes | No | Yes |
    | Differentiation of visibility of interface forms and their fields | Yes | Yes | No | Yes |
    | Dynamic calculation of field values in interface forms | Yes | No | No | Yes |
    | Password reset via security questions | Yes | Yes | Yes | Yes |
    | Password reset when logging into Windows | No (in a separate product) | No | Yes | Yes |



    Ticket Management Features

    | Functions | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
    |---|---|---|---|---|
    | Creation of requests for additional rights | Yes | Yes | No | Yes |
    | Request for temporary rights | No | No | No | Yes |
    | Request for rights “like another employee's” | No | No | No | Yes |
    | Request for rights using a pre-configured request template | Yes | No | No | No |
    | Request for multiple roles for multiple employees in one request | Yes | No | No | Yes |
    | Approval of requests | Yes | Yes | Yes | Yes |
    | Approval of part of the roles requested in a request | No | No | No | Yes |
    | Bulk approval of requests | Yes | No | No | No |
    | The ability to split a request into components for separate approval and reassemble them into a single request | No | No | No | Yes |
    | Digital signature of requests | No | No | No | Yes |
    | Delegation of approval authority for the vacation period | Yes | Yes | No | Yes |
    | Email notifications | Yes | Yes | Yes | Yes |
    | Assigning manual execution orders | Yes | Yes | No | Yes |



    Report Functions

    | Functions | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
    |---|---|---|---|---|
    | Report building | Yes | Yes | No | Yes |
    | Reporting the status of rights as of a specific date in the past | Yes | No | No | Yes |
    | Using bar charts and graphs in reports | Yes | Yes | No | Yes |



    Configuration Tools

    | Functions | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
    |---|---|---|---|---|
    | Report designer | Yes | Yes | No | Yes |
    | Changing the employee card form | Yes | Yes | Yes | Yes |
    | Changing the request form | Yes | No | No | No |
    | Adding your own entities and forms | Yes | Yes | No | Yes |
    | Individual layout of the interface | Yes | No | No | Yes |
    | Role mining tools | No (in a separate product) | Yes | No | Yes |



    The comparison covers the IdM functions most in demand among customers and assesses whether each can be implemented with the standard tools of each individual product. The absence of a specific function does not mean that it cannot be developed. Almost any IdM system can be modified to implement the necessary functionality, but you must understand that in this case the ability to install product updates without losing the developed functionality is almost always lost.
