What IdM Hides: A Functional Comparison of IdM Solutions
Anyone who has tried to choose an IdM solution knows that it is not as simple as it seems at first glance. On the surface, all IdM systems offer roughly the same set of functions: the same “role model”, “integration modules”, and “request approval”. A closer look, however, reveals a large number of details that, if overlooked, can make life seriously difficult for future users. For example, not every IdM solution can group (merge) requests by approver. This leads to situations where, say, 10 roles with a single owner are requested for 10 employees, and that owner receives 100 requests instead of one: one for each requested role for each employee. And his work, which would seem to be
Experience shows that to understand such details of how IdM systems work, you need to have implemented at least one of them. Few vendors will admit that their product cannot do something, and studying all the nuances independently takes a huge amount of time and effort. Pilot projects do not always help either, because they allow many simplifications that prevent the system from being evaluated under real conditions. Therefore, to make life easier for those facing the choice of an IdM system, we have prepared a functional comparison of several IdM solutions.
We did not set out to cover every vendor represented on the Russian market and considered only the most significant ones. Namely, Oracle, IBM and Microsoft: solutions that have existed in our market for more than 7 years, have their own audience, and account for the bulk of all implementations. And, to show where IdM technologies are heading, SailPoint: a solution new to our market that has received the highest ratings from Western analysts.
The comparison criteria are taken from real projects. We collected data on 20 IdM implementation projects in Russian companies and identified all the main functional requirements encountered in them. The companies in the sample range in size from 1,500 to 70,000 employees and include both local Moscow companies and companies geographically distributed throughout Russia.
I would like to emphasize that functionality should not be the only consideration when choosing an IdM solution. Many other criteria will matter to a greater or lesser degree for a particular company, for example implementation experience, the availability of local support, the ability to build multiple solutions on one supplier's platform, and the credibility of the vendor.
Nevertheless, I hope that this functional comparison will help people approach the choice of a platform more deliberately, form realistic expectations and, ultimately, get exactly what they need from the chosen solution.
For convenience, the comparison table is split into several spoilers:
Rights Management Features
Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
---|---|---|---|---|
Manual entry of employee data in IdM | Yes | Yes | Yes | Yes |
Role-based access control | Yes | Yes | No | Yes |
Role hierarchy support | Yes | Yes | No | Yes |
Role management processes (create, approve, modify, delete) | Partially (approval in a separate product) | Yes | No | Yes |
SoD conflict control | Yes | Yes | No | Yes |
Certification (review of access rights) | Yes | Yes | No | Yes |
Monitoring changes made to systems bypassing IdM | Yes (via reports) | Yes | No | Yes |
Monitoring user activity on target systems | No | No | No | Yes |
User access risk control | Yes | No | No | Yes |
Support for multiple accounts for an employee in one system | Yes | Yes | Yes | Yes |
Service account management | Yes | Yes | No | Yes |
Differentiation of access to IdM functions (setting up functional roles) | Yes | Yes | Yes | Yes |
Differentiation of scopes of rights / roles (who can request what) | Yes | Yes | No | Yes |
Differentiation of visibility of interface forms and their fields | Yes | Yes | No | Yes |
Dynamic calculation of field values in interface forms | Yes | No | No | Yes |
Password reset via security questions | Yes | Yes | Yes | Yes |
Password reset at Windows logon | No (in a separate product) | No | Yes | Yes |
Request Management Features
Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
---|---|---|---|---|
Creation of requests for additional rights | Yes | Yes | No | Yes |
Request for temporary rights | No | No | No | Yes |
Request for rights “same as another employee” | No | No | No | Yes |
Request for rights using a pre-configured request template | Yes | No | No | No |
Request for multiple roles for multiple employees in one request | Yes | No | No | Yes |
Approval of requests | Yes | Yes | Yes | Yes |
Approval of only some of the roles requested in a request | No | No | No | Yes |
Bulk approval of requests | Yes | No | No | No |
Ability to split a request into components for separate approval and reassemble them into a single request | No | No | No | Yes |
Digital signature of requests | No | No | No | Yes |
Delegation of approval authority for the vacation period | Yes | Yes | No | Yes |
Email notifications | Yes | Yes | Yes | Yes |
Assigning tasks for manual execution | Yes | Yes | No | Yes |
Reporting Features
Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
---|---|---|---|---|
Report building | Yes | Yes | No | Yes |
Reporting the status of rights as of a specific date in the past | Yes | No | No | Yes |
Using bar charts and graphs in reports | Yes | Yes | No | Yes |
Configuration Tools
Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
---|---|---|---|---|
Report designer | Yes | Yes | No | Yes |
Changing the employee card form | Yes | Yes | Yes | Yes |
Changing the request form | Yes | No | No | No |
Adding your own entities and forms | Yes | Yes | No | Yes |
Custom layout of the interface | Yes | No | No | Yes |
Role mining tools | No (in a separate product) | Yes | No | Yes |
The comparison covers the IdM functions most in demand among customers, with an assessment of whether each can be implemented using the standard tools of each product. The absence of a particular function does not mean it cannot be developed. Almost any IdM system can be customized to implement the required functionality, but you must understand that in that case the ability to install product updates (without losing the custom functionality) is almost always lost.