
What IdM hides: functional comparison of IdM solutions

Anyone who has already tried to choose a suitable IdM solution knows that it is not as simple a matter as it seems at first glance. Seen from a distance, all IdM systems have roughly the same set of functions: the same "role model", "integration modules" and "request approval". A closer look, however, reveals a large number of details that, if not taken into account, can seriously ruin the lives of future users. For example, not all IdM solutions are able to group (glue together) requests by approver. This leads to situations where, say, 10 roles are requested for 10 employees, all of the roles have a single owner, and instead of one request that owner receives 100 - one for each requested role for each employee. The work that the introduction of IdM was supposed to simplify turns into a living hell.
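The grouping problem described above, as an added illustration that is not code from the article or from any of the compared products: a request for 10 employees x 10 roles is expanded into individual items, and approval tasks are generated either one per item (what an IdM without grouping does) or one per approver. The data model, the names `emp-NN`, `role-NN` and `owner-A`, and the `decide` function for approving only part of a grouped task are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestItem:
    """One (employee, role) pair inside an access request."""
    employee: str
    role: str


@dataclass
class ApprovalTask:
    """A unit of work that lands in a single approver's inbox."""
    approver: str
    items: list


def build_request(employees, roles):
    """Expand 'these employees need these roles' into individual items."""
    return [RequestItem(e, r) for e in employees for r in roles]


def tasks_without_grouping(items, role_owners):
    """One task per item: what an IdM that cannot glue requests together produces."""
    return [ApprovalTask(role_owners[item.role], [item]) for item in items]


def tasks_grouped_by_approver(items, role_owners):
    """One task per approver, bundling every item that approver is responsible for."""
    by_approver = defaultdict(list)
    for item in items:
        by_approver[role_owners[item.role]].append(item)
    return [ApprovalTask(approver, its) for approver, its in by_approver.items()]


def decide(task, rejected):
    """Partial approval of a grouped task (hypothetical API).

    `rejected` is a set of (employee, role) pairs the approver declines;
    everything else in the task is approved. Returns (approved, denied).
    """
    approved = [i for i in task.items if (i.employee, i.role) not in rejected]
    denied = [i for i in task.items if (i.employee, i.role) in rejected]
    return approved, denied


def inbox_sizes(employees, roles, role_owners):
    """Number of approval tasks produced with and without grouping."""
    items = build_request(employees, roles)
    return (len(tasks_without_grouping(items, role_owners)),
            len(tasks_grouped_by_approver(items, role_owners)))


# Constructed scenario using the article's figures: 10 employees, 10 roles,
# and a single owner for all roles.
EMPLOYEES = [f"emp-{n:02d}" for n in range(1, 11)]
ROLES = [f"role-{n:02d}" for n in range(1, 11)]
ROLE_OWNERS = {role: "owner-A" for role in ROLES}


if __name__ == "__main__":
    ungrouped, grouped = inbox_sizes(EMPLOYEES, ROLES, ROLE_OWNERS)
    print(f"tasks without grouping: {ungrouped}, grouped by approver: {grouped}")
```

The grouped variant generalizes to roles with different owners: each owner still receives exactly one task per request, containing only the items they are responsible for, and `decide` lets them reject individual (employee, role) pairs without blocking the rest of the bundle.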



Experience shows that to understand the details of how IdM systems function, you need to implement at least one of them. Rarely will a vendor admit that their product cannot do something, and studying all the nuances independently requires an enormous amount of time and effort. Pilot projects do not always help either, since they allow many simplifications that make it difficult to evaluate how the system performs in real conditions. Therefore, to make life easier for those faced with choosing an IdM system, we have prepared a functional comparison of a number of IdM solutions.



We did not set ourselves the goal of covering all the vendors on the Russian market, and considered only the most significant ones. Namely: Oracle, IBM and Microsoft - solutions that have existed in our market for more than 7 years, have their own audience, and account for the bulk of all implementations. And, to show where IdM technologies are heading, SailPoint - a new solution in our market that has received the highest marks from Western analysts.


The comparison criteria are taken from real projects. We collected data on 20 IdM implementation projects in Russian companies and identified all the main functional requirements encountered in these projects. The companies in the sample range from 1,500 to 70,000 employees and include both local Moscow companies and companies geographically distributed throughout Russia.



I would like to emphasize that when choosing an IdM solution, functionality should not be the only consideration. There are many other criteria that will be more or less important for a particular company: for example, implementation experience, local support, the ability to build multiple solutions on a single vendor platform, and vendor credibility.



Nevertheless, I hope that the functional comparison of IdM solutions below will allow people to approach the choice of platform more consciously, form adequate expectations and, ultimately, obtain from the chosen solution exactly what is needed.



For convenience, the comparison table is split into several collapsible sections. In the tables, "Yes" means the function is available with the product's standard means, "No" means it is not, and the remaining cells describe partial or separately-licensed support.



Rights Management Functions

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Manual entry of employee data in IdM | Yes | Yes | Yes | Yes |
| Role-based access control | Yes | Yes | No | Yes |
| Role hierarchy support | Yes | Yes | No | Yes |
| Role management processes (create, approve, modify, delete) | Partially (approval in a separate product) | Yes | No | Yes |
| SoD conflict control | Yes | Yes | No | Yes |
| Certification (review of access rights) | Yes | Yes | No | Yes |
| Monitoring changes made in target systems bypassing IdM | Yes (through reports) | Yes | No | Yes |
| Monitoring user activity on target systems | No | No | No | Yes |
| User access risk control | Yes | No | No | Yes |
| Multiple accounts for one employee in one system | Yes | Yes | Yes | Yes |
| Service account management | Yes | Yes | No | Yes |
| Differentiation of access to IdM functions (functional roles) | Yes | Yes | Yes | Yes |
| Differentiation of the scope of rights / roles (who can request what) | Yes | Yes | No | Yes |
| Restricting the visibility of interface forms and their fields | Yes | Yes | No | Yes |
| Dynamic calculation of field values in interface forms | Yes | No | No | Yes |
| Password reset using security questions | Yes | Yes | Yes | Yes |
| Password reset from the Windows logon screen | No (in a separate product) | No | Yes | Yes |






Access Request Management Functions

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Creating requests for additional rights | Yes | Yes | No | Yes |
| Requesting rights for a limited time | No | No | No | Yes |
| Requesting rights "like another employee" | No | No | No | Yes |
| Requesting rights via a pre-configured request template | Yes | No | No | No |
| Requesting multiple roles for multiple employees in one request | Yes | No | No | Yes |
| Approval of requests | Yes | Yes | Yes | Yes |
| Approving only some of the roles requested in a request | No | No | No | Yes |
| Mass approval of requests | Yes | No | No | No |
| Splitting a request into parts for separate approval and reassembling them into a single request | No | No | No | Yes |
| Digital signature of requests | No | No | No | Yes |
| Delegation of approval authority for the vacation period | Yes | Yes | No | Yes |
| Email notifications | Yes | Yes | Yes | Yes |
| Manual fulfilment of requests | Yes | Yes | No | Yes |






Reporting Functions

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Building reports | Yes | Yes | No | Yes |
| Reporting on the state of rights as of a past date | Yes | No | No | Yes |
| Histograms and graphs in reports | Yes | Yes | No | Yes |






Configuration Tools

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Report designer | Yes | Yes | No | Yes |
| Customizing the employee record form | Yes | Yes | Yes | Yes |
| Customizing the request form | Yes | No | No | No |
| Adding your own entities and forms | Yes | Yes | No | Yes |
| Individual interface layout | Yes | No | No | Yes |
| Role mining tools | No (in a separate product) | Yes | No | Yes |






The comparison presents the IdM functions most in demand among customers and assesses whether each can be implemented with the standard means of each product. The absence of a function does not mean it cannot be added through customization. Almost any IdM system can be modified to implement the required functionality, but one must understand that in this case the ability to install product updates without losing the custom-developed functionality is almost always lost.

Source: https://habr.com/ru/post/222619/


