Anyone who has tried to choose a suitable IdM solution knows that it is not as simple a matter as it seems at first glance. Viewed broadly, all IdM systems have roughly the same set of functions: the same "role model", "integration connectors" and "request approval". A closer look, however, reveals a large number of details which, if not taken into account, can seriously complicate the lives of future users. For example, not all IdM solutions are able to group (consolidate) requests by the person who must approve them. This leads to situations where, say, 10 roles are requested for 10 employees, all of those roles have a single owner, and that owner, instead of one request to approve, receives 100: one for each requested role for each employee. The owner's work, which the introduction of IdM was supposed to simplify, turns into a living hell.
Experience shows that to understand the details of how IdM systems work, you need to implement at least one of them. Rarely will a vendor admit that its product cannot do something, and independently studying all the nuances takes an enormous amount of time and effort. Pilot projects do not always help here either, since they allow many simplifications that make it hard to evaluate how the system performs in real conditions. Therefore, to make life easier for those faced with the problem of choosing an IdM system, we have prepared a functional comparison of several IdM solutions.
We did not set out to cover all the vendors on the Russian market; we considered only the most significant ones. Namely: Oracle, IBM and Microsoft, solutions that have existed in our market for more than 7 years, have their own audience, and account for the bulk of all implementations. And, to show where IdM technology is heading, SailPoint, a new solution in our market that has received the highest marks from Western analysts.
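The request explosion described above, modelled as an added example (not code from the original post or any of the compared products): one approval task per (employee, role) pair versus one consolidated task per approver, with per-item decisions so that a consolidated task can still be partially approved. The role names, owner name and `RoleRequest` type are constructed for the example.

```python
# Added example: models the approval-request explosion described in the text.
# Each (employee, role) pair needs approval from the role owner. Without
# grouping, the IdM creates one approval task per pair; with grouping, it
# creates one task per approver covering all pairs that approver must decide.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleRequest:
    """One requested assignment: give `role` to `employee` (constructed type)."""
    employee: str
    role: str


def tasks_per_item(requests, role_owners):
    """Naive behaviour: one approval task for every (employee, role) pair."""
    return [(role_owners[r.role], [r]) for r in requests]


def tasks_grouped_by_approver(requests, role_owners):
    """Consolidated behaviour: one approval task per approver, holding every
    item that approver must decide on (order of first appearance is kept)."""
    grouped = defaultdict(list)
    for r in requests:
        grouped[role_owners[r.role]].append(r)
    return list(grouped.items())


def decide(task, rejected=frozenset()):
    """Partial approval of a consolidated task: each item gets its own decision,
    so rejecting one role does not block the remaining items in the task."""
    _approver, items = task
    return {item: ("rejected" if item.role in rejected else "approved")
            for item in items}


# Constructed sample: 10 employees each requesting the same 10 roles, all of
# which have a single owner, exactly the situation described in the text.
ROLE_OWNERS = {f"role-{i}": "owner-a" for i in range(10)}
SAMPLE = [RoleRequest(f"emp-{e}", f"role-{i}") for e in range(10) for i in range(10)]

if __name__ == "__main__":
    print(len(tasks_per_item(SAMPLE, ROLE_OWNERS)))             # 100 tasks
    print(len(tasks_grouped_by_approver(SAMPLE, ROLE_OWNERS)))  # 1 task
```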
The comparison criteria are taken from real projects. We collected data on 20 IdM implementation projects in Russian companies and identified all the main functional requirements encountered in those projects. The companies in the sample range from 1,500 to 70,000 employees and include both local Moscow companies and companies distributed geographically across Russia.
I would like to emphasize that functionality should not be the only criterion when choosing an IdM solution. There are many other criteria that will matter more or less for a particular company: implementation experience, local support, the ability to build several solutions on a single vendor's platform, the vendor's credibility.
Nevertheless, I hope that this functional comparison of IdM solutions will help people approach the choice of platform more consciously, form adequate expectations and, ultimately, get from the chosen solution exactly what they need.
For convenience, the comparison table is split into several collapsible sections:
Rights management functions

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Manual entry of employee data in IdM | Yes | Yes | Yes | Yes |
| Role-based access control | Yes | Yes | No | Yes |
| Role hierarchy support | Yes | Yes | No | Yes |
| Role management processes (create, approve, modify, delete) | Partially (approval in a separate product) | Yes | No | Yes |
| SoD conflict control | Yes | Yes | No | Yes |
| Certification (review of access rights) | Yes | Yes | No | Yes |
| Detecting changes made in target systems bypassing IdM | Yes (through reports) | Yes | No | Yes |
| Monitoring user activity on target systems | No | No | No | Yes |
| User access risk control | Yes | No | No | Yes |
| Multiple accounts per employee in one system | Yes | Yes | Yes | Yes |
| Service account management | Yes | Yes | No | Yes |
| Restricting access to IdM functions (functional roles) | Yes | Yes | Yes | Yes |
| Restricting the scope of rights/roles (who can request what) | Yes | Yes | No | Yes |
| Restricting the visibility of interface forms and their fields | Yes | Yes | No | Yes |
| Dynamic calculation of field values in interface forms | Yes | No | No | Yes |
| Password reset using security questions | Yes | Yes | Yes | Yes |
| Password reset from the Windows logon screen | No (in a separate product) | No | Yes | Yes |
Request management functions

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Creating requests for additional rights | Yes | Yes | No | Yes |
| Time-limited rights requests | No | No | No | Yes |
| Requesting rights "the same as another employee" | No | No | No | Yes |
| Rights request from a pre-configured request template | Yes | No | No | No |
| Requesting multiple roles for multiple employees in one request | Yes | No | No | Yes |
| Request approval | Yes | Yes | Yes | Yes |
| Partial approval (approving only some of the roles in a request) | No | No | No | Yes |
| Bulk approval of requests | Yes | No | No | No |
| Splitting a request into parts for separate approval and reassembling them into a single request | No | No | No | Yes |
| Digital signing of requests | No | No | No | Yes |
| Delegating approval authority for the vacation period | Yes | Yes | No | Yes |
| Email notifications | Yes | Yes | Yes | Yes |
| Manual fulfilment of requests | Yes | Yes | No | Yes |
Reporting functions

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Report generation | Yes | Yes | No | Yes |
| Reporting on the state of rights as of a past date | Yes | No | No | Yes |
| Histograms and graphs in reports | Yes | Yes | No | Yes |
Configuration tools

| Function | Oracle Identity Manager 11R2 | IBM Tivoli Identity Manager 6 | Microsoft Forefront Identity Manager 2010 | SailPoint IdentityIQ 6.2 |
|---|---|---|---|---|
| Report designer | Yes | Yes | No | Yes |
| Customizing the employee card form | Yes | Yes | Yes | Yes |
| Customizing the request form | Yes | No | No | No |
| Adding custom entities and forms | Yes | Yes | No | Yes |
| Custom interface layout | Yes | No | No | Yes |
| Role mining tools | No (in a separate product) | Yes | No | Yes |
The comparison covers the IdM functions most requested by customers and assesses whether each can be implemented with the standard means of each product. The absence of a function does not mean it cannot be added: almost any IdM system can be customized to implement the required functionality, but it must be understood that in this case the ability to install product updates without losing the custom-developed functionality is almost always lost.