Relative strengths and weaknesses of various Identity Management solutions you have used

Tags: active-directory, edirectory, identity-management, novell

This is somewhat more of a survey question than a specific question. (I assume that is still ok.)

I work as a consultant doing Identity Management projects. We focus mostly on Novell's Identity Manager product, which we find to be quite good.

I am curious to know what IDM products you have used, and what strengths and weaknesses you have seen in them.

I can start off with Novell's product.

Lots of connectors that are truly bidirectional, password sync included, not just pushing passwords. (We have deployed the AD, eDir, Notes, AS400, NIS/NIS+, LDAP, JDBC, HTML screen scraper, TN3270 screen scraper, SAP HR, SAP UM and Remedy drivers, and there are still many more we have not touched yet, like the SAP GRC, Netweaver and RACF/TopSecret/ACF2 drivers.)

Event driven, which can be very powerful.

Good workflow engine.

Scalable. (We have a client with 150 eDir and AD drivers in production, 500K users).

Excellent design tools. (Novell Designer for Identity Manager).

Straightforward design language for manipulating events. (DirXML Script).

There are lots of other products out there:
IBM's Tivoli Identity Manager (TIM).
Sun's Identity Manager
Oracle Identity Manager
Courion
Hitachi's (formerly Mtech out of Calgary) ID-Synch and P-Synch
MS ILM

Which have you used, and what has your experience been like? What strengths and weaknesses have you seen?

Best Answer

I spent some time prototyping Microsoft's Identity Lifecycle Manager a year ago. They've moved things around since then, so this may not accurately reflect the current state of the product. At the same time I did spend time working with Novell IDM.

ILM had some marked differences from IDM.

  • Significantly more connectors out of the box. Unlike Novell IDM, you're not going to pay extra to get things like your Oracle and MS-SQL connectors. If you're at all cost-conscious, this is a biggie. In our environment the cost difference was $100K versus $15K.
  • New-object replication requires custom code. At least as of my review of the product, the "New Object" event requires linking to a compiled DLL that actually handles the object-create process in the remote environment. Presumably compiled in Visual Studio, this contains the functions required to actually set up a new object and related environment in a remote identity domain. On the one hand, this gives you complete control of the setup process, which is something that Novell IDM isn't that great about. On the other hand, you need to be able to write C#/VB programs in Visual Studio.
  • Not nearly as well-defined transform stages. IDM was very good about creating a visual environment that described the various stages of object transformation between two environments. ILM doesn't have this. IDM is intuitive; ILM requires a good deal of reading. What's more, to get fancy in the intermediary transform stages in ILM requires a compiled DLL, where in IDM it's handled in large part through the DirXML Script that Novell has evolved since 1999.
  • Poor design tools. There is no equivalent to the Identity Manager Designer.

Novell IDM really is the top tier of identity management solutions. It has been on the market the longest and has had a chance to really solidify its feature set and mind-share. Even though it costs w-a-y more than ILM, you really do get what you pay for. In the end, in our environment the cost of ILM versus IDM would have been a wash due to the additional man-hours required to get an ILM-based environment up and running.

In the end we decided that the cheapest way was to continue rolling our own. We already had a home-built system in place, and the cost projections were not that much different than an IDM/ILM implementation project would have been. Inertia won.
