Feb 05, 2018
I have had the privilege to work both systems during my career. Below is my detailed response.
There are a number of differences in both products in terms of functionality and approach towards the Identity Governance and administration. Before i go into the details i would like to point out that SailPoint is a leading company that does business in identity Governance and nothing else. They are continued market leaders as per Gartner IGA MQ , Forrester IMG Wave and Kuppinger Cole.
The approach of SailPoint is different from all of the IGA systems out there in the market. The focus is to first analyze then get clean and stay clean and then move towards the user life cycle management. And this is a key factor for the success of SailPoint. On the other hand Approach of Oracle and every other vendor out there is very old school and conventional, which is focusing on automated provisioning. in this day and age this approach is not fruit full for the customers.
Lets talk about the Interface. In IdentityIQ there is only one interface to completely manage your Identity Governance (By which i mean Compliance and governance, life cycle management and password management) as well as to provide users with self service. In Orace there are separate consoles for Administration, Self service and Application connectivity.
Visibility: OIM has a very nice user's store where you can see all the organization's identities and their associated access. some reports are available out of the box. In SailPoint there is an Identity warehouse that gives you 360 degree view of the identities with information of not just Accounts and entitlements but risk scores, certification history and access request histories. In addition to that there are a number of out of the box reports available. the most interesting functionality in IdentityIQ is Advanced analytics, which allows the business users to build their own reports using the same UI without having the need of any help from technical personal.
Role management: Oracle has conventional Single tiered Role management. SailPoint Has two tiered Role model with the option that allows you to use single tier model as well. With this two tiered approach, you have the flexibility to create the roles that translate your business model and the roles that translate your IT Domain separately and on top of that create relationships between them to allow implementation of a more complex Role model.
Policy Management: In Oracle you have the options available for Access Policy management that allows you to create Policies for automated account provisioning (without the flexibility of retries) and segregation of duties policies. in IdentityIQ however, Provisioning is managed through the Roles but has a separate Policy management functionality that allow you to create a variety of SOD policies on Roles and entitlements. it also allows you to create policies for account activities, value changes and processes.
Dynamic Risk Management: Oracle has a Separate Product for risk management and i have not had any experience with that product. In IdentityIQ there is a comprehensive Dynamic Risk management module that enables the organizations to shift their focus on the users of interest i.e. with high risk scores. Around this risk model you can apply compliance and governance.
Access Certifications: In Oracle Identity Governance you have the option to define certification campaigns for Roles, Entitlements and user Accounts. Each type of certification allows a specific number of certifiers. These certifications can be launched or scheduled. In IdentityIQ you have the flexibility of defining the certification campaigns for Roles, Entitlements, Accounts, application Entitlement Permissions, role composition(Entitlements in a role) and policy violations. You can define the number of certifiers. you can launch the certification right away, you can schedule them or you can configure the automatic launch of certification at specific events in user life cycle for example crossing a threshold risk score.
User life Cycle management: In OIM user life cycle is managed through access policies. These access policies allow you to configure Automated provisioning, de provisioning of Entitlements and accounts in your IT applications. In IdentityIQ the life cycle of a user is managed by event based triggers. For example Joiner Event, Mover Event, Rehire Event and Leaver Event. These Events can be configured based on Attribute changes(Data Change), Create accounts or custom rules. These events then use the Role and Policy model in IdentityIQ to manage accesses of the users through out their life cycle.
Self Service Access Request management: OIM has a nice Access Request management module that uses shopping cart functionality to allow users to request accesses for themselves or others. These requests then initiate approval workflows based on approval policy assigned to the requested item. In IdentityIQ Access requests are managed through the Life Cycle manager Events. these events are treated as user initiated change events. Users can request Entitlements and accounts for themselves or others. The request-able Items are restricted by SOD policies with an option to submit requests as an exception allowing the aprrover visibility of the violations and risks associated with the request. Approval workflows are flexible to customization.
Connectivity: OIM has a limited number of connectors available out of the box and you have to buy additional license for some of those. in IdentityIQ there is a range of OOTB connectors available and you dont have to pay anything extra for any of them.
Customization: Oracle has never welcomed any customizations to its products unless it is identified as a Bug and the you would have to wait for the next patch or release. SailPoint on the other hand allows customers to customise each and every single of the functionalities to meet the customer's requirements and the customization is as simple as writing java code.
Client base: There are around a 170 clients worldwide who have migrated from OIM to IdentityIQ in the past 5 years.
My recommendation as it would have been clear by now from the above text, is to choose IdentityIQ because it always works :)
