Symantec Identity Governance and Administration Reviews

The most valuable aspects of Symantec Identity Governance and Administration are all the features, it is the most complete solution on the market. It has features, such as scanners and portals, it has everything.

I have been using Symantec Identity Governance and Administration for approximately 10 years.

We have approximately 2,000 users using Symantec Identity Governance and Administration in my organization. It is scalable.

The support from Symantec Identity Governance and Administration could improve.

The price of Symantec Identity Governance and Administration could improve.

I rate Symantec Identity Governance and Administration an eight out of ten.

We have three primary uses for the solution. We use it to centralize  accounts and directories. We also use it for  new registration of our new employees and for users to self-reset password.

Our customers get ROI by implementing Self User Registration & Self Reset

There are many valuable features within the solution. The product is easy to customize. It’s also highly secure.

The directory has room for improvement. Also, the dashboards and, in particular, the KPI dashboard that shows the current user’s information needs reworking.

It would be ideal if they could consolidate the workflow. Right now, because everything is on a different workflow engine, seamless integration cannot happen. If the solution offers a single workflow engine and a single reporting engine for all security targets, that would be ideal.

I’ve been using the solution for three to four years.

The solution is very stable.

This product is highly customizable and flexible in terms of handling customer requirements.

I’m not happy with technical support at all. It’s very limited.

Positive

Nop

With any identity management product, you’re going to have complexities, so the setup is not simple. It’s a complex infrastructure and implementation and it requires reasonable expertise from those handling the implementation.

Our team of technical consultants implemented to customer site

Secure Automated Mechanism to have centralize directory to manage Users.

Expensive solution & implementation takes time to implement

Yes 

For an organization looking for an identity management suite, it’s the kind of tool you can invest in the long term.

For those considering implementing the solution, I would recommend finding the right partners who have the right implementation experience to assist. There is no doubt this product has capabilities. The important thing is to find someone who understands the business requirements. It’s really important because statistically, 70% of identity management projects fail. Most of the time the product has the capabilities but the consultant doesn’t have the ability to customize the solution.

I’d rate the solution nine out of ten.

We offer solutions to financial and government institutions. Symantec Identity Governance and Administration is a part of our security solutions. We use it to create users and assign them privileges.

Self-registration and self-service password management are valuable features. The role modeling feature is also very useful. It allows you to model your enterprise role.

They provide a framework to develop your own connectors. A connector is a piece of software that integrates with the solutions that are not a part of the support matrix. Currently, it is difficult to create these connectors in this solution. Other solutions, such as NetIQ Identity, provide a better way to create your own connector.

Currently, there is no cloud version. It should have a full cloud version.

I have been using this solution for about seven years.

It is very stable. There are no issues.

It is easy to code into this solution. You just have to run a setup configuration and, in a few minutes, you have two services. In terms of the number of users, we have around 10,000 users.

When I started working with this solution, I had some issues, and they helped me a lot. I don't have any issues with their technical support.

Its latest version is very easy to set up. The deployment takes around one hour, and after that, you have to do some configurations. The duration for that depends on how many systems you have. It can take one or two months.

I would recommend this solution to others. It is a great solution. I like this solution, and that's why I have been using it for seven years. I would advise others to do proper role modeling before implementing this solution. Role modeling is really important for any identity management solution.

I would rate Symantec Identity Governance and Administration a nine out of ten.

The primary use we have for this product is dividing access into streams. We have to provide the client organization with group and directory structures. The technical part, or provisioning, always seems to be more of a problem because the client companies have some semi-manual processes that depend on human interaction. This is often for something like disabling users, creating new users or changing roles.  

Of course, provisioning takes a lot of time because it involves accurately defining and managing privileges. It includes accounting for all the access types from temporary access to agile access and also risk evaluation. All these things are often handled through a business process where a lot of the activity is done manually before a solution for automation — like CA Identity Manager — is in place. The agent for CA can handle criteria and rules and has templates for these activities. In short, it can handle these situations automatically starting from the HR Assistant included in the core suite to do recruitment or provisioning of users, and allowing basic access to things like email.  

Leveraging access depends on which group a user is in and which business rules should be applied. There are often a lot of access attempts on what should be restricted resources. The client has to provide the rules to define which users have access. If there is no rule in place the issue has to first be identified and then to go through a process of approval in an appropriate department. This may lead to a need to change the access process and maybe go back again to think further about the business rules. When all the right rules are in place the processing can be handled automatically by CA IDM.  

After you change something and test the process again, you can find that there are exceptions and we do not have all the rules in place to handle them. Then the identification and approval process needs to be adjusted on the system again. This, of course, is done with manager approval and the rules have to be examined. We need to repeat this process for the entire site. It is a business process improvement that takes time but will eventually save time by eliminating human intervention and errors.  

So the main use case is provisioning and access and implementation for security reasons. For example, if you request the use of an application and it is approved, the identity manager learns this and the user is then able to access this application.  

Out-of-the-box connectors have a lot of opportunities for configuration. The governance port and business rules are difficult. At a certain point, the product discovers dormant accounts because it monitors which accounts are active but which are not being used. So it will perform some service on these dormant accounts that are not active for six months or maybe never used before. This is a good feature. We also have a dynamic workflow, with approval stages which helps validate the ID.  

They have a form designer, which is good because you can create exactly what you want as far as access controls. They have value-added modules like the one they have for asset management. This means that when you are in the role of a manager in CA IDM, you are able to restrict access to certain types of laptops — maybe by mobile provider, maybe by core type. So if a user tries to access the system with an asset of a certain type, we can allow it. It is a value-add, not necessarily related to the user distinctly. But if you take it from the point of view of asset management, it also helps in tracking the assets, which is another interesting outcome.  

As far as improvements, the first thing I think CA needs to do is redesign the user interface. The functionality is good but the interface itself is not that user-friendly.  

I think also that there are some issues with the privileges of service accounts. For working with Oracle, we need some kind of service account with administrative privileges. Access works when we give the user account administrative privilege. But in some cases, particular access needs to work for user roles that have less than administrative privileges and these users and rules need to be stored in the database. I need the ability to directly configure users and rules store on databases.  

Maybe it is more complicated and related to Oracle services — I do not know the database side as well. But we need to read and write on the rules table and the users tables and store that data in the database.  

Otherwise, the product has good performance and it is a very capable solution. I can automate a lot of processes related to provisioning users and identity management, but the controls can be even more flexible with these few changes.  

The deployment cannot be pushed through the management console when you define the credentials for a user that can connect to the endpoint. It would be easier for deployment if the service could look at the endpoint or data center and detect what is needed to push this deployment based on the application version or based on whatever the operating system is. Things like that can make a difference at times.  

If they can customize by the customer, it means that if someone upgraded their environment, the client does not have to go back and request the version of an executable for a new OS. The result is that the correct executable will be deployed by the agent.  

The last time I used CA Identity Manager was in May of 2019. Actually I was not using the product, but I was working with it in implementation. My job sometimes gravitates to implementation in the form of policy implementation and technology implementation. In order to do implementation, I had to have a good knowledge of CA IDM technologies as far as the connectors, the components, and integration ports, et cetera.  

I was dealing with CA IDM for seven months. In the process, we had to go through the basic procurement, the deployment, the provisioning of the users, the integration of the second phase for the government and business rules, as well as other configurations. I have had to think through all of this with the available capabilities of the product and made sure everything would work. The last component that involved analytics was not something I was involved in. I did not work on that part, but I know the analytic features are good.   

My impression of the stability of CA IDM is that the product is very dependable. They have a good HA (High Availability) design and good DR (Disaster Recovery) for data transmission and security in all situations.  

The deployment is very good. After you set up a new component you just go to the console and access the component you need to make adjustments to it at the console. The high availability works on active-active so it does not require a switch automatically to the other component because they act simultaneously. And, of course, we can also work with active-passive mode if you make that choice.  

I am not sure that this type of node management is an advantage to most users or not because in IT management you may not need this type of high availability design depending on the industry. But the capability is there and it can add stability to the infrastructure.  

I did not specifically examine scalability during the implementation because I did not have the chance or the necessity. We were in the process of considering all that we needed and not what would happen if we needed to scale to expand the system. From what I remember, we also had plugins that we could have installed so maybe the availability of plugins is an example that it is scalable in the sense of functionality.  

But I think, with CA, that the scalability is fine and it is exactly what an organization will need as they grow. We are not involved in really scaling the product when we are deploying it.  

For availability, I think you can definitely scale up as much as you want because you deploy the clients and the endpoint or the console. So in this way scalability works from an availability standpoint.  

For scaling the functionality of the product itself, I think it will need some other kind of intervention or maybe new development. It depends on what you need and what they already have in the form of plugins. I know they have an API but we did not need to work with it for our purposes. With the API's you can extend the functionality outside the original identity.  

During the process with a particular client that I have in mind, we argued about the starting point for the verification and whether it should be the HR system or the identity. This is a business decision that has to comply with the rules and business processes as defined by the organization and any regulations that apply. The question has to be answered before a solution can be put in place. With this client, we agreed that the starting point was the HR system, and one of the proposed solutions was that the HR system would call an API to perform the provisioning for identity. That was one possible approach. The second approach to working with identity was to install an agent on the HR system that could be run on a schedule. This solution is what we settled on and we agreed that this would be scheduled to run once a day, which is more than enough for what they needed to accomplish.  

Because we chose the second approach we did not go for working with the APIs. The approach would be to run the process once a day on schedules like when most of the system resources would be in minimal demand — for example at the end of the workday. This would be done to check each employee for those that were added, transferred or changed privileges. And then an automated adjustment would be done for functionality and organization based on the established rules.  

This is the kind of flexibility you have in deciding processes for an enterprise business — even a very complex business with demanding requirements. It shows another type of scalability.  

I did not have a chance to contact support personally, so I can not talk about how my experience with them was from a personal point of view. However, the people on the team right now working on projects who have called support said they were helpful. They have a good understanding of the product and seemed to have a lot of experience. I do not know what kind of resolution the members of our team were looking for from the support people. It might have just been for more information or troubleshooting or some type of issue resolution. But our company has had experience with the CA technical support team and from what I know the experiences were good.  

The initial setup is not that difficult. We deployed the components and deployed the agents. This is just the basic framework.  

Our deployment took seven months because the design phase is very complicated. We need to collect information for the access matrix, we need to validate, and we need to do some kind of cleansing. So, it is a very intensive task. Mainly it is the design which takes most of the time, not the basic deployment. The difficulty is in the business logic, the business rules, and the cleansing of users.  

Working with the system is an ongoing process. When users request a type of access, there are only two paths. One of them is to grant access and the other is to deny access. For the denial, we may have to go through a long approval process which requires some justification for the requested access.  

The implementation team that we use is divided between different roles. It is not a very big team but it represents different functions in the operation. There are the technical people, the people responsible for identity management, those responsible for manual processes, the people responsible for revision to the business logic, the people responsible for validating the access matrix, the risk evaluation people, the IT people, the operations group, the compliance people, and, of course, HR. So we are talking about a sustainable team of maybe 12 people involved in the implementation activity, but up to as many as 20 may be needed for approvals or other consultation. A lot of parts of the company are involved with the implementation process and defining business rules, all for different reasons and functions.  

We are the ones who do the implementations, so we are the ones that others contact to perform this service.  

The advice I would give to others who are looking to implementing this product would be to define exactly what you need before the implementation of the solution. This is a key factor. If you need to change the deployment after it is deployed — such as the policies or structure — it is not a matter of just changing the configuration. It is more like you are starting from the beginning. If you have questions related to what needs to be addressed they need to be answered first. The way we deploy this is as a black box appliance. So it would be defined once. Even the IP cannot be changed. To make this type of change, it would have to be deployed again.  

The biggest lesson I have learned from working with Identity Manager is that despite the product you use, the implementation is a process. You have to understand the process to see what activities do not give you value and also what activities serve to complicate the process. If you take the easier route and work with the standard deployment as much as possible, it will be more secure and faster. You need to see everything as an activity. So despite the impact that the product has on working with identity management, it is a process because the result is not to be blamed on the product at the end.  

On a scale from one to ten where one is the worst and ten is the best, I would rate CA Identity Manager as an eight. To make this product closer to something like a ten they have to pay more attention to integrating with other solutions. Currently, CA is integrating is with CA products only. In some cases, there are categories that CA does not compete in, like Service Manager, so they should pay attention to out-of-the-box integrations with non-competing services.  

They definitely have a problem integrating with solutions that compete and this is really another problem. Really, this type of integration would allow users of their product to have more flexibility. They could choose their own solutions which may better fit their needs. In one instance, we had to end up using different solutions for managing internal personnel accounts and managing normal users. This is not convenient and can be expensive. So I think they have to be more open to broader integration and simplifying those processes.  

Our primary use case of this solution is for managing identities and environment controllers in order to make it more unified and standard. 

I like that it is easy to diagnose. It has a version of a virtual appliance so we can download it, run it, configure it, and it would take about 10 to 15 minutes to configure the cluster or so.

It's easy to deploy, it's two versions, the manual deployment version, if it can be prepared in clusters it'll take one or two days. But the software appliance will take from 15 to 20 minutes.

They should easier and better integration with other software. It's hard to create custom integration rules with other software, like Oracle. This needs to be improved to give the customer an easier way to integrate.

I have been using this solution for the past two to three years. 

It is stable. If I had to rate the stability from one to ten, I would give it an 8.5.

Technical support from CA is not very good. I would give them a seven out of ten for their assistance and their knowledge. They could use improvement. 

I would rate it an eight out of ten.

To make it a ten, it should have more remote capabilities. There should be better partnerships with remoting tools. They need more remote partners and better dashboards.

We use the private cloud deployment model of this solution. 

Word mining and risk campaigns are the most valuable features of this solution.

I would like to have differential campaigns. In the next release, there should be the provisioning of your certifications. When you remove access or grant extra access to someone, it would be good to have direct provisioning to different sources.

It's stable and runs well. 

Technical support is good and efficient. 

The initial setup was easy. Sometimes upgrades are a little bit complex. There are many components where you have to apply a patch to each component of the solution. For the installation, I would say it's a little bit complex. It's a little bit complex to set up but when it's okay, it runs fine.

My advice to someone implementing this solution is to take a few days to plan with professional services for the setup. 

I would rate it between a six and seven out of ten. Not a ten because of the complex setup and because we had some issues applying some patches. 

Ease of use for the configuration of provisioning accounts through an account template concept for an OOTB connector.

It does not requires an extensive programming or development background. The screen of the admin tool creates an account on the system to CA IAM, which provides it to the OOTB connector, then you can simply configure CA IAM to do the provisioning. CA IAM can help with the automation of user provisioning at the same level as the system admin. 

When comparing it to other products, you can set up CA IAM in a PoC very quickly to demonstrate its provisioning capabilities.

It fits for organizations having simple, basic provisioning requirements. If your organization has complex provisioning use cases and requirements, then you must have an architect and developer on the team to help bridge the gap that CA IAM cannot provide.

The product has a lot of need for improvement. Our issues are being raised back to the vendor as enhancements.

We have encountered issues with stability.

We have encountered issues with scalability.

Our experience with the technical support team is good. CA technical support is very keen to help their customers. 

Most issues are solved by the our team, but at least, their team has provided moral support to us.

We did previously use a different solution, and we switched for several reasons.

The initial setup can be both straightforward and complex. This is up to an organization's requirements of the CA Identity Manager solution.

This product is the same as other CA IDM product, which can help improve organizations, similar to the messaging on the product brochure.

In real life, it is up to the skill of the implementation team as to how they can configure the product to serve the business processes of the organization. The reason why some IDM projects have failed comes from implementation. The team must be good at the functional, technical, and designing of business processes. The product could be mediocre, but the implementation team must be top gun. Choose an implementation team wisely, especially when your requirements and processes are complex. A good product under a poor team cannot bring about the result seen on the product brochure.

The connector is free, and bundled with the product.

The product is considered good, in the top five. Looking at the product features carefully if your organization has complex provisioning requirements and business processes to find gaps.

Finally, always search for the best implementation team, who has skills and experience.

The primary uses cases are:
- The analysis of privileges to generate roles
- Revision of segregation of rights based on client rules
- Certification of privileges (compliance)
- Fulfill the cycle of existing privileges, under review / approval and delivery to the IM solution to materialize the changes and maintain the standard

In the processes where we need to analyze data, IG has enabled and facilitated the analysis of privileges, generation of roles to cover RBAC and integrate with the solution of Identity Manager, as well as the compliance aspect by the certification of privileges “Compliance”.

Additionally it helps us in analyzing predefined SoD rules for SAP and any others applications where the client defines their business policy rules.

• Identifies, debugs and models the privileges of your organization, adapting it to business strategies.
• Helps discover roles based on available patterns ("basic roles" / "Iterated Search" / "Characteristic Roles" / "Rule Hierarchies Roles" / "User Hierarchy Based Roles" / "Structured Search" / "Obvious Roles").
• Enables review campaigns to certify user privileges, roles and resources, activating the RACI model in the process.
• Identity Governance comes with Connector Xpress but if you have Identity Manager you can use the integration between them and import the information that comes from CA Identity Manager and its connectors.
• Allows the construction of segregation of rights (SoD) rules by definition of the client and enables “detective" and "corrective" levels for violations of business rules policies.
• Provides a set of SoD rules for SAP in order to apply "best practices" to this type of "endpoint" (more than 3,000 rules / Consult CA Technologies if available in last version).
• Helps to analyze privileges to find points of cleaning and improvement (Similar Roles / Roles Hierarchy / dual link / Suspect connections / Collectors, etc.).
• Regulatory compliance is one of the objectives of the solution.
• Covers the life cycle of enterprise privileges and maintains the role model "shallow" or "deep" / "functional" or "granular per application".
• Helps you take advantage of the Identity Governance on the portal but better if you integrate with Identity Suite (best user experience).
• You can enable LDAP authentication (AD/others) or integrate with CA Single Sign-On for portal access.
• Real integration between CA Identity Manager and CA Identity Governance for better use of compliance approved roles, data exchange, and improved customer experience.
• Data Transformation available using PDI (Pentaho Data Integration)
• New functionality when integrating with Identity Portal.

The administrative part is not very intuitive. Actually I think it is because it requires specialization and knowledge in what is done.

I found an option to import specific information, but the functionality was non-existent so they have to update the documentation or remove it from the menu (import from ITIM). Improve release updates when there is an obsolete function or it is not still supported.

No.

No.

When you open a ticket with priority-one, the technical support is excellent - 10/10. However, when the ticket is priority two, three, or four, then it's 7/10.

I did not use a previous different solution. 

The initial basic configuration is simple, but deploying the solution in greater depth and integration with high implementation reach requires expertise and certain complexities.

About prices when validated with other solutions where the "SAP" endpoint will be included, Identity Governance is a good option. But if you are going to integrate with Identity Manager it is better to acquire IDS, it will be more economical.

No.

Important to find someone with experience implementing this type of solution to ensure the success of its implementation.