Symantec Identity Governance and Administration Reviews

The most valuable feature is probably the role-base access granting, so we actually control everyone's access through roles. There are ad hoc accesses, but for the most part by being on-boarded as an employee or as contractor, you get a different set of baseline accesses. Those are managed through the Identity Management suite. Those will give you things like email, active directory account, access to our remedy ticketing system, and access to CA PPM.

It also allows us to manage different types of users in different scenarios and different structures in active directory. For example, if you're a union warehouse employee, you don't need an email address. Or, if you're a contractor, it doesn't matter where your location is because you'll never be treated as an employee. All those different attributes are managed through Identity Manager.

Before we had this role-based control, we manually requested the security team to create a profile in the right place and to give individual access for each new hire. Now, Identity Manager reduces the manual requests for on-boarding someone. It helps ensure that when a new hire comes in, they automatically have the same access as everyone else on their team.

I saw some of the presentations here at CA world about the new interface for users to go in and request access and have their portal look really good. It's just a matter of us upgrading to that. The new user interface on the user side looks good, apparently it's not quite there yet on the admin side. To see something like that on the admin side would be amazing.

If we were to add a new active directory group for someone to request access to, we have to build account templates and things like that for it. It's a very manual process that needs to be done ahead of time. With the newer version, you can actually go from the requester view. The requester can type in the name of the AD group he wants access to, and it will add that to the system in real time. Then it'll go through whatever approval we've setup saying that if you add a new AD group you would get managed professionally.

It has been stable. We do have an issue with the task persistence table that's an audit log in the data base. If unchecked it can grow to ridiculous sizes, which will cause the whole system to hang. The database will not be full, it's just that the table is so large that it can't write to old records anymore. It typically updates the status of old tasks. In the previous version that we had, there were issues with the clean-up task for that, which flat-out would not work. Since upgrading to 12.5, that task works. So we run it every week to keep only two, three weeks in that task persistence state-of-base. It's simpler from the actual audit data, so we don't need to keep very much of it, and if we keep too much operating data in there, it does cause issues.

It's a scheduled task, so even within the product we're able to schedule that task. The problem was that in the previous version it didn't actually work, it wouldn't actually feedback data.

We're currently running it for over 100,000 users in the system, but not all of them are active. Our active count is probably somewhere around 60,000. We're looking to take on more because we've acquired another company. We're looking to bring in their whole organization. We're going to be starting by bringing on their IT department, but we're looking to bring on their entire organization which will add another 40-50 thousand. We're currently talking with our account manager on licensing and costs for that.

CA technical support is usually pretty good. Just like any kind of support, it takes time for them to get back to you and to actually come up with a solution.

I don't do it myself directly as we have a team that supports it and they're the ones who'll engage CA.

We had a consultant firm come in and do the install originally in 2009. They did a very bad job. It was a proof-of-concept version of a connector, and they hacked it together to make it work. It did not work probably, along with a lot of other things in the way that they configured and setup the tool. It just was not installed probably and there were all kinds of issues. We knew we had to basically tear this down and rebuild from scratch.

Actually what we're running right now was the result of a complete rebuild in 2011, for which I was a major part. Prior to that, we were running an older version.

It was complex because we wanted to migrate all of our data. It was a bit of a challenge to get everything moved from the old system to the new one. We did have problems outside of the scope of the software, but it was more of a business process issue. Just a week before we went live, our security manager over on the business side, decided he wanted to do an active directory account clean-up, which took us completely out of sync without data. Just before we went live, it took quite a bit to clean up, but it did make our go-live look bad.

Make sure you integrate with other CA solutions from day one. It can be a challenge to get buy-in from other teams if you want to integrate later on.

The features that I find most valuable are the creation of access and admin roles. You can also manage many different applications -- more than one hundred -- in only one box. It also adds a level of security that we didn't have previously.

We can identify a role for each application or for a group of applications. It's great in helping us organize and provide access to different apps.

Because it's software on our network, there are sometimes load-balancing issues or latency delays.

We've had no issues with deployment.

It's always stable. We have different boxes installed and have never had a stability issue.

Nobody's complaining about it and we have 100,000 users, even though they're usually not all being authenticated at the same time.

We use technical support for issues and installations and they always help us. The biggest issues took a few weeks.

The upgrades were complex, like from R6 to R12. Sometimes the import/export process was not working properly, but, we just opened a case and they figured it out for us.

Learn well how to use it. Train. Get CA training if you can as that would be the best.

It gives us the ability to automate the IAM process.

• Automating the process for new employees, removing employees, and so on
• Self-service to grant access for applications and software
• Delegate some functions to the help desk
• Type group for some people with the same functions in the company

The provisioning manager could use improvements.

I've used it since 2008.

No issues encountered.

No issues encountered.

No issues encountered.

9/10

9/10

No previous solution was used.

The initial set-up was standard.

We used CA Spain.

It's very high.

Good prices and services.

We did, but I don't know which ones.

You should know well your company's HR processes and rules to control the automation process.

As far as valuable features go, one of the first ones is self-provisioning. The best thing is that our internal employees can provision their own access using the tool rather than contacting an internal group. Its built-in workflow handles all the needed approvals before it will provision the access.

The big benefit is that the end users have an easier process requesting security access. It’s a faster process for them so people get up and running faster and can do their jobs.

We’re in the middle of an upgrade with IM to 12.6. Once that’s done, we will get a better feel for what’s available; they’re deprecating some of the functionality in their provisioning manager product.

It would be nice to have someone at CA that can handle some of the more technical questions we have.

We have some stability issues. We go through waves every few months where it goes up and down lot. The product will look as if it’s available, but a request you submit will get stuck. There will be times where you can’t even log into it and it’s completely unavailable.

Our team hasn’t used their support directly, but our IT support team raises tickets and has a good working relationship with CA support. Sometimes getting a resolution is an ongoing problem. They are always helpful and there’s a good level of interaction, but we’re not necessarily always getting a solution. Sometimes CA points to our environment which could be the case, as opposed to their product.

It was so complex. For us, it was a wholesale process change in our organization, not just the solution implementation, so it was lengthy. A lot of that time was spent internally going from one provisioning model to another. We had a lot of customization requests from CA who helped.

They’re reactive to our needs but don’t really understand our environment. A more in-depth understanding of our environment would help dig deep enough to help us get to where we need to be.

They should have a handle on the role methodology that they’re going to pursue and use in their solution. That can get out of hand and become ridiculously unmanageable. That’s where we kind of jumped in and didn’t have anyone to guide us and provide an alternate perspective. We got into a methodology before understanding that’s the road we should have gone down.

I use the user record (a permanently stored data element), self-service features (access requests, application access, remove/change users), and the rules and entitlements for users.

These features really help our organization because they are the best features available for managing users.

The only issue we have is that sometimes we have an issue related to the Microsoft integration. That impacts Identity Manager's performance, and it's something we need.

I've been using it for four years.

No issues with deployment.

Most of the time, because we do a lot of testing, it seems to be in good shape, and as far as I can see there's no problem at all with stability.

We have issues with scalability, and it has taken time due to the requirement of extra memory and more CPU.

Very well, as I have been working with these people for a while. I have never had any issues with the technical support. They support us 24/7 and are really good.

The initial set up was complex because we had a lot of documentation. We had to look at our system first and see the platform with other products. It takes a while to build and for it to work with our sandbox, but eventually it was fine. Although it did take time initially, after that it was a cake walk.

It was all done in-house, but again the technical support was there when required.

We saw other options in the market, but the technical support of CA made the difference. This is why we chose the product. If the system is down, someone could help us and this was an important factor.

I don't see any issues with CA, and everyone in the business is happy with CA and their support. Everything is good.

• Identity
• Lifecycle
• Provisioning

Compliance improvements.

• Cloud integration
• More flexibility and interoperability - how components interact with each other and external components

I have experienced implementing previous versions of the product six years ago.

No issues encountered.

No issues encountered.

No issues encountered.

9/10

9/10

Quite straightforward.

I’m part of a consulting team that does the implementation.

I’m aware on qualities of Novell (Netiq) Identity Manager and IBM Security (Tivoli) identity manager. It depends completely on business needs – for some cases one product will fit, for another cases another.

At first, a company should have an IAM strategy and clear vision. Then thorough a vendor comparison matrix to determine what product(s) matches what you need. Only then it will you have an understanding of whether to implement CA or not.

• The user interface
• The synchronization with our HR system

I know that CA are always trying to improve and upgrading with improvements.

I've used it for 11 years, and it has improved greatly over time.

After a big update and upgrade, we have no problems with the system.

The system is very stable, it isn’t freezing and it handles everything very well.

They don’t give a resolution immediately. They tend to take time coming up with answers. We are not really satisfied with the customer service. They do solve problems in the end, it just takes time.

No, we didn’t use a previous solution. This is the first solution we ever implemented and we have been very satisfied ever since.

Initially it was a bit complicated as it was really something new in the market and the idea of identity management that works automatically and synchronizes with a HR system was not common. We were a pioneer. It was complicated to start these projects, the planning, architecture, and data mining that we had to do in the first step.

We did it by ourselves, and had to do a lot of thinking by ourselves to get to the step of implementation. It took a bit of time because at that point there was not a lot of knowledge on how to implement such a new solution, so it took time. After we passed this step it moved on. But today when you launch these projects, everyone has a lot of experience from over the years and knows the steps. In 2004 it was really a startup. Now we are specialists.

Yes, we have had a return on investment. All of the time saved on administration and user lifecycles. Now it’s all automatic. When a new employee is coming to the organization a new user is created, when I put it in the HR system a new user will be automatically created. Also when a user is let go, or has retired everything happens automatically. It helps because we have a lot of temporary employees that we bring in. It’s hard to imagine having to do this all manually.

I think the pricing is reasonable.

I find that the propagation of identities is what is most valuable about the solution.

It would be great if they could enable social media identities. That’s the one thing we would like to have.

I've used it for five years.

The installation was OK. We had some problems with operating it, and because we use other products in the suite it made upgrading more complex. We do have a lot of other of their products also.

We’re only using it for employees, so the stability is handled very well.

We're not putting too many users into the system, so it handles this very well.

They have been very proactive.

They have been very proactive.

It was done in-house.

We have a functional need. Therefore it was considered as more of an expense rather than an investment.

We looked at Oracle Identity and Access Management Suite that was the major contender at the time.

I would be clear on what is the price for your customer and their identities. If you are going to manage partners, customers and other entities the numbers can get quite large, so it’s important to understand what you are getting.

We did a number of things in our deployment which made life more difficult on us. All in all it’s a positive relationship. The only concern we have is with the social logins and clouds.