Symantec Identity Governance and Administration Reviews

The product is easy to install, setup and configure. For me the ease of installation and configuration was most valuable as my experience with earlier Oracle Identity Manager products was slightly tedious. Things might be different now with Oracle products though. Also, CA provided a long list of standard connectors which did not require too much of customization and it suited well with the customer.

For the customer, the product provided an easy to use GUI for user-account centralization and auto-maintenance of accounts on different end points (target systems). Much of the manual tasks such as sending mails for approval and requests were reduced greatly. The amount of helpdesk calls were greatly reduced due to self-service tasks provided by the product.

With the new age products such as Dell, Forgerock, and Ping, and the change in demands of the customer, CA needs to do a lot more. For example, Dell IM provides built-in features with governance in mind, although they also provide a separate product called IM with governance edition.

The GUI in CA is more complicated where a user might have to drill down more into the menu to find the real form. Also, during configuration for a new person it's a tough deal to drill into the menus to find the place to actually setup.

CA came up with SIGMA to be better on GUI and scalability, but it had a lot of issues and poor scalability in both versions. I lost one bid purely based more on the poorer GUI provided by CA, and due to the fact that SIGMA did not provide things which were asked by the customer and did not provide scope of much customization either, so I did not understand the use of the product. I am not aware if SIGMA is officially launched now or not.

I've used it for around three years.

Migrating and comparing objects using the add-on tool Config Xpress has its own challenges, we had some issues when we connected the two development and production environments and tried comparing. We used it the other way, i.e exporting the environment XML files which was indeed time consuming.

Overall, it's quite a stable product.

I would 3.5/5 as it was good, but with some slight delay.

I have used Oracle's product, and am currently also using Dell. My previous customer moved from Oracle to CA purely due to cost factor. With a simple requirement, I would still use CA, but with newer customer demands. CA has to come up with new features which other vendors provide and tune up the GUI.

It's a very straightforward process, very easy to use.

I have implemented it both with a vendor team and an in-house one as well. Implementation is straightforward, you just need to read the manuals provided by CA which says it all from installation and configuration to tuning.

I haven't actually dealt with the licensing costs etc. but i know it's cheaper than Oracle, but more expensive than Dell/Microsoft/Forgerock.

As with all products, this has its pros and cons please do a study of other products based on your requirements before deciding on a product.

• Self-service
• Role-based provisioning
• Access

It's saved on administration time, and reduced the wait time for access. It's also improved our compliance.

• Installation and upgrading is complex
• User Interface

I've used it for six years.

We did have some issues, but we were able to resolve them.

Yes, as Jboss cannot handle too much load.

Yes, when feeding many users.

It's good.

It's very good.

No previous solution was used.

It was complex because many servers are needed to follow best practice. Many manual steps are time consuming. If you add the Governance component for full IAG, it will be even more complex, because it is not properly integrated with IdM but more a separate product.

We used a vendor team who had a high level of experience.

We also looked at options from IBM and Oracle.

You should use a vendor team for the design and initial implementation.

The range of provisionning possibilities, such as native connectors and tools which facilitate the development of new ones.

• The automatic creation and removal of the accounts
• Passwords change process organized and controlled by the user
• Least priviledge rules applied
• Profiles easy to configure, so less people are needed to administrate the solution
• All processes around user accounts are simplified
• Assets and business modeling improved

CA technologies must improve IHM for a better user-friendly approach.

I've been using the solution for eight years.

Version changes are long and tiresome.

There are issues with the web services.

7/10.

5/10.

No solution was previously in place.

Setup is still complex when you plug a solution in a huge environment. A number of days were necessary to adjust everything.

We used a vendor team who were 8/10.

We only need two people to administrate, maintain and support the solution.

The same price as the other editors with a cost by users, but with additional solutions there is often room for negociation.

• Sailpoint Identity IQ
• Ping Identity
• IBM Tivoli Identity Manager

Stay with the native functions, and don't make too many custom developments.

Our customers find it easy to use.

It provides a user-friendly front-end to manage LDAP-based users.

The interface is modern, but could have been made even easier to use for the customers.

I managed it for approximately three years.

No issues encountered.

No issues encountered.

It's a little bit difficult to support.

It's reasonable. The support is not the quickest to respond and does not have a mature process in terms of what logs must be gathered, and what to gather before raising a case.

CA provided assistance with augmentation of the existing solution, they provided quite a good level of support during the project.

• User-friendly UI
• In built connectors for various endpoints

It's provided a centralized platform to manage the lifecycle of all identities across different endpoint systems such as Active Directory, Salesforce, etc.

It should be better when doing custom connections.

I've used it for one year and two months.

There were very few issues.

At times we had issues with CA Identity Manager tasks getting hung in an "In Progress" state. We had to restart the instances, but that happens very seldom.

No issues encountered.

8/10.

7/10.

No previous solution was in place.

It was complex due to the vast number of identities in the organization.

It was implemented in-house.

It's more than satisfactory.

The ability to customise the screen, and create a technical solution suited to the business requirements including delegation, password management and role based access.

Delegated responsibility across to the customers, instead of the organisation maintaining the user. In addition, this also allows user privacy and security to be maintained.

Multiple areas:

• Bulk Load capability
• Services
• Organisation propagation, etc.

I've used it for the last seven years.

Deployment was stable. Only issue was with the policy express and emails which were very dependent on the exact name instead of a tag.

If the product has been tuned, appropriated, and appropriate memory has been allocated, there are no issues with stability.

No issues encountered.

8/10.

8/10.

No. We moved from a manual user management system to a delegated user management system.

Provided the requirements are set, the initial setup was straightforward. Subsequent functionality within CA IM is not appropriately documented creating issues.

We used a vendor whose level of expertise was 8/10.

Yes, we also considered using Oracle Identity Manager.

Use an agile approach of delivery if the business is not aware of what it wants.

• Group management
• Task delegation
• Access granularity

It allowed local departments to manage the people in their own groups, without any help from the IT department.

Better recovery for the application server with the DB connectivity.

Two years.

Yes, at some point CA support repaired the bug.

Yes, sometimes the connection with the DB is lost, and it isn't fully recovered without restarting the server.

No issues encountered.

7/10.

7/10.

No previous solution used.

I think it depends on your background, but as soon as you understand the terminology it's not so complex.

We did an in-house implementation.

Engineering and operational.

Do a good gathering of your requirements and make sure you are creating the system architecture it in the right way.

The most valuable features of this product are the following:

1. Policy Xpress
   Allows for the ability to build policies triggered off of events in a codeless manner.
2. Separation of Duty (SOD) policies
   Gives the ability to create roles and/or policies with a criteria for removal or addition of a role, policy, or an entitlement based on the user’s title as an example.
3. Connectors
   IDM has a rich set of connectors that covers traditional on premise, SAAS related, or custom resources. IDM provides the ability to create a custom connector through its Connector Xpress module. The module itself allows one to build a connector to any resource that is either LDAP or database driven. Once again this process involves no coding for the task.

I'm an integrator, and as a result I deploy solutions in behalf of an organization. IDM improves the organizations ability to govern the life cycle of an end user. The life cycle starts with the on-boarding of an individual to the organization, whether it’s a contractor, consultant, employee (full or part time), or a partner. The life cycle ends with the departure of the individual from the organization. Everything in between is about managing the user's access, permissions, profile, and evolution from an identity stand point. We (Mycroft) advise and implement the necessary user cases that drives the successful central management of identities for an organization. Plain and simple, IDM provides the automation that allows the IT and respective business department(s) to focus in on other pressing needs while IDM standardizes the identity practice.

The areas of this product which requires improvement are as follows:

1. The User Interface (UI)
   The User Interface has been improving over time and there are products such as IDMLogic Sigma that improves upon the user UI experience.
2. Its delegation model
   While IDM has the capability to delegate, the delegation process is not intuitive or forthcoming to the clients. The delegation model is present but it’s not a straight forward model to design against.

These two areas are the ones that stand out, as I probably developed a tolerance over the years for any other if others do exist.

Eight years.

Yes, but deployment issues are hardly product installations, but rather retro-fitting the installation to the core principals of the organization. Anyone can install the product within a 20 minute window in an ideal scenario. Each organization has environmental complexities and business policies that at times causes issues with the deployment.

No issues with stability.

No issues with scalability. Typically deployments are done with an assumption that an organization will grow by a certain percentage in the foreseeable future. As a result the architecture will adhere to the growth plans accordingly.

Technical support has drastically improved over the years, as a result I would rate them at 7.5 and climbing.

While I implement solutions for organizations, I witness switches for the following reasons:

• Staff are no longer knowledgeable on the solution as a result of staff turnover over time
• Product configuration has not been maintained to support needs of the business over time
• Vendor Support and direction
• Cost model
• The direction of the organization and its relationship with other vendors

In my experience, the posture of the setup has a direct correlation to the use case mapped to the feature set and functionality. There are numerous ways to implement a solution, but the level of complexity stems from the ability to simplify the requirements and work with the business on compromises. All organizations have security and business policies that they mandate by or govern towards. As a result, the initial setup or configuration is a direct by-product of how the use case is socialized into the product. At times, some business processes should not be subjected to IDM at all. unless there are compromises to how the business flow is managed. Understanding this basic idea and product limitations go hand in hand.

The ROI on CA IDM is a result of the following 3 areas:

1. Employee productivity
   Faster onboarding process and provisioning. The ability for end user to perform self-service password resets and utilize an access requests system.
2. IT cost savings
   The ability to focus less on traditional cost areas around password resets, user on-boarding, and essentially the whole user life cycle allows IT to spend on other technical areas wisely. Cost savings to IT is not only how to save but also how to re-purpose the funds to other needed areas.
3. Cost avoidance.
   Potentially recovering from security breaches or violations and the cost to recover from them. Centralized management introduces efficiency that leads to shared resources not redundant work throughout an organization.