Coming October 25: PeerSpot Awards will be announced! Learn more
it_user799734 - PeerSpot reviewer
Developer at a tech company with 51-200 employees
  • 6
  • 74

Sailpoint IdentityIQ vs Oracle identity Governance

What are the Major differences between Sailpoint IdentityIQ  and Oracle identity Governance? I want to know the differences between these identity management systems.

PeerSpot user
6 Answers
PeerSpot user
Sales Engineer - Identity and Access Management at Sailpoint
Real User
05 February 18

I have had the privilege to work both systems during my career. Below is my detailed response.

There are a number of differences in both products in terms of functionality and approach towards the Identity Governance and administration. Before i go into the details i would like to point out that SailPoint is a leading company that does business in identity Governance and nothing else. They are continued market leaders as per Gartner IGA MQ , Forrester IMG Wave and Kuppinger Cole.

The approach of SailPoint is different from all of the IGA systems out there in the market. The focus is to first analyze then get clean and stay clean and then move towards the user life cycle management. And this is a key factor for the success of SailPoint. On the other hand Approach of Oracle and every other vendor out there is very old school and conventional, which is focusing on automated provisioning. in this day and age this approach is not fruit full for the customers.

Lets talk about the Interface. In IdentityIQ there is only one interface to completely manage your Identity Governance (By which i mean Compliance and governance, life cycle management and password management) as well as to provide users with self service. In Orace there are separate consoles for Administration, Self service and Application connectivity.

Visibility: OIM has a very nice user's store where you can see all the organization's identities and their associated access. some reports are available out of the box. In SailPoint there is an Identity warehouse that gives you 360 degree view of the identities with information of not just Accounts and entitlements but risk scores, certification history and access request histories. In addition to that there are a number of out of the box reports available. the most interesting functionality in IdentityIQ is Advanced analytics, which allows the business users to build their own reports using the same UI without having the need of any help from technical personal.

Role management: Oracle has conventional Single tiered Role management. SailPoint Has two tiered Role model with the option that allows you to use single tier model as well. With this two tiered approach, you have the flexibility to create the roles that translate your business model and the roles that translate your IT Domain separately and on top of that create relationships between them to allow implementation of a more complex Role model.

Policy Management: In Oracle you have the options available for Access Policy management that allows you to create Policies for automated account provisioning (without the flexibility of retries) and segregation of duties policies. in IdentityIQ however, Provisioning is managed through the Roles but has a separate Policy management functionality that allow you to create a variety of SOD policies on Roles and entitlements. it also allows you to create policies for account activities, value changes and processes.

Dynamic Risk Management: Oracle has a Separate Product for risk management and i have not had any experience with that product. In IdentityIQ there is a comprehensive Dynamic Risk management module that enables the organizations to shift their focus on the users of interest i.e. with high risk scores. Around this risk model you can apply compliance and governance.

Access Certifications: In Oracle Identity Governance you have the option to define certification campaigns for Roles, Entitlements and user Accounts. Each type of certification allows a specific number of certifiers. These certifications can be launched or scheduled. In IdentityIQ you have the flexibility of defining the certification campaigns for Roles, Entitlements, Accounts, application Entitlement Permissions, role composition(Entitlements in a role) and policy violations. You can define the number of certifiers. you can launch the certification right away, you can schedule them or you can configure the automatic launch of certification at specific events in user life cycle for example crossing a threshold risk score.

User life Cycle management: In OIM user life cycle is managed through access policies. These access policies allow you to configure Automated provisioning, de provisioning of Entitlements and accounts in your IT applications. In IdentityIQ the life cycle of a user is managed by event based triggers. For example Joiner Event, Mover Event, Rehire Event and Leaver Event. These Events can be configured based on Attribute changes(Data Change), Create accounts or custom rules. These events then use the Role and Policy model in IdentityIQ to manage accesses of the users through out their life cycle.

Self Service Access Request management: OIM has a nice Access Request management module that uses shopping cart functionality to allow users to request accesses for themselves or others. These requests then initiate approval workflows based on approval policy assigned to the requested item. In IdentityIQ Access requests are managed through the Life Cycle manager Events. these events are treated as user initiated change events. Users can request Entitlements and accounts for themselves or others. The request-able Items are restricted by SOD policies with an option to submit requests as an exception allowing the aprrover visibility of the violations and risks associated with the request. Approval workflows are flexible to customization.

Connectivity: OIM has a limited number of connectors available out of the box and you have to buy additional license for some of those. in IdentityIQ there is a range of OOTB connectors available and you dont have to pay anything extra for any of them.

Customization: Oracle has never welcomed any customizations to its products unless it is identified as a Bug and the you would have to wait for the next patch or release. SailPoint on the other hand allows customers to customise each and every single of the functionalities to meet the customer's requirements and the customization is as simple as writing java code.

Client base: There are around a 170 clients worldwide who have migrated from OIM to IdentityIQ in the past 5 years.

My recommendation as it would have been clear by now from the above text, is to choose IdentityIQ because it always works :)

it_user719499 - PeerSpot reviewer
CEO with self employed
05 February 18

Here follow my inputs about your questions concerning SailPoint IQ and Oracle.


1. As representatives of SailPoint told me in 2008, SailPoint IQ was designed in 2005 by reusing the functional and technical requirements of SocGen Corporate Investment Banking (I participated to the initial design in 2004 in Paris… we live in a small world).
2. Oracle Identity Governance was formerly RBAC X purchased by Sun Microsystems then selected as the Identity Analytics components by Oracle.


Both solutions are based on the Role Based Access Control model (RBAC) consisting of telling who occupies some business roles to be granted more or less consistent list of authorizations.

This is a model of the second generation while the NIST envisioned up to 6 generations in 2009! So… it’s a pretty old model.


If one succeeds to implement this model, then it is possible to tell:

1. Who should have access to what by occupying a role that has to be mined with a half automated process that is pretty laboring and expensive,
2. Who has ‘’out role’’ entitlements to be terminated. Reviews of entitlements can be focused on ‘’Out roles’’ and even if they don’t understand the descriptions of authorizations, managers can take a decision.



If one large organization is willing to satisfy the core prerequisite of these 2 solutions, it is necessary:

1. to spend 30 to 60 minutes for each department of an organization to mine User Roles and to associate a list of authorizations that are impossible to understand by any business analyst,
2. then spend about an hour with each manager to validate the roles and associated entitlements (impossible to understand by managers as well),
3. last but not least, implement the roles and lists of entitlements.


Large organizations are totally unable to implement such an approach for following reasons:

1. ..X for example used SailPoint IQ and mined 1.500 roles instead of estimated 15.000 (low estimation),
2. ..X was unable to validate roles because managers could not understand labels of authorizations such as: ZZX00152, ZX215521, zz_top_group_senior,…
3. it would have been:

a. too long to make it for 126.000 employees / 10 team members in average = 12.600 work units located in about 100 countries * 30 minutes in average = 787 man days without vacations, travels, coordination!
b. too expensive:

i. 1 role analyst * 30 minutes in average * 80$ per hour * 12.600 units = 504.000$ for role mining only

ii. 1 role analyst + 1 manager * 220$ per hour * 12.600 units = 2.772 K$ for role validation

iii. Implementation of roles into IAM solution such as Oracle Identity Manager or IBM SIM is a technical thing that costs more…


SailPoint and Oracle have nice features to add translations to entitlements.

The thing is that where you have several ten thousand labels to translate…

* it takes time and lots of $ before to deliver.
* People around a table will take time to come to a shared understanding (if they are very motivated)


* SailPoint proposes to use Risk Based approach and to add Risk Criteria to several ten thousands labels… (sic) to be considered from a Risk Standpoint…
* Oracle proposes to use indicators and requests and to let managers think about a decision to be taken thanks to dashboards and reports. Some kind of Business Intelligence.


1. ...X came to the conclusion that it was not possible to make it with SailPoint IQ alone. A custom algorithm is necessary to enhance SailPoint capabilities.

2. The Gartner Group exposed the issue for the last 3 years. Advanced analytics and Self Learning systems will make it.

3. We, at EasyPatternZ:

a. are the first to make it with Artificial Intelligence.
b. take about 5 seconds per work unit in average to deliver the answer to the question ‘’Who has access to what, why, whatever the circumstances’’ better and faster than any leader.
c. made it 3 times since 2013. The Federal Government of Canada will qualify it between April and July this year with 23.000 employees.
d. Are watched by USCIS.

05 February 18

My experience in IAM is with HPE Aruba ClearPass & Cisco ISE. A couple of other competing products, such as the ForeScout and Auconet products that were evaluated at a high level, but didn’t progress further.

I’m not at all familiar with Sailpoint IdentityIQ and Oracle Identity Governance and couldn’t provide any meaningful insight into either of them.

PeerSpot user
Account Executive at a tech services company with 10,001+ employees
Real User
05 February 18

I am not an SC so my response is very salesy :).

Sailpiont is more of a next gen solution in the IAM space.

If an organization was a huge Oracle shop I would have them consider Oracle – if not I would be heading to Sailpoint.

*Sailpoint is as robust but does not have the legacy issues that Oracle has to deal with which makes it easier to implement/operate

Sailpoint will also be lower in price.

PeerSpot user
IAM governance and Process expert at a energy/utilities company with 1,001-5,000 employees
Real User
05 February 18

Basically the question is 'what will you achive ?'. I agree with the comment above, Oracle is known to have a high TCO due to complexity. The fact is also that Oracle claims to ease the end-user experience but this mean a mandatory extensive preparation in order to provide users with accurate and in context information. Sailpoint IIQ is probably easier to implement and indeed is efficient in respect of RBAC and ABAC or preferably some kind of hybrid modeling. Don't forget IAM needs a very good preparation (analysis, modeling, inventory, classification, process analysis etc.) From my experience, IIQ is able to respond to complex needs and is far cheaper than Oracle and this allows to invest in added value activities (extra licence). Sorry if this is not a factual response in terms of pros & conts between OIG and IIQ but IIQ is more affordable and from my point of view covers all needed capabilities to build a strong IAM solution.

PeerSpot user
Customer Relations at Axiomatics
05 February 18

I think at a high level, both are going to provide the same functions. You'll see the main differences in how one has to implement workflows, UIs, and rules. Where Oracle uses BPML, ADF and OES, respectively, SailPoint is more Java-centric, IMHO. I found OIG's SOD rule definition UI hard to use and some serious limitations in its hierarchal role model. I think SailPoint has surpassed OIG in its extensibility with the framework in its 7.0 release. I would definitely evaluate roadmap if you want to stay on-prem.

Find out what your peers are saying about Oracle Identity Governance vs. SailPoint IdentityIQ and other solutions. Updated: September 2022.
634,590 professionals have used our research since 2012.
Related Questions
Netanya Carmi - PeerSpot reviewer
Content Manager at PeerSpot (formerly IT Central Station)
Dec 01, 2021
Which is better and why?
See 2 answers
17 November 21
We evaluated Sailpoint IdentityIQ before ultimately choosing CyberArk. Sailpoint Identity Platform is a solution to manage risks in cloud enterprise environments. It automates and streamlines the management of user identities, systems, data, and cloud services. It works great for Identity Access Management, specifically for cleaning up inactive and orphaned accounts. It has the joiner-mover-leaver feature. One of the features we like is the large availability of connectors for different applications and platforms. You can also recertify an account, which is very useful. It is well suited for large companies with lots of users and applications. However, for small companies, it might be a bit of an overkill. Sailpoint has a steep learning curve, so it is not for inexperienced users. Moreover, it doesn’t offer a lot of supporting documentation. It also doesn’t integrate well with other solutions. We chose CyberArk despite the cost because it works great for password management. CyberArk helps manage privileged accounts and service accounts, for example, when users need to connect remotely into systems. It is especially useful for IT staff to access their privileged accounts without having to remember the passwords every time - individually and even as a group. What we like the most about CyberArk is the ease of use and effectiveness in managing privileged accounts. For instance, it automatically changes the passwords for privileged accounts and reconciles and verifies passwords. New users can obtain secure credentials with minimal time and effort. The initial cost is high, which can be a bit of a stretch for small organizations. It also has high requirements for the initial setup and is difficult to customize. The performance could be faster. Conclusions While Sailpoint IdentityIQ is a very good privileged account solution, CyberArk is better suited for us because of its ease of use and efficiency in password management.
Identity Management Consultant at IdentityMD
01 December 21
The two products are actually complimentary. Both companies have been very good about staying in their lanes and are their respective market leaders. CyberArk's PAM solution is aimed at protecting privileged accounts by providing features like vaulting, credential rotation, session monitoring and recording. They also have solutions for DevOps and Secrets management. SailPoint is an Identity Governance solution and actually manages CyberArk as an application the same way it manages accounts and privileges in SAP, AD, AAD and over 100 more applications. For CyberArk, it can add/change/delete users as well as create safes and assign users to those safes. At a user account certification time, it will show the CyberArk users and their associated privileges and allow the user's manager or other appropriate people to approve or revoke the privileged access.  SailPoint creates an Identity warehouse so that a user's accounts and entitlements are gathered, managed and reported on in a centralized manner. See Youtube for a quick explanation - SailPoint Identity Governance Integrates with CyberAek Privileged Access Security.  SailPoint does not provide the vault and session management functions that CyberArk does.
Isha K - PeerSpot reviewer
Senior Manager, CIAM & Payments Security at a financial services firm with 10,001+ employees
Nov 04, 2019
I'm a senior manager at a financial services firm with 10,001+ employees. We are evaluating both SailPoint and CA IDM.What is the main difference between the two?Thanks for your help. I appreciate it!
2 out of 4 answers
AVP - Product Marketing at ILANTUS Technologies
01 November 19
When you say "differences" are you looking at a feature-by-feature comparison or at an overall level - the various "-abilities" like implement-ability, integrate-ability, support-ability, afford-ability and so on?
Principal Architect at a government with 10,001+ employees
01 November 19
I checked with a colleague who has more “hands-on” experience, here is his response: If so CA IDM please no. They have done some work but it’s still not good performance-wise. It has been updated from the original netegrity or whatever code (as of a couple of years the scripts still had that in the header comments, as in untouched in years after purchase). I am not saying SailPoint is the cat's meow, as I don’t know. But given my experiences with CA IDM, and its use internally. It’s complex, does a lot but doesn’t perform very well. At one time there was an issue with data integrity due to the replication cycle (2 repositories, user/id, and a replication repository just for that and data are flushed through both in sequence) as in the last change to data was not necessarily applied in sequence. Results were last change was not the attribute state. Surely that has been fixed by now but with CA you never know. And that’s another issue. My experiences with CA support pretty much got the right support engineer, you get real answers. The wrong one, not so much. If I was starting from scratch I might well consider OpenAM. The commercial product I am pretty sure but a great IAM swiss army knife. It’s descended from Sun One which oracle tossed out when they bought sun over their own IAM product.
Related Articles
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Dec 16, 2021
Does access control terminology puzzle you? Many people often mistake PIM, PAM, and IAM – privileged identity management, privileged access management, and identity and access management. Oftentimes, they also believe that privileged access management (PAM) and privileged account management (also PAM) are interchangeable terms – which is not entirely true. To shed some light on this topic, in...
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Dec 11, 2021
                                What is Privileged Account Management (PAM)? Privileged account management can be defined as managing and auditing account and data access by privileged users. A privileged user is someone who has administrative access to critical systems. For instance, anyone who can set up and delete user accounts and roles on your Oracle database is a privileged user. Lik...
Abhirup Sarkar - PeerSpot reviewer
Director, Middle East, East India & SAARC at EverestIMS Technologies
Dec 08, 2021
Zero Trust is a set of techniques to secure end-to-end IT network infrastructure. Given the complexity of today’s networks, Zero Trust security principles continue to evolve and adapt to current demands. As indicated by the history of Zero Trust, an evolving IT security landscape was what had eventually led to this concept. And right from the start, the end goal was to ensure a strong and resi...
Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)
Oct 27, 2020
Members of the IT Central Station community are always happy to take a few minutes to help other users by answering questions posted on our site. In this Q&A round-up, we’re focusing on our users’ answers about SIEM, Identity and Access Management, and the Differences between Hyper-converged Infrastructure vs Converged Infrastructure. Which is the best SIEM tool for a mid-sized enter...
See 1 comment
Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)
27 October 20
@Himanshu Shah ​@Consulta85d2 ​@Aji Joseph ​@Mark Adams ​@Steffen Hornung ​@Dan Reynolds ​
Related Articles
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Dec 16, 2021
Defining PIM, PAM and IAM
Does access control terminology puzzle you? Many people often mistake PIM, PAM, and IAM – privi...
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Dec 11, 2021
What is Privileged Account Management (PAM) and How Does It Work?
                                What is Privileged Account Management (PAM)? Privileged accoun...
Related Categories
Download Free Report
Download our free SailPoint IdentityIQ Report and get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
634,590 professionals have used our research since 2012.