Senior Identity and Access Management Specialist at a tech vendor with 10,001+ employees
Real User
Top 20
Sep 4, 2017
While I can't comment on Forgerock Identity Management, I can still share my two cents on 1IM based on my experience with it for the past few years:
1. Configurations - Mostly wizard based configurations, so it's not to complex in that sense. Configuration options are also plenty. Good out of box connector support for AD, SAP, LDAP etc.
2. Customization - Process orchestration is fairly flexible and allows for creation of custom processes that can invoke various actions. Scripts written within 1IM are in VB.NET.
3. Support - Average support experience so far. In some cases, we get prompt and thorough responses with good follow ups, whereas, sometimes the experience is quite the opposite. Some escalation engineers are very knowledgeable and it can be a really great experience troubleshooting with them.
4. Client implementations - Till now, I have been involved in 3-4 implementations. All of them had varying levels of complexity. While the product allows for a lot of customizations, from personal experience, I would say that it is always a better practice to promote out of box functionalities first even if they require some process changes. Customizations can often get out of hand very quickly and with constant revisions/upgrades happening to the tool, it may be so that customizations don't migrate that well when upgrading. Like the v6 to v7 was a major product upgrade and a lot of v6 customizations did not port over as expected.
Apart from that, I also have a few very specific complaints with the product:
- The DB queue behaves very inconsistently. Recently that caused a lot of grief in one of the implementations we were doing. The DB queue just gets stuck and doesn't process tasks and it has to be "pushed" manually. This happened in the Development environment so it wasn't the end of the world for us, but it was a major inconvenience nevertheless.
- v7 introduced the concept of Extensions on the Web designer (it allowed for re-usability of certain elements within a module/component without the need of copying entire module/component). While I appreciated the idea at first, in practice it did not perform that well. It may just be me, but it was just a convoluted implementation which made the already cumbersome Web designer tool even more confusing.
- Database Transporter issues - Transporting changes across environments can cause problems. Using change labels can sometimes lead to errors and can be a bit frustrating. As a practice, it's better to document changes stored within labels from the very beginning and store all transport files in a shared folder for hassle free migrations. Different kind of changes done (Designer changes, WebDesigner Changes, Sync Editor changes, Schema changes etc) all have different best practices and ways of transporting and it's better to know about that from the beginning.
- Synchronization editor issues - v7 introduced the Sync. editor which is a great tool no doubt, but it doesn't feel robust. I have faced several issues using CSV connectors. Changes made to the schema of the CSV are often not synced up to 1IM even after "Updating Schema" on 1IM end. This can cause the definition of the connector to remain outdated. In some cases, I had to reconfigure the connector from scratch, which in itself is pretty easy to do but it can certainly cause inconvenience.
- Cache issues - Like many tools, 1IM also caches a lot of information and makes use of that for faster processing. While that is okay most of the times, it can be very irritating when the tools keep using cached information even after changes have been made, committed and compiled. Often times, a manual cache deletion becomes necessary, otherwise the changes are never actually "picked" up by 1IM.
Having said that, I still feel the tool is great and is certainly working towards great innovations in the IDM sphere. The GUI is very clean and informative and gives a great visual representation of objects, especially the 360-degree person view which shows person object connected to roles, departments/locations/cost centers, any connector accounts, any compliance violations etc. The tool offers some good reporting capabilities out of the box. A nice IT shop structure with a shopping cart based request/order flow. Robust out of box connectors for AD and SAP that are quite easy to set up. In all of the implementations, there have rarely been any cases where there was a requirement that 1IM couldn't implement.
One Identity Manager and ForgeRock are two prominent products competing in the identity and access management category. Based on feature richness, customization, and flexibility, One Identity Manager appears to have an upper hand. However, ForgeRock stands out in security and seamless third-party integration, making it a preferred choice for organizations prioritizing these aspects.Features: One Identity Manager is renowned for its robust logical schema naming, flexible reporting, and...
While I can't comment on Forgerock Identity Management, I can still share my two cents on 1IM based on my experience with it for the past few years:
1. Configurations - Mostly wizard based configurations, so it's not to complex in that sense. Configuration options are also plenty. Good out of box connector support for AD, SAP, LDAP etc.
2. Customization - Process orchestration is fairly flexible and allows for creation of custom processes that can invoke various actions. Scripts written within 1IM are in VB.NET.
3. Support - Average support experience so far. In some cases, we get prompt and thorough responses with good follow ups, whereas, sometimes the experience is quite the opposite. Some escalation engineers are very knowledgeable and it can be a really great experience troubleshooting with them.
4. Client implementations - Till now, I have been involved in 3-4 implementations. All of them had varying levels of complexity. While the product allows for a lot of customizations, from personal experience, I would say that it is always a better practice to promote out of box functionalities first even if they require some process changes. Customizations can often get out of hand very quickly and with constant revisions/upgrades happening to the tool, it may be so that customizations don't migrate that well when upgrading. Like the v6 to v7 was a major product upgrade and a lot of v6 customizations did not port over as expected.
Apart from that, I also have a few very specific complaints with the product:
- The DB queue behaves very inconsistently. Recently that caused a lot of grief in one of the implementations we were doing. The DB queue just gets stuck and doesn't process tasks and it has to be "pushed" manually. This happened in the Development environment so it wasn't the end of the world for us, but it was a major inconvenience nevertheless.
- v7 introduced the concept of Extensions on the Web designer (it allowed for re-usability of certain elements within a module/component without the need of copying entire module/component). While I appreciated the idea at first, in practice it did not perform that well. It may just be me, but it was just a convoluted implementation which made the already cumbersome Web designer tool even more confusing.
- Database Transporter issues - Transporting changes across environments can cause problems. Using change labels can sometimes lead to errors and can be a bit frustrating. As a practice, it's better to document changes stored within labels from the very beginning and store all transport files in a shared folder for hassle free migrations. Different kind of changes done (Designer changes, WebDesigner Changes, Sync Editor changes, Schema changes etc) all have different best practices and ways of transporting and it's better to know about that from the beginning.
- Synchronization editor issues - v7 introduced the Sync. editor which is a great tool no doubt, but it doesn't feel robust. I have faced several issues using CSV connectors. Changes made to the schema of the CSV are often not synced up to 1IM even after "Updating Schema" on 1IM end. This can cause the definition of the connector to remain outdated. In some cases, I had to reconfigure the connector from scratch, which in itself is pretty easy to do but it can certainly cause inconvenience.
- Cache issues - Like many tools, 1IM also caches a lot of information and makes use of that for faster processing. While that is okay most of the times, it can be very irritating when the tools keep using cached information even after changes have been made, committed and compiled. Often times, a manual cache deletion becomes necessary, otherwise the changes are never actually "picked" up by 1IM.
Having said that, I still feel the tool is great and is certainly working towards great innovations in the IDM sphere. The GUI is very clean and informative and gives a great visual representation of objects, especially the 360-degree person view which shows person object connected to roles, departments/locations/cost centers, any connector accounts, any compliance violations etc. The tool offers some good reporting capabilities out of the box. A nice IT shop structure with a shopping cart based request/order flow. Robust out of box connectors for AD and SAP that are quite easy to set up. In all of the implementations, there have rarely been any cases where there was a requirement that 1IM couldn't implement.