Identity and Access Management (IAM) Forum

Feb 05 2018
What are the major differences between SailPoint IdentityIQ and Oracle Identity Governance? I want to know the differences between these identity management systems.
Dim IT Ri Nokov IT Ch

WHERE DOES IT COME FROM?
1. As representatives of SailPoint told me in 2008, SailPoint IQ was designed in 2005 by reusing the functional and technical requirements of SocGen Corporate Investment Banking.
2. Oracle Identity Governance was formerly RBAC X, purchased by Sun Microsystems and then selected as the Identity Analytics component by Oracle.

WHAT ARE THE FOUNDATIONS OF THAT?
Both solutions are based on the Role Based Access Control model (RBAC), consisting of telling who occupies some business roles to be granted a more or less consistent list of authorizations. This is a model of the second generation, while the NIST envisioned up to 6 generations in 2009! So… it's a pretty old model. ABAC is also used by SailPoint, but this corresponds to the 3rd generation and the issues are the same as with RBAC.

IF ONE ORGANIZATION SUCCEEDS IN MAKING IT WITH RBAC
If one succeeds in implementing this model, then it is possible to tell:
1. Who should have access to what by occupying a role that has to be mined with a half-automated process that is pretty laborious and expensive,
2. Who has "out role" entitlements to be terminated. Reviews of entitlements can be focused on "out roles", and even if they don't understand the descriptions of authorizations, managers can take a decision.

LABOR, TIME AND CASH BECAUSE OF HEAVY PREREQUISITES
If one large organization is willing to satisfy the core prerequisite of these 2 solutions, it is necessary:
1. to spend 30 to 60 minutes for each department of an organization to mine User Roles and to associate a list of authorizations that are impossible for any business analyst to understand,
2. then to spend about an hour with each manager to validate the roles and associated entitlements (impossible for managers to understand as well),
3. last but not least, to implement the roles and lists of entitlements.

REAL USE CASE IN THE USA
Large organizations are totally unable to implement such an approach for the following reasons:
1. ..X, for example, used SailPoint IQ and mined 1.500 roles instead of the estimated 15.000 (low estimation),
2. ..X was unable to validate roles because managers could not understand labels of authorizations such as: ZZX00152, ZX215521, zz_top_group_senior,…
3. it would have been:
   a. too long to make it for 126.000 employees / 10 team members on average = 12.600 work units located in about 100 countries * 30 minutes on average = 787 man days without vacations, travels, coordination!
   b. too expensive:
      i. 1 role analyst * 30 minutes on average * 80$ per hour * 12.600 units = 504.000$ for role mining only
      ii. 1 role analyst + 1 manager * 220$ per hour * 12.600 units = 2.772 K$ for role validation
      iii. Implementation of roles into an IAM solution such as Oracle Identity Manager or IBM SIM is a technical thing that costs more…

IF ONE ORGANIZATION CANNOT MAKE IT BECAUSE MANAGERS DON'T UNDERSTAND WHAT "ZX023455" MEANS
SailPoint and Oracle have nice features to add translations to entitlements. The thing is that when you have several tens of thousands of labels to translate…
• it takes time and lots of $ before delivering.
• People around a table will take time to come to a shared understanding (if they are very motivated).

IF ONE ORGANIZATION CANNOT MAKE IT BECAUSE IT'S IMPOSSIBLE TO TRANSLATE "ZX023455"
• SailPoint proposes to use a Risk Based approach and to add Risk Criteria to several tens of thousands of labels… (sic) to be considered from a Risk Standpoint…
• Oracle proposes to use indicators and requests and to let managers think about a decision to be taken thanks to dashboards and reports. Some kind of Business Intelligence.

WHAT IS THE OPTION?
1. ...X came to the conclusion that it was not possible to make it with SailPoint IQ alone. A custom algorithm is necessary to enhance SailPoint capabilities.
2. The Gartner Group has exposed the issue for the last 3 years. Advanced analytics and Self Learning systems will make it.
3. We propose to make it with Artificial Intelligence because:
   a. it takes about 5 seconds per work unit on average to deliver the answer to the question "Who has access to what, why, whatever the circumstances" better and faster than any leader.
   b. we made it 3 times since 2013. The Federal Government of Canada will qualify it between April and July this year with 23.000 employees
   d. according to be this corresponds to the 6th generation anticipated by the NIST in 2009.
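The role-mining and "out role" review flow described in the answer above, as an added example that is not part of the original post and is not SailPoint or Oracle code. The users, work units and the 60% mining threshold are constructed assumptions; the entitlement labels reuse the ones quoted in the post.

```python
from collections import Counter

# Constructed sample data: user -> (work unit, entitlement labels held).
USERS = {
    "alice": ("treasury", {"ZZX00152", "ZX215521"}),
    "bob":   ("treasury", {"ZZX00152", "ZX215521", "zz_top_group_senior"}),
    "carol": ("treasury", {"ZZX00152", "ZX215521"}),
    "dave":  ("audit",    {"ZX023455"}),
    "erin":  ("audit",    {"ZX023455", "ZZX00152"}),
}

def mine_roles(users, threshold=0.6):
    """Candidate role per work unit: entitlements held by at least
    `threshold` of the unit's members (assumed mining rule)."""
    members = Counter()
    holders = {}
    for unit, ents in users.values():
        members[unit] += 1
        holders.setdefault(unit, Counter()).update(ents)
    return {
        unit: {e for e, n in counts.items() if n / members[unit] >= threshold}
        for unit, counts in holders.items()
    }

def out_of_role(users, roles):
    """Entitlements each user holds beyond the mined role of their unit."""
    result = {}
    for user, (unit, ents) in users.items():
        extra = ents - roles.get(unit, set())
        if extra:
            result[user] = sorted(extra)
    return result

def review_workload(users, roles):
    """Decisions needed for a full review vs. an out-of-role-only review."""
    full = sum(len(ents) for _, ents in users.values())
    focused = sum(len(v) for v in out_of_role(users, roles).values())
    return full, focused

if __name__ == "__main__":
    roles = mine_roles(USERS)
    print("mined roles:", roles)
    print("out-of-role:", out_of_role(USERS, roles))
    print("decisions (full, focused):", review_workload(USERS, roles))
```

The mined roles still have to be validated by someone who understands the labels, which is the step the post says failed in practice.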
Implementation Engineer at ManTech International Corporation
How are Privileged Users and Privileged Accounts differentiated clearly in CyberArk? Thanks.
Manager, Operations at a tech services company with 1,001-5,000 employees
Hello, We are planning to migrate from CA IDM R12.6 SP3 to R14. Does anyone know a reliable way to migrate the task persistence database? The customer wants the historic events as they are in the system, so we have to migrate. Any leads would be really appreciated.
