CA Identity Manager (CA IAM) Review

​It reduces a lot of the manual requests for on-boarding a new hire. We'd like to see improvements on the admin-side interface.


Valuable Features

The most valuable feature is probably the role-base access granting, so we actually control everyone's access through roles. There are ad hoc accesses, but for the most part by being on-boarded as an employee or as contractor, you get a different set of baseline accesses. Those are managed through the Identity Management suite. Those will give you things like email, active directory account, access to our remedy ticketing system, and access to CA PPM.

It also allows us to manage different types of users in different scenarios and different structures in active directory. For example, if you're a union warehouse employee, you don't need an email address. Or, if you're a contractor, it doesn't matter where your location is because you'll never be treated as an employee. All those different attributes are managed through Identity Manager.

Improvements to My Organization

Before we had this role-based control, we manually requested the security team to create a profile in the right place and to give individual access for each new hire. Now, Identity Manager reduces the manual requests for on-boarding someone. It helps ensure that when a new hire comes in, they automatically have the same access as everyone else on their team.

Room for Improvement

I saw some of the presentations here at CA world about the new interface for users to go in and request access and have their portal look really good. It's just a matter of us upgrading to that. The new user interface on the user side looks good, apparently it's not quite there yet on the admin side. To see something like that on the admin side would be amazing.

If we were to add a new active directory group for someone to request access to, we have to build account templates and things like that for it. It's a very manual process that needs to be done ahead of time. With the newer version, you can actually go from the requester view. The requester can type in the name of the AD group he wants access to, and it will add that to the system in real time. Then it'll go through whatever approval we've setup saying that if you add a new AD group you would get managed professionally.

Stability Issues

It has been stable. We do have an issue with the task persistence table that's an audit log in the data base. If unchecked it can grow to ridiculous sizes, which will cause the whole system to hang. The database will not be full, it's just that the table is so large that it can't write to old records anymore. It typically updates the status of old tasks. In the previous version that we had, there were issues with the clean-up task for that, which flat-out would not work. Since upgrading to 12.5, that task works. So we run it every week to keep only two, three weeks in that task persistence state-of-base. It's simpler from the actual audit data, so we don't need to keep very much of it, and if we keep too much operating data in there, it does cause issues.

It's a scheduled task, so even within the product we're able to schedule that task. The problem was that in the previous version it didn't actually work, it wouldn't actually feedback data.

Scalability Issues

We're currently running it for over 100,000 users in the system, but not all of them are active. Our active count is probably somewhere around 60,000. We're looking to take on more because we've acquired another company. We're looking to bring in their whole organization. We're going to be starting by bringing on their IT department, but we're looking to bring on their entire organization which will add another 40-50 thousand. We're currently talking with our account manager on licensing and costs for that.

Customer Service and Technical Support

Customer Service:

Technical Support:

CA technical support is usually pretty good. Just like any kind of support, it takes time for them to get back to you and to actually come up with a solution.

I don't do it myself directly as we have a team that supports it and they're the ones who'll engage CA.

Previous Solutions

We had a consultant firm come in and do the install originally in 2009. They did a very bad job. It was a proof-of-concept version of a connector, and they hacked it together to make it work. It did not work probably, along with a lot of other things in the way that they configured and setup the tool. It just was not installed probably and there were all kinds of issues. We knew we had to basically tear this down and rebuild from scratch.

Initial Setup

Actually what we're running right now was the result of a complete rebuild in 2011, for which I was a major part. Prior to that, we were running an older version.

It was complex because we wanted to migrate all of our data. It was a bit of a challenge to get everything moved from the old system to the new one. We did have problems outside of the scope of the software, but it was more of a business process issue. Just a week before we went live, our security manager over on the business side, decided he wanted to do an active directory account clean-up, which took us completely out of sync without data. Just before we went live, it took quite a bit to clean up, but it did make our go-live look bad.

Other Advice

Make sure you integrate with other CA solutions from day one. It can be a challenge to get buy-in from other teams if you want to integrate later on.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
1 Comment
Oracle Identity Manager SME /Access Management RBAC at a financial services firm with 1,001-5,000 employeesReal User

So the Role just automatically gets added according to their job title when the profile gets created?

03 February 16
Guest
Sign Up with Email