Improvements to My Organization:
We previously manually provisioned staff, but now Identity Manager allows us to do auto-provisioning. Auto-provisioning means that when there's any HR activity associated with an employee, it automatically, for example, de-provisions if the employee is fired or moves positions with different access privileges.
We used to have a manual for new hired instructing them to send and email or make a phone call. It used to take 7 days for this process, for example, if we hired a $200/hour consultant. It didn't matter from a security admin perspective because they knew the new hire was coming on board, but it took a lot of manual effort and time.
Now that we have auto-provisioning, we just define the provisioning rules for access privileges and defined, targeted endpoints.
Room for Improvement:
I'd like to see it better integrated with the other CA security products.
We've had no issues with deployment.
We're still executing Identity Manager, so far we haven't had a very bad experience. It looks like it's good, but we still have to learn a lot about how to use the product, but so far from what we've seen, it's a prominent product.
We scaled for fifteen targeted endpoints. We are still at six, so we are still within the scoping half of what we anticipated. So far, so good.
The initial setup was IDM v8, but we could not really upgrade to v12. I don't remember on top of my head what were the technical reasons because the product has changed quite dramatically. It's a completely different architecture and everything, but the migrations we are doing now, from one version of 12 to another is quite straightforward.
Have something in your mind, like a handful of targeted endpoints. Stick with them, implement it, then extend to the others. Don't just change your scope.