it_user558450 - PeerSpot reviewer
Sr Prin IT Technologist at Medtronic
Real User
Automation of the provisioning engine reduced our manual interactions. I'd like more components to support the active-active model of high availability.

What is most valuable?

The automation that it brings to the enterprise is one of the main things that we looked at.

How has it helped my organization?

We had a 20-year-old provisioning system which was built primarily for manual activities. Identity Manager helped us move to a more automated model with fewer manual interactions. This definitely had a lot of added value for us.

What needs improvement?

Keeping up with the market and support for functionality and other core endpoints like Active Directory and Exchange that right now seems to be missing. So it needs a little more work around keeping up with what the industry is going.

What do I think about the stability of the solution?

We definitely had quite a few challenges getting up and running. Since the initial setup, it's been pretty good. We have some small issues, but overall it's not too bad. It was definitely a challenge getting to that state, though.

Buyer's Guide
Symantec Identity Governance and Administration
March 2024
Learn what your peers think about Symantec Identity Governance and Administration. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,857 professionals have used our research since 2012.

What do I think about the scalability of the solution?

It is pretty scalable. We use it in the enterprise as a provisioning engine. We also use it in our external environment on the consumer side. For both these uses, it works pretty well.

One open challenge that I see with the provisioning engine is that there is something lacking in terms of pure high availability. The active-active model is pretty critical for that. Many of the components do support that model. There are subsets that don't. It would be valuable to get that into the product sometime.

How are customer service and support?

There are some really good resources and support. Overall, I've had pretty decent luck with support. Sometimes we do have challenges, but that's getting better.

Which solution did I use previously and why did I switch?

We are a big enterprise, which means that we’ve done things the old way for such a long time. We were long overdue for investing in a proper provisioning system.

In a way, we had been a big CA customer for a long time. It was a natural fit to leverage what we already had, rather than going and trying to find something else.

How was the initial setup?

Some of the connectors are pretty flexible. It felt like there was a lack of understanding on the capabilities of the endpoints. This ended up being a point of contention. There was a lot of back and forth in discussions about how things should or should not work. That dragged out the project for longer than it should have taken.

Which other solutions did I evaluate?

We did have one vendor. I’d rather not say which one. They were pretty competent too. In comparison, we thought that CA Identity Manager would be a better fit for us. The skills that we have and our experience with this solution is what made it a better fit than the competition. The partnership and flexibility that CA offer were also pretty important factors in our decision.

What other advice do I have?

Any solution that you pick will have its fair share of challenges. Understand and document what you really want done. You need to define what you want to accomplish in a provisioning solution scenario before you embark to try to achieve it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ALiBS Solutions at ALiBS Solutions
Real User
User-friendly, easy to manage, and straightforward to set up
Pros and Cons
  • "The scalability potential is there if a company needs to expand."
  • "There are times that it takes too long to generate reports and to run the assessment tools to collect the information."

What is our primary use case?

The governance use case is to collect all the knowledge about the user profiles and rights and permissions they have and consolidate them with a unique view so we can manage them to grant more permissions or to remove some permissions.

What is most valuable?

I don't think there is a feature that I like most. It does what it has to do. It shows me the information I need, and I can manage it with ease.

The solution is user-friendly and easy to use. 

The initial setup is pretty simple.

The stability is good.

The scalability potential is there if a company needs to expand.

What needs improvement?

There is no preferable feature. It works well in general.

The performance could be better. Sometimes there is a problem with performance. There are times that it takes too long to generate reports and to run the assessment tools to collect the information. It could be faster.

For how long have I used the solution?

The solution has been used for more than ten years in our company.

What do I think about the stability of the solution?

The stability of the product is great. There is a little bit of a performance in that sometimes it can take a while to pull reports, however, it doesn't crash or freeze and there are no bugs or glitches. 

What do I think about the scalability of the solution?

The solution scales well. If a company needs to expand, it can do so.

How are customer service and support?

Technical support is good. I find them to be helpful and responsive. In general, we are satisfied with the level of support on offer. 

How was the initial setup?

Overall, the initial setup was pretty simple. I have not done it personally, however, from what I have seen, I believe it's easy.

We only need two people for deployment and maintenance. 

What was our ROI?

I have not personally seen an ROI.

What other advice do I have?

We are a Symantec partner.

Our clients are using the most up-to-date version of the solution. I'm not sure of the exact version number. 

I would advise new users that there are a lot of good providers for all of these tools. I advise people to test them to make sure they have the best one for the organization's needs.

In general, I would rate the solution at a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Efrén Yanez - PeerSpot reviewer
Security Manager & CM Specialist & Mainframe Specialist en eSoft at eSoft 2006
Real User
Top 10 Leaderboard
Identifies, debugs and models the privileges of your organization, adapting it to business strategies.

What is our primary use case?

The primary use cases are:
- The analysis of privileges to generate roles
- Revision of segregation of rights based on client rules
- Certification of privileges (compliance)
- Fulfill the cycle of existing privileges, under review / approval and delivery to the IM solution to materialize the changes and maintain the standard

How has it helped my organization?

In the processes where we need to analyze data, IG has enabled and facilitated the analysis of privileges, generation of roles to cover RBAC and integrate with the solution of Identity Manager, as well as the compliance aspect by the certification of privileges “Compliance”.

Additionally, it helps us in analyzing predefined SoD rules for SAP and any other applications where the client defines their business policy rules.

What is most valuable?

  • Identifies, debugs and models the privileges of your organization, adapting it to business strategies.
  • Helps discover roles based on available patterns ("basic roles" / "Iterated Search" / "Characteristic Roles" / "Rule Hierarchies Roles" / "User Hierarchy Based Roles" / "Structured Search" / "Obvious Roles").
  • Enables review campaigns to certify user privileges, roles and resources, activating the RACI model in the process.
  • Identity Governance comes with Connector Xpress but if you have Identity Manager you can use the integration between them and import the information that comes from CA Identity Manager and its connectors.
  • Allows the construction of segregation of rights (SoD) rules by definition of the client and enables “detective" and "corrective" levels for violations of business rules policies.
  • Provides a set of SoD rules for SAP in order to apply "best practices" to this type of "endpoint" (more than 3,000 rules / Consult CA Technologies if available in last version).
  • Helps to analyze privileges to find points of cleaning and improvement (Similar Roles / Roles Hierarchy / dual link / Suspect connections / Collectors, etc.).
  • Regulatory compliance is one of the objectives of the solution.
  • Covers the life cycle of enterprise privileges and maintains the role model "shallow" or "deep" / "functional" or "granular per application".
  • Helps you take advantage of the Identity Governance on the portal but better if you integrate with Identity Suite (best user experience).
  • You can enable LDAP authentication (AD/others) or integrate with CA Single Sign-On for portal access.
  • Real integration between CA Identity Manager and CA Identity Governance for better use of compliance approved roles, data exchange, and improved customer experience.
  • Data Transformation available using PDI (Pentaho Data Integration)
  • New functionality when integrating with Identity Portal.

What needs improvement?

The administrative part is not very intuitive. Actually I think it is because it requires specialization and knowledge in what is done.

I found an option to import specific information, but the functionality was non-existent so they have to update the documentation or remove it from the menu (import from ITIM). Improve release updates when there is an obsolete function or it is not still supported.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

When you open a ticket with priority-one, the technical support is excellent - 10/10. However, when the ticket is priority two, three, or four, then it's 7/10.

Which solution did I use previously and why did I switch?

I did not use a previous different solution. 

How was the initial setup?

The initial basic configuration is simple, but deploying the solution in greater depth and integration with high implementation reach requires expertise and certain complexities.

What's my experience with pricing, setup cost, and licensing?

About prices when validated with other solutions where the "SAP" endpoint will be included, Identity Governance is a good option. But if you are going to integrate with Identity Manager it is better to acquire IDS, it will be more economical.

Which other solutions did I evaluate?

No.

What other advice do I have?

Important to find someone with experience implementing this type of solution to ensure the success of its implementation.

Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Lead Solution Advisor at a financial services firm with 10,001+ employees
Real User
Features, stability, and support are good, but it needs better integration with HR systems
Pros and Cons
    • "The drawback with the CA Identity Manager is they don't have a connector to HR systems like SAP, or PeopleSoft, or Workday. That's a major drawback with the CA Identity Manager. For that we have to do lots of custom quoting to get data from HR systems. And if they could connect it to GRC systems, that's good to have in an identity product."

    What is our primary use case?

    We are using CA Identity Management product to provide an identity management service for the largest in the retail industry.

    Performance is good, but the other side, the drawback with the CA Identity Manager is they don't have a connector to HR systems like SAP, or PeopleSoft, or Workday. That's a major drawback with the CA Identity Manager. For that we have to do lots of custom quoting to get data from HR systems.

    How has it helped my organization?

    The solution in which we have brought in CA Identity Manager, it is like combining multiple HR sources. It helps reduce thousands of hours of work.

    What is most valuable?

    Policy Xpress.

    What needs improvement?

    It needs to be connected to major HR systems. That is a major thing. And if they can connect it to GRC systems, that's good to have in an identity product.

    For how long have I used the solution?

    Three to five years.

    What do I think about the stability of the solution?

    Stability is very good. We have been using it the last three years. I haven't seen any issues.

    How is customer service and technical support?

    I would evaluate them at five out of five. Every tech support guy who works at CA is good. I don't have any issues.

    How was the initial setup?

    It was straightforward. Even when you're installing dependent software, like a database or something else, I consider it straightforward.

    What other advice do I have?

    When we are choosing a vendor we will go for whether they have the capability to connect to the target system. The basic feature would be connectivity. If the product doesn't have the capability to connect to that system, we will need to do something else to get or push this information to that system. Connectivity is the main thing.

    I'd rate it seven out of 10. Those connectivity issues are the only reasons. Functionality-wise, it's good. The features that they have are good.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
    PeerSpot user
    it_user372633 - PeerSpot reviewer
    Senior IT Manager at Best Western Hotels & Resorts
    Video Review
    Vendor
    I would say the most valuable feature is provisioning where we are able to provide user access to all the resources they need in a uniform way that we can audit.

    What is most valuable?

    I would say the most valuable feature is provisioning where we are able to provide user access to all the resources they need in a uniform way that we can audit. We don't need to spend a month going to every individual server, every individual database granting user access. We can do it from one central place.

    For SiteMinder, is the ability to bring applications under its protection very quickly and ability to partner with other companies through Federation and SAML using open standards to do authentication. We are able to partner with other vendors much more quickly now because before we had to do our home-grown authentication things and they had to adapt to our non-standard way of doing things. Now, we have open standards. We publish a document to them with our SAML configuration, the documents we are going to be sending them and they code to it. We get on board very, very quickly.

    How has it helped my organization?

    For one, you don't have to remember a thousand passwords. You just remember one. You go to a dashboard and then you'll be given access to the environments you need. Two, there is more security because the passwords that it generates are very, very large. They change very often. It's not something that can easily be guessed and your infrastructure is more protected this way.

    What needs improvement?

    Something to help us migrate our code between environments from QA to UA to production in an easier way. That would probably be the big one.

    What do I think about the stability of the solution?

    They seem very, very stable. Ever since we put them in place we didn't have to do much in terms of bug fixes. They just work out of the gate. Part of the reason we had that is because we couldn't have the point from a single server so there is no fail over, even though the two supports that we have not configured this way yet.

    What do I think about the scalability of the solution?

    We didn't have to face any scalability challenges yet because we only use it for our members, which are about 40,000 accounts, which is nothing for two of that size. We haven't had any issues, but we haven't had much load.

    How are customer service and technical support?

    They have been very good to us. We also partnered with Simeio which is a preferred partner for them. They have been working very, very closely with us. They have been very responsive in communication. They have developed patches for us whenever we needed them.

    Which solution did I use previously and why did I switch?

    We did use previous solutions. We used a very old Oracle SSO, Oracle OID, and Oracle IDAS, all of which were unsupported by the time we went to upgrade.

    How was the initial setup?

    It was straightforward on the SiteMinder side. On the Identity Manager side, it was a little more complex because we had to maintain certain legacy items. We have some authorization settings stored in databases that we need to hook Identity Manager to and have it manage those. We had to create some custom code to do that. It wasn't too difficult.

    Which other solutions did I evaluate?

    We are looking at another tool from CA Advanced Authentication for our guest site, which is then millions of users. So far, we are still in QA, but it seems that it will scale just fine.

    What other advice do I have?

    We rely on word of mouth. We try to see if anybody has experience with working with this vendor. We're looking, not just for a vendor or a partner, we're looking for somebody who could be open, who can truly collaborate with us where we can exchange information freely and have both parties benefit.

    We really do not like having this vendor relationship where you throw something over the fence and you have this contract that tries to encompass everything. We want to have somebody that, even though our contract is limited to something, if it's something that either party is obviously responsible for, we can do it and we don't argue over little things.

    I would say go for it. You won't regret it. I think they're very good products, very mature products. SiteMinder is synonymous with single sign-on. Identity Manager - it's a great tool.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    it_user197580 - PeerSpot reviewer
    Enterprise Architect at a healthcare company with 1,001-5,000 employees
    Video Review
    Real User
    We were using a homegrown-built system to manage identities and needed a better way to automate the process.

    What is most valuable?

    Identity Manager allows us to have a programmatic and paradigm shift in the way that we handle identities within our organization. What we had in the past was sort of a homegrown-built system to manage identities. That is individuals coming onto our systems and out of our systems. With the Identity Manager product, we're able to automate that in a way that we couldn't in the past. The single largest improvement has really been the ability to take what was a paper sort of process, e-mail sort of process, manager phone call process, down to an automated process which allowed us to go from one week to provision someone to ask the appropriate access down to about two hours.

    What needs improvement?

    We've met with the product development folks, and as far as improvements, we're really looking at them from a user experience. While all the key components are there to make the product work very well, what we're looking at is enhancing the product to have much more of a more modern approach and look and feel.

    What do I think about the stability of the solution?

    The actual application is very well designed and architected, and is very stable. We're very happy with the solution so far. The product is easily scalable and horizontally in that manner, so what that allows us to do is as we onboard more and more applications as endpoints for the Identity Manager, we're able to scale appropriately. Horizontal scaling is the ability to basically say, "Hey, I have ten more endpoints. I need two more instances of the application to manage those endpoints." It's easy to just instantiate them, as opposed to us having to buy bigger and bigger boxes to manage with more memory, more compute, more storage to manage those entities.

    How are customer service and technical support?

    Technical support from CA comes in two forms for us. The first one was in regard to their sort of, what we call, staff augmentation model. Well, they helped us to understand the paradigm for using Identity Manager, while at the same time helping us to understand how to use the actual product. The support that comes afterwards, which is also excellent, comes in the fact that they have forums for us to interact with. They also have sort of escalation procedures that we have a chance to work with, and so that supports us from both ends of the project. The introduction as well as the ongoing maintenance.

    Which solution did I use previously and why did I switch?

    In the past, we did sort of a simple sort of management of identities through, what we called, the manager calls you up and says, "I'm identifying the following person." It was sort of ad hoc, so to speak. With the Identity Manager product, in conjunction with the identity governance product, we were able to define roles, enterprise type roles, and then use the identity minder product to push those role's accesses out into the application world.

    How was the initial setup?

    I think the actual product itself is fairly simple and straightforward. The difficulty comes in trying to understand what is a paradigm for identity management in the context of this particular product.

    Which other solutions did I evaluate?

    Selecting a vendor is important to us. We need to make sure to pick the right vendor. Firstly, we look at are they one of the vendors we currently work with. Consistency in approach, consistency in the technology, consistency in the style, is all important for us. The product in and of itself is good, but what you need is a holistic approach from your organization, because identity management is not just simply a one area focus. It is an organizational issue. Make sure to include all the areas of the organization. We had sort of homegrown applications that we wrote. Scripts and programs that were written to manage in the context of our current applications.

    What other advice do I have?

    It is really important that we find out what the community thinks of these products. They have been through the war, so to speak, and their ability to learn and understand what the shortcomings were, what lessons learned happened for them in their particular context, is really important for us. Simply getting a White Paper is great. It's a starting point, but I like to augment that with blog reviews and understand what the rest of world thinks about our product, especially when it comes to critical products like something like an identity management system.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Sudip Karmacharya - PeerSpot reviewer
    Information Security Specialist at CAS Trading House
    Real User
    Top 5 Leaderboard
    Has a simple GUI and is easy to deploy, but has no proper documentation on how to do backups, and has lengthy configurations and workflows
    Pros and Cons
    • "What I found most valuable in Symantec Identity Governance and Administration is its simple GUI. It's also easy to deploy compared to other products. With other products, you have to install the Windows version inside the Windows machine on all units, but with Symantec Identity Governance and Administration, it can work offline, so the solution is a little bit easier than other systems."
    • "There are several areas for improvement in Symantec Identity Governance and Administration. They have no proper documentation on how to do backups. They also have a lengthy workflow process where we have to make some configurations to manage automation in the rules and in our tasks which takes time. We have to manually configure all the configuration files, and we cannot export users because there's no export system in Symantec Identity Governance and Administration. What we'd like to see in the next release of the solution is for them to make configuration and integration with other systems their top priorities. We have many API systems to manage, so hopefully, if they make these enhancements shortly, we can directly connect with our API systems when using Symantec Identity Governance and Administration."

    What is our primary use case?

    We use Symantec Identity Governance and Administration for user creation, division, modulation, workflow, and giving access to managers. We also use the solution for reconciliation and recertification purposes.

    What is most valuable?

    What I found most valuable in Symantec Identity Governance and Administration is its simple GUI. It's also easy to deploy compared to other products. With other products, you have to install the Windows version inside the Windows machine on all units, but with Symantec Identity Governance and Administration, it can work offline, so the solution is a little bit easier than other systems.

    What needs improvement?

    There are several areas for improvement in Symantec Identity Governance and Administration. They have no proper documentation on how to do backups. They also have a lengthy workflow process where we have to make some configurations to manage automation in the rules and in our tasks which takes time. We have to manually configure all the configuration files, and we cannot export users because there's no export system in Symantec Identity Governance and Administration.

    What we'd like to see in the next release of the solution is for them to make configuration and integration with other systems their top priorities. We have many API systems to manage, so hopefully, if they make these enhancements shortly, we can directly connect with our API systems when using Symantec Identity Governance and Administration.

    For how long have I used the solution?

    We've been using Symantec Identity Governance and Administration since 2019, so three years now.

    What do I think about the stability of the solution?

    Symantec Identity Governance and Administration is a stable solution, though sometimes you'll experience an issue or a problem with it. Stability-wise and performance-wise, I would rate it three out of five.

    What do I think about the scalability of the solution?

    Currently, my company has a license for two thousand two hundred users, so you could scale Symantec Identity Governance and Administration, but only a few use it, probably because the solution has a lengthy process where you have to make a lot of connections in the backend, and that's taking up a little bit of time.

    How are customer service and support?

    Currently, the technical support for Symantec Identity Governance and Administration isn't as good as it used to be. Broadcom has introduced other support and my company also provides support to customers, but in terms of getting good support from Broadcom, my team hasn't been getting it.

    The support team for Symantec Identity Governance and Administration is responsive, but there's a delay in the response.

    On a scale of one to five, with five being the best and one being the worst, I'm rating support two out of five.

    Which solution did I use previously and why did I switch?

    We didn't use a different solution before using Symantec Identity Governance and Administration, but currently, we're searching for other solutions that have similar features to Symantec Identity Governance and Administration. We haven't found a solution with the WSO2 identity feature. We didn't find a better product. We're trying to look for a new solution because Symantec Identity Governance and Administration has a lengthy configuration. Deploying the solution and configuring rules on it is lengthy as well. We have to do all these manually, which customers don't want, so we're planning on replacing Symantec Identity Governance and Administration.

    How was the initial setup?

    The initial setup for Symantec Identity Governance and Administration was very easy. It took around thirty minutes to be fully deployed. Setting up the solution was quite simple, but configuring it was a little bit lengthy.

    On a scale of one to five, with one being the worst and five being the best, I would rate the setup for Symantec Identity Governance and Administration four out of five.

    What about the implementation team?

    In my company, I did the deployment of Symantec Identity Governance and Administration myself. My company also supports customers in terms of deploying the solution, but via vendors.

    What's my experience with pricing, setup cost, and licensing?

    I'm not aware of the licensing cost for Symantec Identity Governance and Administration because I'm part of the technical team, not the sales team.

    What other advice do I have?

    In my company, Symantec Identity Governance and Administration is deployed on-premises, but we're planning to deploy it on the cloud, though it hasn't been decided yet. I still need to learn how to use the cloud version of the solution.

    Symantec Identity Governance and Administration doesn't require that much maintenance, and maintaining it is an easy process.

    My company has between fifty to one hundred users of the solution.

    I would recommend Symantec Identity Governance and Administration to others because it's a good product, particularly if you're okay with limited features. It also has a straightforward installation. The product is good enough to be used in a smaller environment, but if you want to automate more processes, then Symantec Identity Governance and Administration won't be as good. It utilizes the CPU and there could be some issues with a higher degree of automation.

    I'm rating Symantec Identity Governance and Administration six out of ten.

    My company has no partnership with Symantec Identity Governance and Administration.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Operation Risk Senior Manager/CRO at I-SCORE
    Real User
    Offers out-of-the-box connectors that have a lot of opportunities for configuration
    Pros and Cons
    • "Out-of-the-box the product has a lot of opportunity for configuration and sophisticated identity management capability."
    • "Although the capabilities are there, the user interface needs to be redesigned and the opportunities for integration should be improved."

    What is our primary use case?

    The primary use we have for this product is dividing access into streams. We have to provide the client organization with group and directory structures. The technical part, or provisioning, always seems to be more of a problem because the client companies have some semi-manual processes that depend on human interaction. This is often for something like disabling users, creating new users or changing roles.  

    Of course, provisioning takes a lot of time because it involves accurately defining and managing privileges. It includes accounting for all the access types from temporary access to agile access and also risk evaluation. All these things are often handled through a business process where a lot of the activity is done manually before a solution for automation — like CA Identity Manager — is in place. The agent for CA can handle criteria and rules and has templates for these activities. In short, it can handle these situations automatically starting from the HR Assistant included in the core suite to do recruitment or provisioning of users, and allowing basic access to things like email.  

    Leveraging access depends on which group a user is in and which business rules should be applied. There are often a lot of access attempts on what should be restricted resources. The client has to provide the rules to define which users have access. If there is no rule in place the issue has to first be identified and then go through a process of approval in an appropriate department. This may lead to a need to change the access process and maybe go back again to think further about the business rules. When all the right rules are in place the processing can be handled automatically by CA IDM.  

    After you change something and test the process again, you can find that there are exceptions and we do not have all the rules in place to handle them. Then the identification and approval process needs to be adjusted on the system again. This, of course, is done with manager approval and the rules have to be examined. We need to repeat this process for the entire site. It is a business process improvement that takes time but will eventually save time by eliminating human intervention and errors.  

    So the main use case is provisioning and access and implementation for security reasons. For example, if you request the use of an application and it is approved, the identity manager learns this and the user is then able to access this application.  

    What is most valuable?

    Out-of-the-box connectors have a lot of opportunities for configuration. The governance port and business rules are difficult. At a certain point, the product discovers dormant accounts because it monitors which accounts are active but which are not being used. So it will perform some service on these dormant accounts that are not active for six months or maybe never used before. This is a good feature. We also have a dynamic workflow, with approval stages which helps validate the ID.  

    They have a form designer, which is good because you can create exactly what you want as far as access controls. They have value-added modules like the one they have for asset management. This means that when you are in the role of a manager in CA IDM, you are able to restrict access to certain types of laptops — maybe by mobile provider, maybe by core type. So if a user tries to access the system with an asset of a certain type, we can allow it. It is a value-add, not necessarily related to the user distinctly. But if you take it from the point of view of asset management, it also helps in tracking the assets, which is another interesting outcome.  

    What needs improvement?

    As far as improvements, the first thing I think CA needs to do is redesign the user interface. The functionality is good but the interface itself is not that user-friendly.  

    I think also that there are some issues with the privileges of service accounts. For working with Oracle, we need some kind of service account with administrative privileges. Access works when we give the user account administrative privilege. But in some cases, particular access needs to work for user roles that have less than administrative privileges and these users and rules need to be stored in the database. I need the ability to directly configure users and rules store on databases.  

    Maybe it is more complicated and related to Oracle services — I do not know the database side as well. But we need to read and write on the rules table and the users tables and store that data in the database.  

    Otherwise, the product has good performance and it is a very capable solution. I can automate a lot of processes related to provisioning users and identity management, but the controls can be even more flexible with these few changes.  

    The deployment cannot be pushed through the management console when you define the credentials for a user that can connect to the endpoint. It would be easier for deployment if the service could look at the endpoint or data center and detect what is needed to push this deployment based on the application version or based on whatever the operating system is. Things like that can make a difference at times.  

    If they can customize by the customer, it means that if someone upgraded their environment, the client does not have to go back and request the version of an executable for a new OS. The result is that the correct executable will be deployed by the agent.  

    For how long have I used the solution?

    The last time I used CA Identity Manager was in May of 2019. Actually I was not using the product, but I was working with it in implementation. My job sometimes gravitates to implementation in the form of policy implementation and technology implementation. In order to do implementation, I had to have a good knowledge of CA IDM technologies as far as the connectors, the components, and integration ports, et cetera.  

    I was dealing with CA IDM for seven months. In the process, we had to go through the basic procurement, the deployment, the provisioning of the users, the integration of the second phase for the government and business rules, as well as other configurations. I have had to think through all of this with the available capabilities of the product and make sure everything would work. The last component that involved analytics was not something I was involved in. I did not work on that part, but I know the analytic features are good.  

    What do I think about the stability of the solution?

    My impression of the stability of CA IDM is that the product is very dependable. They have a good HA (High Availability) design and good DR (Disaster Recovery) for data transmission and security in all situations.  

    The deployment is very good. After you set up a new component you just go to the console and access the component you need to make adjustments to it at the console. The high availability works on active-active so it does not require a switch automatically to the other component because they act simultaneously. And, of course, we can also work with active-passive mode if you make that choice.  

    I am not sure whether this type of node management is an advantage to most users or not because in IT management you may not need this type of high availability design depending on the industry. But the capability is there and it can add stability to the infrastructure.  

    What do I think about the scalability of the solution?

    I did not specifically examine scalability during the implementation because I did not have the chance or the necessity. We were in the process of considering all that we needed and not what would happen if we needed to scale to expand the system. From what I remember, we also had plugins that we could have installed so maybe the availability of plugins is an example that it is scalable in the sense of functionality.  

    But I think, with CA, that the scalability is fine and it is exactly what an organization will need as they grow. We are not involved in really scaling the product when we are deploying it.  

    For availability, I think you can definitely scale up as much as you want because you deploy the clients and the endpoint or the console. So in this way scalability works from an availability standpoint.  

    For scaling the functionality of the product itself, I think it will need some other kind of intervention or maybe new development. It depends on what you need and what they already have in the form of plugins. I know they have an API but we did not need to work with it for our purposes. With the APIs you can extend the functionality outside the original identity.  

    During the process with a particular client that I have in mind, we argued about the starting point for the verification and whether it should be the HR system or the identity. This is a business decision that has to comply with the rules and business processes as defined by the organization and any regulations that apply. The question has to be answered before a solution can be put in place. With this client, we agreed that the starting point was the HR system, and one of the proposed solutions was that the HR system would call an API to perform the provisioning for identity. That was one possible approach. The second approach to working with identity was to install an agent on the HR system that could be run on a schedule. This solution is what we settled on and we agreed that this would be scheduled to run once a day, which is more than enough for what they needed to accomplish.  

    Because we chose the second approach we did not go for working with the APIs. The approach would be to run the process once a day on schedules like when most of the system resources would be in minimal demand — for example at the end of the workday. This would be done to check each employee for those that were added, transferred or changed privileges. And then an automated adjustment would be done for functionality and organization based on the established rules.  

    This is the kind of flexibility you have in deciding processes for an enterprise business — even a very complex business with demanding requirements. It shows another type of scalability.  

    How are customer service and technical support?

    I did not have a chance to contact support personally, so I cannot talk about how my experience with them was from a personal point of view. However, the people on the team right now working on projects who have called support said they were helpful. They have a good understanding of the product and seemed to have a lot of experience. I do not know what kind of resolution the members of our team were looking for from the support people. It might have just been for more information or troubleshooting or some type of issue resolution. But our company has had experience with the CA technical support team and from what I know the experiences were good.  

    How was the initial setup?

    The initial setup is not that difficult. We deployed the components and deployed the agents. This is just the basic framework.  

    Our deployment took seven months because the design phase is very complicated. We need to collect information for the access matrix, we need to validate, and we need to do some kind of cleansing. So, it is a very intensive task. Mainly it is the design which takes most of the time, not the basic deployment. The difficulty is in the business logic, the business rules, and the cleansing of users.  

    Working with the system is an ongoing process. When users request a type of access, there are only two paths. One of them is to grant access and the other is to deny access. For the denial, we may have to go through a long approval process which requires some justification for the requested access.  

    The implementation team that we use is divided between different roles. It is not a very big team but it represents different functions in the operation. There are the technical people, the people responsible for identity management, those responsible for manual processes, the people responsible for revision to the business logic, the people responsible for validating the access matrix, the risk evaluation people, the IT people, the operations group, the compliance people, and, of course, HR. So we are talking about a sustainable team of maybe 12 people involved in the implementation activity, but up to as many as 20 may be needed for approvals or other consultation. A lot of parts of the company are involved with the implementation process and defining business rules, all for different reasons and functions.  

    What about the implementation team?

    We are the ones who do the implementations, so we are the ones that others contact to perform this service.  

    What other advice do I have?

    The advice I would give to others who are looking to implement this product would be to define exactly what you need before the implementation of the solution. This is a key factor. If you need to change the deployment after it is deployed — such as the policies or structure — it is not a matter of just changing the configuration. It is more like you are starting from the beginning. If you have questions related to what needs to be addressed they need to be answered first. The way we deploy this is as a black box appliance. So it would be defined once. Even the IP cannot be changed. To make this type of change, it would have to be deployed again.  

    The biggest lesson I have learned from working with Identity Manager is that despite the product you use, the implementation is a process. You have to understand the process to see what activities do not give you value and also what activities serve to complicate the process. If you take the easier route and work with the standard deployment as much as possible, it will be more secure and faster. You need to see everything as an activity. So despite the impact that the product has on working with identity management, it is a process because the result is not to be blamed on the product at the end.  

    On a scale from one to ten where one is the worst and ten is the best, I would rate CA Identity Manager as an eight. To make this product closer to something like a ten they have to pay more attention to integrating with other solutions. Currently, CA is integrating with CA products only. In some cases, there are categories that CA does not compete in, like Service Manager, so they should pay attention to out-of-the-box integrations with non-competing services.  

    They definitely have a problem integrating with solutions that compete and this is really another problem. Really, this type of integration would allow users of their product to have more flexibility. They could choose their own solutions which may better fit their needs. In one instance, we had to end up using different solutions for managing internal personnel accounts and managing normal users. This is not convenient and can be expensive. So I think they have to be more open to broader integration and simplifying those processes.  

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user