Symantec Identity Governance and Administration Reviews

The primary use we have for this product is dividing access into streams. We have to provide the client organization with group and directory structures. The technical part, or provisioning, always seems to be more of a problem because the client companies have some semi-manual processes that depend on human interaction. This is often for something like disabling users, creating new users or changing roles.  

Of course, provisioning takes a lot of time because it involves accurately defining and managing privileges. It includes accounting for all the access types from temporary access to agile access and also risk evaluation. All these things are often handled through a business process where a lot of the activity is done manually before a solution for automation — like CA Identity Manager — is in place. The agent for CA can handle criteria and rules and has templates for these activities. In short, it can handle these situations automatically starting from the HR Assistant included in the core suite to do recruitment or provisioning of users, and allowing basic access to things like email.  

Leveraging access depends on which group a user is in and which business rules should be applied. There are often a lot of access attempts on what should be restricted resources. The client has to provide the rules to define which users have access. If there is no rule in place the issue has to first be identified and then to go through a process of approval in an appropriate department. This may lead to a need to change the access process and maybe go back again to think further about the business rules. When all the right rules are in place the processing can be handled automatically by CA IDM.  

After you change something and test the process again, you can find that there are exceptions and we do not have all the rules in place to handle them. Then the identification and approval process needs to be adjusted on the system again. This, of course, is done with manager approval and the rules have to be examined. We need to repeat this process for the entire site. It is a business process improvement that takes time but will eventually save time by eliminating human intervention and errors.  

So the main use case is provisioning and access and implementation for security reasons. For example, if you request the use of an application and it is approved, the identity manager learns this and the user is then able to access this application.  

Out-of-the-box connectors have a lot of opportunities for configuration. The governance port and business rules are difficult. At a certain point, the product discovers dormant accounts because it monitors which accounts are active but which are not being used. So it will perform some service on these dormant accounts that are not active for six months or maybe never used before. This is a good feature. We also have a dynamic workflow, with approval stages which helps validate the ID.  

They have a form designer, which is good because you can create exactly what you want as far as access controls. They have value-added modules like the one they have for asset management. This means that when you are in the role of a manager in CA IDM, you are able to restrict access to certain types of laptops — maybe by mobile provider, maybe by core type. So if a user tries to access the system with an asset of a certain type, we can allow it. It is a value-add, not necessarily related to the user distinctly. But if you take it from the point of view of asset management, it also helps in tracking the assets, which is another interesting outcome.  

As far as improvements, the first thing I think CA needs to do is redesign the user interface. The functionality is good but the interface itself is not that user-friendly.  

I think also that there are some issues with the privileges of service accounts. For working with Oracle, we need some kind of service account with administrative privileges. Access works when we give the user account administrative privilege. But in some cases, particular access needs to work for user roles that have less than administrative privileges and these users and rules need to be stored in the database. I need the ability to directly configure users and rules store on databases.  

Maybe it is more complicated and related to Oracle services — I do not know the database side as well. But we need to read and write on the rules table and the users tables and store that data in the database.  

Otherwise, the product has good performance and it is a very capable solution. I can automate a lot of processes related to provisioning users and identity management, but the controls can be even more flexible with these few changes.  

The deployment cannot be pushed through the management console when you define the credentials for a user that can connect to the endpoint. It would be easier for deployment if the service could look at the endpoint or data center and detect what is needed to push this deployment based on the application version or based on whatever the operating system is. Things like that can make a difference at times.  

If they can customize by the customer, it means that if someone upgraded their environment, the client does not have to go back and request the version of an executable for a new OS. The result is that the correct executable will be deployed by the agent.  

The last time I used CA Identity Manager was in May of 2019. Actually I was not using the product, but I was working with it in implementation. My job sometimes gravitates to implementation in the form of policy implementation and technology implementation. In order to do implementation, I had to have a good knowledge of CA IDM technologies as far as the connectors, the components, and integration ports, et cetera.  

I was dealing with CA IDM for seven months. In the process, we had to go through the basic procurement, the deployment, the provisioning of the users, the integration of the second phase for the government and business rules, as well as other configurations. I have had to think through all of this with the available capabilities of the product and made sure everything would work. The last component that involved analytics was not something I was involved in. I did not work on that part, but I know the analytic features are good.   

My impression of the stability of CA IDM is that the product is very dependable. They have a good HA (High Availability) design and good DR (Disaster Recovery) for data transmission and security in all situations.  

The deployment is very good. After you set up a new component you just go to the console and access the component you need to make adjustments to it at the console. The high availability works on active-active so it does not require a switch automatically to the other component because they act simultaneously. And, of course, we can also work with active-passive mode if you make that choice.  

I am not sure that this type of node management is an advantage to most users or not because in IT management you may not need this type of high availability design depending on the industry. But the capability is there and it can add stability to the infrastructure.  

I did not specifically examine scalability during the implementation because I did not have the chance or the necessity. We were in the process of considering all that we needed and not what would happen if we needed to scale to expand the system. From what I remember, we also had plugins that we could have installed so maybe the availability of plugins is an example that it is scalable in the sense of functionality.  

But I think, with CA, that the scalability is fine and it is exactly what an organization will need as they grow. We are not involved in really scaling the product when we are deploying it.  

For availability, I think you can definitely scale up as much as you want because you deploy the clients and the endpoint or the console. So in this way scalability works from an availability standpoint.  

For scaling the functionality of the product itself, I think it will need some other kind of intervention or maybe new development. It depends on what you need and what they already have in the form of plugins. I know they have an API but we did not need to work with it for our purposes. With the API's you can extend the functionality outside the original identity.  

During the process with a particular client that I have in mind, we argued about the starting point for the verification and whether it should be the HR system or the identity. This is a business decision that has to comply with the rules and business processes as defined by the organization and any regulations that apply. The question has to be answered before a solution can be put in place. With this client, we agreed that the starting point was the HR system, and one of the proposed solutions was that the HR system would call an API to perform the provisioning for identity. That was one possible approach. The second approach to working with identity was to install an agent on the HR system that could be run on a schedule. This solution is what we settled on and we agreed that this would be scheduled to run once a day, which is more than enough for what they needed to accomplish.  

Because we chose the second approach we did not go for working with the APIs. The approach would be to run the process once a day on schedules like when most of the system resources would be in minimal demand — for example at the end of the workday. This would be done to check each employee for those that were added, transferred or changed privileges. And then an automated adjustment would be done for functionality and organization based on the established rules.  

This is the kind of flexibility you have in deciding processes for an enterprise business — even a very complex business with demanding requirements. It shows another type of scalability.  

I did not have a chance to contact support personally, so I can not talk about how my experience with them was from a personal point of view. However, the people on the team right now working on projects who have called support said they were helpful. They have a good understanding of the product and seemed to have a lot of experience. I do not know what kind of resolution the members of our team were looking for from the support people. It might have just been for more information or troubleshooting or some type of issue resolution. But our company has had experience with the CA technical support team and from what I know the experiences were good.  

The initial setup is not that difficult. We deployed the components and deployed the agents. This is just the basic framework.  

Our deployment took seven months because the design phase is very complicated. We need to collect information for the access matrix, we need to validate, and we need to do some kind of cleansing. So, it is a very intensive task. Mainly it is the design which takes most of the time, not the basic deployment. The difficulty is in the business logic, the business rules, and the cleansing of users.  

Working with the system is an ongoing process. When users request a type of access, there are only two paths. One of them is to grant access and the other is to deny access. For the denial, we may have to go through a long approval process which requires some justification for the requested access.  

The implementation team that we use is divided between different roles. It is not a very big team but it represents different functions in the operation. There are the technical people, the people responsible for identity management, those responsible for manual processes, the people responsible for revision to the business logic, the people responsible for validating the access matrix, the risk evaluation people, the IT people, the operations group, the compliance people, and, of course, HR. So we are talking about a sustainable team of maybe 12 people involved in the implementation activity, but up to as many as 20 may be needed for approvals or other consultation. A lot of parts of the company are involved with the implementation process and defining business rules, all for different reasons and functions.  

We are the ones who do the implementations, so we are the ones that others contact to perform this service.  

The advice I would give to others who are looking to implementing this product would be to define exactly what you need before the implementation of the solution. This is a key factor. If you need to change the deployment after it is deployed — such as the policies or structure — it is not a matter of just changing the configuration. It is more like you are starting from the beginning. If you have questions related to what needs to be addressed they need to be answered first. The way we deploy this is as a black box appliance. So it would be defined once. Even the IP cannot be changed. To make this type of change, it would have to be deployed again.  

The biggest lesson I have learned from working with Identity Manager is that despite the product you use, the implementation is a process. You have to understand the process to see what activities do not give you value and also what activities serve to complicate the process. If you take the easier route and work with the standard deployment as much as possible, it will be more secure and faster. You need to see everything as an activity. So despite the impact that the product has on working with identity management, it is a process because the result is not to be blamed on the product at the end.  

On a scale from one to ten where one is the worst and ten is the best, I would rate CA Identity Manager as an eight. To make this product closer to something like a ten they have to pay more attention to integrating with other solutions. Currently, CA is integrating is with CA products only. In some cases, there are categories that CA does not compete in, like Service Manager, so they should pay attention to out-of-the-box integrations with non-competing services.  

They definitely have a problem integrating with solutions that compete and this is really another problem. Really, this type of integration would allow users of their product to have more flexibility. They could choose their own solutions which may better fit their needs. In one instance, we had to end up using different solutions for managing internal personnel accounts and managing normal users. This is not convenient and can be expensive. So I think they have to be more open to broader integration and simplifying those processes.  

I would say the most valuable feature is provisioning where we are able to provide user access to all the resources they need in a uniform way that we can audit. We don't need to spend a month going to every individual server, every individual database granting user access. We can do it from one central place.

For SiteMinder, is the ability to bring applications under its protection very quickly and ability to partner with other companies through Federation and SAML using open standards to do authentication. We are able to partner with other vendors much more quickly no because before we had to do our home grown authentication things and they had to adapt to our non-standard way of doing things. Now, we have open standards. We publish a document to them with our SAML configuration, the documents we are going to be sending them and they code to it. We get on board very, very quickly.

For one, you don't have to remember a thousand passwords. You just remember one. You go to a dashboard and then you'll be given access to the environments you need. Two, there is more security because the passwords that it generates are very, very large. They change very often. It's not something that can easily be guessed and your infrastructure is more protected this way.

Something to help us migrate our code between environments from QA to UA to production in an easier way. That would probably be the big one.

They seem very, very stable. Ever since we put them in place we didn't have to do much in terms of bug fixes. They just work out of the gate. Part of the reason we had that is because we couldn't have the point from a single server so there is no fail over, even though the two supports that we have not configured this way yet.

We didn't have to face any scalability challenges yet because we only use it for our members, which are about 40,000 accounts, which is nothing for two of that size. We haven't had any issues, but we haven't had much load.

They have been very good to us. We also partnered with Simeio which is a preferred partner for them. They have been working very, very closely with us. They have been very responsive in communication. They have developed patches for us whenever we needed them.

We did use previous solutions. We used a very old Oracle SSO, Oracle OID, and Oracle IDAS, all of which were unsupported by the time we went to upgrade.

It was straightforward on the SiteMinder side. On the Identity Manager side, it was a little more complex because we had to maintain a certain legacy items. We have some authorization settings stored in databases that we need hook Identity Manager to and have it manage those. We had to create some custom code to do that. It wasn't too difficult.

We are looking at another tool from CA Advanced Authentication for our guest site, which is then millions of users. So far, we are still in QA, but it seems that it will scale just fine.

We rely on word of mouth. We try to see if anybody has experience with working with this vendor. We're looking, not just for a vendor or a partner, we're looking for somebody who could be open, who can truly collaborate with us where we can exchange information freely and have both parties benefit.

We really do not like having this vendor relationship where you throw something over the fence and you have this contract that tries to encompass everything. We want to have somebody that, even though our contract is limited to something, if it's something that either party is obviously responsible for, we can do it and we don't argue over little things.

I would say go for it. You won't regret it. I think they're a very good products, very mature products. SiteMinder is synonymous with single sign-on. Identity Manager - it's a great tool.

We only need one pane of glass to see what users have access to, especially privileged accounts.

Once it's in place, it's easy to use. You definitely need insight into how your company provides access to users. Especially if it's going to be role based, which most of it is. It reduces the amount of time needed for analysts to provision users; new accounts, changes, and terms.

I'd like to see the user interface be a little bit better as far as deploying the infrastructure, the back end, but I hear that it's coming.

Most of the troubleshooting workflow is based on logs, so if the logs were consolidated we would need to just look at one particular log for all the servers to figure out what going on.

For example, if you get a fail when provisioning a user, you determine where it fails, and go to the logs to see where specifically the process stopped and what tasks were not completed.

We've had CA Identity Manager for three years now.

Stability needs some work. There are some issues with the back-end infrastructure. We've noticed that in our implementation, a lot of Java memory leaks are recurring. We've gone back and forth trying to discover the cause, and have to restart the systems and clear out the memories every couple weeks or so.

It scales fine. It's one of the better products out there. There is a limit to the amount of provisions you can keep in users accounts and you need to archive some things, but I haven't reached that limit; at least with our users.

We've opened up a few tickets with technical support and we've used our CA third-party consultants as well. They've been very helpful.

We had an in-house solution that was for a subset of our users. It wasn't robust enough to go scale to the entire corporation, so we went through a selection process to find out who's the best out there at the time. We've had CA Identity Manager for three years now, so it was pretty recent.

I was involved in the initial setup and it wasn't complex. The implementation after setup was difficult. The documentation in that area was lacking, but the implementation was as good as it's going to get.

Definitely understand your access base for your user from the business perspective. If you're made up of different companies, get a clear understanding of how those different companies get access to users, so you can make it easier when the roll out comes out and do role-based implementations.

We had a big problem with accounts synchronization provision as we used a very old identity manager solution, and we needed to change it. Then we acquired the new CA solution and we changed the solution. 

It was a big challenge to change in only four months to CA Identity Manager, but we did it. Now we have accounts synchronization and self-service password reset. 

Over the next two years, we will implement a new solution with CA for the accounts to put in Identity Governance. We need to implement 70 new systems inside Identity Manager.

We use CA products because we have specific programs. For example, we use IBM WebSphere, and Identity Manager works with it. We implement and both sides achieve development and production, and we consider higher capability.

My team doesn’t have much experience, so we need to hire a professional to work with us on site every day. This is difficult. I have 2700 servers and we have another project when 90% is obligated to use them but only 10% is a physical server.

At the moment, stability is so-so. We implemented this solution last month and the CA professional worked with us every day and made some configuration. I think our level of stability is normal for this stage.

We made a request for a proposal to which IBM, Oracle, ISA, and CA responded. CA and Oracle were proven because the other ones didn’t agree with the time, four months, which is a big challenge. When my architecture team and security team checked the solutions, CA has a better score than Oracle, and they had a better price.

You have to plan what you need. I had a bad experience in the past with an Oracle solution as my last company didn’t know what they needed. It's important to know what you need and where you can go. You need to have your systems and your integration prepared. We have had some surprises.

I used the solution in a test environment and used a couple of features. Then, I realized I couldn't do everything I wanted to.

It's good for having partial capabilities.

It offers a nice price. It's mid-range. 

It works well on-premises. 

Other products offer more features. 

Symantec is only on-premises, not on the cloud.

There are not a lot of connectors or integrations available out of the box. 

It doesn't do edge cases well.

The connectivity options are limited.

Reporting and monitoring are not very good or well organized. 

It needs more approval of workflows or modification options.

I have not directly worked on the solution. I have kind of reviewed them for another implementation that I was doing, and we went ahead with another product or another solution.

The solution's stability is difficult to gauge as I did not explore that in my use cases. 

I did not explore the scalability. Not a lot of capabilities were offered. It's not as flexible as others, such as SailPoint. 

I did not use any technical support services. 

Any on-premises solution will require some prerequisites to get it to a stage where we could work with it. The setup is a bit more complex as it needs to have a few extra steps before getting to the implementation phase. 

I'd rate the pricing at six or seven out of ten in terms of affordability. It's mid-range. 

There are other similar products in the market that do more than Symantec is doing. I'd rate the solution five out of ten.

The governance use case is to collect all the knowledge about the user profiles and rights and permissions they have and consolidate them with a unique view so we can manage them to grant more permissions or to remove some permissions.

I don't think there is a feature that I like most. It does what it has to do. It shows me the information I need, and I can manage it with ease.

The solution is user-friendly and easy to use. 

The initial setup is pretty simple.

The stability is good.

The scalability potential is there if a company needs to expand.

There is no preferable feature. It works well in general.

The performance could be better. Sometimes there is a problem with performance. There are times that it takes too long to generate reports and to run the assessment tools to collect the information. It could be faster.

The solution has been used for more than ten years in our company.

The stability of the product is great. There is a little bit of a performance in that sometimes it can take a while to pull reports, however, it doesn't crash or freeze and there are no bugs or glitches. 

The solution scales well. If a company needs to expand, it can do so.

Technical support is good. I find them to be helpful and responsive. In general, we are satisfied with the level of support on offer. 

Overall, the initial setup was pretty simple. I have not done it personally, however, from what I have seen, I believe it's easy.

We only need two people for deployment and maintenance. 

I have not personally seen an ROI.

We are a Symantec partner.

Our clients are using the most up-to-date version of the solution. I'm not sure of the exact version number. 

I would advise new users that there are a lot of good providers for all of these tools. I advise people to test them to make sure they have the best one for the organization's needs.

In general, I would rate the solution at a nine out of ten.

The most valuable features are role-based access and identity provisioning, which allow a single point of user access to multiple places.

It’s provided us a single point to create users and then provision them to different sources so that they have access to them without having to login in multiple locations.

It has a large footprint which you'd expect to be much, much smaller. Just to run basic services, we have 10 different servers. Also, if it were easier to manage, that'd be useful.

We had no issues deploying it.

We’ve uncovered some bugs while working in it. CA has -- and still is -- working with us to resolve those issues.

We haven't really had any issues with scalability, but we have an older version of it where we’ve had to customize it to an extent.

Their engineers know our environment very well. We're able to get personal support with specific engineers when we make such a request.

The initial setup is very complex. In fact, it took a while to get through the entire setup and we’re even adding to it now. CA has even been on site to help us.

CA is great to work with, but to use it, just learn the product suites and how the individual products interact. Make sure you have a good layout and you have everything you need.

The automation that it brings to the enterprise is one of the main things that we looked at.

We had a 20 year old provisioning system which was built primarily for manual activities. Identify Manager helped us move to a more automated model with fewer manual interactions. This definitely had a lot of added value for us.

Keeping up with the market and support for functionality and other core endpoints like Active Directory and Exchange that right now seems to be missing. So it needs a little more work around keeping up with what the industry is going.

We definitely had quite a few challenges getting up and running. Since the initial setup, it's been pretty good. We have some small issues, but overall it's not too bad. It was definitely a challenge getting to that state, though.

It is pretty scalable. We use it in the enterprise as a provisioning engine. We also use it in our external environment on the consumer side. For both these uses, it works pretty well.

One open challenge that I see with the provisioning engine is that there is something lacking in terms of pure high availability. The active-active model is pretty critical for that. Many of the components do support that model. There are subsets that don't. It would be valuable to get that into the product sometime.

There are some really good resources and support. Overall, I've had pretty decent luck with support. Sometimes we do have challenges, but that's getting better.

We are a big enterprise, which means that we’ve done things the old way for such a long time. We were long overdue for investing in a proper provisioning system.

In a way, we had been a big CA customer for a long time. It was a natural fit to leverage what we already had, rather than going and trying to find something else.

Some of the connectors are pretty flexible. It felt like there was a lack of understanding on the capabilities of the endpoints. This ended up being a point of contention. There was a lot of back and forth in discussions about how things should or should not work. That dragged out the project for longer than it should have taken.

We did have one vendor. I’d rather not say which one. They were pretty competent too. In comparison, we thought that CA Identity Manager would be a better fit for us. The skills that we have and our experience with this solution is what made it a better fit than the competition. The partnership and flexibility that CA offer were also pretty important factors in our decision.

Any solution that you pick will have its fair share of challenges. Understand and document what you really want done. You need to define what you want to accomplish in a provisioning solution scenario before you embark to try to achieve it.