Sailpoint IdentityIQ vs Oracle identity Governance
What are the Major differences between Sailpoint IdentityIQ and Oracle identity Governance? I want to know the differences between these identity management systems.
Sales Engineer - Identity and Access Management at Sailpoint
Real User
Top 20
2018-02-05T20:42:06Z
Feb 5, 2018
I have had the privilege to work both systems during my career. Below is my detailed response.
There are a number of differences in both products in terms of functionality and approach towards the Identity Governance and administration. Before i go into the details i would like to point out that SailPoint is a leading company that does business in identity Governance and nothing else. They are continued market leaders as per Gartner IGA MQ , Forrester IMG Wave and Kuppinger Cole.
The approach of SailPoint is different from all of the IGA systems out there in the market. The focus is to first analyze then get clean and stay clean and then move towards the user life cycle management. And this is a key factor for the success of SailPoint. On the other hand Approach of Oracle and every other vendor out there is very old school and conventional, which is focusing on automated provisioning. in this day and age this approach is not fruit full for the customers.
Lets talk about the Interface. In IdentityIQ there is only one interface to completely manage your Identity Governance (By which i mean Compliance and governance, life cycle management and password management) as well as to provide users with self service. In Orace there are separate consoles for Administration, Self service and Application connectivity.
Visibility: OIM has a very nice user's store where you can see all the organization's identities and their associated access. some reports are available out of the box. In SailPoint there is an Identity warehouse that gives you 360 degree view of the identities with information of not just Accounts and entitlements but risk scores, certification history and access request histories. In addition to that there are a number of out of the box reports available. the most interesting functionality in IdentityIQ is Advanced analytics, which allows the business users to build their own reports using the same UI without having the need of any help from technical personal.
Role management: Oracle has conventional Single tiered Role management. SailPoint Has two tiered Role model with the option that allows you to use single tier model as well. With this two tiered approach, you have the flexibility to create the roles that translate your business model and the roles that translate your IT Domain separately and on top of that create relationships between them to allow implementation of a more complex Role model.
Policy Management: In Oracle you have the options available for Access Policy management that allows you to create Policies for automated account provisioning (without the flexibility of retries) and segregation of duties policies. in IdentityIQ however, Provisioning is managed through the Roles but has a separate Policy management functionality that allow you to create a variety of SOD policies on Roles and entitlements. it also allows you to create policies for account activities, value changes and processes.
Dynamic Risk Management: Oracle has a Separate Product for risk management and i have not had any experience with that product. In IdentityIQ there is a comprehensive Dynamic Risk management module that enables the organizations to shift their focus on the users of interest i.e. with high risk scores. Around this risk model you can apply compliance and governance.
Access Certifications: In Oracle Identity Governance you have the option to define certification campaigns for Roles, Entitlements and user Accounts. Each type of certification allows a specific number of certifiers. These certifications can be launched or scheduled. In IdentityIQ you have the flexibility of defining the certification campaigns for Roles, Entitlements, Accounts, application Entitlement Permissions, role composition(Entitlements in a role) and policy violations. You can define the number of certifiers. you can launch the certification right away, you can schedule them or you can configure the automatic launch of certification at specific events in user life cycle for example crossing a threshold risk score.
User life Cycle management: In OIM user life cycle is managed through access policies. These access policies allow you to configure Automated provisioning, de provisioning of Entitlements and accounts in your IT applications. In IdentityIQ the life cycle of a user is managed by event based triggers. For example Joiner Event, Mover Event, Rehire Event and Leaver Event. These Events can be configured based on Attribute changes(Data Change), Create accounts or custom rules. These events then use the Role and Policy model in IdentityIQ to manage accesses of the users through out their life cycle.
Self Service Access Request management: OIM has a nice Access Request management module that uses shopping cart functionality to allow users to request accesses for themselves or others. These requests then initiate approval workflows based on approval policy assigned to the requested item. In IdentityIQ Access requests are managed through the Life Cycle manager Events. these events are treated as user initiated change events. Users can request Entitlements and accounts for themselves or others. The request-able Items are restricted by SOD policies with an option to submit requests as an exception allowing the aprrover visibility of the violations and risks associated with the request. Approval workflows are flexible to customization.
Connectivity: OIM has a limited number of connectors available out of the box and you have to buy additional license for some of those. in IdentityIQ there is a range of OOTB connectors available and you dont have to pay anything extra for any of them.
Customization: Oracle has never welcomed any customizations to its products unless it is identified as a Bug and the you would have to wait for the next patch or release. SailPoint on the other hand allows customers to customise each and every single of the functionalities to meet the customer's requirements and the customization is as simple as writing java code.
Client base: There are around a 170 clients worldwide who have migrated from OIM to IdentityIQ in the past 5 years.
My recommendation as it would have been clear by now from the above text, is to choose IdentityIQ because it always works :)
Here follow my inputs about your questions concerning SailPoint IQ and Oracle.
WHERE DOES IT COMES FROM?
1. As representatives of SailPoint told me in 2008, SailPoint IQ was designed in 2005 by reusing the functional and technical requirements of SocGen Corporate Investment Banking (I participated to the initial design in 2004 in Paris… we live in a small world).
2. Oracle Identity Governance was formerly RBAC X purchased by Sun Microsystems then selected as the Identity Analytics components by Oracle.
WHAT ARE THE FOUNDATIONS OF THAT?
Both solutions are based on the Role Based Access Control model (RBAC) consisting of telling who occupies some business roles to be granted more or less consistent list of authorizations.
This is a model of the second generation while the NIST envisioned up to 6 generations in 2009! So… it’s a pretty old model.
IF ONE ORGANIZATION SUCCEEDS TO MAKE IT WITH RBAC
If one succeeds to implement this model, then it is possible to tell:
1. Who should have access to what by occupying a role that has to be mined with a half automated process that is pretty laboring and expensive,
2. Who has ‘’out role’’ entitlements to be terminated. Reviews of entitlements can be focused on ‘’Out roles’’ and even if they don’t understand the descriptions of authorizations, managers can take a decision.
HEAVY PREREQUISITES TO MAKE IT
LABOR, TIME AND CASH BECAUSE OF HEAVY PREREQUISITES
If one large organization is willing to satisfy the core prerequisite of these 2 solutions, it is necessary:
1. to spend 30 to 60 minutes for each department of an organization to mine User Roles and to associate a list of authorizations that are impossible to understand by any business analyst,
2. then spend about an hour with each manager to validate the roles and associated entitlements (impossible to understand by managers as well),
3. last but not least, implement the roles and lists of entitlements.
REAL USE CASE IN THE USA
Large organizations are totally unable to implement such an approach for following reasons:
1. ..X for example used SailPoint IQ and mined 1.500 roles instead of estimated 15.000 (low estimation),
2. ..X was unable to validate roles because managers could not understand labels of authorizations such as: ZZX00152, ZX215521, zz_top_group_senior,…
3. it would have been:
a. too long to make it for 126.000 employees / 10 team members in average = 12.600 work units located in about 100 countries * 30 minutes in average = 787 man days without vacations, travels, coordination!
b. too expensive:
i. 1 role analyst * 30 minutes in average * 80$ per hour * 12.600 units = 504.000$ for role mining only
ii. 1 role analyst + 1 manager * 220$ per hour * 12.600 units = 2.772 K$ for role validation
iii. Implementation of roles into IAM solution such as Oracle Identity Manager or IBM SIM is a technical thing that costs more…
IF ONE ORGANIZATION CANNOT MAKE IT BECAUSE MANAGERS DON’T UNDERSTAND WHAT MEANS ‘’ZX023455``
SailPoint and Oracle have nice features to add translations to entitlements.
The thing is that where you have several ten thousand labels to translate…
* it takes time and lots of $ before to deliver.
* People around a table will take time to come to a shared understanding (if they are very motivated)
IF ONE ORGANIZATION CANNOT MAKE IT BECAUSE IT’S IMPOSSIBLE TO TRANSLATE ‘’ZX023455``
* SailPoint proposes to use Risk Based approach and to add Risk Criteria to several ten thousands labels… (sic) to be considered from a Risk Standpoint…
* Oracle proposes to use indicators and requests and to let managers think about a decision to be taken thanks to dashboards and reports. Some kind of Business Intelligence.
WHAT IS THE OPTION?
1. ...X came to the conclusion that it was not possible to make it with SailPoint IQ alone. A custom algorithm is necessary to enhance SailPoint capabilities.
2. The Gartner Group exposed the issue for the last 3 years. Advanced analytics and Self Learning systems will make it.
3. We, at EasyPatternZ:
a. are the first to make it with Artificial Intelligence.
b. take about 5 seconds per work unit in average to deliver the answer to the question ‘’Who has access to what, why, whatever the circumstances’’ better and faster than any leader.
c. made it 3 times since 2013. The Federal Government of Canada will qualify it between April and July this year with 23.000 employees.
d. Are watched by USCIS.
My experience in IAM is with HPE Aruba ClearPass & Cisco ISE. A couple of other competing products, such as the ForeScout and Auconet products that were evaluated at a high level, but didn’t progress further.
I’m not at all familiar with Sailpoint IdentityIQ and Oracle Identity Governance and couldn’t provide any meaningful insight into either of them.
IAM governance and Process expert at a energy/utilities company with 1,001-5,000 employees
Real User
2018-02-05T14:29:43Z
Feb 5, 2018
Basically the question is 'what will you achive ?'. I agree with the comment above, Oracle is known to have a high TCO due to complexity. The fact is also that Oracle claims to ease the end-user experience but this mean a mandatory extensive preparation in order to provide users with accurate and in context information. Sailpoint IIQ is probably easier to implement and indeed is efficient in respect of RBAC and ABAC or preferably some kind of hybrid modeling. Don't forget IAM needs a very good preparation (analysis, modeling, inventory, classification, process analysis etc.) From my experience, IIQ is able to respond to complex needs and is far cheaper than Oracle and this allows to invest in added value activities (extra licence). Sorry if this is not a factual response in terms of pros & conts between OIG and IIQ but IIQ is more affordable and from my point of view covers all needed capabilities to build a strong IAM solution.
I think at a high level, both are going to provide the same functions. You'll see the main differences in how one has to implement workflows, UIs, and rules. Where Oracle uses BPML, ADF and OES, respectively, SailPoint is more Java-centric, IMHO. I found OIG's SOD rule definition UI hard to use and some serious limitations in its hierarchal role model. I think SailPoint has surpassed OIG in its extensibility with the framework in its 7.0 release. I would definitely evaluate roadmap if you want to stay on-prem.
SailPoint Identity Security Cloud and Oracle Identity Governance compete in the identity management category. SailPoint appears to have the upper hand in intuitive layout and user-friendly implementation, while Oracle Identity Governance excels in identity lifecycle management and integration with Oracle's stack.Features: SailPoint offers automated provisioning, comprehensive compliance and governance tools, and efficient role management. Oracle provides identity lifecycle management,...
I have had the privilege to work both systems during my career. Below is my detailed response.
There are a number of differences in both products in terms of functionality and approach towards the Identity Governance and administration. Before i go into the details i would like to point out that SailPoint is a leading company that does business in identity Governance and nothing else. They are continued market leaders as per Gartner IGA MQ , Forrester IMG Wave and Kuppinger Cole.
The approach of SailPoint is different from all of the IGA systems out there in the market. The focus is to first analyze then get clean and stay clean and then move towards the user life cycle management. And this is a key factor for the success of SailPoint. On the other hand Approach of Oracle and every other vendor out there is very old school and conventional, which is focusing on automated provisioning. in this day and age this approach is not fruit full for the customers.
Lets talk about the Interface. In IdentityIQ there is only one interface to completely manage your Identity Governance (By which i mean Compliance and governance, life cycle management and password management) as well as to provide users with self service. In Orace there are separate consoles for Administration, Self service and Application connectivity.
Visibility: OIM has a very nice user's store where you can see all the organization's identities and their associated access. some reports are available out of the box. In SailPoint there is an Identity warehouse that gives you 360 degree view of the identities with information of not just Accounts and entitlements but risk scores, certification history and access request histories. In addition to that there are a number of out of the box reports available. the most interesting functionality in IdentityIQ is Advanced analytics, which allows the business users to build their own reports using the same UI without having the need of any help from technical personal.
Role management: Oracle has conventional Single tiered Role management. SailPoint Has two tiered Role model with the option that allows you to use single tier model as well. With this two tiered approach, you have the flexibility to create the roles that translate your business model and the roles that translate your IT Domain separately and on top of that create relationships between them to allow implementation of a more complex Role model.
Policy Management: In Oracle you have the options available for Access Policy management that allows you to create Policies for automated account provisioning (without the flexibility of retries) and segregation of duties policies. in IdentityIQ however, Provisioning is managed through the Roles but has a separate Policy management functionality that allow you to create a variety of SOD policies on Roles and entitlements. it also allows you to create policies for account activities, value changes and processes.
Dynamic Risk Management: Oracle has a Separate Product for risk management and i have not had any experience with that product. In IdentityIQ there is a comprehensive Dynamic Risk management module that enables the organizations to shift their focus on the users of interest i.e. with high risk scores. Around this risk model you can apply compliance and governance.
Access Certifications: In Oracle Identity Governance you have the option to define certification campaigns for Roles, Entitlements and user Accounts. Each type of certification allows a specific number of certifiers. These certifications can be launched or scheduled. In IdentityIQ you have the flexibility of defining the certification campaigns for Roles, Entitlements, Accounts, application Entitlement Permissions, role composition(Entitlements in a role) and policy violations. You can define the number of certifiers. you can launch the certification right away, you can schedule them or you can configure the automatic launch of certification at specific events in user life cycle for example crossing a threshold risk score.
User life Cycle management: In OIM user life cycle is managed through access policies. These access policies allow you to configure Automated provisioning, de provisioning of Entitlements and accounts in your IT applications. In IdentityIQ the life cycle of a user is managed by event based triggers. For example Joiner Event, Mover Event, Rehire Event and Leaver Event. These Events can be configured based on Attribute changes(Data Change), Create accounts or custom rules. These events then use the Role and Policy model in IdentityIQ to manage accesses of the users through out their life cycle.
Self Service Access Request management: OIM has a nice Access Request management module that uses shopping cart functionality to allow users to request accesses for themselves or others. These requests then initiate approval workflows based on approval policy assigned to the requested item. In IdentityIQ Access requests are managed through the Life Cycle manager Events. these events are treated as user initiated change events. Users can request Entitlements and accounts for themselves or others. The request-able Items are restricted by SOD policies with an option to submit requests as an exception allowing the aprrover visibility of the violations and risks associated with the request. Approval workflows are flexible to customization.
Connectivity: OIM has a limited number of connectors available out of the box and you have to buy additional license for some of those. in IdentityIQ there is a range of OOTB connectors available and you dont have to pay anything extra for any of them.
Customization: Oracle has never welcomed any customizations to its products unless it is identified as a Bug and the you would have to wait for the next patch or release. SailPoint on the other hand allows customers to customise each and every single of the functionalities to meet the customer's requirements and the customization is as simple as writing java code.
Client base: There are around a 170 clients worldwide who have migrated from OIM to IdentityIQ in the past 5 years.
My recommendation as it would have been clear by now from the above text, is to choose IdentityIQ because it always works :)
Here follow my inputs about your questions concerning SailPoint IQ and Oracle.
WHERE DOES IT COMES FROM?
1. As representatives of SailPoint told me in 2008, SailPoint IQ was designed in 2005 by reusing the functional and technical requirements of SocGen Corporate Investment Banking (I participated to the initial design in 2004 in Paris… we live in a small world).
2. Oracle Identity Governance was formerly RBAC X purchased by Sun Microsystems then selected as the Identity Analytics components by Oracle.
WHAT ARE THE FOUNDATIONS OF THAT?
Both solutions are based on the Role Based Access Control model (RBAC) consisting of telling who occupies some business roles to be granted more or less consistent list of authorizations.
This is a model of the second generation while the NIST envisioned up to 6 generations in 2009! So… it’s a pretty old model.
IF ONE ORGANIZATION SUCCEEDS TO MAKE IT WITH RBAC
If one succeeds to implement this model, then it is possible to tell:
1. Who should have access to what by occupying a role that has to be mined with a half automated process that is pretty laboring and expensive,
2. Who has ‘’out role’’ entitlements to be terminated. Reviews of entitlements can be focused on ‘’Out roles’’ and even if they don’t understand the descriptions of authorizations, managers can take a decision.
HEAVY PREREQUISITES TO MAKE IT
LABOR, TIME AND CASH BECAUSE OF HEAVY PREREQUISITES
If one large organization is willing to satisfy the core prerequisite of these 2 solutions, it is necessary:
1. to spend 30 to 60 minutes for each department of an organization to mine User Roles and to associate a list of authorizations that are impossible to understand by any business analyst,
2. then spend about an hour with each manager to validate the roles and associated entitlements (impossible to understand by managers as well),
3. last but not least, implement the roles and lists of entitlements.
REAL USE CASE IN THE USA
Large organizations are totally unable to implement such an approach for following reasons:
1. ..X for example used SailPoint IQ and mined 1.500 roles instead of estimated 15.000 (low estimation),
2. ..X was unable to validate roles because managers could not understand labels of authorizations such as: ZZX00152, ZX215521, zz_top_group_senior,…
3. it would have been:
a. too long to make it for 126.000 employees / 10 team members in average = 12.600 work units located in about 100 countries * 30 minutes in average = 787 man days without vacations, travels, coordination!
b. too expensive:
i. 1 role analyst * 30 minutes in average * 80$ per hour * 12.600 units = 504.000$ for role mining only
ii. 1 role analyst + 1 manager * 220$ per hour * 12.600 units = 2.772 K$ for role validation
iii. Implementation of roles into IAM solution such as Oracle Identity Manager or IBM SIM is a technical thing that costs more…
IF ONE ORGANIZATION CANNOT MAKE IT BECAUSE MANAGERS DON’T UNDERSTAND WHAT MEANS ‘’ZX023455``
SailPoint and Oracle have nice features to add translations to entitlements.
The thing is that where you have several ten thousand labels to translate…
* it takes time and lots of $ before to deliver.
* People around a table will take time to come to a shared understanding (if they are very motivated)
IF ONE ORGANIZATION CANNOT MAKE IT BECAUSE IT’S IMPOSSIBLE TO TRANSLATE ‘’ZX023455``
* SailPoint proposes to use Risk Based approach and to add Risk Criteria to several ten thousands labels… (sic) to be considered from a Risk Standpoint…
* Oracle proposes to use indicators and requests and to let managers think about a decision to be taken thanks to dashboards and reports. Some kind of Business Intelligence.
WHAT IS THE OPTION?
1. ...X came to the conclusion that it was not possible to make it with SailPoint IQ alone. A custom algorithm is necessary to enhance SailPoint capabilities.
2. The Gartner Group exposed the issue for the last 3 years. Advanced analytics and Self Learning systems will make it.
3. We, at EasyPatternZ:
a. are the first to make it with Artificial Intelligence.
b. take about 5 seconds per work unit in average to deliver the answer to the question ‘’Who has access to what, why, whatever the circumstances’’ better and faster than any leader.
c. made it 3 times since 2013. The Federal Government of Canada will qualify it between April and July this year with 23.000 employees.
d. Are watched by USCIS.
My experience in IAM is with HPE Aruba ClearPass & Cisco ISE. A couple of other competing products, such as the ForeScout and Auconet products that were evaluated at a high level, but didn’t progress further.
I’m not at all familiar with Sailpoint IdentityIQ and Oracle Identity Governance and couldn’t provide any meaningful insight into either of them.
I am not an SC so my response is very salesy :).
Sailpiont is more of a next gen solution in the IAM space.
If an organization was a huge Oracle shop I would have them consider Oracle – if not I would be heading to Sailpoint.
*Sailpoint is as robust but does not have the legacy issues that Oracle has to deal with which makes it easier to implement/operate
Sailpoint will also be lower in price.
Basically the question is 'what will you achive ?'. I agree with the comment above, Oracle is known to have a high TCO due to complexity. The fact is also that Oracle claims to ease the end-user experience but this mean a mandatory extensive preparation in order to provide users with accurate and in context information. Sailpoint IIQ is probably easier to implement and indeed is efficient in respect of RBAC and ABAC or preferably some kind of hybrid modeling. Don't forget IAM needs a very good preparation (analysis, modeling, inventory, classification, process analysis etc.) From my experience, IIQ is able to respond to complex needs and is far cheaper than Oracle and this allows to invest in added value activities (extra licence). Sorry if this is not a factual response in terms of pros & conts between OIG and IIQ but IIQ is more affordable and from my point of view covers all needed capabilities to build a strong IAM solution.
I think at a high level, both are going to provide the same functions. You'll see the main differences in how one has to implement workflows, UIs, and rules. Where Oracle uses BPML, ADF and OES, respectively, SailPoint is more Java-centric, IMHO. I found OIG's SOD rule definition UI hard to use and some serious limitations in its hierarchal role model. I think SailPoint has surpassed OIG in its extensibility with the framework in its 7.0 release. I would definitely evaluate roadmap if you want to stay on-prem.