Symantec Identity Governance and Administration Reviews

We provide technical expertise for some of our clients. I've worked with thousands of clients.

I work with both small clients (1,000 users) and large clients (100,000 users). Our clients use this solution every day. With people constantly being hired and fired, user access is always being granted to new employees and taken from old employees. We use this solution to decipher and determine user access.

Our clients collect information surrounding the access that many of their users have. Different users are granted different access and rights. We have a process that monitors and plans user rights in accordance. From the information that we compile using this solution, we then release a report to the manager who then determines the type of access a user gets. 

It improves security. It's a very useful tool that has improved our client's security, from day one.  

This solution is very easy to use. Once it's been configured correctly, it's very easy to use, but it's not an easy tool to configure. Technically speaking, you need a lot of knowledge to make it run properly.

All software has room for improvement. There are some features that could be added to make it even more user-friendly.

Integration capabilities with other solutions and formats, including JSON, could be improved. Integration is not easy at all. 

I have been using Symantec Identity Governance and Administration since 2004.

The stability could be improved. It really comes down to proper monitoring — there are a lot of good replication processes behind the scenes. If there are problems with the monitoring, then there will be problems, stability-wise. 

On a scale from one to ten, scalability-wise, I would give this solution a rating of seven.

Personally, I don't think the technical support is very good. The technicians don't seem to have enough training and knowledge surrounding the solution — they don't have in-depth knowledge.

The installation is easy, but system integration for specific clients is very complex because each client has their own use case. You have to really understand what a client needs in their environment to master this solution. In short, installation is very easy but customization is not. 

In most cases, deployment takes roughly two to five days.

As the final decision comes down to our clients, they are the ones who evaluate other possible options.

I would recommend this solution, but only for small to medium-sized companies. It doesn't perform that well for large companies.

Overall, on a scale from one to ten, I would give Symantec Identity Governance and Administration a rating of seven.

The primary use we have for this product is dividing access into streams. We have to provide the client organization with group and directory structures. The technical part, or provisioning, always seems to be more of a problem because the client companies have some semi-manual processes that depend on human interaction. This is often for something like disabling users, creating new users or changing roles.  

Of course, provisioning takes a lot of time because it involves accurately defining and managing privileges. It includes accounting for all the access types from temporary access to agile access and also risk evaluation. All these things are often handled through a business process where a lot of the activity is done manually before a solution for automation — like CA Identity Manager — is in place. The agent for CA can handle criteria and rules and has templates for these activities. In short, it can handle these situations automatically starting from the HR Assistant included in the core suite to do recruitment or provisioning of users, and allowing basic access to things like email.  

Leveraging access depends on which group a user is in and which business rules should be applied. There are often a lot of access attempts on what should be restricted resources. The client has to provide the rules to define which users have access. If there is no rule in place the issue has to first be identified and then to go through a process of approval in an appropriate department. This may lead to a need to change the access process and maybe go back again to think further about the business rules. When all the right rules are in place the processing can be handled automatically by CA IDM.  

After you change something and test the process again, you can find that there are exceptions and we do not have all the rules in place to handle them. Then the identification and approval process needs to be adjusted on the system again. This, of course, is done with manager approval and the rules have to be examined. We need to repeat this process for the entire site. It is a business process improvement that takes time but will eventually save time by eliminating human intervention and errors.  

So the main use case is provisioning and access and implementation for security reasons. For example, if you request the use of an application and it is approved, the identity manager learns this and the user is then able to access this application.  

Out-of-the-box connectors have a lot of opportunities for configuration. The governance port and business rules are difficult. At a certain point, the product discovers dormant accounts because it monitors which accounts are active but which are not being used. So it will perform some service on these dormant accounts that are not active for six months or maybe never used before. This is a good feature. We also have a dynamic workflow, with approval stages which helps validate the ID.  

They have a form designer, which is good because you can create exactly what you want as far as access controls. They have value-added modules like the one they have for asset management. This means that when you are in the role of a manager in CA IDM, you are able to restrict access to certain types of laptops — maybe by mobile provider, maybe by core type. So if a user tries to access the system with an asset of a certain type, we can allow it. It is a value-add, not necessarily related to the user distinctly. But if you take it from the point of view of asset management, it also helps in tracking the assets, which is another interesting outcome.  

As far as improvements, the first thing I think CA needs to do is redesign the user interface. The functionality is good but the interface itself is not that user-friendly.  

I think also that there are some issues with the privileges of service accounts. For working with Oracle, we need some kind of service account with administrative privileges. Access works when we give the user account administrative privilege. But in some cases, particular access needs to work for user roles that have less than administrative privileges and these users and rules need to be stored in the database. I need the ability to directly configure users and rules store on databases.  

Maybe it is more complicated and related to Oracle services — I do not know the database side as well. But we need to read and write on the rules table and the users tables and store that data in the database.  

Otherwise, the product has good performance and it is a very capable solution. I can automate a lot of processes related to provisioning users and identity management, but the controls can be even more flexible with these few changes.  

The deployment cannot be pushed through the management console when you define the credentials for a user that can connect to the endpoint. It would be easier for deployment if the service could look at the endpoint or data center and detect what is needed to push this deployment based on the application version or based on whatever the operating system is. Things like that can make a difference at times.  

If they can customize by the customer, it means that if someone upgraded their environment, the client does not have to go back and request the version of an executable for a new OS. The result is that the correct executable will be deployed by the agent.  

The last time I used CA Identity Manager was in May of 2019. Actually I was not using the product, but I was working with it in implementation. My job sometimes gravitates to implementation in the form of policy implementation and technology implementation. In order to do implementation, I had to have a good knowledge of CA IDM technologies as far as the connectors, the components, and integration ports, et cetera.  

I was dealing with CA IDM for seven months. In the process, we had to go through the basic procurement, the deployment, the provisioning of the users, the integration of the second phase for the government and business rules, as well as other configurations. I have had to think through all of this with the available capabilities of the product and made sure everything would work. The last component that involved analytics was not something I was involved in. I did not work on that part, but I know the analytic features are good.   

My impression of the stability of CA IDM is that the product is very dependable. They have a good HA (High Availability) design and good DR (Disaster Recovery) for data transmission and security in all situations.  

The deployment is very good. After you set up a new component you just go to the console and access the component you need to make adjustments to it at the console. The high availability works on active-active so it does not require a switch automatically to the other component because they act simultaneously. And, of course, we can also work with active-passive mode if you make that choice.  

I am not sure that this type of node management is an advantage to most users or not because in IT management you may not need this type of high availability design depending on the industry. But the capability is there and it can add stability to the infrastructure.  

I did not specifically examine scalability during the implementation because I did not have the chance or the necessity. We were in the process of considering all that we needed and not what would happen if we needed to scale to expand the system. From what I remember, we also had plugins that we could have installed so maybe the availability of plugins is an example that it is scalable in the sense of functionality.  

But I think, with CA, that the scalability is fine and it is exactly what an organization will need as they grow. We are not involved in really scaling the product when we are deploying it.  

For availability, I think you can definitely scale up as much as you want because you deploy the clients and the endpoint or the console. So in this way scalability works from an availability standpoint.  

For scaling the functionality of the product itself, I think it will need some other kind of intervention or maybe new development. It depends on what you need and what they already have in the form of plugins. I know they have an API but we did not need to work with it for our purposes. With the API's you can extend the functionality outside the original identity.  

During the process with a particular client that I have in mind, we argued about the starting point for the verification and whether it should be the HR system or the identity. This is a business decision that has to comply with the rules and business processes as defined by the organization and any regulations that apply. The question has to be answered before a solution can be put in place. With this client, we agreed that the starting point was the HR system, and one of the proposed solutions was that the HR system would call an API to perform the provisioning for identity. That was one possible approach. The second approach to working with identity was to install an agent on the HR system that could be run on a schedule. This solution is what we settled on and we agreed that this would be scheduled to run once a day, which is more than enough for what they needed to accomplish.  

Because we chose the second approach we did not go for working with the APIs. The approach would be to run the process once a day on schedules like when most of the system resources would be in minimal demand — for example at the end of the workday. This would be done to check each employee for those that were added, transferred or changed privileges. And then an automated adjustment would be done for functionality and organization based on the established rules.  

This is the kind of flexibility you have in deciding processes for an enterprise business — even a very complex business with demanding requirements. It shows another type of scalability.  

I did not have a chance to contact support personally, so I can not talk about how my experience with them was from a personal point of view. However, the people on the team right now working on projects who have called support said they were helpful. They have a good understanding of the product and seemed to have a lot of experience. I do not know what kind of resolution the members of our team were looking for from the support people. It might have just been for more information or troubleshooting or some type of issue resolution. But our company has had experience with the CA technical support team and from what I know the experiences were good.  

The initial setup is not that difficult. We deployed the components and deployed the agents. This is just the basic framework.  

Our deployment took seven months because the design phase is very complicated. We need to collect information for the access matrix, we need to validate, and we need to do some kind of cleansing. So, it is a very intensive task. Mainly it is the design which takes most of the time, not the basic deployment. The difficulty is in the business logic, the business rules, and the cleansing of users.  

Working with the system is an ongoing process. When users request a type of access, there are only two paths. One of them is to grant access and the other is to deny access. For the denial, we may have to go through a long approval process which requires some justification for the requested access.  

The implementation team that we use is divided between different roles. It is not a very big team but it represents different functions in the operation. There are the technical people, the people responsible for identity management, those responsible for manual processes, the people responsible for revision to the business logic, the people responsible for validating the access matrix, the risk evaluation people, the IT people, the operations group, the compliance people, and, of course, HR. So we are talking about a sustainable team of maybe 12 people involved in the implementation activity, but up to as many as 20 may be needed for approvals or other consultation. A lot of parts of the company are involved with the implementation process and defining business rules, all for different reasons and functions.  

We are the ones who do the implementations, so we are the ones that others contact to perform this service.  

The advice I would give to others who are looking to implementing this product would be to define exactly what you need before the implementation of the solution. This is a key factor. If you need to change the deployment after it is deployed — such as the policies or structure — it is not a matter of just changing the configuration. It is more like you are starting from the beginning. If you have questions related to what needs to be addressed they need to be answered first. The way we deploy this is as a black box appliance. So it would be defined once. Even the IP cannot be changed. To make this type of change, it would have to be deployed again.  

The biggest lesson I have learned from working with Identity Manager is that despite the product you use, the implementation is a process. You have to understand the process to see what activities do not give you value and also what activities serve to complicate the process. If you take the easier route and work with the standard deployment as much as possible, it will be more secure and faster. You need to see everything as an activity. So despite the impact that the product has on working with identity management, it is a process because the result is not to be blamed on the product at the end.  

On a scale from one to ten where one is the worst and ten is the best, I would rate CA Identity Manager as an eight. To make this product closer to something like a ten they have to pay more attention to integrating with other solutions. Currently, CA is integrating is with CA products only. In some cases, there are categories that CA does not compete in, like Service Manager, so they should pay attention to out-of-the-box integrations with non-competing services.  

They definitely have a problem integrating with solutions that compete and this is really another problem. Really, this type of integration would allow users of their product to have more flexibility. They could choose their own solutions which may better fit their needs. In one instance, we had to end up using different solutions for managing internal personnel accounts and managing normal users. This is not convenient and can be expensive. So I think they have to be more open to broader integration and simplifying those processes.  

Our primary use case of this solution is for managing identities and environment controllers in order to make it more unified and standard. 

I like that it is easy to diagnose. It has a version of a virtual appliance so we can download it, run it, configure it, and it would take about 10 to 15 minutes to configure the cluster or so.

It's easy to deploy, it's two versions, the manual deployment version, if it can be prepared in clusters it'll take one or two days. But the software appliance will take from 15 to 20 minutes.

They should easier and better integration with other software. It's hard to create custom integration rules with other software, like Oracle. This needs to be improved to give the customer an easier way to integrate.

I have been using this solution for the past two to three years. 

It is stable. If I had to rate the stability from one to ten, I would give it an 8.5.

Technical support from CA is not very good. I would give them a seven out of ten for their assistance and their knowledge. They could use improvement. 

I would rate it an eight out of ten.

To make it a ten, it should have more remote capabilities. There should be better partnerships with remoting tools. They need more remote partners and better dashboards.

We use the private cloud deployment model of this solution. 

Word mining and risk campaigns are the most valuable features of this solution.

I would like to have differential campaigns. In the next release, there should be the provisioning of your certifications. When you remove access or grant extra access to someone, it would be good to have direct provisioning to different sources.

It's stable and runs well. 

Technical support is good and efficient. 

The initial setup was easy. Sometimes upgrades are a little bit complex. There are many components where you have to apply a patch to each component of the solution. For the installation, I would say it's a little bit complex. It's a little bit complex to set up but when it's okay, it runs fine.

My advice to someone implementing this solution is to take a few days to plan with professional services for the setup. 

I would rate it between a six and seven out of ten. Not a ten because of the complex setup and because we had some issues applying some patches. 

Ease of use for the configuration of provisioning accounts through an account template concept for an OOTB connector.

It does not requires an extensive programming or development background. The screen of the admin tool creates an account on the system to CA IAM, which provides it to the OOTB connector, then you can simply configure CA IAM to do the provisioning. CA IAM can help with the automation of user provisioning at the same level as the system admin. 

When comparing it to other products, you can set up CA IAM in a PoC very quickly to demonstrate its provisioning capabilities.

It fits for organizations having simple, basic provisioning requirements. If your organization has complex provisioning use cases and requirements, then you must have an architect and developer on the team to help bridge the gap that CA IAM cannot provide.

The product has a lot of need for improvement. Our issues are being raised back to the vendor as enhancements.

We have encountered issues with stability.

We have encountered issues with scalability.

Our experience with the technical support team is good. CA technical support is very keen to help their customers. 

Most issues are solved by the our team, but at least, their team has provided moral support to us.

We did previously use a different solution, and we switched for several reasons.

The initial setup can be both straightforward and complex. This is up to an organization's requirements of the CA Identity Manager solution.

This product is the same as other CA IDM product, which can help improve organizations, similar to the messaging on the product brochure.

In real life, it is up to the skill of the implementation team as to how they can configure the product to serve the business processes of the organization. The reason why some IDM projects have failed comes from implementation. The team must be good at the functional, technical, and designing of business processes. The product could be mediocre, but the implementation team must be top gun. Choose an implementation team wisely, especially when your requirements and processes are complex. A good product under a poor team cannot bring about the result seen on the product brochure.

The connector is free, and bundled with the product.

The product is considered good, in the top five. Looking at the product features carefully if your organization has complex provisioning requirements and business processes to find gaps.

Finally, always search for the best implementation team, who has skills and experience.

The primary uses cases are:
- The analysis of privileges to generate roles
- Revision of segregation of rights based on client rules
- Certification of privileges (compliance)
- Fulfill the cycle of existing privileges, under review / approval and delivery to the IM solution to materialize the changes and maintain the standard

In the processes where we need to analyze data, IG has enabled and facilitated the analysis of privileges, generation of roles to cover RBAC and integrate with the solution of Identity Manager, as well as the compliance aspect by the certification of privileges “Compliance”.

Additionally it helps us in analyzing predefined SoD rules for SAP and any others applications where the client defines their business policy rules.

• Identifies, debugs and models the privileges of your organization, adapting it to business strategies.
• Helps discover roles based on available patterns ("basic roles" / "Iterated Search" / "Characteristic Roles" / "Rule Hierarchies Roles" / "User Hierarchy Based Roles" / "Structured Search" / "Obvious Roles").
• Enables review campaigns to certify user privileges, roles and resources, activating the RACI model in the process.
• Identity Governance comes with Connector Xpress but if you have Identity Manager you can use the integration between them and import the information that comes from CA Identity Manager and its connectors.
• Allows the construction of segregation of rights (SoD) rules by definition of the client and enables “detective" and "corrective" levels for violations of business rules policies.
• Provides a set of SoD rules for SAP in order to apply "best practices" to this type of "endpoint" (more than 3,000 rules / Consult CA Technologies if available in last version).
• Helps to analyze privileges to find points of cleaning and improvement (Similar Roles / Roles Hierarchy / dual link / Suspect connections / Collectors, etc.).
• Regulatory compliance is one of the objectives of the solution.
• Covers the life cycle of enterprise privileges and maintains the role model "shallow" or "deep" / "functional" or "granular per application".
• Helps you take advantage of the Identity Governance on the portal but better if you integrate with Identity Suite (best user experience).
• You can enable LDAP authentication (AD/others) or integrate with CA Single Sign-On for portal access.
• Real integration between CA Identity Manager and CA Identity Governance for better use of compliance approved roles, data exchange, and improved customer experience.
• Data Transformation available using PDI (Pentaho Data Integration)
• New functionality when integrating with Identity Portal.

The administrative part is not very intuitive. Actually I think it is because it requires specialization and knowledge in what is done.

I found an option to import specific information, but the functionality was non-existent so they have to update the documentation or remove it from the menu (import from ITIM). Improve release updates when there is an obsolete function or it is not still supported.

No.

No.

When you open a ticket with priority-one, the technical support is excellent - 10/10. However, when the ticket is priority two, three, or four, then it's 7/10.

I did not use a previous different solution. 

The initial basic configuration is simple, but deploying the solution in greater depth and integration with high implementation reach requires expertise and certain complexities.

About prices when validated with other solutions where the "SAP" endpoint will be included, Identity Governance is a good option. But if you are going to integrate with Identity Manager it is better to acquire IDS, it will be more economical.

No.

Important to find someone with experience implementing this type of solution to ensure the success of its implementation.

We are using CA Identity Management product to provide an identity management service for the largest in the retail industry.

Performance is good, but the other side, the drawback with the CA Identity Manager is they don't have a connector to HR systems like SAP, or PeopleSoft, or Workday. That's a major drawback with the CA Identity Manager. For that we have to do lots of custom quoting to get data from HR systems.

The solution in which we have brought in CA Identity Manager, it is like combining multiple HR sources. It helps reduce thousands of hours of work.

Policy Xpress.

It needs to be connected to major HR systems. That is a major thing. And if they can connect it to GRC systems, that's good to have in an identity product.

Stability is very good. We have been using it the last three years. I haven't seen any issues.

I would evaluate them at five out of five. Every tech support guy who works at CA is good. I don't have any issues.

It was straightforward. Even when you're installing dependent software, like a database or something else, I consider it it straightforward.

When we are choosing a vendor we will go for whether they have the capability to connect to the target system. The basic feature would be connectivity. If the product doesn't have the capability to connect to that system, we will need to do something else to get or push this information to that system. Connectivity is the main thing.

I'd rate it seven out of 10. Those connectivity issues are the only reasons. Functionality-wise, it's good. The features that they have are good.

It has improved our user management. It is definitely streamlined.

Writing policies and provisioning are easy.

Policy writing and provisioning are easy, but should be improved. Provisioning has a dependency on Windows.

No, we have not.

No, we have not.

 I would say they are good, but there is always room to improve.

Yes, custom codes. It was not as reliable as CA Identity Manager.

It was complex with lots of requirements.

It is expensive, same as the other tools in the market.

I prefer Oracle Identity Manager, which is more stable. 

Get the latest version and good architecture before implementing the solution.

Managing identities at a financial services institution.

We're implementing it currently, so I have no real measure of how it's going to perform, but so far so good.

• Streamlines user access
• Consolidates applications
• Access in one place

User access control.

Customer reporting. One of the big things we had asked for is for the Identity tool to actually do more kinds of reporting for audit purposes. It doesn't really track any of the metrics that are useful to us, at this point.

Can't comment yet. Not up.

I've used Identity Manager before for a different client. The scalability is good.

Tech support is very good. We actually have a CA team onsite.

The client is using different solutions for different things. So they have instances of a number of different tools that have the same functionalities as CA, but for different items. So yes, they did have other solutions as well.

Most of the complexities are because of the business itself and the complexities that they have within their current infrastructure. The complexities are not really coming from CA's product.

I was not there when they made this selection. I'm sure they evaluated the normal ones, SailPoint, CA, Oracle.

It's early but so far I give it a seven out of 10. Most of the issues we've had with it are coming from business complexity rather than the product itself. The support's been good from CA.

In terms of advice to a colleague who is looking for a similar solution, that's difficult because I've done SalePoint and CA. It's up to them. It's based on the organization itself, so they have to do more evaluation than what I can provide for them. I'd recommend they do their research and pick what's best for them, but I'd say we have no problems with CA's software.

Provisioning. It has performed well.

It has been good to keep zero day. We have almost zero day provisioning, where the user shows up on the first day of work and he has the necessary access, birthright roles, and such. Therefore, there has been good, internal performance improvement and user experience.

It has good endpoint support and endpoint connectivity to different versioning endpoints.

Identity Manager has a lack of entitlement support, unlike other products that I have worked with. Other products have a focus on the entitlement that a user has, where you can pick and choose access as an entitlement, and add it to the user or remove from the user. With CA it is all role-based, that is kind of a sticking point with me, so we have to work around that.

It is pretty good. Relatively stable. We have definitely had some downtime, but overall it is good.

We just have a two node cluster, so we have not really scaled. However, I imagine it is easy enough to scale those nodes, so it is scalable since it is a clustered app.

Technical support is great.

The initial setup was very complex. The product is just basically a conglomerate of a bunch of other products that were bought and pieced together. So it is still my one main gripe of Identity Manager. It is too many moving pieces; too many parts that were kind of stuck together. It makes it very complex. 10 servers and 10 different apps running to make it happen, and it is only getting worse now that Identity Plural is on top, which is supposed to be making it better, but we will cross that bridge sometime next year.