Magic Quadrant for User Provisioning
 
15 August 2008

Earl Perkins, Perry Carpenter

Gartner RAS Core Research Note G00159740
 

User provisioning delivers capabilities to manage users' identities across systems, applications and resources. Driven by compliance (security effectiveness) and security efficiency, the market is maturing, but identity governance and role-based access concerns raise new issues for customers.





What You Need to Know



This document was revised on 26 August 2008. For more information, see the Corrections page on gartner.com.

User provisioning continues to mature, delivering value for business requirements to make identity-focused security operations more efficient, and to comply with business-driven regulatory and legal reporting and auditing. It is entering a critical phase as the market begins to consolidate and enterprises' expectations rise for enhanced capabilities in meeting business requirements and engaging the business to use business-aware features of user provisioning.

Large-scale, user-provisioning projects remain complex initiatives and require experienced integrators and skilled project management on the part of the enterprise to improve the chances of success. Success rates for major user-provisioning initiatives continue to improve, but significant concerns remain, particularly for earlier customers disillusioned by poor implementations or lowered expectations after deployment. Although some of these concerns are related to project definition, process-to-workflow shortcomings or target-system connector availability, lessons learned about "adjacent" solutions (such as role life cycle management and their potential positive impact) are useful.

When selecting a user-provisioning solution, customers should consider key differentiators that include (but are not limited to):

  • Price, including flexibility of pricing for deployment, maintenance and support programs
  • Consulting and integrator performance, which remains vital to success
  • Worldwide scope, depth, availability and extent of partnerships with consultants and system integrators to deliver the solution
  • Delivery time of projects that match the business plan
  • Ability to deliver subsidiary services that are not available in the core product through integrated features, custom development, or augmentation via partnerships or adjacent products (for example, role life cycle management, authorization management or federated provisioning)
  • Level and extent of experience by vendor and integrator of customer industry segment to deliver successful projects
  • Customer experience, including satisfaction with installed provisioning systems (that is, reference accounts)

Organizations must know which issues they are trying to address by deploying this technology. Thoroughly understanding the business issues and selecting the correct technology, project scoping and rigorous project management often prove to be the factors that help companies avoid a "quagmire" situation (see "Developing IAM Best Practices").

Role life cycle management is a prerequisite for many new user-provisioning initiatives, and should be considered (at a minimum) as a concurrent requirement during the evaluation process. Many enterprises that have already deployed user provisioning are discovering needs for role life cycle management. Ensure that the user-provisioning provider has a role life cycle management partner or comprehensive role life cycle management capabilities in its offerings. This ability will enhance user-provisioning integration to areas such as identity auditing; governance, risk and compliance management (GRCM); and authorization or entitlement management.

Ensure that planning for virtualization in the enterprise includes user provisioning, because it plays a key role for virtual machines (VMs); it provides account provisioning and auditing for partitions, hypervisors and VM monitors; and it enforces segregation of duties (SoD) for that environment.






Magic Quadrant



Figure 1. Magic Quadrant for User Provisioning


Source: Gartner (August 2008)
 



Market Overview

Identity and access management (IAM) is a set of processes and technologies to manage across multiple systems:

  • Users' identities — Each has an identifier and a set of attributes
  • Users' access — Interactions with information and other assets

User provisioning remains a key identity administration technology. User-provisioning tools also have some, or most, of the following functions:

  • Password management
  • Role life cycle management
  • User access administration
  • Resource access administration
  • Other credential management
  • Identity auditing, including SoD support

User provisioning is part of an overall IAM technology offering. The four major categories of IAM are:

  • Identity intelligence — Combines security information and event management (SIEM), SoD control and other monitoring tools to perform comprehensive activity, event and incident monitoring and reporting for auditing purposes.
  • Identity administration — Where user provisioning exists along with role life cycle management and other administrative tools to provide the basic administration capabilities for handling identities and access, which includes resource access administration. It is also focused on providing the necessary service management capabilities to administer and manage identities effectively, from workflow to delegation, and from self-service to connector management.
  • Identity verification — Focuses on identity proofing (that is, verifying identities, as well as authentication methods and infrastructure, various single sign-on [SSO] technologies, identity federation and personal identity frameworks).
  • Access management — Focuses on authorization or entitlements management, and delivers Web access management, operating system access management and content access management, as well as network access control capabilities. Access management is also involved in encryption, digital rights management and data loss prevention.

These categories are based on a foundation of directory and repository technologies that include enterprise directories, virtual directories and metadirectories. Underlying directory services with Microsoft Active Directory to Unix/Linux integration are supported by a number of standards, including Lightweight Directory Access Protocol and X.500.

User-provisioning solutions are the main engine for identity administration activities. Gartner ranks vendors in the Magic Quadrant based on product capability, market performance, customer experience and overall vision to determine which vendors are likely to:

  • Dominate sales and influence technology directions during the next one to two years.
  • Be visible among clients through several marketing and sales channels.
  • Generate the greatest number of information requests and contract reviews.
  • Account for the newest and most-updated installations.
  • Be the visionaries and standards bearers for the market.



Key Market Trends
  • Most vendors made progress in user-provisioning execution, showing improvements in features and functionality, marketing and sales execution, and expanding their customer base. Some vendors showed improvements in completeness of vision and customer experience, although less so than in 2007. Concerns remain in large-scale implementations regarding areas such as workflow and connector management, as well as project duration. This year's Magic Quadrant reflects a higher baseline, so vendors must improve their standing just to stay in the same Magic Quadrant position as in 2007.
  • Key changes for vendors in this research: HP has left the user-provisioning product business. BMC Software has refocused user provisioning as part of its "Business Service Management" (BSM) strategy and offering. M-Tech was acquired by Hitachi and renamed Hitachi ID. Omada A/S is a new vendor in the 2008 Magic Quadrant.
  • Although most vendors showed improvements in their Magic Quadrant scores, a few showed substantial progress (such as Oracle, Novell and Quest Software) because of notable improvements in product functionality, market share, partner alliances or combinations thereof.
  • Sun Microsystems slipped out of the No. 1 slot in the Leaders Quadrant, dropping to No. 3 because of more-aggressive competitor advances by Oracle and IBM Tivoli, rather than by any fundamental issues with its products or performance. Sun has, and retains, a strong history and presence in the market, and has addressed last year's concerns in areas such as organizational change impact.
  • Oracle assumes the No. 1 position primarily because of momentum from an aggressive marketing and sales program, linkage to other Oracle product lines (that is, licensing) and product improvements. IBM Tivoli retains the No. 2 slot because of its depth of service-based orientation toward delivery, mature product sets and feature innovations, particularly with the latest product release. IBM Tivoli, Oracle and Sun remain close in rating of overall feature-function capabilities, although there are some differences enhanced by good integrators.
  • Novell's position improved in the Leaders Quadrant based primarily on execution against a focused strategy of improving the customer experience, available integration partners, better and more-targeted marketing, and market growth through customer additions and competitor consolidation.
  • Courion remains in the Leaders Quadrant through an expanding customer base, partnering and innovation.
  • CA entered the Leaders Quadrant based on a more-coherent vision regarding its product sets in IAM and a revamped marketing and sales organization, but getting there cost the company time and momentum, which is reflected in its ability-to-execute scores. CA is better-positioned to compete and attract customers now, although some issues remain in areas such as Active Directory integration — an issue shared by several competitors.
  • Voelcker Informatik moved from the Niche Players Quadrant to the Visionaries Quadrant because of significant innovation in its vision and servicing of its clients. Sentillion and Fischer International remain in the Visionaries Quadrant due to similar capabilities. All three of these vendors have a relatively small customer base and limited abilities to deliver through worldwide channels, but they are doing some of the more-advanced work in user provisioning in technology and approach.
  • Microsoft has managed to hold its position in the Challengers Quadrant through custom engagements with strategic clients and price, although it remains cognizant of efforts by Quest Software and Omada in Microsoft-centric delivery solutions.
  • HP has exited the user-provisioning product business, remaining in consulting and integration. Novell has picked up the licensing for HP's products and provides a migration program for HP customers, although other competitors are offering similar programs. BMC Software is ceasing direct sales of its user-provisioning solution as a separate offering, choosing instead to offer it as part of the company's BSM product suite. This affects its ability to execute, which reflects in its Magic Quadrant position.
  • M-Tech was acquired by Hitachi and renamed Hitachi ID in 2Q08. Hitachi is (among other things) intent on expanding sales and marketing opportunities worldwide for the product set, and is starting that process.
  • Siemens and Beta Systems continue to execute well, albeit at a lower growth rate than other competitors. Both have experienced organizational restructuring that has affected their user-provisioning offerings since the 2007 Magic Quadrant.
  • Avatier, Bull Evidian and Quest showed improvement from 2007. Quest showed considerable improvement in execution and penetration of the Microsoft-dominant customer base. SAP continues to execute its strategy predominantly for SAP customers that have considerable investment in SAP offerings and a need for user provisioning. Avatier showed good progress in customer acquisition and feature improvements, and Bull Evidian showed good progress in name recognition and customer acquisition, particularly in Europe.
  • Omada is a new vendor to the 2008 Magic Quadrant. It is small but rapidly growing in the Microsoft-centric delivery space.
  • Most user-provisioning vendors reported healthy revenue increases since the 2007 Magic Quadrant, indicating a continued growth market (see Market Maturity section). Gartner expects user-provisioning revenue opportunities to continue growing through 2009 as the market matures and consolidates, with a peak occurring in 2010 as enterprises deploy new-generation solutions and upgrade existing deployments.
  • Compliance continues to be a significant driver for global corporations for user provisioning, although this depends on the relative size of the enterprise, the market segment and geography. Security efficiency for cost containment and service-level targeting remains a strong driver worldwide. Interest in user provisioning continues to increase in Europe, the Middle East and Africa (EMEA), the Asia/Pacific region and Latin America, while remaining constant in North America.
  • Significant contributors to the user-provisioning decision process in 2008 include:
    • Role life cycle management, which defines, engineers, maintains and reports on enterprise roles and rules as inputs to the provisioning process
    • GRCM support, driven primarily by enterprise application providers (such as SAP and Oracle) through ERP implementations and the need to support fine-grained authorization as part of the user-provisioning process
    • A desire to deliver an overall IAM governance program that identifies and supports the role of user provisioning in that program, and links it to information security policy and the establishment of controls
    • System integrator and/or consultant selection for project or program implementation
    • Privacy, which provides user control of what is provisioned and ensures that what is provisioned is adequately protected from a technical and regulatory perspective
    • Provisioning for card management tools as part of a security management environment
    • Identity audit and reporting (that is, the ability to report fully and accurately on the effects of user provisioning across the enterprise)
    • Specific industry segment strategies (for example, healthcare user-provisioning differentiation)
    • Specific industry segment size strategies (for example, small and midsize business [SMB] targeting)
  • Customers increasingly evaluate user-provisioning solutions as part of a broader IAM suite or portfolio, depending on their specific requirements. This creates additional challenges for user-provisioning vendors that do not offer a portfolio solution. So far, these vendors have offered sufficient innovation and differentiation to compete effectively with portfolio vendors, and have addressed enterprises not aggressively pursued by portfolio vendors (for example, SMBs, specifically in industries such as healthcare). This strategy will not be sustainable in the long term as portfolio vendors become flexible in component offerings and in addressing specific market segments. Constant innovation will not be enough as the market matures, because many enterprises will seek "safe" solutions (that is, solutions that are less likely to be compromised by acquisition or departure from the market).
  • At present, there are five vendors recognized as single providers of portfolios: Oracle, IBM Tivoli, Sun, Novell and CA. All five of these vendors are in the Leaders Quadrant.
  • Vendors with major product offerings other than user provisioning use comprehensive licensing with customers and partners as competitive leverage to create opportunities, particularly in displacement strategies. This will have as great an impact on the future of the user-provisioning market as product features or system integrator partnerships.
  • Some of the user-provisioning vendors are already selling their solutions to internal service providers, illustrating a design and configuration that would allow a managed or Internet-based service offering for user provisioning. Early indicators show that evaluations, particularly for SMBs, of user provisioning as part of broader software-as-a-service (SaaS) offerings are occurring in major service provider firms, although significant legal and logistical issues must be resolved before offering it as such.
  • Although technical improvements in user provisioning continue, project and program complexity for large implementations is proving to be a challenge for customers, resulting in potentially long planning and deployment periods. Two distinct types of user-provisioning vendors exist: those that can address large-scale requirements, and those that can address SMB (1,500 to 25,000 users) requirements. The first group can also address small installations, but choose the large business market as its target. This will change over time as SMB-centric, user-provisioning providers move up the market, and large-scale, user-provisioning providers move down the market.
  • User provisioning will play a key role in the virtualization movement. This is especially true of network-based appliances that, at one point, were separately managed machines, and are now consolidated into a single server, thereby potentially introducing SoD issues. Concerns such as the control of who can manage the virtual server host and each of the guest partitions will be critical, as will managing per-VM administrative accounts, protecting access to VM management tools and auditing all VM administrative activity.
  • The role of identity intelligence (SIEM) will continue to grow in user-provisioning solutions as security and network events are correlated with identity events to provide a full picture of the network.



Market Growth

User provisioning grew in terms of revenue at a global rate of 16.7% (see "Market Share: Security Software, Worldwide, 2007"). North America exhibited revenue growth of 13.2%, Western Europe 21.6%, the Asia/Pacific region 16.7% and Latin America 26.4%, which is strong performance across most geographies. North America accounted for 49.4% of 2007 market share, Western Europe 30.4%, the Asia/Pacific region 7.3% and Latin America 3%.

By specific vendor, user provisioning showed a 17.3% growth rate in total software revenue purchased (excluding services) from 2006 through 2007, from approximately $700 million to $820 million. Of this amount, CA has the largest part, at 14.6%, down 6.3% from 2006. This reflects the changes in marketing and sales that CA was experiencing during 2007, and the aggressive sales strategies by its competitors. Microsoft had the second largest, with 13%, due, in part, to its strategic alliances with specific integrators on key accounts for Microsoft Identity Integration Server (MIIS) and Identity Lifecycle Manager (ILM). Oracle is third, with 11.9%, which represents a 48% increase from 2006. Sun is a close fourth, with 11.8%, a 6% increase over 2006. Novell is fifth, at 9.6% market share, a growth of almost 13% from 2006, which underscores its improvements in marketing and partner relationships. IBM Tivoli is sixth, at 8.8% market share, and strong growth of almost 36% from 2006, representing the expansion of its channels and services, and competitiveness in marketing. The remaining vendors have relatively small market shares (below 4%), and growth rates vary among them. Courion's 4.5% drop in revenue from 2006 through 2007 is attributed to a change in the way that the company realizes revenue, not customer loss.

User provisioning is entering an early maturity cycle, with well-established vendors and well-defined IAM suites. Third-generation releases are now available, with most basic capabilities well-structured and configured. Gartner estimates that, as of mid-2008, approximately 20% to 25% of midsize to large enterprises worldwide, across all industries and sectors, have implemented some form of user provisioning. An additional 20% to 25% are evaluating potential solutions.

Structured and formal methods of planning and implementing user-provisioning solutions in enterprises remain elusive because of the quality of implementation. This is changing. The leading user-provisioning products are effective in 80% of situations presented by customers for the "basic" needs of provisioning, account workflow, identity storage, audit, reporting, and integration with existing platforms and the most-common applications. The problem remains in affecting implementation of properly defined business challenges that user provisioning must address. These include:

  • Using a decision framework for planning IAM that includes identifying, prioritizing and organizing key resources in the implementation process for user provisioning
  • Selecting an effective program partner (that is, consultant or system integrator) to lead the effort in a reasonable time frame, and one who understands the business issues of user provisioning and the technical implementation concerns required to be successful
  • Addressing issues related to role life cycle management for effective account user provisioning
  • Addressing critical issues in post-implementation customer environments related to fixes, integration or expansion

As a result of the estimated 20% of situations where user-provisioning implementations are less than effective, the user-provisioning Hype Cycle for 2008 shows a slight decrease in maturity on the curve. This is meant to reflect the lack of progress made in:

  • Adequately addressing the problems above
  • Providing robust role life cycle management capabilities working with the user-provisioning product in an integrated manner
  • Addressing the SMB market with a suite, portfolio and/or services option



Market Maturity

User provisioning has moved beyond just an IT project implementation issue to a business program concern, one that has broader implications across the enterprise or institution and requires cross-organization communication. Failure to address this is a primary inhibitor to established user-provisioning projects, and is the most-common cause of failure. Vendors that recognize this need and are able to effectively address it have been leaders in user provisioning and remain so. This remains a key decision criterion, with equal weighting for market share and revenue.

Role life cycle management addresses another user-provisioning concern. A comprehensive process for managing roles within an enterprise, it is considered an important element in user provisioning. Role life cycle management addresses user provisioning in four areas:

  • Definition: The development of an initial role framework enables an enterprise to begin the definition phase of roles. The information required to construct the framework will exist in several areas throughout the enterprise as line-of-business and functional role definitions.
  • Building: This includes the role mining, role discovery, entitlements discovery and role creation phases, which may require a tool or set of tools to enable an enterprise to build. Enterprises take the role and privileges framework already defined and, using a tool, perform correlation analyses that may deliver a recommended role set (sometimes called candidate roles) based on actual target entitlement assignments. These candidate roles may be vetted with business owners to create a set of roles that will subsequently be automated through user provisioning or through the role management tools.
  • Maintenance: In this phase, fine-tuning is done for the constructed roles, as well as ongoing changes through systems or controls. Regular review and approval are required during this phase for those changes. This step can be successfully executed most often if the enterprise is using automation; otherwise, the enterprise usually reverts back to a manual process that won't be used.
  • Compliance: The final life cycle phase involves verification, attestation (management's review and certification) and risk management steps for roles, supporting the growing proliferation of regulations and audits in that reports can be reviewed by management and auditors to ensure that the least privileges and SoDs are implemented.
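The building and compliance phases above, as an added example that is not taken from the Gartner note or from any vendor's product: a minimal role-mining pass that derives candidate roles from actual entitlement assignments and then checks them against SoD rules. The user names, entitlement strings and the SoD rule are constructed sample data, and pairwise set intersection is a simplified stand-in for the correlation analysis a role management tool performs.

```python
from itertools import combinations

# Constructed sample: user -> entitlements actually assigned on target systems.
ASSIGNMENTS = {
    "alice": {"erp:create_vendor", "erp:view_invoice", "ad:finance_share"},
    "bob": {"erp:create_vendor", "erp:view_invoice", "ad:finance_share"},
    "carol": {"erp:approve_payment", "erp:view_invoice", "ad:finance_share"},
    "dave": {"erp:approve_payment", "erp:view_invoice", "ad:finance_share"},
    "erin": {"erp:create_vendor", "erp:approve_payment",
             "erp:view_invoice", "ad:finance_share"},
    "frank": {"unix:sudo_db", "db:dba"},
}

# Constructed SoD policy: entitlements one person must not hold together.
SOD_RULES = [frozenset({"erp:create_vendor", "erp:approve_payment"})]


def mine_candidate_roles(assignments, min_users=2, min_entitlements=2):
    """Return {entitlement_set: sorted members} for sets shared by enough users.

    Candidates are each user's own entitlement set plus every pairwise
    intersection; a candidate is kept when at least min_users users hold
    all of its entitlements.
    """
    sets = [frozenset(e) for e in assignments.values()]
    candidates = set(sets)
    for a, b in combinations(sets, 2):
        candidates.add(a & b)
    roles = {}
    for cand in candidates:
        if len(cand) < min_entitlements:
            continue
        members = sorted(u for u, e in assignments.items() if cand <= e)
        if len(members) >= min_users:
            roles[cand] = members
    return roles


def sod_violations(entitlements, rules=SOD_RULES):
    """Return the SoD rules that are fully contained in one entitlement set."""
    held = set(entitlements)
    return [rule for rule in rules if rule <= held]


def users_violating_sod(assignments, rules=SOD_RULES):
    """Users whose current entitlements already break an SoD rule."""
    return sorted(u for u, e in assignments.items() if sod_violations(e, rules))


def conflicting_role_pairs(roles, rules=SOD_RULES):
    """Pairs of roles that are each clean but toxic when assigned together."""
    conflicts = set()
    for r1, r2 in combinations(roles, 2):
        if sod_violations(r1, rules) or sod_violations(r2, rules):
            continue  # a role that is toxic on its own is a separate finding
        if sod_violations(r1 | r2, rules):
            conflicts.add(frozenset({r1, r2}))
    return conflicts


def unexplained_entitlements(assignments, roles):
    """Entitlements per user that no candidate role accounts for.

    These are the exceptions to vet with business owners before the
    role set is automated through provisioning.
    """
    leftovers = {}
    for user, ents in assignments.items():
        covered = set()
        for role in roles:
            if role <= ents:
                covered |= role
        if ents - covered:
            leftovers[user] = ents - covered
    return leftovers


if __name__ == "__main__":
    roles = mine_candidate_roles(ASSIGNMENTS)
    for ents, members in sorted(roles.items(), key=lambda kv: -len(kv[1])):
        print(sorted(ents), "->", members)
    print("SoD violations today:", users_violating_sod(ASSIGNMENTS))
    for pair in conflicting_role_pairs(roles):
        print("mutually exclusive roles:", [sorted(r) for r in pair])
    print("unexplained:", unexplained_entitlements(ASSIGNMENTS, roles))
```

On this sample the two finance roles are each SoD-clean, yet the user who holds both is the one violation, which is why attestation has to review role combinations as well as individual role definitions.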

Previous user-provisioning projects did not adequately account for role life cycle management. As such, new vendors in the IAM market have been introduced to supplement the user-provisioning process to ensure that this customer requirement is addressed. Some user-provisioning vendors have role life cycle management functionality as part of their portfolio. The use of such tools is projected to reduce the manual workload related to role discovery and mapping by up to 40% to 55%.

A third area of growing maturity is user-provisioning auditing and reporting. As compliance and regulatory needs grow more specific and are better defined, identity audit reporting continues to evolve (as separate products and as functionality included with user-provisioning products) to address the specific needs of the world user-provisioning community. This remains an ongoing process.




Characteristics of a Leading Vendor

Although the user-provisioning market is maturing and vendors from any of the quadrants could potentially address your needs as a customer, particular characteristics of a good candidate vendor exist on every occasion:

  • Good partners: Good user-provisioning vendors have good implementation partners, those with proven histories of performance, and the ability to understand and address customer industry requirements that are affected by business segment differences, region and size. Some vendors have direct integration experience, and industry expertise is a requirement.
  • The ability to define deliverables, phases of the project, metrics and an "end state": When embarking on an initiative as potentially complex as user provisioning, it is critical that the program be defined with metrics that can be measured, and with projects that have an end. Many earlier user-provisioning experiences have lasted years because of the inability to know when the end has been reached (or even what the goal of "Phase 1" is). There must be an end to a business-critical implementation project (such as IAM), or at least those phases of technology and process implementation, to enable the ongoing program to continue.
  • Coupling and uncoupling the suite: A world-class, user-provisioning vendor should be able to sell you only user provisioning and the associated user-provisioning services (for example, identity audit and reporting, or workflow) without requiring you to buy the entire IAM system that they sell. Integration is a good thing, but not when it is so tightly integrated that uncoupling it later on to purchase a complementary tool is impossible. This represents aggressive competition with pure-play, user-provisioning providers.
  • Solution selling vs. making it fit: A leading vendor will provide user provisioning as part of a packaged solution tailored to your stated requirements, rather than forcing your requirements to fit the product. The corollary of this is that you must have a clear and comprehensive requirements definition before any formal evaluation of specific tools. Although there must always be some practical compromise, mature best-in-class solutions can look more like your business requirements, rather than a vendor's technical specifications.
  • Modularity: Mature user-provisioning products show an awareness of enterprise architectures and the role of the product within them. These products also have quicker turnaround in feature and version release, because the product design allows smoother updates and follows a secure system development methodology. Mature product vendors in user provisioning show an awareness of the requirements for service-centric infrastructures, and move to accommodate them with service-centric solutions where possible.
  • The post-implementation experience: User provisioning is a well-established market. As such, user-provisioning products should reflect those signs of maturity. If customers are unhappy and seek replacement solutions, there are serious issues with planning and requirements. The post-implementation experience, as a new customer and as an upgrade customer, will say a lot about world-class, user-provisioning vendors in this market.

This is not an exhaustive list, merely a representative one. It is relatively independent of vendor size or industry range in the user-provisioning market, and can provide an opportunity for even the smallest vendor to excel in a comparative view of customer experience.




User Provisioning as Part of a Suite/Portfolio vs. Pure-Play Product

Situations where customers might choose a user-provisioning suite vendor over a point vendor include:

  • Customers constrained by the number of vendors whom they can choose, particularly for a multitool IAM solution — of which user provisioning is one
  • An application or infrastructure requirement that specifies the product suite as optimal for integration with that application or infrastructure
  • A licensing or cost advantage achieved by owning products or using services from the suite or portfolio vendor
  • An agreement with a provider of outsourced services to a client where a consolidated contract with a preferred vendor is more acceptable

Situations where customers might choose a pure-play, user-provisioning vendor over a suite or portfolio vendor include:

  • Policy-driven or IT concerns regarding vendor lock-in (that is, a "monoculture" for IAM solutions)
  • Customers already have solutions for access management or component identity management solutions from a vendor whose user-provisioning solution does not meet their requirements
  • Cost, time of implementation or industry-specific options

Although it's possible, for example, to choose a user-provisioning product from one suite/portfolio vendor even if you have an access management product from another vendor (pure play or suite/portfolio), this practice is occurring less often for a number of reasons:

  • Aggressive licensing often makes the provisioning solution from the same vendor as access management more desirable from a cost perspective.
  • Shared maintenance from the same suite vendor is often less expensive, and easier to manage and receive.
  • The growing maturity of the IAM market is equalizing many of the basic function and feature sets of the individual point solutions. It is also lessening differentiation and negating some of the best-of-breed arguments that are technically based.

However, marketing adjacent products does not constitute integration. It must be demonstrated with real and legitimate levels of cooperation and mutual support between portfolio components.

Ironically, recent events in acquiring role life cycle management solutions run against the suite/portfolio practice. Because role life cycle management is in an earlier maturity phase than user provisioning, it is not uncommon to have a role solution from a pure-play provider or even one from a suite/portfolio provider. This will change as suite/portfolio vendors gradually incorporate role life cycle management capabilities, whether by design or by acquisition. Earlier editions of access management remain well-entrenched as well, and make it difficult to provide a suite/portfolio solution if that vendor cannot provide for the user-provisioning requirements of that customer.

For 2007, the average ratio of consulting/integration to product licensing costs was approximately 3 to 1. For some vendors and implementations, it was as high as 5 to 1, but in others, particularly pure-play vendors (where the scope of effort may be smaller if user-provisioning alone is addressed), the ratio approached 2 to 1 or even 1 to 1. The goal for vendors (and integrators) is to have as low a ratio as possible. As the market continues to mature and more-preconfigured packages are available, this is possible even for larger portfolio vendors.




Market Definition/Description

User-provisioning solutions address an enterprise's need to create, modify, disable and delete identity objects across heterogeneous IT system infrastructure, including operating systems, databases, directories, business applications and security systems. Those objects include:

  • User accounts associated with each user
  • Authentication credentials — typically for information system access, and then most often just passwords, but sometimes for physical access control
  • Roles — business level, provisioning level, line-of-business level
  • Entitlements (for example, assigned via roles, groups or explicitly to the user ID at the target system level)
    • Managing group membership or role assignments from which entitlements may flow
    • Managing explicit entitlements
  • User profile attributes (for example, name, address, phone number, title and department)
  • Access policy/rule sets (for example, time-of-day restrictions, password management policies, how business relationships define users' access resources and SoD)

Key activities that are required for a successful identity management process include ensuring that a complete audit trail of administration activities for these objects exists, and reporting on these activities for compliance purposes — regulatory, internal and business relationship.

Gartner distinguishes user provisioning from identity management in that user-provisioning products are a subset of identity management products. All user-provisioning products offer the following capabilities for heterogeneous IT infrastructures:

  • Automated adds/changes/deletes of user IDs at the target system
  • Password management functionality (for example, simplified help desk password reset, self-service password reset and password synchronization, including bidirectional synchronization [sold as a separate product by some user-provisioning vendors because they had their start there])
  • Delegated administration of the user-provisioning system
  • Self-service request initiation
  • Role-based provisioning through capabilities provided by role life cycle management features or partners
  • Workflow — provisioning and approval
  • HR application support for workforce change triggers to the user-provisioning product
  • Reporting of the roles assigned to each user and the entitlements that each user has
  • Event logging for administrative activities

A comprehensive user-provisioning solution has the following additional capabilities:

  • SoD: Enterprises need to automate and manage application-level business policies and rules to identify SoD violations. They also need to quickly remove those violations from the application environment and ensure that new SoD violations are not introduced in the course of the ongoing management and identity administration of the application. Today, SoD tools exist primarily for ERP applications — ERP-specific, transaction-level knowledge is required to successfully enforce SoD in these environments. However, a generic SoD framework is required to address all SoD application needs in the enterprise. Typically, a role is used as the container to segregate conflicting business policies in the application environment. Many user-provisioning vendors deliver capabilities for this heterogeneous framework. This generic framework does not remove the need for an ERP-specific SoD product, because those tools have extensive integration with ERP applications. User-provisioning vendors will continue to partner with ERP vendors to deliver complete SoD solutions.
  • Role life cycle management: Regulatory compliance initiatives are directing IAM efforts back to the role development drawing board. The role becomes a very important control point that enterprises need to manage in a life cycle manner — just as they do an identity. Enterprises need the ability to automate processes to:
    • Define existing roles through role-mining automation.
    • Manage formal and informal business-level roles for any view of the enterprise (for example, location, department, country, functional responsibility and so on), and feed user-provisioning products to ensure that the link is made between the business role and associated IT roles.
    • Establish a process by which new roles being developed in the enterprise follow the same management process used for existing roles, and tie those new roles to the automated role life cycle management solution.
    • Deliver a generic framework to address all role life cycle management needs. Most user-provisioning vendors are partnering with role life cycle management vendors, acquiring them or building that expertise with the user-provisioning solution.
    • Manage the role through its entire life cycle — role owner, role changes, role review, role assignment, role retirement — and role-based reporting options.
  • Identity-auditing reports: Meeting regulatory compliance requirements of reporting on SoDs, roles, "who has access to what," "who did what" and "who approved and reviewed what" (referred to as "the attestation process," in auditing terms) for all IT resources is complex and expensive in the heterogeneous IT infrastructure. Reporting tools need to be in place that leverage the user-provisioning authoritative repository and all other repositories used for the authentication and authorization process to produce SoD, role, "who has access to what," and "who approved and reviewed what" reports that include the entire enterprise's IT assets. In addition, centralized event logs for all identity management activities — those from the user-provisioning and access management products, as well as all systems where authentication and authorization decisions are being made in real time — are needed to do a proper job of reporting "who did what." A new market called "identity auditing" is evolving; it addresses just the reporting needs of the enterprise. In this Magic Quadrant, we will evaluate the partnership that user-provisioning vendors are forging with this new market.
  • Resource access administration: Not every enterprise manages access by roles, nor is it advisable to always do so. Rather, access must be administered at the system/entitlement level for many users. Today's user-provisioning products only provision users to existing roles/groups in a supported system; they do not go deep enough into each system to create and administer roles/groups and associated privileges, nor do they explicitly assign privileges to a user outside the role/group structure. User-provisioning products also do not deliver an end-user or system view of IT resources and associated privileges. To do so, user-provisioning products need the view of the IT resource; system-specific knowledge built into their connector portfolio to administer and manage roles, groups and privileges; and a relationship between the identity and the IT resource to produce the required views. Today, these two functions are delivered via native system-level tools. The platform where most resource access administration capability is needed is Active Directory in Microsoft Windows. In addition, various mainframe-based Resource Access Control Facility (RACF) administrative tools enable you to provide resource access administration, administering access at the entitlement level in RACF (with greater ease than using native RACF commands and Interactive System Productivity Facility panels). Some user-provisioning vendors have resource access administration capabilities; others are partnering with Microsoft-specific vendors, such as Quest Software and NetPro, to deliver resource access administration capabilities.
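
The SoD and identity-auditing capabilities listed above can be sketched as follows. This is an added example, not taken from this research note or from any vendor's product; the role names, entitlement strings, rule IDs and users are constructed for illustration. It resolves "who has access to what" across role-based and explicit entitlements, reports existing SoD violations with their sources, checks a role request before it is granted, and flags roles that bundle conflicting entitlements.

```python
"""SoD checks over role-based and explicit entitlements (all data constructed)."""

# Constructed role catalogue: each role is a container of entitlements.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:vendor.create", "erp:invoice.enter"},
    "ap_approver": {"erp:payment.approve"},
    "hr_admin": {"hr:employee.update"},
    "payroll_run": {"hr:payroll.execute"},
}

# Constructed SoD rules: two entitlements no single identity may hold together.
SOD_RULES = {
    "R1": ("erp:vendor.create", "erp:payment.approve"),
    "R2": ("hr:employee.update", "hr:payroll.execute"),
}

# Constructed identities: roles plus entitlements assigned outside any role.
USERS = {
    "alice": {"roles": {"ap_clerk"}, "explicit": set()},
    "bob": {"roles": {"ap_clerk", "ap_approver"}, "explicit": set()},
    "carol": {"roles": {"hr_admin"}, "explicit": {"hr:payroll.execute"}},
}


def effective_access(user):
    """'Who has access to what': map each entitlement to the sources granting it."""
    sources = {}
    for role in user["roles"]:
        for ent in ROLE_ENTITLEMENTS[role]:
            sources.setdefault(ent, set()).add("role:" + role)
    for ent in user["explicit"]:
        sources.setdefault(ent, set()).add("explicit")
    return {ent: sorted(src) for ent, src in sources.items()}


def sod_violations(user):
    """Return (rule_id, sources_of_first, sources_of_second) for each broken rule."""
    access = effective_access(user)
    found = []
    for rule_id, (first, second) in sorted(SOD_RULES.items()):
        if first in access and second in access:
            found.append((rule_id, access[first], access[second]))
    return found


def audit(users):
    """Detective control: every identity that currently violates an SoD rule."""
    report = {}
    for uid in sorted(users):
        violations = sod_violations(users[uid])
        if violations:
            report[uid] = violations
    return report


def check_role_request(user, role):
    """Preventive control: violations that granting `role` would newly introduce."""
    if role not in ROLE_ENTITLEMENTS:
        raise KeyError("unknown role: " + role)
    already_broken = {v[0] for v in sod_violations(user)}
    proposed = {"roles": user["roles"] | {role}, "explicit": user["explicit"]}
    return [v for v in sod_violations(proposed) if v[0] not in already_broken]


def role_design_conflicts(catalogue):
    """Roles that cannot act as an SoD container because they bundle both sides."""
    conflicts = []
    for role, ents in sorted(catalogue.items()):
        for rule_id, (first, second) in sorted(SOD_RULES.items()):
            if first in ents and second in ents:
                conflicts.append((role, rule_id))
    return conflicts


if __name__ == "__main__":
    for uid, violations in audit(USERS).items():
        for rule_id, src_a, src_b in violations:
            print(uid, rule_id, src_a, src_b)
    print("alice + ap_approver:", check_role_request(USERS["alice"], "ap_approver"))
```

Carol's violation comes from an entitlement assigned outside the role structure, which is why the check resolves effective access instead of comparing role names only.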

No user-provisioning vendor provides all the identity management capabilities noted above. For most enterprises, additional products are required to do a complete IAM job. SIEM tools can be used for "who did what" reporting at the event level, with granularity by time of day, geography, network port and other details.

This update to the user-provisioning Magic Quadrant includes an additional focus on ease of deployment, ongoing operations, and maintenance and vendor management. It also puts additional emphasis on marketing vision and execution and evaluates sales and advertising execution as part of the overall experience:

  • How do the user-provisioning vendors deliver core user-provisioning capabilities as an enterprise management system in support of an ongoing, changing business environment? Similar to the 2007 Magic Quadrant, in 2008, we evaluate how easy it is to change and maintain workflow and connectors, but we will also be evaluating software services (scripts) and other functionality, such as integrating the user-provisioning product with the HR application, and building the authoritative repository.
  • Because user provisioning is a maturing market, we will also evaluate vendors' marketing and sales effectiveness, in terms of market understanding, strategy, communications and execution. We will evaluate a vendor's organization for such services, its ability to change to reflect customer demands and its overall success as measured by customers.



Inclusion and Exclusion Criteria

Inclusion Criteria

User-provisioning vendors are considered for the 2008 Magic Quadrant under the following conditions:

  • Support for minimum, core user-provisioning capabilities across a heterogeneous IT infrastructure:
    • Automated adds/changes/deletes of user IDs at the target system
    • Password management functionality
    • Delegated administration
    • Self-service request initiation
    • Role-based provisioning supported by role life cycle management
    • Workflow provisioning and approval
    • HR application support for workforce change triggers to the user-provisioning product
    • Reporting the roles assigned to each user and the entitlements that each user has
    • An event log for administrative activities
  • Products must be deployed in customer production environments, and customer references must be available
  • Gartner considers that aspects of the companies' products, execution or vision are noteworthy.



Exclusion Criteria

User-provisioning vendors that are not included in this Magic Quadrant may have been excluded for one or more of the following reasons:

  • Was invited to participate but did not reply to our request for information
  • Did not meet the inclusion criteria
  • Supplied user-provisioning capabilities for only one specific target system (for example, Windows, iSeries and so on)
  • Had minimal or negligible apparent market share among Gartner clients, or no shipping products
  • Was not the original manufacturer of a user-provisioning product — this includes value-added resellers (VARs) that repackage user-provisioning products that would qualify from their original manufacturers; other software vendors that sell IAM-related products but don't have a user-provisioning product of their own; and external service providers that provide managed services (for example, data center operations outsourcing)



Added

Omada




Dropped

Vendors Dropped or That Withdrew From Market

HP




Other Vendors of Note

Econet: www.econet.de

Based in Munich, Germany since 1994, Econet entered the user-provisioning market in early 2006 with cMatrix — a service management, service-oriented offering targeted to service providers primarily in EMEA. In many respects, Econet's marketing and sales model is very similar to that of Fischer International. Early clients include Siemens and KPMG.

Fox Technologies: www.foxt.com

A Mountain View, California company, Fox Technologies has products that focus primarily on access control and service account management. However, BoKS Access Control for Applications addresses basic elements of password management, account administration (including basic provisioning) and audit reporting as part of an IAM package, including SoD enforcement, monitoring and reporting.

Based in Asnières-sur-Seine, France (a suburb of Paris), Ilex provides three major products: Sign&go (Web and enterprise SSO [ESSO]), Meibo (workflow, basic provisioning and some role management) and Meibo People Pack (extended reporting and audit for provisioning). Founded in 1989, Ilex has accumulated more than 50 customers since that time, predominantly in France. With features such as Service Provisioning Markup Language (SPML) support, a simple design and user experience interface, and good connector kits for provisioning and SSO, Ilex is able to compete in a number of banking/finance, telecommunications and transport industry segments with larger competitors.

Imanami: www.imanami.com

Based in Livermore, California, Imanami's Directory Transformation Manager v3.0 serves as a data synchronization engine for an Active Directory environment through custom scripting, enabling Microsoft-centric enterprises to leverage their infrastructure to some extent. Clients include AT&T (formerly Cingular Wireless) and Mervyn's.

Institute for System Management (ISM): www.secu-sys.com

Based in Rostock (near Berlin), Germany, ISM is a small company focused on German-speaking country markets for its product bi-Cube for provisioning, SSO, and process and role life cycle management. Privately funded, this 10-year-old enterprise takes a process-centric, business intelligence focus to delivering a series of preconfigured process and configuration modules (cubes) that can be linked together to provide user provisioning and role life cycle management functionality. It has a small customer base in Germany, Austria and Spain in large industries such as telecommunications and insurance. ISM continues to refine the modules to form a more-standardized user-provisioning and process management product offering.

With headquarters in Phoenix, Arizona, and offices in other parts of the world, NetPro entered the user-provisioning market in late 2007 as a natural move from its core management and compliance services for Microsoft-centric systems, including Active Directory and Exchange. Building on MissionControl for MIIS and ILM, Access Manager provides basic access and user-provisioning capabilities as part of its total feature set. Given current trends and conditions, we believe that NetPro will become a formal part of the user-provisioning study in 2009.




Evaluation Criteria

Ability to Execute

Gartner evaluates technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision. For user provisioning, ability to execute hinges on key evaluation criteria. The specific definitions of those criteria are as follows:

Product/Service: Core goods and services offered by the technology provider that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Specific subcriteria are:

  • Password management, including shared-account/service-account password management support
  • User account management/role-based provisioning
  • Management of identities
  • Workflow: Persistent state, nested workflows, subworkflows, templates of common user-provisioning activities and change management
  • Identity auditing reports
  • Connector management
  • Integration with other IAM components
  • User interfaces
  • Configure, deploy and operate
  • Role life cycle management
  • Resource access administration
  • Impact analysis modeling for change
  • SPML 2.0 support

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health; the financial and practical success of the business unit; and the likelihood of the individual business unit to continue to invest in the product, continue offering the product and continue advancing the state-of-the-art in the organization's portfolio of products. Specific subcriteria are:

  • History of investment in division
  • Contribution of user provisioning to revenue growth

Sales Execution/Pricing: The technology providers' capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel. Specific subcriteria are:

  • Pricing
  • Market share
  • Additional purchases (for example, relational database management system, application server, Web server and so on)

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider's history of responsiveness. Specific subcriteria are:

  • Product release cycle
  • Timing
  • Take-aways

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities. Specific subcriteria are:

  • Integrated communication execution
  • Customer perception measurement

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, service-level agreements and so on. Specific subcriteria are:

  • Customer support programs
  • Service-level agreements

Operations: The organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Specific subcriteria are:

  • Training and recruitment
  • Number of major reorganizations during the past 12 months

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                     Weighting
Product/Service                                                         high
Overall Viability (Business Unit, Financial, Strategy, Organization)    standard
Sales Execution/Pricing                                                 standard
Market Responsiveness and Track Record                                  high
Marketing Execution                                                     high
Customer Experience                                                     high
Operations                                                              standard

Source: Gartner

 




Completeness of Vision

Gartner evaluates technology providers on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs, and competitive forces and how well they map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider. For user provisioning, completeness of vision hinges on key evaluation criteria. Those criteria are defined as follows:

Market Understanding: Ability of the technology provider to understand buyers' needs and translate these needs into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those wants with their added vision. Specific subcriteria are:

  • Market research delivery
  • Product development
  • Agility to market change

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements. Specific subcriteria are:

  • Integrated communications planning
  • Advertising planning

Sales Strategy: The strategy for selling products using the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Specific subcriteria are:

  • Business development
  • Partnerships with system integrators
  • Channel execution

Offering (Product) Strategy: A technology provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology, and feature set as they map to current and future requirements. Specific subcriteria are:

  • Product theme(s)
  • Foundational or platform differentiation

Business Model: The soundness and logic of a technology provider's underlying business proposition. Specific subcriteria are:

  • Track record of growth
  • Frequency of restructuring
  • Consistency with other product lines

Vertical/Industry Strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Subcriteria are:

  • SMB support
  • Industry-specific support

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Specific subcriteria are:

  • Distinct differentiation in features or services
  • Synergy from multiple acquisitions or focused investment
  • Role life cycle management (discovery, modeling, mining, maintenance, certification and reporting)
  • Service-oriented provisioning

Geographic Strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Specific subcriteria are:

  • Home market
  • International distribution

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria            Weighting
Market Understanding           standard
Marketing Strategy             high
Sales Strategy                 high
Offering (Product) Strategy    standard
Business Model                 standard
Vertical/Industry Strategy     high
Innovation                     high
Geographic Strategy            standard

Source: Gartner

 




Leaders

Leaders are high-momentum vendors (based on sales, world presence and "mind share" growth) with evident track records in user provisioning across most, if not all, market segments. Business investments position them well for the future. Leaders demonstrate balanced progress and effort in execution and vision categories. Their actions raise the competitive bar for all products in the market. They can and often do change the course of the industry. It cannot be emphasized enough that leaders should not be default choices for every buyer; as such, clients are warned not to assume that they should buy only from the Leaders Quadrant. Indeed, leaders may not necessarily offer the best products for every customer project. They provide solutions that offer relatively lower risk and provide effective integration with their own solutions as well as competitors. Every vendor included in this Magic Quadrant is here because they meet legitimate business/company needs.

Oracle, IBM Tivoli and Sun continue to dominate the user-provisioning market in presence and relative market share, with Novell and CA also representing significant presences. Courion is the only pure-play provider in the Leaders Quadrant. Fulfilling 2007's prediction, Oracle's aggressive growth in total customers as well as market presence, its linkage of user provisioning to a broader services model, and integration with existing Oracle solutions in database and application platforms have all provided fulfillment of opportunities for the vendor. IBM Tivoli has continued to innovate across its broad security offerings, incorporating compliance and SIEM capabilities as part of a broad strategy for visibility into infrastructure and services, seeking to control and automate those areas for the customer. Sun, as one of the mature user-provisioning providers in the market, continues to expand and improve its offering, and exploit established relationships in its consulting and integration network. Novell continues to show that it is an aggressive and viable competitor in the leaders category through strategic marketing moves, leading product capabilities, continued leadership focus, and an improved integration and consulting partner list. Courion's continued innovation in "next stage" provisioning and role life cycle management, coupled with a loyal customer base and high track record for success, helps it earn its leadership status, although the company's market share is increasingly challenged by competitors.




Challengers

Challengers have solid, reliable products that address the needs of the user-provisioning market, with strong sales, visibility and clout that add up to higher execution than niche players. Challengers are good at winning contracts, but they do so by competing on basic functions or geographic presence rather than specifically on advanced features. Challengers are efficient and expedient choices for more-focused access problems or for logical partnerships. Many clients consider challengers to be good alternatives to niche players, or occasionally even leaders, depending on the specific geography or industry. They are not second-place vendors to leaders and should not be considered as such in evaluations.

Challengers in this Magic Quadrant all have strong product capabilities, but often have fewer production deployments than leaders. Business models vary, as does overall product strength, marketing strategy and business partnerships. This has kept some from moving to the Leaders Quadrant.

European provider Siemens has made some progress in user provisioning as a challenger, but has undergone significant organizational changes during this time that affect its ability to execute during the transition. Beta Systems has undergone significant organizational change as well. BMC has dropped in ability to execute because it's adopting a more integrated selling strategy for its user-provisioning offering and incorporating it into the company's broader BSM strategy. BMC's vision rating, however, has improved some with this mature approach. Microsoft's rating reflects some improvement in its vision and consistent execution through partners, but remains more of a custom solution than many of its competitors (for example, Microsoft IAM solutions require significant customization by integrators).




Visionaries

Visionaries are distinguished by technical and/or product innovation, but they have not yet achieved the record of execution in the user-provisioning market that would give them the high visibility of leaders, or they lack the corporate resources of challengers. Buyers should be wary of a strategic reliance on these vendors and should monitor the vendors' viability closely. Given the maturity of this market, visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of visionary vendors. As such, these vendors represent a higher risk of business disruptions.

Visionaries invest in the leading-edge features that will be significant in the next generation of products, and that will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver challengers and leaders. Clients pick visionaries for best-of-breed features, and in the case of small vendors, they may enjoy more-personal attention.

In this Magic Quadrant, Sentillion and Fischer continue to provide leading-edge capabilities in healthcare and service provider markets, respectively, showing innovation and vision in technology, as well as market execution, albeit on a small scale because of their scope and breadth. Their attention to innovation and customer experience is more mature than other competitors. A new entrant into the Visionaries Quadrant is Voelcker Informatik. This 14-year-old, German-based company consistently provides a combination of innovative architecture and features, as well as a high-touch customer model, to deliver a number of quality, low-maintenance solutions.




Niche Players

Niche players offer viable, dependable solutions that meet the needs of buyers, especially in a particular industry, platform focus or geographic region, but they sometimes lack the comprehensive features of leaders or the market presence and/or resources of challengers. Niche players are less likely to appear on shortlists, but fare well when given a chance. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders.

Niche players may address subsets of the overall market, and often do so more efficiently than leaders. Clients tend to pick niche players when stability and focus on a few important functions and features are more important than a "wide and long" road map. Customers that are aligned with the focus of a niche vendor often find such providers' offerings to be "best of need" solutions.

Avatier continues to provide consistent leadership in midmarket and Windows-centric areas, with some larger account wins to its credit as well. Good password management, rapid deployment and customer experience remain key differentiators that keep Avatier a viable player in the user-provisioning market.

Bull Evidian's provisioning solution has adherents in EMEA, and addresses password and access management as a first priority, although the solution provides user provisioning and some role management functionality. Evidian's position as a niche player is primarily because of its geographic coverage and need for expanded administrator features.

Quest Software has shown significant improvement in the market since its introduction of ActiveRoles in 2006. Quest is a well-known Microsoft Windows, application and database management company, and its ActiveRoles solution is a relatively new, focused offering for user provisioning, primarily across Microsoft-centric environments, but with notable heterogeneous integration. Market share and "mind share" have gradually increased for Quest.

Omada enters the study for the first time with a vision and execution model tied tightly to Microsoft's ILM offering, and focusing primarily on customers with Microsoft-centric application portfolios and needs.

SAP's integration of MaXware into its portfolio as NetWeaver Identity Management represents a major step for the software giant. MaXware's provisioning and data synchronization capabilities are being linked with SAP's governance and controls offerings to provide a comprehensive approach to compliance-driven IAM.

Important Note Regarding Customer Statements: Any statements worded as "customers do not like," "customers are concerned" and so forth in the Vendor Strengths and Cautions section have been gleaned through survey responses and customer interviews. Note that they are customer perceptions; as such they represent the opinions of the specific customers surveyed or interviewed. The statements made are not representative of the vendor's comparison to other vendors — instead it is the vendor's performance weighed against the customer's expectations. Note also that some customers may be running back-leveled versions of the product, so some of the issues mentioned may not exist in the most-recent versions of products.




Vendor Strengths and Cautions

Avatier

Strengths

Avatier Identity Management (AIM) Suite v.7.1: Avatier User Provisioning Module (combines Account Creator and Account Terminator) and Avatier Identity Enforcer (updated February 2008)

  • Avatier is a pure-play, user-provisioning vendor. Its technology features innovative Web services connector architecture for heterogeneous integration across different platform environments. Avatier has added SoD and attestation to identity audit reporting. The company has introduced Identity Enforcer to fulfill the multilevel approval process workflow requirement to match assets and applications to business processes. The product addresses account termination (named appropriately, Account Terminator) to match Account Creator.
  • Avatier's roots are in password management for SMBs, where it has many customers; however, it also has a number of successful large-enterprise implementations. Within the U.S., Avatier sells AIM suites direct. Internationally, AIM suites are sold through a number of midtier services and consulting partners. Avatier has recently established integration partnerships with integrators such as Mycroft Talisen, Inc. and Identity Automation, and it is developing partnerships with major system integration and consulting providers.
  • Avatier's technology and subfunctions (such as its password policies) are developed with service-oriented architecture (SOA) in mind and can be accessed through Web services and Simple Object Access Protocol. The client front end and target connectors also support SOA.
  • Avatier provides ESSO and integration capabilities with AIM (the product), providing basic access functionality. Additional integration with some service management platforms, such as BMC Remedy, is possible as well. Pricing for the solution is very competitive, considering the markets Avatier targets.
  • The typical industry ratio for provisioning costs when estimating deployment vs. licensing is 3 to 1. This means that for every $1 spent on the product, $3 is spent on deploying it. Avatier's deployment ratio is very good, estimated at 0.33 to 1, where for every $1 spent on licensing, only $0.33 is spent on deployment.



Cautions
  • Avatier competes against large competitors, such as Sun, IBM Tivoli and Oracle. The company has made good progress, but it has difficulty gaining the attention of decision makers at larger enterprises, where larger competitors enjoy more access and exposure.
  • Avatier must compete in proposals where the customers consider provisioning as part of a suite that may include Web access management, directory/metadirectory services or combinations of these components in addition to user provisioning. This requires partnering with a shrinking number of choices for vendors in the market and competing with aggressive licensing from suite competitors — which is possible, but challenging.
  • Avatier seeks to empower nontechnical end users to perform complex tasks. As such, the sophistication of its customers is generally not that of a big IT organization, and IAM-related concepts and operations can be confusing to some customers — even if the product is technically easier to use/implement than some competitors' products.
  • Some customers report that AIM templates and screens are limited and awkward, and that role setup is unnecessarily cumbersome. Customers would also like to see more out-of-the-box auditing reports.



Beta Systems

Strengths

SAM Jupiter product suite: SAM Jupiter v.3.4.3 Hotfix Level (HL) 2 (March 2007), SAM Jupiter v.4.2 (June 2007)

  • Beta Systems focuses primarily on Europe for business, although it has some strategic U.S. activity. The company has implementations in financial services, insurance and IT services. Significant deployments on mainframe, z/OS and z/Linux platforms reflect the heritage of SAM Jupiter, which began product life on the mainframe. SAM Jupiter is available on Unix and Windows platforms, and has been for three years.
  • Although most of its sales remain direct, partnerships and reseller agreements exist. Integrator partnerships with providers such as T-Systems and Accenture also ensure implementation options for customers. Beta Systems also has European-based VARs for reselling SAM Jupiter in EMEA.
  • SAM Jupiter was one of the first IAM products to incorporate basic role life cycle management into a product's provisioning processes. In June 2007, Beta Systems announced an alliance with Israeli-based Eurekify to supplement its built-in role management delivery capabilities — adding upfront role mining and analysis — for full-cycle role life cycle management. From a standards perspective, Beta Systems provides SPML support for SAM Jupiter as well.
  • Beta Systems' built-in role life cycle management supports unlimited role hierarchies, dynamic roles, SoD and role mining. Resource administration control creates/modifies/deletes groups in all target systems, including RACF. Target system attribute settings (such as password interval, log-on times and so on) are synchronized with role definitions. SAM Jupiter is also used by some service providers to host user provisioning primarily for internal customers.



Cautions
  • Beta Systems has implemented a significant reorganization of product planning and development. Although this reorganization is likely to be a long-term benefit (because it is intended to bring additional resources to the company's IAM business), we believe that the reorganization has had a short-term impact on momentum.
  • Customer growth has been modest. If Beta Systems expects to remain a viable player in the industry, then it must acquire more customers faster.
  • Beta Systems is well-known in Europe, and has regional partnerships there. More partners are required worldwide to compete actively in the volatile system integration and consulting services arena for user provisioning. North American market presence remains small.
  • SAM Jupiter needs additional support for third-party workflow systems, detailed historical auditing capabilities, and more integration with role modeling and analytics providers.



BMC Software

Strengths

BMC Identity Management Suite: BMC User Administration and Provisioning v.5.5 (March 2008)

  • BMC Software has been in the IAM market for a long time (and has one of the largest market shares, dating back to the late 1990s with BMC's original Control-SA user-provisioning solution). BMC is one of the first companies to recognize and leverage the value of process-centric user provisioning applied to solving compliance and audit issues.
  • BMC formally recognizes IAM as a business enabler — as such it incorporates the product User Administration and Provisioning as part of its BSM portfolio.
  • BMC has developed relationships with key system integration and consulting partners such as BT INS, Accenture, Avanade, Ilantus Technologies, Certified Security Solutions (CSS) and Oxford Computer Group. BMC's VAR channel partners include Dell-Ingram Micro and Logic Trends.
  • BMC Identity Management Suite provides a fully integrated business process workflow and flexible application environment support. The workflow component can be exchanged for the company's Remedy IT Service Management module if customers so wish, instead of using the User Administration and Provisioning workflow.
  • BMC's Information Technology Infrastructure Library (ITIL)-based BSM message and approach to provisioning is innovative and is a differentiator. It has broad and active industry standards support, and partners with Eurekify to extend role life cycle management functionality.



Cautions
  • BMC's product Web Access Management and Federation is no longer part of BMC's current strategy. BMC has replaced its existing Web access management solution (from its OpenNetwork Technology acquisition in 2005) with pure-play Web access management partnerships.
  • BMC has ceased marketing and selling User Administration and Provisioning as a separate IAM offering. It will be included only as part of BSM. This is a concern for many customers that do not want to buy BSM, and that do not buy into BMC's linkage of the products, however innovative it may be.
  • BMC competitors Sun, Oracle and IBM Tivoli have more-extensive networks of system integrator partnerships worldwide. Competitors have also developed sophisticated market positioning around service management themes for user provisioning, and challenge one of BMC's main marketing strengths with communications campaigns targeted at early BMC customers contemplating upgrades.
  • Customer concerns include a complex configuration experience (more so than competitors), a lack of complete documentation, a need for better user interfaces, poor role life cycle management capabilities, slow response to support questions and inconsistent post-deployment support.



Bull Evidian

Strengths

Evidian IAM Suite (Evidian Provisioning Manager) v.8 (June 2007) — Provisioning Manager, Policy Manager and ID Synchronization

  • Evidian is the independent French subsidiary of Groupe Bull, established in July 2000. EMEA-focused for Evidian's Enterprise SSO and Secure Access Manager products, the company leverages that installed base and experience to provide a business-process-centric provisioning solution, particularly for clients in telecommunications, financial services and technology markets.
  • Evidian recently signed a resell agreement with Quest Software for broader distribution of its access management solutions in North America. This aids in name recognition for Evidian as an IAM player, and broadens its sales and marketing reach.
  • Evidian's role life cycle management strategy uses a "reconciliation engine" — part of its Policy Manager product — to detect the gap between the ideal state of access entitlements (from Policy Manager) and their actual state (from User Provisioning). This engine can work in the background to produce difference reports for security officers and administrators. Automatic readjustment of entitlements or suspension of unauthorized accounts is possible.
  • Evidian uses a Customer Care and Expertise center to provide user-provisioning planning and implementation services for customers. Alliances exist with Steria, Bull and Value Partners for system integration; and Steria, T-Systems (Germany), Value Partners (Italy) and Nexantis (Japan) for reseller opportunities. Most Provisioning Manager sales are direct or through Bull.
  • Customers like Evidian Provisioning Manager for ease of deployment, good support from Evidian Customer Care, and tight integration with Evidian Enterprise SSO and Web Access Manager.



Cautions
  • Evidian has a regional (EMEA) marketing focus. It has entered the user-provisioning market from its access management administration tool, and lacks core features to address non-Web application and broader platform environments. Evidian competes effectively in EMEA for simple provisioning needs and where integration with its successful access management products is a key criterion.
  • Evidian's user-provisioning solution is marketed primarily in Europe, and directly by Bull Evidian. To directly compete with Siemens, IBM Tivoli and others, Evidian will require broader partnerships and markets.
  • Ironically, Evidian's successful access management product line overshadows Evidian Provisioning Manager, diluting the company's marketing message about provisioning capabilities and successes.
  • Established customers do not like the uncertain road map for provisioning, early state of administrator interfaces, lack of features in role life cycle management (such as role mining) and lack of attestation support in identity audit reporting.



CA

Strengths

CA Identity Manager release 12 (June 2008 release) — OEM of WorkPoint (workflow) v.3.3.2, CA Security Compliance Manager release 12 (compliance and audit reporting)

  • CA enters the Leaders Quadrant for the first time because of better technology (in the r12 release), an improved partner model, and a revamped sales and marketing force that provides better education and awareness for product capabilities.
  • CA Identity Manager is based on IdentityMinder (from 2002) and eTrust Admin (from 2000), and therefore has a long heritage in the IAM business. Acquisitions have accounted for expanded capabilities. CA Identity Manager is part of the company's broader security portfolio. CA is recognized as an IAM portfolio or suite vendor.
  • CA's target market is primarily larger customers — 60% of CA's installed customer base is greater than 50,000 users per company. Although it does not market to SMBs, its capabilities, feature set and marketing are tailored for larger accounts.
  • CA plays an active role in international identity/security standards for user provisioning. Technical standards (such as SPML) and service management standards (such as ITIL) are supported. Major integration and consulting partners include Deloitte, PricewaterhouseCoopers and Capgemini. Logic Trends, Rolta and Tata Consultancy Services are key VARs.
  • CA Identity Manager has comprehensive features, such as integration capabilities, delegated administration, a Web services identity management interface, multiple open interfaces on the back-end for connectivity to target systems and entitlement certification capabilities. Agreements are in place with IDFocus and Eurekify to address role life cycle management issues. Identity Manager's use with CA Clarity for GRCM reporting is a differentiator.
  • Customers like CA Identity Manager's ease of use post-implementation, broad functionality (particularly for workflow needs) and integration capabilities with service management.



Cautions
  • Although in the Leaders Quadrant, CA rates slightly lower on the ability to execute criteria in 2006 through 2007 because of the loss of some momentum and sales opportunities (attributed to a revamping of the company's sales and marketing strategy). Although Gartner believes the new release has substantial improvements in architecture and features, it remains to be proven with additional deployment experiences.
  • Although notable improvements have been made in release 12, there are still multiple user interfaces for similar administrator functions as a result of integrating eTrust Admin and IdentityMinder. The connector library, while very good, could use application support for environments such as HTTP calls and fewer customer builds.
  • Established customers do not like the inconsistent responses to issues during deployment (attributed to communications within CA), the complexity of product configurations and the lack of robust role life cycle management capabilities without partners such as Eurekify.



Courion

Strengths

Courion Enterprise Provisioning Suite (AccountCourier) v.7.8 (as of April 2008) — also see AccountCourier Rapid Development Kit, PasswordCourier, RoleCourier, ComplianceCourier and CertificateCourier

  • Courion maintains its position in the Leaders Quadrant with this update, moving slightly up and to the right as product innovation, customer count and partnerships improve.
  • Courion has weathered a competitive period with a good total cost of ownership model, improvements in integrated role life cycle management, solidifying a VAR channel network and strong visionary leadership. Courion's strategy regarding policy life cycle management and connector frameworks validates leadership in architectural innovation.
  • Although approximately 70% of the company's customers are SMBs (up to 50,000 users), Courion is successfully extending its reach and winning larger customers. The company is attracting more attention from larger customers that are interested in its integrated role life cycle management and audit reporting capabilities. Courion has also had some notable customer proposal take-aways when bidding alongside larger competitors.
  • Courion's design leverages established data stores, such as Microsoft Active Directory, or other identity repositories. The toolsets for workflow-to-business alignment and advanced compliance reporting for areas such as attestation and SoD remain best in class.
  • Courion has a broad partnership model to deal with IAM portfolio requests. This model includes EMC/RSA for access management, Imprivata for ESSO, Citrix for enabling Citrix Presentation Server provisioning and others. Courion's participation in SaaS with its partner Identropy shows continued innovation.
  • Customers like Courion's simple and compact architecture, quick deployment capabilities, focus on customer requirements, and flexibility in configuration and customization. They also like the low deployment-to-licensing cost ratio, estimated at 1 to 1 or lower.



Cautions
  • Courion is under increasing pressure from IAM portfolio competitors as competitor products improve. Although Courion is doing a good job addressing this as one of the remaining pure-play provisioning providers, it represents a balancing act with partners that can be challenging where portfolios are preferred, and focuses attention on licensing issues and situations where customers prefer fewer vendors in the enterprise.
  • Courion lacks the global reach of major competitors in terms of marketing, sales and support, depending on a network of partners for those services. In many countries, the company is not well known, or uncertainty exists regarding the availability and depth of integration and support services.
  • Established and potential customers do not like the complexity of custom connector construction (required despite the visionary framework) and the immaturity of administrative tools, and there are scalability concerns, although scalability is better in the latest release.



Fischer International

Strengths

Fischer Identity Suite (Fischer Provisioning) v.2.4.2 (October 2007) — Fischer Workflow and Connectivity Studio, Model Connector, Fischer Password Manager, Fischer Provisioning, Fischer Policy Manager, Fischer DataForum, Fischer iFly, Fischer iComply, Fischer High Privilege Account Management, Fischer Global Provisioner and Fischer Global Identity Gateway

  • Fischer International remains in the Visionaries Quadrant due to its continued execution of user provisioning through a partner model as a managed identity service (that is, SaaS) for cloud-based delivery. Although Fischer's competitors have made progress, the company has extended its lead with a multitenant, service-based architecture, enabling SaaS and hosting by service providers.
  • Fischer permits service providers (and enterprises) to offer user provisioning as a service in several delivery models — perpetual, on premises, hosted and SaaS. Despite the customization involved, the company supports rapid end-user deployments as well, although this may be attributable to company size and customer base.
  • Fischer's sales model is 100% through midtier service partners operating predominantly in North America. The company has a relationship with Eurekify for role life cycle management services. Fischer's system integrator (and reseller) partners include Applied Computer Solutions (ACS), Rolta and NetworkingPS.
  • Fischer's technical architecture is a small footprint, Java-based SOA framework that produces a rapid, configurable delivery model for service providers. Fischer has built a small, but growing, customer base that is contemplating user provisioning in various delivery models — including, for example, SMBs reluctant to deploy and maintain their own user-provisioning solutions.
  • Fischer delivers a simple cross-domain framework. It provides nonstop operations support, fault tolerance, high-privilege account management and connector management. The company has strong cross-industry standards support, resulting in cross-interoperability across systems.
  • Customers like Fischer's adherence to open standards for heterogeneous platform and application support, its flexibility of workflow development and its support responsiveness.



Cautions
  • Fischer is a small company. It depends on its partner network for visibility and support; so much of its success in this market depends, in turn, on its partner relationships and the ability of its product to continue to deliver satisfactorily for those partners. The company's new business growth has been minimal as Fischer shifts from a direct-sales strategy and partner relationship building, to selling 100% via partnerships. Gartner expects Fischer's new business growth to resume as such partnerships solidify.
  • Fischer's partners are primarily service providers that are also system integrators, rather than large-scale system integration and consulting firms. The battle for much of the user-provisioning market share is led by partner system integration and consulting firms. Competitors with key partnerships with such firms will have greater chances of broadening market share at a faster rate.
  • Fischer remains a regional solution rather than international — global presence is needed for the same reasons as strategic partnerships for name recognition and growth. Fischer has recently started working with multiple partners that have the ability to extend Fischer's global reach.
  • Customers express concern about user interface issues, such as how modifications to Web pages for administration are done and overall user friendliness.



Hitachi ID Systems

Strengths

Hitachi ID Management Suite (Formerly M-Tech IDM Suite) and ID-Synch v.4.3.0 (29 February 2008) — P-Synch/SSO v.6.4.2, ID-Certify v.4.3.0, ID-Org v.4.3.0, ID-Access v.4.3.0, ID-Archive v.5.1, ID-Telephony v.4.3.0 and ID-Telephony/Bio v.4.3.0

  • Hitachi ID's recent acquisition of M-Tech — a Canadian-based, privately owned IAM company since 1992 — is one of the more-significant acquisitions of 2008. Known first for its P-Synch password management offering, the company has delivered Hitachi ID Identity Management Suite v.4.3.0. ID-Synch automatically provisions new users, extends self-service access requests to business users, and manages authorizations (entitlements) directly with built-in workflow. Other provisioning components include ID-Org (business process automation for organization chart maintenance), ID-Certify (for audit/compliance attestation reporting) and ID-Access (for request-based, self-service Active Directory group management).
  • Hitachi ID has a user life cycle management vision for managing profiles and entitlements of users, terminating access rights and providing password management. To address this, ID-Synch consolidates provisioning and deprovisioning self-service automation, delegation and workflow. This is an expansion of the P-Synch product.
  • Hitachi ID has an extensive professional services team to design and implement ID-Synch and to train customers on its use and maintenance. It has system integration and consulting partnerships with KPMG and AEM, although most integration is done by Hitachi ID's service team.
  • Hitachi ID has reseller relationships with providers such as ACS, IBM Global Services, EDS (HP) and CSC. It has partnerships with Eurekify for role life cycle management, and with Approva for SAP GRCM integration and reporting. Hitachi ID also partners closely with Microsoft. It actively supports international standards for identity and security.
  • Key product strengths include self-service login ID reconciliation for users to map logins to profiles; access certification to clean up dormant/orphan accounts and find/remove "stale" privileges; self-service workflow to request accounts and group memberships to automate authorization workflows, instead of or in addition to roles; and a managed user enrollment system.
  • Hitachi addresses internationalization for 12 concurrently available languages, which is a differentiator.
  • Customers like the easy configuration, which lowers implementation costs and makes it a good choice for outsourcing and managed service providers that need fast, multiple deployments.



Cautions
  • Although Hitachi ID has formidable sales and marketing resources, it will take time to train the current workforce worldwide in the former M-Tech product line, resulting in some delay in worldwide recognition of products and capabilities.
  • ID-Synch is in the final phases of a redesign of its architecture (with an estimated time of arrival of December 2008) for greater flexibility and better heterogeneous support, as well as incorporating some of the numerous modules into the main offering. This will improve such areas as role life cycle management and identity auditing, but will take some time to complete, test and deliver.
  • Hitachi ID customers do not like the lack of some key features, such as efficient user interfaces for navigation and forms use and robust audit-reporting functions, as well as a slow database and forms scripting challenges.



IBM Tivoli

Strengths

IBM Tivoli Identity Manager (TIM) v.5.0 (December 2007), TIM for z/OS v.4.6 (December 2006) and TIM Express v.4.6 (February 2006)

  • IBM Tivoli is a global player in service management, and has successfully expanded that image into IAM during the past nine years. Service partners, tiered global partnerships (system integrators, VARs and technical partners), and its own global consultancy and integration organization are experienced in project management. IBM Tivoli's reach into business boardrooms and public-sector offices is unquestioned, giving it a decided advantage over competitors.
  • IBM Tivoli's acquisition of Consul, a major z/OS security administration and audit vendor, resulted in the addition of Tivoli Compliance Insight Manager, broadening its IAM portfolio and bolstering its identity audit offering for addressing compliance and audit needs. IBM's additional acquisitions (for example, Internet Security Systems, Watchfire, Cognos, MRO Maximo and Encentuate) enhance the integration of Tivoli Identity Manager's provisioning, workflow, audit and reporting capabilities to the security event, application development and business intelligence environment.
  • In marketing and sales, IBM Tivoli has a formidable foundation. Product management is part of the Tivoli product development model, which emphasizes external certifications and "voice of the customer," as well as considerable customer feedback, as part of that model. Additional emphasis is placed on GRCM and SIEM in the product, and its marketing.
  • Tivoli Identity Manager supports all major platform environments for deployment. Product offerings also support the z/OS platform and a specific product offering for SMBs, Tivoli Identity Manager Express, as of February 2006.
  • Provisioning and approval workflow technologies are full-featured. Connector libraries are extensive, as is the development kit for unique connectors. Password management functions and delegated administration are competitive with established market players. Deployment, scheduler and rule generation functionality provide a starting point for businesses. Tivoli Identity Manager enables customers to create solutions that align with most customers' business requirements. Initial reports of release 5.0 show improvements addressing ease-of-use and user interface concerns.
  • Policy simulation features in Tivoli Identity Manager enable customers to simulate role and/or provisioning policy scenarios to determine their effects on production environments before deployment.
  • Certificate management capabilities exist as an option through third-party integration, and are capable and complete. For role life cycle management, IBM Tivoli partners with exclusive Tivoli solution provider SecurIT. Additional partners — Approva, Aveksa, Eurekify and SailPoint — are also available to enhance Tivoli Identity Manager role life cycle management capabilities and to provide core SoD support.



Cautions
  • IBM Tivoli's ability to address complex IAM issues for clients is occasionally challenged by its complexity of solution offerings. Tivoli's approach to addressing customer requirements in project planning sometimes generates project duration concerns. This can be managed with strong customer leadership to curtail "scope creep." Early deployment reports of Tivoli 5.0 are promising in correcting this issue.
  • IBM Tivoli's approach to role life cycle management through its partnership with SecurIT isn't enough to complete a comprehensive, end-to-end IAM suite. Its two primary competitors (Oracle and Sun) have acquired former partners to fulfill client needs for single-source solutions, and remaining competitors have a better integration story and execution.
  • IBM's rapid portfolio growth does not automatically translate into a fully integrated suite. Product replacements just as customers achieve full production (such as ESSO and TIM 4.6) leave customers with uncertainty and migration concerns.
  • Customers remain concerned about the complexity of the product in configuration and deployment, the intensive prework necessary to accurately map workflows to business processes and the effects of version releases to established deployments.



Microsoft

Strengths

Microsoft ILM 2007 Feature Pack 1 includes ILM Certificate Management, Management Agent Software Development Kit (SDK), Identity Manager Rule Generation, Password Management Application and Password Change Notification Service

  • Few companies have more influence in the IAM market than Microsoft because of its role in server and desktop delivery. The company retains its positioning as a challenger because of global presence, partnerships, and organizational improvements in product development, management and road map.
  • Microsoft Active Directory and associated technology component deployments have grown since the 2007 Magic Quadrant, as have identity repositories dependent on Active Directory. More customers seek information regarding Microsoft's response to primary IAM competitors in the market before selecting a solution.
  • Microsoft has its own integration and consulting business, but also depends on a number of system integrators and consultants globally — Avanade, CSS and Oxford Computer Group are some of them. Microsoft also has key independent software vendor (ISV) relationships with Danish provider Omada, and French security and identity provider Bull Evidian. This partner network also extends to software and system providers such as Quest Software, Bhold and Gemalto in technology cooperation, standards support and alliances.
  • The technical heart of Microsoft's offering remains metadirectory synchronization through Microsoft ILM 2007. ILM is the successor of MIIS, and the next-generation technical foundation for its user-provisioning services. Most Microsoft provisioning implementations are MIIS-based, but ILM deployment numbers are growing.
  • ILM 2007 certificate and smart card management includes out-of-the-box auditing and reporting, and the ability to manage users by role. This is done through profile templates or managing certificates based on user role. Although the synchronization and user-provisioning component of the product does not include role life cycle management or out-of-the-box reporting, customers can use their established reporting products to get access to the data in the Microsoft SQL database. As with many competitors, partnerships are available for role life cycle management.
  • Microsoft remains the absolute (licensing and startup) price leader, providing products for basic provisioning and identity audit reporting at 50% to 65% the price of leading competitors through a simple Windows server-based platform offering. Integrating other component technologies for workflow and role life cycle management (some from partners and integrators) adds additional costs, but most implementations still occur at 65% to 75% of current competitor prices.
  • Customers like the rich and tightly integrated Active Directory/collaboration suite design of ILM, the balance between function/extensibility vs. complexity and startup pricing.



Cautions
  • Implementing ILM 2007 is a build process. The product includes an adapter set and SDK to connect and link directories, databases, applications, mainframes and other enterprise systems. Microsoft historically has not provided equivalent adapter sets compared with competitors, but customers can use the SDK to build necessary adapters. Alternatively, some customers may choose (or require) a partner (such as Centrify, Omada or Quest) to add the needed functionality. Toolkit components come from different Microsoft product lines and are woven together to provide user provisioning, workflow, password management/reset and identity audit reporting.
  • Microsoft's user-provisioning solution has a pricing model that takes into account the life cycle maintenance costs of a customized solution using its component technologies or by using its partner program to bring provisioning, workflow, advanced password management and audit reporting together and to support the custom solution in the long term. Startup prices are still the best in the market, but consider total operational life cycle costs as well to maintain a custom system.
  • Microsoft product planning prioritizes Microsoft-centric customer requirements for user provisioning first, and will continue to address any established or future solution feature set development that way. Customers should be aware that it can affect the degree or timeliness of heterogeneous support.
  • Customers using the synchronization and user-provisioning component of the product report issues because of a lack of an end-user, self-service front end; limited heterogeneous customization; and weak reporting and audit logging.



Novell

Strengths

Novell Identity Manager v.3.5.1 (5 October 2007) with Roles Based Provisioning Module 3.6 (18 January 2008) — Password Self-service for Identity Manager v.3.5.1, Designer for Novell Identity Manager v.3.5.1, Novell Sentinel v.3.6, Novell Audit v.2.0, Novell Identity Manager User Application v.3.5.1 and Novell Identity Assurance Solution v.3.0

  • Novell has made significant progress since the 2007 Magic Quadrant, moving up in the Leaders Quadrant by effectively addressing issues with partnerships, sales and marketing, and competitive countermoves. The company combines these efforts with an innovative best-in-class product and a focused and consistent executive and team.
  • Novell's product strategy centers on addressing unified policy and compliance management through role-based provisioning management and real-time validation, auditing and remediation. This includes addressing links between business governance and IAM governance.
  • Novell's uniform horizontal architecture is a heritage of organic construction in past years that gives the company development and integration advantages. The latest upgrade addresses basic role life cycle management, but still leverages partnerships with Aveksa and other role life cycle management providers for role modeling and analytics. Improvements in resource recertification/attestation reporting, and tighter integration with SIEM logging and reporting via its Sentinel product, provide better forensics and monitoring capabilities to provisioning management.
  • Novell's network of smaller, regional-based integration and consulting has been augmented with major integration providers, such as Atos Origin, Deloitte and Wipro Technologies, as well as global alliance partners, such as HP and SAP.
  • Novell is an active participant in an open-source identity framework that includes provisioning through its membership in the Higgins project, which has attracted minimal interest thus far. The company is also active in international standards work with the role it plays in Linux, security and identity. Novell Identity Manager supports SPML.
  • Novell customers like the tight integration of the product for different provisioning functions, the designer capabilities for configuration, and the ease of use and functionality of the deployed solution.



Cautions
  • Name recognition as a portfolio provider of IAM solutions remains an issue. Although widely recognized in its previous incarnation as a server platform provider, it remains less well known for its capabilities in user provisioning. This is more of an issue for Novell than the customer, but gives rise to the perception of its overall capabilities in IAM.
  • Although the company has no cash concerns and has been very aggressive in addressing competitor moves, customers remain concerned about viability, longevity and continued progress — a view Gartner does not share.
  • Integration between Novell Identity Manager and Sentinel is still in the early stages, and will require substantial refinement to realize marketing claims.
  • Customers do not like the degree of customization required for solutions, as well as their complexity, licensing complexity and early state of role life cycle management capabilities.



Omada A/S

Strengths

Omada Identity Manager (OIM) v.6.0 (November 2007) — OIM Workflow Designer module, OIM Password Reset module, OIM Self Service module, OIM Base Server, OIM Advanced Role Based Access Control (RBAC) module, OIM Compliance Reporting module and OIM Compliance Attestation module

  • Based in Denmark (with regional offices in London, England, Germany and California), Omada was established in 1999 to address Microsoft-centric user-provisioning needs. In the past two years, it has made significant progress as a key Microsoft ISV in user provisioning with OIM, doubling the number of customers and users served each year since 2004. Although the bulk of customers are from EMEA, Omada's sales increased in North America during 2007.
  • Omada's vision and strategy stresses easier, simpler user provisioning and overall identity management for the lines of business. This is underscored with the goal of providing intuitive customer-centric interfaces, while delivering the technical depth and flexibility required to implement enterprise-scale IAM solutions.
  • Omada has system integration and reseller partnerships that include, but are not limited to, Oxford Computer Group, Traxion, Avanade and LogicaCMG. A major part of Omada's staff is dedicated to consulting, integration and support as well. Solution support is offered directly to the customer or via partners.
  • OIM addresses delegated administration, self-service access requests, SoD, workflows with approvals and compliance reporting with a .NET-based programming platform. It performs some role life cycle management capabilities with its Advanced RBAC module, applying roles over heterogeneous repository and access infrastructures via ILM Management Agents supplied out-of-the-box from Microsoft, as well as those custom-built by partners.
  • Omada has a staging system that enables customers to transport configuration changes automatically between servers (development-test-production).
  • Customers like the product customization flexibility, relative ease of setup for configuration and tight integration with Microsoft-centric environments.



Cautions
  • OIM depends entirely on Microsoft ILM for delivering its functionality — OIM uses it as a base framework. This means that Omada is entirely dependent on its relationship with Microsoft to be successful. Omada has committed to a provisioning delivery method using .NET and Microsoft-delivered infrastructure, so its product road map is dictated by Microsoft plans in IAM.
  • Omada's product development upgrades are driven by its current customer base; and better product management must evolve to develop a standard, methodical approach to delivering updates and feature changes.
  • Omada customers do not like the amount of integrator customization required for more-complex implementations, the degree of dependency on Microsoft frameworks and the early state of its role life cycle management features.



Oracle

Strengths

Oracle IAM Suite and Oracle Identity Manager v.9.1 (January 2008)

  • Oracle is the leader in this Magic Quadrant. It is in the Leaders Quadrant because of significant new customer acquisitions, a broadening network of global partnerships to deliver and maintain its solution, and a refinement in product features and deployment strategy. Its notable momentum puts it slightly ahead of major competitors such as IBM Tivoli and Sun.
  • Oracle's access to business boardrooms and public-sector decision making as a major database and enterprise applications provider is pervasive. The company uses that access for cross-selling opportunities with IAM. An aggressive and accelerated sales and marketing strategy has resulted in a growth rate in customers several times that of the general provisioning market, feeding global partnership opportunities.
  • Oracle has improved its graphical workflow designer, generic technology connector, installation wizard for connector version control, and reconciliation manager capabilities with this release, emphasizing an improved customer configuration and implementation experience. These were issues with earlier versions of the product.
  • Oracle has established a network of global partnerships (system integrators, VARs and technical partners) with companies such as Deloitte, Accenture, KPMG, PricewaterhouseCoopers and Wipro, and its own consultancy and services in user provisioning have become more experienced.
  • Oracle possesses a portfolio and matching vision for IAM, including user provisioning. The message has moved from an earlier strategy of "application-centric" provisioning that addresses provisioning, workflow and reporting needs for a multiapplication environment to include a "service centric" view of IAM. This message underscores the increasing need for a portfolio that includes provisioning to address requirements in a modular, reusable manner (that is, SOA-centric) performed with a deployed, in-house implementation or a managed IAM service delivered via hosted solutions.
  • Oracle acquired the role life cycle management firm Bridgestream, GRCM vendor LogicalApps and fraud prevention/authentication vendor Bharosa in 2007, and is acquiring BEA Systems as of this writing in 2008. Broadening its product suite and addressing key issues for OIM, particularly in role life cycle management (Bridgestream's offering is now Oracle Role Manager), GRCM and entitlement management, show an aggressive, acquisitive trend for Oracle, which shows little sign of abating.
  • Customers like the access to Oracle's development teams for changes, configurability during deployment, workflow and provisioning engine capabilities, and recent improvements in connector library additions.



Cautions
  • Rapid growth comes with a cost. There are mixed reviews for Oracle integration and deployment experiences attributed to uneven training and experience of consultants and system integrators for the product. Customers like the access to Oracle, not the inconsistency of experience. This should fade as integration experience and training become uniform.
  • Oracle's integration strategy for SIEM with provisioning compliance and audit reporting is not as mature as that of competitors IBM Tivoli and Novell, although the vision of the company's IAM solution includes it. More evidence in market messaging and implementation is required to validate capability and intent.
  • Although Oracle's pace in growing market share and establishing key partnerships has been impressive, it cannot be sustained. As new customer acquisitions subside to market levels, and feature sets move to maturity for key competitors, Oracle must maintain momentum through integrating a diverse portfolio built by acquisition. It must also build excellent customer experiences and execute on its vision. With only one or two of those successful, the company runs the same risks as Sun in maintaining momentum in this competitive market.
  • Customers do not like the product's technical complexity. User interfaces need refinement, tighter integration with established Oracle products is desired (including those in the IAM solution) and additional connectors are needed for the library.



Quest Software

Strengths

Quest ActiveRoles Server v.6.0.4 (March 2008) — ActiveRoles Quick Connect v.3.5.2 (March 2008), Quest Password Manager v.4.1.1 (January 2008), Quest InTrust v.9.5.6 (November 2007), Quest Reporter v.6.1 (May 2008), ActiveRoles Self-Service Manager v.6.0, Quest Access Manager v.1.0 and Vintela Authentication Services v.3.3

  • Quest Software has made significant progress in the Niche Players Quadrant due to increased marketing (and interest in ActiveRoles as a Windows-centric user-provisioning solution), an expansion of partnerships and an extended vision of related tools in the Quest portfolio to support ActiveRoles.
  • Quest Software is a major supplier of Windows management products; ActiveRoles v.6.0 is Quest's offering for user provisioning for enterprises. Quest provides user provisioning as a feature set of several Windows, application and database management solutions, and is sometimes used to supplement larger provisioning implementations that do not address Microsoft and Linux-centric administration effectively.
  • Quest Software's marketing approach is direct sale. It possesses system integrator and resell relationships with IBM Global Services, EDS and Dell. Active Directory administration and Unix/Linux integration are central to Quest's solution. The company has a growing base of notable customers and deployment scenarios.
  • ActiveRoles is primarily a solution for Microsoft-centric SMBs of up to 50,000 users, which account for almost 90% of Quest's sales. The system is integrated with MIIS and IBM's Tivoli, and is therefore capable of supporting heterogeneous provisioning. Quest also proposes InTrust and Quest Reporter for identity audit reporting and compliance, and user-provisioning audit reporting. Quest Password Manager has been updated, and ActiveRoles Self-Service Manager has been introduced for expanded password, group and attestation management capabilities.
  • Customers like the customer support and knowledge of Microsoft systems from Quest; the consistency of the workflow solution and centralized script depot; the good deployment experiences; and the positive reports on user interfaces and workflow.



Cautions
  • ActiveRoles does not have a uniform look and feel, and some features (such as Quick Connect, a means to automate account creation without IT administration assistance) are not yet fully intuitive for customers.
  • The Quest brand uses Microsoft as a delivery platform. For consideration by customers with heterogeneous requirements, Quest must reiterate ActiveRoles' heterogeneous capabilities.
  • ActiveRoles is well-suited for SMBs, but it has fewer customer references in large industry segments above 50,000 customers. More will be needed if Quest is to be considered as more than a niche player.
  • Customers do not like uneven post-deployment support, the lack of predefined scripts, the product's overall complexity and the lack of SharePoint support in provisioning.



SAP (MaXware)

Strengths

SAP NetWeaver Identity Management v.7.0 (November 2007)

  • SAP NetWeaver Identity Management highlights a vision of enterprise application providers that enhance provisioning capabilities and provide tools for extensive integration with GRCM products. Role life cycle management and fine-grained authorization management are key to fulfilling these requirements, and SAP possesses many of those capabilities in SAP application suites.
  • SAP NetWeaver Identity Management maximizes NetWeaver's identity services capabilities for SAP customers. Key features include a provisioning and workflow engine; user self-service and password management; a reporting, auditing and logging capability; and a metadirectory and identity store. Virtual directory services and data synchronization capabilities address complex user provisioning, integration and some federation needs.
  • SAP is active in cross-industry standard efforts, such as the Organization for the Advancement of Structured Information Standards (OASIS), and industry-specific standards bodies for NetWeaver Identity Manager — a reflection of its worldwide presence and desire for product positioning with the main SAP application suites.
  • SAP's integration of acquisition MaXware into its marketing, sales, communications, and training plan and network, as well as its partnership program, has resulted in new customers. Aligning this offering with NetWeaver Access Control (formerly Virsa) to deliver the necessary foundation for GRCM and authorization management is progressing toward tighter integration. The results are critical for SAP (and customers) to realize acquisition value.
  • SAP customers like the rapid implementation and customization capabilities of the product, the basic role life cycle management integration with provisioning, the deep integration with other SAP products and the virtual directory functionality.



Cautions
  • SAP's agenda for user provisioning is targeted specifically at established SAP customers. SAP application portfolio and integration needs are addressed first, then new customers. SAP views this as vital to counteracting efforts by Oracle to introduce Oracle solutions into a predominantly SAP customer environment. As a result of this SAP-centric strategy, customers in largely heterogeneous environments may find SAP's connector library selection lacking.
  • SAP has few significant integration and consulting partners outside its organization. Although the company's resources are formidable, they are focused on other products besides provisioning. Broadening SAP's consulting services and establishing some integration partnerships will be needed if sales goals extend further than established SAP customers.
  • Customers believe the workflow functionality of the product is too basic. They want better user interface customization abilities and they prefer more-extended role life cycle management and reporting.



Sentillion

Strengths

Sentillion proVision v.3.0 (second quarter of 2008)

  • Sentillion's user-provisioning solution is focused on one vertical industry — healthcare. It remains in the Visionaries Quadrant due to its continuing innovation in healthcare provisioning needs, its expanding growth in customers, and its expanding partner network for resale and system integration.
  • Sentillion continues to use an open-source community — IdMPower — to share provisioning software adapters for clinical and nonclinical applications among its customer-members, leveraging established Microsoft-centric customer infrastructures.
  • Sentillion's strategy for user provisioning in a specialized, complex industry is built on the concept of "purpose-built" healthcare, and addresses role-based and fine-grained provisioning. Although customers are classified as SMBs by their user count, the complexity of healthcare role environments ensures that planning and implementation remain challenging. Sentillion delivers focused consulting and integration services, and also has some integration partners (for example, CTG Health Services and Logic Trends) to address those challenges.
  • Because of Sentillion's healthcare focus, it provides out-of-the-box connector ("bridge" in its nomenclature) support to a variety of healthcare-industry-specific systems (for example, McKesson-Horizon products, IDX products and ChartMaxx).
  • Sentillion has a fixed fee for implementation services so customers know upfront the associated costs. The fixed fee implementation is at approximately a 1:1 software to services ratio, the lowest among the provisioning vendors.
  • Sentillion has deployed a reseller network that includes companies such as Compudyne, Logic Trends and iSoft to expand product availability as recognition of Sentillion grows in the healthcare market.
  • Customers like the personal customer support received during planning and implementation, the openness to feedback and the resulting product upgrades, and the fulfillment of feature requirements specific to healthcare.



Cautions
  • Focusing just on healthcare comes with a price. Whether it is features or standards support, Sentillion is driven by its customers, and the product is customized for the healthcare industry. Sentillion does not sell proVision directly to other markets; however, it is sold in nonhealthcare markets by a network of channel partners. Organizations outside healthcare evaluating Sentillion should conduct a side-by-side comparison.
  • Competitors such as IBM and Courion continue to develop specialized variants of their products for healthcare, attempting to challenge Sentillion's dominance in this market. Sentillion will need to continue innovating and establish other business partnerships to counter this challenge, expand awareness of the company and differentiate its offerings from more-generic competitor products.
  • Role life cycle management capabilities are limited. Given the highly regulated industry that they are targeting, this may be seen as a lack of needed functionality.
  • Customers do not like the lack of a tool to easily create "bridges" necessary for integration. They also do not like the poor graphical tools for workflow and provisioning configuration and product complexity.



Siemens

Strengths

Siemens DirX Identity v.8.0B (September 2007)

  • Siemens is one of the largest and most-diverse corporations in the world, with businesses in energy, healthcare, communications and other industries. DirX Identity has extensive customer opportunities in the corporation itself, and has considerable resources available for research, marketing, consulting and system integration.
  • Siemens industry customers are loyal, and DirX Identity customers continue that trend. This results in a good customer feedback loop for DirX Identity product developments.
  • Restructuring within Siemens has moved the DirX product portfolio from Medical Solutions to IT Solutions and Services, eliminating some concern and confusion regarding Siemens' strategy and road map for IAM. IT Solutions emphasizes the organization's cross-system presence in authentication delivery mechanisms, such as smart cards and biometrics, to link access to identity management, physical with logical security needs. Siemens views itself as a one-stop shop for end-to-end identity products, as well as the integration services to install and maintain them.
  • DirX Identity possesses an integrated role life cycle management capability to provisioning (without mining or attestation capabilities) based on its original MetaRole product first introduced in 2003, unlike several competitors that provide this via partnerships or acquisitions. Siemens also provides HR and user interface integration with SAP for provisioning services, although this partnership will change as SAP perfects features in this area with its own provisioning product.
  • Siemens mainly uses its own Enterprise Communications and IT Solutions and Services divisions to resell DirX Identity. It also uses IT Solutions and Services as a dominant system integration provider, although it does have some relationship with T-Systems and HWS as well.
  • Customers like the technical development and software support from Siemens, the role model support as part of role life cycle management, the ability to preview upgrades with a "virtual" upgrade feature to find potential problems before proceeding, and the identity audit-reporting capabilities.



Cautions
  • Although Siemens is well-known in Europe for DirX Identity, it remains a surprise to many potential customers that the company possesses a provisioning solution. Targeted, focused marketing will be required outside of EMEA if DirX is to be recognized as a viable contender in provisioning.
  • Siemens depends almost entirely on itself for reselling, consulting and system integration of the product. Although this may be effective for established Siemens industry customers, it is less effective for new customers that want a choice in integration partners.
  • Siemens' strong engineering and design expertise overshadows its messaging related to executive boardroom concerns of GRCM. Too much focus on access management messaging will attract more IT infrastructure decision makers in purchasing, rather than business decision makers.
  • Customers do not like the complexity of workflow programming, the lack of role-mining capabilities and the lack of robust attestation reporting.



Sun Microsystems

Strengths

Sun Java System Identity Manager v.8.0 (June 2008) — Sun Role Manager v.4.1

  • Sun is one of the top three leaders for solutions in user provisioning in the Leaders Quadrant through a combination of technical platform expertise, diverse and experienced partnerships in consulting and system integration, a growing customer base and consistent customer service. Sun's rating has decreased slightly from the previous study because of increasing competitive successes by IBM Tivoli and Oracle, reduced momentum in sales and marketing, and a restructuring of vision for the product.
  • At the end of 2007, Sun acquired role life cycle management vendor Vaau to enhance provisioning capabilities and to create a more business-centric view for IAM in enterprises. Renamed Sun Role Manager, this feature set addresses basic, as well as advanced, requirements for delivering a role-based framework for better provisioning experiences. This integration is refined in Identity Manager v.8.0.
  • Sun plays a leadership role with its commitment to open source, delivering open-source versions of its user-provisioning software, engaging proactively in the open identity community, and delivering a road map for deploying Sun Java System Identity Manager as a set of consumable Web services and policy abstraction abilities.
  • Sun's Partner Advantage Program remains a model for covering consulting, system integration, VAR and ISV needs for user-provisioning offerings, particularly for large-scale vendors. Seventy percent of Sun deployments are with customers that have 50,000 users or more, making it one of the most-experienced vendors in delivering solutions for large enterprises.
  • Identity Manager v.8.0 technical features include improved integration between provisioning and role life cycle management, more compliance and audit reporting options, and a refined user interface for implementation.
  • Customers like the improved compliance reporting in the latest version, the availability of role life cycle management as part of the portfolio and the pragmatic technical foundation of the product.



Cautions
  • Sun completed its reorganization and streamlining of IAM product development and management, resulting in a better focus for vision and execution. This, however, also resulted in a loss of momentum and delivered mixed signals to customers and competitors in terms of direction and priorities.
  • Equalization of the technical feature sets and partner availability for user provisioning among the major competitors highlight the maturation of the provisioning market. This means that compelling differentiators are necessary to help customers choose a solution. Although Sun continues to do well in the market, differentiators in vision and execution give a slim edge to its major competitors, IBM Tivoli and Oracle.
  • Mainframe-centric and Microsoft Windows-centric integration by Sun have improved, but are perceived by customers as "lightweight" in configurability and capability when compared with some competitors.
  • Customers do not like end-user administrator interfaces they characterize as inadequate, the lack of a more standard XML set for customization that developers and project managers can use, and a lack of a road map for addressing related areas, such as integrated SIEM.



Voelcker Informatik

Strengths

Voelcker ActiveEntry v.3.2 (October 2007)

  • Voelcker Informatik moves to the Visionaries Quadrant because of its architectural innovation, its high customer interaction model during development and deployment, its customer loyalty and its agility in executing its vision of provisioning.
  • Founded in 1994, Voelcker Informatik has built a loyal customer base in public-sector, financial services and technology firms. The company has its own consulting and integration team, but has expanded it via European partners Fujitsu-Siemens, Computacenter and T-Systems.
  • Eckhard Voelcker is a charismatic CEO with a mature executive team, skilled developers, and support staff that have created and maintained a detailed .NET and Mono-based delivery platform for user provisioning. Recent architectural changes have taken into account the need to establish a functional layer between enterprise control processes and delivery platforms, resulting in an SOA-ready, configurable provisioning offering.
  • ActiveEntry's dual .NET/Mono architecture is appealing to institutions where heterogeneous platforms are pervasive, budgets are constrained and customization demands robust implementation tools. The architecture also leverages Microsoft's Active Directory and Certificate Lifecycle Management extensively.
  • ActiveEntry's Workflow and Rule Designer are tightly integrated and full-featured, and integration with SAP is extensive at provisioning, role management and analytical levels. Role life cycle management (integrated with provisioning, but also available separately) fulfills most customer requirements.
  • ActiveEntry customers like the quality customer interaction for requirements gathering and product customization, rapid deployment capabilities, and workflow features.



Cautions
  • Voelcker Informatik must compete against multinational competitors such as Siemens, IBM Tivoli and Bull Evidian on an equal basis, although the company is smaller in terms of employees. It remains difficult to gain the attention of decision makers because feature equalization enables decision makers to choose vendors already established in their enterprises. Voelcker remains focused on EMEA and has no plans currently to expand.
  • Voelcker must compete in IAM portfolio proposals with a shrinking number of vendor partners or by proving that it can perform provisioning and role life cycle management, as well as a portfolio component (such as the best-of-breed strategy). Although some customers still believe this is viable, it remains challenging.
  • Voelcker remains a potential acquisition target as the IAM market matures. Although some delay may occur in product updates, this isn't a major issue considering that most IAM offerings are delivered by acquired vendors.
  • Customers express concerns related to the size of the company (due to concerns about support) and a lack of a standard management dashboard.

The Magic Quadrant is copyrighted 15 August 2008 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.






Acronym Key and Glossary Terms

AIM: Avatier Identity Management
BSM: business service management
CSS: Certified Security Solutions
EMEA: Europe, the Middle East and Africa
ESSO: enterprise single sign-on
GRCM: governance, risk and compliance management
IAM: identity and access management
ILM: identity life cycle manager
ISV: independent software vendor
ITIL: Information Technology Infrastructure Library
MIIS: Microsoft Identity Integration Server
OIM: Omada Identity Manager
RACF: remote access control facility
RBAC: role-based access control
SaaS: software as a service
SIEM: security information and event management
SMB: small and midsize business
SOA: service-oriented architecture
SoD: segregation of duties
SPML: Service Provisioning Markup Language
SSO: single sign-on
TIM: Tivoli Identity Manager
VAR: value-added reseller
VM: virtual machine





Vendors Added or Dropped




We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.





Evaluation Criteria Definitions





Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.


Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.