Research

Publication Date: 30 September 2010 ID Number: G00206614

Magic Quadrant for User Provisioning


Perry Carpenter, Earl Perkins

User provisioning manages identities across systems, applications and resources. Compliance
remains the main driver of uptake, and identity and access intelligence and role life cycle
management are increasingly top-of-mind issues.

© 2010 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form
without prior written permission is forbidden. The information contained herein has been obtained from sources believed to
be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although
Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors,
omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein
are subject to change without notice.

WHAT YOU NEED TO KNOW

This document was revised on 4 October 2010. For more information, see the Corrections
page on gartner.com.

User-provisioning solutions are maturing in function and capability, and the user-provisioning
market continues to consolidate. As some identity and access management (IAM) technologies
approach a commoditylike state, the boundaries between core IAM products, such as user
provisioning and companion product sets, are blurring.

Core provisioning functionalities are similar across most vendors (such as workflow engines,
approval processes, password management and "standard" connector sets). Therefore,
provisioning vendors seek to differentiate their product sets from those of competitors through
expanded IAM functionalities, such as:

Role life cycle management


Identity and access intelligence (IAI — that is, audit, log correlation and management,
analytics, monitoring, and reporting)

Improved workflow options to improve business process management (BPM) and
general governance, risk and compliance (GRC) integration

Better integration with "adjacent" and relevant security technologies, such as security
information and event management (SIEM), data loss prevention (DLP), network access
control (NAC), and IT GRC management (GRCM) tools

Improved integration with other suite components or IAM offerings from other vendors

Large-scale user-provisioning projects remain complex, requiring experienced integrators and
skilled project management for the enterprise. Most provisioning implementations succeed or fail
based on these integrators and on the relationship between customers and vendors. Most IAM
vendors realize that penetrating midmarket accounts — for instance, small or midsize businesses
(SMBs) — requires simple deployments at the product level. While success rates for complex
and/or major user-provisioning initiatives are improving, "horror stories" related to "failed"
implementations or poorly integrated replacements still abound.

Key differentiators when selecting user-provisioning solutions include, but are not limited to:

Price, including flexibility of pricing for deployment, maintenance and support programs.

Global scope, depth, availability and extent of partnerships with consultants and system
integrators (SIs) to deliver the solution.

Consultant and SI performance, which remains vital to success. Also vital are the level
and extent of experience of industry segment vendors and integrators to deliver
successful projects.

Time to value.

The ability to deliver subsidiary services that are not available in the core product
through:

Integration with component IAM features (for example, common user experience
and reporting).

Custom development.

Augmentation via partnerships or adjacent products or capabilities (for example, role
life cycle management, entitlement management, federated provisioning or IAI).

Other customer experiences, including satisfaction with installed provisioning systems
(that is, reference accounts).

Strategy, road map and alignment with other product offerings, including strategies for
addressing future cloud-computing and software as a service (SaaS) architectures.

Relevance in addressing identity-and-access-specific requirements in BPM and
business intelligence.

There is no "one size fits all" provisioning solution; as such, these differentiators will vary in
importance, given the specific organization, use cases, budget and business drivers.

Gartner recommends that enterprises embarking on user-provisioning initiatives:

Prioritize the key issues to be resolved, and provide clarity to the project being
implemented.

Document the project scope thoroughly, and seek outside review where possible.

Choose the specific technologies required for the specific requirements — Do not allow
a project to expand scope without a documented rationale.

Implement rigorous project oversight to ensure project scope integrity is maintained.

Establish a formal change process to bound project scope where possible.


Addressing these questions early can help companies avoid failure. For additional help, see
"Developing IAM Best Practices," "Q&A for IAM: Frequently Asked Questions," the IAM
Foundations series of research (starting with "IAM Foundations, Part 1: So You've Been Handed
an IAM Program ... Now What?"), and "How to Use 'Visioneering' Principles to Drive a Successful
Identity and Access Management Program."

Role life cycle management is increasingly viewed as a prerequisite (or, in more complex
initiatives, a parallel effort) for many new user-provisioning initiatives. Many enterprises that have
deployed user-provisioning systems have discovered that the access request process, such as
that provided by role life cycle management, is a missing element. Customers will find that user
provisioning and access request management are intricately connected, and planning for
provisioning will reflect that.

Gartner also recommends that enterprises planning for a virtualization architecture include
user-provisioning planning, because it plays an important role for virtual machines (VMs). User
provisioning provides the management of accounts and auditing for partitions, hypervisors and
VM monitors, as well as enforcing segregation of duties (SOD) for that environment.

Gartner believes that organizations facing compliance burdens are realizing that full provisioning
implementations (while still ultimately important and necessary for long-term compliance) can
actually be postponed or de-emphasized in the short term in favor of IAI solutions. For more
detail, see User Provisioning Is (in the Short Term) Giving Way to Other, Easier Projects.

STRATEGIC PLANNING ASSUMPTION
Through 2013, notable identity and access management project failures will cause 50% of all
companies to shift their IAM efforts to intelligence rather than administration.

MAGIC QUADRANT

Figure 1. Magic Quadrant for User Provisioning

Source: Gartner (September 2010)

Market Overview

Market Growth

Most user-provisioning vendors reported revenue increases in 2009 to 2010, thereby indicating
continued growth in the market (see the Market Maturity section below). However, growth for user
provisioning is slowing. In "Forecast: Security Software Markets, Worldwide, 2009-2014, 2Q10
Update," Gartner Dataquest reported a compound annual growth rate (CAGR) of 4.4% for the
user-provisioning market. User provisioning is now an approximately $940 million market, and
should become a $1 billion market in 2010.

The global 2009 CAGR of 4.4% for user provisioning is down from 17.4% in 2008. The notable
decline in growth is for two reasons: (1) there are ripples from the recent economic downturn; and
(2) clients are realizing that they can pursue compliance initiatives via technologies that promise
shorter-term "wins" (such as IAI, privileged-account activity management [PAAM], and Active
Directory to Unix bridging). For now, enterprises are shifting spending to those areas.

North America exhibited revenue growth of 4.2%; Western Europe, 4.0%; Asia/Pacific, 9.4%; and
Latin America, 5.0% — down significantly from 2008 across most regions. North America
accounted for 47.5% of 2009 market share; Western Europe, 28.1%; Asia/Pacific, 8.7%; and
Latin America, 3.1%.

Gartner expects user-provisioning revenue opportunities to continue growing through the end of
2010 as the market matures and consolidates, rebounding with a 9% CAGR in 2011. However,
Gartner believes that this will be the peak. Growth for the provisioning market will drop over the
next several years as enterprises deploy new-generation solutions and upgrade existing
deployments.

User-provisioning technologies and processes continue to mature, with well-established vendors,
well-defined IAM suites and a broad-based integrator market for them. Third-generation releases
are now available, with most basic capabilities well-structured and well-configured. Gartner
estimates that, as of mid-2010, approximately 30% to 35% of midsize to large enterprises
worldwide, across all industries and sectors, had implemented some form of user provisioning. An
additional 20% to 25% of them are evaluating potential solutions.

Significant Changes From Last Year's Magic Quadrant

The most notable year-over-year changes include the following:

Oracle clearly stands out in both vision and execution within the Leaders quadrant. This
is due to its rapid acquisition of new customers, internal innovation and improvements of
its IAM offerings, the acquisition of Sun Microsystems (which helps augment some of its
IAM capabilities), and a compelling road map.

Sun Microsystems is absent from the Magic Quadrant due to its acquisition by Oracle.

Since publication of the 2009 user-provisioning Magic Quadrant, Quest Software
acquired Voelcker Informatik. Both companies receive individual ratings in the 2010
Magic Quadrant, due to the recency of the acquisition, and because Quest intends to
keep Quest's ActiveRoles product and Voelcker's ActiveEntry product as separate
entities, selling one or the other based on specific customer use-case requirements.

Sentillion was acquired by Microsoft and is now part of Microsoft Health Solutions
Group. Sentillion proVision and Microsoft Forefront Identity Manager are being rated as
separate products, because they are developed, marketed and sold as distinct products.

All Leaders continued to improve (horizontally, vertically or both), based on:


Past velocity and trajectory

A continued commitment to meet road map commitments


A continued commitment to meeting customer needs proactively — via innovative
road maps — and/or reactively — via partnerships, internal development or
acquisitions

Many vendors in the Challengers, Niche Players and Visionaries quadrants are
beginning to "cluster" around the midpoint of the chart — a sign of overall market
maturity and commoditization of the core technologies being rated.

Microsoft made the most progress within the Challengers quadrant due to the release of
the long-awaited Forefront Identity Manager product, which improves the usability of its
provisioning solution, adds deep integration into many important Microsoft components,
and much improves the experience for both administrators and end users.

BMC Software moved from the Challengers quadrant to the Niche Players quadrant,
primarily based on shifting internal priorities, which impact its go-to-market strategy. This
is reflected in an overall slowing of its growth.

Ilex was dropped from the study this year due to minimal market presence.

User Provisioning Is (in the Short Term) Giving Way to Other, Easier Projects

As discussed in the What You Need to Know section of this research, Gartner sees a subtle shift
in the IAM market. That leads us to offer the following Strategic Planning Assumption for both end
users and vendors:

Through 2013, notable identity and access management project failures will cause 50% of
all companies to shift their IAM efforts to intelligence rather than administration.

Without a more formal and effective approach to delivering IAM solutions, enterprises will
continue to experience challenges in delivery. More importantly, the shift away from IT needs for
efficiency of operations, to enterprise needs for accountability, transparency and reliability, is
taking place. The business is taking a much more active role in the use of identity management
for critical business processes. As such, demands are decidedly different — IAI will be
increasingly required by the business for auditing and general compliance needs, analytics,
forensics investigations, and risk assessments and evaluations. Administration concerns that
require elements of monitoring and control do not go away, but attention will now be shared with
new analytics results for the business.

The inherent length and complexity of user-provisioning programs, combined with implementation
"horror stories," is at the heart of a notable trend. Specifically, Gartner believes that organizations
facing compliance burdens are realizing that full provisioning implementations (while still
ultimately important and necessary for long-term compliance) can be postponed or
de-emphasized in the short term in favor of IAI solutions. The reasoning is as follows:

Intelligence projects focus on auditing, log management and correlation, monitoring,
manual remediation, and analytics.

Implementing IAI tools is simpler compared with provisioning.

IAI tools deliver business value faster than provisioning does.

IAI tools more easily span all users and systems.

While real benefits can be realized with IAI, user provisioning cannot be delayed for a long time.
Consider the following:

User provisioning performs update and control functions, not just analysis.

Administration projects are becoming mainstream, and vendors are supporting more
"out of the box" solutions.

Implementing IAI tools provides insight — but does not remove the long-term need for
more efficient and effective identity administration.

Other Key Trends for 2010

Compliance continues to be a significant driver among global corporations for user provisioning,
although this depends on the relative size of the enterprise, the market segment and geography.
Security efficiency for cost containment and service-level targeting remains a strong driver
worldwide, and is being used to justify the expense for projects that may, in fact, be
compliance-driven. The most notable growth regions for provisioning are Western Europe, Asia/Pacific and
Latin America. Growth has slowed significantly in North America.
Significant contributors to the user-provisioning decision process in 2010 include:

Identity audit and reporting (that is, the ability to report fully and accurately on the effects
of user provisioning across the enterprise).

Role life cycle management, which defines, engineers, maintains and reports on
enterprise roles and rules as inputs to the provisioning process.

Total cost of ownership (TCO) and the time to value, which are of growing concern as
potential customers seek savings during times of economic uncertainty.

Specific industry segment size strategies (for example, SMB targeting).

Specific industry vertical strategies (for example, healthcare user-provisioning
differentiation).

GRCM support, driven primarily by enterprise application providers (such as SAP and
Oracle) through ERP implementations, and by the need to support fine-grained
authorization as part of the user-provisioning process. There is also a desire to deliver
an overall IAM governance program that identifies and supports the role of user
provisioning, and links it to the information security policy and the establishment of
controls.

SI and/or consultant selection for project or program implementation.

Privacy controls to ensure that what is provisioned is adequately protected from
technical and regulatory perspectives.

Provisioning for card management tools as part of a security management environment.


Many customers, especially large enterprises, continue to evaluate user-provisioning solutions as
part of a broader IAM suite or portfolio, depending on their specific requirements. This creates
additional challenges for user-provisioning vendors that do not offer a portfolio solution. Nonsuite
user-provisioning vendors still offer sufficient innovation and differentiation to compete effectively
with portfolio vendors, and still address customer needs that are not aggressively pursued by
portfolio vendors (for example, SMBs, specifically in industries such as healthcare). Continued
differentiation, agility and partnerships are critical for any nonsuite vendor to remain viable in the
long term. Differentiation, especially with regard to price (for example, fixed-cost engagements),
rapid deployment, "prepackaged" (that is, quick and proven) solutions, and ease of use, will be
key.

At present, four vendors are recognized as single providers of suites or portfolios — defined as
having at least directory services, user provisioning and Web access management. They are
Oracle, IBM Tivoli, Novell and CA Technologies, and all are in the Leaders quadrant. Many other
vendors, such as Courion, Siemens, Evidian and Quest, offer partial suites; they and many point
vendors are expanding their offerings to full suites through partnerships.

Nonsuite provisioning vendors typically partner with other vendors that offer other IAM component
products, and they offer comprehensive licensing with customers and partners as competitive
leverage to create relationships and opportunities, particularly in displacement strategies. This
has as great an impact on the future of the user-provisioning market as product features or SI
partnerships do.

Some of the user-provisioning vendors sell solutions to managed or hosted service providers,
illustrating a design and configuration that would allow a managed or Internet-based service
offering for user provisioning. Early indicators show that evaluations, particularly for SMBs, of
user provisioning as part of a broader SaaS offering, are occurring in major service provider firms.

Although technical improvements in user provisioning continue, project complexity for large
implementations remains a challenge for customers, and could result in long planning and
deployment periods. Structured and formal methods of planning and implementing
user-provisioning solutions in enterprises have improved, but are still evolving. Most IAM project
failures are related to issues in vision, governance and the project scoping/definition phase.
Customers embarking on an IAM initiative must spend time properly defining and prioritizing
specific business challenges and use cases that user provisioning must address. Success
practices include, but are not limited to:

Developing a clear and compelling vision of the IAM program, "selling" that vision to key
stakeholders, and communicating project status and successes/issues throughout the
program (see "How to Use 'Visioneering' Principles to Drive a Successful Identity and
Access Management Program"). This will embrace far more than user-provisioning
implementation projects, of course.

Using a decision framework for planning IAM that includes identifying, prioritizing and
organizing key resources in the implementation process for user provisioning (see "A
Decision Framework for Initial Identity and Access Management Planning").

Selecting a proven program partner (that is, consultant or system integrator) to lead the
effort in a reasonable time frame — one that understands the business issues of user
provisioning and the technical implementation concerns required to be successful.

Addressing issues related to role life cycle management for effective user provisioning.

Addressing critical issues in post-implementation customer environments related to
fixes, integration or expansion.

Before you select an IAM vendor or system integrator, we recommend that you review "Q&A for
IAM: Frequently Asked Questions," "Developing IAM Best Practices," "How to Use 'Visioneering'
Principles to Drive a Successful Identity and Access Management Program," "IAM Foundations,
Part 1: So You've Been Handed an IAM Program ... Now What?" and related research.

Further Trends

The role of IAI, SIEM and DLP continues to grow in user-provisioning solutions as security and
network events are correlated with identity and access events to provide a full picture of the
network (see "SIEM and IAM Technology Integration").

Commoditization of some aspects of IAM is evident, with smaller vendors offering
appliance-based solutions for low-volume, simple provisioning needs. In addition, traditional networking and
platform vendors (large and small) that provide such solutions will begin entering the provisioning
market, offering simple, basic provisioning for interested audiences and use cases.

While in its early stages, IAM as a service will expand to include provisioning for some clients,
although a significant market adoption is unlikely before 2012. Early predictions of IAM as a
service have been impacted by economic conditions — interest is high, but deployment is not
(see "IAM in a World of Services" and "Identity's Role in Cloud Architecture, 2010").

Market Maturity

User provisioning can be considered a "horizontal" function in the enterprise. Enterprises consist
of vertical functions, such as accounting, finance, human resources and functions specific to that
enterprise. Provisioning has an impact on all of them if they are part of the integrated IAM
solution. Failure to address this functional concept well inhibits success, and successful vendors
and integrators have learned this painful lesson.

A comprehensive process for assigning and tracking entitlements within an enterprise can be a
key criterion in user provisioning. Role life cycle management actually provides two primary
functions. One builds the necessary infrastructure of an access request system by discovering
existing entitlements and candidate roles and creating repositories for them. The other provides
an administration and reporting system for the access request process. Special tools can also
provide an experienced analyst with modeling and analytics tools for reporting on the process to
those who need such reports — for example, compliance and audit teams.

The market for role life cycle management consists of component solutions that are part of the
major vendor IAM suites (for example, Oracle and CA) and component stand-alone solutions (for
example, Aveksa and SailPoint). The use of such tools can reduce the manual workload related
to role discovery and mapping by 40% to 55%. However, the complexity of role life cycle
management efforts can rival those of user provisioning, particularly in enterprises with complex
IT systems. As with user-provisioning initiatives, rigorous planning and process work are vital to
success.

A third area of growing maturity is IAI. As compliance and regulatory needs become more specific
and are better defined, identity analytics, data correlation and audit reporting are evolving as
products and product functions to address specific enterprise needs. Although this remains an
ongoing process, many vendors offer compliance dashboards, identity and access log
management, or "canned" reports to address these needs as part of such IAI solutions, or as
input into GRCM vendor solutions.

Characteristics of Leading Vendors

Although the user-provisioning market has matured and vendors from any of the quadrants could
potentially address customer needs, particular characteristics of a good candidate vendor still
exist:

Price and service: As the market continues to move to maturity, price differentiation
and pricing options become more important to the vendor as well as to the customer.
This pricing extends to preimplementation and postimplementation experience.

Good partners: Good user-provisioning vendors have good implementation partners —
those with proven histories of performance, and the ability to understand and address
customer industry requirements that are affected by differences in business segment,
region and size. Some vendors have direct integration experience, and industry
expertise is a requirement.

The ability to define deliverables, phases of the project, metrics and an "end
state": When embarking on an initiative as potentially complex as user provisioning,
customers must ensure that the program is defined with metrics that can be measured,
and with projects that have an end. Many earlier user-provisioning experiences lasted
for years because of the inability to know when the end has been reached (or even what
the goal of Phase 1 is). There must be an end to a business-critical implementation
project (such as user provisioning), or at least those phases of technology and process
implementation, to enable the ongoing program to continue.

Coupling and uncoupling the suite: A world-class user-provisioning vendor should be
able to sell user provisioning and the associated user-provisioning services (for
example, identity audit and reporting, or workflow) without requiring customers to buy
the entire IAM suite that it sells. Integration is a good thing, but not when the system is
so tightly integrated that uncoupling it later on to implement a complementary third-party
tool is impossible. This represents an aggressive competition strategy for pure-play,
user-provisioning providers.

Solution selling vs. making it fit: A leading vendor will provide user provisioning as
part of a packaged solution that's tailored to the customer's stated requirements, rather
than forcing the customer's requirements to fit the product. The corollary of this is that
the customer must have a clear and comprehensive definition of requirements before
conducting any formal evaluation of specific tools. Although there must always be some
practical compromise, mature, best-in-class solutions are able to look more like the
customer's business requirements rather than a vendor's technical specifications.

Modularity: Mature user-provisioning products show an awareness of enterprise
architectures and the role of the products within them. These products also have a
quicker turnaround in feature and version release, because the product design allows for
smoother updates and follows a secure system development methodology. Mature
product vendors in user provisioning show an awareness of the requirements for
service-oriented and service-centric infrastructures, and move to accommodate them
with service-centric solutions, where possible.

Migration and upgrade: User-provisioning vendors should exhibit a formal plan for
migrating from a competitor's offering to their own, and be able to do so quickly and
effectively. This also applies to a vendor's ability to provide quick and effective upgrades
to their existing solutions.

The postimplementation experience: User provisioning is a well-established market.
As such, user-provisioning products (and integrators) should demonstrate signs of
maturity. If customers are unhappy and seek replacement solutions and services, then
there are serious issues with planning and requirements. The postimplementation
experience for a new customer and an upgrade customer will say a lot about world-class
user-provisioning vendors in this market.

While a single list cannot hope to capture all of the nuances of what makes a "leading vendor," it
does help develop the mind-set of what to look for. This is relatively independent of vendor size or
industry range in the user-provisioning market, and can provide an opportunity for even the
smallest vendor to excel in a comparative view of customer experience.

User Provisioning as Part of a Suite or Portfolio vs. Pure-Play Product

Situations in which customers might choose a pure-play user-provisioning vendor over a suite or
portfolio vendor include:

Policy-driven or IT concerns regarding vendor lock-in (that is, a "monoculture" for IAM
solutions)

Customers that already have solutions for access management or "point" identity
management solutions from a vendor whose user-provisioning solution does not meet
requirements

Price, time of implementation or industry-specific options

The product being just a better fit for customer needs

Situations in which customers might choose an IAM suite vendor over a point vendor include:

Customers constrained by the number of vendors that they can choose, particularly for a
multitool IAM solution — of which user provisioning is one

An application or infrastructure requirement that specifies the product suite as optimal
for integration with that application or infrastructure

A licensing or cost advantage achieved by owning products or using services from the
suite or portfolio vendor

An agreement between a provider of outsourced services and a client in which a
consolidated contract with a preferred vendor is more acceptable

The product being just a better fit for customer needs


Increasingly, IAM suite vendors are using the "relationship" to the customer as a strategic
advantage over a pure-play provider. Relationship includes any existing contracts or provider
agreements a customer may already have with that vendor, a desire to pursue a unified
maintenance agreement, or a wholesale adoption of that vendor's architecture and road map that
includes IAM. This constrains pure-play providers from participating in such an environment.

It is important to note that selling component IAM products does not constitute integration.
Instead, true user experience, workflow, and reporting and brokering functions, such as common
architecture and implementation, constitute customer views of integration. For an in-depth
discussion of the actual levels of integration within the major suite vendors, see "Comparing IAM
Suites, Part 1: Suite or Best of Breed?" and "Comparing IAM Suites, Part 2: Heterogeneous
Deployments" and "IAM Foundations, Part 2: Tools and Technologies."

Addressing the Vendor Viability Question

There is a perception that, if a vendor is small, then its long-term viability is questionable;
conversely, there is the perception that large vendors are a better bet because they should be
around for a long time.

This line of thinking, while somewhat reasonable, is fatally flawed. Reality intrudes on these
innocent perceptions. For example, in 2008, HP exited the IAM market; and in early 2010, Oracle
acquired Sun Microsystems. Further, BMC has shifted its IAM strategy significantly, from
being a mainstream IAM competitor to mostly being interested in selling to existing BMC
customers under its Business Service Management strategy. Other, less notable, examples exist
as well. As a result, choosing a large IAM vendor is not as "safe" as one might believe.
However, even with the above-mentioned facts, customers may begin to think something along
the following lines, "Well, I should just choose the largest company possible, and I'll be safe." As
such, many potential IAM purchasers begin to narrow their scope to vendors such as IBM and
Oracle. There is still another fatal flaw in that rationale — namely, these large companies cannot
promise product-level viability. Product-level viability is ultimately what customers are interested
in. Consider the following brief sampling of the history related to the lack of product-level viability
from large vendors:

IBM's discontinuance of Tivoli User Manager in favor of Access360 enRole, which
became Tivoli Identity Manager.

IBM's OEM (February 2006) and subsequent removal of Passlogix for enterprise single
sign-on (ESSO). It was replaced by acquiring ESSO vendor Encentuate in March 2008.

IBM's marketing of and subsequent sunset of Tivoli Privacy Manager. No full
replacement strategy ever existed.

IBM's marketing of and subsequent sunset of Tivoli Risk Manager. It was replaced via
the acquisition of Micromuse and Consul Risk Management.

Oracle's acquisition of Bridgestream for role management. Subsequently, it was sunset
and replaced by the functionality offered by Sun Role Manager (previously Vaau).

Quest's purchase of PassGo and sunset of its own SSO tool.

CA, Novell and Siemens have all changed focus or strategies in the past. What does
this have to do with viability? It shows how invested the vendor is in the IAM strategy.
Customers really need to understand how IAM fits into the overall corporate strategy,
whether investments are self-serving or customer-driven, and how important it is to the
vendor's success.
This history shows there is no guarantee of viability at a vendor level or a product level. Gartner
believes some diversification may be a prudent course of action. In addition, customers should:

Aggressively negotiate contracts related to long-term support.

Require proactive measures, such as source code escrow.


Review the vendor's history related to acquisitions.

Review the vendor's financial situation.

Acquire products that are based on well-understood standards and protocols.


Create detailed documentation of the processes that a product automates — that way, if
forced to change products, a customer will have a pre-established list of functional
requirements stating what the product must do.
Deployment Costs
In 2009, the average ratio of product licensing to consulting/integration costs was approximately
1-to-3 (for every $1 in software costs, the customer would spend $3 on consulting/integration).
For some vendors and implementations, it was as high as 1-to-5, but for others — particularly
pure-play vendors (where the scope of effort may be smaller if user provisioning alone is
addressed) — the ratio approached 1-to-2 or even 1-to-1. The goal for most vendors (and
integrators) is to have as low a ratio as possible. As the market continues to mature and more
preconfigured packages become available, this is possible even for larger portfolio vendors.

Market Definition/Description
Defining IAM
IAM is a set of processes and technologies to manage across multiple systems:

Users' identities — Each comprising an identifier and a set of attributes

Users' access — Interactions with information and other assets

User provisioning is a fundamental part of an overall IAM technology offering. The four major
categories of IAM are:
Intelligence: IAI is essentially business intelligence for IAM. IAM intelligence
technologies provide the means of collecting, analyzing, auditing, reporting and
supporting rule-based decision making based on identity and identity-related data. This
data helps organizations measure, manage and optimize performance to achieve
security efficiency and effectiveness and to deliver business value.

Administration: IAM administration technologies offer a means of performing
identity-related tasks (for instance, adding a user account to a specific system). In general,
administration tools provide an automated means of performing identity-related work
that would otherwise be performed by a human; examples include tasks such as
creating, updating or deleting identities (including credentials and attributes), and
administering access policies (rules and entitlements). User provisioning is an IAM
administration technology.

Authentication: IAM authentication technologies are deployed to provide real-time
assurance that a person is who he or she claims to be, to broker authentication over
multiple systems and to propagate authenticated identities. Authentication methods
embrace many different kinds of credentials and mechanisms, often in combination with
various form factors (for instance, hardware tokens or smart cards). At the time of this
writing, passwords are still the most often used method of authentication (for more
information, see "A Taxonomy of Authentication Methods").

Authorization: IAM authorization technologies are a form of access control used to
determine the specific scope of access to grant to an identity; they provide real-time
access policy decision and enforcement (based on identities, attributes, roles, rules,
entitlements and so on). Users should be able to access only what their job functions
allow them to access. For instance, if a person is a "manager," he or she is granted the
access necessary to create or edit a performance review; if a person is not a manager,
then he or she should be able to review only his or her own performance review and
only at a specific stage of the review cycle. Web access management, entitlement
management, identity-aware networks and digital rights management tools are
examples of authorization management technologies.
These categories are based on a foundation of identity repository technologies that include
enterprise Lightweight Directory Access Protocol (LDAP) directories, virtual directories,
metadirectories, and (increasingly) relational databases. While standard LDAP directories remain
the identity repository of choice, limitations inherent in these directories relative to "fine-grained"
authorization and policy implementation may require database participation. LDAP directories are
optimized for fast reads and are optimal for large environments. However, there are limits,
because in these large-scale environments (that is, more than 500,000 users), there are
significant changes requiring replication or "writes." Traditional LDAP directories can experience
performance problems during synchronization events, resulting in "stale" or unreliable data.
Defining User Provisioning
User-provisioning solutions are the main engine of identity administration activities.
User-provisioning tools have some or most of the following functions:

Workflow and approval processes

Password management (with the ability to support self-service)

Other credential management
Role life cycle management

User access administration (with the ability to support self-service)

Resource access administration (with the ability to support self-service)


Basic IAI (analytics, auditing and reporting), including SOD support
User-provisioning solutions address an enterprise's need to create, modify, disable and delete
identity objects across heterogeneous IT system infrastructures, including operating systems,
databases, directories, business applications and security systems. Those objects include:

User accounts associated with each user

Authentication credentials — Typically for information system access, and then most
often just passwords, but sometimes for physical access control

Roles — Business level, provisioning level and line-of-business level

Entitlements (for example, assigned via roles or groups or explicitly assigned to the user
ID at the target system level)

Managing group membership or role assignments, from which entitlements may flow

Managing explicit entitlements

User profile attributes (for example, name, address, phone number, title and
department)

Access policies or rule sets (for example, time-of-day restrictions, password
management policies, how business relationships define users' access resources and
SOD)
User-provisioning products are a subset of identity administration products, which are a subset of
the broader IAM landscape (intelligence, administration, authentication and authorization). All
user-provisioning products offer the following capabilities for heterogeneous IT infrastructures:

Automated adds, changes or deletes of user IDs at the target system

Password management functionality — For example, simplified help desk password
reset, self-service password reset and password synchronization, including bidirectional
synchronization (sold as a separate product by some user-provisioning vendors
because they had their start there)

Delegated administration of the user-provisioning system


Self-service request initiation

Role-based provisioning through capabilities provided by role life cycle management
features or partners

Workflow — Provisioning and approval

HR application support for workforce change triggers to the user-provisioning product

Reporting the roles assigned to each user and the entitlements that each user has

Event logging for administrative activities
A comprehensive user-provisioning solution has the following additional capabilities:
SOD administration and reporting: Enterprises need to automate and manage
application-level business policies and rules to identify SOD violations. They also need
to quickly remove those violations from the application environment, and ensure that
new SOD violations are not introduced in the course of the ongoing management and
identity administration of the application. Today, SOD tools exist primarily for ERP
applications — ERP-specific, transaction-level knowledge is required to successfully
enforce SOD in these environments. However, a generic SOD framework is required to
address all SOD application needs in the enterprise. Typically, a role is used as the
container to segregate conflicting business policies in the application environment. Many
user-provisioning vendors deliver capabilities for this heterogeneous framework. It does
not alleviate an ERP product's need for SOD, because these tools have extensive
integration with ERP applications. User-provisioning vendors should continue to partner
with ERP vendors to deliver complete SOD solutions.

Role life cycle management: Regulatory compliance initiatives are directing IAM
efforts back to the drawing board for role development. The role becomes a very
important control point that enterprises need to manage in a life cycle manner — just as
they do an identity. Enterprises need the ability to automate processes to:

Define existing roles through role-mining automation.

Manage formal and informal business-level roles for any view of the enterprise (for
example, location, department, country and functional responsibility), and to feed
user-provisioning products to ensure that the link is made between the business role
and associated IT roles.

Establish a process by which the development process for new roles in the
enterprise follows the same management process used for existing roles, and ties
those new roles to the automated role life cycle management solution.

Deliver a generic framework to address all role life cycle management needs. Most
user-provisioning vendors are partnering with role life cycle management vendors,
acquiring them or building that expertise with the user-provisioning solution.

Manage the role throughout its life cycle — role owner, role changes, role review,
role assignment, role retirement and role-based reporting options.
IAI audit reporting: Meeting the regulatory compliance requirements of reporting on
SOD, roles, "who has access to what," "who did what," and "who approved and
reviewed what" (referred to as "the attestation process" in auditing terms) for all IT
resources is complex and expensive in the heterogeneous IT infrastructure. Reporting
tools need to be in place to leverage the user-provisioning authoritative repository, and
all other repositories that are used for the authentication and authorization process to
produce reports on SOD, role, "who has access to what," and "who approved and
reviewed what," which include the entire enterprise's IT assets. In addition, centralized
event logs for all identity management activities — those from the user-provisioning and
access management products, as well as all systems where authentication and
authorization decisions are being made in real time — are needed to do a proper job of
reporting "who did what."
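
The SOD administration and "who has access to what" reporting described above can be sketched as follows. This is an added example, not code from Gartner or from any vendor named in this report; the role names, entitlement strings and rule IDs are constructed sample data, and entitlements can arrive through a role or through an explicit grant at the target system.

```python
"""SOD checks over provisioning data. All names and data below are constructed."""
from collections import defaultdict

# Constructed sample: each role is a container of entitlements.
ROLE_ENTITLEMENTS = {
    "AP_Clerk": {"erp:vendor.create", "erp:invoice.enter"},
    "AP_Approver": {"erp:payment.approve"},
    "HR_Analyst": {"hr:record.read"},
}

# Constructed sample: pairs of entitlements one identity must not hold together.
SOD_RULES = {
    "SOD-01": ("erp:vendor.create", "erp:payment.approve"),
    "SOD-02": ("erp:invoice.enter", "erp:payment.approve"),
}

# Constructed sample: current assignments in the provisioning repository.
USER_ROLES = {
    "alice": {"AP_Clerk"},
    "bob": {"AP_Approver"},
    "carol": {"AP_Clerk", "HR_Analyst"},
}
# Entitlements assigned directly to the user ID at the target system.
USER_EXPLICIT = {"carol": {"erp:payment.approve"}}


def entitlement_sources(user, roles=None, explicit=None):
    """Map each entitlement the user holds to the sources that grant it."""
    roles = USER_ROLES.get(user, set()) if roles is None else roles
    explicit = USER_EXPLICIT.get(user, set()) if explicit is None else explicit
    sources = defaultdict(set)
    for role in roles:
        for ent in ROLE_ENTITLEMENTS[role]:
            sources[ent].add("role:" + role)
    for ent in explicit:
        sources[ent].add("explicit")
    return sources


def violations_for(user, roles=None, explicit=None):
    """Return the SOD rules the user breaks, with the grants that cause each."""
    sources = entitlement_sources(user, roles, explicit)
    found = []
    for rule, (left, right) in sorted(SOD_RULES.items()):
        if left in sources and right in sources:
            via = sorted(sources[left] | sources[right])
            found.append({"user": user, "rule": rule, "via": via})
    return found


def all_users():
    return sorted(set(USER_ROLES) | set(USER_EXPLICIT))


def detect_violations():
    """Detective control: scan every identity for existing violations."""
    return [v for user in all_users() for v in violations_for(user)]


def check_role_request(user, requested_role):
    """Preventive control: violations that granting the role would newly create."""
    if requested_role not in ROLE_ENTITLEMENTS:
        raise KeyError("unknown role: " + requested_role)
    already = {v["rule"] for v in violations_for(user)}
    proposed = USER_ROLES.get(user, set()) | {requested_role}
    return [v for v in violations_for(user, roles=proposed)
            if v["rule"] not in already]


def access_report():
    """'Who has access to what': (user, entitlement, granting sources) rows."""
    rows = []
    for user in all_users():
        for ent, src in sorted(entitlement_sources(user).items()):
            rows.append((user, ent, sorted(src)))
    return rows


if __name__ == "__main__":
    print("Existing violations:")
    for v in detect_violations():
        print(" ", v)
    print("Request alice -> AP_Approver would add:")
    for v in check_role_request("alice", "AP_Approver"):
        print(" ", v)
    print("Access report:")
    for row in access_report():
        print(" ", row)
```

Carol's violation comes from a role combined with an explicit grant, which a check that looks only at role-to-role conflicts would miss.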

No user-provisioning vendor (or suite vendor) provides all identity management capabilities noted
above without some partnering. For most enterprises, additional products are required to round
out the functionality set. Security information and event management (SIEM) tools can be used
for "who did what" reporting at the event level, with granularity by time of day, geography, network
port and other details; and we are seeing increased vendor interest in creating integration paths
between "core" IAM products and SIEM (and other) intelligence or analytics tools. DLP tools
provide "content awareness" for accessing files and databases, and will play a significant role in
delivering more-precise entitlement assignments (in role management — see "Introducing
Content-Aware IAM" and "SIEM and IAM Technology Integration").
The 2010 Magic Quadrant focuses on vendor delivery of ease of deployment, ongoing
operations, and maintenance and vendor management as a sign of maturity. The research also
emphasizes marketing vision and execution, and evaluates sales and advertising execution as
part of the overall experience:

How do the user-provisioning vendors deliver core user-provisioning capabilities as an
enterprise management system in support of an ongoing, changing business
environment? Similar to the 2009 Magic Quadrant, in 2010, we evaluated how easy it is
to change and maintain workflow and connectors, but we also evaluated software
services (scripts) and other functionality, such as integrating the user-provisioning
product with the HR application and building the authoritative repository.

Because user provisioning is a maturing market, we also evaluated vendors' marketing
and sales effectiveness in terms of market understanding, strategy, communications and
execution. We evaluated each vendor's organization for such services, its ability to
change to reflect customer demands and its overall success as measured by customers.

Increased attention was given to the vendor's role life cycle management vision, strategy
and road map — particularly in terms of IAI, compliance reporting and remediation.

We also increased attention on the IAI capabilities, their ease of use and their
"attractiveness" to end users (via relevant out-of-the-box reports, applicable dashboards
and so on).

Increased attention was given to "adjacent" technologies in GRCM, SIEM, network
access control (NAC) and DLP, and their ultimate impact on IAI functionality for
provisioning.

We focused on the early stages of "service-architected" user provisioning to prepare for
large-scale, large-volume provisioning requirements. Early uses of large-scale
provisioning are already evident.
Gartner ranks vendors in the Magic Quadrant based partly on product capability, market
performance, customer experience and overall vision to determine which vendors are likely to:

Dominate sales and influence technology directions during the next one to two years.

Be visible among clients through several marketing and sales channels.


Generate the greatest number of information requests and contract reviews.
Have the newest and most-updated installations.

Be the visionaries and standard bearers for the market.

Inclusion and Exclusion Criteria
The following criteria must be met for vendors to be included in the user-provisioning Magic
Quadrant:

Support for minimum, core user-provisioning capabilities across a heterogeneous IT
infrastructure

Automated adds, changes and deletes of user IDs at the target system

Password management functionality


Delegated administration
Self-service request initiation

Role-based provisioning supported by role life cycle management


IAI

Workflow provisioning and approval

HR application support for workforce change triggering to the user-provisioning product


Reporting the roles assigned to each user and the entitlements that each user has

An event log for administrative activities

Products deployed in customer production environments, and customer references


Vendors not included in the 2010 Magic Quadrant may have been excluded for one or more of
the following reasons:

They did not meet the inclusion criteria.

They support user-provisioning capabilities for only one specific target system (for
example, Microsoft Windows and IBM iSeries).

They had minimal or negligible apparent market share among Gartner clients, or
currently available products.

They were not the original manufacturers of a user-provisioning product — This includes
value-added resellers (VARs) that repackage user-provisioning products (which would
qualify for their original manufacturers); other software vendors that sell IAM-related
products, but don't have user-provisioning products of their own; and external service
providers that provide managed services (for example, data center operations
outsourcing).

Added
No new vendors were added to this year's study.

Dropped
Ilex — Dropped due to minimal market share and minimal client mentions.
Sun Microsystems — Dropped due to its acquisition by Oracle (see "Oracle and Sun:
Managing IAM Under a Single Identity").

Other Vendors of Note
econet (www.econet.de/english/default.htm)
Based in Munich, Germany, and founded in 1994, econet has, since early 2006, entered the
user-provisioning market with cMatrix — a service management, service-oriented offering targeted at
service providers primarily in EMEA. In many respects, econet's marketing and sales model is
very similar to Fischer International's. Early clients include Siemens and KPMG. econet continues
to market to the IAM-as-a-service candidate — either the provider of such services or the client
interested in developing a private IAM-as-a-service experience.
Fox Technologies (www.foxt.com)
A Mountain View, California, company, FoxT has products that focus primarily on access control
and service account management. However, FoxT ApplicationControl addresses basic elements
of password management, account administration (including basic provisioning), and audit
reporting as part of an IAM package — including SOD enforcement, monitoring and reporting.
Ilex (www.ilex.fr/en)
Based in Asnières-sur-Seine, France, near Paris, Ilex provides three major products: Sign&go
(Web and ESSO), Meibo (workflow, basic provisioning and some role management), and Meibo
People Pack (extended reporting and audit for provisioning). Founded in 1989, Ilex has
accumulated a small, yet solid customer base, predominantly in France. With features such as
Service Provisioning Markup Language (SPML) support, a simple design and user-friendly
interface, and good connector kits for provisioning and SSO, Ilex is able to effectively compete in
a number of banking and finance, telecommunications, and transportation industry segments
against larger competitors.
Imanami (www.imanami.com)
Based in Livermore, California, Imanami is a lesser-known company, but it has some notable
clients. Imanami's GroupID Synchronize serves as a data synchronization engine for an Active
Directory environment through custom scripting, enabling Microsoft-centric enterprises to
leverage their infrastructures to some extent. AT&T (formerly, Cingular Wireless) is a client.
Institute for System-Management (www.secu-sys.com)
Based in Rostock, Germany, near Berlin, iSM is a small company focused on
German-speaking-country markets with its bi-Cube product for provisioning, SSO, and process and role life cycle
management. Privately funded, this 10-year-old enterprise takes a process-centric, business
intelligence focus to deliver a series of preconfigured process and configuration modules
("cubes") that can be linked together to provide user-provisioning and role life cycle management
functionality. It has a small customer base in Germany, Austria and Spain, in large industries,
such as telecommunications and insurance. iSM continues to refine the modules to form a more
standardized user-provisioning and process management product offering.
Lighthouse Security Group (www.discoverlighthousegateway.com)
Headquartered in Lincoln, Rhode Island, Lighthouse Security Group established its SaaS-based
offering after building up experience developing a managed offering in the U.S. defense market.
Lighthouse's offering is unique, in that it has overlaid a common, easy-to-use graphical
administration capability onto IBM Tivoli's core IAM products to deliver a relatively complete set of
IAM functions as a multitenant, SaaS-based service.
Lighthouse's approach allows customers to take advantage of the multifaceted feature set of IBM
Tivoli's provisioning, Web access management and federation products, while being shielded
from many of those products' complexities. This provides integration hooks into many enterprise
identity repositories for automated provisioning and leverages these repositories as
authentication and entitlement sources. While extensive administrative and access control event
data is logged, reporting is the customer's responsibility. Several SaaS target applications have
been integrated with the service.
NetIQ (www.netiq.com)
NetIQ, a global enterprise software vendor headquartered in Houston, Texas, is perhaps best
known for its operations management and monitoring technologies and security monitoring
technologies. However, many organizations are unaware that NetIQ has also been quietly
growing a respectable IAM portfolio and a solid customer base for those tools. NetIQ is best
suited for organizations that have selected Active Directory as their core or one of their core
directories. The IAM solution components available from NetIQ include user provisioning (via
NetIQ Directory and Resource Administrator, Advanced Edition), compliance and audit
management, privileged-account activity management, Active Directory-Unix bridge (OEM of
Centrify), and user self-service (including password reset) capabilities.
OpenIAM (www.openiam.com [commercial] and www.openiam.org [open source])
Headquartered in Cortlandt Manor, New York, OpenIAM has created an integrated suite of
provisioning, access management and federation components, offered in professional
open-source and enterprise licensing models. Components use a common enterprise service bus for
integration. OpenIAM's Identity Manager product provides core capabilities found in other
commercial products, such as self-service, password management and audit, and it includes
SPML-based connectors to many commonly used targets.
The company's Access Manager product provides support for password- and certificate-based
authentication, coarse- and fine-grained authorization, XACML 2.0 support, and SAML identity
provider and service provider federation support, and it includes a security token service.
OpenIAM has been fortunate to receive support from early government and SI customers, who
have been pushing and funding OpenIAM to expand its capabilities. OpenIAM offers a very
attractive support and pricing model.
SailPoint (www.sailpoint.com)

SailPoint is based in Austin, Texas, and serves the Global 1000, with customers that include
seven top-tier global banks, four of the world's largest property and casualty insurers, the largest
global telecommunications provider, two of the largest biotechnology manufacturers in the world,
and three of the top healthcare insurers. SailPoint originally entered the market as a technology
innovator, augmenting customers' existing provisioning systems in order to meet needs in role
and compliance management and identity governance. SailPoint now also sells an access
request-based user-provisioning solution that is a fully integrated component of the IdentityIQ
solution.

Evaluation Criteria
Ability to Execute
Gartner evaluates technology providers on the quality and efficacy of the processes, systems,
methods or procedures that enable IT provider performance to be competitive, efficient and
effective, and to positively impact revenue, retention and reputation. Ultimately, technology
providers are judged on their ability to capitalize on their vision and succeed doing so. For user
provisioning, the ability to execute hinges on key evaluation criteria:

Product/Service: These are core goods and services offered by the technology provider that
compete in or serve the defined market. This includes current product or service capabilities,
quality, feature sets, skills and so on, whether offered natively or through OEM agreements or
partnerships, as defined in the market definition and detailed in the subcriteria. Specific
subcriteria are:

Password management, including shared account or service account password
management support

User account management or role-based provisioning

Management of identities
Workflow — persistent state, nested workflows, subworkflows, templates of common
user-provisioning activities and change management

Identity auditing reports

Connector management

Integration with other IAM components


User interfaces

Ability to configure, deploy and operate

Role life cycle management

Resource access administration

Impact analysis modeling for change


SPML 2.0 support
Overall Viability (Business Unit, Financial, Strategy, Organization): This includes an
assessment of the overall organization's financial health; the financial and practical success of
the business unit; and the likelihood of the individual business unit to continue investing in the
product, offering the product and advancing the state of the art in the organization's portfolio of
products. Specific subcriteria are:

History of investment in the division


Contribution of user provisioning to revenue growth
Sales Execution/Pricing: This is the technology provider's capabilities in all presales activities
and the structure that supports them. This includes deal management, pricing and negotiation,
presales support, and the overall effectiveness of the sales channel. Specific subcriteria are:

Pricing

Market share
Additional purchases (for example, relational database management system, application
server and Web server)
Market Responsiveness and Track Record: This is the ability to respond, change direction, be
flexible and achieve competitive success as opportunities develop, competitors act, customer
needs evolve and market dynamics change. This criterion also considers the provider's history of
responsiveness. Specific subcriteria are:

Product release cycle

Timing
Competitive replacements
Marketing Execution: This is the clarity, quality, creativity and efficacy of programs designed to
deliver the organization's message to influence the market, promote the brand and business,
increase awareness of the products, and establish a positive identification with the product or
brand and organization in buyers' minds. This "mind share" can be driven by a combination of
publicity, promotional, thought leadership, word-of-mouth and sales activities. Specific subcriteria
are:

Integrated communications execution


Customer perception measurement
Customer Experience: This is the relationships, products, and services or programs that enable
clients to be successful with the products evaluated. Specifically, this includes the ways that
customers receive technical support or account support. This can also include ancillary tools,
customer support programs (and the quality thereof), the availability of user groups, SLAs, and so
on. Specific subcriteria are:

Customer support programs


SLAs
Operations: This is the organization's ability to meet its goals and commitments. Factors include
the quality of the organizational structure, such as skills, experiences, programs, systems and
other vehicles that enable the organization to operate effectively and efficiently on an ongoing
basis. Specific subcriteria are:

Training and recruitment

Number of major reorganizations during the past 12 months

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                   Weighting
Product/Service                                                       High
Overall Viability (Business Unit, Financial, Strategy, Organization)  Standard
Sales Execution/Pricing                                               Standard
Market Responsiveness and Track Record                                High
Marketing Execution                                                   High
Customer Experience                                                   High
Operations                                                            Standard

Source: Gartner (September 2010)

Completeness of Vision
Gartner evaluates technology providers on the ability to convincingly articulate logical statements
about current and future market directions, innovations, customer needs, and competitive forces,
and how well these map to the Gartner position. Ultimately, technology providers are rated on
their understanding of how market forces can be exploited to create opportunities for the provider.
For user provisioning, completeness of vision hinges on key evaluation criteria:
Market Understanding: This is the ability of the technology provider to understand buyers'
needs and translate them into products and services. Vendors that show the highest degree of
vision listen to and understand buyers' wants and needs, and can shape or enhance those
desires with their added vision. Specific subcriteria are:

Market research delivery

Product development

Agility in responding to market changes


Marketing Strategy: This is a clear, differentiated set of messages that is consistently
communicated throughout the organization and externalized through the website, advertising,
customer programs and positioning statements. Specific subcriteria are:

Integrated communications planning

Advertising planning

Sales Strategy: This is the strategy for selling products using the appropriate network of direct
and indirect sales, marketing, service, and communications affiliates that extend the scope and
depth of market reach, skills, expertise, technologies, services and the customer base. Specific
subcriteria are:

Business development

Partnerships with system integrators

Channel execution

Offering (Product) Strategy: This is a technology provider's approach to product development
and delivery that emphasizes differentiation, functionality, methodology and feature set as they
map to current and future requirements. Specific subcriteria are:

Product themes

Foundational or platform differentiation


Business Model: This is the soundness and logic of a technology provider's underlying business
proposition. Specific subcriteria are:

Track record of growth


Frequency of restructuring

Consistency with other product lines


Vertical/Industry Strategy: This is the technology provider's strategy to direct resources, skills
and offerings to meet the specific needs of individual market segments, including vertical
markets. Subcriteria are:

SMB support

Industry-specific support

Innovation: This is the direct, related, complementary and synergistic layouts of resources,
expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Specific
subcriteria are:

Distinct differentiation in features or services

Synergy from multiple acquisitions or focused investments


Role life cycle management (discovery, modeling, mining, maintenance, certification and
reporting)

Service-oriented provisioning

Geographic Strategy: This is the technology provider's strategy to direct resources, skills and
offerings to meet the specific needs of geographies outside the "home" or native geography,
directly or through partners, channels and subsidiaries, as appropriate for that geography and
market. Specific subcriteria are:

Home market

International distribution

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria                                                     Weighting
Market Understanding                                                    Standard
Marketing Strategy                                                      High
Sales Strategy                                                          High
Offering (Product) Strategy                                             Standard
Business Model                                                          Standard
Vertical/Industry Strategy                                              High
Innovation                                                              High
Geographic Strategy                                                     Standard
Source: Gartner (September 2010)

Leaders
Leaders are high-momentum vendors (based on sales, world presence and mind share growth),
and they have evident track records in user provisioning across most, if not all, market segments.
Business investments position them well for the future. Leaders demonstrate balanced progress
and effort in the Execution and Vision categories. Their actions raise the competitive bar for all
products in the market. They can and often do change the course of the industry.
Leaders should not be the default choice for every buyer; rather, clients are warned not to
assume that they should buy only from the Leaders quadrant. Leaders may not necessarily offer
the best products for every customer project, and may even prove to have a higher TCO than
some nonleading vendors. Leaders provide solutions that offer relatively lower risk, and provide
effective integration with their own solutions as well as with competitors' solutions. Every vendor
included in the Leaders quadrant is there because it meets legitimate business or company
needs.

Challengers
Challengers have solid, reliable products that address the needs of the user-provisioning market,
with strong sales, visibility and clout that add up to execution higher than that of Niche Players.
Challengers are good at winning contracts, but they do so by competing on basic functions or
geographic presence, rather than specifically on advanced features. Challengers are efficient and
expedient choices for more-focused access problems, or for logical partnerships. Many clients
consider Challengers to be good alternatives to Niche Players or, occasionally, even Leaders,
depending on the specific geography or industry. Challengers are not second-place vendors to
Leaders and should not be considered as such in evaluations.
Challengers in this Magic Quadrant all have strong product capabilities, but often have fewer
production deployments than Leaders do. Business models vary, as do overall product strength
and breadth, marketing strategy, and business partnerships. This has kept some Challengers
from moving into the Leaders quadrant.

Visionaries
Visionaries are distinguished by technical and/or product innovation, but have not yet achieved a
record of execution in the user-provisioning market to give them the high visibility of Leaders, or
they lack the corporate resources of Challengers. Buyers should be wary of a strategic reliance
on these vendors, and should closely monitor these vendors' viability. Given the maturity of this
market, Visionaries represent good acquisition candidates. Challengers that may have neglected
technology innovation and/or vendors in related markets are likely buyers of Visionary vendors.
As such, these vendors represent a higher risk of business disruption.
Visionaries invest in the leading-edge features that will be significant in the next generation of
products, and that will give buyers early access to improved security and management.
Visionaries can affect the course of technological developments in the market, but they lack the
execution influence to outmaneuver Challengers and Leaders. Clients pick Visionaries for best-of-
breed features, and in the case of small vendors, they may enjoy more personal attention.

Niche Players
Niche Players offer viable, dependable solutions that meet the needs of buyers, especially in a
particular industry, platform focus or geographic region. However, they sometimes lack the
comprehensive features of Leaders, or the market presence and/or resources of Challengers.
Niche Players are less likely to appear on shortlists, but they fare well when given a chance.
Although they generally lack the clout to change the course of the market, they should not be
regarded as merely following the Leaders.
Niche Players may address subsets of the overall market, and often do so more efficiently than
Leaders. Clients tend to pick Niche Players when stability and focus on a few important functions
and features are more important than a "wide and long" road map. Customers that are aligned
with the focus of Niche Players often find their offerings to be "best of need" solutions.

Vendor Strengths and Cautions
Avatier
Avatier Identity Management Suite (AIMS) v.8 (July 2009) — Avatier Account Creator, Avatier
Account Terminator, Avatier Identity Enforcer, Avatier Identity Analyzer, Avatier Password
Station, Avatier Compliance Auditor
Avatier is a pure-play identity management vendor focusing on user provisioning, password
management, audit and compliance reporting, and SOD/rule enforcement. It features an
innovative Web services connector architecture for heterogeneous integration across different
platform environments.
In the U.S., most Avatier sales are direct. Internationally, Avatier is sold through an expanding
number of midtier services and consulting partners.
Avatier's focus is on creating identity management products that are simple and easy to
understand for end users and administrators. The result is a very intuitive, graphical-user-
interface-driven environment that is understandable even by people with modest technical skills;
a resulting positive benefit is that implementations generally are extremely quick compared with
most competitors.

Strengths
Avatier demonstrates consistent execution on its innovative vision and significant
customer wins and satisfaction.

Avatier's roots are in password management, where it has traditionally picked up many
small and midsize enterprise customers; however, it also has a number of successful
large enterprise implementations and notable brand-name customers.

Avatier is directory-agnostic for its identity repository and supports multiple databases
for logging and other identity object storage.

Avatier's technology and subfunctions (such as its password policies) are developed
with service-oriented architecture (SOA) in mind, and can be accessed through Web
services. The client front end and target connectors also support SOA.

Avatier's deployment ratio is very good, estimated at 1-to-0.33, where for every $1 spent
on licensing, only $0.33 is spent on deployment.

Cautions
Avatier competes against large IAM suite vendors, such as Oracle and IBM Tivoli, and
has difficulty gaining the attention of decision makers at larger enterprises, where larger
competitors enjoy more access and exposure. As a pure-play provider, Avatier must
partner with a shrinking number of partners to provide suite-style solutions to clients who
want them.

Avatier's innovative approach of hiding IAM complexity (for example, its "shopping cart"
models for entitlements) doesn't always appeal to traditional "old school" technologists.

Beta Systems
SAM Enterprise Identity Manager v.1.1 (October 2009)

SAM Enterprise Identity Manager is Beta Systems' new "next generation" identity-provisioning
system. It replaces the older SAM Jupiter product, while retaining rich feature support for both the
mainframe and other systems. The user interface is also greatly improved from previous versions.
SAM Enterprise is one of the longest-lived role-based IAM solutions on the market.
Although most of its sales remain direct, partnerships and reseller agreements exist. Integrator
partnerships with providers such as T-Systems, IBM Global Services and Accenture also ensure
implementation options for customers. Beta Systems also has Europe-based VARs, and offers a
managed/hosted service for SAM Enterprise.
Beta Systems is, at present, undergoing a significant organizational and road map realignment for
IAM to position itself for better competitiveness in the market.

Strengths
SAM Enterprise's new interface for workflow creation focuses on simplifying IAM
concepts and process development for business users.

Beta Systems offers an entry package with fixed project prices for a defined function set.

SAM Enterprise is now platform-independent and supports multiple databases for its
identity repository and for the storage of other IAM-related data and objects.

Beta Systems showed early strength in the banking and financial services sector and is
attempting to expand in other industries. The new SAM Enterprise leverages mature
role-based design via its built-in role life cycle management support for unlimited role
hierarchies, dynamic roles, SOD and role mining.

Beta Systems offers customers more-flexible pricing options such as fixed-cost
implementations.

Cautions
Customer growth due to organizational and road map changes from 2007 to 2009 was
marginal, with a temporary drop in 2008 revenue.

Audit and reporting analytics and presentation capabilities lag those of competitor
offerings.

Beta Systems' customer base remains 78% concentrated in Europe. North American
market presence remains small (approximately 22%). Beta Systems is attempting to
expand its U.S. market share and expand into Latin America.

Current customers have complained about the quality and thoroughness of Beta
Systems' documentation; this is being addressed via documentation updates.

BMC Software
BMC Identity Management Suite — BMC User Administration and Provisioning v.5.5 (December
2009)
BMC Software is a long-standing IAM provider, still with significant market share dating back
more than a decade with the original Control-SA product. BMC is one of the first companies to
have recognized and leveraged the value of process-centric IAM (user provisioning).

BMC has relationships with technology partners to deliver IAM suite options, such as reduced
sign-on (Hitachi ID Systems), role engineering (SailPoint) and Web access management
(Symphony Services).
BMC's key system integration and consulting partners include Eclipse, Ilantus Technologies,
Logic Trends and Wipro Technologies. BMC's VAR channel partners include Accenture and
Capgemini, particularly in Europe.

Strengths
BMC's Service Request Management module can be used as provisioning workflow by
customers, as an option to BMC Identity Management Suite's User Administration and
Provisioning workflow.

Integration with BMC's Business Service Management (BSM) offering gives BMC's
provisioning product some unique capabilities in the areas of self-service, help desk,
change management and asset management.

BMC's BSM message and approach to provisioning, which is based on IT Infrastructure
Library (ITIL), is innovative and is a differentiator, for existing BMC customers as well as
new ones.

Cautions
BMC sells its user-provisioning solution as part of its BSM solution. There is reduced
marketing to audiences with specific IAM needs.

BMC has less-extensive SI partnerships than leading vendors do.

BMC's revenue from IAM has declined by nearly 20% from 2008 to 2009. This is likely
due to the change in IAM focus and active marketing of IAM. Customer concerns include
the need for better user interfaces, slow response to support questions and inconsistent
postdeployment support.

CA Technologies
CA Identity Manager v.12.5 SP1, CA Role & Compliance Manager v.12.5 SP1, CA Enterprise Log
Manager v.12.5 SP1 (March 2010)
CA Technologies demonstrates customer momentum, a commitment to a role life cycle and
compliance management strategy (as evidenced by its Eurekify and IDFocus acquisitions, and
integration of these with CA Identity Manager), and audit and compliance reporting. CA Identity
Manager and CA Role & Compliance Manager are integral to CA's broader content-aware
IAM strategy and to delivering identity management to, for and from the cloud. CA Identity Manager
is based on IdentityMinder (from 2002) and eTrust Admin (from 2000), and has a long heritage in
the IAM business. Acquisitions and significant internal investment have accounted for expanded
capabilities, and CA continues to successfully pursue this strategy to fill out its IAM portfolio.
CA plays an active role in international identity and security standards (technical and process-
centric) for user provisioning.
CA Technologies has a cohesive and aggressive marketing, sales and integrator strategy. Major
integration and consulting partners include Deloitte, PricewaterhouseCoopers and Accenture.
Mycroft, Logic Trends, Northrop Grumman and Telecom Italia are key VARs.

Strengths
Since entering the Leaders quadrant in 2008, CA Technologies has consistently
demonstrated a strong IAM commitment, overcoming many past negative market
perceptions, and delivering competitive IAM solutions. CA has significantly increased
license revenue growth for its IAM products in the past year.

CA is demonstrating a commitment to simplifying IAM deployments and offering rapid
deployment strategies (based on a thorough scoping of customer needs) and fixed-cost
implementations.

CA Identity Manager has comprehensive features for policy modeling, integration
capabilities, delegated administration, Web services, multiple-connector design and
entitlement certification capabilities. CA Identity Manager's use with key components of
its broad IAM portfolio (CA Role & Compliance Manager, CA Enterprise Log Manager,
CA DLP, CA SiteMinder and CA Access Control) is a differentiator. Additionally, a
recently expanded relationship incorporates CA's monitoring of IT risk and compliance
metrics into SAP's business process risk management.

CA's acquisition of Eurekify is significant. Eurekify is generally regarded as an effective
product for statistical role mining and analysis. Customers like CA Identity Manager's
ease of use postimplementation, broad functionality (particularly for workflow needs) and
integration capabilities with service management.

Cautions
Administrative interfaces for CA's IAM products are well-suited to IT end users; however,
the overall richness of the interfaces for business-focused end users (such as those who
may be performing attestation and certification duties) is still maturing.

CA all but ignores the SMB market. While it actively markets to or solicits SMBs, feature
set messaging and support structures are generally tailored to larger accounts.

CA still needs to refine its presales scoping for fit, postsales implementation and
troubleshooting. Recent steps in CA's rapid deployment project strategy are showing
good signs that it is addressing postsales deployment issues.

Integrating multiple acquisitions takes time, and CA is committed to creating meaningful
integration; however, some customers still feel and comment on the disconnect between
products.

Courion
Courion Access Assurance Suite v.8.0 (as of December 2009) — Courion AccountCourier,
RoleCourier, PasswordCourier, ComplianceCourier and CertificateCourier
Courion is the only pure-play IAM vendor in the Leaders quadrant. It continues to innovate and
grow, in spite of challenging economic conditions. Courion focuses on simplicity and enabling
business users. It consistently performs well in proofs of concept compared with larger IAM
players.
Courion's focus is on simplifying IAM and making it more business-friendly through its "access
assurance" messaging and the increasing number of IAI products and integration options that it
offers.

While approximately 75% of its customers are those with less than 25,000 users, Courion has
delivered solutions for larger customers, scaling to over 1 million production users. To stay
competitive with large portfolio vendors (that is, Oracle, IBM, CA and Novell), Courion leverages a
partnership model that includes RSA, The Security Division of EMC, for access management;
Imprivata for ESSO; Cyber-Ark Software for shared account/privileged account management;
Citrix Systems for enabling Citrix XenApp provisioning; and others. Courion has extended its
integration capabilities to include data loss prevention and user activity management (SIEM and
log analysis) products from companies like RSA and Symantec. Courion continues to expand its
relationship with EMC and is adding new resellers worldwide. Courion's solutions work with
cloud-based applications, and it participates in SaaS with its partners Identropy and Accenture,
showing continued innovation.

Strengths
Courion has a fixed-cost implementation strategy. It requires rigorous preproject scoping
and customer interaction, and Courion's track record is good.

Courion usually demonstrates a low ratio of product cost to deployment cost —
generally in the 1-to-1 range. It has the lowest ratio of any vendor in the Leaders
quadrant.

Courion is innovating the provisioning connector market. Its fixed price per connector is
comparatively low, and it charges the same price for new custom connectors as it does
for already existing connectors.

Courion is one of the few vendors in the study to deliver an in-house-architected
solution. As a result, Courion customers are able to achieve "out of the box" integration
for many use cases.

Courion products are built with extensibility in mind, and they work well in complex,
heterogeneous environments.

Cautions
Courion's competitors continue to improve by adding many features similar to Courion's.
The competition is always a step or two behind, and maintaining innovation pace and
consistency in an increasingly commoditizing market will be challenging.

Courion still faces name recognition issues. Other larger and formative brand names
immediately come to mind when customers begin their IAM product searches. As such,
Courion may be inadvertently overlooked in an organization's RFI and/or RFP process.

Courion lacks the global reach of major competitors in terms of marketing, sales and
support, and it is increasingly dependent on a network of predeployment and
postdeployment partners outside of North America. Increased sales mean that Courion
will need to transfer its best-in-class planning and deployment skills to those partners.

Evidian
Evidian Identity & Access Manager (June 2010)
Based in France, Evidian has long been a respected provisioning vendor in Europe. With the
most recent release of its solution, version 9, in June 2010, Evidian introduces a major update in
terms of functionalities, packaging and deliveries. However, it remains compatible with its legacy
solution, which is a decade old. Evidian also offers a Web access management solution as part of
a broader IAM portfolio.

Strengths
Evidian is one of the few vendors in the user IAM market that natively constructs the
core systems of user provisioning, which are then integrated on a single architecture
that includes ESSO and Web access management.

Evidian is a serious regional player within European markets, where its name
recognition has greatly improved in the past few years.

Evidian provides most of the key functions expected of user provisioning, and has
particular strengths in the simplicity of deployment and good reporting features.

Evidian is committed to role life cycle management, moving from needing a third-party
vendor to supply role-mining functionality, to now offering it within the Evidian Policy
Manager product.

Evidian uses its access management solutions as a primary means of introducing user
provisioning to the enterprise.

Cautions
For access reconciliation, Evidian Identity & Access Manager doesn't yet leverage the
core provisioning application's workflow as much as it could; future releases are
expected to address this.

Many features that customers expect in audit and compliance reporting systems are not
yet available; however, they are slated for release in 2011.

Evidian is having difficulty acquiring market share in North America, which fell from 12%
in 2008 to 11% in 2009.

Password management functionality is basic when used independently from the access
management solutions.

Fischer International
Fischer Identity v.4.1 (January 2010) — Fischer Role & Account Management, Automated Role &
Account Management
Fischer International remains in the Visionaries quadrant primarily due to its innovation as a
managed IAM service provider, and as an "IAM as a service" (IaaS) delivery model through
partners in the SaaS and cloud-computing markets. The company has a scalable, multitenant,
service-based architecture to enable SaaS and hosting by itself and its service provider partners
in addition to on-premises delivery. Fischer has been a visionary in cloud-based IAM architecture
for several years. As such, it has even placed a trademark on the phrase "Identity as a Service."
Fischer's technical architecture is a small-footprint, Java-based SOA framework that produces
rapid, configurable delivery. Fischer's customer base is small, and growth has been slow.
However, it has been growing in both cloud-based and on-premises deployments due to a
refocused sales strategy and increased marketing investments. Fischer has also expanded
outside North America by signing global and Europe-based providers and resellers.

Strengths
Fischer permits service providers (and enterprises) to offer user provisioning as a
service in several delivery models — on-premises, remotely managed, hosted and
cloud-based (SaaS) — including highly customized enterprise deployments.

Fischer's technology is multitenant, and security is specified for each client organization
as well as for the master organization (service provider). As a result, only specified
people or roles are permitted to manage each component or process for each individual
client organization or the master organization.

Fischer delivers a simple cross-domain framework. It also provides nonstop support for
operations, fault tolerance, high-privilege account management and connector
management. The company has strong support for cross-industry standards, which has
resulted in interoperability across systems.

Fischer's customers consistently remark on: (1) Fischer's "ownership" of the success of
the project; and (2) the overall smoothness and swiftness of the implementation.

Fischer's cost model is created to be easily understood by current and potential clients.
For example, with the exception of custom connectors for homegrown applications, all
existing and new "custom" connectors are free (included in the overall product cost).

Customers like Fischer's adherence to open standards for heterogeneous platform and
application support, its flexibility of workflow development, and its support
responsiveness.

Cautions
Fischer's audit and reporting features are basic when compared with more-robust
dashboards and GRC-focused interfaces offered by other vendors. Currently, all
reporting data is stored in a database for retrieval, using auditor-recommended standard
reports as well as custom reports.

Fischer has limited out-of-the-box connectors, although most major systems are
represented. However, the solution allows new connectors to be constructed and
deployed at no cost to the client organization.

As the cloud-based model becomes more compelling and accepted, large vendors (such
as Oracle and IBM) will increasingly focus on SaaS models for identity management.
Fischer, like all small innovative vendors, risks being overtaken by those competitors.

Fischer is a small company. Its success depends on its partner network for visibility and
support, and on the ability of its product to continue to deliver satisfactorily for those
partners.

Hitachi ID Systems
Hitachi ID Identity Manager v.6.1.2 (February 2010), Hitachi ID Password Manager v.6.4.9 (June
2010)
In early 2008, Hitachi ID Systems acquired M-Tech Information Technology, a Canada-based,
privately owned IAM company founded in 1992. M-Tech was well-known first for its P-Synch
password management offering. M-Tech expanded into user provisioning, as well as other "point"
IAM products and compliance products over subsequent years.
Hitachi ID Identity Manager v.6.0 was a major rewrite, with a new back-end and automation
engine. The result is a substantially different product that doesn't sacrifice existing client upgrade
plans.
Hitachi ID Identity Manager performs general identity management tasks (that is, provisioning,
synchronization and deprovisioning), extending self-service access requests to business users. It
also directly manages authorizations (entitlements) with built-in workflow. Other components
include Hitachi ID Org Manager (business process automation for organization chart
maintenance), Hitachi ID Access Certifier (for audit and compliance attestation reporting), Hitachi
ID Group Manager (for request-based, self-service Active Directory group management), and
Hitachi ID Privileged Password Manager (providing shared-account password management
capabilities).
Hitachi ID has an extensive professional service team to design and implement its products, and
to train customers on their use and maintenance. It has system integration and consulting
partnerships with KPMG, HCC Consulting and ACS, although most integration is done by Hitachi
ID's service team.

Strengths
Hitachi ID has reseller relationships with providers such as CompuCom Systems, Insight
Enterprises and IBM Global Services. It has close active partnerships with HP, CSC and
BMC Software, providing Hitachi ID channels and bandwidth for global reach for sales
and implementation.

Key product strengths include: (1) It has many built-in components, including request
screens, access certification, authorization processes, and autodiscovery of IDs and
entitlements; (2) the base price includes all connectors and unlimited servers; (3) user
adoption is aided by a managed enrollment system and accessibility from Web
browsers, PC login screens and phones; and (4) it has multiple policy enforcement
engines, including SOD detection and prevention and role-based access control (RBAC)
enforcement with controlled scope. The identity repository is SQL-based, normalized
and replicated across servers.

Hitachi ID's sales and support staff undergoes an extremely rigorous training period,
thereby making its technical savvy and customer support record differentiators.

Hitachi ID has one of the lowest ratios of product cost to deployment cost (at about 1-to-
1). Like a few other competitors, Hitachi ID also offers fixed-cost implementations. This
strategy leads to better preproject scoping and increased customer confidence.

Cautions
Even though Hitachi is a global brand, and M-Tech was recognized for solid password
management and provisioning solutions, Hitachi ID is still somewhat unknown.

Hitachi ID currently lacks robust role-mining capabilities.


Hitachi ID must compete with larger suite vendors for deals in which the customer is
seeking a broad range of products. To compete effectively, Hitachi ID must partner with
a shrinking number of best-of-breed vendors.

Hitachi ID customers express concerns over the user interface, the need to use a
proprietary scripting language to accomplish customization, and a lack of robust audit-
reporting functions. Some of these concerns have been addressed in the current version
(6.1.3), and other versions are due for improvement in 2011.

IBM Tivoli
IBM Tivoli Identity Manager (IBM TIM) v.5.1 (June 2009)

IBM Tivoli is a global player in IT management (for example, service management and security
management), and has over a decade of IAM experience. For large organizations, IBM is
frequently a default "shortlist" choice. Its global reach, name recognition and staying power are
formidable.
IBM expands its IAM offerings via acquisitions as needed, based on market demands or to help
meet an IAM vision. IBM Tivoli acquired Consul, a major z/OS security administration and audit
vendor, and rebranded it as Tivoli zSecure suite and Tivoli Security Information and Event
Manager. This improved its identity audit solution for addressing compliance and audit needs.
The acquisition of Encentuate extended IBM's ability to provide enterprise single sign-on and
privileged-identity management capabilities. The acquisition of MRO Software provided the ability
to integrate with physical asset provisioning and service catalogs. Additional acquisitions (for
example, Internet Security Systems) provided integration of IBM TIM's provisioning, workflow,
audit and reporting capabilities to the security event, application development and business
intelligence environment. Managed services are offered via IBM Global Services and IBM's global
partner network. SaaS options are offered by partners such as Lighthouse Security Group and
Logica.
IBM has partnerships with global and regional system integrators around the world, such as IBM
Global Technology Services, Deloitte, Accenture, Unisys, Atos Origin, Saudi Business Machines,
SecurIT, Tata Consultancy Services, Wipro Technologies, Advanced Integrated Solutions, Vicom
Computer Services, Insight Enterprises, Softchoice, Forsythe Solutions Group, Arrow Enterprise
Computing Solutions, Sirius Computer Solutions, MSI Systems Integrators, Insight UK, Pirean,
Tectrade and Logicalis.
New development for IBM's user-provisioning tools has been slow during the past year (as
evidenced by the June 2009 release date for IBM TIM v.5.1), likely due to the market shift in
priorities — that is, moving from administration to compliance and IAI. However, IBM is providing
its customers with early access to new role management and modeling tools, prior to expected
general availability next year.

Strengths
IBM TIM supports major platform environments for deployment, including the mainframe
(Linux on IBM System z).

Provisioning and approval workflow technologies are rich, with extensive connector
libraries. IBM Tivoli Directory Integrator, a development kit for unique connectors, is also
included with the product. Password management functions and delegated
administration are competitive. The base product includes full runtime versions of DB2,
WebSphere Application Server and IBM Directory Server. Also included are 20
infrastructure (database, mail, OS and network) adapters (connectors).

Policy simulation features in IBM TIM help users simulate role and/or provisioning policy
scenarios to determine their effects on production environments before deployment.

Operational role management capabilities are embedded in the core IBM TIM product,
including recertification (attestation), SOD checks, and hierarchical role provisioning for
extended role management functions such as role modeling and approval. IBM has
partnerships with several third-party role management vendors to help mine and model
roles. Examples of partner offerings that are integrated and certified with IBM TIM
include Aveksa, SailPoint and SecurIT. IBM also has integrations with Approva and SAP
NetWeaver for ERP SOD checking.

Additional compliance capabilities are provided in the form of integration with the Tivoli
SIEM product for closed-loop access reporting and auditing.

Cautions
IBM lags in role analytics and mining, trailing every other IAM vendor in the Leaders
quadrant. At the time of this writing, IBM is addressing this by providing its customers an
early technology preview tool called the "Role Modeling Assistant," while the production-
ready capability is under development.

IBM Tivoli's ability to address complex IAM issues for clients is challenged by its
complexity of solution offerings, despite early indications of improvements in IBM TIM
v.5.1.

IBM would do well to better understand customers' specific requirements and to help
customers better shape their vision and goals for IAM during the sales and
implementation cycle in order to focus deployment efforts and improve time to value for
customers.

Customers remain concerned about the complexity of the product in configuration and
deployment, the intensive prework that's necessary to accurately map workflows to
business processes, and the effects of version releases on established deployments.

Microsoft
Microsoft Forefront Identity Manager (FIM) 2010 (April 2010)
Microsoft released a long-awaited new version of its IAM offering in April 2010. It also rebranded
the offering. Instead of Identity Lifecycle Manager (ILM), the company has incorporated the
offering as part of its Forefront brand and has labeled the new solution as Forefront Identity
Manager. FIM has several updates to ILM that have improved the overall function of the offering.

Strengths
Microsoft has added improved password and credential functionality to FIM,
resulting in better delegation and reset capabilities, and bringing the function set up to
industry par.

Microsoft's use of SharePoint, Exchange and SQL Server provides a means for business
users to directly participate in FIM through the use of existing collaboration and office
tools.

New workflow functions based on the work Microsoft is doing in the Windows Workflow
Foundation (WWF) allow improved options for automating specific IAM processes.

Windows Server 2008 has added Active Directory Federation Services (AD FS) 2.0 as
an update, providing improved and expanded functionality in federation, including
expanded support for industry standards in federation, such as SAML. While not part of
FIM, this can be used with FIM in combined access and provisioning deployments.

Some new connector options are offered to improve heterogeneous support for
synchronization and joining.

Cautions
While improved, Microsoft's connector architecture still does not have options that best-
in-class competitors possess.

Workflow in FIM has rudimentary functionalities, compared with those of best-in-class
competitors.

Pricing for FIM has changed somewhat to a per-server and per-user client access
license (CAL) basis, potentially resulting in increased costs for the customer based on
need. If a customer is using the FIM synchronization service only to synchronize identity
information or to provision users, then CALs are not required. However, if users take
advantage of any of the new FIM management tools and technologies, then CALs are
required to provision and manage them. So, similar to ILM, if customers use it only for
synchronization, no CAL charge is triggered.

Novell
Novell Identity Manager Roles Based Provisioning Module v.3.7, password self-service for
Identity Manager v.3.7, Designer for Novell Identity Manager v.3.7, Novell Sentinel v.7, (February
2010); Novell Identity Audit v.1.0 (October 2008), Novell Access Governance Suite v.3.6.2 (May
2009)
Novell is a solid technology innovator. Its IAM portfolio of products is well-respected by industry
experts, technology professionals, long-standing customers and enterprise users seeking a
complete solution for provisioning. Significant new customer wins, such as Verizon's cloud-based
security solution, and Novell's strategic partnership with VMware, further illustrate Novell's
innovation by moving into cloud-computing and IAM-as-a-service markets.
Novell continues to improve in the Leaders quadrant. Although Novell's IAM sales declined
overall in 2009, primarily due to the economy and organizational changes, Novell continues to
succeed via:

Innovative, enterprise-class products, and significant customer wins

Continued focus on partnerships, sales and marketing

Competitive countermoves and replacements

Gartner has seen a noticeable increase of customer interest in Novell during 2010. Some of this
is attributed to former Sun customers who are evaluating options, and some to a renewed focus
following organizational shifts and acquisition challenges. Although Novell had previously
experienced a drag on its business due to customers' past associations with its NetWare
business, this increased interest indicates that many customers have moved past these
perceptions. The market should not count out Novell.
Novell addresses role life cycle management via a combination of internal Novell development
integrated via license agreement with Aveksa's products. Improvements in resource
recertification and attestation reporting, and tighter integration with SIEM logging and reporting
via its Sentinel product, provide forensic and monitoring capabilities to provisioning management.
Novell's network of smaller, region-based integration and consulting continues to grow through
established integration providers such as Atos Origin, Deloitte and Wipro Technologies, as well
as global alliance partners such as HP and SAP.

Strengths
Novell's suite has significant compliance and intelligence functionality, addressing
unified policy needs through its combined role life cycle management and SIEM
solutions.

Novell's market share within the financial services and government verticals has
improved due to an improved compliance management functionality.

Integration among Novell's IAM portfolio products is homogeneous, and deployment
times and customer experience are improving.

Novell is an active participant in an open-source identity framework that includes
provisioning through its membership in the Eclipse Higgins project. Novell is also active
in international standards work with the role it plays in Linux, security and identity
standards. Novell Identity Manager supports SPML.

Novell customers like the tight integration of the product for different provisioning
functions, designer capabilities for configuration, and the deployed solution's ease of use
and functionality.

Cautions
Novell continues to battle a negative market perception; this is Novell's biggest enemy in
2010.

More often than not, all vendors are evaluated not solely on the merits of their solutions
but also on vendors' wallet share with a customer or their executive relationships.
Customers who understand the value of Novell's technology leadership need to fight for
the inclusion of Novell as a viable vendor for it to be considered. An effective way to do
this is to request a proof of concept at the outset.

Customers wish for a simpler licensing structure. Novell will address this issue with the
upcoming Identity Manager release 4 due in the fourth quarter of 2010.

Novell does not have the same financial resources, partner network or visibility as its
larger competitors do, and is at a disadvantage in new-customer acquisition as a result.

Omada
Omada Identity Suite (OIS) v.7 (March 2010)
Omada addresses compliance-centric user-provisioning needs based on Microsoft technologies,
resulting in enterprise solutions that can manage advanced business scenarios across
heterogeneous environments. It has a strategic partnership with Microsoft to extend Microsoft
Forefront Identity Manager 2010 (and the older ILM 2007) capabilities for customers. Omada has
a long history with SAP and recently enhanced its SAP integration capabilities such as integrating
into SAP BusinessObjects GRC. Omada is also focused on providing business-centric GRC
management solutions. This demonstrates its business-focused market approach and its ability to
provide products and services that are not purely based on its Microsoft relationship. Omada has
recently taken steps to enhance its attestation and recertification offering with high-end risk
management capabilities, such as risk assessment surveys.
Omada has system integration and reseller partnerships that include Logica, Traxion and
Avanade. A major part of Omada's staff is dedicated to consulting, integration and support.
Solution support is offered directly to the customer or via partners.

OIS addresses attestation and recertification, compliance reporting, and SOD management
workflows (and the ability to provide auditable approval paths to override SOD violations). It
provides role life cycle management capabilities with its advanced RBAC module, applying roles
over heterogeneous repository and access infrastructures via FIM management agents, which
are supplied out of the box from Microsoft, Omada and partners' custom builds.

Strengths
Omada is uniquely positioned to provide compliance modules for Microsoft Forefront
Identity Manager, such as attestation, role life cycle management and compliance
reporting.

Omada has introduced a SharePoint Governance Manager offering in conjunction with
FIM to apply RBAC functionality to SharePoint and deliver compliance reporting for
SharePoint. Omada provides granular role-based integration with SAP.

Omada's pricing for OIS is competitive, reflecting lower-cost alternatives to larger user-
provisioning offerings via Microsoft's "embedded" components in the enterprise (for
example, Active Directory and SQL Server).

While Omada is really an augmentation of Microsoft's user-provisioning functionality, it
integrates well into the FIM portal environment, providing an intuitive and natural work
environment for administrators and end users.

Customers like the emphasis on Microsoft IAM architecture, the expanded reporting
functionality for SharePoint, workflow improvements and good
preimplementation/postimplementation support.

Cautions
Omada uses Microsoft Forefront Identity Manager 2010 (and, for legacy customers, ILM
2007) as its foundation for delivering its functionality, thus underscoring Omada's
dependence on Microsoft's IAM direction.

While Omada does augment the functionality offered from Microsoft, it still does not
have the ability to offer role mining. Customers who desire that functionality will need to
integrate with another vendor, or wait until Omada realizes its plan to deliver role mining.

Omada's market penetration into North America and other non-European regions
continued to grow significantly in 2009, but at a slower rate than in 2008. More global
customers are needed before Omada can be considered a major contender in the IAM
marketplace. Early trends in its 2010 numbers indicate some growth in North America.

Omada is dependent on Microsoft continuing its investments in making Microsoft
Forefront Identity Manager an attractive provisioning platform with enterprise-ready
performance and scalability.

Oracle
Oracle Identity and Access Management Suite and Oracle Identity Manager v.9.1.0.2 BP10
(January 2010)
Oracle is the leader in this Magic Quadrant. It continues to execute on its vision of an integrated
and scalable IAM suite.

Via its acquisition of Sun, Oracle accomplished two things: (1) the obvious takeout of a
competitor; and (2) the acquisition and subsequent integration of many of Sun's competitive
technology differentiators — for example, Sun Role Manager, now Oracle Identity Analytics. (For
more-detailed analysis of the Sun acquisition, see "Oracle and Sun: Managing IAM Under a
Single Identity.") Some uncertainty is still felt by Sun customers; possibly, migrating from Sun to
Oracle is not welcome. Much hinges on the manner in which Oracle manages this transition.
Oracle is committed to delivering comprehensive IAM. While Oracle Identity Management 11g is
not rated in this Magic Quadrant due to its recent release, it should be stated that it (if it is
delivered as described) will be another competitive differentiator for Oracle.
Oracle's IAM can run on two different databases, seven different OSs, four different application
servers and multiple Java Development Kit vendors. The company continues to acquire other
companies as needed. It is also expanding a global network of resellers and implementation
partnerships. The Sun acquisition adds even more options.
Oracle's IAM portfolio provides solutions for user provisioning, password management, role life
cycle management, Web access management, federation, IAI, reporting, directory and virtual
directory, fraud prevention and authentication, entitlement management, and GRC capabilities.
Other IAM-related needs (for example, ESSO and SIEM) are addressed via partnerships. Oracle
continues to demonstrate a commitment to improving integration among the products in its IAM
portfolio.

Strengths
Risk-based user self-service decision making is possible through application
programming interface integration with identity-proofing services. Oracle Identity
Manager can integrate with proofing services by native API integration or when
codeployed with Oracle Adaptive Access Manager.

Oracle's database back end, the identity repository, is scalable and proven.

Oracle's access at all enterprise levels (business to IT) is pervasive. The company uses
that access for cross-selling opportunities with IAM. Aggressive sales and marketing
strategies have resulted in a new-customer acquisition rate that is several times that of
the general provisioning market. Oracle has comprehensive training for its network of
global integration partners. These partners (system integrators, VARs and technical
partners) include Deloitte, Accenture, KPMG, PricewaterhouseCoopers and Wipro, as
well as Oracle's consultancy and services in user provisioning.

Oracle possesses a portfolio and a matching vision for IAM, including user provisioning.
The message has moved from an earlier strategy of "application-centric" provisioning,
which addresses provisioning, workflow and reporting needs for a multiapplication
environment, to including a "service-centric" view of IAM. Customers like Oracle's
aggressive IAM road map, access to Oracle's development teams for changes,
configurability during deployments, workflow and provisioning engine capabilities.

Cautions
Oracle's SIEM and compliance/audit integration and reporting are less mature than
those of competitors IBM Tivoli and Novell. The introduction of Oracle Identity Analytics,
while positive, is still not competitive with leading vendors in this area.

IAM-related reporting is accomplished via Oracle BI Publisher. While capable and full-
featured, it can produce overly complex IAM reports.

Recent acquisitions and new product additions have caused confusion among some
current and new customers when comparing the pricing models for earlier software
packages with what is currently available.

There continue to be mixed reviews for Oracle integration and deployment
experiences, which are attributed to uneven training and experience of consultants and
system integrators for the product.

Quest Software
Quest ActiveRoles Server 6.5.0 (November 2009)
The most significant change Quest Software has made this year to its IAM solution ActiveRoles is
the acquisition in July of the German IAM provider Voelcker Informatik. Voelcker's ActiveEntry
solution provides Quest with extended functionality into the role management and IAI
management markets. Several feature updates to ActiveRoles have also occurred during this
period (see "Quest Software Acquires Voelcker Informatik: Standardizing Customization for
IAM").

Strengths
Quest's acquisition of Voelcker ActiveEntry signals a more aggressive move to engage
competitors and improve both the geographic reach and functionality of its offerings.

Quest's reputation in the Windows administration and management markets is
enhanced by new offerings in role and IAI management through the Voelcker
acquisition.

Quest has taken some steps to improve its partnerships with IAM integrators by
providing expanded services for its offerings.

Cautions
Quest still has some issues with name recognition as a viable IAM competitor, especially
beyond the Microsoft Windows-centric customer population. This is starting to change,
but is still evident.

Quest connector options for IAM synchronization and joining of applications and
repositories are rudimentary.

The combined Quest-Voelcker offering has some concerns to resolve about overlapping
functionality for both new and existing customers.

SAP
SAP NetWeaver Identity Management v.7.1 (June 2009)
SAP is a global leader in business management software. It enjoys strong name recognition and
is deployed widely in many of the world's largest organizations.
SAP has been in the provisioning market for a relatively short amount of time; its acquisition of
MaXware in 2007 serves as a formal kickoff of SAP's IAM strategy to integrate IAM deeply into
the SAP ecosystem. SAP has been consistently making progress toward that goal, and due to the
out-of-the-box SAP integration possibilities, there are definite benefits to choosing SAP
NetWeaver in order to manage identities in SAP-centric environments.

It should be noted, however, that SAP customers who use NetWeaver to manage their SAP
environment will typically end up deploying two provisioning systems: NetWeaver for granular
management of SAP, and then another vendor to manage the rest of their heterogeneous
ecosystem.
Key features of SAP NetWeaver Identity Management include:

User interface and management console

Runtime components (linked to external repositories via virtual directory)

An Identity Center database for logs, configuration and identity stores

Provisioning and workflow functionality

User self-service and password management

Reporting via SAP NetWeaver Business Warehouse

Metadirectory and identity store

Identity Provider for Web-based SSO and identity federation via SAML 2.0

Implementation projects at customer premises can be led by either SAP consultants or a
selection of solution integrators.

Strengths
The Identity Services framework of SAP delivers a virtual directory technology and
virtualization of target systems as part of connector management, and reflects a well-
structured, application-driven approach to provisioning.

SAP's GRCM solution, BusinessObjects Access Control, is coupled with SAP
NetWeaver Identity Management to augment the Identity Services framework, and to
deliver provisioning and SOD capabilities.

SAP views NetWeaver Identity Management as a significant contributor to the evolution
of SAP applications to a common process layer for management. The process modeling
layer delivered via SAP NetWeaver Business Process Management leverages a
common Identity Management layer to deliver security and context to business process.

SAP bundles Identity Provider with SAP NetWeaver Identity Management to allow for
Web-based SSO and identity federation via SAML 2.0. Identity Provider comes at no
additional cost.

SAP customers like the rapid implementation and customization capabilities of the
product, the basic role life cycle management integration with provisioning, the deep
integration with other SAP products via predefined scenarios, and the virtual directory
functionality.

Cautions
SAP's road map for user provisioning is targeted specifically at established SAP
customers, and is primarily for SAP application portfolio and integration needs. While
SAP customers may find this differentiating from other vendors, non-SAP customers will
not.

SAP views NetWeaver Identity Management as vital for counteracting efforts by Oracle
to introduce Oracle solutions into a predominantly SAP customer environment via an
Oracle IAM solution. Such a defensive approach may protect SAP assets, but adds little
for the customer.

NetWeaver Identity Management's reporting and compliance capability is robust;
however, the interface is geared more toward technical administrators than toward
business users.

Sentillion (Microsoft)
Sentillion proVision v.3.5 (May 2010), proVision BridgeBuilder v.3.01 (May 2009)
Sentillion is solely focused on meeting the identity management needs of healthcare entities,
where it is a recognized brand name. Consistent innovation in healthcare provisioning needs,
continued customer growth and increasing name recognition within healthcare make Sentillion
the vendor to beat within the healthcare market.
Sentillion's strategy for user provisioning in a specialized, complex industry is built on the concept
of "purpose-built" healthcare, and addresses role-based and fine-grained provisioning. Although
many customers may be classified as SMBs by their user count, the complexity of healthcare role
environments ensures that planning and implementation remain challenging. Sentillion delivers
focused consulting and integration services, and has some integration partners to address these
challenges (CTG HealthCare Solutions, Vitalize Consulting Solutions and Logic Trends in North
America; E.Novation and VisionWare in Europe).
Sentillion leverages Active Directory as the identity repository to streamline the infrastructure
required to deploy its product.
At the end of 2009, Microsoft announced an intent to purchase Sentillion to combine the Sentillion
product line with its Amalga Unified Intelligence System (UIS) offering. The acquisition closed in
early 2010, and now Sentillion functions as part of the Microsoft Health Solutions Group.
Understandably, the Microsoft acquisition is a source of both excitement and uncertainty for
customers of each company (see "Sentillion Deal Will Bolster Microsoft's Healthcare Solutions").
Currently, Microsoft's intent is to keep the development of Sentillion and the Microsoft Forefront
Identity Manager solution separate. Sentillion will continue to focus on building solutions on its
own platform to meet the needs of the healthcare industry, and FIM will be Microsoft's premier
IAM solution. However, synergy between the two product lines is undeniable, and there will likely
be at least some sharing of knowledge and code logic between the two teams so that each can
more rapidly expand support to new systems.

Strengths
Sentillion has a fixed fee for implementation services so that customers know the
associated costs upfront. The fixed fee implementation is approximately a 1-to-1 ratio of
software to services, which is among the lowest of the provisioning vendors.

Because of Sentillion's healthcare focus, it provides more out-of-the box connector (that
is, "bridge" in Sentillion's nomenclature) support to healthcare-industry-specific systems
(for example, McKesson-Horizon, GE Healthcare and ChartMaxx products) than most of
its competitors do. In addition, Sentillion's industry focus gives it a strategic advantage
over its competition in areas where healthcare-specific industry policy, terminology or
use cases dominate the project or program needs.

Customers gain access to Sentillion's online open-source community — IdMPOWER —
which allows customers to share custom-built provisioning software adapters for clinical
and nonclinical applications.

Customers like the industry-specific focus, the personalized predeployment customer
support during planning and implementation, and the company's quick response to new
customer needs.

Cautions
Focusing only on healthcare comes with a price — whether it is support for features or
standards. Sentillion is driven by its customers, and the product is a custom solution for
the healthcare industry. This concern will be mitigated if or when there is knowledge
sharing between the Sentillion and Microsoft FIM teams.

Several other vendors (large and small) are beginning to focus their sights on the
healthcare market. As these vendors win healthcare accounts, they are able to develop
and commoditize healthcare-focused provisioning connectors, reports and other related
solutions — thus eating away at Sentillion's competitive advantage. At this point, it is
unclear what Microsoft has planned to alleviate that threat.

Role life cycle management and GRC capabilities remain limited, although Sentillion's
capability is generally "good enough" for many customers. However, given the highly
regulated industry that it targets, coupled with the increasing general market demand for
role management and GRC-focused solutions, we expect that Sentillion will continue
innovation in this area as needed.

Siemens
Siemens DirX Identity Business Suite v.8.1B (January 2010), DirX Identity Pro Suite v.8.1B
(January 2010), DirX Audit v.2.0B (April 2010)
Siemens, with its business division Siemens IT Solutions and Services, is a long-standing and
well-respected IAM vendor based in Germany. It has a solid IAM solution and has consistently
demonstrated the ability to attract and acquire new customers. The Siemens DirX suite includes
Audit, Identity (provisioning and account management), Access, Directory and Biometrics product
lines.

Strengths
Siemens is one of the world's largest multinational companies in energy, healthcare,
communications and other industries, and it has significant resources available for IAM
product development, management and delivery.

Siemens has a well-thought-through road map, which demonstrates a sound market
understanding and a commitment to ongoing investment in the DirX product line.

Siemens is a veteran at role-based provisioning. Role life cycle management (for
example, administration, certification and reporting) is part of DirX Identity, based on the
RBAC standard, and has been available since 2002. While role discovery is available in
the base product, business analytics as a result of discovery are provided via third-party
partnerships.

Siemens provides user-provisioning solutions with good role management functionality,
and a partnership model that provides predeployment and postdeployment coverage.

Cautions
While the DirX road map is comprehensive, some of the components, which are
becoming standard across many vendors (for instance, compliance dashboarding), are
slated for release in late 2011. This lags behind market need, and may reflect negatively
on Siemens in proof-of-concept environments.

Siemens' primary focus is on selling to its own customer base (which is large enough to
sustain steady growth of IAM sales). Siemens' DirX product line is worthy of
consideration in many circumstances, and Siemens will frequently win "net new"
accounts based solely on its IAM technology. However, more-aggressive sales and
marketing to non-Siemens customers are warranted.

Voelcker Informatik
Voelcker ActiveEntry 4.1 (February 2010)
Voelcker is a Berlin-based IAM provider that slowly built a reputation in Germany and Austria
during the past 13 years for a flexible service management and automation platform delivering
IAM functionality. In 2009 to 2010, the company enjoyed significant expansion, and in July 2010,
it was acquired by U.S.-based Quest Software (see "Quest Software Acquires Voelcker
Informatik: Standardizing Customization for IAM").

Strengths
Voelcker's ActiveEntry represents an advanced view of IAM as a customizable set of
service management and automation components, together with an advanced IAI
solution, resulting in a less painful deployment experience when compared with
competitor offerings.

ActiveEntry is a service-oriented-based solution using an object-oriented approach to
IAM data, resulting in a combined provisioning and role management capability where
needed.

Voelcker expanded its partner network to provide additional geographic availability,
expanding also to the U.S. prior to its acquisition by Quest.

Cautions
Until the Quest acquisition, Voelcker's name recognition and marketing remained
minimal, resulting in a slow but substantial growth rate.

ActiveEntry does not include a connector set in the same manner as competitors do.
ActiveEntry contains connectors for Active Directory, Exchange, SharePoint, Lotus
Notes, LDAP, SAP and FIM. It contains a "no coding required" wizard to build
connectors for XML-based protocols, as well as the ability to integrate with any
connector architecture.

ActiveEntry will undergo some changes in focus and direction due to its coexistence with
Quest's existing ActiveRoles offering.

RECOMMENDED READING
"Q&A for IAM: Frequently Asked Questions"
"Oracle/Sun Deal Is Not About IAM, but IAM Could Be Impacted"

"Oracle Agrees to Acquire Sun IAM Solutions: Sunrise or Sunset for the Sun Suite?"
"SIEM and IAM Technology Integration"
"Q&A: Role Life Cycle Management"
"Best Practices for Managing 'Insider' Security Threats"
"How to Use 'Visioneering' Principles to Drive a Successful Identity and Access Management
Program"
"Comparing IAM Suites, Part 1: Suite or Best of Breed?"
"Comparing IAM Suites, Part 2: Heterogeneous Deployments"
"Lessons From Novell and HP on Managing IAM Ownership Changes"
"Identity Services (in) the Cloud"
"A Decision Framework for Initial Identity and Access Management Planning"
"Tips for Negotiating Identity and Access Management Contracts"
"Developing IAM Best Practices"
"Managing Identity Matures"
"Introducing Content-Aware IAM"
"Identity and Access Management Defined in 100 Tweets (and Change)"
"IAM Foundations, Part 1: So You've Been Handed an IAM Program ... Now What?"
"IAM Foundations, Part 2: Tools and Technologies"
"IAM Foundations, Part 3: Developing Your IAM Plan"
"Toolkit: IAM Visioneering and Visioncasting"
"Top-Five Issues and Research Agenda for the Identity and Access Management Professional,
2010-2011"
"IAM in a World of Services"
"Entitlement Life Cycle Management: The Evolution of Role Life Cycle Management"
"Identity's Role in Cloud Architecture, 2010"
"Oracle Software Strategy After Sun: Product Recommendations for Users"
"Magic Quadrant for User Provisioning" — 2009
"Magic Quadrant for User Provisioning" — 2008
"MarketScope for Enterprise Single Sign-On"
"Sentillion Deal Will Bolster Microsoft's Healthcare Solutions"
"Hype Cycle for Governance, Risk and Compliance Technologies, 2010"
"Market Share: Security, Worldwide, 2009"

"Hype Cycle for Identity and Access Management Technologies, 2010"
"Virtual Directories: Where Do They Fit In?"
"Magic Quadrant for Security Information and Event Management"
"Oracle and Sun: Managing IAM Under a Single Identity"
"Quest Software Acquires Voelcker Informatik: Standardizing Customization for IAM"
"Automation Hype vs. Manual Reality With User Provisioning"
"User-Provisioning Market: Definition and Description, 1H06"
"User-Provisioning Market: What You Need to Know (Market, Project and Product), 1H06"
"User Provisioning Is a Sound Foundation for Identity and Access Management"
"BMC Ends New .NET Identity Management Development"
"SAP Will Add Identity Management With MaXware Acquisition"
"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"

Acronym Key and Glossary Terms


AIMS Avatier Identity Management Suite
API application programming interface
BSM BMC Software's Business Service Management
EMEA Europe, the Middle East and Africa
ESSO enterprise single sign-on
GRC governance, risk and compliance
GRCM GRC management
IAI identity and access intelligence
IAM identity and access management
ILM Microsoft Identity Lifecycle Manager
ITIL IT Infrastructure Library
NAC network access control
OIM Omada Identity Manager
PAAM privileged account activity management
RACF Resource Access Control Facility
RBAC role-based access control
RFI request for information
RFP request for proposal
SaaS software as a service
SI system integrator
SIEM security information and event management
SLA service-level agreement
SMB small or midsize business
SOA service-oriented architecture
SOD segregation of duties
SPML Service Provisioning Markup Language
SSO single sign-on
VAR value-added reseller
VM virtual machine

Vendors Added or Dropped


We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets
change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or
MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope
one year and not the next does not necessarily indicate that we have changed our opinion of that
vendor. This may be a reflection of a change in the market and, therefore, changed evaluation
criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions


Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the
defined market. This includes current product/service capabilities, quality, feature sets, skills, etc.,
whether offered natively or through OEM agreements/partnerships as defined in the market
definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an
assessment of the overall organization's financial health, the financial and practical success of
the business unit, and the likelihood of the individual business unit to continue investing in the
product, to continue offering the product and to advance the state of the art within the
organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure
that supports them. This includes deal management, pricing and negotiation, pre-sales support
and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible
and achieve competitive success as opportunities develop, competitors act, customer needs
evolve and market dynamics change. This criterion also considers the vendor's history of
responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver
the organization's message in order to influence the market, promote the brand and business,
increase awareness of the products, and establish a positive identification with the product/brand
and organization in the minds of buyers. This "mind share" can be driven by a combination of
publicity, promotional, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be
successful with the products evaluated. Specifically, this includes the ways customers receive
technical support or account support. This can also include ancillary tools, customer support
programs (and the quality thereof), availability of user groups, service-level agreements, etc.
Operations: The ability of the organization to meet its goals and commitments. Factors include
the quality of the organizational structure including skills, experiences, programs, systems and
other vehicles that enable the organization to operate effectively and efficiently on an ongoing
basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to
translate those into products and services. Vendors that show the highest degree of vision listen
and understand buyers' wants and needs, and can shape or enhance those with their added
vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated
throughout the organization and externalized through the website, advertising, customer
programs and positioning statements.
Sales Strategy: The strategy for selling product that uses the appropriate network of direct and
indirect sales, marketing, service and communication affiliates that extend the scope and depth of
market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that
emphasizes differentiation, functionality, methodology and feature set as they map to current and
future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to
meet the specific needs of individual market segments, including verticals.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or
capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the
specific needs of geographies outside the "home" or native geography, either directly or through
partners, channels and subsidiaries as appropriate for that geography and market.

REGIONAL HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
U.S.A.
+1 203 964 0096

European Headquarters
Tamesis
The Glanty
Egham
Surrey, TW20 9AW
UNITED KINGDOM
+44 1784 431611

Asia/Pacific Headquarters
Gartner Australasia Pty. Ltd.
Level 9, 141 Walker Street
North Sydney
New South Wales 2060
AUSTRALIA
+61 2 9459 4600

Japan Headquarters
Gartner Japan Ltd.
Aobadai Hills, 6F
7-7, Aobadai, 4-chome
Meguro-ku, Tokyo 153-0042
JAPAN
+81 3 3481 3670

Latin America Headquarters
Gartner do Brazil
Av. das Nações Unidas, 12551
9° andar—World Trade Center
04578-903—São Paulo SP
BRAZIL
+55 11 3443 1509
