IGA Capabilities Summary

Last modified 09 Nov 2021 15:08 +01:00
Table columns: Capability; Function; Description; Capability in midPoint 4.4 (current); Capability in midPoint 5.0 (planned); Eventual midPoint ambition; Average capability in industry*; Best capability in industry*. For each function below, the description is followed by the notes from the midPoint and industry columns.

Identity Lifecycle Management

Identity lifecycle state model
Description: Maintenance of identity state (candidate, active, archived), management of state transitions (on-boarding, off-boarding), handling user registration, profile maintenance and data erasure.
- Basic identity lifecycle state model is implemented; however, it is not completely supported in the user interface.
- Automatic state transitions are not well supported; only simple onboarding/offboarding and registration cases are supported.

Maintenance of identity attributes
Description: Maintenance of identity model, schema and structure of identity attributes.
- MidPoint is completely schema-based; the schema definition is automatically reflected in all parts of the system. The schema is extensible.
- Schema is defined in XSD.
- Work is underway on the Axiom modeling language, to replace XSD.
- MidPoint 5 should be completely Axiom-based.

Identifier management
Description: Assignment of identifiers to identities, validation of the identifiers, maintenance of uniqueness constraints.
- MidPoint can handle almost all identifier types, including uniqueness checks. Primary and secondary identifiers are distinguished.
- Interactive selection of a unique identifier is not yet supported.

Credential management
Description: Management of passwords and other credentials, cryptographic keys, biometric information and so on.
- Basic password management is supported. MidPoint was designed to support other credential types; however, only password support has been implemented so far.

Support for diverse identity types
Description: Supporting both person and non-person identities, allowing several identity types with separate lifecycles and policies.
- Very flexible support for diverse identity types using archetypes, while still retaining a useful amount of built-in functionality for each identity type.
- User interface support for multiple archetypes, archetype transitions and archetype-specific schema is still somewhat limited.

Organizational structure
Description: Maintenance of information regarding organizational units and their structure. Managing assignment of identities to organizational units.
- Very flexible organizational structure support, allowing multiple parallel organizational structures. Policies can be directly connected to organizational units.
- User interface could be improved.

Personas
Description: Support for alternative identities of a person or other entity. Maintenance of the relationship between personas representing the same entity.
- Basic support for personas is available. It is quite Spartan, but it works.

Entitlement Management

Entitlement lifecycle management
Description: Creation, modification and deletion of entitlements (such as groups).
- Same mechanisms as are used for identity lifecycle, hence the same functionality level.

Maintenance of entitlement associations
Description: Maintenance of relations between user accounts and entitlements, such as maintenance of group membership. Interpretation of association attributes (e.g. group membership attributes).
- Entitlement associations (e.g. group membership) are native, built-in concepts in midPoint. The user interface takes advantage of that.
- User interface could be improved. Entitlement concepts could be better integrated with reporting and analytics.

Fulfillment

Identity resource management
Description: Maintenance of connection parameters and connector code for interaction with source/target systems. Inventory of identity resources and connectors, maintenance of state and schema. Identity schema discovery.
- Very powerful provisioning engine. Many details can be specified about identity resources, and they are used by all parts of midPoint (identity types, entitlements, capability simulation).
- Management of a large number of identity resources can be quite cumbersome.

Communication with remote systems
Description: Execution of create/read/update/delete (CRUD) operations in remote systems (identity resources). Implementation of communication protocols, adaptation of protocol differences, data type conversion. Execution of additional operations (e.g. provisioning scripts). Simulation of capabilities that remote systems do not support.
- Very powerful provisioning engine, using the ConnId framework to manage connectors.
- Limited mostly by the capabilities of the ConnId framework. E.g. complex attributes are not supported.
- Contributing to the ConnId project, evolving the framework. Adding more connectors.

Handling of fulfillment failures
Description: Detection, interpretation and handling of communication and configuration errors, communication security violations and similar failures. Managing operation retries, delayed operations and similar corner cases.
- Very good failure handling, incorporated deep into the system design. Operation retries, many consistency checks, immediate reaction to discovered inconsistencies.

Identity state tracking
Description: Tracking identity attributes, e.g. caching the attributes in the database of the IGA system. Tracking of identity status, including identities that do not exist in identity resources (e.g. accounts that were not created yet or were deleted recently).
- MidPoint relies mostly on on-line access to source and target systems, which is both an advantage and a limitation. Some attribute caching capabilities are available, yet they are still limited.

Management of manual fulfillment operations
Description: Managing the process of manual fulfillment, initiating manual operations, tracking operation state, communication with ITSM systems. Handling operation feedback (e.g. in case of semi-manual fulfillment).
- Manual fulfillment is supported and well integrated with the rest of the system.
- Interface modules to ITSM systems are still considered experimental.

Synchronization

Data feed management
Description: Management of (inbound) data feeds from source systems to the IGA platform. Real-time or almost-real-time detection and processing of changes. Handling of multiple data sources, making sure that information is properly merged.
- Thorough synchronization, addressing all data inconsistencies.
- Partial synchronization (update from only one data source) is problematic.
- Lightweight synchronization modes.

Reconciliation
Description: Comparing the real state of things (in source/target systems) with the data and policies in the IGA platform. Checks that fulfillment works (especially manual fulfillment), detection of account existence, attribute value checks, entitlement checks. Support for reconciliation of diverse identity types (users, applications, orgs, roles).
- Thorough reconciliation, addressing all data inconsistencies.
- Reconciliation is too "heavy", too resource-demanding.
- Lightweight reconciliation modes.

Data consistency management
Description: Maintenance of (eventual) data consistency. Detection of data inconsistencies discovered by various methods (data feed, reconciliation, opportunistic discovery). Reaction to discovered inconsistencies, with the aim of correcting them.
- Systemic, "by design" approach to consistency management.
- Support more exotic cases.
- Most systems are limited to simple error handling, without any considerable data consistency strategy.

Identity correlation
Description: Detection of data structures (accounts, entitlements) that represent the same identity. Execution of correlation rules or queries, probabilistic correlation and so on.
- Flexible correlation queries.
- Interactive identity correlation is very limited. Deterministic correlation only; probabilistic correlation is not supported.
- Interactive and probabilistic correlation.
- Most systems support only very simple correlation expressions, e.g. matching by the value of one attribute.

Orphan detection
Description: Detection of accounts (and other data) without an owner or equivalent responsible entity. Reaction to such situations, usually leading to establishing an owner or deleting/disabling the account.
- Functionality integrated with other synchronization functions.
- Orphan detection relies on full reconciliation, which is quite heavyweight.
- Lightweight synchronization modes.

Policy and Role Management

Role-based policies
Description: Policy definition based on roles, such as the role-based access control (RBAC) mechanism.
- All the usual and non-usual mechanisms are supported. Good extensibility.
- User interface is very technical.

Role structure
Description: Organization of roles for easier access and definition. Using mechanisms such as role hierarchies, role catalogs and metaroles.
- Very powerful mechanisms, such as metaroles.
- User interface is very technical; mechanisms are somewhat complex.

Role modeling and governance
Description: Creation and efficient maintenance of role definitions. Management of role lifecycle, role ownership, role model versioning and curation, review and approval process.
- Roles are very powerful.
- It is not easy to create and maintain role definitions. User interface is very technical. Roles are maintained individually; there is no concept of a role model.

Segregation of Duties
Description: Policy prohibiting dangerous combinations of privileges.
- Taking advantage of the powerful mechanism of policy rules.
- It is not easy to configure complex scenarios, e.g. class exclusion.

Automatic role assignment
Description: Automatic assignment and unassignment of roles, usually using a set of rules.
- Re-using the expression mechanism that is used throughout the whole system.
- No easy-to-use user interface to specify autoassignment rules.

Deputy management
Description: Ad-hoc delegation of rights from user to user, usually for a short period of time.
- Users can specify an ad-hoc deputy for a specified duration.
- User interface could be improved.

Access Request

Access request user interface
Description: User interface for common users, allowing them to compose a request, usually containing roles. Such user interfaces often follow the electronic shopping (shopping cart) paradigm, organizing available roles in categories, with user-friendly role search, request policy validation, and so on. Support for request state tracking after request submission. Requesting unassignment of roles.
- Powerful user interface based on the shopping cart paradigm, allowing many request options.
- The user interface is somewhat complex; user experience could be improved. Policy violations are not reported during selection.

Management of approval schemes
Description: Definition of approval schemes, definition of approval levels/stages, approver groups for each level/stage, optional approval levels/stages and so on. Definition of schemes per role type or group, scheme variations for sensitive roles, risk-based approval schemes and so on.
- Flexible policy-based approval mechanism, dynamically computing approval steps based on policy.
- Administration user interface is very technical.

Execution of approval processes
Description: Execution of approval schemes: driving an access request through approval levels/stages. Human interaction with approvers, presenting the request in human-friendly form to approvers. Handling of approver decisions (approve/deny), free-text communication (approver comments). Optional forwarding of requests to be processed by another person.
- Approval mechanism integrated with case management mechanisms.
- User interface can be improved. No option to integrate with workflow/ITSM systems.
- Improve case management user interface.

Maintenance of approval accountability record
Description: Record of the access request and approval process for accountability (auditing) purposes. Recording the metadata (who has requested, who has approved, when and so on).
- Approval decisions are recorded in the unified audit log mechanism.
- User interface for approval audit records can be improved.

Immediate fulfillment of approved requests
Description: Immediate creation of accounts, associating them with entitlements according to the results of the request and approval process.
- Requests are fulfilled immediately, using the usual mechanisms, automatic or manual provisioning.

Identity Workflow Automation

Remediation of policy violations
Description: An action taken to remedy a policy violation, getting the system back to the state of full policy compliance. The action follows up on the detection of a policy violation. Remediation actions are often manual actions taken by a human user.
- Basic framework (policy rules) is present; some automatic remediation actions are available. However, manual remediation processes are not available.

Case management
Description: Keeping a record of cases, specifying a problem that needs to be resolved, usually in an unstructured way. Cases are usually used to record policy violations, role definition problems, high-risk situations and so on. A case often assumes that there is no pre-defined algorithm or workflow pattern that could be used to resolve the problem. The solution is provided by the users, cooperating and communicating on the case.
- Approval mechanism integrated with case management mechanisms.
- User interface can be improved. No option to integrate with workflow/ITSM systems.
- Improve case management user interface.

Process management
Description: Keeping track of _processes_, with the aim of resolving a specific problem in a structured way. The processes are usually based on human interaction (workflow). This approach assumes that there is a structured, pre-defined pattern of interaction of specific users that leads to problem resolution.
- A workflow engine was present in midPoint almost since the beginning, but it was deliberately removed.

Escalation
Description: Ability to re-assign a case or process step to a new assignee in case the original assignee did not take action within a specified time. Escalation is often used to bring the attention of managers and leaders to an issue that is not resolved within its usual time-frame.

Notifications
Description: Ability to inform a user that a specific action has taken place. An e-mail message informing the user about new accounts or entitlements is perhaps the most common form, yet notifications may be implemented in a variety of ways.
- Configuration is not really user-friendly. No in-app notifications.

Access Certification

Full certification campaign
Description: Certification done on a large scale. Certifying access of a large group of users, typically distributed among many certifiers. Campaigns are usually executed periodically and have a limited time duration.
- User interface is slightly outdated and somewhat complex.
- While certification campaigns are necessary, the bulk of certifications should be done by microcertifications.

Microcertification
Description: Certification done on a very small scale. Typically certifying access of a single user, done by one or just a couple of certifiers. Microcertifications are usually triggered by identity lifecycle events (such as organizational change) or changes in the risk landscape.
- Microcertifications are triggered by policy rules.
- Integrated with the very powerful policy rules mechanism, providing unified policy definition.
- Only microcertifications based on assignment change (e.g. re-organizations) are working in practice. No support for risk-based microcertifications.
- Risk-based microcertifications are definitely the way to go.

Certification of role definitions
Description: Process to certify role definitions, to make sure they are still applicable.
- Certification of role definitions uses the same mechanism as access certification.
- No support for role conditions, autoassignment rules and so on.

Auditing

Recording audit trail
Description: Recording identity-related operations and events. Recording business-level information in a structured data format.
- Recording every change in the unified audit log, including all configuration and policy changes.
- The audit log record is slightly complex and may be quite big.

Basic audit trail access
Description: User interface to access audit trail records, using simple queries and filtering.

Complex audit reporting
Description: Advanced reporting, based on interpretation of audit records in context, correlating and computing values. Reports providing "time machine" functionality, computing values as they were in the past. Forensic reports and analytics.

Audit integration
Description: Moving data to external systems, such as security information and event management (SIEM) systems, data warehouses, etc. Providing functions to export, pump or access audit record data by external systems. Documentation of data structures and formats.
- The audit database table is exposed as an integration point.

Metadata maintenance
Description: Setting and maintaining auditing-related metadata, such as dates of object creation and modification. Maintaining summarized and automatically-computed data.

Identity Analytics and Reporting

Customizable reports and visualizations
Description: Reports, selecting and summarizing identity data. Customization of report structure and look. Structured machine-readable reports, aimed at post-processing. Dashboards, providing a quick data overview. Visualization, presenting the data in an interactive, human-friendly form.

Risk assessment
Description: Definition, maintenance and automatic evaluation of a risk model based on identity data. Evaluation of overall risk levels, per-user risk levels, and risk-based analytics.

Risk-based triggers
Description: Triggering events based on risk analysis, such as initiating remediation actions, microcertifications and notifications. Using risk information in processes, such as approval processes.

Anomaly detection
Description: Detection of data that stand out from their surroundings (_outlier detection_), such as users that have different privileges than their colleagues. Detection of suspicious combinations of privileges, such as detection of over-privileged users.

Compliance management
Description: Organization of policies that represent compliance frameworks, evaluation of compliance levels, identification of compliance violations. Monitoring progress of compliance (addressing policy violations). Partial enforcement of policies (enforcement modes), allowing gradual introduction of new policies. Evaluation and reporting of policy compliance. Initiating remediation of policy violations.
- Taking advantage of the powerful mechanism of policy rules.
- No easy-to-use user interface to specify the rules and create reports. No out-of-the-box configuration for compliance frameworks.

Simulation
Description: Simple preview of the effect of a change (number of changed objects). Large-scale simulations, estimating the results of many changes on many objects (such as role model changes, re-organizations). Thresholds, stopping an operation if the number of changes is unusually high. Interactive "what if" analysis.
- Basic preview of a single operation is available. However, complex simulation or analysis functions are not present.

Role mining
Description: Suggesting role definitions by analyzing similarities in attributes and entitlements.

* Most IGA platforms in the industry are closed-source software. Almost all the platforms are jealously guarded. It is almost impossible to get unlimited access to evaluation versions, documentation, or even a demo of the platform. Most of the information published by the vendors is marketing in nature. There is a very limited amount of technical documentation available. This makes it very difficult to make any reliable evaluation of the vast majority of IGA platforms, even for experienced IGA experts. Therefore please take the evaluation for what it really is: not much more than a wild guess.