What tools exist for identity management w/ Active Directory? [closed]

What products do you use to manage identity propagation in your environment?

For example, Joe gets hired at the company. HR inputs Joe's profile in the HR employee management application. A ticket is passed to IT to manually create Joe's Active Directory account, add a bunch of user groups for his job role. They will also manually create Joe's accounts in other disparate systems that don't authenticate with Active Directory. By the time Joe gets all his access, he's already wasted a week on company time twiddling his thumbs and surfing the webs.

Then one day, they found pr0n on Joe's PC, dated back to his first week on the job, and so they showed him the door. Now, all the same people have to repeat the work to undo Joe's access in all the systems he had access to.

The same process also repeats if someone changes job roles, such as to another department.

What I'm looking for is a tool designed for sysadmins to manage user accounts such that changes like these can be fully automated once they're changed in the master database (HR application, in this example).

I'm aware of Microsoft's ILM 2007, and its predecessor MIIS. I find these products poorly documented, entirely too difficult to manage, and I've found almost no support online.

What products might meet these criteria?
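The joiner/mover/leaver flow the question describes is, at its core, a reconciliation between the HR system of record and the accounts that actually exist in the directory. The following Python sketch is an added example, not code from the question or from any of the products named on this page: it diffs a constructed HR export against a constructed snapshot of directory accounts and emits the actions an identity connector would carry out (create, enable, disable, add/remove group). The role-to-group mapping, the record fields and all sample employees are assumptions made for the illustration.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and a directory.

Added example (not from the question or any vendor's product). Compares an
HR system of record against the accounts currently in a directory such as
Active Directory and lists the provisioning actions a sync job would take.
All records are constructed sample data; ROLE_GROUPS is an assumption.
"""
from dataclasses import dataclass, field


# Assumed mapping from HR job role to the directory groups that role needs.
# Entitlements are derived from the role, so a role change (mover) both
# grants the new groups and revokes the old ones: least privilege by default.
ROLE_GROUPS = {
    "accounting": {"All-Staff", "Finance-Users", "ERP-GL"},
    "helpdesk": {"All-Staff", "IT-Helpdesk", "Remote-Desktop-Users"},
    "sales": {"All-Staff", "CRM-Users"},
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class DirectoryAccount:
    employee_id: str
    sam_account_name: str
    enabled: bool
    groups: set = field(default_factory=set)


def reconcile(hr_feed, directory):
    """Return a list of (action, employee_id, detail) tuples.

    create   joiner: active in HR, no directory account yet
    enable   active in HR but account is disabled (e.g. rehire)
    add      mover: role requires a group the account lacks
    remove   mover: account holds a group the role does not grant
    disable  leaver: terminated in HR, or no HR record at all (orphan)
    """
    actions = []
    by_emp = {acct.employee_id: acct for acct in directory}

    for rec in hr_feed:
        acct = by_emp.get(rec.employee_id)
        if rec.status == "active":
            wanted = ROLE_GROUPS.get(rec.role, set())
            if acct is None:
                actions.append(("create", rec.employee_id, ",".join(sorted(wanted))))
                continue
            if not acct.enabled:
                actions.append(("enable", rec.employee_id, acct.sam_account_name))
            for group in sorted(wanted - acct.groups):
                actions.append(("add", rec.employee_id, group))
            for group in sorted(acct.groups - wanted):
                actions.append(("remove", rec.employee_id, group))
        elif acct is not None and acct.enabled:
            actions.append(("disable", rec.employee_id, acct.sam_account_name))

    # Enabled accounts that HR knows nothing about are orphans; the leaver
    # process should catch them too rather than leave them active forever.
    hr_ids = {rec.employee_id for rec in hr_feed}
    for acct in directory:
        if acct.employee_id not in hr_ids and acct.enabled:
            actions.append(("disable", acct.employee_id, acct.sam_account_name))
    return actions


def sample_hr_feed():
    """Constructed HR export: one joiner, one mover, one leaver."""
    return [
        HrRecord("E100", "Joe Newhire", "accounting", "active"),
        HrRecord("E200", "Ann Mover", "sales", "active"),  # was helpdesk last week
        HrRecord("E300", "Bob Leaver", "accounting", "terminated"),
    ]


def sample_directory():
    """Constructed directory state before the sync run."""
    return [
        DirectoryAccount("E200", "amover", True,
                         {"All-Staff", "IT-Helpdesk", "Remote-Desktop-Users"}),
        DirectoryAccount("E300", "bleaver", True,
                         {"All-Staff", "Finance-Users", "ERP-GL"}),
        DirectoryAccount("E400", "svc_old", True, {"All-Staff"}),  # no HR record
    ]


def run_sample():
    """Run the reconciliation over the constructed data."""
    return reconcile(sample_hr_feed(), sample_directory())


if __name__ == "__main__":
    for action, emp, detail in run_sample():
        print(f"{action:8} {emp:6} {detail}")
```

Running it prints one line per action: a create for Joe with the accounting groups, an add and two removes for the mover, and disables for both the terminated employee and the orphan account. A real connector would then apply those actions with the directory's own tooling and write each one to an audit log; the value of the pattern is that the HR record, not a ticket, drives every change.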


I work as a consultant doing Identity Management implementations.

There are a number of products out there. Oracle, Sun, IBM, Courion, Novell all make Identity Management products.

It always looks like an easy idea at the time, and each vendor makes it seem easy, but the back-end business processes make it much harder than it ought to be. I.e., there is no such thing as a default install. Everybody requires some silly customizations.

As for MS ILM, they have delayed ILM 2 till some time in 2010 now, and the version I did training on back in December was pretty darn weak at the time.

I primarily use Novell Identity Manager for customers, and we find it very effective. Others who do Oracle or Sun products usually feel and say the same thing.

You should identify what connected systems you want to link. (I.e., what is your HR program? Active Directory, and anything else? Do any other systems store identity?) Then, with a list of the systems you want to connect, you can look at products to see how well they handle them.


Wikipedia entry on Novell Identity Manager has several suggestions. http://en.wikipedia.org/wiki/Novell_Identity_Manager