NWC | Review | Business Applications | RFI: eProvision Has All the Right Moves |


				HOT PICKS • U.S. IT Salary Survey 2008 • Rolling Review: SOA Appliances • XKL Brings New Life To Dark Fiber

IMMERSE YOURSELF:

Storage & Servers

R E V I E W

RFI: Employee Provisioning Software: eProvision Has All the Right Moves

August 19, 2002
By Lori MacVittie

>> continued from previous page

Other Products Reviewed

	Issue TOC
	Print full article
	Print this page
	Download as PDF
	E-Mail this URL
	Flame the author

	In this article
	Introduction
	Self-Service
	Business Layers eProvision Software 3.0
	Other Products Reviewed
	RFI Scenario: Stuff4U
	Full Responses To RFI
	ROI Chart
	Report Card

Waveset Technologies Lighthouse 2.0 | Access360 enRole 4.2 | Novell Identity Provisioning for Employees

Waveset Technologies Lighthouse 2.0

With a large number of production systems, we needed a nonintrusive provisioning solution. Waveset Technologies' Lighthouse 2.0 fills that bill. This technology is truly agentless and employs a flexible, J2EE architecture. The product's unique metadata storage approach, which stores limited authentication information centrally rather than replicating it locally, saved storage space, but we were concerned about synchronization efforts and the implications for a truly distributed deployment model. We also were more impressed with the escalation procedures found in the offerings from Business Layers and Access360.

Lighthouse 2.0 has an abundance of deployment platform choices. Although it has flexible, role-based functionality, it also provides for enterprises that are not yet ready to migrate to a completely role-based solution, such as Access360's product. Waveset's solution, like the rest of the competitors, can import account and resource information from managed systems to reduce the time to implementation.

Like Novell's Identity Provisioning for Employees, Lighthouse offers mapping features that can match accounts from disparate systems to a single identity automatically, based on information garnered from attributes. Given employee John Smith with a social security number of 123-45-6789 and a distinct phone number, for example, both systems can try to match accounts to a single employee identity. For accounts that cannot be mapped automatically because of differences in name-space policies, the admin can assign the accounts to an employee. Lighthouse also lets employees identify accounts manually, by specifying the location of the account and entering the correct user name and password, something its competitors don't do.

With its agentless architectural model, Lighthouse also offers gateways in situations where secure protocols are not available for remote resource management, such as Microsoft Active Directory Services (ADS). These gateways are remote agents that can be deployed on servers and can manage multiple ADS installations.

Waveset quoted a $450,000 list price for the Stuff4U rollout and offers a 30-day money-back guarantee program for up to 5,000 users.

Lighthouse 2.0, Waveset Technologies, (512) 338-1818, (866)-WAVESET. www.waveset.com

Access360 enRole 4.2

Another completely Web-based solution, Access360's enRole 4.2 has excellent integrated workflow tools. The drag-and-drop interface is easy to understand and manipulate, making the creation of an approval process a breeze. But at $600,000, this product was too rich for our blood.

All four vendors indicated that their products could interface with existing workflow products; Waveset adheres to the workflow interoperability standards established by the Workflow Management Consortium.

EnRole lets you configure teams and groups for integration into the approval process, as does Business Layers' eProvision. EnRole requires an agent to communicate with every system, but like Novell's and Business Layers' products, does not require that the agent reside on the managed system. This is important because it is often neither desirable nor feasible to install an agent on the managed system.

The downside to employing an agent that resides on the provisioning server to manage a remote host is that security is often compromised. Access360 uses PKI x.509 certificates between server and remote agents, but this security measure is lost when deploying server-side agents as opposed to remote agents. Waveset uses PKCS5 cell padding, 168-bit 3DES encryption and full CHAP-like bidirectional authentication. Novell says it does encrypt data but did not describe its methods, and Business Layers uses either SSL or SSH.

enRole 4.2, Access360, (949) 255-3100, (877) 742-6400. www.access360.com

Novell Identity Provisioning for Employees

Novell Identity Provisioning for Employees is perhaps the most flexible of the systems we reviewed, but the solution requires the use of XSLT (Extensible Stylesheet Language Transformations) and would have taken too long to implement. Because it would be necessary to write the transformations by hand, the training time would be greater with the Novell solution than the other products.

As our remote sites are retail stores with a high level of turnover, we liked having the flexibility to fully manage remote sites as independent entities with only minimal attribute flow between each site and headquarters.

Novell's distributed architecture and granularity of control would have served our scenario well in this respect. Not only does the product allow for distributed LDAP trees, but each tree can be managed individually while the solution manages only the configured pieces of the system. This architecture beats Business Layers' and Access360's centralized storage models.

Novell's Identity Provisioning for Employees is based on its eDirectory and DirXML products, and can be deployed on Windows 2000/NT, Linux, AIX and NetWare. We liked the flexibility of deployment options.

Unfortunately, Novell's solution is missing password self-service and reporting features, so we took it out of the running for Stuff4U. We were also looking for an easy-to-use workflow process. While Novell's use of XSLT provided the highest level of flexibility, this implementation would hamper implementation because nontechnical business users must be involved. We were impressed with Novell's honesty. For example, only Novell admitted that some business-process change might be necessary at some point.

Novell Identity Provisioning for Employees costs $35 per user for a Phase 1 implementation. For our scenario, 5,000 users on four target systems, Novell put the price at $175,000. Although the price is lowest, that factor could not make up for the product's lack of password self-service.

Identity Provisioning for Employees, Novell, (801) 861-7000, (800) 453-1267. www.novell.com

Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at lmacvittie@nwc.com.