
But make no mistake: These tools require a considerable planning and implementation effort; there's no application you can buy to avoid the tough groundwork. You must understand which resources need to be protected, define the job roles in an organization, and map the two together. Even in relatively small systems, the chore of identifying and naming resources--systems, directories, files, data sets and the like--can be mind-numbing.
A complicating factor is that you can't use one program to manage users and resources across multiple platforms; you need a suite of tools. Within these suites, user administration and resource management are treated separately. The best solutions enable these functions to share a data repository, a messaging system and a set of APIs--in other words, they provide a common framework for policy management. This approach pays off as other security tools join the mix. For example, intrusion-detection, user-management and security-policy management products can fall under a common event-management system that alerts appropriate personnel or takes direct action automatically.
We tested CA's ProtectIT and DirectIT, which are both built around the Unicenter TNG framework; PLATINUM's ProVision AutoSecure Enterprise Security Administration and ProVision AutoSecure Access Control for Unix and NT, built on the PLATINUM Open Enterprise Management Services (POEMS) integration technology; and Tivoli's Enterprise Management Framework, User Administration and Security Management.
All are large product suites, and the decision to adopt any one of them has far-reaching implications. As CA points out, "More than a product, ProtectIT is a strategy." That statement may sound like marketing claptrap, but it's true: Your selection commits your organization to rolling out a vendor's software for years to come.
In essence, these products are policy-creation and -enforcement tools. They augment or replace native tools, such as Windows NT's User Manager for Domains, Unix's /etc/passwd and NIS administration, and NetWare's NWAdmin utility. They move all associated data into their own centralized database and feed the target systems as needed, creating the corresponding user accounts on each platform from one back-end user directory. They also control access to files and directories from the same common repository, so a single policy change propagates to every platform it applies to.
The systems can delegate administration to limited-capability managers on each platform. To take one simple example, they enable a helpdesk operator to reset user passwords without controlling the file system. This kind of hierarchical administration has been difficult to achieve under Unix, where the root account traditionally controls all aspects of the system, or on NT systems, which suffer from similar problems.
These framework-based suites also gather control over system resources (files, directories and system processes) into a common database, which is abstracted from the host operating system. For example, a Unix or NT directory with employee records for a New York branch office may be defined under the identifier "nyc-emprec" and individual user-access controls may be applied. To make these relationships more scalable, users are typically grouped into roles, with individual access-control lists applied to role members. Tivoli offers especially flexible grouping of both system resources and user roles.
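The three ideas in the preceding paragraphs (one back-end directory that feeds accounts to each platform, delegated administration that lets a helpdesk role reset passwords without touching the file system, and platform-neutral resource identifiers such as "nyc-emprec" with access controls attached to roles) fit together in a small model. The following is an added example written for this article, not code from CA, PLATINUM or Tivoli; the class and function names, the user and role names, and the native paths are all assumptions made up for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    ident: str      # platform-neutral identifier, e.g. "nyc-emprec"
    native: dict    # platform -> native location (hypothetical paths)


@dataclass
class User:
    name: str
    platforms: set = field(default_factory=set)   # where an account is needed
    roles: set = field(default_factory=set)       # job roles, not per-user ACLs
    password_hash: str = ""


class PolicyRepository:
    """Central store of users, roles, resources and the ACLs that bind them.
    Native platforms are fed from here; nothing is edited on the host directly."""

    def __init__(self):
        self.users = {}
        self.resources = {}
        self.role_acl = {}     # role -> {resource ident: set of permissions}
        self.admin_ops = {}    # role -> delegated administrative operations

    def add_user(self, user):
        self.users[user.name] = user

    def add_resource(self, res):
        self.resources[res.ident] = res

    def grant(self, role, ident, perms):
        # Access is granted to a role on an abstract resource, never to a user on a path.
        if ident not in self.resources:
            raise KeyError(f"unknown resource {ident}")
        self.role_acl.setdefault(role, {}).setdefault(ident, set()).update(perms)

    def delegate(self, role, ops):
        # Limited-capability administration: a named set of operations, nothing more.
        self.admin_ops.setdefault(role, set()).update(ops)

    def permissions(self, username, ident):
        perms = set()
        for role in self.users[username].roles:
            perms |= self.role_acl.get(role, {}).get(ident, set())
        return perms

    def can(self, username, ident, perm):
        return perm in self.permissions(username, ident)

    def may_admin(self, username, op):
        return any(op in self.admin_ops.get(r, set())
                   for r in self.users[username].roles)

    def reset_password(self, actor, target, new_hash):
        # The helpdesk operator case from the article: allowed by delegation only.
        if not self.may_admin(actor, "reset_password"):
            raise PermissionError(f"{actor} may not reset passwords")
        self.users[target].password_hash = new_hash
        return True

    def provision(self, platform):
        """Accounts the named platform should carry, derived from the one directory."""
        return sorted(u.name for u in self.users.values() if platform in u.platforms)

    def native_acl(self, platform):
        """ACL entries (native path, user, perms) to push to the named platform,
        resolved from the abstract identifier and the users' roles."""
        entries = []
        for res in self.resources.values():
            path = res.native.get(platform)
            if path is None:
                continue
            for name in sorted(self.users):
                if platform not in self.users[name].platforms:
                    continue
                perms = self.permissions(name, res.ident)
                if perms:
                    entries.append((path, name, "".join(sorted(perms))))
        return entries


def build_demo():
    """Constructed sample policy: one HR directory on two platforms, three users."""
    repo = PolicyRepository()
    repo.add_resource(Resource("nyc-emprec",
                               {"unix": "/data/hr/nyc", "nt": r"\\HRSRV\nyc"}))
    repo.add_user(User("alice", {"unix", "nt"}, {"hr-clerk"}))
    repo.add_user(User("bob", {"unix"}, {"developer"}))
    repo.add_user(User("carol", {"nt"}, {"helpdesk"}))
    repo.grant("hr-clerk", "nyc-emprec", {"r", "w"})
    repo.delegate("helpdesk", {"reset_password"})
    return repo
```

The point to check in such a model is the separation the article describes: carol's helpdesk role can reset alice's password, but `native_acl("nt")` grants carol nothing on `\\HRSRV\nyc`, and bob, who holds no delegated operation, is refused the reset outright. Adding a user to a role changes both the accounts each platform should have and the ACL entries pushed to it, without anyone naming a native path a second time.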
Tivoli takes the most hands-off approach to native operating system security of the suites we tested, seeking to avoid altering base operating systems too much; the one exception is for Tivoli Access Control Facility (TACF), its own security-control mechanism for Unix. Only Computer Associates offers a custom WINLOGON screen for NT; CA also expects administrators to stop using NT's native User Manager for Domains. PLATINUM offers essentially the same Unix technology as Tivoli, but it makes dramatic alterations to Windows NT security to accommodate its own AutoSecure Access Control for NT. Regardless of the strategy, all three vendors keep local security databases updated for fallback should their own mechanisms be removed.
Although a detailed pricing comparison for these systems would be too subjective to be valuable, we asked vendors to submit pricing for four scenarios, ranging from very small (four servers and 100 clients) to very large (2,000 servers and 30,000 clients). In general, we found the Computer Associates products to be extremely affordable; prices begin at several thousand dollars and are substantially lower than the alternatives. Tivoli's offerings were the most expensive, but the vendor's approach to systems management goes far deeper than just the security suites we focused on here.