RFI: Employee Provisioning Software: eProvision Has All the Right Moves

In response to our RFI, four vendors brought samples of their EUA software into our labs for hands-on testing. Top honors went to Business Layers eProvision thanks to its flexibility

August 12, 2002


Stuff4U needs self-service password management, workflow integration, and auditing and reporting capabilities. It also wants to implement a centralized zero-day start/stop provisioning environment. Given our scenario, we would likely choose Business Layers' eProvision solution, and we gave that company our Editor's Choice award. Business Layers provided everything we wanted: password and resource self-management and integration with virtually any custom or off-the-shelf system. Its pricing offered an acceptable ROI of 19 months, according to our calculations.

Our Budget

As with everyone, Stuff4U's budget is limited this year. The solutions for our scenario ranged from $175,000 to $600,000--expensive even at the low end, and without including professional services costs--so we were forced to consider which vendor would provide the best functionality and highest return on investment. Self-service and automation features carry the most and quickest returns, so our calculations focused on those features.

[Figure: Employee Provisioning Vendors at a Glance]

Because of Stuff4U's high turnover rate and the large number of nontechnical employees logging a high volume of password-related helpdesk calls, we calculated a potential 30 percent reduction in expenses in these areas with the automation of the provisioning process and reduction in helpdesk calls.

While Novell's solution was the least expensive to implement ($175,000 for our PeopleSoft, Novell 5, Windows NT 4.0 and Lotus Domino systems), only its automation features would provide us with any return because the product lacks integrated self-service management. Without that component, Stuff4U would need almost two years to get a return on investment. Meanwhile, Access360's enRole can address Stuff4U's helpdesk issues with self-service support, so at five times the cost of Novell's product ($600,000), it would take about 30 months to realize a full ROI. Both Business Layers' eProvision and Waveset's Lighthouse were more affordable initially, with implementations taking 20 and 26 months, respectively, to realize ROI. (For more on our ROI calculations, see our ROI Chart).

Workflow Integration

Being able to provision an employee in less than a day is almost as important as the requirement that an employee be deprovisioned quickly and completely. Each of the products in our review can receive a feed from an HR system (such as PeopleSoft) and act upon the information received. When a new employee's data is entered into the HR system, it is fed into the product and the provisioning process begins. Changes to an employee's status are also picked up and applied throughout that person's career with the company.

Workflow and approvals are part of that process. While basic access across the enterprise may be provisioned automatically, administrators may still want control over some other systems. Or, while you may want the provisioning solution to manage the process, you may still want account creation and modification to remain manual. We desired flexibility in this area; some systems required approval from the system administrator, while others were provisioned without any intervention.

Stuff4U also needed to deal with situations in which the primary approver of a resource may be unavailable. We wanted to be able to escalate an approval that wasn't received in a specified period of time--a capability often found in network-management systems. We were pleased by enRole's ability to define team-based approvals and escalation support. This feature is especially helpful where a team of employees provides approval or authorization of resources. Waveset's Lighthouse also offered compelling support for this procedure but required us to define a specific role or employee for escalation and approval.

The tools available within enRole, Lighthouse and eProvision for defining the workflow process impressed us. All three products are Web-based and offer a robust, graphical method of capturing the business process and provisioning policies. A nontechnical business manager could use any of these solutions to define the process easily. Novell's Identity Provisioning for Employees is more flexible than the others, but nontechnical employees will have difficulty using it. To solve this shortcoming, Novell says it is developing a graphical way to construct rules.

Before meeting with the vendors, we were concerned that Stuff4U would have to change its provisioning practices and policies. All the responses indicated that this would not be necessary; the products can handle both role- and rule-based provisioning policies. In later discussions, Novell said that though Stuff4U wouldn't need to change processes in the first phase of implementation, it may become necessary as custom and legacy applications are integrated with the system. Our instincts told us this might be true across the board, but only Novell admitted this might be the case. If we had a "straight-talking vendor award," Novell would win it hands down.

Self-service, which provides quick ROI and great convenience, includes password resets, synchronization of passwords across systems and requesting additional resources. With more than 5,000 employees, Stuff4U desired a solution that would reduce password-related helpdesk calls.

Because self-service is generally offered via a Web-based interface, tight security is required. For each solution, we evaluated the mechanisms for ensuring that employees are identified and authenticated before being allowed to manipulate their passwords. All but Novell's solution provide extensive mechanisms for managing this process. Employees who forget their passwords can be challenged through a series of questions from a supplied list containing queries such as "What was your childhood pet's name?"

Requiring correct answers to specific questions coupled with correct answers to a number of randomly chosen questions affords Stuff4U adequate security surrounding the employee-driven reset of a forgotten password. Novell says the next release will include this feature.

Policy Enforcement

Novell took the lead in policy enforcement and flexibility by offering extremely fine-grained control over the flow of information between systems. With a robust graphical interface and a manual creation method, Novell's solution lets you define authoritative sources of information and restrict the flow of data between systems down to the attribute level. We could allow specific attributes from a PeopleSoft system to flow into eDirectory--the backbone of Novell's solution--and restrict all other systems from modifying the HR-controlled attributes, such as the employee's name, title and date of birth.

[Figure: Employee Provisioning Software Features]

Novell's solution restricts the information flow at the agent level, while other products require a workflow process within the provisioning system to act. Every solution let us reverse the changes, notify administrators or accept the changes, but Novell's approach offers the tightest control. In this regard, Novell's solution has the most secure method of maintaining resource integrity across all systems. This is one of the advantages of an agent-based system, which requires each managed system to have a small-footprint agent--deployed on the provisioning server or on the server hosting the managed system--that communicates with the provisioning server to provide policy enforcement and general provisioning functionality. Agentless systems, by comparison, use secure versions of common protocols, such as LDAP, ODBC or SSH, to communicate with the managed system.

With 80 stores, Stuff4U must keep account management centralized and automated, so users at remote locations can't create rogue accounts. We examined all solutions for their ability to notify administrators of unauthorized account creation or modification and reverse the changes automatically. All four solutions perform this task, so all integrated systems may be managed centrally while authoritative systems keep control of certain employee attributes. For example, Stuff4U's PeopleSoft maintained control of an employee's title and position; no other system could modify that information.
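The attribute-level enforcement and rogue-account handling described above can be sketched as follows. This is an added example, not code from the article or from any of the reviewed products; the system names, the event format and the default-deny rule for unlisted attributes are assumptions.

```python
import copy
from dataclasses import dataclass
from typing import Optional

# Assumed policy: the only system allowed to write each identity attribute.
# Attributes not listed here are rejected from every source (default deny).
WRITERS = {
    "name": "peoplesoft",
    "title": "peoplesoft",
    "position": "peoplesoft",
    "mail": "domino",
}


@dataclass(frozen=True)
class Event:
    system: str                  # managed system that reported the change
    account: str                 # account name on that system
    attribute: Optional[str]     # None means "account was created"
    value: Optional[str] = None


def reconcile(identities, events):
    """Apply change events to the central identity store.

    Returns (action, event, detail) tuples. "revert" and "disable" are the
    cases an administrator would be notified about.
    """
    # Index of centrally provisioned accounts: (system, account) -> employee.
    owner = {acct: emp for emp, rec in identities.items()
             for acct in rec["accounts"]}
    actions = []
    for ev in events:
        emp = owner.get((ev.system, ev.account))
        if emp is None:
            # Nobody provisioned this account centrally: treat it as rogue.
            actions.append(("disable", ev, "account was not provisioned centrally"))
            continue
        if ev.attribute is None:
            continue  # creation of an account the provisioning system made
        attrs = identities[emp]["attrs"]
        if WRITERS.get(ev.attribute) != ev.system:
            # Non-authoritative write: push the stored value back downstream.
            actions.append(("revert", ev, attrs.get(ev.attribute)))
        else:
            attrs[ev.attribute] = ev.value
            actions.append(("accept", ev, ev.value))
    return actions


# Constructed sample data (not from the article).
IDENTITIES = {"E1001": {
    "attrs": {"name": "Pat Doe", "title": "Store Manager"},
    "accounts": {("peoplesoft", "E1001"), ("nds", "pdoe"), ("domino", "pdoe")},
}}
EVENTS = [
    Event("peoplesoft", "E1001", "title", "District Manager"),  # authoritative
    Event("nds", "pdoe", "title", "Administrator"),      # non-authoritative
    Event("nds", "tempadmin", None),                     # created at a store
    Event("domino", "pdoe", "badge_level", "9"),         # unlisted attribute
]


def demo():
    store = copy.deepcopy(IDENTITIES)
    summary = [(a, ev.system, ev.account, d)
               for a, ev, d in reconcile(store, EVENTS)]
    return summary, store
```
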

Auditing and Reporting

As is true of many retailers, Stuff4U has high employee turnover. Therefore, system administrators must stay on top of the activity regarding all aspects of provisioning--especially revocation. We evaluated each solution's audit logs and activity reports.

Only Novell's product lacks integrated reporting tools. Novell's auditing logs are highly configurable but require third-party solutions, such as Crystal Reports, to analyze and report on the data. Business Layers provided an integrated Crystal Reports engine, with a large number of preconfigured reports offering plenty of views of provisioning activity. Access360 also provided a lengthy list of preconfigured reports and could specify reports tailored to Stuff4U's needs.

Business Layers' eProvision offers the easiest integration with both custom and off-the-shelf systems. Out of the box, its integrated workflow feature was one of the most flexible of the lot. EProvision offers password and resource self-service, and tops off its solution with a robust Web-based management system. At $237,000, eProvision's price comes in above Novell's, but it offers a much faster time to deployment and isn't missing any major features. This solution would be the first we would consider when bidding for EUA systems.

EProvision uses any LDAP directory as its local data store and requires a relational database for persistence of audit logs, transactions and workflow data. Its unique view of business and IT profiles as separate entities pushed it ahead of the competition. Rather than implementing an RBAC (role-based access control) solution, as Access360's enRole does, eProvision defines business profiles and associates them with one or more IT profiles. A business profile comprises attributes such as the business unit, title and projects an employee is assigned to.

Using that information, the system applies the appropriate IT profiles, and correct resources can be provisioned for each employee. An IT profile is an associated set of resources and access rights that is particular to a job position. This also lets nontechnical, business-focused employees be intimately involved in the provisioning process rather than relying on IT to manage the entire system.

Business Layers' architecture lets many types of systems be integrated into the provisioning process--far more than the PeopleSoft, Novell 5, Windows NT and Lotus Domino systems Stuff4U targeted. EProvision can be deployed with or without agents, depending on the systems being integrated. For legacy systems that store access rights in a relational database, eProvision can use ODBC and JDBC connectivity to poll the database and reconcile resource information. This is a common management method--all the solutions reviewed provide support for ODBC, JDBC and LDAP-based resource management. EProvision also offers XML and flat-file feeds to ensure easy integration with almost any custom application.

EProvision's self-service features let you request additional resources, and reset and synchronize passwords. The password reset feature includes challenge/response queries, which the administrator can configure. Employees must answer these questions correctly before resetting their passwords.

Unlike the competition, Business Layers' solution supports the concept of projects and teams as part of the business process. You use projects for one-time changes to one or more employees--such as migration from one system to another or a physical move between buildings. Teams are more long-lived and can be configured to provision additional assets and resources while the team is in place. When the team is disbanded, all assets and resources associated with that team are then revoked.

We have only one complaint about Business Layers' outstanding solution: It can be deployed only on a Windows 2000 platform. Waveset and Access360, also Web-based solutions, as well as the Web-based interface to Novell's solution, support more platforms, including Linux and Sun Microsystems Solaris. Business Layers is planning additional platform support for future revisions.

Business Layers priced our scenario based on a server fee and a license fee based on managed accounts. With 5,000 users on each of Stuff4U's four target systems, the company quoted a price of $237,500. Three types of server licenses are available: single site, single server; single site, multiple server; and enterprise site. The vendor also offers two maintenance programs: standard support and expanded 24x7 support.

eProvision Software 3.0, Business Layers, (201) 291-8999, (877) 5-LAYERS (552-9377). www.businesslayers.com

Waveset Technologies Lighthouse 2.0

With a large number of production systems, we needed a nonintrusive provisioning solution. Waveset Technologies' Lighthouse 2.0 fills that bill. This technology is truly agentless and employs a flexible, J2EE architecture. The product's unique metadata storage approach, which stores limited authentication information centrally rather than replicating it locally, saved storage space, but we were concerned about synchronization efforts and the implications for a truly distributed deployment model. We also were more impressed with the escalation procedures found in the offerings from Business Layers and Access360.

Lighthouse 2.0 has an abundance of deployment platform choices. Although it has flexible, role-based functionality, it also provides for enterprises that are not yet ready to migrate to a completely role-based solution, such as Access360's product. Waveset's solution, like the rest of the competitors, can import account and resource information from managed systems to reduce the time to implementation.

Like Novell's Identity Provisioning for Employees, Lighthouse offers mapping features that can match accounts from disparate systems to a single identity automatically, based on information garnered from attributes. Given employee John Smith with a social security number of 123-45-6789 and a distinct phone number, for example, both systems can try to match accounts to a single employee identity. For accounts that cannot be mapped automatically because of differences in name-space policies, the admin can assign the accounts to an employee. Lighthouse also lets employees identify accounts manually, by specifying the location of the account and entering the correct user name and password, something its competitors don't do.

With its agentless architectural model, Lighthouse also offers gateways in situations where secure protocols are not available for remote resource management, such as Microsoft Active Directory Services (ADS). These gateways are remote agents that can be deployed on servers and can manage multiple ADS installations.

Waveset quoted a $450,000 list price for the Stuff4U rollout and offers a 30-day money-back guarantee program for up to 5,000 users.

Lighthouse 2.0, Waveset Technologies, (512) 338-1818, (866)-WAVESET. www.waveset.com

Access360 enRole 4.2

Another completely Web-based solution, Access360's enRole 4.2 has excellent integrated workflow tools. The drag-and-drop interface is easy to understand and manipulate, making the creation of an approval process a breeze. But at $600,000, this product was too rich for our blood.

All four vendors indicated that their products could interface with existing workflow products; Waveset adheres to the workflow interoperability standards established by the Workflow Management Consortium.

EnRole lets you configure teams and groups for integration into the approval process, as does Business Layers' eProvision. EnRole requires an agent to communicate with every system, but like Novell's and Business Layers' products, does not require that the agent reside on the managed system. This is important because it is often neither desirable nor feasible to install an agent on the managed system.

The downside to employing an agent that resides on the provisioning server to manage a remote host is that security is often compromised. Access360 uses PKI X.509 certificates between server and remote agents, but this security measure is lost when deploying server-side agents as opposed to remote agents. Waveset uses PKCS5 cell padding, 168-bit 3DES encryption and full CHAP-like bidirectional authentication. Novell says it does encrypt data but did not describe its methods, and Business Layers uses either SSL or SSH.

enRole 4.2, Access360, (949) 255-3100, (877) 742-6400. www.access360.com

Novell Identity Provisioning for Employees

Novell Identity Provisioning for Employees is perhaps the most flexible of the systems we reviewed, but the solution requires the use of XSLT (Extensible Stylesheet Language Transformations) and would have taken too long to implement. Because it would be necessary to write the transformations by hand, the training time would be greater with the Novell solution than the other products.

As our remote sites are retail stores with a high level of turnover, we liked having the flexibility to fully manage remote sites as independent entities with only minimal attribute flow between each site and headquarters.

Novell's distributed architecture and granularity of control would have served our scenario well in this respect. Not only does the product allow for distributed LDAP trees, but each tree can be managed individually while the solution manages only the configured pieces of the system. This architecture beats Business Layers' and Access360's centralized storage models.

Novell's Identity Provisioning for Employees is based on its eDirectory and DirXML products, and can be deployed on Windows 2000/NT, Linux, AIX and NetWare. We liked the flexibility of deployment options.

Unfortunately, Novell's solution is missing password self-service and reporting features, so we took it out of the running for Stuff4U. We were also looking for an easy-to-use workflow process. While Novell's use of XSLT provided the highest level of flexibility, this approach would hamper implementation because nontechnical business users must be involved. We were impressed with Novell's honesty. For example, only Novell admitted that some business-process change might be necessary at some point.

Novell Identity Provisioning for Employees costs $35 per user for a Phase 1 implementation. For our scenario, 5,000 users on four target systems, Novell put the price at $175,000. Although the price is lowest, that factor could not make up for the product's lack of password self-service.

Identity Provisioning for Employees, Novell, (801) 861-7000, (800) 453-1267. www.novell.com

Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at [email protected].

Stuff4U, our fictional retail chain, operates 80 stores across the United States. The company employs more than 5,000 people, including 1,000 at the home office. Each store is connected to the home office through T1. All data and applications are at headquarters, whose network is a 10-/100-Mbps LAN, with separate segments for each department.

Stuff4U needs a complete employee provisioning solution. The company's management is concerned with physical and logical security, so Stuff4U recently added electronic access requirements to the departments at headquarters. Logically, the organization needs to provide provisioning, employee life-cycle tracking and revoking across multiple disparate systems for all employees from a single solution.

The Stuff4U chain uses the following systems:

• PeopleSoft human resources system (Microsoft Windows 2000)

• Elevon (formerly Walker Interactive Systems) financials (IBM ES9000, OS/390)

• Legacy inventory and supplier feeds (IBM ES9000, OS/390)

• Check Point firewall (Windows NT 4.0)

• Novell 5.0 NDS for file sharing and printing services

• Windows NT Directory Services

• Sun Solaris 8.0

• Netscape Directory Server intranet

• Helpdesk

• Netscape extranet servers

• Windows 98 SE corporate desktop

• Lotus Domino

• AT&T WorldNet and Nokia VPN dial-up remote access

• Facilities management

• Physical security (electronic badge)

We invited Access360, Business Layers, Novell and Waveset Technologies to provide a solution for our fictitious retail store, Stuff4U, an 80-unit chain with 5,000 employees (see "RFI Scenario: Stuff4U"). We sent off a comprehensive RFI and asked the participants to bring samples of their solutions to our Real-World Labs® in Green Bay, Wis. All the vendors agreed to this.

The responses to our questionnaire are below in PDF format:

