To compare Imanami’s GroupID with Microsoft’s Forefront Identity Manager (FIM), it is essential to understand what each is and isn’t.
FIM is an Identity and Access Management suite. It provides policy management, credential management, user management and group management. What it is not is simple or cost effective.
GroupID is purpose-built software to manage Active Directory groups. It provides self service and dynamic group management combined with Active Directory synchronization to enable accurate dynamic groups. It is not a bloated franken-product built upon the infrastructure of MIIS.
Group Management Features
Both products have extensive well thought out group management capabilities. Being built specifically to manage Active Directory groups, GroupID has a more refined and focused feature set. Over 500 enterprise level customers have helped define what needs to be managed in Active Directory groups, including Microsoft itself (see March 2007 press release).
|Self service group management||X||X|
|Workflow on group membership||X||X|
|Workflow on group creation||X||X|
|Multiple group owners||X|
|Dynamic distribution lists||X||X|
|Dynamic security groups||X||X|
|Hierarchical nested groups (dynasties)||X|
|Self service with dynamic groups||X|
|External source dynamic groups||X|
|History of group changes||X|
Imanami’s singular focus on this segment of the market has made GroupID the leader in Active Directory group management. Our customers have driven GroupID to manage groups better than any solution on the market. GroupID does not do everything that FIM does but what it does do, Active Directory group management, it does better.
Complexity & Infrastructure
GroupID’s greatest advantage over FIM is its lack of complexity. GroupID prides itself on being light on the enterprise. The changes it makes to users and groups are stored directly where they are supposed to be: on that object in Active Directory. History and expiration information is stored in SQL, but everything that Active Directory needs to work is stored in the object itself. No intermediary databases or object stores necessary.
Notice how simple the GroupID architecture is.
By way of comparison, from a FIM training class:
From that same presentation, we learned that the underlying synchronization that is the same as ILM 2007, is in reality still MIIS.
What these two diagrams show is that to make a change to a group using FIM, a user will make the change which will be translated into a FIM “object store” which will have a FIM MA move it into the metaverse which will then be synchronized to Active Directory. Conversely, with GroupID, that same user makes a change, the GroupID service account then writes that change to Active Directory.
Price and total cost of ownership
With complexity comes custom coding and consultants. And FIM is complex; in fact one Imanami customer remarked that Microsoft should market a “consultant in a box” to come with every FIM deployment.
Imanami prides itself on being easy to install and administer. Our license to services ratio is about 100 to 1; very few customers need customizations that we cannot do with regular support line help. Customers often don’t need to touch the product once it’s up and running, and that can usually be accomplished in less than a week.
On top of the huge difference in external costs, GroupID’s licensing is less expensive than FIM.
Focus on group management
With Imanami’s focus on group management, GroupID will continue to be innovative and ahead of the market. Simple things like having our multiple group owners being able to understand Exchange 2010’s multiple group owners; dynasties to make your organizational, departmental and geographic groups accurate within 15 mouse clicks of installation; and the ability to track what Exchange distribution lists are being used all come as part of GroupID. We will continue to add features like this and innovate ahead of Microsoft.
All of this being said, there are situations that call for FIM, but if your project needs to be done on time and you have an overworked IT staff and your project scope is Active Directory group management and synchronization, check out GroupID.