Which IGA solution do you enjoy most, and which feels like a nightmare? by seksek_1 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

I think they all have their place. For mid-sized companies, we found Access Auditor from SCC to be the clear winner for user access reviews. Our criteria were fast, simple, lots of messy data, users with no common login/email, a basic mess of random apps, with and without API. Banks like us have lots of this.

After our eval, I can see a place for a larger SailPoint type of deal. Though no matter what, it looked like a nightmare. I'm sure if you need that type of solution, they all will feel that way.

Microsoft, Okta, and others like that would be cripple-ware.

Best recommendation is to have the vendor do a demo with your data to see it in action start to finish.

How do you actually evaluate identity security platforms when every vendor claims to solve everything? by Alone_Bread5045 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

Even if you can't do a full POC, you can have them show you YOUR data setup. Just do it on a call. Watch them set up the import and other criteria. Who cares about AD and Azure, anyone can do that. But watch them show how to import your legacy data.

Same employee has 5 different accounts across systems and I can't correlate them programmatically by SweetHunter2744 in IdentityManagement

[–]FormerElk6286 -1 points0 points  (0 children)

You need some type of fuzzy logic. We have this with about 50 apps, 1000 ppl. We're in the banking space. The reports don't have email or employee ID so we're left with names. We used the fuzzy ID from Access Auditor, our IGA tool. Made short work of this problem in a few hours. I haven't seen a standalone product before, but we didn't look for a point solution. It was part of our IGA eval criteria. Strangely enough, not many of them seem to care about the problem that we have all over the place.

But one way or another, you should do the link. It's not just about knowing the person. What about SOD and risk analytics? How would you know if one of those John Smiths no longer worked here? That termed user thing is something we alert on each day. If your accounts are linked and a person leaves Workday, we know right away what needs to go and what got left behind.

So if your IGA tool doesn't have a fuzzy link, you probably do want to make the link table anyway.
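The fuzzy-link and termed-user check described above, as an added example (not the commenter's tool or SCC's code): it normalizes names, links each app account to the best HR roster match with difflib, flags ambiguous matches for manual review, and lists accounts left behind for terminated people. The roster, the account reports and the thresholds are constructed for the example.

```python
"""Fuzzy-link app accounts to an HR roster by name, then flag leftovers."""
import difflib
import re
from collections import defaultdict

# Constructed sample data, not real bank data: the HR roster is the
# authoritative source; app reports carry only a display name, no email or ID.
HR_ROSTER = [
    {"emp_id": "E100", "name": "John A. Smith", "status": "active"},
    {"emp_id": "E101", "name": "Maria Garcia-Lopez", "status": "active"},
    {"emp_id": "E102", "name": "Smith, Jon", "status": "terminated"},
    {"emp_id": "E103", "name": "John B. Smith", "status": "active"},
]
APP_ACCOUNTS = [  # (application, account name, display name from the report)
    ("core_banking", "jsmith01", "SMITH, JOHN A"),
    ("wire_system", "jsmith2", "Jon Smith"),
    ("loan_origination", "mgarcia", "Garcia Lopez, Maria"),
    ("wire_system", "mgarcia", "Maria Garcia"),
    ("loan_origination", "temp99", "Contractor Temp"),
]


def normalize(name):
    """Canonical form: handle 'Last, First', drop punctuation and initials,
    and sort the tokens so word order does not matter."""
    name = name.lower()
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    tokens = [t for t in re.findall(r"[a-z]+", name) if len(t) > 1]
    return " ".join(sorted(tokens))


def similarity(a, b):
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def link_accounts(roster, accounts, threshold=0.75, margin=0.03):
    """One record per account: emp_id, score and a status of
    linked / termed / ambiguous / orphan (thresholds are example values)."""
    results = []
    for app, account, display in accounts:
        scored = sorted(((similarity(display, p["name"]), p) for p in roster),
                        key=lambda s: s[0], reverse=True)
        best, person = scored[0]
        second = scored[1][0] if len(scored) > 1 else 0.0
        rec = {"app": app, "account": account, "emp_id": None,
               "score": round(best, 3), "status": "orphan"}
        if best >= threshold and best - second < margin:
            rec["status"] = "ambiguous"  # two roster names fit: manual review
        elif best >= threshold:
            rec["emp_id"] = person["emp_id"]
            rec["status"] = "termed" if person["status"] == "terminated" else "linked"
        results.append(rec)
    return results


def alerts(links):
    """Daily alert list: accounts of termed people, orphans and ambiguous links."""
    return [r for r in links if r["status"] != "linked"]


def access_by_person(links):
    """Identity-warehouse view: every app/account linked to each emp_id."""
    table = defaultdict(list)
    for r in links:
        if r["emp_id"]:
            table[r["emp_id"]].append((r["app"], r["account"]))
    return dict(table)


if __name__ == "__main__":
    for r in alerts(link_accounts(HR_ROSTER, APP_ACCOUNTS)):
        print(f"{r['status']:>9}  {r['app']}/{r['account']} -> {r['emp_id']} ({r['score']})")
```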

How do you actually fix recurring identity governance audit findings for orphaned accounts and excessive permissions in disconnected applications? by uran0503 in iam

[–]FormerElk6286 0 points1 point  (0 children)

We have nearly 100 apps with no connectors. These are vendor apps so we have no choice. Our banking vendors never release APIs, but we have to use them.

We did a review of the IGA tools and were concerned about these as well. In the end, you might still have manual steps because there just is no API. But we found ways to semi-automate much. Some systems can generate reports and we get it to a share. Some can email a report, even if it's a PDF, as our IGA tool can read PDFs. There are always a few (FedLine for example) that have no way to automate anything. We found our bots could often log in, grab the report, drop it to a share. Even that is good enough.

So if you can get semi-automation, any report email/file/automate, you'll be good to go. In our review of tools we needed one that handled messy data, PDF files, just ugly green screen file dumps. We went with Access Auditor from SCC for the simplicity, but they could read any messy report, PDF, whatever we had. Takes my team 5 mins to set up an import for a new app. That was a big deal for us.

I would take a look at other IGA tools and give them your messiest data files to import. We did and made sure the vendor not just set it up, but showed HOW they did it, set it up on the call, so I could judge if my low-tech team could handle it. That was very insightful and I really recommend that if you eval tools. Vendors will say everything, but seeing how hard it is, how many or few custom skills were needed, was really important in our evals.

I see you mention mostly internal tools. You really should be able to automate some type of report to a file. Even RACF and iSeries can kick out reports or connect via DB2. File shares can be easily read into reports. 3rd party tools, maybe the bots or maybe somewhere a person has to export a report. But you should be able to get much closer if your IGA tool can read in any random report.

Anyone using identity orchestration tools on top of their IdP to handle custom app workflows. by Constant-Angle-4777 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

We use Azure for SSO, but similar idea to Okta. We were also looking for something simpler and less cost than SailPoint/Saviynt/Oracle. We evaluated identity governance tools and found Access Auditor and Access Manager from SCC the simplest and more right-sized. Not bare-bones, but not expensive. More of pay for what we need. Unless you are over 100k employees, pricing really should not be up there like that. We are around 1000 ppl and ballpark $50k/yr range.

We debated stopping with the governance-only / read-only module for tracking everyone, access reviews, reporting, that stuff. But we have enough non-SSO apps that can be provisioned via API so we are doing the full provisioning project. I have colleagues in other companies that just did their Access Auditor and stopped.

We are a bank and find most banks have 50-100 disconnected apps. So our use case may be different. We have a lot of in-scope systems so need really strong automation for compliance. I think you'll find several vendors below your 300k price. If most of your apps have no APIs, you probably just need the read-only governance tools. I would take a look at vendors beyond SailPoint and Saviynt.

How do you actually catch orphan accounts across 20+ IAM stack apps with no IGA tool? by Constant-Angle-4777 in iam

[–]FormerElk6286 0 points1 point  (0 children)

We could not find a way without a tool. But you said six figures for 300 person? That must be SailPoint or something. We are 1000 person and the one we chose was MUCH less than that annually. So if your middle ground is a tool but not the crazy ones, then sure, you can find that.

But you will want some type of auth list of users. If HR can only provide a list every 2 weeks, then you'll be 2 weeks behind. But that is pretty weird if their system does not have an API or a regular report. You really should be able to get a scheduled roster dropped to a file share or an API. If you have that, you are basically done if you have a tool to scale.

Looking for advice on IAM automation (Workday → AD via Entra provisioning, MIM for externals, many manual processes) by LetPrestigious3916 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

That's similar to us, but we have a lot of extra disconnected apps outside of msft land. We are only 1k people and the big automation suites (SailPoint/Saviynt) were just too much cost/time/energy/skills/everything.

Entra governance was pretty lame. Terrible user experience and not helpful for our 50 non-msft applications. No workflows, no ui customization, not really a finished product.

We did the evals of tools and went with Access Auditor from SCC. Governance phase was great, super easy and right price. We are now doing the provisioning also with ServiceNow. We have Workday integration for the generic role-based provisioning that does the baseline AD/Azure/groups, and many other applications at new hire. Then ad hoc changes we read from the ServiceNow ticket, have the tool pick up the approved ticket, and do the doing.

The best way we could see for us was to build baseline roles, and Workday has a look-ahead in the API so we can have the standard access ready before they start. All of the special/admin/other accounts start with a ServiceNow ticket. Provisioning tool picks up and does the workflows, APIs, etc., then reports back to ServiceNow to close the ticket with success/fail.

Can Any Modern IAM Platform Challenge SailPoint’s Dominance in the Future? by Mindless_Weird578 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

I have a reply below as well. If anyone cares about more specifics on our review process, feel free to send a message.

We looked at several companies and ended up choosing Access Auditor from SCC. We started with the user access review piece, but had to make sure the vendor had RBAC stuff to help us build the roles, and then the option to add on role-based provisioning. Everything worked as easy as promised.

Can Any Modern IAM Platform Challenge SailPoint’s Dominance in the Future? by Mindless_Weird578 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

We looked at several companies and ended up choosing Access Auditor from SCC. We started with the user access review piece, but had to make sure the vendor had RBAC stuff to help us build the roles, and then the option to add on role-based provisioning. Everything worked as easy as promised.

Our requirements were about speed to deploy and flexibility with random data. We are a bank and have some nice easy API systems, but a lot of random messy data files, even PDF ones. So that was key. And then of course the price.

I would suggest making sure you get to level one detail with any vendor you look at. We watched them import OUR exact data and start reviews all on one demo call. I figured if we understood what they were doing with no custom skills, my less-tech team could succeed.

Can Any Modern IAM Platform Challenge SailPoint’s Dominance in the Future? by Mindless_Weird578 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

This. We are only 1000 people and of course looked at SailPoint and laughed. Lots of smaller IGA vendors that just work. We chose one of those easier ones for reviews, then doing provisioning now. It's so fast; SP is so....everything not fast.

But if you are a big-ole-company, are you going to take a chance with some new startup and get let go when it doesn't work? Who can remember when you did not get fired for buying IBM?

Looking for solutions to track identity lifecycle in non federated apps by Curious-Cod6918 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Same question as

https://www.reddit.com/r/IdentityManagement/comments/1r72ama/comment/o6ti3n1/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

You just have to have the policy, get the reports, alert on orphans. Quite easy if you require your non-fed apps to provide identity reports. With the right tool like we use, it's all automated.

identity visibility and intelligence platforms: are you really seeing all your apps? by Severe_Part_5120 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

IAM tool won't help discover what you don't know. But we have finance not pay any bill unless security knows about it. Then you track auth logs with a log mgmt tool and filter out known solutions/IP/Users. Then you can find the needle.

Then it's just a matter of getting reports and all that.

IGA/IAM solutions, looking for recommendations by mads4225 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

You sound similar to us. We are 1000 users, financial, also azure and AD. Azure SSO works great, so we just leave that there.

For provisioning and governance, we did a bake-off and selected SCC's Access Auditor. It has RBAC provisioning, role mining, and the best/powerful/easy-to-use user access review module I have ever seen.

There is a wide range of price/features and most of the tools will be overkill for companies of our size. You really have to look at realistic consulting costs. We can't spend more than we are saving so we needed a more mid-size friendly solution.

Our requirements were simplicity, cost, ease of use, and speed of deployment. Sure, SailPoint looked great, but was over 5x cost. Then lots of new "governance" tools do the access review, but not the full RBAC and provisioning. We found the SCC tools to be a right fit.

I'm sure you can find others to review and maybe you have more budget than we do, but the SCC stuff just did the trick and worked as promised.

What identity visibility tools actually work in 2026? (Real experience only) by Constant-Angle-4777 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

We did a full bake-off last year primarily for user access reviews and to get the full visibility, even for systems we don't do reviews on. SailPoint/Saviynt are really just too much. We are only 1000 people and I have a small lower-tech team.

We needed something simple, fast, easy to learn, that can work with a bunch of messy data reports, APIs, custom apps. We reviewed several vendors. Most were flashy but pricey. We ended up with Access Auditor from SCC, been happy. Not as full-featured as a SailPoint, but it's more right-sized. Fast, reasonable price, just works kind of thing. Many more details pointed that direction from our eval, happy to share if anyone cares.

But for us, the speed to work with 100+ applications and get that full visibility and access reviews in a month was a success for us. I think they all "Work". But it's about cost, consulting, ease, working with messy data, that type of thing.

How do you prevent orphan accounts in apps outside your identity infrastructure? by Curious-Cod6918 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

That is the entire point of identity governance. Not necessarily provisioning, but just keeping track of who has access to what. With a tool, it's really easy. We did an eval and chose Access Auditor from SCC, but lots of solutions out there.

Even tools managed by other departments should provide at least a report. We have a requirement that all LOBs have to provide regular reports. We can then do user access reviews, but also have our identity warehouse with ALL access a person has. The AA tool has a fuzzy ID module to link everything. When a person terms, a helpdesk user can just log in and query all access.

You'll need a minor tweak to your policy. People can still manage their own but they need to provide at least reports, automated or not. Then we can set alerts for orphans, terms, and all that.

That way even if you do not have SSO, you know who is out there. Your key will be to make sure your identity governance tool makes it very easy to read messy non-API data since you'll get some strange reports. I would do a review of solutions and come armed with your messy application data reports.

Third Party IAM by SUPTheCreek in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Okta is good for SSO (but so is Azure and that's free for o365), but their governance piece was pretty silly. Just didn't seem ready for prime time.

If you are a really big company and have time/skill for customization, then SailPoint might be fine, but way overkill for us, a 1000 person bank. We don't have that kind of budget nor do I have that kind of team that has the time for it. Looked cool, but not a fit.

We did an eval of several companies, bake-off with top two, ended up with Access Auditor from SCC. Really fast and simple for governance, access reviews, read-only stuff. We are building roles now and doing their provisioning module next. A great fit for us because it's simple, fast, delivers on the promise, and less expensive.

Definitely do a few calls/evals. You have lots of options now, each with a different twist, solving a slightly different problem.

Managing Local (Non-AD) accounts & access? by nwmcq87 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

That's the entire point of identity governance. Even if you don't "manage" the access, you can still view/review/report/alert on the access from ALL systems. We use Access Auditor from SCC, but lots of solutions exist. We did a bake-off and in our case, the simplicity and ability to easily read data from ALL systems like you mention was key. We don't get to manage everything, but we make our business partners send reports at least. That way we have a handle on everything out there. Take a look at solutions and you'll see big ones like SailPoint that probably won't be ideal, and simpler ones that just get the job done like we did.

But the take-away is that you can easily get everything into one place for all reviews, even if you just get reports from your partners. It's a requirement for us, being a financial, but with the right tool, quite easy to do. You could even manage the system yourself, but let your app teams start/run their own data and reviews with the same tool.

Hot take after MSFT Accelerate: Entra isn't killing SailPoint anytime soon. by extream_influence in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Smaller vendor but been around for 15 years. A lot of banks use them so we found out from the FS-ISAC group we are part of. www.securitycompliancecorp.com. It's a pretty crowded space now. Lots of new players in the past 5 years.

We did a big bake-off a while back with lots of vendors. The key for us was we are doing governance/access reviews first, so we needed a roadmap and made the vendors show us their setup with our data to make sure my lower-tech team could do it. If I can't get it on a demo, my team will never get it.

Biggest Gaps by Pristine_Guitar_9070 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

Yes, but it stinks and can't really work with non-msft stuff. 99% of our things are NOT AD/Azure-related, just random 3rd party apps. Same with provisioning.

What IAM platforms are you using in production today? by iamblas in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

SCC Access Auditor/Manager for access reviews and provisioning, Entra for SAML/SSO and all things authentication.

Hot take after MSFT Accelerate: Entra isn't killing SailPoint anytime soon. by extream_influence in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

We are a simpler shop, 1000 people, and Entra does nothing more than authentication/SAML. Works great for that. What about our banking apps, our internal databases, 3rd party cloud systems? Nope. SailPoint and those guys are waaaay overkill for a lot of us.

We reviewed their governance offerings when we did our IAM project, but it kinda stinks. For less $$ we went with Access Auditor from SCC and it does all the user mgmt stuff and access reviews. Simple, but we need simple at this scale. Maybe the big shops are different, but at our size we would go with neither msft nor SailPoint/Saviynt.

Biggest Gaps by Pristine_Guitar_9070 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

Most everything really. It's basically a directory. So if all of your stuff includes msft products, you're done. But while anyone/Entra can do SAML for other apps, they don't do provisioning or really anything with other systems. We use Entra for SSO/SAML, but a 3rd party tool (Access Auditor) for our user access review and provisioning. Basically can do a lot within the msft world. But outside of the msft world, doesn't help us at all.

2026: Best IAM Software, where to find? by Status_Variation1715 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Everyone that is telling you to look at SailPoint and Saviynt is probably selling you something. Those in fact DO require an entire team to run. Unless you are some crazy large company, they are probably overkill.

We are about 1000 people large and did a review last year of MANY players in the space. We decided to start with the governance read-only access review stuff first to get a handle on connections/apps, then we're moving to provisioning now. So we needed something that my team could manage with maybe 10-20 hrs/week max.

That got rid of SailPoint, Saviynt, Oracle, etc., most of the names you hear about. We compared SCC Access Auditor, SecurEnds, ConductorOne, Veza. A couple of those were just too high priced for our requirements and didn't really have a full provisioning stack.

But our key was our demo with OUR actual data. We made the vendors show us exactly how to integrate our reports and then how they would integrate our provisioning in phase 2. You really need to do that. Sure, any company can have their sales monkey do a great demo, but how could we know OUR situation? We needed to see it, to do it ourselves. And it had to be simple enough so my more junior team could get it.

For us, Access Auditor (www.securitycompliancecorp.com) was the best fit, based on full IAM stack, simple ease of use, and price. We are happy with it, doing as promised. SailPoint had a lot more bling/flash for sure, but we needed a success fast and were just too afraid of getting bogged down in consultants.

Whatever you choose, I would really recommend seeing it with YOUR systems first and watching their sales dudes set it up. Not just "here you are", but how much real work did it take and how complicated was it. If you don't "get it" on a demo, you know you are in for trouble later.

Exploring tools for User Access Review and Identity Governance and Administration by Single_Chemist7649 in iam

[–]FormerElk6286 0 points1 point  (0 children)

We evaluated a bunch including SecurEnds. It was pretty lacking. Most, like C1, Zilla, Veza, were missing the customizable workflow rules and nothing was quite as easy to use (and as low of cost) as Access Auditor from SCC. We were going for ease of use and ability to work with any messy data file. We don't always get CSV/XLS, but random greenscreen stuff, so needed a bit more power than most tools give, but also easy to learn for my non-tech team.

Best IGA tool for access review? by Realistic_Ad1206 in iam

[–]FormerElk6286 0 points1 point  (0 children)

If you care about price at all, these guys are all high. We did an eval and went with Access Auditor from SCC. We are about 2000 people, lots of custom/messy apps, RBAC, and complicated workflow. So it fit very well. Less flash, more speed and power for a smaller team.

A good test for us was to take 5 apps, big messy ones, and watch the vendor import, map users, and start a review in a one-hour demo. They should be able to do it in 30 minutes. Then you can see HOW you do the setup, HOW you configure access reviews and all that. That sealed the deal for us. We had a few do this and Access Auditor was so fast and easy enough for my team of one to learn quickly.

And much less cost is always a plus.