MIM/Saviynt: Is it “AND” or “OR”?
(Spoiler Alert: it’s “AND”)
As Saviynt’s only Microsoft-focused partner, we are often asked questions about MIM and Saviynt as our clients try to figure out if one replaces the other, or if the two technologies work well together. The questions include:
- “I’ve got MIM, and I need some identity governance. Saviynt seems to have a lot to offer – so is it a replacement for MIM?”
- “I want better identity lifecycle management, which I think MIM could do – but I’m also under pressure to deliver better identity governance, which I think Saviynt can do. Do I need both?”
- “We have spent years sorting out MIM so that it talks to all our key systems. I want what Saviynt has to offer, but can I use the plumbing I already have?”
These are great questions, and in this blog I will answer them – but first, let’s back up a little.
Identity, security, and governance
We at Oxford Computer Group (OCG) have been Microsoft identity specialists for many years. We have built identity lifecycle (automation) solutions for hundreds of organizations – streamlining their IT operations – but we also believe that identity is at the heart of security and governance.
There is a place where security, governance, and IT operations overlap, and that’s where identity sits. And none of these areas can function properly without automated identity lifecycle management.
What is MIM good at?
Microsoft Identity Manager (MIM) is great at combining multiple sources of truth (such as multiple HR systems that need to be merged and de-conflicted, or simply to co-exist), and then handling complex provisioning, de-provisioning and synchronization requirements. In this diagram note that Azure AD Connect is really just a special version of MIM:
MIM has the extensibility and flexibility to deal with:
- Multi-domain/multi-forest AD scenarios
- Complex data precedence
- Data provided by systems without formal APIs or delta capability
- Complex attribute mappings (including mapping international character sets)
- Complex joining requirements
- Complex joiner/leaver/transfer processes
- Unique value (name) generation, and data validation and clean-up.
As if that isn’t enough, MIM also offers self-service password reset, synchronization of passwords, lifecycle workflows, identity self-service, and simple group management. It is flexible enough that it can be configured to handle some governance requirements, but that is not its focus.
Many of our customers find MIM is already already bundled into their existing Microsoft licenses, and some customers have saved money by not renewing third party licenses.
What does Saviynt bring to the party?
Identity governance is a broad category. In the past we have seen systems (for example, BHOLD, which is actually part of MIM) that offer Role Based Access Control (RBAC), attestation/certification of permissions and/or roles, and simple analytics. Saviynt does all this, but it also does so much more.
Saviynt focuses on governance analytics and the management of fine-grained permissions, using risk-aware machine learning logic in complex line-of-business applications. It has major compliance frameworks built-in. This means that it can compare actual permissions with – for example – segregation of duty rules, and provide risk and compliance scores.
Saviynt can connect to a wide range of systems in order to manage permissions (in the form of groups, roles, or whatever). It can also handle some identity lifecycle requirements, but that is not the area of focus.
Putting the two together
Saviynt is acknowledged to be outstanding at its home game, just as MIM is outstanding at its home game. MIM and Saviynt each have their parts to play, and together they are very powerful.
There is not a one-size-fits-all architecture. It is clear that there is some overlap of capabilities; in particular, whether to connect MIM and Saviynt, just MIM, or just Saviynt to a given system. Such matters can only be resolved during formal requirements gathering, but this diagram captures the general idea:
MIM provides an aggregated source of truth for identity and some useful plumbing. Saviynt manages all the governance requirements – feeding back entitlement information where required – in the most effective manner.
MIM and Saviynt: a “better together” story
Saviynt is not a replacement for MIM. There is some overlap and there may be edge cases where one of them can do the whole job – but in the vast majority of cases, this is a “better together” story.
If you already have a MIM implementation, it will make a Saviynt implementation go more smoothly. If you have neither, you will almost certainly need both for a comprehensive identity solution. But every implementation needs analyzing and optimizing: minimizing duplication and cost, while maximizing effectiveness and efficiency.
Find out more about MIM and Saviynt with this webinar recording.
Oxford Computer Group has long been one of Microsoft’s leading identity and security partners. We’re also an award-winning Saviynt partner.
Want to know more about how Saviynt can help your organization? Contact Us.