This is an open call out to the AD Community asking for folks to comment (or email me) with a list of the Role Based Access Control Products that they are aware of. Specifically tools that do NOT use native AD ACLing but instead perform all access via proxy like can be done with Quest Active Roles Server.
joe
MS has FIM 2010 R2. You create “sets” based on some criteria or a static list of users. Those sets can be assigned permission to edit specific attributes on defined object types. This works from the portal and from powershell with the web service. I’m working on a way to replace NetIQ at our site with this very setup.
EmpowerID provides a sophisticated multi-tiered and polyarchical RBAC model used by large government and banking institutions to provide role-based and attribute-based access control.
http://www.empowerid.com/
Avencis provides Hpliance, an Organization-Based Access Control (OrBAC) solution that addresses the management of complex rights models very easily and efficiently.
NetIQ’s DRA & ADAXES is appears to be pretty similar to ARS in functionality. Since you mentioned ActiveRoles can we assume it is the incumbent being replaced?
Bob
Thanks for the input everyone.
Bob: Current solution is a home brew native very granular Security Group / ACL based RBAC solution. Multiple issues include but are not limited to complexity, token bloat issues in larger environments, fear from folks who don’t want to see all of those ACLs slammed into AD, people who built/supported the project moving on in their careers or being moved, etc.
ARS is mentioned because I have previous experience with it (as you know) and I know it to be cool and powerful but there is overall concern over complexity and cost; especially ongoing licensing / support costs. 😉 I think anything that is proxy based is going to have its own complexity components to it, but it will alleviate a lot of the other issues and is much easier to demo, install into and remove out of environments when the need arises.
joe