Are there going to be Role Management Tools?
My company is going to use Oracle Identity Management (OIM) and Oracle Role Management (ORM) instead of FIM. The main reason that they are leaning towards the Oracle solutions is because of ORM. Does the new FIM have any Role Management UIs where a user can request Roles and have it go through a workflow for Role approval?
February 8th, 2010 8:25pm
For me, a role is essentially a group. What you then do with that group is up to you - i.e. one role may translate to complementary group memberships in a number of different systems and applications. The flexibility of FIM is that the groundwork is laid for you to configure it any way you want. No, there is no inbuilt object type called "Role", but by following the standard schema-modification methods you can set up your Role object type in any way that suits you. The workflow elements for approvals are all there for you to construct your approvals in the way you need. You could in fact just replicate most of the schema, workflows and MPRs that are already configured, out-of-the-box for groups. You have to look at FIM as more of a toolbox with which you can build a customised identity solution. Unfortunately this scares a lot of people off, and they want to see a whole lot of pre-built GUIs - not understanding that pre-built means it will be restricted in its flexibility, and you'll just end up with yet another product that answers only part of the problem. Thanks, my 2c anyway!
http://www.wapshere.com/missmiis
February 8th, 2010 8:48pm
We have about 20,000 employees that we are going to be provisioning accounts to many different systems so we weren't looking to roll our own interface. We are looking for more of an Enterprise solution.
February 9th, 2010 12:12am
Omada is working on an RBAC add-on to FIM (http://www.omada.net/Role-Engine---RBAC-144.aspx). They already have one based on ILM...
Eric
February 10th, 2010 4:20pm
We have about 20,000 employees that we are going to be provisioning accounts to many different systems so we weren't looking to roll our own interface. We are looking for more of an Enterprise solution.
You have to look at the consequences of your actions - to solve the "we weren't looking to roll our own interface" issue you are, in fact, having to deploy an entirely new directory (OID, which you may already have), and adapt applications to work against the Oracle authorization model which, in my opinion, is far more customization at the app level than adapting some processes in FIM. I've seen two customers recently adopt an OIM approach only to regret it a year later when they fully realized the overall cost and effort in entirely reforming their application authentication and authorization strategy - all in the holy quest for "roles". I think Carol expresses the problem very neatly, just because Microsoft doesn't call it a "Role" frightens people off into thinking they need an expensive solution. Roles in FIM can be expressed as Owner Approval Groups without the need for any schema modification or customization - everything is there out of the box to create, manage, and attest to membership in the "Role".
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
February 12th, 2010 2:39am
Omada is working on an RBAC add-on to FIM (http://www.omada.net/Role-Engine---RBAC-144.aspx). They already have one based on ILM...
Eric
My understanding of the ILM implementation exposed a very nasty architecture incompatibility that required you to do some expensive processing when translating the user based Role to the Group based approach that ILM/AD uses. I hope they have fixed this in their new product.
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
February 12th, 2010 2:41am
We have about 20,000 employees that we are going to be provisioning accounts to many different systems so we weren't looking to roll our own interface. We are looking for more of an Enterprise solution.
One more comment - I've personally used ILM (the precursor to FIM) to drive provisioning of over 300k accounts into multiple systems. That was with a 6 million object metaverse and a single data source including over 2.7 million objects, so rest assured, it IS an enterprise product. I also know that other people on this forum have dealt with even larger implementations. 20k accounts across multiple systems is cake.
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
February 12th, 2010 2:44am


