www.esecurityplanet.com/prodser/article.php/1364781

Waveset Adds Automation To Identity Management Tool
By Paul Desmond
June 12, 2002

Waveset Technologies on Monday announced a new version of its identity management product that allows for more granular policy implementation and offers a number of features intended to automate routine updates and identify changes that have security implications.

Lighthouse V2 uses a role-based provisioning model to manage user access privileges to various enterprise systems and applications. Waveset touts its agent-less approach to identity management as a differentiator, noting that it takes advantage of existing protocols such as LDAP and JDBC to communicate with various systems instead of installing software on each one. The agent approach doesn't scale in a network with thousands of systems, says Sara Gates, director of product marketing for Waveset, based in Austin, Texas.

Among the new features in version 2 of Lighthouse is a rule-based provisioning system that allows users to build access control rules around applications that define which groups or individuals can access them. Previous versions focus mainly on role-based provisioning, meaning everyone in the marketing department, for example, can access a certain set of applications. That falls down in practice, such as in a health care environment where only certain individuals should have access to various patient records.

"It's pie in the sky thinking to say all I need is 45 roles for my 50,000-person organization," says Mark McClain, Waveset's president and co-founder. Lighthouse uses a series of if-then statements to get around the problem, such as if you are a physician and if you have clearance to access mental health records, you can see those records.

A new automation engine in version 2 automates workflow-driven approval and provisioning steps, using email and Web links. Coupled with a new auto-detection facility, the engine can save users money by offloading numerous routine tasks from support personnel while at the same time improving security.

Easing The IT Burden

The auto-detection facility can detect changes in enterprise applications such as PeopleSoft and Active Directory and kick off a series of resulting routines. If a new user is added to PeopleSoft, for example, Lighthouse can send off a series of emails to get the approvals required to establish a new email account.

"Thousands of these changes happen each day," Gates says. "It's a tremendous burden lifted off the IT group."

Auto-detection can also improve security, since the facility can detect changes made to individual systems. If a Unix administrator, for example, gives his friend in sales access to an accounting application, that will be reported to the appropriate administrator for approval or rejection.

Also new in version 2 is a smart forms facility, a Web interface meant to simplify the provisioning process such that administration can be pushed further out in the organization.

Pricing for Lighthouse starts in the $200,000 to $300,000 range; the average implementation price is close to $500,000. Waveset is offering a guaranteed no-cost upgrade, on the strength of built-in automation facilities meant to ease the upgrade process. Waveset says it will take care of any professional services required to upgrade from version 1 to version 2.