The Securities and Exchange Commission requires companies to document and test IT controls, including access to programs and data, as part of their compliance with the Sarbanes-Oxley Act. That's created a need for software to track who has access to enterprise-wide apps, says Sara Gates, Sun's VP of identity management.
Identity Auditor scans for policy violations such as unauthorized access-control changes and sends alerts to system event-management software such as Symantec's Security Management System.
A distinguishing feature of the Sun product is its ability to define business rules for granting access privileges for enterprise systems such as human resources, payroll, and accounting applications. "It automates what security administrators have been doing for a long time," says Roberta Witty, an analyst at Gartner. She says those rules help maintain "separation of duties"--for example, prohibiting an individual from both submitting and approving an expense report.