EmpowerID Cloud SaaS Pricing
How to Buy EmpowerID’s Industry Leading Software
EmpowerID believes in being transparent around what we do, how we can help you (and we’ll even advise if we can’t), and what your best options are.
EmpowerID is providing flexible and mature IAM capabilities in the cloud, on-premise and in hybrid environments.
From our own point of view, we won’t ever make a major decision without evaluating all aspects of what’s required and, as such, we don’t expect you to either. That’s why we’re always open about our prices and how much each element costs.
For information regarding our on-premise licensing model and pricing, please contact our sales team.
We list all our SaaS licensing and pricing rates below. If you have any questions about this, feel free to contact us and we’ll do our best to answer all your questions.
SaaS Licensing Models
EmpowerID uses 3 pricing models: per person, per admin, and per server.
These are self-explanatory, but it’s important to understand that, within EmpowerID, per person refers to a single human being, and not to the number of accounts any 1 person might have. We’ve seen instances where a person can have as many as 50+ accounts or roles across your organization, but within EmpowerID they’re classed as 1 person for each particular module.
Pricing modules are grouped as follows:
- Per Person Licensing Modules
- Not Per Person Licensing Modules
- Advanced Modules (all advanced modules are currently licensed on a per person basis).
Note: For ease of comparison, all prices are shown on a per month basis.
Full grid listing of modules: A consolidated listing of all modules and their prices is shown at the bottom of the page.
Per Person Licensing Modules
The Cloud Directory is a license for customers where it’s more of a consumer identity. Apps use EmpowerID as a central directory for their apps where users authenticate against EmpowerID, typically via federation. Included in Cloud Directory is identity self-service, where they can edit their EmpowerID Person ID, manage their password, and use it to login to apps.
The Password Management module is for organizations that want users to reset and synchronize their passwords across all systems on which a user has their password, i.e. Active Directory, LDAP, ServiceNow, and any system that is not enabled for SSO. The Password Management module also includes the workflow where helpdesk users can perform assisted helpdesk password resets and unlocks on behalf of users. They can validate the user’s identity, reset their password, and then have that change synchronized across all external systems.
The Group Management module allows EmpowerID to connect to external systems and inventory them. EmpowerID will inventory the groups or app roles from systems such as AD, Azure AD, and SAP, and monitor for changes in memberships. This also allows dedicated admin users to manage these groups (create, manage, delete), and end users to request access to these groups in a self-service manner.
Dynamic Group Management
The Dynamic Group Management module uses the EmpowerID Dynamic Group Engine to create policies based on any attribute in the Identity Warehouse. It dynamically creates groups in external systems, such as ServiceNow, Azure, SAP, etc., and then manages their membership through their entire lifecycle. When no one matches these groups, it retires and deprovisions them. One common example for enterprises is to have email distribution groups for, first, each country, and then a nested group for each city in that country. The engine then populates each group with the users who match both country and city. If the user moves location, the engine would then reassign accordingly. If they later leave, the user is automatically deprovisioned based on your organization’s leave policies. However, if the office itself closed, then the engine would also detect that no one is in that group and act accordingly.
The Lifecycle Management module provides 2 key components. First is the ability to automate the Joiner-Mover-Leaver lifecycle process in Identity Management, and second is Identity Administration (the administration of identities).
EmpowerID inventories out of the box connected systems and pulls in the user account data, as follows:
- Joiner Events—dynamically determines if this account should be a new person identity or not. If so, it provisions that identity, determines which other accounts belong to the same person, and links them together for attribute flow, password synchronization, etc.
- Mover Events—EmpowerID monitors the account identities and detects mover events, such as role, manager, department, etc., and adjusts accordingly.
- Leaver Events—when the user’s contract expires and they leave the organization, EmpowerID detects and dynamically (and gracefully) deprovisions that person’s account.
All of this happens automatically. If your organization has custom HR systems, etc., and needs more than what Lifecycle Management offers, then Advanced Lifecycle Management is what you need.
Advanced Lifecycle Management
If your enterprise requires custom connectors for custom HR systems, or if you desire to develop your own connectors for apps, or you want an HR driven identity lifecycle capability, then you will need EmpowerID’s Advanced Lifecycle Management module. This includes all the custom connectors that you will need, including the SCIM connector framework, and the ability to connect to out of the box HR systems.
Single Sign-On (Includes Basic MFA)
Single Sign-On (SSO) gives you the ability to perform standards-based, federated SSO to applications supporting OAuth, OIDC, SAML, WS-Fed, or WS-Trust. It allows users to log in once and then seamlessly log in to other apps without having to know their username or password. SSO also includes basic Multi-Factor Authentication (MFA) using OATH or Google Authenticator and simple One-Time-Passwords (OTP) delivered by SMS.
Multi Factor Authentication
Multi Factor Authentication is for organizations that are serious about their security. AMFA allows organizations to use advanced adaptive authentication rules to determine and validate a user’s identity and risk score based on their device, IP address, and location. It also allows for advanced multifactor options, such as the EmpowerID Mobile Phone App for push-based approval of multifactor logins, RADIUS server, and Passwordless WebAuthn.
The Recertification module allows you to evaluate the data in the Identity Warehouse and see who has access to what in external systems. From this, you can then schedule and generate audits. In these scheduled audits, access data is snapshotted and generated as recertification tasks for managers of the people or for owners of roles/applications to assess. These managers or owners can view who has access and can then either recertify or revoke access. The former will stamp approval and access will continue; whereas the latter will, first, revoke that access and, second, trigger the fulfilment process where this access will either be manually or auto removed from the external systems.
Risk Management (SoD)
Risk Management (SoD) looks at the access data of who has access to what and allows organizations to define policies specifying which combinations of access produce a risk to the organization. Such risks should be detected and prevented. Two ways in which SoD works are:
- SoD detects existing violations from inventoried data and generates violation tasks for the risk owners to mitigate or accept or revoke this risk. When EmpowerID initially inventories your system, it will detect existing SoD risks, such as purchase/authorize rights being assigned to the same user.
- SoD prevents violation of risk when users are requesting access in the IT shopping cart, i.e. if a user has purchase rights in your organization, then SoD will prevent them from requesting/being granted the entitlements to authorize such purchases.
In such cases, risks will be flagged, and violation tasks generated. Owners can then either approve and accept/mitigate or deny and revoke these risks.
Advanced Risk Management (ASoD)
Advanced Risk Management (ASoD) is for those organizations that use SAP or other systems where they need to go below the group or application role level. It allows you to drill down into fine-grained permissions, such as SAP TCodes, and to base policies on these fine-grained, lower, transactional levels rather than on the coarse-grained, higher, group and role levels.
Policy-Based Access Control Engine
The Policy-Based Access Control (PBAC) Engine is for apps that require an external authorization source. This is where authorization/permissions are managed in a central system. In such cases, the application asks the centralized system what the person has access to in this particular app and whether they can do what they’re attempting to do. For applications that don’t support this, the API Gateway can enforce this policy-based access control decision on their behalf. It does so by intercepting requests, asking the engine if the user has access to the resource they’re requesting, and then enforcing the decision.
SharePoint Online Access Management
The SharePoint Online Access Management module includes the ability to connect to SharePoint online tenants and Office 365. It allows the inventorying of site collections, sites, SharePoint groups, and the permissions of who has access to what resources across the Cloud SharePoint infrastructure. Via business policies, it also automates the granting and revoking of any access to this environment, provisioning of new sites based on workflow requests, and recertifying who has access to what.
File Share Access Management
With the File Share Access Management module, you can connect to Windows servers and inventory the shared folders. It does not inventory below the shared folders level. For the shared folders level, this module returns all the shared folders and the permissions of which users and groups have access and the permissions they have for recertification and reporting. It also includes the ability to provision new shared folders—including Home folders—and the ability for users to request access to shared folders and, via your own provisioning policy rules, to automate shared folder access.
The Role Mining module leverages the Identity Warehouse data of who has access to what. This includes all entitlements in every connected system or from any system from which you wish to upload information. It also allows your organization to create campaigns to snapshot this data (including user attributes), and to analyze this data using machine-learning algorithms to determine clusters of access. It does this by looking at the existing access in your environment and then generating clusters of people based on their current attributes and common access. After analysis, these will be the implicit roles that are currently present in your organization. This process speeds up the entire recertification process by allowing us to convert exception-based access into role-managed access. In addition to automating this role-based access, it helps your organization to understand why your people have the current access and roles that they do. One major benefit is that you can use this information to enhance your Joiner-Mover-Leaver (JML) processes and policies. Another is that it permits you to reduce the number of recertification tasks for your managers. Role Mining also includes two analytical models. The first is our bottom-up machine-learning analytical model, which examines your business roles. The second, which is unique to EmpowerID (it’s our own model, and you will not find this process anywhere else), is our top-down analytical model, which looks at your organization’s existing structures of roles and locations. These can come from SAP, HR, or other HR systems and, together, they map your entitlements to this structure to optimize ‘down the tree’; those entitlements that are not analyzed ‘down the tree’ can then be analyzed with the bottom-up approach.
Not Per Person Licensing Modules
The Password Vault module provides the ability to vault/store privileged usernames and passwords and to allow admin users to check them out. This includes setting a start to an end time, to see and have the username and password revealed, and have the system check it in at the appropriate time.
You can also:
- Have check-in scramble the credential to a new password, so that no one knows that password.
- Set vaulted credentials to change on a rotation basis on all systems automatically, e.g. at 3 am every morning.
Privileged Session Management
The Privileged Session Management module gives you the ability to vault credentials and then associate them with either Windows or Linux computers. The credentials required to access these computers are never revealed to administrators and when checked out, an RDP session with these credentials is initiated. The admin user is then logged in and the start/end times are logged. In addition, these sessions can be recorded and/or monitored real-time, for training, termination, or other purposes.
Computer Identity Management
The Computer Identity Management module allows management of local identities on Windows and Linux servers. CIM can connect to each server, inventory local users and groups, and manage them in the same way as AD or LDAP users and groups, i.e. create/delete, automating membership, temporary access grants, etc. In addition, with Windows servers you can inventory Windows services and IIS app pools and the identities each of them is using. These can then be managed and linked to vaulted credentials, and their hidden passwords can be set to update on a rotation basis.
The Virtual Directory (LDAP) module exposes all connected systems as a single LDAP directory. All LDAP-supporting applications can point to this virtual directory and use a single username and password—in any system—to authenticate the user. Also, groups from any system can control authorization in the app, so you no longer need to synchronize or provision these systems. Users can log in using any person credential username and password, an AD username and password, or any system connected to EmpowerID.
In addition, EmpowerID can enforce multifactor authentication, as well as translate LDAP requests, such as user creation or add to group, into workflows and then fulfil these requests.
The Application Gateway is placed in front of all apps and APIs to intercept all requests and evaluate all EmpowerID RBAC, ABAC, or PBAC authorization policies to determine if the user is allowed access to the page or API under the current conditions. This module can also enforce Multi-Factor Authentication for access, additional login, as well as enforcing OIDC Federated SSO for any application, including legacy apps that don’t support this on their own.
The Application Gateway is built on Kong, which is a best of breed, lightweight, microservices API gateway and Reverse Proxy, and provides many additional benefits.
Consolidated List of Modules
Below is a consolidated list of the above modules:
| Modules - Per Person Licensing | Description | $/Month | $/Year |
|---|---|---|---|
| Cloud Directory (Required) | EmpowerID Cloud Person Identity | $2.00 | $24.00 |
| Password Management | End user and helpdesk password reset | $3.00 | $36.00 |
| Group Management | Group self-service and admin | $4.00 | $48.00 |
| Dynamic Group Management | Our Dynamic Hierarchies data-driven groups engine | $4.00 | $48.00 |
| Lifecycle Management | Out of the box connectors only (No HR) | $3.00 | $36.00 |
| Advanced Lifecycle Management | Includes HR-driven lifecycle and the ability to use SCIM connector framework for custom connectors | $6.00 | $72.00 |
| Single Sign-On (Includes Basic MFA) | Basic MFA includes OATH and OTP | $3.00 | $36.00 |
| Multi-Factor Authentication | Includes EmpowerID Mobile Phone App | $4.00 | $48.00 |
| Access Recertification | Audits and Recertification of access | $3.00 | $36.00 |
| Risk Management (SoD) | SoD policies at the role and group level | $3.00 | $36.00 |
| Advanced Risk Management (ASoD) | Advanced fine-grained SoD at permissions level for SAP and other systems | $8.00 | $96.00 |
| Policy-Based Access Control (PBAC) Engine | External authorization engine based on RBAC/ABAC hybrid PBAC to act as a Policy Decision Point (PDP) | $4.00 | $48.00 |
| SharePoint Online Access Management | Inventory and manage SharePoint Online sites and groups | $4.00 | $48.00 |
| Role Mining | Analytical Role Discovery and Optimization | $4.00 | $48.00 |

| Modules - Not Per Person Licensing | Description | $/Month | $/Year |
|---|---|---|---|
| Password Vault (Per Admin) | Password vaulting check-out/check-in | $10.00 | $120.00 |
| Privileged Session Management (Per Admin) | LDAP virtual directory for apps to use for authentication and authorization | $10.00 | $120.00 |
| Computer Identity Management (Per Server) | Management of local Windows Server or Linux server users and groups | $10.00 | $120.00 |
| Virtual Directory (LDAP) (Per Person) | LDAP virtual directory for apps to use for authentication and authorization | $6.00 | $72.00 |
| Application Gateway (Per Person) | On-premise API Gateway/Reverse Proxy to protect web apps and APIs (SSO and Access) | $6.00 | $72.00 |
| Azure License Manager | Policy-based management and reporting of Azure licenses. Licensed per Azure AD licensed user object. | $2.00 | $24.00 |
| Azure RBAC Manager | Inventory, management and reporting of Azure RBAC. Licensed per Azure AD user object. | $4.00 | $48.00 |
| Azure Identity Manager | Delegated Admin and self-service for Azure identities | $3.00 | $36.00 |
We do realize that there’s a lot to get through and absorb here. However, that’s what we’re here for. If you have any questions or queries about the services or software that we provide then please get in touch.
We’re happy to answer each and every question that you have and look forward to hearing from you and being of service to you.