NetIQ Identity Governance lineage
Two decades of regulated-IAM deployment. Established case law in financial services, government, and Fortune 500 SOX programs.
OpenText • Identity and access management
OpenText Identity Governance
OpenText Identity Governance carries the NetIQ Identity Governance lineage with access reviews, segregation-of-duties enforcement, and audit-ready entitlement reporting for SOX-aligned and regulated identity programs.
Through Merito, Identity Governance gets configured for the customer's quarterly or annual access-review cadence, SOD rules authored against SAP, Oracle EBS, and PeopleSoft entitlements, and the whole governance loop paired with NetIQ Identity Manager so rejected entitlements actually get removed.
- Best for
- Compliance and audit leaders running SOX section 404 controls, IAM leaders running quarterly or annual access-review cycles, Identity governance architects designing SOD policy
- Hosting
- Hybrid
- Time to value
- First access-review cycle live in four to eight weeks. SOD enforcement on regulated apps live in eight to twelve weeks. Enterprise rollout typically runs six to twelve months.
- Security posture
- GDPR, HIPAA-aligned design, PCI DSS-aligned design
- Last reviewed
- 2026-04-26
What it is
OpenText Identity Governance in the enterprise stack
OpenText Identity Governance carries the NetIQ Identity Governance lineage (formerly NetIQ Aegis). It is the access-review and SOD-enforcement product inside the OpenText IAM line, designed for SOX-aligned and regulated identity programs that require recurring entitlement attestation, audit-ready reporting, and segregation-of-duties analysis. The product reads from identity stores (NetIQ Identity Manager, AD, LDAP, HR systems), runs scheduled access-review cycles, and surfaces SOD violations across the entitlement landscape.
Access reviews are the load-bearing capability for SOX programs. Public companies subject to SOX section 404 controls run quarterly or annual access reviews on financially material applications, and auditors expect documented evidence that managers attested to direct reports' access. Identity Governance handles the review cadence, the manager workflow, the rejection-and-remediation loop, and the audit-evidence packaging. Programs running ad-hoc spreadsheet-based reviews struggle to scale and routinely fail audit on documentation gaps.
SOD enforcement is the second capability that pays back on regulated programs. Toxic combinations of access (employee can both create vendors and approve payments, employee can both modify code and deploy to production) need to be identified and either blocked or compensated by review. NetIQ has been doing SOD across SAP, Oracle EBS, and PeopleSoft for two decades; the rule library covers the patterns regulated finance and HR programs face. Programs running SOD enforcement get the catch; programs without it find out about toxic combinations during audit or after fraud incidents.
What kills Identity Governance adoption is data-quality drift. Access reviews are only as good as the entitlement data feeding them. Programs with stale provisioning (terminated employees retaining access), shared service accounts, and unmanaged contractor entitlements generate access reviews that look chaotic regardless of actual risk. The right pattern is to fix identity hygiene first (NetIQ Identity Manager) and then layer Identity Governance on top. Merito's engagement scopes both sides honestly.
Ideal use cases
- Quarterly and annual access-review cycles for SOX-aligned programs
- Segregation-of-duties enforcement across SAP, Oracle EBS, PeopleSoft, and other regulated apps
- Audit-ready entitlement reporting and access-attestation evidence
- NetIQ Identity Governance modernization
- Identity governance integrated with NetIQ Identity Manager provisioning
What it is best at
Where OpenText Identity Governance earns its seat
SOD rule depth across enterprise apps
SAP, Oracle EBS, PeopleSoft, and other ERP systems where toxic combinations live. NetIQ has been doing SOD on these stacks for two decades.
Access-review cadence and workflow
Quarterly and annual cycles with manager attestation, reject-and-remediate workflow, and audit-evidence packaging.
Native pairing with NetIQ Identity Manager
Provisioning data flows directly into governance. Programs running both get coordinated identity lifecycle and governance.
Audit-ready entitlement reporting
SOX, HIPAA, PCI DSS, and sector-specific entitlement evidence in the formats auditors expect.
Core capabilities
OpenText Identity Governance capabilities, grouped by outcome
Access reviews
Where Identity Governance does the work for SOX-aligned programs.
Manager attestation cycles
Scheduled quarterly or annual cycles with manager-led entitlement review. Audit-evidence packaging built in.
Reject-and-remediate workflow
Manager rejection flows into Identity Manager for entitlement removal. Closed-loop remediation.
Risk-aware review
Risk scoring per entitlement so high-risk access gets reviewed more frequently.
Multi-tier review
Application owner review plus manager review for entitlements that require both perspectives.
Segregation of duties
Toxic-combination enforcement on regulated apps.
SOD rule library
Pre-built SOD rules for SAP, Oracle EBS, PeopleSoft, and other ERP systems.
Custom SOD authoring
Custom SOD rules for proprietary applications and internal toxic combinations.
Detective and preventive enforcement
Detective (find existing toxic combinations) and preventive (block new toxic provisioning) enforcement.
Compensating controls workflow
Where toxic combinations are necessary, document compensating controls with audit-evidence trail.
Reporting and integration
Identity Governance output flowing into audit and the rest of the IAM line.
Audit-ready reporting
SOX, HIPAA, PCI DSS, and regulated entitlement reports in audit-expected formats.
Identity Manager integration
Provisioning data flows into governance; reject-and-remediate flows back into Identity Manager.
Access Manager integration
Access Manager-managed entitlements covered in access-review cycles.
Privileged Access Manager integration
Privileged-account entitlements covered with elevated review cadence.
Where it fits in the stack
How OpenText Identity Governance connects to the rest of your landscape
OpenText IAM line (native)
Native- OpenText Identity ManagerProvisioning data flows into governance; reject-and-remediate flows back into Identity Manager.
- OpenText Access ManagerAccess Manager-managed entitlements covered in access-review cycles.
- OpenText Privileged Access ManagerPrivileged-account entitlements covered with elevated review cadence.
- OpenText Data Access GovernanceUnstructured-data permissions reviewed alongside structured entitlements.
Enterprise applications (certified)
Certified- SAP, Oracle EBS, PeopleSoft, Microsoft DynamicsERP entitlement integration with SOD rule libraries.
- Active Directory, Azure AD/Entra ID, NetIQ eDirectoryDirectory-source integration for entitlement data.
- ServiceNow, Workday, SalesforceSaaS application entitlement integration.
- GRC platforms (RSA Archer, ServiceNow GRC)Audit-evidence integration with GRC platforms.
Custom integrations
Custom- Internal applications and proprietary entitlement storesCustom integration for non-standard applications and entitlement stores.
- Custom SOD rule authoringCustom toxic-combination rules for proprietary applications.
- Audit-evidence packagingCustomer-specific audit-evidence formats and reporting.
Deployment and implementation
How it rolls out
- Hosting
- Hybrid (North America, EMEA, APJ)
- Implementation complexity
- High
- Typical time to value
- First access-review cycle live in four to eight weeks. SOD enforcement on regulated apps live in eight to twelve weeks. Enterprise rollout typically runs six to twelve months.
- Prerequisites
- Identity store inventory and hygiene assessment
- Application landscape and entitlement-data quality
- Named compliance and IAM owner
- Access-review cadence policy framework
- SOD policy framework drafted or in progress
- What Merito usually handles
- OpenText Identity Governance runs on-prem or hybrid. Merito handles entitlement-data integration, access-review policy design, SOD authoring, NetIQ Identity Manager pairing, and audit-evidence packaging.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- OpenText Identity Governance is licensed by user count, application scope, and deployment shape (on-prem, hybrid). Pricing depends on coverage breadth and SOD scope. Merito holds OpenText partner status; the access-review program is scoped under a separate engagement.
- Editions and modules
Identity Governance
Standard edition for access-review cadence and SOD enforcement.
Best for: SOX-aligned programs and regulated identity governance.
Identity Governance with Identity Manager
Bundled with NetIQ Identity Manager for coordinated provisioning and governance.
Best for: Programs running coordinated identity lifecycle and governance.
- Common expansion areas
- Add Identity Manager for identity lifecycle and provisioning
- Add Access Manager for SSO and federation coverage
- Add Privileged Access Manager for elevated entitlement review
- Add Data Access Governance for unstructured-data permission review
Merito services
How Merito helps you win with OpenText Identity Governance
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Identity Governance Implementation
Entitlement-data integration, access-review policy design, SOD authoring, NetIQ Identity Manager pairing, audit-evidence packaging.
Explore service02Upgrade and Migration
NetIQ Identity Governance version upgrades and access-review-cycle modernization.
Explore service03MAPS Assessment
IAM and governance program scoping for OpenText Identity Governance alongside SailPoint, Saviynt, and Microsoft Entra ID Governance.
Explore service04DevOps Consulting
Access-review automation, SOD enforcement integration, and audit-evidence packaging.
Explore service05Premium Support
Named engineer, priority SLAs, and release-time coverage for Identity Governance.
Explore service06Managed Services
Long-term run support including access-review-cycle operation, SOD policy maintenance, and audit-evidence packaging.
Explore service07Training and Enablement
Role-based training for compliance leads, identity governance architects, and audit teams.
Explore service08Staff Augmentation
Merito-placed identity governance engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Identity Governance licensing
License Identity Governance. Design the SOX-grade access-review cadence. Same engagement.
Identity Governance pricing arrives with entitlement-data integration, access-review policy design, SOD authoring, and audit-evidence packaging that turn quarterly attestation into defensible SOX evidence rather than spreadsheet click-through.
Merito point of view
SOX access reviews on spreadsheets are how programs fail audit.
Merito has audited SOX programs running quarterly access reviews on spreadsheets that managers click through without reading, and other programs running rigorous Identity Governance cycles with reject-and-remediate workflow and audit-evidence packaging. The difference shows up at audit time. Identity Governance is the right tool for SOX-aligned and regulated programs that take attestation seriously; programs that treat access reviews as a checkbox should not adopt it because the discipline is the value, not the product.
Merito recommends OpenText Identity Governance specifically for programs already running NetIQ, modernizing legacy NetIQ Identity Governance, or subject to SOX section 404 controls with mature compliance discipline. For greenfield cloud-native programs, SailPoint and Saviynt are competitive depending on the program shape. For programs running Microsoft-ecosystem-only IAM, Microsoft Entra ID Governance fits naturally. Merito surfaces those alternatives honestly during scoping.
The pairing with NetIQ Identity Manager is the load-bearing move on coordinated identity governance. Provisioning data flows into governance; reject-and-remediate flows back into provisioning. Programs running governance without provisioning integration find that rejected entitlements never actually get removed.
What buyers usually underestimate
- Running access reviews on spreadsheets that managers click through without reading.
- Adopting Identity Governance without identity hygiene, generating chaotic review queues.
- Skipping reject-and-remediate workflow integration with NetIQ Identity Manager, leaving rejected entitlements in place.
- Authoring SOD rules without running detective enforcement first, missing existing toxic combinations.
- Treating Identity Governance as a checkbox compliance product rather than a SOX-grade attestation capability.
Related from Merito
Continue exploring OpenText Identity Governance on Merito
Related solutions
Related services
Related products
- OpenText Identity ManagerIdentity lifecycle and provisioning paired with governance.
- OpenText Access ManagerSSO and federation entitlements covered in governance.
- OpenText Privileged Access ManagerPrivileged-account entitlements covered in elevated review.
- OpenText Data Access GovernanceUnstructured-data permissions paired with structured-entitlement governance.
- OpenText Cybersecurity (vendor portfolio)Full OpenText Cybersecurity catalog across AppSec, IAM, SecOps, Data Security, and DFIR.
Frequently Asked Questions
OpenText Identity Governance FAQs
Consultation request
Talk to Merito about OpenText Identity Governance
Share your access-review cadence, SOX program posture, and OpenText IAM footprint. A Merito OpenText specialist follows up within one business day.
NetIQ governance depth
Two decades of SOX programs
Established case law in financial services, government, and Fortune 500 SOX programs.
Coordinated with provisioning
Reject-and-remediate closes the loop
Native pairing with NetIQ Identity Manager. Rejected entitlements actually get removed.
Next step
Run governance with discipline or expect audit gaps.
A Merito Identity Governance engagement starts with access-review policy design and SOD authoring. Programs that treat access reviews as a checkbox routinely fail audit.