When it comes to using a compliance product, in order to prove compliance your identity data has to be in a compliant state (it can't have any role- or rule-based SoD violations, certifications must be completed without outstanding revocations, etc.). Once your data is in order, opening up this quality information to outsiders through provisioning or, ideally, federation could be the next step.
However, growing into a compliant state is a process and not just an action. By that I mean that a product such as Sun Java System Role & Compliance Manager not only proves the compliant state, but helps you get there from the early, messy state your data is in.
By using the ability to import external identity data; to create, mine and manage business and IT roles; and to repeat review cycles at role, user and/or application level, the product allows you to clean up your data, ending up with proper roles and properly linked users and entitlements, and provides a manual, workflow-driven review mechanism that allows your data owners and line managers to review currently assigned entitlements and verify their validity. In case of violations, remediation can be triggered either via e-mail or via external provisioning solutions such as Sun Java System Identity Manager.
Compliance is therefore a constantly running process that ensures the quality of your data becomes optimal, and stays optimal, through a typical set of lifecycle operations on the involved identities.
More information on the product can be found at: http://www.sun.com/software/products/rolemanager
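As an added illustration (not the product's own code or data model), here is a small Python check of the "compliant state" described above: it evaluates role-based and rule-based (entitlement-level) SoD rules against each user's roles, and treats any incomplete certification or outstanding revocation as blocking compliance. The role names, entitlement strings, rules and users are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set
# Constructed sample model (not the product's schema): roles grant entitlements.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "AP_Clerk": {"erp.invoice.create"},
    "AP_Manager": {"erp.invoice.approve", "erp.vendor.read"},
    "Vendor_Admin": {"erp.vendor.create", "erp.vendor.read"},
}
# Role-based SoD rule: these roles must not be held together.
ROLE_SOD: List[FrozenSet[str]] = [frozenset({"AP_Clerk", "AP_Manager"})]
# Rule-based SoD rule: these entitlements must not coexist, whichever roles grant them.
ENTITLEMENT_SOD: List[FrozenSet[str]] = [frozenset({"erp.vendor.create", "erp.invoice.approve"})]

@dataclass
class User:
    uid: str
    roles: Set[str]

@dataclass
class Certification:
    name: str
    completed: bool
    outstanding_revocations: int  # revocations decided but not yet remediated

def effective_entitlements(user: User) -> Set[str]:
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))

def sod_violations(user: User) -> List[str]:
    found = [f"{user.uid}: role SoD {sorted(p)}" for p in ROLE_SOD if p <= user.roles]
    ents = effective_entitlements(user)
    found += [f"{user.uid}: entitlement SoD {sorted(p)}" for p in ENTITLEMENT_SOD if p <= ents]
    return found

def compliance_report(users: List[User], certs: List[Certification]) -> List[str]:
    """Everything that stops the data set from being in a compliant state."""
    issues = [v for u in users for v in sod_violations(u)]
    for c in certs:
        if not c.completed:
            issues.append(f"certification {c.name}: not completed")
        elif c.outstanding_revocations:
            issues.append(f"certification {c.name}: {c.outstanding_revocations} outstanding revocation(s)")
    return issues

def is_compliant(users: List[User], certs: List[Certification]) -> bool:
    return not compliance_report(users, certs)

# Constructed sample data: alice breaks the role rule, bob the entitlement rule.
SAMPLE_USERS = [User("alice", {"AP_Clerk", "AP_Manager"}), User("bob", {"AP_Manager", "Vendor_Admin"}), User("carol", {"AP_Manager"})]
SAMPLE_CERTS = [Certification("Q3 manager review", True, 2), Certification("Q3 application review", False, 0)]
```

With the sample data, `compliance_report(SAMPLE_USERS, SAMPLE_CERTS)` lists four blocking issues (two SoD violations, one certification with outstanding revocations, one incomplete certification), so `is_compliant` returns False until each is remediated.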
