Self Service Identity Management

Posted by Edward Killeen on Thu, Nov 07, 2013

How about a trick question? What is your most authoritative source for identity information? It's not that tricky... your HRIS. But your actual users are an awfully close second. They know themselves, and if you give them a self service portal, they can make your life easier.

The real trick is what you allow them to update via self service. Most shops allow some limited Active Directory self service. But there is so much more that you can open up with a well designed self service identity management system... as long as you put controls, approvals and lifecycle into effect.

EmpowerID's HTML5 interface gives users a clean view into any application or identity store via a single interface from any device.  Attributes, group and role memberships, and permissions for any identity store / application can be managed via the metadirectory with updates either pushed directly to the application or synchronized on a scheduled basis.

Any field can be hidden, read-only, or editable based on the user's role(s).  Approval workflows are managed via EmpowerID's unique RBAR architecture (Rights Based Approval Routing), allowing you to easily manage who can and cannot make and approve changes.  Lifecycle can be applied to any object or membership, allowing you to have full identity lifecycle and temporary privileged access.

But the most important factor is what your users have access to self-serve.  Where most solutions stop at Active Directory, EmpowerID just starts there.  If a user needs to change their home phone number, that information needs to filter to AD for the GAL, HR for contact information, the emergency notification system, and to benefits databases.  Important information like this should not be left to scripts written by some contractor who won't work there in 3 months.

There are other glaring examples around group memberships which affect other systems: dynamic group memberships that are driven off of identity information, office locations that determine parking privileges, and mobile phone numbers for second factor authentication and device registration.

Think of all of the things your users know about themselves that you cannot find out. That is your list of attributes and systems that you allow self service for. Think of every place that those attributes need to be synchronized. That is your list of applications, databases and directories that you need to connect to. Think of everyone who can actually approve those changes; that is your RBAR structure.
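As an added illustration (not EmpowerID code or its API) of the three lists above, together with the role-based field modes, rights-based approval routing and lifecycle described earlier, here is a small Python model; the attribute names, roles, rights and target systems are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical field policy: attribute -> {role: mode}, where mode is
# "hidden", "read-only" or "editable". Roles not listed see the field hidden.
FIELD_POLICY = {
    "homePhone": {"employee": "editable", "helpdesk": "read-only"},
    "mobilePhone": {"employee": "editable", "helpdesk": "editable"},
    "employeeType": {"employee": "read-only", "hr": "editable"},
}
# Constructed fan-out map: every store a changed attribute must reach.
SYNC_TARGETS = {
    "homePhone": ["ad_gal", "hris", "emergency_notify", "benefits"],
    "mobilePhone": ["ad", "mfa_enrollment", "device_registry"],
    "employeeType": ["hris", "ad"],
}
# Rights-based routing in the spirit of RBAR: a change to these attributes
# is held until someone holding the named right approves it.
APPROVAL_RIGHT = {"employeeType": "approve_hr_changes",
                  "mobilePhone": "approve_mfa_changes"}
ROLE_RIGHTS = {"hr": {"approve_hr_changes"}, "security": {"approve_mfa_changes"}}
MODE_ORDER = ["hidden", "read-only", "editable"]

def field_mode(attr, roles):
    """Most permissive mode across the user's roles; unknown attributes stay hidden."""
    modes = [FIELD_POLICY.get(attr, {}).get(r, "hidden") for r in roles]
    return max(modes, key=MODE_ORDER.index) if modes else "hidden"

def submit_change(attr, requester_roles, approver_roles=()):
    """Decide whether a self-service change is rejected, pending approval, or applied."""
    if field_mode(attr, requester_roles) != "editable":
        return {"status": "rejected", "reason": f"{attr} is not editable for these roles"}
    right = APPROVAL_RIGHT.get(attr)
    if right and not any(right in ROLE_RIGHTS.get(r, set()) for r in approver_roles):
        return {"status": "pending", "required_right": right}
    return {"status": "applied", "targets": SYNC_TARGETS[attr]}

@dataclass
class Membership:
    group: str
    expires: Optional[datetime] = None  # None means no lifecycle end date

    def active(self, now):
        return self.expires is None or now < self.expires

def grant_temporary(group, hours, now):
    """Temporary privileged access: membership that lapses without further action."""
    return Membership(group, now + timedelta(hours=hours))
```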

Allowing self service for identity management does not replace the connectors, synchronization and metadirectory. It complements them and makes for a more thorough identity management solution.


Tags: Active Directory, Identity and Access Management (IAM)