One Identity Active Roles Reviews

RBAC for AD and Exchange

Provisioning, Re-provisioning, De-provisioning and Undo-De-Provisioning of user accounts

User Self Service

Virtual AD firewall

• Heavily Automates - it will automate the entire provisioning, re-provisioning, de-provisioning and undo-de-provisioning tasks
• Complete Audit Trail - it gives an audit trail for each and every activity
• Increase in accountability – various tasks can be enabled for approval.
• Virtual Firewall against AD/Exchange - it helps protect Active Directory and Exchange exposure to administrators and engineers
• Escalations – it helps escalates tasks if not acted upon in a stipulated time frame
• Security –
  • it helps in increased security as every employee will have correct resource access depending upon the business policies
  • user account is disabled and user is removed from the security groups which prevent misuse of user credentials

• Role Based Access Control
• Provisioning, Re-provisioning, De-provisioning and Undo-De-provisioning policies
• Data validation policies
• Workflows
  • If Then Else statements
  • Approval Workflows
  • Schedule Workflows
  • Escalation
• Virtual Schema
• Virtual OU’s
• Web console with easy customization option
• Integration and data synchronization with SQL, Office 365, Lync etc.
• Event handlers

• Web console – it should have more customization options in terms of look and feel of the landing page
• Workflow policies – Additional policies for folder access provisioning
• Bring back attestation – Attestation feature is dropped from ARS. This should be brought back

More than five years.

No issues encountered.

No issues encountered.

Customer Service:

It's good.

Technical Support:

It's good. In fact, the One Identity (Quest) support team has easy access to the One Identity (Quest) product developers. In case of any technical issues which has something to do with the product architecture or a bug, the support engineer brings in the developer in a remote session so that the developer understands the issue. The developer(s) then work on a patch to address the issue.

I did not use any other solution.

The initial setup is pretty straightforward. It's not at all complex.

Our company, Amal IT Solutions, is a One Identity (Quest) partner. Our consultancy has 10+ years of experience with this solution.

I won’t be able to provide ROI from commercial perspective, but from the below points one should be able to figure it out:

1. User provisioning/De-provisioning – this activity, which takes anywhere from one day to three or four days manually, is done in minutes without any IT resource intervention and so increases efficiency and productivity


2. Notifications – respective stake holders/business owners are notified immediately upon an activity performed, and no follow-up emails or phone calls required


3. Data consistency – it helps to maintain data consistency in AD which eliminates a data clean-up activity which IT department has to undertake regularly


4. Data synchronization – it synchronizes data between HR application and AD/Exchange or other applications and AD/Exchange relieving HR and other application owners from day to day tasks of co-ordination or creating/modifying/deleting application user accounts


5. Automation – Most of the IT tasks are automated which in turn reduces work load on IT department. IT resources could be better utilized for some other useful activities

It’s a gentleman’s agreement.

Licensing is based on Enabled User Accounts in AD. This should include user accounts, application accounts and service accounts.Temporary accounts could be excluded, but no one from vendors really challenge the user count which the customer provides. Some customer’s find the price bit on higher side but, for me, the price is competitive compared to other products with similar functionality and considering the ROI.

The product functionality does not cease if the customer exceeds the license count. The vendor does not want to force the customer to stop using the product if the license count increases. Instead, customers can buy additional licenses without hampering the day to day work.

We didn't evaluate other products.

This product has tremendous potential. It can be used to automate a lot of day to day activities. I always tell my customers, list down all your requirements, pain areas, and day to day tasks. Prioritize them, and use this tool to automate these tasks as per priority.

When a new employee is hired, we create a new Active Directory (AD) user in a related department (Organizational Unit) with a random generated password, then give that user some AD rights. Also, we create an exchange mail user for this user on cloud or on-prem and inform that user by sending a notification mail or SMS. We did similar things in other systems and did all the process manually before Active Roles. That means lots of workload and manual processes. Active Roles provided us to do all these operations automatically and reduced our workload very significantly.

• It provides automatic provisioning/update/deprovisioning workflows from a source system to a target system.
• It allows you to easily monitor all workflow processes.
• It has very powerful native policies and scripts, which allow you to create your own custom policies, scripts, and virtual attributes.
• In addition to using the console (MMC interface), it also gives you management from the web interface.

For ActiveRoles, it would be good if the product supports multi-scripting language. You can use only VBScript.

VB.net , C#, or Powershell scripting would be a good choice for the product.

Almost five years.

No issues.

No issues.

Technical support replies really promptly. The support team is very experienced and focused on the product. On the other hand, there is a community portal and you can find every piece of knowledge on there.

We have not used any similar products before. We did all related operations manually.

It was very straightforward.

The licensing model is a simple user-based model, not that much complicated.

We evaluated and researched other options, such as NetIQ, FIM, Oracle, CA, IBM, and SailPoint.

However, Active Roles is most suitable for us.

It is very important to come together with system owners who will be integrated at the beginning of the project to clarify all the rules and determine the work to be done. Test environments of the systems to be integrated must be requested. Test environments are so necessary.

We use it to lock down the interface between helpdesks and Active Directory.

It's improved things because we don't have "cowboy changes" being made to AD without us knowing about it. People still have to do the things they need to do, but we can now make sure that they don't inadvertently do something they shouldn't.

It hasn't saved us time in terms of what needs to be done, but it has saved us time in terms of not having to go back and fix stuff when people have made mistakes.

It gives us attribute-level control and the AD management features work very well.

For what we use it for, there are no additional features it would need.

Most of the time it just works.

It works at the scale we use it at. I can't say whether it would work in much bigger enterprises or not.

I, personally, have never had cause to use technical support. My guys have interacted with them a few times and have been happy with the support they've received.

Previously, people were able to update AD directly. We have reduced that by pushing everything through Active Roles. Our decision to go with this solution was part of the need to lock things down, make things more secure.

We did the deployment ourselves.

My advice would be to certainly consider Active Roles and, depending on the size of the organization, consider integrating it with Starling as well.

I know the solution is extensible through cloud-delivered services but we don't use those currently.

I would rate Active Roles a nine out of ten, based on the convenience it's given us.

We use ARS to manage multiple domains. Our organization owns over thirty companies and we needed a tool that would give us the ability to apply consistent access rules across all of the businesses.

ARS gives us the ability to provide granular control that AD just doesn't offer. Having a tool to manage all changes to AD from a single pane of glass is awesome. It also allows Help Desk personnel to get up to speed very quickly without having a strong technical background.

The built-in templates within ARS allow you to create security groups without having to construct them on your own. It greatly simplifies the process and is also makes it much easier to review if you ever need to make changes.

The ability to send logs to a SIEM would be very beneficial.

We have been using this solution for five years.

• Automation of manual identity management operations (provisioning and deprovisioning).
• Solving security and compliance issues is easy.
• Operational issues are much easier and more reliable with Quest ActiveRoles's directory layer and portal.

It provides automatic provisioning for many applications and systems, including in-house applications and cloud applications. Also, it offers a virtual directory structure and a new directory layer between users and physical directories. Management and monitoring become easier.

Scripting options in different languages.

Under four years.

Not yet.

No.

It is excellent. Quick and useful answers.

They also have a large community portal where you can find a lot of information.

I didn't use any other solution, but I evaluated many solutions.

It was simple. I didn't have a problem. It took half a day.

There is a simple user-based licensing model. Not complicated.

Yes. NetIQ, FIM, Oracle, CA, IBM, and SailPoint.

Choose your project team well. Remember that analysis of all processes is very important. Don't forget that testing is also very important after each development.

My use case is for task automation, such as user provisioning, deprovisioning, delegation provisioning, and rights delegation. It simplifies the management of users and groups.

Currently, task automation, like provisioning, deprovisioning, and reprovisioning, is very effective. When a user moves from one organization to another, it automatically changes their group membership and performs similar functions. 

Secondly, the granular delegation feature is very nice and much simpler and easier than it is natively in Microsoft. 

Two years ago, One Identity Active Roles was under Dell. It was quite poor. However, now, there have been notable improvements, such as faster system processing, better logging, enhanced information, and a more user-friendly interface. Once it was sold by Dell, things got better. The interface became a bit more user-friendly.

The Angular user interface is much more flexible for adjusting to customer needs, and a completely new and customizable one can be created, aligning with all settings and scripts required by a customer.

The ease of managing on-prem and cloud-based directories through a single pane of glass is good. I'd rate it nine out of ten. 

The solution's ability to provision and deprovision resources and directories like Azure AD is very simple, especially when you can integrate with the HR system and grab some data from HR. It's actually fully automatic. I don't need to even touch it.

It's helped increase operational efficiency by 50%.

It's helped decrease security problems around privileged accounts. We were able to decrease the number of privileged accounts and have been able to delegate more effectively.

We decreased the number of high-level permissions that administrators had. For example, if someone is a DNS administrator, he has access only as far as the specific actions he needs to handle. We don't need to give away such high privileges for such a daily job. It's helped clarify roles and access.

It's helped reduce identity-based breaches. If someone leaves a company, we can easily undo provisioning and close accounts. We can generate reports to see which people have which permissions and at what times.  

We've just integrated with our HR system. It helps us follow activated and deactivated users. 

I'd rate the granular controls on offer ten out of ten.

We've saved on manpower in terms of the work of the administrators. There's good reporting and functionality, and it's very transparent. You can connect more than one directory and manage everything from one pane. You can do many things from one interface. 

The possibility to request group membership, similar to the past, was disabled and moved to Identity Manager. That would be coming back in six months.

Additional documentation about the Angular web interface is also needed.

I have used the solution for ten years.

I encountered some problems in the past with the system, not just with our infrastructure but also on the customer side. There were some software bugs. 

Overall, on a scale of one to ten, I would rate it at eight and a half to nine. There were no major problems with One Identity Active Roles.

I'd rate scalability ten out of ten. 

It's rate support ten out of ten. 

Positive

I've been working with the system for so many years, it's very simple and easy. It's one of the best solutions. There are a few things missing, however, I prefer it and if it fills in the existing gaps, it would be the best option on the market.

The installation is quite easy and involves only a few clicks to have One Identity Active Roles up and running. The hard part begins with the configuration: creating workflows, permissions, provisioning, deprovisioning workflows, policies, and so on. Nevertheless, it is quite straightforward, and the documentation is very clear and simple.

There is a bit of maintenance needed. It's not just install and forget. You need to check the logs and make sure services are up and running. It's not time-consuming. It's very simple. 

I am working on the partner side of One Identity. I have implemented One Identity Active Roles in several organizations. The longest implementation took two weeks, and the shortest was three days.

The solution saves manpower and time for network administrators, offering a significant return on investment. One Identity Active Roles provides excellent reporting and auditing functionality, allowing administrators to track permissions, actions, and responsibilities effectively.

We've likely seen a 30% ROI.

I would rate the setup cost ten out of ten. It is quite expensive, costing more than 50 euros per identity. While it is worth the price, not many companies are willing to pay such an amount of money.

I'm a One Identity partner. Our clients range from small to enterprises. Customers range from 50 to 30,000 people. 

If there is any mess in Active Directory, like excessive delegations and errors, One Identity Active Roles will help clean it up and simplify work. It allows administrators to confidently ensure everything is configured correctly in Active Directory, securing it effectively. 

I rate the product nine out of ten.

On-premises

The main use case is the Active Directory delegation. We have many different entities within our organization, and we needed to delegate some Active Directory capabilities, such as creating users, updating users, deleting users, groups, and computers.

The access templates help set up granular permissions and the web portal to manage Active Directory. Active Directory is usually managed through a heavy console, and using One Identity Active Roles allows it to be managed through any internet browser. Additionally, it helps in removing custom Active Directory delegation, which enhances security by eliminating unnecessary privileges, addressing identity-based breaches by reducing the number of Active Directory delegations.

One area for improvement would be the Entra ID side, including better delegation for Entra ID objects and more granular permissions. We would also like to see better Entra ID license management using virtual pool management, given that the current setup is custom-made, and having this feature built-in would be beneficial. The web interface could also be improved, though it's ongoing.

The solution has been in place for the last fifteen to seventeen years, but I have been using it for the last eight years since joining the company.

The stability of One Identity Active Roles is rated seven. There are performance issues sometimes, but restarting services usually resolves them.

The solution is scalable. It is rated nine in terms of scalability.

Customer support is rated six. Sometimes having a fix for a bug takes too much time. While in production, issues tend to take a while to resolve.

Neutral

The initial setup is quite easy. The deployment is not long, but the extensive customization, such as virtual pool licenses, takes a bit of time, about a week.

The product is expensive, but if you want to save money, the delegation set-up process is quite easy. After setting up Active Roles once, defining the delegation model, it is very efficient, almost like copy-paste.

CoreView offers better Entra ID delegation. They conducted a study and found that CoreView has better features than One Identity Active Roles in terms of Entra ID delegation.

I would definitely recommend One Identity Active Roles because it allows the delegation of Active Directory through a web portal instead of a console. Additionally, while the Entra ID part requires improvements, it can still delegate Entra ID objects. I rate the overall solution an 8 out of 10.

On-premises

We use One Identity Active Roles for the delegation of Active Directory administration to local entities.

It has helped improve our organization by delegating day to day tasks to entities, allowing gains in time to market for AD related tasks, and also allowing to reduce time and effort spent globally.

The most valuable features are the access templates, which allow for granular permissions, and the policies that provide a framework for usage and standardization across entities. The solution improved our organization's security posture by framing the end users and ensuring that capabilities that could cause mistakes are hidden from the web interface. It helps us ensure that entities do not make any mistakes by hiding those capabilities directly in the tools with the access templates.

There are areas for improvement in One Identity Active Roles that include updating the web interface, creating an API accessible from the web, and improving overall performance, as it can be slow at times. But all of those are already in the development roadmap.

We have been using One Identity Active Roles since 2011, which amounts to fourteen years.

I would rate the stability as a seven because there are sometimes performance issues, which require restarting the services. This affects stability.

The solution is highly scalable, with a scalability rating of nine. It effectively handles 150,000 users.

I rate customer service and support as a seven because, although they are helpful when needed, there can be delays in responding to tickets and finding necessary fixes.

Neutral

There was no previous solution in place before, as One Identity Active Roles was already implemented when I joined.

The initial setup was straightforward but took months due to the detailed design required for the access templates.

In house.

I estimate the return on investment (ROI) to be about fifteen percent.

The pricing of One Identity Active Roles is expensive, but the return on investment justifies the cost, allowing for savings in other areas.

I would recommend One Identity Active Roles due to its straightforward delegation capabilities, comprehensive management of Active Directory objects, an excellent PowerShell cmdlet suite for scripting, and a robust change history feature for auditing. The overall solution is rated as eight out of ten.

On-premises