One Identity Manager Reviews

This was for customers identity management, where there were a huge number of domains and the customer had unnecessarily complicated the system with a lot of parameters and attributes. 

Larger customization has made the system complex and confusing. The people who deployed it initially did little to document it. This has had a negative, delayed impact on the overall project and solution. 

The good part is Quest One IDM allows for large customization.

• Separated modules and integration allow for more capabilities 
• Graphical and tabular interfaces
• VB and SQL front-end and back-end

A detailed solution document to registered aspirants and interested people would help them achieve what they require before its tested and pushed to production. Quest Software should provide notes and documents to customers before they buy the product and license.

Everything (location, cost center, department, business role, etc.) is a role.

The Data Importer is a great tool to create an ETL. It generates code which is easy to maintain later without the tool.

The Attestation function lets you easily define grant/deny workflows based on constellations in the database.

We were able to connect 300+ SAP clients who were requesting access to SAP roles with the software. We also established an offboarding/onboarding process for SAP clients, as well as other target systems.

Some internal structures are in place because of already depreciated functions back from the time when the solution was used for software deployment and as a help desk.

Four years.

Versioning requires a lot of customizing effort.

No issues.

Web Designer consumes a lot of memory based on certain queries that could let the IIS run short on memory. This could be mitigated with more memory.

Very good.

Very good.

No.

No, it is wizard driven. If something went wrong we had to restart from the beginning.

The vendor team had a mixed level of experience, but there were enough excellent engineers.

Unmeasured.

Start with an operations team that is motivated to learn a lot in a short period of time. The longer you wait, the more expensive it will be to get the right level of expertise in this area.

I was not involved.

Great product, which I would recommend. It has a huge learning curve, but could solve all your IAM challenges. Make sure to have a good team and support from the vendor.

The data is easy to manipulate using SQL queries and commands.

The product was initially brought in to replace an unsupported solution. Later on, it became a partner self-service portal, reducing service desk calls to create accounts for business partners.

There are too many configuration interfaces. They could simplify the design to not require VB/PS coding to draw the workflows.

I have used this solution for three years.

The initial connection to the domain and LDAP trees was painful. However, once configured, it was stable.

The product scaled well. We had approximately 8000 users at the time of implementation.

There is great technical support. No issues there.

We used Novell's DirXML 1.1a. The client opted to migrate instead of upgrading.

The initial setup was complex due to the customer’s complex environment. A third-party service provider was required for deployment.

Licensing can be high. Quest usually bundles with other products, so you can get a better deal.

We only upgraded from the same vendor, Novell at the time.

The product has its challenges, but when well configured, it can provide good results.

In Q1IM, at least the version I worked with, it wasn't very intuitive to create processes and you need to actually add code to the boxes in order to customize. I always compare with NetIQ/Microfocus as they have the designer which is easier to elaborate rules.

About the interface, they have multiple applications, such as report designer, webdesigner, designer, object browser, import tool, manager, identity manager, jobqueue info. Its a suit of apps. It takes time to get familiar with them and know which does what.

The out-of-the-box connectors (SAP, LDAP, MS Active Directory, CSVs, etc.), and the one-stop-shop portal for user requests and authorizations which can be customized to display corporate logos and color schemes.

Additionally, certain “out-of-the-box” features can be configured to not be displayed or affect specific behaviors through the Project Configurator.

Additional customization requiring coding is possible, but requires additional planning, coding, and testing and is out of scope for this project.

In D1IM there are different ways of connecting with targeted systems. Out-of-the-box Connectors could be with:

• Connected system modules which allow interaction between D1IM and third party systems, with their specific schema extensions, dedicated synchronization templates and business logic. They allow deeper out-of-the-box target system management.
• Connectors which are predefined synchronization interfaces, developed by Dell, and are highly configurable but cannot be customized!

Interfaces are developed during IdM projects as an additional, customer specific feature of D1IM. This enables the connection of more proprietary or less common systems. Interfaces are easily changed in their functional behavior and implementation.

With this tool, you can easily orchestrate automation user access provisioning and implement multiple layers of authorizations (4 eyes or 6 eyes principles).

• Implementation of skip logic in user access request forms - this topic cannot been explained easily because it requires a deep dive within the functionality of the Web Portal.
• Lack of integration with RestAPI - the lack of out-of-the-box RestApi connectors creates some difficulties in integration running infrastructure as code, with DevOps operation (CI, CD, VCS etc.) and managing On Premise and external clouds.

We have been using this solution since 2006.

We have not encountered any stability issues. The system is rock solid.

We have not encountered any scalability issues.

The Dell technical support is good enough.

The D1IM gives a rare opportunity to integrate multiple authorizations and authentication platforms into a single portal.

The configuration is complex and requires a good understanding of your existing infrastructure and related protocols for communications.

We have no specific advice about licensing issues.

We evaluated Ping One Identity, SAP IDM, Oracle Access Manager, Net IQ Identity Manager, and RSA Access Manager.

Clarify what level of automation is needed in a user access request. Authorization and provisioning is achievable while comparing company needs and objectives.

Some valuable features are:

• Easy to configure, as it is mostly UI based
• Reporting
• Dashboard

It has improved the user life cycle operations and IT shop functionalities for our organization.

There is a need to improve the use case documentation and coding templates. This product has some limitations when it comes to use case documentation. Generally, when we have any different scenario, we need to post in the blog and only then we will get answers.

I have been using this product for the last two years. I have been using the Quest One Identity Manager (version 7.0, 7.1), Authentication Services (latest version), Password Manager (version 5.6.3), Privileged Access Management (latest version).

I have not encountered any stability issues.

I have not encountered any scalability issues.

Technical support replies within 1-2 business days. The Quest blog is very useful where the experts will answer the queries mostly on the same day.

Previously, we were using more complicated solutions.

The initial setup, installation and basic configuration are straightforward.

The pricing/licensing policy is less when compare to other leading other solutions.

We evaluated other options such as SailPoint, CA and Oracle.

This product is very effective and has more capabilities than any other.

• The GUI is very impressive and clean (even cleaner and minimalistic in v7).
• JobQueueInfo does an amazing job tracking all processes.
• Synchronizations are easy to set up.
• Reporting capabilities are fantastic once you get the hang of using Report Editor.
• WebDesigner allows a lot of customizations to be added to the web project.
• Schema and table names are very logical. It is very easy to find something in the database just because of the fact that the naming convention in the schema is very logical and consistent.
• It's a feature-rich product: a suite of very powerful tools with a lot of functionalities once you get the knack of them.

• Auditing becomes easier from an admin perspective.
• There is more control over everything.
• Processes are much better defined.
• People tend to take some functional roles much more seriously. There were some roles that were very old in the organization but the legacy implementations did not grant much value to them. Q1IM's implementation of those roles really enhanced the value and the role members had clear responsibilities/tasks defined that they had to abide by.

• DBQueue processes can bottleneck the system at times. In v7, its apparently re-architectured, and is better. There can be too many of them and they process very slowly, causing actual processes to take a lot more time to complete.
• There should be a way to define fail-over job servers in process steps. Job servers can become a single point of failure.
• Better support for Oracle back end databases. SQL support is good and KBs are easy to find. The same level of support should be available for Oracle if the product claims to support it.
• A better migration tool for v6 to v7 upgrade, especially for the Oracle back end.
• There should be a way to separate out the front end (IT Shop) from the back-end processes. If the submission of a request through the web portal is done and it gets stuck computing something in the back end, the front end control should still be granted back so that the user can continue navigating freely across the site. Currently, if a request is submitted and it is taking time to process, the front end just gets stuck on a spinning wheel (loading wheel).

I have used it for ~2 years.

If the requirements can be met through product configuration, then issues don't arise as often. Customizations (depending on complexity) can be problematic at times.

Transporting change labels across environments can be confusing. It should be noted that the content contained in change labels should be documented right from the beginning of the project and all team members should be on the same page.

It's more about getting used to the correct way of working with the product rather than issues with deployment.

I have not encountered any stability issues.

We implemented the tool in an environment with roughly 35,000 active employees and over 2,000 service accounts. A few things I noted were:

• The web portal (IT Shop) tends to get a bit slow loading information for certain roles that have access to lookup all employees.
• The admin tools can also get a bit slow while loading too much information at once. For example: Loading user account information under the Active Directory tab in Manager can take a long time.
• We had various rules defined in our scripts for central account generation. One of those included a check in a history table to avoid granting a user name which has already been used in the past thus avoiding collisions. This caused our contractor account requests through the web portal to become extremely slow. Submitting a user account request from the IT Shop could take up to four minutes at times. We had all necessary columns indexed and the code to generate CentralAccount was written by the vendor team itself but the slowness could not be tackled.
• There was always a direct relation between the slowness we faced and the number of employees the environment managed. For example: Account requests used to take roughly 20 seconds in our development environment which had roughly 15k users and almost 25k entries in the history table we maintained to avoid username collision. In our production environment, it took way longer since the number of employees increased to ~35k and entries in our history table exceeded 150k records.

Customer service was just average during implementation phase.

Technical support is decent overall. However, some SRs took way too much time to resolve for the value they provided.

Some escalation engineers are very knowledgeable and troubleshooting sessions with them can be really worthwhile and informative.

We previously used legacy scripts with Microsoft FIM as the backend. FIM was too old and not user friendly at all. It was ancient in terms of IDAM and there were far better products with a lot more capabilities.

Setup was straightforward. Initial JobService configurations ends up being a bit confusing.

It was a hybrid implementation: We had an in-house team and a vendor team during the time of development for the first phase of the project. The second phase was done purely in-house.

The vendor team was not good. It was just average. There were a lot of times when we felt communication was lacking from the vendor side and at times, there were mistakes in the implementation, also. We recognized some errors long after the product had gone live. Overall quality delivered during development was not up to the mark. Average experience during the first phase with the vendor caused us to stick to a complete in-house implementation for the second phase.

Vendor teams (at least in the US) should be trained more about the tool's capabilities. I have heard that European vendor teams are much better with a lot more knowledge about the product.

Before choosing this solution we also evaluated TIM, OpenIAM, OIM, and SailPoint. All had week-long PoCs with us. We chose Q1IM (at the time, D1IM). SailPoint was a close second.

It is certainly a leading product in the IAM sphere.

• GUI
• Reporting capabilities

Allows the delegation of permissions related to identity management and also visual representation of the configuration as opposed to having to go through loads of scripts which was the case with our previous solution.

Job server engine -

• Performance
• Loadbalancing

One year.

Not yet.

Not yet.

More than one job server cannot be allocated per target/source system which can be a performance bottleneck,

Good.

Good.

Previous solution was an in house written application. We switched due to support reasons as well as outdated technology and a lack of functionality.

Configuration and implementation is a complex process as we had complex requirements, but could quite easily be done in a simple way.

We implemented via a combination of an in house team and a vendor partner. Their level of expertise was very good.

Yes we chose Dell One over Oracle IDM, IBM, NETIQ, and MS FIM.

Have a team of dedicated staff for the implementation who are given enough time to understand the many dimensions of the tool.