One Identity Manager Reviews

I have been in various roles. I have been a developer, an operational manager on this One Identity tool, and also a product analyst. We have used it in various phases.

I'm an official partner. The consultants I work with have provided me with a consultancy license, and the clients have their own licenses, but we work with our own licenses. Whenever there is a vendor bug or something is needed, we use our license to raise a ticket on behalf of our client. 

The consultancy that I work with has been One Identity's Partner of the Year for the last five years. We have offices in Europe, the Middle East, Asia, Africa, and the Americas. In Europe, the Middle East, and Africa, we have been the top partner for the last three years, and in Asia-Pacific, we have been the top partner for the last year.

We have a license program with them. When we sell the product, it's a partnership between One Identity and us. They get a share of the profit, and we get a share. The client pays the full price of the product. 

One Identity is cost-effective compared to the market. It offers functionalities and features at a very low price relative to ForgeRock or SailPoint. The first advantage you see is the heavily reduced cost. 

There are also some other aspects. For example, it provides a lot of functionality out of the box. You don't need to spend money on external developers to customize or do some special configuration that requires a person for additional maintenance. Other than that, there are some additional security features like attestations and approval features that are intuitively made inside. 

These features give you an advantage immediately, and in the long run, they simplify the audits. You don't have to be around the auditors every time to explain things. You give them a specific account to use for the audit and allow them to play around with the tool. 

One Identity Manager helps minimize gaps in governance coverage among test, dev, and production servers. We have four or five environments. Based on that, there are configuration parameters with which you can segregate between every environment. It's quite easy and configurable. 

Depending on which modules you install, it helps to close the security gap between privileged and standard users. In Identity Manager, there is a module called Application Governance. If you install that module, you get that functionality or features, but many clients prefer a custom implementation. IGA is not supposed to provide PAM-related functionalities. That's why they sometimes push clients to take a bundle of IAM and PAG solutions together, which is One Identity Safeguard.

With Safeguard, you can cover your privilege and identity access management. In fact, you can control the access governance of who has what access in your PAM environment through the Identity Manager itself. They are interconnected, but Identity Manager can't independently give you this functionality. 

One Identity Manager helps us consolidate procurement and licensing. Who has what permissions and their validity is well maintained. Most of them get attested every three or four months, depending upon the configuration. You can see which licenses are needed. In fact, in the newer version, since version 9.x, they have a new field showing when the license was last used or how actively it is being used. 

Sometimes, if it senses that it has not been used for one year or one and a half year based on the configuration parameters, it will send an email that we have not used it for this much time, so we will remove it. It will remove it with no questions asked. So it is quite smart enough to handle those licensing decisions.

The solution helps streamline application access decisions. Every application has the necessary groups and entitlements assigned to it, so you can independently streamline their workflows. It's a highly customizable tool that lets you group together workflows for, say, 10 Active Directory applications because they are all in the AD domain. You can assign a single workflow for them. 

However, if you want every application to have a different workflow or access management, you can assign that. From inside the application governance module, you can assign the privilege level and how privileged or sensitive the accesses are. Depending on that, it will provide the threat and fraud level or what approvals might be needed. So all these are quite intuitive and smartly managed.

The application compliance is handled quite well. It isn't great because it tends to create performance issues in the system. Compliance issues are calculated reactively and proactively. There are two types of SODs: prevention and detective. It's smart enough to detect it, but this can lead to performance issues because of the size of the system you are working with. This is something that has to be done by the manager. You can make your system digest the performance degradation to keep the SOD at an expected level.

Application auditing is pretty much what is called attestation, and it's mostly provided out of the box, but a lot of customization is possible here. In most cases, I have seen customization being done also here. Depending upon that, you can configure it in various ways. You can have multiple attestation policies attesting various things, or you can have a single attestation policy handling multiple things. You can configure and schedule it accordingly and define the approval workflows of those attestations. If an attestation is rejected, what should be the action? If it's missed or raised, no one decides how it should be handled. These are well handled.

Many governance decisions can be made without IT intervention. Most things are pretty self-explanatory in the web portal. You get an email or a notification on the web portal. At most, what happens is that people get so many notifications because they are a backup owner for so many things that sometimes too many notifications come down to them. Other than that, I haven't seen anyone complaining that they don't understand what they need to do when it comes to approval.

My favorite feature is the ease of customization. You can change, optimize, and update it at your convenience. I haven't seen that in many other products available.

We use One Identity Manager to connect to SAP IDM. SAPconnect target systems are integrated into One Identity Manager, and we've made several SAP connections we have made with One Identity Manager. The solution connects with Snow, which you can use to manage your disconnected systems. 

Most clients I have worked with prefer a custom approach. So some prefer Snow, some prefer some other IDM tool with which they want to manage their disconnected systems. So, yeah, you can say yes and no, to be honest. Like, yes, there is a functionality that has been provided, but it's not very matured enough. So that's why I believe clients tend to be a little customized on that front.

One Identity Manager connects SAP accounts to employee identities under governance. That's completely autonomous. Once the target system connection is made, the product is available in the IT shop web frontend. You can order it from there. One Identity Manager handles it by itself. You can customize, but usually the vendor has created an out-of-the-box functionality to do all these operations.

The solution provides IGA for the aspects of SAP that are more difficult to manage. With One Identity Manager, the good thing is that you can customize. In most of the clients I have worked with, the T codes or different custom SAP tables were later introduced in a greenfield project, you don't see these custom tables more often. Out of the box, the SAP connector gives you around 32 to 36 tables in the SAP target system that are more generic tables, but there are custom tables about the T roles or the special attributes. You can customize your connector accordingly, so there is an XML parser provided in the sync editor. You can use it to achieve all those operations.

I'm unfamiliar with SAP-related workflows because clients don't have any specific SAP workflow. They have their own workflows, and One Identity Manager is configured for various product approvals. That's how they are managed. If you want to create a customized workflow, whether it's SAP HANA or any other product-specific workload, you can easily create it.

One Identity Manager provides a connection with Snow, where you can manage your disconnected systems. Most of the clients I have worked with prefer a custom approach. Some prefer Snow or another IDM tool to manage their disconnected systems. There is functionality that has been provided, but it's not mature enough. I believe clients tend to be a little customized on that front.

It connects SAP accounts to employee identities under governance. It's completely autonomous. Once the target system connection is made, the product is available in the IT shop web front end. You can order it from there and everything. One Identity Manager handles it by itself, so you don't need to customize it, but the vendor is given an out-of-the-box functionality to do all those operations.

One Identity offers a single platform for enterprise-level administration and governance of users' data on privileged accounts. The good thing is that much of the functionality comes out of the box. You don't need to customize if you don't want. In a greenfield project, this tool is optimal for those purposes. If the user number is around 1 million or under that data scale, it's a good tool to run on from the IGA perspective. With One Identity, they don't want to focus on IGA. They want to expand the horizon of cybersecurity. There are native tools like Safeguard and others. You can even integrate your PAM accordingly with your IGA and IAM.

There are two types of interfaces in One Identity. One is the phased-out interface, which was known as a web designer. This is getting phased out with Angular now. Angular was one of the lagging points where the user interface was not up to the mark with the out-of-the-box functionalities. Many customers had to customize heavily to get a level of intuitiveness. Now, Angular's web portal has been notched up. You get AI suggestions, IntelliSense, and lots of fraud detection out of the box, like threat level. It's been improved in the recent version, and it's been working phenomenally well.

Business roles are used extensively, and custom implementations are done over business roles. The number of cloud apps I would be telling is a little less because their Starlink connector still hasn't matured enough. It's still not a high-performance tool, but it has the capability to do so.

Nowadays, every organization has almost at least a few apps in the cloud. It's important even if the organization is heavily based on on-premises infrastructure. With this tool, you get so many things that work with this cloud infrastructure, it doesn't let you down completely. When you compare the performance of this with a native PowerShell connector or SAP connector, for example, you feel that the performance could be enhanced a little bit. It's something that is becoming mature in the latest versions. I'm confident they will improve it further in the upcoming versions.

One area for improvement is zero trust. Besides that, performance is a big factor. I've heard from multiple clients that One Identity's front end is not so performance-optimistic. It depends on how you have configured and deployed the system. At the end of the day, I would say that's something they need to improve.

Still, whenever a critical bug is released, they address the defect pretty quickly compared to any other competitors in the market. At the same time, there is a problem with support. They have limited knowledge about things that may affect their tool. You are deploying this tool in a client's environment, and multiple things would impact it, like proxy servers, load balances, other infra technologies. 

Because their company is so focused on just their tool and related technology,  they can't support you much. At times, it becomes frustrating. While you are paying a little less than your competitors, you expect some support, compliance, or expertise from the company. If a certain load balancer is unable to handle your tool, you should know what load balancer would be perfect or what configuration you should use.

We have used One Identity Manager for five and a half years. 

I rate One Identity Manager eight out of 10 for stability. 

I rate One Identity Manager nine out of 10 for scalability. 

I rate One Identity support seven out of 10. I have done multiple tickets. I am in touch right now because I'm in the middle of an upgrade for a major client for One Identity. I have been closely in touch with them. At times, there are things that can impact their product, like load balances that are part of the product when you deploy it in a matured environment. 

In those cases, they can't support you much because they just say that load balances or these things are not something we support. You have to get the support from the necessary vendors they have, and those vendors say, "We are the load balancer. We don't support your tool. You need to go back to your vendor." 

You're between two things. At times, it seems like a big company that is not very new to the market should have the basic knowledge or idea of how to get these things up. There are performance issues for so many clients of One Identity, but they can't give you a concrete answer. They can tell you that there is an infrastructure issue, but they lack the knowledge of the infrastructure issue, that knowledge is quite lacking in them. I would say that is something they need to improve.

We don't use the premier support. There are two types of support: one support is between the partner and the firm, and another is between the client and the product company. For the premium support, One Identity provides certain employees, developers, or consultants from their own company. It's the most exclusive contract you can have with them. 

The second type of support involves giving you the product, the support portal, and some sort of knowledge. Then, maybe you can hire someone from them for a limited period of time. The predominant work that you need to do with the product, like deployment, maintenance, development, or bug fixes, you do via some partner companies like us. 

Neutral

I have used SailPoint Identity. One Identity Manager is much better. One Identity Manager is better on a smaller scale of employees. It can handle a scale of half a million or one million, but beyond that, SailPoint is a better tool.

Deploying One Identity Manager is easy and standardized. If it's a greenfield project, the initial deployment should not be difficult if you know your stuff. A proper runbook would be helpful. In our consultant's company, we usually share these runbooks with new consultants who join and who will deploy it into a new client's location. 

These come in handy. Otherwise, it can be a little tricky, especially if you are upgrading an existing environment. At that time, it depends upon what sort of data situation is present in the database that you are upgrading. It can become tricky if the consistency checks are not matched or there are some weird data scenarios. Otherwise, it's quite a smooth process.

If it's a standardized deployment, one person is more than enough to handle it. The deployment has two parts. One is the database upgrade, which takes between 30 minutes to two hours. Then, there's the app and web server installation. If it's an upgrade, you can upgrade it in 10 to 15 minutes, but a new installation takes 30 minutes. 

The pricing of One Identity Manager is competitive. Compared to its competitors, One Identity is priced quite brilliantly. ForgeRock and Sailpoint cost about 1.5 times, making One Identity quite economical. 

I rate One Identity Manager nine out of 10. 

We are currently using One Identity Manager for identity management, but not for access management. I have extensive experience with One Identity through previous work with large insurance and utility clients, both of which heavily utilized the platform for identity and governance.

One Identity Manager connects SAP accounts to employee identities under a governance framework. Many companies utilize SAP SuccessFactors for HR and customer management, including onboarding contractors. Since the HR data originates from SAP, seamless integration with the chosen product is crucial for efficient operations.

One Identity Manager delivers the subspecialized workflows and business logic.

In both of my organizations, One Identity Manager was not the primary interface for users. ServiceNow typically served as the front-end portal, while One Identity Manager functioned as the backend engine to fulfill requests. Consequently, primarily managers and administrators interacted with One Identity Manager for testing purposes, and their satisfaction with it was generally positive. Our current organization uses a request-based portal. In contrast, my previous organization employed six versions of One Identity Manager, which has since evolved to nine, indicating significant progress. While earlier versions required extensive customization, the current iteration is more functional.

Our SAP Security team manages several internal roles, each requiring specific access controls. To determine user access based on their position or SAP role, we need a mapping system, which is why we implemented business roles. We also utilize business roles for user onboarding lifecycle management. However, some applications remain disconnected and reliant on AD groups, necessitating additional rules for access control. The functionality of the business role is crucial for effectively managing these access requirements.

We use One Identity Manager to extend governance to cloud applications like ServiceNow. This is achieved through Starling Connect, a One Identity product that allows us to deploy connectors. While we can use generic connectors and APIs for connectivity, Starling offers pre-built connectors for specific platforms, such as SuccessFactors and ServiceNow, simplifying the onboarding process for these cloud applications. We leverage this capability to streamline our governance efforts.

Some of the benefits we have seen from One Identity Manager include its ability to streamline user lifecycle management and the use of attestation for verification. Additionally, request-based calls from ServiceNow have been significantly improved, providing a seamless user experience.

One Identity Manager helps minimize governance gaps across test, development, and production servers, particularly for Active Directory and SAP. We've developed attestation policies that enable regular verification of all accesses, effectively bridging these gaps.

Creating and managing admin accounts, including managing inactive users and potentially disabling their access, has significantly reduced the AD team's operational workload. Similarly, onboarding applications onto the SAP system has streamlined operations and minimized administrative effort.

One Identity Manager's structure is much cheaper than any other product in the market.

One Identity Manager helps streamline application access decisions, compliance, and auditing.

One Identity Manager helps application owners or line-of-business Managers make application governance decisions without IT. Many reports can be used daily, weekly, and quarterly to manage and validate user access.

Being able to manage access without the need for IT has helped reduce the workload of the Operations team.

The SAP integration is One Identity Manager's most valuable feature. It offers a strong, out-of-the-box integration that is easy to implement, a significant advantage over many other products that often lack this integration component.

While we are not currently using privileged accounts, data governance is a concern. Reports and customization are expensive, and the user interface reflects this complexity. We've encountered issues with the cumbersome user interface and slow performance. Unlike products like SailPoint, we have limited control over customizing performance and the user interface. The tools provided for UI customization are not user-friendly.

The UI customization is tricky. The web interface product that One Identity Manager offers is a bit tricky to use, and no extensive documentation is available on how to do the customization.

Their support is inadequate. Raising a query often results in days-long waits for responses. Even when tickets are acknowledged, cases progress slowly toward resolution. Overall, the product lacks sufficient support.

While generic connectors exist, some specialized connectors require additional capabilities. Simplifying the connector process would be a valuable improvement.

I have been using One Identity Manager for five years.

One Identity Manager remains stable as long as the environment doesn't change.

One Identity Manager is scalable by increasing the capacity of the servers. 

The technical support response time is lacking. It can take days to hear back from them.

Neutral

I've worked with IBM Tivoli, SailPoint, and RSA Aveksa.

The optimal identity manager depends entirely on a company's specific requirements. If a company primarily utilizes SAP and Active Directory, One Identity is suitable and easy to implement. However, for extensive customization, a product like IBM or SailPoint might be preferable due to their flexibility and ability to create a completely custom user interface. These platforms also excel in complex workflows, such as those found in banking, and offer robust CI/CD integration through Java scripting. In contrast, One Identity's change label system falls short of modern development practices, making it less appealing for organizations that prioritize agile methodologies.

The initial deployment is straightforward.

One Identity Manager requires a primary database to store all information. A secondary, optional history database can be used for archiving data to manage database size. We can combine the web server and job server functions on a single server, or use separate servers for each.

Provided all necessary requirements are met, a deployment can be completed within two days. While one person suffices for moderate deployments, larger or more complex projects necessitate a team of two or three individuals.

We have seen a return on investment.

One Identity Manager's pricing is reasonable.

I would rate One Identity Manager seven out of ten.

When we upgrade to the latest version, it includes three years of support.

We currently have 4,000 users and 20 applications that utilize One Identity Manager. We also have one team that manages it.

One Identity Manager is a suitable choice for simple implementations, but if your customizations are extensive, consider other solutions. Additionally, if your environment is not heavily reliant on SAP or Active Directory, or if you have Linux-based servers, carefully evaluate the feasibility of implementing One Identity Manager.

I use One Identity Manager for RBAC in my current project. We do provisioning and de-provisioning. After running certification campaigns, it automatically aggregates. I also onboard several applications in One Identity Manager. We also use it for audits, recordings, and activities like entitlements or policies with segregation of duties.

We use out-of-the-box connectors for SAP to automate account provisioning and de-provisioning and ensure the right access based on roles and responsibilities. For access governance, we also handle detecting and resolving conflicts. It reduces administrative overhead related to provisioning, de-provisioning, and role authorizations. When it comes to password synchronization with SAP systems, it ensures a smooth user experience. For disconnected SAP accounts, it helps to align the business processes and data flows. We have centralized dashboards providing a holistic view of identities, roles, and privileged access.

We also have Active Directory, Azure AD, and other enterprise applications. It serves as a single source of truth to ensure roles and privileges align with organizational policies. We can view policies and conflicts and also have custom rules.

It provides centralized administration through a single pane of glass. We can manage users' roles and entitlements, identity lifecycle management, and access review management. We can connect both on-premises and cloud systems, ensuring centralized provisioning. With automation for tasks like provisioning and password resets, we can efficiently manage a large user base in complex organization structures.

The analytics provide real-time insights into access, policy violations, and system health. We can also identify potential risks or inefficiencies.

One Identity Manager provides pre-built connectors, requiring minimal effort for standard user cases and workflows. All the common attributes are preconfigured. However, for customized and more complex use cases involving dynamic rules or unique compliance requirements, we need to use PowerShell scripts or APIs.

Business roles help map company structures for dynamic application provisioning. There are predefined templates for common business roles. It supports hierarchical roles and dynamic assignments. The drop-and-drag interface simplifies role creation and assignments and policy integrations. For example, when a new employee joins the finance department, the system dynamically assigns the required role containing the required access and privileges.

It has pre-built connectors for popular cloud apps such as Azure AD. It helps with policy enforcement for implementing RBAC and ABAC for governance across cloud and on-premises systems. We can automate access reviews and certifications for cloud applications ensuring ongoing compliance. We can also dynamically assign and revoke access to cloud apps based on the lifecycle events, such as onboarding, promotion, or termination. It supports monitoring user activities within the cloud apps, providing detailed audit logs and reports for compliance. It also helps with user access requests via self-service portals with automated approval workflows for cloud apps like Salesforce.

It helps with better license management and reduces over-provisioning. We can also track user licenses for cost-saving opportunities, audit reports for compliance, and vendor agreements. We can also create business rules to automatically revoke licenses with a role change. When it comes to the cloud application platform, it synchronizes license date and usage.

Its benefits were seen immediately after the deployment.

One Identity Manager offers identity-centric security, acting as a single source of truth by centralizing identity data for users, devices, and applications. It supports role-based access control and automatically assigns and reworks roles to minimize privileges. 

The solution integrates multi-factor authentication, enforcing stronger measures and requiring identity verification for accessing critical resources. It continuously monitors user behavior in real-time, triggering automated responses, and manages secure access for both on-premises and cloud applications using protocols such as SAML.

Additionally, it facilitates RBAC, provisioning and de-provisioning, certification campaigns, onboarding various applications, audits, and reporting with segregation of duties.

It can have a clearer navigation map of the user interface and user provisioning. The documentation lacks step-by-step details on common tasks like creating roles, running action reviews, and version control. Enhancements could also be made to feedback mechanisms. In development, understanding workflows and integrating ORDM skills with SAP could be improved.

I have been using One Identity Manager for approximately two to three years. I previously worked with an organization in India, where I utilized One Identity Manager. Currently, in my project in the US, I am working in the retail domain, and I am using One Identity Manager here as well.

I have worked a lot with SailPoint, so its deployment was easy for me. The deployment duration varies from project to project.

In terms of maintenance, it sometimes requires updates.

Pricing depends on licensing models, such as per-user licensing and feature-based pricing. Additional models like governance, provisioning, and reporting increase costs. Cloud or on-premises models follow different pricing approaches. On-premises might incur higher costs.

The cost also depends on integration systems like Active Directory, SAP, and custom connector requirements. Scalability influences costs, with larger organizations potentially benefiting from cloud setups. Cloud setups might be more cost-efficient compared to on-premises solutions.

I would rate One Identity Manager a seven out of ten.

We are a system integrator and used One Identity Manager for our client.

One Identity has many built-in features. It's a highly suitable platform for enterprise-level organizations to integrate with existing systems for complete account management and other related functions.

Although someone new to One Identity may initially find it a little difficult, the intuitive interface is easy to navigate for experienced users.

Due to its many built-in features, customizing the solution to meet our customers' specific needs is straightforward. With sufficient knowledge of the platform and tool, we can easily tailor the solution according to our customers' preferences. Simply exploring the available features will help us uncover the possibilities.

Without One Identity Manager, we would need multiple platforms to connect our source and target identity systems. However, One Identity allowed us to consolidate role management, access management, identity management, and other functions into a single platform, significantly streamlining our processes.

One Identity Manager simplifies application governance by streamlining access decisions, ensuring compliance, and facilitating auditing. Previously, users required individual interactions with application teams to gain access. However, with One Identity integrated into multiple applications, users can now submit access requests through a dedicated portal. This initiates an automated workflow that grants access directly through One Identity, significantly reducing users' and administrators' time and effort.

We successfully implemented an identity-centric zero-trust model, but its effectiveness depends on the people and the architecture used to implement the solution. The platform provides the necessary tools, but the success of its application hinges on the users' ability to leverage its features effectively within their specific use cases. If users can successfully implement these features, One Identity proves to be a valuable platform. However, the underlying architecture within the platform and our processes also play a crucial role in overall success.

One Identity Manager provides a wide range of features that enable connection to numerous target systems. It also includes built-in capabilities to automate user onboarding and offboarding processes.

One Identity Manager offers numerous features, including role management. We can create custom bot-specific roles, integrate with external systems, and grant users access upon onboarding within our system. The tool's automation capabilities are particularly valuable. They allow us to schedule tasks for execution at specific times, eliminating the need for manual intervention.

The platform's user experience presents several challenges. Its complex features and numerous tools make it difficult to understand without significant effort. The web portals and documentation are also not user-friendly, hindering knowledge acquisition.

We must create business roles specifically for the platform rather than due to architectural requirements. While this is unnecessary additional work, it is mandated by the platform. We believe utilizing system roles to grant application access would be more efficient. However, the platform necessitates the creation of business roles on top of system roles for access control, which we find challenging.

The documentation I found in their repository is neither interactive nor engaging. They should include simple examples or sample use cases demonstrating how to use the product for specific features.

For most applications, we must configure connections. One Identity Manager lacks a robust built-in connection system or connectors for diverse target systems. This area could be improved. Consequently, for built-in applications, we must define connections ourselves.

We are using an on-demand version for our client and have encountered some database agent issues. Therefore, the number of database agent issues needs to be reduced.

I have been using One Identity Manager for one and a half years.

The stability of One Identity Manager hinges on the project's specific implementation or architecture. We must analyze project requirements to select the appropriate One Identity version; in this case, the on-demand version is necessary due to our high user count. This choice will help maintain platform stability. While One Identity itself is not inherently flawed, its success relies heavily on the architecture team's design.

One Identity Manager's scalability depends on the specific implementation or architecture.

SailPoint is a platform similar to One Identity Manager that we also use, both offering identity management solutions. While One Identity Manager offers more features, making it a strong choice for us given our expertise, it has limitations regarding target system integration and user interface. One Identity should expand its default integration options to include popular systems and enhance the user interface with a more intuitive and visually appealing design to maximize its potential, improving the overall user experience for extended work sessions.

We engaged our One Identity Partner, Quest Global, to provide post-implementation support, and we are pleased with their responsiveness. The issue's priority level determines their response time. High-priority issues receive immediate attention with a scheduled troubleshooting call, while medium-priority issues are addressed within hours. Lower-priority issues will also be resolved promptly. Overall, we are satisfied with their support.

I would rate One Identity Manager eight out of ten.

I participated in a one-week training session provided by the partner, and it was exhausting because we had to listen to the trainer for eight hours each day and then work.

The support that our One Identity partner provides is valuable.

Due to our implemented automation, One Identity Manager requires ongoing maintenance. Constant monitoring is necessary to ensure the workflow operates as intended. This monitoring demands individuals with expertise in the tool to comprehend the process and identify potential issues.

Our One Identity partner helped us implement the customized features that our client required.

We currently have 100,000 users and have connected with around 15 target systems.

I recommend One Identity Manager to others. I suggest the on-demand version for organizations with a high user count.

We use One Identity Manager as our primary solution for identity and access management. We use it for multiple functions including identity lifecycle, access management, provisioning, segregation of duties (SODs), and attestations. It is being used for the core IM functions.

We are a large insurance company based in Germany. We are compliance-driven. We have to fulfill BaFin requirements. BaFin is a governmental body that oversees banks and insurance. They have a big list of requirements that each financial institution needs to fulfill to stay on the market as a bank or as an insurance provider. One Identity Manager helps us to meet those requirements.

We differentiate between two types of accounts, personal and non-personal accounts. Personal accounts are accounts or usernames assigned to people, and then we have non-personal accounts, which are technical or service accounts used by software or machines. One of the BaFin requirements is that we have control of each and every account within the system. The sync editor is able to read each and every account into IAM. It discovers every account if you have given it the right to see everything in the SAP or any other system. The tool fulfills the base needs so that we can traverse every account available in the system and then match it to digital identities there, meaning that we get a linkage between each account and each digital identity that we get from the HR system. So, we do not have orphaned accounts or the ones that we are not able to match. It is up to each customer to utilize this. They can develop their own processes to handle this. They need to have their own processes to connect them, identify them, or report on them. There is not much that the vendor does there. It discovers them, and that is it. I am satisfied with what it offers. It fulfills our needs.

When it comes to core IGA, the functionality that we use is the life cycle of accounts. We use the life cycle of membership of these accounts into SAP roles, the membership of these SAP users, and the membership life cycle of SAP users in the SAP structural profile. These three are what we cover. There are also SAP groups and SAP profiles, but we do not actively manage them. From the access control structures, we use only this subset. That is all that we need. It is currently sufficient for our needs.

We use several objects to represent company structures. We use the department object and the location object, and we also use business roles pretty extensively. We have thousands of business roles in the system. If I traverse the table org, which is the technical name of the table, I will find thousands of entries there.

Compliance and automation are two reasons for implementing an IM solution. Automation helps save money. For compliance, even if we do not like it, we must install such a solution because we have to fulfill law obligations. We work actively on that and have a big team covering it. It will keep us busy over the next few years. The second one is automation. We have automated the whole onboarding process of employees within this company. Instead of having 50 different administrators, we have less than 10 administrators. It saves us money. We definitely save lots of effort for administrators of different systems. We save people and resources by automating and not having several dozen administrators for different systems. That saves us lots of money.

Another advantage is that it saves us time. We can onboard the person within a day in our company. As soon as the HR types in a new employee there and pushes it to us, we can provision the employee to all necessary systems roughly within a day. Without such a solution, it will probably take weeks.

It helps streamline application access governance. When you have different applications, such as Active Directory-based ones, SAP-based ones, and cloud-based ones, they all have different GUIs. They all have different approval processes. Once you connect them to a solution like One Identity, you have to order all of their entitlements through the IM WebShop, which is a web interface. There is a very homogeneous look and feel to how you order access to these applications. Otherwise, from the administration point of view as well as from the approval point of view, it is a very heterogeneous experience. Once you integrate applications with One Identity Manager, you get the same experience for your AD-based and SAP-based tools. Other competing products like SailPoint and Verix also provide a uniform experience.

It also helps with application auditing. That is one of the core features of the tool. We use it to audit the access to different applications and impose governance on these applications. The application life cycle is also one of the core features that we use. There is one package called the application onboarding package (AOB). We developed our own mechanism there about 15 years ago, so the tool does offer steps, and we utilize it.

I like the provisioning feature of One Identity Manager. It is very powerful and flexible. It works at a very high level, but it can also be tailored as per needs. They have something called Sync Editor. I personally like that one because I have a developer background. Currently, I have more responsibility within the company for this feature. I am one of the six subject matter experts (SMEs). My area is the reconciliation part. 

Compliance with BaFin requirements is very important for us. If we do not fulfill them, our license can be retracted. If we do not fulfill these requirements, it is not good for the company. We use the identity life cycle. We use provisioning extensively. We use attestations, recertifications, and SODs. We need all these equally to fulfill the BaFin requirements.

In terms of user experience or intuitiveness, it is in the middle. I personally find it good. Based on the complexity, the vendor seems to have done a good job of providing a web shop kind of experience, similar to eBay or Amazon. You order something in the shopping cart and submit it. Another one approves it and it gets provisioned. It is in the middle because I have seen better and more lightweight interfaces. They are now introducing the Angular portal. There is a new design. It is better, but certain things are still a little bit hidden. It is not yet ideal. Things like attestations or segregation of duties are not that intuitive. People take time to learn. We need to train them on what they need to do. When we generate attestations, the guy who needs to attest does not intuitively know what to do. When it comes to SODs, it is even harder. People are unsure what exactly things mean there. We need to train these people. For core processes like ordering entitlements, they know what to do without any training or reading materials from us. For example, you order a group, somebody approves it, and then you get it provisioned. For such simple scenarios, we do not need to support them, but for the other cases, such as attestations and SODs, we need to write articles on the Internet. We need to do training. We need to actively support them and hold their hands.

The biggest complaint we get from the end users is the performance. When they click or submit something in the shopping cart, all the compliance checks for SOD rules are run. Sometimes, it takes two to three minutes for something to be submitted. It is slow. It has a bit of a bad reputation within the company because it is a slow product. That is the biggest drawback in terms of user experience. Performance has been a problem in the last 10 to 15 years. It is sometimes good and sometimes bad. Every now and there, you hear that performance is an issue.

The user interface could be more streamlined. The overlapping functionality among tools like the Sync Editor, Designer, Object Browser, and Manager needs better delineation. Currently, you have Sync Editor for synchronization. You have the Designer for scripts, procedures, and SQL development, and then you have the Object Browser for raw or low-level data adjustment there. You also have the Manager which is a user or operations management tool. These four tools overlap in their functionality. For example, you can administer schedules in Manager, Object Browser, and Designer. I see a little bit of overlapping there. You also have the Transporter that transports the code. If you open the binaries folder for tool installation, you will see 20,30, or even 40 files there. There are so many small tools for different things. They might have grown over time. They should differentiate a little bit between operations, development teams, and test teams. For operations, they have done a good job of centralizing things in the Manager tool, but for developers and testers, there is a little bit of overlap between Designer and Object Browser. There is one other tool called Web Designer. That one will become obsolete soon with Angular. Currently, some things can be customized by the operations teams in prod and some of the things need to come from the developers. The borderline is not very clear. There are gray areas. They might have fixed these things in the Angular portal.

Another thing that I do not like is that they are mixing useful data and code data in the same data model. Other tools such as SailPoint or Verix Identity are stronger in terms of the separation of useful data and code data, although they have worse data models than One Identity. There should be a cleaner separation between the actual usage data and code data.

I have been using One Identity Manager since 2009, although back then it was known as Active Entry. I have been using it actively since 2011.

I would rate it a five out of ten for stability. As with all other products, it has bugs. It is buggy. When a new version comes out, there are issues with it. It then takes them some months or patches to make the version stable. If you take 8.0 or 9.0, those versions are usually buggy. I have spent 15 years with this product. There were always issues after they made some major release. It then gets stabilized. The product is buggy, but they work on it. After six to twelve months, they sort out everything, and then you get a more robust version.

It has its advantages and disadvantages, but it is definitely scalable.

It is a good tool for enterprise-level management. It fulfills its role. In the Gartner Magic Quadrant, this tool has gone from the lower left corner to the upper right corner in the last ten or so years. It is definitely an enterprise-level tool. It is powerful, but it is slow. As soon as the company becomes very big and different scenarios need to be managed, it tends to be slow. Two years ago, there was a conference in Hagen, Germany. The vendor asked everyone about their thoughts about the product. They asked us the good or bad things about the product, and every second customer said that they had performance issues with the product. The product is very powerful. It is an enterprise-level software, but it is slow. As soon as you have a larger number of users or a larger number of systems connected to it or you have heavyweight scenarios, it becomes slow. Of course, it depends on how each customer customizes it and implements the features in it, but every second customer complained about the performance.

We have about 30,000 users. We have only one centralized instance for the whole company. We have four environments, and there are several different teams here. We have testing, development, and operations teams. We also have the requirements scoping team where the SMEs are. It has grown pretty big. In the beginning, there were just two to four of us doing everything, but now there are quite a lot of people. Different departments are doing different aspects of it.

Their technical support is pretty good. We use standard customer support, which allows us to open tickets and receive fixes for bugs. While it is not state-of-the-art, I would rate their service as being in the better half, providing positive support experiences.

Neutral

I have worked with two other competing products. One is SailPoint, and another one is DirX Identity. All of these products have their advantages and disadvantages. There is no perfect product, but I find One Identity Manager to be the most powerful and flexible of the three.

I have a developer and IM architect background. When it comes to customization, One Identity Manager is very powerful and very flexible. It is not very easy, but it is definitely better than DirX Identity or SailPoint. The amount of energy that you need to invest is less compared to the other two products.

We have a separate solution for PAM or privileged account management, and that is CyberArk. I know that One Identity has its own safeguard solution, but I am not sure if that one is used in our company. Another team might be using it but not us. We are a big company. I know that this was one of the solutions that they were evaluating, but in the end, they decided to use CyberArk. 

Back in 2010, we had six months of evaluation. We did evaluate Tivoli and other products. We had a prototype. It took about six months before we went to production. We first started only with Active Directory and SAP, and then we kept growing it with additional target systems and additional features. It is comparable to other products in terms of ease of deployment. It is not simple. All these products are complex. It takes time to understand what they do. As compared to others, there is a middle complexity level to bring it live. Overall, it took about six to nine months.

We have the operations team to maintain it. There are several people in that team.

During the evaluation phase, we considered other solutions like Tivoli.

I would definitely recommend this solution. I have influenced two companies in the direction of adopting it in Germany. They were evaluating this, which takes lots of money and time. One company even booked me and a colleague of mine and asked which one to go for between this solution and SailPoint. I definitely recommend this one.

I would rate One Identity Manager an eight out of ten.

One Identity Manager's primary use is managing employee identities, encompassing the entire lifecycle from onboarding and role changes to offboarding, including lifecycle management, certification, segregation of duties, and identity retirement.

One Identity Manager offers a comprehensive platform for enterprise-level administration and governance of user data and privileged accounts. The platform includes features like Safeguard for securing high-privileged accounts and a unified login for access management. Essentially, it provides a complete suite of identity management, privileged access management, and access management within a single platform.

The user interface provides a comprehensive graphical view of identities and entitlements across various systems, offering a clear and accessible overview of user accounts and permissions. This allows users to quickly and easily view their accounts and entitlements in each system, enhancing the overall user experience.

One Identity Manager is easily customizable to our needs due to its built-in Visual Basic editor, accessible through Visual One. This allows for customization by utilizing their comprehensive API documentation to build or modify functions as required. The integrated editor within the product enables us to readily access and write custom logic, streamlining the customization process.

It utilizes business roles, which are mapped to technical roles and then further mapped to entitlements. This structure streamlines access requests for end-users, as a single business role can encompass multiple technical roles, granting access to multiple systems upon approval. The system also allows for customized approval workflows with multiple levels of authorization. Additionally, a cart feature enables users to select and apply for various business or technical roles, combining them as needed before submitting their request.

One Identity Manager employs a governance framework that utilizes a certification process to verify identities based on client-defined intervals, typically every six to eight months, aligning with their audit requirements. This governance feature is seamlessly integrated into the platform, eliminating the need for separate installations. Furthermore, the system allows for the customization of attestation processes, including certification campaigns, email templates, and recipient lists, providing extensive flexibility. This functionality is crucial for ensuring data security and regulatory compliance within cloud applications, as granting access to unauthorized individuals can lead to severe financial and legal repercussions. By managing access privileges effectively, organizations can mitigate risks and maintain control over sensitive information.

One Identity Manager can help to minimize gaps in governance coverage among tests, dev, and product servers.

It establishes a privileged governance framework, mitigating the security risks associated with highly privileged user accounts. These accounts, if compromised or accessed without authorization, can cause extensive damage to servers and applications, potentially jeopardizing the entire company. By implementing One Identity Manager, organizations can effectively address these vulnerabilities and enhance overall security.

One Identity Manager streamlines application access decisions for compliance, especially in large companies with hundreds of applications. Without a centralized solution like One Identity Manager, managing access and ensuring compliance becomes nearly impossible. This tool provides a single point of reference for application access, offering a complete audit trail of who has access to what, when it was granted, and when it was revoked. This simplifies application management across the enterprise and ensures comprehensive auditing capabilities.

It empowers application owners to align with business managers in making application governance decisions independent of IT, thereby reducing operational costs by around 25 percent. The platform offers various connectors to onboard applications as endpoints, enabling automated provisioning, creation, deletion, and access control for user accounts. This automation minimizes manual intervention, streamlines operations, and ultimately contributes to cost reduction.

One Identity Manager helps achieve an identity-centric Zero Trust model. Without a proper approval process, granting access based on simple email requests compromises the Zero Trust model and introduces significant security risks. The Zero Trust model mitigates these risks by requiring multiple approval levels for any access, emphasizing its importance in maintaining a secure environment.

One Identity Manager is a comprehensive identity management system that encompasses employee identity lifecycle management, certification, and segregation of duties. It ensures high security through multiple approval processes, preventing unauthorized access and enhancing compliance by providing time-based access for privileged accounts with proper audit trails. Additionally, it streamlines application access decisions and extends governance to cloud applications.

The support model has room for improvement, especially when compared to competitors like Omada and SailPoint, which offer a more extensive global presence and support network.

I have been working with One Identity Manager for six months.

One Identity Manager is stable.

One Identity Manager is scalable.

I believe the support model could be better.

Neutral

I worked on platforms like Broadcom and IGA before using One Identity Manager. I did not switch on my own; it depends on what the client uses.

One Identity Manager offers superior reporting capabilities compared to dot com IGA. While dot com IGA requires significant time, financial investment, and server resources to configure reporting, One Identity Manager provides an intuitive and user-friendly interface that allows for easy report generation directly from the GUI. This streamlined approach simplifies the reporting process and enhances efficiency.

The return on investment in compliance is clear because inadequate identity management can result in substantial financial penalties for data breaches.

Investing in One Identity Manager is necessary for regulatory compliance. Although it might not directly bring in business, it prevents issues like tool compliance. The pricing is reasonable compared to other solutions.

I would rate One Identity Manager nine out of ten.

My customer uses their custom HR system. On the backend, data is sent from the NS SQL server to One Identity Manager.

If you want to save on infrastructure costs without extensive customization, opt for the SaaS model. If you require significant customization, consider the on-premise model of One Identity Manager.

We are using One Identity Manager to change our previous old identity access management platform. Currently, the separation of duties is the most important aspect.

It delivers SAP-specialized workflows and business logic. It meets the needs of the most common use cases. It also supports customization for special cases.

Its biggest benefit as well as its biggest problem is that it is highly customizable. Usually, customers do too much customization, and then it is not great performance-wise.

We started to see how to optimize or support audit processes with One Identity Manager about a year ago. It has been helpful there. It saved quite a lot of time.

It did not help us to achieve an identity-centric Zero Trust model, but that is because we need more push from the business or management.

It helps automate processes. Our company uses One Identity as an enabler, which would be nice to change. It helps us save on license costs through effective license management.

It is highly customizable, a feature that influenced our company's decision. We can easily customize it.

I find it user-friendly. Once you have some experience, it demonstrates best practices and guides you on the correct way to use the tool. 

Default connectors work fine, but certain connectors, such as SCIM to SAP Cloud Identity Services connector, have quite a few bugs. They are not so great.

Their support can be better. They can also improve testing of their product before releasing new versions. We have had a few critical issues after upgrading to a newer version, which also caused problems with auditing.

Our company has been using One Identity Manager for around seven years, but I have personally used it for four years. I became its developer four years ago.

We are using it at one location. We have about 30,000 active identities. We have five people working with this solution.

There is room for improvement. For each ticket, they require logs or traces from the system, even when the issue shows no logs. This requires sending the information back and forth, which consumes a lot of time. After submission, they contact the product team, which often takes one or two months to respond.

Neutral

I have not worked with other solutions.

I was not involved when they started implementation, but it was complex. This complexity was not due to the difficulty of implementing One Identity Manager, but rather a lack of business support for our process decisions.

Deploying the One Identity Manager solution itself is easy. The documentation is clear.

You can do customizations. It can be customized, but it is hard to customize correctly without affecting the system.

IPG is our partner. They have helped customize the solution for our needs.

Their support was alright. It is important that the partner advises to follow the standards because customizations can cause issues. It is better to change the process instead of going for customization.

We received very good support from them post-implementation. It is of high level. I would rate our One Identity Partner a ten out of ten in terms of value.

I would recommend One Identity Manager for sure. It is quite easy to use as long as you find a good partner who can facilitate changes in the process rather than customize it for every single case. Many issues arise from the misuse of the system due to extensive customizations. If used correctly, there would be fewer issues, and it would be a fast, quick system.

It can be a bit complex to learn for new users when there is a lot of customization.

It has a lot of potential. We try to use it as much as possible, but we are not using it to its full potential. The problem is business support. 

Overall, I would rate One Identity Manager an eight out of ten.

We use One Identity Manager for access management and provisioning, as well as onboarding target system applications. It focuses on identity management and providing access. 

We use different tools like Web Designer and Synchronization Editor, and we do implementation, customization, and configuration based on our requirements.

I can see many benefits, including granting the right access to the right people at the right time. It helps with enhancing security, validating identity types, and assigning initial rights based on the defined processes. Users follow request workflows inside the system to access, which is validated for correctness.

We use One Identity Manager to manage SAP target system applications. We generally use the SAP connector. We create the SAP onboarding project in Synchronization Editor. It is like a bridge between One Identity Manager and the target SAP system applications. It is able to meet our requirements.

It has had a Windows-based UI, and they are also moving to a web-based portal. One Identity Manager helps manage identities and accounts, and we can also see the pictorial representation of the identities there.

We do a lot of customization. It supports customization based on our needs. However, when it comes to Web Designer, customization can be a bit challenging.

We have onboarded 30 to 40 applications, including SuccessFactors, ServiceNow,. We are about to complete SuccessFactors' integration with One Identity. Previously, we used to get the identities in the form of a CSV file where the data was inserted inside One Identity to create the identities of new joiners and do the onboarding. It is now connected to the SuccessFactors application. It is also integrated with ServiceNow. If any incidents get raised, they can be routed to the respective operations or engineering teams for resolution.

One Identity Manager helps minimize gaps in governance coverage among test, dev, and production servers.

One Identity Manager helps streamline application access decisions, application compliance, and application auditing. We have dedicated teams focused on compliance and auditing.

One Identity Manager has helped us achieve an identity-centric Zero Trust model.

In One Identity Manager, I appreciate the Synchronization Editor for onboarding different target system applications. We have various connectors that allow customization. For instance, the Windows PowerShell connectors can connect to different services such as RESTful services, SOAP services, and Windows services. I like how data flows from the target system applications to One Identity. We explore technical aspects, write functions in PowerShell, and connect with APIs. 

Another interesting feature is attestation, where we review and re-attest existing employees' rights. We create attestation policies, workflows, and schedules.

A major area for improvement is Web Designer. If One Identity Manager advances this, it will greatly benefit all customers. Web Designer is based on legacy Microsoft technologies like ASP.NET and HTML. I believe future improvements will resolve performance issues.

I have been using One Identity Manager for the last six years.

It is stable but need more improvements.

It is scalable. I would rate it an eight out of ten for scalability.

We use their regular support. Could be rate 7 or 8 out of ten.

Positive

We do not handle the initial setup, but from what I have heard, it is not complex.

In terms of maintenance, mostly it requires monitoring and health checks to ensure everything in the infrastructure is working properly.

I would definitely recommend One Identity Manager. It offers many opportunities for technical learning, implementation, and customization. One Identity Manager is a good solution for identity and access management, provisioning, and other IAM aspects. 

I would rate it an eight out of ten.