One Identity Manager Reviews

One Identity Manager simplifies user operations and provides security features, including automatic blocking of inactive accounts and timely access revocation.

My user experience with One Identity Manager involves using Identity Access Management to provide security, compliance, and visibility. We have implemented RBAC, where we define roles and responsibilities based on job functions or permissions. We have SoD (segregation of duties), ensuring that no single user has permissions that could lead to conflicts or fraud. The benefits include reduced security risks, lower costs with SSO solutions, enhanced user experience compared to other solutions, and improved compliance with regulations.

Customization for One Identity Manager is based on client inputs. We can detail and break down the inputs for customization, including user interface customization, where we include manager and launch pad features. For example, we implemented the Genesys application for the service desk, where we can monitor daily calls, frequency, and agent performance. This implementation helps showcase to customers our multiple checks and background processes internally. We provide recording sessions to users for review and daily improvement. Configuration parameters come under several aspects based on system behavior. One Identity Manager provides default parameters for particular solutions, allowing an overview of the tool.

In my experience, the best features in One Identity Manager are under SSO (single sign-on), where we can save passwords and don't need to authenticate each time when accessing applications. This extends to the creation of privileged IDs and account creation in AD. 

Perhaps support could be improved. The knowledge base articles and wiki resources we currently use may not be applicable in every situation, as they often depend on the specific inputs or problems presented by users.

I have been using One Identity Manager for six years.

It is stable. 

We provide solutions for enhancing access governance with One Identity Manager, including identity verification and improving system security procedures. This includes designing and implementing IAM solutions for legacy systems, cloud migrations, and multifactor authentications. We implement MFA solutions for applications with larger audiences. We manage roles and responsibilities in IAM technology and conduct risk assessments to identify potential vulnerabilities. The identity verification process comes as an automatic solution, streamlining user onboarding and offboarding in the organization.

Our clients are enterprises. We have more than 50 specialists.

We use their regular support. I would rate their support an eight out of ten.

Positive

For identity access management, we have used multiple tools. When I was working on a banking project, we used a right modeling tool and Sphere and AD to create users in AD and Nsphere, which is an internal tool of a particular project. Whatever we handle in AD and the right modeling tool reflects in Nsphere, which serves as a portal where all users are displayed, and we can see which level of access is required for a particular application. Being in the banking sector, we have an N-3 approval format. Based on approvals, such as line manager approval, we make changes accordingly. We worked with privileged IDs where particular users want different sets of privileges for their accounts. For example, with my particular account in the banking sector, I can give third-party users access to my entire bank for read, write, and edit capabilities. For some users, I can give only read access, allowing me to segregate the privileged IDs and privileges for users who can access my application or banking portal.

In another project for insurance, we used applications in SAML and OIDC. For OIDC applications, we asked the end user to provide the client ID and based on that, we shared the configuration directly to their email IDs. They could copy-paste the same configuration to make the portal easily accessible. With SSO and One Identity Manager implementing that configuration for OIDC applications, they can easily access their portal without multiple authentications. Through single sign-on, users can sign in once and access the portal without passwords.

From my knowledge, One Identity Manager makes customer operations easier compared to other solutions. When customers have different applications or solutions but want to migrate to One Identity Manager, it's because of enhanced security and the convenience of the SSO process.

The setup is somewhat tricky because providing on-premises ID access requires following specific justifications and naming conventions, with different sets of servers to be added for users. We must be conscious while providing access to servers. For instance, if a user requests access to 10 servers, we need to evaluate whether they truly need all server access and can segregate permissions for cost and security reasons after consulting with line managers.

The cost is handled by customers, but it doesn't seem to be very expensive. It seems fairly priced.

We use One Identity Manager for business roles, implementation capabilities, SSO bypass, and automation deployment with guidelines. The licensing helps consolidate procurement when generating audit reports. We follow basic steps such as end-user satisfaction and improvement in regulatory functions to reduce business risk. We implement changes according to the system lifecycle and role-based access control. 

Privileged users receive separate access, enabling them to access cloud applications. With a privileged ID account, users can access CyberArk, Entra, and Office 365 to manage licenses. One Identity Manager provides good security through SSO and MFA implementations. While there can be dependencies during new configuration creation, we work to provide better user satisfaction and support. 

I would rate One Identity Manager a ten out of ten.

On-premises

We use this solution to enable a lifecycle for all the accounts we have in our Active Directory. One Identity Manager helps us enforce rules and renewal periods. It assists in tracking useless accounts to ensure that we do not retain people's accounts once they leave the company. We are extending the solution, highly customizing it to associate almost every object in our Active Directory with an identity. Every identity has a lifecycle and specific rules enforced by One Identity Manager.

The benefits are significant for us. We had no real central governance before implementing One Identity Manager. Being a large organization operating in 60 countries, it has helped us regain control over Active Directory. By enforcing rules, processes, workflows, and account lifecycles, it aids in cleaning our Active Directory and enforces strong workflows in user management.

One of the best features of One Identity Manager is its high level of customization. Since deployment, the solution has been tailored extensively to fit our specific needs. Its out-of-the-box capabilities are commendable, allowing for evolution and integration within an on-premise environment. For us, being able to customize the product to our requirements has been incredibly valuable, turning it almost into an in-house solution.

The new portal is in a specific technology that is more difficult to program. While it is a specific decision, the customization will become harder. A real SaaS solution could be provided rather than an on-premise product deployed on One Identity Cloud. Although we are not the target for this kind of improvement, a pure web-based SaaS solution could be beneficial for smaller companies.

The solution started deployment in 2018. My personal experience as a Functional Analyst with the solution is approximately two and a half years.

I was not part of the company during the initial deployment. However, it was relatively easy because it came out of the box. Upgrading is more challenging due to the extensive customizations we have, but this difficulty is more related to our use of the solution rather than the solution itself.

We have not experienced many issues with the tool itself. The problems we face are more related to our database consumption due to the high number of users. In terms of stability, I would rate it highly.

We have not needed to increase scalability much, and One Identity Manager supports a large number of users effectively. I would rate its scalability as strong since we have not experienced any significant challenges.

The technical support could be improved, particularly for architects with advanced knowledge. I have heard that the forums, moderated by One Identity experts, are helpful. Although sometimes support can take time, we have not raised any serious alerts about the quality of support from One Identity.

Neutral

We had no Identity Management solution before One Identity Manager. Compared to our previous situation, the solution provides significant benefits in terms of automation.

The initial setup was straightforward as the solution came out of the box.

We are working with a consulting company that provides specific support and resources for us, but they are not direct partners of One Identity.

One Identity Manager saved us approximately thirty to forty percent in terms of time, money, and resources compared to our pre-deployment setup. It significantly improved our control and management efficiency.

We have a global ELA, which means we do not have licensing issues. The price is correct and the relationship with the sales team is excellent. They are open to discussions whenever savings are needed.

I have no other experience besides Okta. Okta is more of an out-of-the-box solution with less customization opportunity, while One Identity Manager is a full product.

I would recommend One Identity Manager due to its customization capabilities. It allows you to adapt the solution to your specific needs. However, for smaller companies without high-level expertise, a pure SaaS solution may be less intimidating. I would rate One Identity Manager at a seven out of ten overall.

On-premises

We are currently using One Identity Manager for identity management, but not for access management. I have extensive experience with One Identity through previous work with large insurance and utility clients, both of which heavily utilized the platform for identity and governance.

One Identity Manager connects SAP accounts to employee identities under a governance framework. Many companies utilize SAP SuccessFactors for HR and customer management, including onboarding contractors. Since the HR data originates from SAP, seamless integration with the chosen product is crucial for efficient operations.

One Identity Manager delivers the subspecialized workflows and business logic.

In both of my organizations, One Identity Manager was not the primary interface for users. ServiceNow typically served as the front-end portal, while One Identity Manager functioned as the backend engine to fulfill requests. Consequently, primarily managers and administrators interacted with One Identity Manager for testing purposes, and their satisfaction with it was generally positive. Our current organization uses a request-based portal. In contrast, my previous organization employed six versions of One Identity Manager, which has since evolved to nine, indicating significant progress. While earlier versions required extensive customization, the current iteration is more functional.

Our SAP Security team manages several internal roles, each requiring specific access controls. To determine user access based on their position or SAP role, we need a mapping system, which is why we implemented business roles. We also utilize business roles for user onboarding lifecycle management. However, some applications remain disconnected and reliant on AD groups, necessitating additional rules for access control. The functionality of the business role is crucial for effectively managing these access requirements.

We use One Identity Manager to extend governance to cloud applications like ServiceNow. This is achieved through Starling Connect, a One Identity product that allows us to deploy connectors. While we can use generic connectors and APIs for connectivity, Starling offers pre-built connectors for specific platforms, such as SuccessFactors and ServiceNow, simplifying the onboarding process for these cloud applications. We leverage this capability to streamline our governance efforts.

Some of the benefits we have seen from One Identity Manager include its ability to streamline user lifecycle management and the use of attestation for verification. Additionally, request-based calls from ServiceNow have been significantly improved, providing a seamless user experience.

One Identity Manager helps minimize governance gaps across test, development, and production servers, particularly for Active Directory and SAP. We've developed attestation policies that enable regular verification of all accesses, effectively bridging these gaps.

Creating and managing admin accounts, including managing inactive users and potentially disabling their access, has significantly reduced the AD team's operational workload. Similarly, onboarding applications onto the SAP system has streamlined operations and minimized administrative effort.

One Identity Manager's structure is much cheaper than any other product in the market.

One Identity Manager helps streamline application access decisions, compliance, and auditing.

One Identity Manager helps application owners or line-of-business Managers make application governance decisions without IT. Many reports can be used daily, weekly, and quarterly to manage and validate user access.

Being able to manage access without the need for IT has helped reduce the workload of the Operations team.

The SAP integration is One Identity Manager's most valuable feature. It offers a strong, out-of-the-box integration that is easy to implement, a significant advantage over many other products that often lack this integration component.

While we are not currently using privileged accounts, data governance is a concern. Reports and customization are expensive, and the user interface reflects this complexity. We've encountered issues with the cumbersome user interface and slow performance. Unlike products like SailPoint, we have limited control over customizing performance and the user interface. The tools provided for UI customization are not user-friendly.

The UI customization is tricky. The web interface product that One Identity Manager offers is a bit tricky to use, and no extensive documentation is available on how to do the customization.

Their support is inadequate. Raising a query often results in days-long waits for responses. Even when tickets are acknowledged, cases progress slowly toward resolution. Overall, the product lacks sufficient support.

While generic connectors exist, some specialized connectors require additional capabilities. Simplifying the connector process would be a valuable improvement.

I have been using One Identity Manager for five years.

One Identity Manager remains stable as long as the environment doesn't change.

One Identity Manager is scalable by increasing the capacity of the servers. 

The technical support response time is lacking. It can take days to hear back from them.

Neutral

I've worked with IBM Tivoli, SailPoint, and RSA Aveksa.

The optimal identity manager depends entirely on a company's specific requirements. If a company primarily utilizes SAP and Active Directory, One Identity is suitable and easy to implement. However, for extensive customization, a product like IBM or SailPoint might be preferable due to their flexibility and ability to create a completely custom user interface. These platforms also excel in complex workflows, such as those found in banking, and offer robust CI/CD integration through Java scripting. In contrast, One Identity's change label system falls short of modern development practices, making it less appealing for organizations that prioritize agile methodologies.

The initial deployment is straightforward.

One Identity Manager requires a primary database to store all information. A secondary, optional history database can be used for archiving data to manage database size. We can combine the web server and job server functions on a single server, or use separate servers for each.

Provided all necessary requirements are met, a deployment can be completed within two days. While one person suffices for moderate deployments, larger or more complex projects necessitate a team of two or three individuals.

We have seen a return on investment.

One Identity Manager's pricing is reasonable.

I would rate One Identity Manager seven out of ten.

When we upgrade to the latest version, it includes three years of support.

We currently have 4,000 users and 20 applications that utilize One Identity Manager. We also have one team that manages it.

One Identity Manager is a suitable choice for simple implementations, but if your customizations are extensive, consider other solutions. Additionally, if your environment is not heavily reliant on SAP or Active Directory, or if you have Linux-based servers, carefully evaluate the feasibility of implementing One Identity Manager.

On-premises

I use One Identity Manager for RBAC in my current project. We do provisioning and de-provisioning. After running certification campaigns, it automatically aggregates. I also onboard several applications in One Identity Manager. We also use it for audits, recordings, and activities like entitlements or policies with segregation of duties.

We use out-of-the-box connectors for SAP to automate account provisioning and de-provisioning and ensure the right access based on roles and responsibilities. For access governance, we also handle detecting and resolving conflicts. It reduces administrative overhead related to provisioning, de-provisioning, and role authorizations. When it comes to password synchronization with SAP systems, it ensures a smooth user experience. For disconnected SAP accounts, it helps to align the business processes and data flows. We have centralized dashboards providing a holistic view of identities, roles, and privileged access.

We also have Active Directory, Azure AD, and other enterprise applications. It serves as a single source of truth to ensure roles and privileges align with organizational policies. We can view policies and conflicts and also have custom rules.

It provides centralized administration through a single pane of glass. We can manage users' roles and entitlements, identity lifecycle management, and access review management. We can connect both on-premises and cloud systems, ensuring centralized provisioning. With automation for tasks like provisioning and password resets, we can efficiently manage a large user base in complex organization structures.

The analytics provide real-time insights into access, policy violations, and system health. We can also identify potential risks or inefficiencies.

One Identity Manager provides pre-built connectors, requiring minimal effort for standard user cases and workflows. All the common attributes are preconfigured. However, for customized and more complex use cases involving dynamic rules or unique compliance requirements, we need to use PowerShell scripts or APIs.

Business roles help map company structures for dynamic application provisioning. There are predefined templates for common business roles. It supports hierarchical roles and dynamic assignments. The drop-and-drag interface simplifies role creation and assignments and policy integrations. For example, when a new employee joins the finance department, the system dynamically assigns the required role containing the required access and privileges.

It has pre-built connectors for popular cloud apps such as Azure AD. It helps with policy enforcement for implementing RBAC and ABAC for governance across cloud and on-premises systems. We can automate access reviews and certifications for cloud applications ensuring ongoing compliance. We can also dynamically assign and revoke access to cloud apps based on the lifecycle events, such as onboarding, promotion, or termination. It supports monitoring user activities within the cloud apps, providing detailed audit logs and reports for compliance. It also helps with user access requests via self-service portals with automated approval workflows for cloud apps like Salesforce.

It helps with better license management and reduces over-provisioning. We can also track user licenses for cost-saving opportunities, audit reports for compliance, and vendor agreements. We can also create business rules to automatically revoke licenses with a role change. When it comes to the cloud application platform, it synchronizes license date and usage.

Its benefits were seen immediately after the deployment.

One Identity Manager offers identity-centric security, acting as a single source of truth by centralizing identity data for users, devices, and applications. It supports role-based access control and automatically assigns and reworks roles to minimize privileges. 

The solution integrates multi-factor authentication, enforcing stronger measures and requiring identity verification for accessing critical resources. It continuously monitors user behavior in real-time, triggering automated responses, and manages secure access for both on-premises and cloud applications using protocols such as SAML.

Additionally, it facilitates RBAC, provisioning and de-provisioning, certification campaigns, onboarding various applications, audits, and reporting with segregation of duties.

It can have a clearer navigation map of the user interface and user provisioning. The documentation lacks step-by-step details on common tasks like creating roles, running action reviews, and version control. Enhancements could also be made to feedback mechanisms. In development, understanding workflows and integrating ORDM skills with SAP could be improved.

I have been using One Identity Manager for approximately two to three years. I previously worked with an organization in India, where I utilized One Identity Manager. Currently, in my project in the US, I am working in the retail domain, and I am using One Identity Manager here as well.

I have worked a lot with SailPoint, so its deployment was easy for me. The deployment duration varies from project to project.

In terms of maintenance, it sometimes requires updates.

Pricing depends on licensing models, such as per-user licensing and feature-based pricing. Additional models like governance, provisioning, and reporting increase costs. Cloud or on-premises models follow different pricing approaches. On-premises might incur higher costs.

The cost also depends on integration systems like Active Directory, SAP, and custom connector requirements. Scalability influences costs, with larger organizations potentially benefiting from cloud setups. Cloud setups might be more cost-efficient compared to on-premises solutions.

I would rate One Identity Manager a seven out of ten.

We are a system integrator and used One Identity Manager for our client.

One Identity has many built-in features. It's a highly suitable platform for enterprise-level organizations to integrate with existing systems for complete account management and other related functions.

Although someone new to One Identity may initially find it a little difficult, the intuitive interface is easy to navigate for experienced users.

Due to its many built-in features, customizing the solution to meet our customers' specific needs is straightforward. With sufficient knowledge of the platform and tool, we can easily tailor the solution according to our customers' preferences. Simply exploring the available features will help us uncover the possibilities.

Without One Identity Manager, we would need multiple platforms to connect our source and target identity systems. However, One Identity allowed us to consolidate role management, access management, identity management, and other functions into a single platform, significantly streamlining our processes.

One Identity Manager simplifies application governance by streamlining access decisions, ensuring compliance, and facilitating auditing. Previously, users required individual interactions with application teams to gain access. However, with One Identity integrated into multiple applications, users can now submit access requests through a dedicated portal. This initiates an automated workflow that grants access directly through One Identity, significantly reducing users' and administrators' time and effort.

We successfully implemented an identity-centric zero-trust model, but its effectiveness depends on the people and the architecture used to implement the solution. The platform provides the necessary tools, but the success of its application hinges on the users' ability to leverage its features effectively within their specific use cases. If users can successfully implement these features, One Identity proves to be a valuable platform. However, the underlying architecture within the platform and our processes also play a crucial role in overall success.

One Identity Manager provides a wide range of features that enable connection to numerous target systems. It also includes built-in capabilities to automate user onboarding and offboarding processes.

One Identity Manager offers numerous features, including role management. We can create custom bot-specific roles, integrate with external systems, and grant users access upon onboarding within our system. The tool's automation capabilities are particularly valuable. They allow us to schedule tasks for execution at specific times, eliminating the need for manual intervention.

The platform's user experience presents several challenges. Its complex features and numerous tools make it difficult to understand without significant effort. The web portals and documentation are also not user-friendly, hindering knowledge acquisition.

We must create business roles specifically for the platform rather than due to architectural requirements. While this is unnecessary additional work, it is mandated by the platform. We believe utilizing system roles to grant application access would be more efficient. However, the platform necessitates the creation of business roles on top of system roles for access control, which we find challenging.

The documentation I found in their repository is neither interactive nor engaging. They should include simple examples or sample use cases demonstrating how to use the product for specific features.

For most applications, we must configure connections. One Identity Manager lacks a robust built-in connection system or connectors for diverse target systems. This area could be improved. Consequently, for built-in applications, we must define connections ourselves.

We are using an on-demand version for our client and have encountered some database agent issues. Therefore, the number of database agent issues needs to be reduced.

I have been using One Identity Manager for one and a half years.

The stability of One Identity Manager hinges on the project's specific implementation or architecture. We must analyze project requirements to select the appropriate One Identity version; in this case, the on-demand version is necessary due to our high user count. This choice will help maintain platform stability. While One Identity itself is not inherently flawed, its success relies heavily on the architecture team's design.

One Identity Manager's scalability depends on the specific implementation or architecture.

SailPoint is a platform similar to One Identity Manager that we also use, both offering identity management solutions. While One Identity Manager offers more features, making it a strong choice for us given our expertise, it has limitations regarding target system integration and user interface. One Identity should expand its default integration options to include popular systems and enhance the user interface with a more intuitive and visually appealing design to maximize its potential, improving the overall user experience for extended work sessions.

We engaged our One Identity Partner, Quest Global, to provide post-implementation support, and we are pleased with their responsiveness. The issue's priority level determines their response time. High-priority issues receive immediate attention with a scheduled troubleshooting call, while medium-priority issues are addressed within hours. Lower-priority issues will also be resolved promptly. Overall, we are satisfied with their support.

I would rate One Identity Manager eight out of ten.

I participated in a one-week training session provided by the partner, and it was exhausting because we had to listen to the trainer for eight hours each day and then work.

The support that our One Identity partner provides is valuable.

Due to our implemented automation, One Identity Manager requires ongoing maintenance. Constant monitoring is necessary to ensure the workflow operates as intended. This monitoring demands individuals with expertise in the tool to comprehend the process and identify potential issues.

Our One Identity partner helped us implement the customized features that our client required.

We currently have 100,000 users and have connected with around 15 target systems.

I recommend One Identity Manager to others. I suggest the on-demand version for organizations with a high user count.

Public Cloud

Microsoft Azure

My use case with One Identity Manager is both access management and identity management. The main tasks I perform involve solving issues when users receive roles but cannot access applications. During these situations, I debug within One Identity Manager to find and resolve the issues according to required actions. This is my daily use case.

The best features of One Identity Manager are the synchronization project, the mapping, onboarding using CSV, and the designer tool which allows us to write our own custom workflows. 

Once it's set up, One Identity Manager helps with provisioning and continues to work effectively. When anyone leaves the organization, they can be un-provisioned, and all access is removed instantly.

The UI of One Identity Manager is adequate, but there is room for improvement. They should publish more development documents to help users of One Identity Manager, as there are limited resources available.

I have been using One Identity Manager for one year.

The stability of One Identity Manager is good.

I don't have extensive experience comparing One Identity Manager with other market solutions, but I have heard about SailPoint, which has its own advantages and disadvantages. For large organizations, One Identity Manager is more scalable and secure.

We have 8,000 people.

The technical support for One Identity Manager rates a seven out of ten, which is average. When we raise tickets, they are directed to the respective team for response. We have two support connections from One Identity Manager itself and the partner, allowing direct communication. Issues are typically resolved within 24 hours through the ticket system.

Neutral

While I didn't work with SAP, I worked with Segregation of Duties (SoD) in One Identity Manager. It is flexible, and customization is neither particularly easy nor difficult. There are certain theories and concepts to keep in mind for successful customization.

I use the business roles in One Identity Manager, which is essentially the RBAC (role-based access system), and for the target system, we use the FRIC business role. Though I haven't used One Identity Manager to extend governance to cloud apps yet, I would if given the opportunity.

For production management, we have the packager tool, which allows setup of various environments including development, test, ultra-test, and production. We can export from lower environments and import into production using the packager tool.

I would rate One Identity Manager a nine out of ten.

Public Cloud

Microsoft Azure

I have worked on various European projects where we mainly use this tool as an Identity and Access Management (IAM) solution rather than its Privileged Access Management (PAM) features. Specifically, it serves as a central IAM tool for governance, compliance, and managing access requests across all the companies and projects I've been involved with. Most of these access requests were processed through Microsoft tools. They were onboarding applications and managing access to them via One Identity Manager through the portal it offers.

Every identity management tool has its unique features, and I believe that One Identity Manager performs quite well. From a developer's perspective, its interface provides excellent information. It includes appealing visuals and a user-friendly design, allowing you to clearly see how software accounts correlate or match with an identity. This gives you a comprehensive view of what an identity encompasses. You can establish specific rules to determine if access is fully managed by One Identity, which acts as the authoritative source for system access. Additionally, it offers a range of capabilities and customization options for managing access across various applications. Overall, I think One Identity Manager does a commendable job in this area.

One Identity Manager can be set up to have accounts synced from the SAP system and have them as orphaned in the system. The intended way is to link them to an identity, and when clicking the identity of the employee, you will see underneath the AD accounts, other application accounts, and different SAP accounts. For each SAP system, you can have specific rules. It has this capability out of the box, SOD rules, different roles, and bundles.

When users request access for a SAP system and do not have an account already, an account is created based on specific criteria that can be defined. From an end user point of view, they go to the portal and request access. If they do not have an account, they get one. If they already have an account, the access will be added and provisioned properly. The account will be connected to their identity with all the access in the downstream application in SAP. It requires a good architect to think through all the different cases for the business. Many connectors must be built because some companies use upwards of 200 SAP systems.

One Identity Manager offers governance for cloud apps through its cloud framework. The logic remains similar to on-premise applications: build a connector, import data, create business roles, enable requests, and implement approvals. The governance framework is particularly strong with application approval workflows and recertification processes.

The solution provides technical options to distinguish between different types of accounts per system. For AD, different rules can identify and manage various account types differently. It offers strong reporting capabilities and can detect policy violations.

For application management, One Identity Manager has a built-in risk framework that helps businesses with approvals and recertifications. Full application management without IT involvement requires building custom frameworks.

It helps to streamline application access decisions, application compliance, and application auditing for customers. When auditors come in, they require that access be managed using an IGA tool. It's quite easy to set up; you just need to build a connector to facilitate this access. In addition, a business analyst can identify the business rules needed. You publish the business rules and set up an approval process—usually requiring two approvals if it's related to the application. Once the business rule is published, a user can request access through the portal, and someone will approve it—standard procedure. You can also run certifications and set up different approval processes for employees who need access for one year or for those who are moving (like shifts). Certification can involve various terms, including access reviews or access refusals. It's a straightforward process. It's strong and reliable. I've seen hundreds of applications successfully managed and compliant because of this process, which includes approval requests and access refusals. You simply onboard the application, and you're set—it all becomes remote for you. All the audit trails are available. You can see who approved what, why they approved it, when the access was granted, and when it was revoked, among other details. It truly helps to maintain compliance.

The solution offers some out-of-the-box capability to manage profiles, but I have not worked with other aspects. In the companies where I was working, they were not using this from a SAP point of view.

One of the most significant advantages is its strong security around identity management when compared to other tools; it's quite robust. However, it does come with a high learning curve, making it difficult to implement and operate without a dedicated IAM team. You need people with substantial experience—likely several years—in order to navigate the complexities effectively. It's not something you can easily outsource entirely to a consultancy. In the past couple of years, they released a new version, Version 9, building on the previous version 8.02. This new version introduced a revamped portal where end users can request access. The previous version had a built-in portal that was quite complex to configure. In the new Version 9, they developed a new portal based on Angular, which offers many capabilities. If someone knows how to utilize it and learn its features, they can make API calls to interact with other systems. Some consulting firms are already developing custom frameworks around this to leverage these capabilities. 

This new portal is where end users go to request access. It provides good out-of-the-box functionalities, allowing users to request access to various applications, and managers can approve these requests. In addition to the default functionalities, the use of APIs is enabled through the portal. However, the general market lacks expertise regarding this tool; only a few companies are actively investing in understanding how it works and offering their services based on that knowledge. Many businesses are migrating to this new portal as the older versions are being phased out of support and are eager to learn how to maximize its capabilities.

Overall, One Identity Manager is a robust tool designed for large enterprises and is still an on-premise solution.

One Identity Manager does not offer much in terms of delivering SAP-specialized workflows and business logic. Custom workflows can be built, but it is limited in that regard. Comparing it to SailPoint, One Identity Manager is less advanced around SAP, particularly regarding the flexibility to build custom flows. While customizations are possible through processes in One Identity Manager where you can build PowerShell code or make API calls, this is not the intended way and requires heavy customization that might become unmanageable.

They could offer more out-of-the-box connectors so that custom PowerShell connectors would not need to be built. 

The support could be improved. They could add more AI to help with role mining. The new portal documentation needs improvement as some partners are more advanced in understanding how the Angular portal works than One Identity itself.

I'm not currently working with it. I stopped working with it three to four months ago. Before that, I worked with it for about three years and seven months.

Regarding support, they prioritize resolving escalated issues. However, their response can be slow. Whenever I open a ticket, the reply often includes a request for the specifications of the server I am using. For instance, they frequently ask, “How many gigabytes of RAM are you running on the server?” If I'm not using the maximum recommended specifications, they immediately suggest that there is a problem. They don’t always consider that the issue may not be related to performance at all.

I haven’t had the best experience with them, but I understand that they do eventually respond. However, there have been instances where we had tickets open for months without any resolution. Sometimes, they would either go quiet or eventually respond and help us find a solution. I’ve faced many similar situations across various projects.

At the end of the day, I’m not a customer, so I’m not too concerned about the experience. However, the application owners of One Identity in these companies have expressed dissatisfaction with the responses they received. They wanted more immediate assistance and access to more skilled resources. That's understandable. Overall, I would rate the experience as a six out of ten.

Neutral

It depends on the situation. If you're starting from scratch, in a greenfield scenario, where you have nothing set up and don't have an IGA tool, then you can begin by establishing an Active Directory. You start with the basics: take employee data and import it into One Identity Manager to create Active Directory accounts for each employee. This setup can typically be completed in about three to four months. It’s not overly complicated. However, it’s important to note that most businesses have complex processes that don’t easily translate into the tool. To effectively monitor applications and manage these processes, you really need technical expertise.

For a large enterprise that has the capability to support an on-premise solution and is willing to find reliable partners to assist with this new portal, along with the technical know-how to match the tool's capabilities, it can be a highly effective solution. This tool offers a wide range of features out of the box. However, the biggest challenge is the steep learning curve; it's essential to have experts with many years of experience and strong technical expertise to maximize the tool's potential. This solution is not suitable for small companies or those seeking a quick implementation. It requires a significant investment initially, but it pays off in the long run due to its extensive features compared to other tools.

I don't have information on the costs associated with the tools or the specific deals they offer. However, I do know that it's challenging to find technical expertise, and these professionals often command high salaries.

In addition to purchasing the tool and its licenses, it's important to account for the need for a dedicated team, especially if you're a large enterprise. There are significant costs involved in maintaining the solution and ensuring it operates effectively. Unfortunately, I don't have details on the licensing fees or per-user costs, among other specifics.

My recommendation is that you really need to understand the realm of identity and access management. It's important to consider the alternatives available, and I believe that for some companies, One Identity is the best solution out there. For specific enterprises, it could indeed be the ideal choice, but for others, it may not be suitable. For instance, a small business with fewer than 25,000 employees, which may not prioritize governance and compliance, might find One Identity unnecessary. It really depends on the landscape of the company using the tool—what their requirements are, what applications they have, and what they're aiming to achieve.

One Identity is quite beneficial for finance-related entities that have strict compliance and security needs. However, One Identity should invest more in AI and enhance their documentation on the new portal. This improvement would help customers and developers better understand what they are building.

The business roles functionality is a very standard part of the access model. Typically, you would start with an application. You gather all the users and their entitlements, which include the accesses they have. Then, you need someone, such as a business analyst or consultant, to help identify bundles or groups of this low-level access. Instead of managing each access individually, you can group them together and create a role for each application, or possibly a combination of different applications. This approach greatly simplifies management. A user doesn’t need to know all the low-level accesses required in a system or across different systems. By creating bundles of access with accompanying business rules, it becomes easier to understand. For example, if I am a DevOps member working with AWS, there’s already a pre-defined access bundle for me. My colleague can tell me to request this specific access, which provides everything I need. Alternatively, access can be automatically assigned based on department—whenever someone joins a specific department, they receive all associated accesses. 

Moreover, you can build dynamic rules around these business rules. While technically speaking, in the One Identity Manager, an application role is part of a business role. However, it’s important to note that you can have a business role defined by specific criteria. Anyone who meets this criterion receives the business role, which is beneficial for management. For instance, if you want to grant access to new hires for applications like Teams, all relevant accesses can be bundled into a business role. If someone leaves the company, their status would change to inactive, and they would lose their access. This streamlines the access lifecycle management process.

From an end-user perspective, it simplifies requests for specific applications or accesses per department. Depending on your chosen architecture and access model, this organization is crucial. However, a key requirement is to have a business analyst involved; otherwise, you risk ending up with scattered entitlements and groups that lack clarity regarding their business association. Finally, don't forget to set up an approval process.

From an end-user perspective, with the new Angular portal in version 9 and upwards, it has improved significantly. However, not all companies have migrated because they have custom logic in the old portal that needs to be translated to the new Angular portal. The new portal is better as it is easy to navigate with straightforward navigation bars. Previously, sometimes custom queries behind the portal really slowed down end-user performance, with users reporting waiting 15-20 minutes for a page to load, especially during approvals or attestations. This was particularly frustrating for users needing high-level managerial approvals for various tasks. In the new portal, you can customize tasks to address some of these performance issues, making it a more efficient experience.

Overall, I would rate it a seven out of ten.

On-premises

We use One Identity Manager as our primary solution for identity and access management. We use it for multiple functions including identity lifecycle, access management, provisioning, segregation of duties (SODs), and attestations. It is being used for the core IM functions.

We are a large insurance company based in Germany. We are compliance-driven. We have to fulfill BaFin requirements. BaFin is a governmental body that oversees banks and insurance. They have a big list of requirements that each financial institution needs to fulfill to stay on the market as a bank or as an insurance provider. One Identity Manager helps us to meet those requirements.

We differentiate between two types of accounts, personal and non-personal accounts. Personal accounts are accounts or usernames assigned to people, and then we have non-personal accounts, which are technical or service accounts used by software or machines. One of the BaFin requirements is that we have control of each and every account within the system. The sync editor is able to read each and every account into IAM. It discovers every account if you have given it the right to see everything in the SAP or any other system. The tool fulfills the base needs so that we can traverse every account available in the system and then match it to digital identities there, meaning that we get a linkage between each account and each digital identity that we get from the HR system. So, we do not have orphaned accounts or the ones that we are not able to match. It is up to each customer to utilize this. They can develop their own processes to handle this. They need to have their own processes to connect them, identify them, or report on them. There is not much that the vendor does there. It discovers them, and that is it. I am satisfied with what it offers. It fulfills our needs.

When it comes to core IGA, the functionality that we use is the life cycle of accounts. We use the life cycle of membership of these accounts into SAP roles, the membership of these SAP users, and the membership life cycle of SAP users in the SAP structural profile. These three are what we cover. There are also SAP groups and SAP profiles, but we do not actively manage them. From the access control structures, we use only this subset. That is all that we need. It is currently sufficient for our needs.

We use several objects to represent company structures. We use the department object and the location object, and we also use business roles pretty extensively. We have thousands of business roles in the system. If I traverse the table org, which is the technical name of the table, I will find thousands of entries there.

Compliance and automation are two reasons for implementing an IM solution. Automation helps save money. For compliance, even if we do not like it, we must install such a solution because we have to fulfill law obligations. We work actively on that and have a big team covering it. It will keep us busy over the next few years. The second one is automation. We have automated the whole onboarding process of employees within this company. Instead of having 50 different administrators, we have less than 10 administrators. It saves us money. We definitely save lots of effort for administrators of different systems. We save people and resources by automating and not having several dozen administrators for different systems. That saves us lots of money.

Another advantage is that it saves us time. We can onboard the person within a day in our company. As soon as the HR types in a new employee there and pushes it to us, we can provision the employee to all necessary systems roughly within a day. Without such a solution, it will probably take weeks.

It helps streamline application access governance. When you have different applications, such as Active Directory-based ones, SAP-based ones, and cloud-based ones, they all have different GUIs. They all have different approval processes. Once you connect them to a solution like One Identity, you have to order all of their entitlements through the IM WebShop, which is a web interface. There is a very homogeneous look and feel to how you order access to these applications. Otherwise, from the administration point of view as well as from the approval point of view, it is a very heterogeneous experience. Once you integrate applications with One Identity Manager, you get the same experience for your AD-based and SAP-based tools. Other competing products like SailPoint and Verix also provide a uniform experience.

It also helps with application auditing. That is one of the core features of the tool. We use it to audit the access to different applications and impose governance on these applications. The application life cycle is also one of the core features that we use. There is one package called the application onboarding package (AOB). We developed our own mechanism there about 15 years ago, so the tool does offer steps, and we utilize it.

I like the provisioning feature of One Identity Manager. It is very powerful and flexible. It works at a very high level, but it can also be tailored as per needs. They have something called Sync Editor. I personally like that one because I have a developer background. Currently, I have more responsibility within the company for this feature. I am one of the six subject matter experts (SMEs). My area is the reconciliation part. 

Compliance with BaFin requirements is very important for us. If we do not fulfill them, our license can be retracted. If we do not fulfill these requirements, it is not good for the company. We use the identity life cycle. We use provisioning extensively. We use attestations, recertifications, and SODs. We need all these equally to fulfill the BaFin requirements.

In terms of user experience or intuitiveness, it is in the middle. I personally find it good. Based on the complexity, the vendor seems to have done a good job of providing a web shop kind of experience, similar to eBay or Amazon. You order something in the shopping cart and submit it. Another one approves it and it gets provisioned. It is in the middle because I have seen better and more lightweight interfaces. They are now introducing the Angular portal. There is a new design. It is better, but certain things are still a little bit hidden. It is not yet ideal. Things like attestations or segregation of duties are not that intuitive. People take time to learn. We need to train them on what they need to do. When we generate attestations, the guy who needs to attest does not intuitively know what to do. When it comes to SODs, it is even harder. People are unsure what exactly things mean there. We need to train these people. For core processes like ordering entitlements, they know what to do without any training or reading materials from us. For example, you order a group, somebody approves it, and then you get it provisioned. For such simple scenarios, we do not need to support them, but for the other cases, such as attestations and SODs, we need to write articles on the Internet. We need to do training. We need to actively support them and hold their hands.

The biggest complaint we get from the end users is the performance. When they click or submit something in the shopping cart, all the compliance checks for SOD rules are run. Sometimes, it takes two to three minutes for something to be submitted. It is slow. It has a bit of a bad reputation within the company because it is a slow product. That is the biggest drawback in terms of user experience. Performance has been a problem in the last 10 to 15 years. It is sometimes good and sometimes bad. Every now and there, you hear that performance is an issue.

The user interface could be more streamlined. The overlapping functionality among tools like the Sync Editor, Designer, Object Browser, and Manager needs better delineation. Currently, you have Sync Editor for synchronization. You have the Designer for scripts, procedures, and SQL development, and then you have the Object Browser for raw or low-level data adjustment there. You also have the Manager which is a user or operations management tool. These four tools overlap in their functionality. For example, you can administer schedules in Manager, Object Browser, and Designer. I see a little bit of overlapping there. You also have the Transporter that transports the code. If you open the binaries folder for tool installation, you will see 20,30, or even 40 files there. There are so many small tools for different things. They might have grown over time. They should differentiate a little bit between operations, development teams, and test teams. For operations, they have done a good job of centralizing things in the Manager tool, but for developers and testers, there is a little bit of overlap between Designer and Object Browser. There is one other tool called Web Designer. That one will become obsolete soon with Angular. Currently, some things can be customized by the operations teams in prod and some of the things need to come from the developers. The borderline is not very clear. There are gray areas. They might have fixed these things in the Angular portal.

Another thing that I do not like is that they are mixing useful data and code data in the same data model. Other tools such as SailPoint or Verix Identity are stronger in terms of the separation of useful data and code data, although they have worse data models than One Identity. There should be a cleaner separation between the actual usage data and code data.

I have been using One Identity Manager since 2009, although back then it was known as Active Entry. I have been using it actively since 2011.

I would rate it a five out of ten for stability. As with all other products, it has bugs. It is buggy. When a new version comes out, there are issues with it. It then takes them some months or patches to make the version stable. If you take 8.0 or 9.0, those versions are usually buggy. I have spent 15 years with this product. There were always issues after they made some major release. It then gets stabilized. The product is buggy, but they work on it. After six to twelve months, they sort out everything, and then you get a more robust version.

It has its advantages and disadvantages, but it is definitely scalable.

It is a good tool for enterprise-level management. It fulfills its role. In the Gartner Magic Quadrant, this tool has gone from the lower left corner to the upper right corner in the last ten or so years. It is definitely an enterprise-level tool. It is powerful, but it is slow. As soon as the company becomes very big and different scenarios need to be managed, it tends to be slow. Two years ago, there was a conference in Hagen, Germany. The vendor asked everyone about their thoughts about the product. They asked us the good or bad things about the product, and every second customer said that they had performance issues with the product. The product is very powerful. It is an enterprise-level software, but it is slow. As soon as you have a larger number of users or a larger number of systems connected to it or you have heavyweight scenarios, it becomes slow. Of course, it depends on how each customer customizes it and implements the features in it, but every second customer complained about the performance.

We have about 30,000 users. We have only one centralized instance for the whole company. We have four environments, and there are several different teams here. We have testing, development, and operations teams. We also have the requirements scoping team where the SMEs are. It has grown pretty big. In the beginning, there were just two to four of us doing everything, but now there are quite a lot of people. Different departments are doing different aspects of it.

Their technical support is pretty good. We use standard customer support, which allows us to open tickets and receive fixes for bugs. While it is not state-of-the-art, I would rate their service as being in the better half, providing positive support experiences.

Neutral

I have worked with two other competing products. One is SailPoint, and another one is DirX Identity. All of these products have their advantages and disadvantages. There is no perfect product, but I find One Identity Manager to be the most powerful and flexible of the three.

I have a developer and IM architect background. When it comes to customization, One Identity Manager is very powerful and very flexible. It is not very easy, but it is definitely better than DirX Identity or SailPoint. The amount of energy that you need to invest is less compared to the other two products.

We have a separate solution for PAM or privileged account management, and that is CyberArk. I know that One Identity has its own safeguard solution, but I am not sure if that one is used in our company. Another team might be using it but not us. We are a big company. I know that this was one of the solutions that they were evaluating, but in the end, they decided to use CyberArk. 

Back in 2010, we had six months of evaluation. We did evaluate Tivoli and other products. We had a prototype. It took about six months before we went to production. We first started only with Active Directory and SAP, and then we kept growing it with additional target systems and additional features. It is comparable to other products in terms of ease of deployment. It is not simple. All these products are complex. It takes time to understand what they do. As compared to others, there is a middle complexity level to bring it live. Overall, it took about six to nine months.

We have the operations team to maintain it. There are several people in that team.

During the evaluation phase, we considered other solutions like Tivoli.

I would definitely recommend this solution. I have influenced two companies in the direction of adopting it in Germany. They were evaluating this, which takes lots of money and time. One company even booked me and a colleague of mine and asked which one to go for between this solution and SailPoint. I definitely recommend this one.

I would rate One Identity Manager an eight out of ten.

On-premises