One Identity Manager Reviews

The overall purpose for using this product is for identity management, which is our core requirement.

We adjusted the number of authorizations given to a person. Before, it used to just collect and collect under people. Now, we can adjust and remove authorizations so they don't just stack up. It's reduced the number of authorizations assigned. 

The workflow has improved from request to assignment. We've been able to accelerate the speed significantly. 

I like the workflow engine and the deep integration with SAP products, including SAP authorizations. In the market, there aren't many products that can deliver this feature. The possibility of customizations is a significant aspect that makes this product stand out from others. 

Additionally, the number of connectors they support is commendable. Reducing the number of authorizations given to people on average is beneficial. Previously, individuals had accumulated authorizations as they moved between departments over their careers. 

Now, there's an attestation process when a person moves to a new department, allowing managers to decide on reassigning authorizations. This has led to fewer authorizations being assigned, which is one of its most important benefits. Moreover, the time taken from an authorization request to an assignment has also been accelerated.

One Identity Manager connects SAP accounts to employee identities under governance. We have an HCM connector, and we have built up the complete life cycle of an identity. TThis means when a person leaves the company or has a transition to another department, we also have processes implemented that we take care that they lose the authorization.

The solution provides IGA for difficult-to-manage aspects of SAP, like profiles, rules, etc. We use transaction codes and activities, and so on, on the lowest sub-authorization level for segregation and security checks. We assign roles, composite roles and single roles.

In terms of user experience and intuitiveness, there is always an issue from one product to another. In the beginning, the users may find it a bit complicated. However, they get new functions and a fancier UI. Overal, it provides a good impression.

It's easy to customize. The product has a huge number of possibilities or ways you could go. That said, you need good knowledge of the product. It's complex. This product needs a deep understanding of how the product works and how the implementation needs to be done. You need an external partner with good experience.

We make use of the product's business roles. We try to catch 80% of the authorizations so only 20% of authorization would need to be requested. 

We have connected cloud applications, including SAP cloud systems. These extensions to governance are very important. They need to be integrated. Our aim is to integrate every system where management takes place under one solution. 

One Identity Manager helps minimize gaps in governance coverage among test, dev, and production servers. Now, we can identify when users have no need anymore to have certain authorizations on a special system or special groups. Our user life cycle takes care of this. When they are not in the department anymore, they won't have access. It makes access to special systems more secure. 

It does help with licensing. If two licenses are similar, we can look at the settings and make sure that users are getting more licenses than we need, and when they leave, the license can be removed. It helps save license costs. 

The solution helps with application auditing and compliance as well as access decisions. 

We've been able to achieve an identity-centric zero-trust model. We have other applications around this, however, we are able to give authorizations only to one person and so that no one has more than they need to avoid security risks. People only get authorizations to that which is a user's core functions. 

We have more complex approval processes for normal authorizations. 

The user interface is good, however, there is space for improvement. Specifically, the way information is presented in the system could be refined so that users are not overwhelmed with technical details. They require more business information. We believe there is substantial room for enhancement in this area. 

There is also room for improvement in how we integrate systems. In some instances, we could achieve deeper integration. However, it requires effort, and we must decide if it makes financial sense.

The downside of the product is it is complex and you need an implementation partner to help you develop it. You can't do it on your own. 

I have used the solution for over four years.

We missed functions in SAP, and there was no further development to meet our needs. There was also no future strategy, and they have discontinued the development of this product. This made us decide that this was not the product for the future.

The deployment was easy in some aspects and complex in others.

There is maintenance needed in the form of upgrades and daily maintenance of one to two hours a day. 

Our partner helped with the implementation. It was, at points, a complex migration and implementation, and we are satisfied with the collaboration.

We are in the upper quarter regarding cost, so it's expensive. However, it is definitely a product with the best future perspective. In terms of function and support, it offers a fair price yet remains an expensive product.

We're a medium-sized company with locations across several countries. We have around 50,000 external and internal users.

One Identity Manager was the right decision in comparison to other market products. With other products, we would not have made such a good decision. 

We had a partner that provided training, coaching and implementation assistance. They were more focused on integration and helped with complex customizations and post-implementation support. We don't need as much support anymore. 

Overall, I rate the product an eight out of ten. I'd recommend it to other users. It was the right decision for us to go with this product in the end. 

On-premises

I configured One Identity Manager's Sync Manager tool and connected using that tool. One Identity Manager synced the data from different platforms, after which we arranged access management through access request forms. We defined workflows and policies based on these requests and created reports using Report Editor.

Business roles represent one of the important use cases I worked with. When you have a workflow, there should be approval policies in place. For example, if certain reports or functionalities should only be visible to the HR department, we define business roles and give access to those particular people. This allows us to segregate the duties of different teams and departments, providing particular access to each department.

One Identity Manager was utilized to achieve what was called an identity-centric zero trust model, which was built by an One Identity partner. The concept involves not trusting anyone and validating everyone who comes to the tool. We implemented something around this, although I was not heavily involved in that particular aspect.

Managing business roles and assigning them from business users is what I appreciate most about One Identity Manager. This is a simplified process that we can manage easily in the Manager tool. The primary drawback of One Identity Manager is the customization of the WebGUI.

One Identity Manager provides everything in a single place, which is beneficial. Before One Identity Manager, we used to manage every certification, onboarding, and syncing of data between platforms separately, which was difficult. Having everything in one location gives us a better understanding and allows us to maintain data more effectively. We can maintain entitlements properly, reduce duplicates and redundancy, and have better overall organization.

The primary drawback of One Identity Manager is the customization of the WebGUI. The customization uses web scripts and drag-and-drop for elements and configuring elements, which was somewhat complicated for a few colleagues. They received training initially from One Identity representatives, but found it was not easy to understand. In comparison, I am using SailPoint in my current organization, and it is less customized than One Identity Manager. It is not that easy to define the GUI in One Identity Manager. Apart from GUI customization, the other tools are fine, and configuration and building everything is straightforward.

When we configured all the platforms including ACF2, RACF, and AS/400 initially, we attempted to integrate with Active Directory after HSBC's huge data set was processed. We encountered some issues while doing the Active Directory integration because of the large data volume. Jobs might process for a long time or there could be timeout issues. This was the major concern we saw in the initial stages. As of now, this appears to be resolved. There is not much drawback remaining. One Identity may have enhanced several things.

Overall, I worked on One Identity Manager for over five years now.

In the initial stages, we did not see any issues when working with less data, such as with RACF, AS/400, and similar platforms. However, when we connected with Active Directory, we noticed some lagging issues while syncing data or submitting requests. After fine-tuning and making adjustments to the data, it began working properly.

One Identity Manager is good regarding scalability. It has separate tools for everything, which allows us to scale to whatever extent we need based on requirements. One Identity Manager is a scalable application.

I contacted technical support for One Identity Manager when we had issues with the request center and the access request manager WebGUI. In the initial stages, we experienced some issues with concepts called cart items and separate items. To understand the process and resolve these issues, I worked with customer support.

One Identity Manager's Premier Support was used initially because in the first couple of years, the response was very immediate and they could easily solve issues. After that, the company may have implemented some licensing policies, and we transitioned to using a ticketing tool. Whenever we found issues, we submitted a ticket, and they responded based on the timeline.

I do not remember the specific details that stand out in Premier Support, but the service was very quick. Whenever issues arose, the response was immediate and they solved them quickly. They assigned resources who worked with us, and we were able to resolve issues very quickly. I would rate the support at a nine out of ten. The support was good, though it sometimes took time to resolve issues.

Positive

The initial deployment of One Identity Manager is very straightforward. Syncing data is straightforward as we need to map the columns between the target system and One Identity Manager. However, it is not that easy, as we encountered some difficulties with version mismatches. One Identity provided support that helped us achieve everything. In the initial stages, they supported us for a couple of years, and we were able to achieve all syncing of data and everything with their help. It is an easy process but not without difficulty.

We managed the solution ourselves with One Identity Manager. Initially, during the first couple of years, One Identity Manager provided solution partners. After two years of contract, they departed. From that point forward, we have been building enhancements and maintaining the project ourselves. If we encounter issues, we raise tickets and move forward.

We continue to perform maintenance on One Identity Manager with ongoing enhancements. Since we work for a bank, we continue getting enhancements and maintenance. Some jobs fail in the job editor, so we need to perform maintenance and address whatever issues we encounter.

On-premises

My use case for One Identity Manager is mostly for identity management and application onboarding, including joiner, mover, leaver, and application onboarding through the IT shopping cart and role-based access provisioning and privileged account provisioning, along with all the aspects including recertification.

I use One Identity Manager to help manage SAP, and it has the best SAP connector in place, allowing me to manage their identities through provisioning SAP roles, SAP groups, SAP authorities, and all the systems. It also connects with SAP GRC and performs segregation of duties very efficiently with the SAP application, enabling various types of implementations we can do with SAP.

One Identity Manager is a very robust tool with plenty of out-of-the-box features in the identity and access management space, and it is very easy to customize and fits for very complex platforms. 

For multinational companies or those with various locations managing their identities and applications, it is very easy and very robust in nature. 

It also helps streamline aspects of application governance, including access decisions, compliance, and auditing. 

It has a module called access recertification or attestation for recertification and a robust segregation of duties engine, as a governance platform that collects data and provides a variety of dashboards for management.

One Identity Manager provides IGA for difficult-to-manage aspects of SAP, and I can manage by assigning profiles, roles, and groups. There's also a role-in-role concept where I can assign a role to another role.

One Identity Manager delivers SAP-specialized workflows and business logic. For example, if my SAP solution is integrated with SAP GRC and I want to request a segregation of duties check with GRC before provisioning an SAP role, all those tasks can be done in One Identity Manager.

It is easy to manage and provides a single platform for enterprise-level administration and governance of users' data and privileged accounts, but one must know the product. Learning One Identity Manager takes some time, around four to five months, but once learned, managing applications such as SAP or Active Directory becomes easy.

One Identity Manager helps minimize gaps in governance coverage for test, dev, and production servers, and it provides internal deployment tools that make it straightforward to manage code across different environments.

One Identity Manager could be improved by offering a more low-code experience, as it still requires a fair amount of coding knowledge. Compared to other cloud-based tools, the learning curve is quite steep; it can take six months to a year to master, while similar tools may only require one to two months. Earlier versions also lacked robust web UI enhancements and API support, but recent updates have shown notable progress in these areas.

I have been using One Identity Manager for around 15 years, starting in 2010.

The solution is scalable; I would rate it a seven to eight out of ten. It is suitable for medium-level enterprises, but a user base exceeding one million may require heavier infrastructure.

I would rate One Identity Manager's technical support at around 9.5 out of ten. Compared to my experiences with other tools, their support is exemplary.

Positive

Most of the One Identity implementations are on-premises. They also have a now the popular approach is being in hybrid approach is getting popular now.

One Identity Manager is easy to customize, however, the person customizing it needs basic .NET programming and SQL skills. With these skills, anyone can customize it according to their needs.

During the patches or during the core deployments, it does not require any downtime.

I've looked into SailPoint and Saviynt. One Identity Manager is comparatively faster to deploy than SailPoint, although not as fast as Saviynt since Saviynt has a more low-code approach. 

One Identity Manager is highly customizable and allows for extensive UI and backend modifications, which tools such as Saviynt do not readily support. SailPoint allows for similar customizations on-premise but not on the cloud version.

The solution is identity-centric, and we consider it as identities linked to an account structure for each application, linking all the accounts to the identities. 

I recommend One Identity Manager to other users as the license comparison with the market leader SailPoint is very favorable, and it offers all the functionalities at a lower price. 

For medium-level organizations, One Identity Manager rates as a nine out of ten. For larger organizations facing performance issues, it would rate around an eight out fo ten. On a scale of one to ten, I rate One Identity Manager a nine.

On-premises

Other

I am a consultant for One Identity Manager and implement it for clients. They use it for ordering permissions, attestation of permissions, and reporting on permissions.

Customers use One Identity Manager to manage SAP. SAP integration is very important because clients have critical business processes in SAP systems. Governance of SAP users and permissions is important.

One Identity Manager is a good solution for providing a single platform for enterprise-level administration and governance of users, data, and privileged accounts. You have a view of all the users, permissions, and connected systems, and you can have a whole range of connected systems such as Active Directory, SAP, Entra ID, Exchange Online and others. You can import identities from HR systems or create them manually and join them with their accounts and permission. It gives you a view of the permissions and roles people have in different target systems. You can combine that with roles that are automatically populated through inheritance. You can also combine it with attestation so that you have an approval process for those rights. You can basically check that they are not assigned forever or when not needed.

Customers use One Identity Manager's business roles to assign permissions based on membership in organizational structures, such as departments, locations, job functions. This functionality is very important because you can model your business as a hierarchy and inherit permissions and accounts along with this hierarchy. It is a good solution to assign permissions automatically. For example, if you have different locations for your business, you can model those locations in the business roles and assign people to those roles automatically through HR import. That makes life easy and gives you a graphical view of that structure in One Identity Manager. For people who are not too technical, it makes it easy to understand how permissions are inherited.

It gives an overview of licenses. For example, in One Identity Manager, you can have an overview of Office 365 licenses being used. Apart from that, you can see how many and which accounts are being used, but it is not a license management tool.

Attestations help you determine if someone should have a certain permission or not. You can also have recurring attestation where, for example, a manager can decide if certain permissions are needed for certain people. For compliance, you can implement segregation of duties where you can specify that if you have permission A, the users cannot have permission B.

For auditing, you can see the permissions and the accounts people have, but it is a view from a certain point in time. There might be some gaps or synchronization delays between One Identity Manager and the target system, such as SAP. For auditing or a tracing without any gaps, you need tools that monitor permissions in those systems in real-time, similar to Change Auditor from Quest.

It helps to create a privileged governance stance to close the security gap between privileged users and standard users. You can have different types of identities. You can have a person with a non-privileged identity and also a privileged identity. It helps to separate those, but at the same time, you can see what kind of permissions a person has in total. You have a view of both the non-privileged and privileged identities.

It is very comprehensive. There are a lot of features in the product. The strong points are that you can model your organization in One Identity Manager and create roles. There is a Webshop where end users can order permissions and accounts. These are its strong points.

What is missing is a mobile user interface for the end-users so that they can do simple things on their mobile phones on the go. 

The time it takes to synchronize a large target system is often significant, often taking multiple hours. That is something that could be improved. I am aware that it is often due to the performance of the target systems, but it is a problem in day-to-day operations to have slow synchronization.

I have been using it for 12 years now.

It is stable. I would rate it a nine out of ten for stability.

One Identity Manager has improved in terms of performance and added functionality. There is better stability. They have invested in more modern web interfaces and are moving to the cloud as well. You can run it on prem, in your own private cloud, or you can have a SaaS solution nowadays.

It is scalable. I would rate it an eight out of ten for scalability. I have seen it work well in large environments.

There are different support tiers, some with 24/7 support and a dedicated technical account manager.  

If you have outages or critical production problems, you can count on the manufacturer to help resolve the situation. Minor questions are not always treated as fast as one would wish, but for the critical stuff, you can rely on them.

Positive

Its implementation effort depends on what you want to achieve, but it is not straightforward. You need solid knowledge of One Identity Manager. You also need a good strategy and information about what you want to achieve with One Identity Manager, how you want to connect to your target system, and what kind of processes you want to have in One Identity Manager.

But you can rely on the manufacturer and partners to help you with that.

In terms of maintenance, you have to update it regularly to be in support. Otherwise, after some time, there would not be any support from the manufacturer. Also, the manufacturer is fixing bugs and extending the product, so it makes sense to be current with the software.

As a consultant, I help the in-house team deploy the solution.

It saves an enormous amount of time. If you do not see it as purely an Identity Management tool but as a possibility to automate processes in the company, it provides a huge amount of value. If you use it the right way and think of which processes in terms of Identity Management you can automate, it will save a whole lot of time. 

The time savings depend a bit on what you are automating. For example, if you can automate assigning accounts and permissions by making use of the organizational structure and let managers order permissions through the web shop, you accelerate your business processes and reduce the amount of manual labour involved. 

My clients have been using it for a long time now. They have looked at other products as well, so it seems worth the price.

One Identity Manager is the most complete offering because you have the connection to the target systems and you have inheritance, which is powerful and not something every other vendor has. They have a Webshop with approval processes for ordering accounts and permissions. It is a complete package, and you get all this in one product. In terms of functionality, it is very good compared to other products on the market.

If you are a user, it is not too difficult to get into it. You have to be familiar with the concepts of Identity Management, as well as inheritance of roles and permissions and how to use the tools. It is manageable. If you want to be a developer in Identity Manager, that is a different thing because it takes way longer to get into. For example, the new web portal has an Angular web front. If you have Angular web development skills, you can more or less get straight into it.

One Identity Manager has a certain complexity, and it is not always easy. From an end-user perspective, there is a web interface to request permissions, reset your password, or manage your account in some aspects. However, when you get into the management of One Identity Manager itself, you need some knowledge, and it is not always straightforward. It is complex.

When it comes to customization, the ease depends on what you want to customize. Certain aspects of the product are easy to customize. You do not need programming knowledge, or you can do it with minimal programming knowledge. For some aspects, you need programming expertise in Angular or other programming languages, such as .net. You need to have a good grasp of how the Identity Manager works.

My recommendation is to first determine your needs and then look for a product that addresses them. One Identity Manager is a big product that provides lots of functionality. If you do not need lots of features, you could go for a SaaS solution, maybe also from One Identity.

Set up a strategy and do a proof of concept. Validate some of the requirements to see if it is a good fit and implement One Identity Manager if you are satisfied with the PoC.

Overall, I would rate One Identity Manager a nine out of ten.

On-premises

I work in the operations part with One Identity Manager, specifically with incident management. On a day-to-day basis, I work with the Manager, Object Browser, Job Queue, and Designer and web designer. These are the most commonly used tools. My work involves administrative tasks such as provisioning, de-provisioning, and ILC.

Currently, I use One Identity Manager on demand. I have seen many companies, and even after joining my current company, I can observe calls from different projects where everyone is using One Identity Manager as an IGA solution. I can see it has good demand in the market. However, I could say it is about 50/50 because many people are preferring cloud solutions nowadays.

One Identity Manager handles a very large amount of data, which is one of the good things about the tool. Everything is customizable and easily customizable, which is another strong point. For every configuration, a different tool is available. For example, if I need to set any configurations, I can do it in the Web Designer. I can use Object Browser for SQL-related tasks and mostly for database management.

One Identity Manager has role-based access management. For instance, if I need to work with different applications, I need a specific role. I need to request that role from the application, such as an admin role or any other role. It will be processed in the back end, and I can check everything in the Manager tool as well as Object Browser.

One Identity Manager has business rules such as internal administration, external administration, and security admin. I have seen those kinds of business roles in my project. These are utilized through birthrights. Some roles are assigned during joining itself, while a few business roles are assigned based on a request and are approved by the managers as well as the product owners based on role and demand in the project.

Business rules in One Identity Manager are administrative in nature. One Identity Manager provides users for administration roles, and roles are provided during joining and based on role and demand in the project. Different criteria are available, and based on that, business roles will be provided.

One Identity Manager minimizes gaps through the Manager application, which is part of everything including governance, audits, certifications, and attestations, all available in the same application.

Application-related information is all available in the Manager tool in One Identity Manager. For a specific application, there are different groups or different roles. Everything is audited and has attestations. Attestations occur yearly or twice yearly for compliance purposes with different applications.

As an owner, I receive attestations yearly or twice yearly. For example, if user A has a specific role, I verify whether that role should be with that user. During the request itself, it goes to the product owner at the last approval level. After approval, we have attestations, and that governance part is covered for every role based on product owner approvals.

Privileged users are different from other users in One Identity Manager. Privileged users have specific configurations and are provided with different roles to access only specific applications. Privileged users are not treated as normal users. That part is also covered in One Identity Manager. From my project point of view, I did not see that much privileged user solutions because we have other tools in place to manage privileged access management. However, based on my previous experience, I can speak to this capability.

One Identity Manager is an IGA tool with everything available in the same tool. For example, Identity Lifecycle, attestation, certifications, and role-based access management are all available in one tool. Everything can be customized based on customer requirements. Everything can be managed in the job servers as a separate process, so there is no dependency for different jobs inside the processes. Each job works as a different process. One Identity Manager has a Designer application where I can customize everything based on requirements such as jobs, different application connectors, and different tables. The web application is built in Angular, which is another feature that can be utilized for better user experience.

User experience with One Identity Manager is somewhat difficult compared to cloud SaaS solutions like Saviyent and SailPoint. As an on-premises tool, it is comparatively harder to explore, and lagging sometimes occurs while loading data from the backend. These are the minor drawbacks regarding One Identity Manager user experience. However, I can see there are many improvements, and they have introduced a new version with some improvements, but my project has not implemented it yet.

Comparing One Identity Manager with other tools, the customization is very simple. I have a Web Designer tool where I can connect with different applications, create connectors, create customized processes, or create different tables. Everything is possible in the Designer, and documentation is also available on One Identity Manager's website.

From an improvement point of view, the user experience and UI are somewhat lagging. That is one thing One Identity Manager should improve. Additionally, there are many tools in this space, so I have to check each tool for different purposes, though I am not sure how that could be improved. One Identity Manager runs thousands of jobs daily. Sometimes jobs get stuck and processing is slow, though not every time. One Identity Manager could provide a solution to improve that performance as well.

I believe One Identity Manager should focus on cloud solutions. Everyone is nowadays preferring cloud solutions, so that would be another improvement. Moving some of the things to the cloud would definitely improve the performance of the on-premises solution.

I have worked with NetIQ and Saviyent before One Identity Manager.

I started working with One Identity Manager approximately three months ago.

I do have premier support for One Identity Manager.

With premier support, I can see they are directly connecting with our team and providing tool training from One Identity Manager people. They come to our company and provide trainings based on new requirements. That is a good thing. If a new feature comes up, they provide us approaches to implement in our solutions.

I have previous experience with SQL and database management. I was working with NetIQ, which is also a legacy tool. I wanted to switch to a different tool with a different project. I had SQL knowledge before that. If someone has SQL-related knowledge, it will be very easy to work with One Identity Manager, and there will be many opportunities. Because of the opportunities, I chose One Identity Manager. In NetIQ, there was nothing like SQL. One Identity Manager has IGA, but NetIQ did not have that many opportunities at that time. I also have experience with .NET. One Identity Manager has a VB.NET solution, which was another factor in my decision based on the opportunities available.

I have been involved in a few implementations of One Identity Manager. I can see it is a long process. I have to create a transport, create a package, and build in Jenkins. There are many things involved, and it is not a straightforward process in One Identity Manager. Deployment is definitely a complex thing in One Identity Manager, and it is longer than other tools.

I did not get a chance to work with partners because I am still in the learning phase with One Identity Manager. I am exploring the tools in my project. However, in the future, there are platforms available to connect with One Identity Manager partners, and I will connect for sure.

I did not work on SAP implementations with One Identity Manager.

I have not seen cloud implementations with One Identity Manager in my project. However, we do have plans to implement some cloud solutions in the future. We have Entra ID with our projects, and that is the only cloud solution I have seen so far.

I do not have knowledge about zero trust models.

Privileged accounts are not managed in One Identity Manager. I am just creating those accounts, but they are completely managed in a different IM solution. For PAM, there are different applications managing those responsibilities. Currently, I am not working with those privileged users.

Since I am very new to One Identity Manager, I am still on the learning curve and exploring different things. One Identity Manager is a very huge platform with many tools, and the architecture is quite complex.

I give One Identity Manager an overall rating of eight out of ten.

The JML process, which stands for Joiner, Leaver, Mover, is my main use case for One Identity Manager, where we focus on synchronizing between different directories.

In our environment, the synchronization works by having different Active Directories in different countries, and we are reading based on a predefined extension attribute, user, and security groups.

Regarding my main use case, we solve the governance and compliance part.

The best features One Identity Manager offers for us come from the sync projects, which are our way to keep data from different sources in one single place, giving us the possibility to simplify the process and to have a clear overview over the products and data.

One Identity Manager has positively impacted our organization by adding more visibility on what we have, what we need, and what compliance features or compliance requirements we need to fulfill while allowing us to provide audit records on time and in a very useful way.

The main functionality that I expect from One Identity Manager is to include more possibilities to use a custom interface and a more user-friendly interface, as this is one of the major topics. There are a few other things which I think could be easier to implement, and another feature which is really helpful.

These are my main pain points regarding additional improvements that One Identity Manager needs.

Regarding the reporting and analytics features in One Identity Manager, the analytics and reporting part is a place where improvements are really helpful, making it more user-friendly.

The performance and speed of One Identity Manager in my environment show that they consume a lot of resources, so the speed depends on the resources assigned for each component.

We started working with One Identity Manager around nine years ago.

In my experience, One Identity Manager is stable, and it can be easily added back to the system.

The scalability of One Identity Manager is quite good, but the growth can be quite expensive.

One Identity Manager's customer support is satisfactory, as they provide us support every time we open an incident or a ticket.

I previously used an in-house solution, and the reason for switching to One Identity Manager was that the cost for maintaining and implementing new features in the in-house product was over the price for implementing a new product.

My experience with pricing, setup cost, and licensing is that this is something where every company decides in the first phase of the project when they decide to work with One Identity Manager, and it can be improved.

Implementing One Identity Manager in my environment was quite difficult because it requires specialized persons.

I have seen a return on investment with One Identity Manager, as the number of resources required increased, but the main benefit for us came from being compliant with the regulators, where we fulfill a lot of regulations with the product.

My experience with pricing, setup cost, and licensing is that this is something where every company decides in the first phase of the project when they decide to work with One Identity Manager, and it can be improved.

Before choosing One Identity Manager, I evaluated other options, and it was a discussion with ForgeRock, but ultimately, One Identity Manager was chosen.

I find the integration capabilities with other systems or applications work really fine with the standard products.

I find the role-based access control and permissions management in One Identity Manager meet our requirements, as they are standard implementations and are really fine.

I would describe the upgrade and patching process for One Identity Manager as difficult when upgrading from version 6 to version 8, but quite easy from version 8 to version 9; now we are planning to upgrade to version 10.

I find the documentation and training resources for One Identity Manager quite helpful for specialized persons, although I still consider the trainings to be too expensive.

My advice for others looking into using One Identity Manager is to ensure they have the capabilities, resources, and knowledge to do whatever they want before they start.

I really want to have access to more documentation and data regarding One Identity Manager.

I would rate this review a 7 out of 10.

Private Cloud

Other

We use this solution to enable a lifecycle for all the accounts we have in our Active Directory. One Identity Manager helps us enforce rules and renewal periods. It assists in tracking useless accounts to ensure that we do not retain people's accounts once they leave the company. We are extending the solution, highly customizing it to associate almost every object in our Active Directory with an identity. Every identity has a lifecycle and specific rules enforced by One Identity Manager.

The benefits are significant for us. We had no real central governance before implementing One Identity Manager. Being a large organization operating in 60 countries, it has helped us regain control over Active Directory. By enforcing rules, processes, workflows, and account lifecycles, it aids in cleaning our Active Directory and enforces strong workflows in user management.

One of the best features of One Identity Manager is its high level of customization. Since deployment, the solution has been tailored extensively to fit our specific needs. Its out-of-the-box capabilities are commendable, allowing for evolution and integration within an on-premise environment. For us, being able to customize the product to our requirements has been incredibly valuable, turning it almost into an in-house solution.

The new portal is in a specific technology that is more difficult to program. While it is a specific decision, the customization will become harder. A real SaaS solution could be provided rather than an on-premise product deployed on One Identity Cloud. Although we are not the target for this kind of improvement, a pure web-based SaaS solution could be beneficial for smaller companies.

The solution started deployment in 2018. My personal experience as a Functional Analyst with the solution is approximately two and a half years.

I was not part of the company during the initial deployment. However, it was relatively easy because it came out of the box. Upgrading is more challenging due to the extensive customizations we have, but this difficulty is more related to our use of the solution rather than the solution itself.

We have not experienced many issues with the tool itself. The problems we face are more related to our database consumption due to the high number of users. In terms of stability, I would rate it highly.

We have not needed to increase scalability much, and One Identity Manager supports a large number of users effectively. I would rate its scalability as strong since we have not experienced any significant challenges.

The technical support could be improved, particularly for architects with advanced knowledge. I have heard that the forums, moderated by One Identity experts, are helpful. Although sometimes support can take time, we have not raised any serious alerts about the quality of support from One Identity.

Neutral

We had no Identity Management solution before One Identity Manager. Compared to our previous situation, the solution provides significant benefits in terms of automation.

The initial setup was straightforward as the solution came out of the box.

We are working with a consulting company that provides specific support and resources for us, but they are not direct partners of One Identity.

One Identity Manager saved us approximately thirty to forty percent in terms of time, money, and resources compared to our pre-deployment setup. It significantly improved our control and management efficiency.

We have a global ELA, which means we do not have licensing issues. The price is correct and the relationship with the sales team is excellent. They are open to discussions whenever savings are needed.

I have no other experience besides Okta. Okta is more of an out-of-the-box solution with less customization opportunity, while One Identity Manager is a full product.

I would recommend One Identity Manager due to its customization capabilities. It allows you to adapt the solution to your specific needs. However, for smaller companies without high-level expertise, a pure SaaS solution may be less intimidating. I would rate One Identity Manager at a seven out of ten overall.

On-premises

It is mainly an identity governance tool. It is being used to collect, for example, any new employee records or employee records in general from HR systems, such as Oracle, SAP, and Workday, and then push it downstream for systems such as Active Directory, Exchange, etc. This is the main functionality of it. 

The other functionality for it is to have a request platform, such as a web portal, for requests for access, approval, and user-based grants and reviews.

It helps the organization to simplify its control over enterprise access and makes the new joiner's process easier. In a small organization with 40 to 50 users, it is not a big deal. You can have one IT guy who is responsible for creating an email account, Active Directory account, Azure account, etc. It will take him one or two days to do it, but in a big corporation with more than 500 employees in different time zones, doing that is a big challenge. One Identity, and IGA products in general, excel at onboarding and offboarding employees with the linking and synchronization with the HR system. This is what they are best at. They remove the complexity because you have your Active Directory created, updated, and disabled on time, and there is no issue with that.

There is one fabric for identity lifecycle management, and the access is based on that identity lifecycle management. This is applicable to the whole market for identity governance. It is not just One Identity. You have SailPoint, Saviynt, and others. All of them are good in this aspect. They do improve the organization like that.

We can customize it to integrate with any system or application, and we can go deeper in analyzing people's access, creating roles, dynamic roles, and RBAC. They have a very strong RBAC offering, which is a role-based access model offering. If you structure it right, you can do an RBAC with One Identity. I use it for two customers. One is in the Middle East and one is in Europe. I represent the client side, and mostly I see a robust onboarding and offboarding operation with this product. It is very good for both experiences. It is a very structured way of doing things. Movements across the departments and things like that can be handled. It is quite customizable. It is quite good.

When it comes to intuitiveness, the clients using IT Shop people are complaining. I have had a client in the Middle East, and then I have had a client in Europe. They all say that IT Shop is not intuitive. It is the same feedback. One Identity is trying to make it better with Angular, but there is a fifty-fifty split. One aspect is how the vendor has designed the portal and the other aspect is how you structure the request and approval process. We are as guilty as the vendor. The vendor has a bad portal, but most of us also have a bad way of thinking as clients. People are not advised well because the adoption and the usage should be driven by the vendor. Instead of doing that, the vendor is just selling. If you talk to a partner, they might advise you, but if you have the wrong partner, you are in trouble. So, people complain about the intuitiveness of the portal, but they are confused because the process is being showcased in a very bad way.

To customize IT Shop, they had a strange tool called Web Designer. It is one of the seven tools or seven clients they had. It was not easy to find anyone worldwide who knew how to handle it. You can find developers who have One Identity skill set, but only one out of ten of them would know how to handle the designer tool. In case you need to customize, it was a tough journey. That is why One Identity flipped the narrative by saying that they are going with Angular. We need to run Angular, and they have the REST API. I told them that this is a bad approach because they are assuming that clients have Angular developers, but some clients or some small clients do not have Angular developers. Some clients might have Angular developers but they are assigned to all business units. They are asking us to start hiring an Angular developer or rely on a partner, but is their partner certified to do Angular or not? To me, they did this conversion without any proper thinking or from a very narrow perspective.

I do not have complaints about the backend of this tool. Frontend is a major issue. Their roadmap has no consideration for the clients. In the CAB meetings, I have seen how they manage relationships in general. The company mindset is a bit strange. They look at big clients for feedback and opinions, but they do not look at small and medium businesses. They do not care about hearing us, but when it comes to big companies, you see their engineering team circling around them. They have this cultural problem in the company. They are not only selling the products to just a few big companies worldwide. They are selling it to everyone, but there is a lack of inclusiveness. They assume that all the clients have the same technical skill sets to operate this tool, but that is not true. There is an issue with their roadmap and way of thinking. I have also provided this feedback to the head of the company, Mark Logan, during a cab meeting. I told him that they need to fix how they collect feedback and maintain customer relationships.

We use business roles to map company structures for dynamic application provisioning. It is very good for that. It works very well. If you implement it right and you are advised very well, it can be magic. It can make people very happy about the tool in the company, which was the case when I was working in the Middle East for my first employer. If you do it wrong or are not advised well about it, it can lead to disaster, which is the case with my new employer where I have been working for two years. We have reached a point where we have 50 roles with the same entitlements, and people do not know which one is which. It is not the fault of the tool. The lack of advice on how to structure and design it well can lead to issues. It is not a technical issue. From a technical perspective, it is very flexible. It can do whatever you want. Partner implementation is the main issue.

It can help minimize gaps in governance coverage among test, dev, and production servers, but I have not seen it in practice. Some people do it where you can connect One Identity to One Identity Manager with a direct connection. You can have that. That is one option. The second option is something called transport packages, so it has a good change management label and transport package solution. They have a partner called Intragen, which is a Dutch partner, that created a new product called Deployment Manager. That product does the release management process and testing for CI/CD to a very good level and in an automated fashion. You can buy a product like that and hook it up to One Identity. The tool has the framework to handle this. It is okay in that sense. From a change management and release management perspective, the product has principles. It is not lacking there, but it needs modernization for complete CI/CD.

It is very good at helping you streamline application compliance and application auditing if you know how to integrate applications. Most IAM programs or projects focus on users and users in groups, but handling single entitlements or a cluster of entitlements is a different board game. However, I cannot say that it is a One Identity problem. One Identity is customizable, and it is equipped to do that. You can do that. It is an investment issue rather than a One Identity issue.

The best feature of this solution is its flexibility to be customized. It is like a framework. You can customize it very far from its core functionality, and it will still work.

The second best thing about the product is that it is rich in concepts of orchestration and event-driven architecture. It works well if you have a development team. For a team that has developers with VB, .NET, or C# skills, it is a very good product.

Another thing that is good about this product is its stability. In general, it is very stable. It does not go down that easily. It does not crash frequently. Especially since version 7 or 8, accessibility has been a very good factor. These are the main aspects that make it one of the best products.

In terms of providing a single platform for enterprise-level administration and governance of users, data, and privileged accounts, One Identity is not yet there. One Identity recently bought OneLogin. They already had Safeguard and One Identity Manager. They have started integrating these three tools. I am also on the customer advisory board (CAB) of One Identity, so I have more insight into these things. I know that they started to integrate OneLogin and One Identity just recently. OneLogin is their access management tool. They use it for authentication and for SSO. It is a competitor for Entra and Okta, whereas Safeguard is competing with CyberArk, Delinea, and BeyondTrust. One Identity has indeed done good integration between their three products. However, the platform is not unified. You still need three URLs, which is not optimal. They are going there, but it will take them time.

The second thing they are not yet good at is their SaaS offering. They are behind in the market. They started with something in Safeguard, but it is a pretty basic offering. It is still a new baby. They have Safeguard On Demand, but it is just a hosted PAM solution. I did PoC for Safeguard twice. This is how I know this, but I have not used it. As PAM, Safeguard is a good product, but it is not a full-featured PAM like CyberArk or BeyondTrust. They are lacking in that aspect.

The integration between One Identity's products is similar to BMC's integration. I used to work with BMC products such as BMC Remedy ten years ago. I used to be an ITSM or Control-M guy. When BMC integrated its products, the integration was not well done. It was like two different entities trying to integrate with each other rather than one company giving you a fully-fledged platform. The same thing is happening with One Identity Manager at the moment. They are selling it as a unified platform, but in my opinion, it is not yet good. It is also not bad. There are things that I can take from it, but there is no complete picture. The problem nowadays is that vendors are getting into each other's areas. For example, CyberArk used to be just a PAM provider, so people would integrate with it, but now, CyberArk wants to do the identity bit. It has now become a competitor for other vendors, so they will stop integrating with it. SailPoint, at some point, stopped integrating with CyberArk. SailPoint and CyberArk's integration was good. This is what is happening in the market or between vendors. All of them are getting into each other's area. If you happen to buy another product from a competitor, you need to integrate it on your own. There is no integration plug-in concept between them. This is a bit hard for companies that already have a PAM and they want to buy a new IGA, for example, or vice versa.

They are trying to shift towards an Angular-based platform for their web portal or for IT Shop. That has been very long overdue because they did not modernize their web portal for almost three versions. They are doing it, but there is no feature parity till version 9.3, which is the upcoming version. This is a problem. For example, data governance is not included in 9.2 if you want to upgrade, but if you do not upgrade, you lose support. They have these issues with the roadmap in general. They give you options, but they are not always the complete options. To me, it seems that this company is going to suffer in the long run.

Another issue is that for admin requests, we have to configure the tool at least in seven different clients, which is unacceptable. We are in 2024, not in 1981 or 1985. Having seven clients for the same tool, or more, is just unheard of. To me, that is a very old design idea. I am on the newest version 9.2, and I am still doing that. To me, that is a big problem as an admin. 

The relationship with the customers is extremely bad. That is not a technical problem. That is a company problem. They tried to fix that, but it seems they failed. They do not have the personnel. They have a hiring problem. They now rely on partners. They are a type of company where the partner is more of a vendor to you as a client rather than the company itself. If you want to pick any solution by One Identity, you need a very strong partner with you. If you do not, you will struggle with this product's adoption, roadmap, vision, and implementation. We struggle a lot as a client. I have been there. I have seen that. It is not easy with them. One Identity is based in Europe. Our account manager at One Identity resigned in May and till now, just to show how bad they are, we do not know who our new account manager is. We are in August.

Their Starling Connect roadmap or flagship is a failure. We had to withdraw from using it with SuccessFactors, for example. It had a lot of stability issues. Now, my understanding is better, but it caused a bad implementation, so we are not using it. They are not investing a lot in enhancing or extending Starling Connect. They are using Starling Connect as a propagation gateway to SaaS apps so that you have One Identity Manager on-prem talking to Starling Connect which is handling all SaaS apps. However, the roadmap for Starling Connect is not clear. Now that they have bought OneLogin, OneLogin can do that as well as an IAM tool. You can now bring any IAM or CIAM tool such as Entra, Okta, or OneLogin. They can be your propagation gateway. OneLogin and Starling Connect are competing products, and they need to unify them. They cannot have both products doing the same thing. When I discussed this with the head of engineering from their side, they were still defending having Starling Connect. I do not understand why because if you have a proper IAM such as Entra or Okta, that is your propagation gateway. That is it. You can do everything you want with it. You can merge the functionality, and that is it. You do not need Starling Connect. To me, this is confusing. You use a propagation gateway like Starling Connect because it has ready plug-ins to connect to SaaS apps and you do not need to create a custom connector every time. If you look at the number of apps that One Identity supports with Starling Connect, there are not more than 50, which is not a lot. There is a big difference when you compare it to Okta Marketplace or Entra Marketplace. You will immediately understand the difference. OneLogin's marketplace is better than Starling Connect, but OneLogin was not a part of One Identity before, so they had their own marketplace. Overall, the Starling Connect roadmap does not make sense to me.

They need to remove the dependency on VB.NET for backend development and they need to unify the front end. If they are selling it as a unified product, they need to give me a unified UX. This is something I have mentioned to Mark Logan himself. This is how ServiceNow won over Remedy. Having a unified UX and being able to turn on or off a feature is better than trying to connect three or four different products with different contracts. To me, the main thing is that they need to modernize their application. Once we do that, making it SaaS is doable.

I have been using this solution since 2018.

It is very stable. I would rate it a nine out of ten for stability.

I would rate it a six out of ten for scalability.

About 25% of the company uses this solution. If the company has 4,000 people, at least 1,000 people use it. It is quite a well-known product. It is not just a niche one. It is a mainstream product. People use it. We have 30 branches all around the world, and all of them use it. We are hosting it centrally in Switzerland.

I use their regular support because their premium support is useless to me. Their support, in general, is useless most of the time.

Negative

The main thing that makes this solution stand out as compared to others is the ability to customize it, especially when it is on-prem. It is cheap from a licensing perspective. Once you pay, it is very cheap to operate if you have a good development team. It is also extremely stable. At the backend, it is well-designed. However, it lacks AI. When you go SaaS, you can put AI and all of that stuff, but if you are on-prem, you do not have AI.

It is deployed on-prem. Its deployment is complex.

By design, it is well-engineered. The idea is that the database pushes everything, so you need to focus while updating or installing the database. If the database is installed correctly with schemas, it has DLLs. Whenever you install a client, it distributes to the connecting client, so it is designed with this centric approach. However, sometimes, you end up with situations related to encryption, a missing component, or a missing instruction that you did not account for. 

Recently, I upgraded from version 8 to 9, it took 14 hours of work to do an in-place upgrade. It was not a migration. That is too much. We had a team of five people including developers. It was not easy. It took us two months to do the upgrade. It is always like that because you need to do complete testing. A small problem with One Identity is that they remove a functionality but do not tell you about it, so you need to test. If you are giving me this product that can be customized, I will use the methods that you have. If you change how a method behaves and do not tell me, I get into trouble. Only a very strong partner would know about all this. With a small partner, you will have an issue.

It does not require much maintenance or patching. That is not an issue with One Identity. You do not need to restart it once a month. It is very stable. From time to time, you might have some issues that require a restart but not all the time. It is not like some Java applications that require a restart every month.

On-premises, it is cheap. It is way cheaper than others. The cost of the hosted one varies. They do offer a hosted one, and its cost varies, but it is not that expensive. You have a license for employees and a license for support.

The problem is that people try to compare it with an IAM solution such as Okta or Entra, but they are different products. It should not be compared to them. The only ones you can compare it with are SailPoint or Saviynt. In my head, the rest are not even IGA products. SailPoint is much more expensive to operate than One Identity. If you go SaaS, SailPoint is way more expensive, but that is the whole point of SaaS. SaaS is more expensive anyway.

I would recommend this solution only if you have a very strong partner. Otherwise, do not go close to this solution.

We use One Identity Manager to manage SAP, but in our case, we have connected with CUA, so we have one single point of interface with SAP. That helps a little bit to make the management less complex. If we did not have CUA, we would have had to connect individually. CUA is straightforward. We connect to it. We push through CUA, and we sync everything. We have thousands of roles.

It provides IGA to some extent for the difficult-to-manage aspects of SAP. At the moment, with CUA, we do clients, profiles, etc. They recently added something called behavior-driven governance on SAP. We have not used it, but we can basically check if someone is using his account in SAP or not, and then we can do a user-based access review for his access. We can see what he used within SAP, which is good. We can also do combinations where if we have this role, we should not have that role in SAP, which is very good.

One Identity gives you a lot of features, but you need a proper program to drive it. If you do not know how to use it, you will stay at the basic level. Technically, the product is well-capable, but the caveat is that it is a framework product. You need to have a development team. You cannot just do it with a normal admin. You need a development team for this product.

Versions 9.2 and above have something for assisted approval. I have not used it, but from what I have read, you can see who in the same team has the same access. It will tell you whether it is an anomaly or a common request. The same thing is there for user baseline reviews. That is a good thing.

Overall, I would rate this solution a five out of ten.

On-premises