What needs improvement with One Identity Active Roles?

I do not see anything that needs to be changed as of now concerning the organization's needs because it is working very well and it is providing great features with great processes. The initial setup could be simpler because sometimes it feels like it should be more straightforward.

There are no features missing; however, the initial setup could be simpler. Apart from this, everything is smooth.

The initial setup is a bit complex for new engineers, so that could be simplified.

Even though I advocate for One Identity Active Roles, there are areas for improvement, particularly in hybrid integration experiences where it feels a bit clunky compared to its capabilities for on-premises AD management. The user interface feels dated compared to modern SaaS applications, making it less intuitive for non-technical business managers. I would like to see One Identity Active Roles lean more toward an API-first and Identity-as-a-Code approach. The current REST API feels like an afterthought, and my developers want the ability to operate through CI/CD pipelines instead of logging into the GUI.

One Identity Active Roles can be improved by simplifying the setup process since a small team in a small business requires implementation without extensive IT support. Additionally, the pricing could be more flexible or tiered to better fit the budget of a smaller organization.

Integration capabilities are somewhere in the middle; it is not easy to integrate, but it is not the hardest thing out there. Certain automations, possibly web apps, could be improved or simplified to make them easier. These automations are what I think could be improved. I do not use the comprehensive group membership management feature and have not utilized the fine-grained permission control feature deeply. The process of streamlining directory security for on-premises and cloud-based directories is not particularly applicable to my organization.

One Identity Active Roles can be improved by updating the interface as it seems to have been static for quite some time, and I feel there could certainly be improvements made. Similarly, with the automation, I feel an updated user interface would make it slightly easier to use and understand for people who are not necessarily familiar with things such as the Active Directory Users and Computers interface. Modernization is needed for those improvements.

One of the things I would like to see more robust is the change history. One Identity Active Roles can only monitor changes that happen in the console, and the logs don't go back longer than thirty days, maybe sixty days. The change history, when we've seen accounts get modified, we leverage a container domain that funnels accounts into our Active Directory console. I would like to see from an initial user provisioning perspective, for them to isolate the workflow and say that this came in on X date and account was created. If anyone were to modify that account from an external resource, I would like to be able to read that as well. One Identity Active Roles is strictly limited to the console. If someone makes a change, the history of those changes is not as long as I would prefer.

One area where One Identity Active Roles can be improved is by having deeper native connectors with existing and more ITSM and identity tools, which would simplify automation across multiple cloud and customer locations. I would also suggest enhancing the reporting flexibility; while audit reporting is strong, customizable dashboards and visuals could help non-technical stakeholders gain insight faster. Some users find the admin console and workflow designer to be somewhat complex, so making the interface more modern could reduce the learning curve.

If One Identity Active Roles has to be positioned for all customers, not just the entities which are being regulated, then the pricing has to be normalized. There are many solution providers in the market who can do it at a much lesser price. India is a price-sensitive market, and I can speak only for India; I cannot speak for the other part of the world. We have many local vendors who can provide these kinds of solutions. But since One Identity Active Roles is a much more mature product and has been in the market for a very long time, customers have some respect for that and they can pay the premium. But that premium cannot be three times, two times, or beyond three times. So the pricing has to be normalized based on the market. Every market has its own constraints, so the One Identity team should work on that aspect.

The interface appears outdated. Once logged in, everything inside remains unchanged from years ago. Additionally, when they release new features, they should provide training or webinars at least once or twice a year. This would help users stay updated and aware of new features. When I requested a demo session with One Identity, the presenter didn't provide complete details, making it difficult for non-technical managers to understand. The demo should be planned based on the customer's knowledge level. Regarding visibility in the directory ecosystem, while it is very good, there are limitations. When we add numerous domains, it becomes slow. With around 60 domains, attempting to add approximately 30 caused significant performance issues. We had to remove and decrease the number of domains, indicating room for improvement in managing multiple domains from a single interface.

One area for improvement would be the Entra ID side, including better delegation for Entra ID objects and more granular permissions. We would also like to see better Entra ID license management using virtual pool management, given that the current setup is custom-made, and having this feature built-in would be beneficial. The web interface could also be improved, though it's ongoing.

There are areas for improvement in One Identity Active Roles that include updating the web interface, creating an API accessible from the web, and improving overall performance, as it can be slow at times. But all of those are already in the development roadmap.

The user interface needs to be more modern and scalable. There are certain screen resolutions where the product is unusable. In today's environment, where we work with different sizes of monitors and screen resolutions, it is problematic if connecting to a certain monitor renders One Identity Active Roles unusable due to resolution issues. This should not be a concern in modern times, as the interface should automatically scale based on the resolution. This is the most significant drawback of the user interface.

The possibility to request group membership, similar to the past, was disabled and moved to Identity Manager. That would be coming back in six months. Additional documentation about the Angular web interface is also needed.

There is always room to improve the user interface for increased clarity. I believe enhancements to the console are also necessary because it is more confusing than the web interface.

I know they have increased support for Entra ID and mentioned providing support for AWS. A way to connect to various directories and integrate with cloud directories would be beneficial.

Active Roles can fix many little problems that have never been resolved and have lingered for years, continuing to annoy people. For example, you can't search by object GUIDs. The manual says you can, but it hasn't worked in five years.

Active Roles could add more options for web customization. Our requirements are exceedingly specific. We'd like to get the web interface down to just five buttons, but in some cases, we can only get to six. The web interface in the current version is less customizable than in the previous one.

The solution has not enabled us to reduce password reset times. It has not automated provisioning. The group attestation could be improved. It was a feature that was available in version 5. You can configure it, however, it's no longer out of the box. My understanding is that they will put that feature back in again. However, right now, it's a feature that is lacking. The way you can search groups could be better. When a company has a large number of groups it's very difficult to search the groups and assign the different columns.

The Group Family feature is okay, but there are some issues around its use for creating objects automatically, based on HR attributes. Another issue is that it doesn't look like the hybrid connections are particularly mature. We haven't really used it much. We have a couple of guys setting it up who don't really like the way it's working. It uses a synchronization tool to do that. Native integration with the cloud would be better. Also, we're trying to manage Office 365 mailboxes and although it will create a mailbox in the cloud, it won't do shared mailboxes. That means we're having to write custom solutions for that. Another issue we have with the product is that we run a lot of custom tasks. You have to program them to run on one particular host and there's no automatic failover to a second host. If that host is down when a task is supposed to run, it has to wait until the next time it runs when that host is up. Some of their built-in functions will work off of both servers and I don't see why this shouldn't as well. Another similar gripe is that when you run custom Active Roles policies, they'll actually trigger on both hosts, not on one. In that scenario, it would be better if they would trigger on one host, unless it wasn't available. For example, if you're writing to the event log, you have a custom task and it will show up multiple times because it's being processed by multiple front-end hosts.

The solution needs an attestation process that includes certification and recertification attestation. The pricing is high and has room for improvement.

The user and group management in Azure AD could be better. Our focus these days is dynamic sharing with several on-prem Microsoft applications like SharePoint.

We would like to see * extension of change-tracking auditing capabilities, especially in relationship to the virtual attributes * more flexibility with group families * integration with cloud database path solutions * better integration with Azure AD; it integrates, but it could be better. These are all things that our tech team has talked to their tech team about. And they're extremely responsive. In addition, there are some features that we think should be included in their next release. We think these things would take them to the next level: the ability to completely force or limit any dynamic group processing to specific servers, change-tracking reporting of virtual attributes, and the ability to use files as inputs to automation workloads. These things have also been talked about. Knowing One Identity, they're probably working on them.

In terms of improvement, it could be made even more user-friendly for administrators when they need to create new workflows and rulesets. It's a bit difficult. I'm not the technical person that uses it, it's my team, but I heard comments that it is quite difficult for them to get to know the product and set up the tasks that are required.

The overall UI needs a refresh; the web interface requires some modernization. We would also like to have a SaaS version of Active Roles. Rather than implementing it in our data center, it would have been nice having a SaaS-delivered solution. The third area for improvement, which is the weakest portion of ARS, is the workflow engine, which was introduced a few years ago. It's slow and not very intuitive to use, so I would like to see improvement there.

When doing a workflow, we would like a bit better feedback on the screen, as we're trying to get it to work. For example, there is a "Find" function that you need set up in a workflow to do some of the automation. It is not the easiest to get a result from those finds when you're trying to do that. In the MMC, they have a couple different types of workflows. In this particular case, we use their workflow functionality to find all of X within the environment, then if you find it, do X, Y, and Z. You can have multiple steps. When you do that search function within that workflow, it's really hard to find out, "Is my search working?" It would be nice if there was some feedback on the screen so you could see if your search is working properly within the workflow. There are other finds, like when you just simply go look in Active Directory, and say, "Find." I absolutely love that we can export the results from that one. It's only the search function within the workflow that could be a little bit better. In version 7.4.1, they added support for SAML authentication to the web pages and the documentation was quite lacking. The documentation for that, in particular, needs a lot of work. I ended up having to work with support over multiple sessions to try and get that to work properly. This was a newer function for 7.4.1, so I had never used it before in the previous versions. When you downloaded their product, the documentation was the same as they had posted on their website. It was the same in both places. It was very broken up and wasn't complete. It needed to be reworded and flow better so somebody new could follow it a bit better. Because even after following all the solutions, even the tech support said to do it differently than what was in the document before we could get it to work. Therefore, I would definitely like to see some work on the documentation for that area.

The ability to send logs to a SIEM would be very beneficial.

For the AAD management feature, it needs to improve the objects that we can manage and the security. I know that they have everything in road map, so they probably will include everything in a year or a year and a half. I would like them to support a cloud solution. This is important for us. They have it on their roadmap. For now, they only have basic options for cloud-delivered services. We are in the prospect of looking for a customer who wants a cloud-only solution, but will wait for the new features, which will probably be available in one year. The should try to move everything to a web interface. More solutions are trying to use a web interface. They need batch processing, but that is in the road map, and that's okay. They need better language support. While they have a language pack, it's not always available at the same time as the product. Sometimes, when we install it in other countries, they don't have the language pack, then our customers complain about this.

For what we use it for, there are no additional features it would need.

Active Roles allows policies and there are a lot of example policies that come with it. It has Access Templates and there are a lot of Access Template examples in it. It also has workflows and those are really powerful, but there are no built-in workflows. When it comes to them, it's empty. I would personally love for it to come with ten, 15, or 20 workflows where each achieves a certain task but that are not enabled. I could just look at how each is done, clone them, copy them, modify them the way I want them, and be good to go. Right now we have to invent things from scratch.

* Web console – it should have more customization options in terms of look and feel of the landing page * Workflow policies – Additional policies for folder access provisioning * Bring back attestation – Attestation feature is dropped from ARS. This should be brought back