External reviews are not included in the AWS star rating for the product.
My main use case for One Identity Active Roles is delegations and limiting access based on least privilege principles.
A specific example of how I use delegations and least-based access in my environment is that for cases where people only need a password reset, I can grant that capability without granting the ability to unlock accounts, or I can grant the ability to unlock without granting people password reset permissions.
The best features One Identity Active Roles offers are that it can be used across multiple domains and forests.
In our company, we have 85 different domains, and it would be cumbersome to have a separate instance of One Identity Active Roles for each domain. One Identity Active Roles allows us to give people in one domain access through One Identity Active Roles to all these other domains without them needing an account in each of those other domains, even though there does not have to be a trust between those domains.
One Identity Active Roles has positively impacted my organization by helping speed up delegations and helping us find permissions and generate reports more quickly on who has what access where.
One Identity Active Roles takes us less time, probably half the time, to complete delegations that are very granular and complex, compared to having to use native tools and scripts.
One Identity Active Roles can be improved because schemas sometimes differ between domains, and One Identity Active Roles does not behave very well with that inconsistency. We have an open case with Quest on this issue, but so far they do not have a solution for it.
I would also like to request that their support be more detailed, as we are finding difficulties getting to the correct people.
I give it an eight mainly because if we have to undo it for a divestiture, it is very difficult to strip off just the permissions easily because they are done via domain groups. We have to go back and find them all and remove them individually, so there should be an easier way to do that.
I have been using One Identity Active Roles for six years.
One Identity Active Roles can be buggy at times, and we have to restart the server.
One Identity Active Roles can handle growth in my environment, but the downside is that when we have domains that are further away from the server, it takes longer to bring up the console.
I am not really satisfied with the customer support for One Identity Active Roles as the support is pretty limited.
Positive
We do run into challenges with managing upgrades and patches for One Identity Active Roles, but we have a test instance that we try to do it on first.
My advice to others looking into using One Identity Active Roles is to plan out in advance and think about the big picture before you dive in. I give One Identity Active Roles an overall rating of eight out of ten.
One Identity Active Roles is used for delegated access. It helps with RBAC controls and allows us to manipulate across our facilities which OUs in Active Directory they can manage, along with dynamic groups and keeping the ability where folks don't have to use ADUC and they can just use a delegated management overlay tool to not delete groups and not delete OUs and not inappropriately move objects across containers.
Regarding the ease or difficulty of managing on-premises and cloud-based identity directories through a single pane of glass, we leverage One Identity Active Roles from strictly the on-premises space. Being able to leverage it from a delegated access perspective, the console itself is very clean. It looks very similar to Active Directory Users and Computers, which legacy, long-time IT people are used to. So that outline from a UI perspective makes things seamless. People don't even know that One Identity Active Roles is actually a product and not just a built-in native solution for Windows, which is very key for us.
Regarding One Identity Active Roles' ability to provision and de-provision resources in directories such as AD and Azure AD, it is very seamless. From a permission standpoint, it is a right-click de-provision user and having that recycle bin to quickly uncover or recover is very useful. It is very seamless. It is not the best from a change history standpoint as far as quantifying those logs, but it is nice to see that this object was de-provisioned on X day by a user, and it can quickly be restored in the event that was a mistake.
About group membership management in One Identity Active Roles, I have already discussed how you can delegate groups with OUs and naming conventions through the complex IT teams that we have in our organization. From a group membership standpoint, we can manage groups and delegate that access across the organization from our enterprise service level that can do password resets versus our identity engineering team who has full domain admin in the console that can manipulate those access templates and make adjustments accordingly.
The favorite feature of One Identity Active Roles is definitely the granularity and specifics on the access templates. You can dive deep into controls all the way down to manage individual objects, all the way from not just at the OU level, but how granular delegated access is with One Identity Active Roles is definitely the most useful feature to my organization.
One Identity Active Roles absolutely helps reduce identity-based breaches. It is from an identity governance perspective, being able to ensure that folks that are in specific positions have the least privileged access possible. One Identity Active Roles makes that very seamless for our user base. We are a for-profit healthcare conglomerate with thirty states, over fifty community hospitals across that are all in a single pane of glass under our LifePoint Health Active Directory domain. Being able to say that your facility can only manage these objects in this OU and delegating that from their core IT engineering staff versus their help desk versus an application owner makes it all very seamless.
One Identity Active Roles has absolutely helped our organization reduce its number of erroneous privileged accounts. We can quickly evaluate those accounts. You can see the same features within ADUC, but you can quickly isolate those and validate where they are and adjust them however you want.
One of the things I would like to see more robust is the change history. One Identity Active Roles can only monitor changes that happen in the console, and the logs don't go back longer than thirty days, maybe sixty days. The change history, when we've seen accounts get modified, we leverage a container domain that funnels accounts into our Active Directory console. I would like to see from an initial user provisioning perspective, for them to isolate the workflow and say that this came in on X date and account was created. If anyone were to modify that account from an external resource, I would like to be able to read that as well. One Identity Active Roles is strictly limited to the console. If someone makes a change, the history of those changes is not as long as I would prefer.
Our company has used One Identity Active Roles for over five years. I have been with them for the last four years. Personally, I have been a user and managed the team that controls One Identity Active Roles for four years.
Regarding stability, One Identity Active Roles is mostly stable. The only times it is not is when we have the eight-point-zero long-term service release. I have not seen any sort of hiccups in connectivity. If anything, it is on our side from a networking standpoint. It is a very stable product, at least recently.
One Identity Active Roles is more beneficial to a large corporation. I am sure that licensing can vary in cost, but it is definitely very beneficial to complex Active Directory environments from a control perspective and being able to grant least privileged access that folks need to do their job.
We don't get a lot of communication from the One Identity side. I don't know who our account representative is, and that is kind of not good since we have had some turnover there.
Neutral
I have not used any alternatives to One Identity Active Roles. From an on-premises AD standpoint, delegated access has been with LifePoint as long as in my career. That is what we have leveraged. It has been useful. We have rolled it out across several Active Directory domains as our management overlay, but that has been our main one.
When I first started using One Identity Active Roles, it is intuitive. It is not super complex. The management of it, we used it from a user provisioning standpoint before we switched human capital management systems. I was not really involved in that, but from an end user standpoint, you pick your web database server. The thick client is much easier from a UI perspective looking through it because it looks very similar to ADUC if you have any experience in IT. The web portal is fine. I think it is a little more clunky, and that is what most folks use, but it is intuitive. You pick your web or database server, log in with your credentialed account, and it synchronizes and loads. It is seamless, and from an intuitive standpoint, it is on the higher end.
Regarding the pricing of One Identity Active Roles, it is definitely on the expensive side compared to solutions for what it does. It is a necessary need for us. I don't know One Identity Active Roles' business model, but it is very niche in the sense that they are going to target complex environments like mine that have a need for delegated access. There are other IGA platforms that do delegated access and offer a much larger suite of solutions, but it is definitely on the expensive side. I think our total was in the seven-figure range for a couple of years of service.
Overall, I would give One Identity Active Roles a rating of nine out of ten. The main pain point I have is not huge because I know there are AD audit solutions out there individually. But with the control that One Identity Active Roles has, being as intuitive as it is, I think it is a nine out of ten. I would recommend it to any healthcare conglomerate that has multiple hands in an Active Directory environment. There are many components that I think our team is not touching the surface on from a dynamic group perspective, and we just use it for what it is today, but I think there are more components that we could explore.
I am one of the resellers for One Identity Active Roles, so that is the reason I downloaded it.
One Identity Active Roles is generally used in complex IT setups where Active Directory plays a critical role and organizations have many compliances and mandates to be followed. For example, in India, we have many banking customers who are governed by the Reserve Bank. In the US, you have the Central Bank or Federal Bank; in India, we have something called a Reserve Bank. All the big financial sectors have to follow the mandates and compliance provided by them. Identity solutions come into that part as well. So to make sure that everybody has the right amount of access and nobody has all access, One Identity Active Roles plays a critical role over there.
In India, this kind of requirement mainly comes from regulated entities or regulated enterprises. So they prefer the on-premises solution for One Identity Active Roles. We have not had a customer in the past who has gone through the cloud solution. They want everything to be hosted on their premises. Since I have not come across the cloud-based installation yet, I cannot comment on that piece, but on-premises is what they look for in the current setup which we provide.
One Identity Active Roles brings significant value through its lifecycle management capabilities, which are very good with no complaints or problems at all.
With the inclusion of One Login, which One Identity acquired three or four years back, One Identity Active Roles has gained complete coverage. Earlier, One Identity lacked an IAM solution. They always have had the Active Directory management solution in the form of One Identity Active Roles or through the IGA solution. But with the inclusion of One Login, that has really fulfilled the requirement which customers need from a single vendor. The competition includes SalePoint, Saviynt, and others, including Ping Identity, who is also coming up with an IGA kind of solution. One Identity has been providing it for a very long time, longer than these competitors who have just started realizing all those things and providing a similar kind of solution to the customer. One Login and One Identity provide complete coverage to the customer, which is really helpful.
One Identity Active Roles brings a positive impact to organizations in that they will start realizing the ROI in a much faster manner because the implementation time is very short and it is easy to use. Additionally, since there are many regulated entities which need this kind of solution and in the market there are very few solution providers who can provide this kind of coverage, that is the advantage which One Identity Active Roles has.
If One Identity Active Roles has to be positioned for all customers, not just the entities which are being regulated, then the pricing has to be normalized. There are many solution providers in the market who can do it at a much lesser price. India is a price-sensitive market, and I can speak only for India; I cannot speak for the other part of the world. We have many local vendors who can provide these kinds of solutions. But since One Identity Active Roles is a much more mature product and has been in the market for a very long time, customers have some respect for that and they can pay the premium. But that premium cannot be three times, two times, or beyond three times. So the pricing has to be normalized based on the market. Every market has its own constraints, so the One Identity team should work on that aspect.
I have been reselling One Identity Active Roles for almost seven to eight years.
I have not had a challenge working with One Identity technical support so far. Everything is good, and I can give One Identity technical support a rating of ten.
Positive
I have worked with Microsoft earlier. I started my career with Active Directory, which is the base of providing identity in the older days. Twenty years back, when we talk about identity, it was always Active Directory from Microsoft. So I have worked with them. Now even Microsoft has come up with their own offering called Entra ID, and they are also competing with One Identity or SalePoint in a similar segment.
From the product perspective, deploying One Identity Active Roles is not that much cumbersome or troublesome. It is a very easy deployment. The only thing which we have to generally figure out is the kind of Active Directory infrastructure the customer has, and based on that, we will have to configure the rules or the policies in the tool.
From the product perspective, the installation of One Identity Active Roles will not take much time and the integration with Active Directory itself will not take much time. Installation is hassle-free and not complex at all. The only thing which takes time is the configuration part. When I say configuration, it is mainly from the policies perspective because we have to understand the customer requirement and based on that we have to create all the rules and policies so that we can fulfill all the use cases.
When I say the configuration of One Identity Active Roles, it is basically because of the customer setup and not because of the tool itself. Because you have to create a lot of policies, and those policies need to be created because the customer has that kind of complexity in their setup. Otherwise, this is an easy tool to manage. If the environment is well-configured or well-managed by the customer, then One Identity Active Roles will not take much time.
I do provide deployment for my customers. For deploying One Identity Active Roles, you need one person, and that is more than enough to manage the solution. We have a different team who does the installation of One Identity Active Roles.
One Identity Active Roles has helped my organization increase operational efficiency. Now only the right person has the right access. Not everybody can go and log into Active Directory or the identity management solution which they have directly. One Identity has a theme that they want the right people to have the right set of access, and this is what they are able to provide with their tool.
One Identity Active Roles has helped to reduce the number of erroneous privileged accounts. That is what they want to achieve. When I talk about customers, they do not want any intruders or hackers to get access to their data. This can happen even from a legitimate user if their credentials are compromised. These kinds of solutions always prohibit those kinds of activities by a hacker or a mischievous character in the organization to take advantage of the system.
One Identity Active Roles helps to reduce identity-based breaches.
Right now, a lot of the discussion is centered on agentic AI for One Identity Active Roles. An agentic AI who can do most common tasks on its own would really help.
To be very honest, the ability to provision and de-provision resources in directories needs to be handled by my technical person, since I do not belong to that field.
I feel with the kind of use cases which One Identity Active Roles addresses and the kind of market we play into, then I think nine is a good rating for them. There is always room for improvement, so hence I am not giving it a ten at this time.
I use One Identity Active Roles primarily for identity management. We use it for managing multiple domains from a single interface, and the domains do not have trust between them. It has been used by multiple support teams, such as the service desk or the identity access management team for account creation, modification, and management of accounts. It is mostly focused on account creation, modification, deletion, and AD objects.
One Identity Active Roles has helped my organization reduce the number of incorrect privileged accounts through the management unit feature. It helps us identify accounts that are not in use, and while creating admin accounts, we use it to set policies regarding which required fields must be filled during account creation. This helps us keep the process clean and ensures all required attributes are filled before account creation. We have scheduled scripts on One Identity Active Roles that check if activity meets criteria. If it doesn't, it will move the account to a specified OU, disable it, or delete it, as per the defined process.
One Identity Active Roles helps us keep accounts consistent. For instance, when somebody leaves the company, all associated accounts get removed, which helps us eliminate unwanted accounts.
For Active Directory, the provisioning and de-provisioning capabilities work exceptionally. The de-provision feature allows account disconnection without disabling it, enabling quick reconnection with automatic group additions. This feature significantly speeds up the process compared to disabling and re-adding to groups.
The comprehensive group membership management feature is exceptional because it offers two features not available in Active Directory directly: adding multiple secondary owners and dynamic groups. The latter is only available for Azure AD, not for on-premise AD.
Using One Identity Active Roles enables temporary group additions. For instance, if a group provides access, we can temporarily add a member, and when the time period expires, the member gets removed automatically.
The granular control is exceptional; we can give the least control required by the team. For modifying any group, we don't have to give create and delete roles; we can just give them the move role.
The delegation of administrative access impacts IT operations positively through access templates, which are usually created based on the team.
One Identity Active Roles has increased operational efficiency despite occasional slowdowns. Solution consolidation is part of our identity and access management strategy, eliminating the need for direct Active Directory access for the help desk and IAM team.
The best features of One Identity Active Roles include managing multiple domains from a single interface. I don't need to log into jump servers, making it very easy to log in from the web and manage it. Dynamic groups are also one of the best features, eliminating the need to add or manage members manually. The management unit is another excellent feature, which we can use as a virtual OU to identify missing elements.
The approval process and group approval process can include adding multiple secondary owners.
The interface appears outdated. Once logged in, everything inside remains unchanged from years ago.
Additionally, when they release new features, they should provide training or webinars at least once or twice a year. This would help users stay updated and aware of new features. When I requested a demo session with One Identity, the presenter didn't provide complete details, making it difficult for non-technical managers to understand. The demo should be planned based on the customer's knowledge level.
Regarding visibility in the directory ecosystem, while it is very good, there are limitations. When we add numerous domains, it becomes slow. With around 60 domains, attempting to add approximately 30 caused significant performance issues. We had to remove and decrease the number of domains, indicating room for improvement in managing multiple domains from a single interface.
I have been using One Identity Active Roles for approximately 11 or 12 years.
I would rate the stability as eight out of ten. I have already discovered approximately three defects in the new version.
While One Identity Active Roles has improved operational efficiency, there are occasional challenges with system slowdowns.
The scalability is excellent, rated around nine or ten out of ten. It can be expanded or decreased based on the SQL server requirements.
In our organization, the solution is open to all users with read-only access, with approximately 200 users having admin access.
I would rate their support a nine out of ten.
Positive
I've personally deployed systems from scratch, from planning through to completion.
Deployment is not overly complicated. We do need to ensure that the required ports are open and that we have the necessary permissions. However, it does vary from company to company regarding how they manage to get those ports opened and permissions granted. Based on my experience, I would rate the complexity of deployment as about a seven or eight out of ten. In the new version, we did encounter some issues related to system slowness, but other than that, most aspects look good.
The deployment duration depends on your company's processes. If you manage to get the ports opened and the permissions granted quickly, the deployment can be completed in about two months. For us, it took approximately six months because acquiring the necessary permissions and opening the ports took time. Additionally, post-deployment, we needed to conduct some testing as well. So, while I wouldn’t say it takes excessively long, it does depend on your circumstances. If everything is in place, meaning if the ports are open and permissions are set, you could deploy a basic version within two days.
The solution requires regular maintenance, including server patching and routine updates. We monitor alerts and check the website regularly as part of business-as-usual support.
When comparing One Identity Active Roles with other solutions in the market, there are no direct competitors. Having explored alternatives in my previous company, I found it to be more user-friendly and to have more secure features around Active Directory than other available solutions.
Regarding integration, I have not yet integrated One Identity with other One Identity products as this process is ongoing with our recent upgrade. While we have multiple One Identity products, this integration remains a future project.
Regarding lifecycle management capabilities via the workflow engine, we have not fully utilized it because most workplaces have used third-party tools such as Microsoft MIM. At my previous workplace, SailPoint was used for complete account lifecycle management. We primarily used One Identity Active Roles for account management after creation and for modification of admin accounts.
I would recommend One Identity Active Roles based on its ability to manage domains from a single interface and provide minimal-required access based on work requirements. The web interface login and MMC console are very user-friendly.
I would rate this solution an eight out of ten.
The main use case is the Active Directory delegation. We have many different entities within our organization, and we needed to delegate some Active Directory capabilities, such as creating users, updating users, deleting users, groups, and computers.
The access templates help set up granular permissions and the web portal to manage Active Directory. Active Directory is usually managed through a heavy console, and using One Identity Active Roles allows it to be managed through any internet browser. Additionally, it helps in removing custom Active Directory delegation, which enhances security by eliminating unnecessary privileges, addressing identity-based breaches by reducing the number of Active Directory delegations.
One area for improvement would be the Entra ID side, including better delegation for Entra ID objects and more granular permissions. We would also like to see better Entra ID license management using virtual pool management, given that the current setup is custom-made, and having this feature built-in would be beneficial. The web interface could also be improved, though it's ongoing.
The solution has been in place for the last fifteen to seventeen years, but I have been using it for the last eight years since joining the company.
The stability of One Identity Active Roles is rated seven. There are performance issues sometimes, but restarting services usually resolves them.
The solution is scalable. It is rated nine in terms of scalability.
Customer support is rated six. Sometimes having a fix for a bug takes too much time. While in production, issues tend to take a while to resolve.
Neutral
The initial setup is quite easy. The deployment is not long, but the extensive customization, such as virtual pool licenses, takes a bit of time, about a week.
The product is expensive, but if you want to save money, the delegation set-up process is quite easy. After setting up Active Roles once, defining the delegation model, it is very efficient, almost like copy-paste.
I would definitely recommend One Identity Active Roles because it allows the delegation of Active Directory through a web portal instead of a console. Additionally, while the Entra ID part requires improvements, it can still delegate Entra ID objects. I rate the overall solution an 8 out of 10.
We use One Identity Active Roles for the delegation of Active Directory administration to local entities.
It has helped improve our organization by delegating day to day tasks to entities, allowing gains in time to market for AD related tasks, and also allowing to reduce time and effort spent globally.
The most valuable features are the access templates, which allow for granular permissions, and the policies that provide a framework for usage and standardization across entities. The solution improved our organization's security posture by framing the end users and ensuring that capabilities that could cause mistakes are hidden from the web interface. It helps us ensure that entities do not make any mistakes by hiding those capabilities directly in the tools with the access templates.
There are areas for improvement in One Identity Active Roles that include updating the web interface, creating an API accessible from the web, and improving overall performance, as it can be slow at times. But all of those are already in the development roadmap.
We have been using One Identity Active Roles since 2011, which amounts to fourteen years.
I would rate the stability as a seven because there are sometimes performance issues, which require restarting the services. This affects stability.
The solution is highly scalable, with a scalability rating of nine. It effectively handles 150,000 users.
I rate customer service and support as a seven because, although they are helpful when needed, there can be delays in responding to tickets and finding necessary fixes.
Neutral
There was no previous solution in place before, as One Identity Active Roles was already implemented when I joined.
The initial setup was straightforward but took months due to the detailed design required for the access templates.
In house.
I estimate the return on investment (ROI) to be about fifteen percent.
The pricing of One Identity Active Roles is expensive, but the return on investment justifies the cost, allowing for savings in other areas.
I would recommend One Identity Active Roles due to its straightforward delegation capabilities, comprehensive management of Active Directory objects, an excellent PowerShell cmdlet suite for scripting, and a robust change history feature for auditing. The overall solution is rated as eight out of ten.
My use case is to gain better visibility into what has happened in One Identity Active Roles. It is to automate processes. When people are leaving, joining, or changing roles in our business, it is done automatically without manual work.
We've eased the burden on the support desk and limited the risk on them. We've also limited the need for domain administrators. We now have a better view of what is going on in Active Directory. If there's an inside malicious user, we can root them out.
The feature I appreciate most about the solution is the ability to lock down Active Directory Roles granularly. For instance, our support personnel can only change passwords for users; the only thing they can change in the user object is the password. They cannot alter anything else. This allows us to manage multiple One Identity Active Roles from a single pane of glass. We're very satisfied with the granularity.
We have eased the burden on the support desk and reduced the risk of them doing something they shouldn't. We have limited the use of domain administrators and gained a better view of what is happening in One Identity Active Roles. It is easier to find rogue and malicious users, and end users can now request access through the web interface instead of creating a ticket.
We've lowered the amount of privileged accounts. We can have support staff that have privileged access however, we've limited privileges so that they can only do what they are meant to do in the directory.
Active Roles helped reduce our identity-based breaches. I don't have a number of how many. It's maybe between 10% and 20%. Now, we know what users we actually have in our IT directory. It has helped us to find the dormant users that we don't need anymore.
It's improved our security posture. It has limited access to our crown jewels, where all our identities lie within Active Directory. It's not a stand-alone product. It doesn't fix everything. However, it does help to the overall security posture. Before, we had domain admins logging directly into our directory user's computers, and doing stuff. They don't do that anymore. We've limited priveledges. The directory is more secure today and we have better visibility.
The user interface needs to be more modern and scalable. There are certain screen resolutions where the product is unusable. In today's environment, where we work with different sizes of monitors and screen resolutions, it is problematic if connecting to a certain monitor renders One Identity Active Roles unusable due to resolution issues. This should not be a concern in modern times, as the interface should automatically scale based on the resolution. This is the most significant drawback of the user interface.
I have used the solution for less than a year.
We haven't had any glitches. If I rate it out of ten, there is no room for improvement, so I will keep it at nine.
It is satisfactory for our needs. I would assume that if you are a major enterprise customer, it is a matter of scaling out on resources with more memory, disk, and CPU power. We haven't seen any issue with scalability.
We have less than 100 people using the solution. We are in a singular location.
We used native Microsoft Active Directory. We just used native solutions.
Implementing it was straightforward, and it depends on how much you want to do. It was easier than I imagined. Also, the visibility into the deployment and whatever has been enabled is excellent.
There is some maintenance. Whenever there are new updates, we can look in to see if there are any new features we would like to have, and then we can update it. The update is rather straightforward. We simply download the installation file and then click next, next, next, and then we're up and running with the new version. It's rather straightforward.
It has saved 90% of the time compared to before. It is not expensive, yet not as cheap as I would prefer. I see it as insurance, and I have peace of mind, knowing that I pay an insurance price with a lower premium. We have a better security posture, with better feedback from end users requesting access. Although we have higher spending costs and haven't reduced staff, wrongdoing is reduced, uptime is better, and users can still use the systems. We have made operations more efficient, made end users happier, and improved our IT environment.
The solution is not expensive, yet not as cheap as I would like it to be.
We used One Identity from the beginning. We chose them due to a one-vendor strategy, as we also use Safeguard, and they integrate very well.
If there is a colleague who wants to manage Active Directory without an identity and access management solution, I would ask: "do you actually know what's going on in the Active Directory? What delegated control have you given, and what is the visibility of the delegated controls? What naming standards do you have for departments, for office locations, for cities? How do you make sure that you can only select the already predefined locations? Also, what kind of business are you in? Are you hit by we're not hit by dollar, but are you hit by dollar? Are you hit by NIST two? Are you hit by SOX? What compliance requirements do you actually have?" Roles fits very nicely in that role with some of these regulations and compliance issues you need to address.
Depending on company size, even with fewer identities, it might be essential for highly regulated industries like finance. Having a product like One Identity Active Roles allows centralized management and limits what delegated users can do. In native Active Directory, delegation could grant too many rights, but now it permits granular delegation, such as allowing a support user to change passwords only. This level of control is beneficial for multiple companies, as harming the directory can hurt the business.
I rate the product nine out of ten.
My use case is for task automation, such as user provisioning, deprovisioning, delegation provisioning, and rights delegation. It simplifies the management of users and groups.
Currently, task automation, like provisioning, deprovisioning, and reprovisioning, is very effective. When a user moves from one organization to another, it automatically changes their group membership and performs similar functions.
Secondly, the granular delegation feature is very nice and much simpler and easier than it is natively in Microsoft.
Two years ago, One Identity Active Roles was under Dell. It was quite poor. However, now, there have been notable improvements, such as faster system processing, better logging, enhanced information, and a more user-friendly interface. Once it was sold by Dell, things got better. The interface became a bit more user-friendly.
The Angular user interface is much more flexible for adjusting to customer needs, and a completely new and customizable one can be created, aligning with all settings and scripts required by a customer.
The ease of managing on-prem and cloud-based directories through a single pane of glass is good. I'd rate it nine out of ten.
The solution's ability to provision and deprovision resources and directories like Azure AD is very simple, especially when you can integrate with the HR system and grab some data from HR. It's actually fully automatic. I don't need to even touch it.
It's helped increase operational efficiency by 50%.
It's helped decrease security problems around privileged accounts. We were able to decrease the number of privileged accounts and have been able to delegate more effectively.
We decreased the number of high-level permissions that administrators had. For example, if someone is a DNS administrator, he has access only as far as the specific actions he needs to handle. We don't need to give away such high privileges for such a daily job. It's helped clarify roles and access.
It's helped reduce identity-based breaches. If someone leaves a company, we can easily undo provisioning and close accounts. We can generate reports to see which people have which permissions and at what times.
We've just integrated with our HR system. It helps us follow activated and deactivated users.
I'd rate the granular controls on offer ten out of ten.
We've saved on manpower in terms of the work of the administrators. There's good reporting and functionality, and it's very transparent. You can connect more than one directory and manage everything from one pane. You can do many things from one interface.
The possibility to request group membership, similar to the past, was disabled and moved to Identity Manager. That would be coming back in six months.
Additional documentation about the Angular web interface is also needed.
I have used the solution for ten years.
I encountered some problems in the past with the system, not just with our infrastructure but also on the customer side. There were some software bugs.
Overall, on a scale of one to ten, I would rate it at eight and a half to nine. There were no major problems with One Identity Active Roles.
I'd rate scalability ten out of ten.
It's rate support ten out of ten.
Positive
I've been working with the system for so many years, it's very simple and easy. It's one of the best solutions. There are a few things missing, however, I prefer it and if it fills in the existing gaps, it would be the best option on the market.
The installation is quite easy and involves only a few clicks to have One Identity Active Roles up and running. The hard part begins with the configuration: creating workflows, permissions, provisioning, deprovisioning workflows, policies, and so on. Nevertheless, it is quite straightforward, and the documentation is very clear and simple.
There is a bit of maintenance needed. It's not just install and forget. You need to check the logs and make sure services are up and running. It's not time-consuming. It's very simple.
I am working on the partner side of One Identity. I have implemented One Identity Active Roles in several organizations. The longest implementation took two weeks, and the shortest was three days.
The solution saves manpower and time for network administrators, offering a significant return on investment. One Identity Active Roles provides excellent reporting and auditing functionality, allowing administrators to track permissions, actions, and responsibilities effectively.
We've likely seen a 30% ROI.
I would rate the setup cost ten out of ten. It is quite expensive, costing more than 50 euros per identity. While it is worth the price, not many companies are willing to pay such an amount of money.
I'm a One Identity partner. Our clients range from small to enterprises. Customers range from 50 to 30,000 people.
If there is any mess in Active Directory, like excessive delegations and errors, One Identity Active Roles will help clean it up and simplify work. It allows administrators to confidently ensure everything is configured correctly in Active Directory, securing it effectively.
I rate the product nine out of ten.
We use it for various purposes, such as automating tasks in an Active Directory environment.
It assists the help desk in doing certain tasks in a more controlled manner, for instance, setting up new users. We enforce required fields to prevent setting up users without them, ensuring that certain fields meet specific requirements. It also facilitates easier management of various security features than Active Directory.
It has helped increase operational efficiency in our organization. We have a clear structure. There is a reduction in the mistakes.
It is an easier way for me to manage Active Directory with more advanced features.
The console helps with granular control.
There is always room to improve the user interface for increased clarity. I believe enhancements to the console are also necessary because it is more confusing than the web interface.
I have used the solution for a bit more than three years.
It is stable. I would rate it an eight out of ten for stability.
It seems scalable.
It is good. I would rate them a nine out of ten.
Positive
It is good, and I would recommend it, but you should do a proof of concept and see if it works for your environment.
Overall, I would rate the solution an eight out of ten.
We use it extensively. Our help desk and all the end users or administrators use it. It was being used for user provisioning, but we have now automated some of the functions. Earlier, when it was being manually done, we had set up all the templates for the end-user provisioning and de-provisioning.
The granular control has been very helpful for us. We want to be able to control what level users have access to. It is possible to control access levels at the organizational unit or even the attribute level, making it helpful for us.
Active Roles helped increase operational efficiency in our organization. We have delegated user provisioning to the help desk so they can create users or manage accounts. We have delegated group management to identified group owners who can manage their groups. Some of them just need read-only access to AD; they do not need to download the native tools. They can just do it via a browser.
Active Roles has helped our organization reduce the number of erroneous privileged accounts. We have set the templates, and we have set the standards. It helps standardize all the naming conventions and how they are provisioned with the rules. That is definitely very helpful.
We use the change history to see who might have modified what object. We have that tracking, but we use a tool from Quest called Change Auditor that can do the auditing to figure out who did what type of thing for auditing.
It is very intuitive and close to the native tools. Since it is web-based, it does not require extensive training for our end users. If users are familiar with native tools, they should be able to use the web-based tools with minimal training.
I know they have increased support for Entra ID and mentioned providing support for AWS. A way to connect to various directories and integrate with cloud directories would be beneficial.
We have used this solution for about 15 years.
It is very beneficial for large and complex environments. For mid-sized to small companies, I do not know if it would be that useful, considering the tool's purpose. For us, with a complex AD environment, it is incredibly useful, but for smaller companies, where there are not many users or roles needing identification, it may not be as beneficial or cost-effective.
We have more than 65,000 users.
One Identity's support is great. I would rate them a nine out of ten.
Positive
We have been using Active Roles since I have been on the team. We rolled it out and have been using it for the last 15 years or so. They were using native tools earlier.
I have not used other vendor solutions, just native tools.
We deployed it and recently upgraded it. We received support from One Identity for consulting, but we did the upgrade ourselves. It was not too bad.
I would rate it a five out of ten for the ease of use. We were trying to do some load balancing and things like that, which did not work out the first time. There were also some issues with the dynamic groups. The first time, we had to roll it back, but we were successful the second time.
The pricing is high. I have not been involved with the renewal or cost aspect, but I know it is not cheap by any means. However, it is very useful for our environment.
I would rate One Identity Active Roles an eight out of ten.