I use it primarily for granting, managing, and auditing access.
Active Directory Engineer at Maybank
Single interface and workflows simplify AD and Azure AD management efficiency and security
Pros and Cons
- "The most valuable features include auditing, dynamic grouping, and creating dynamic groups based on AD attributes."
- "The initial setup was quite easy, but it was time-consuming. It took about three months."
What is our primary use case?
How has it helped my organization?
The ways Active Roles has improved the way we operate are through workflows and user onboarding, automatic user management, group permissioning, adding users to the right groups based on the department, and distribution list creation based on dynamic group membership and active users.
And because of the single interface and workflows, it has simplified AD and Azure AD management efficiency and security.
What is most valuable?
The most valuable features include
- auditing
- dynamic grouping
- creating dynamic groups based on AD attributes.
Also, as part of the cloud identity, meaning expanding identity to the cloud, it gives me a single workflow to expand on-prem. I can create a user in the cloud and give them access to resources through a single workflow.
And for regulatory, auditing, and security requirements, it's critical that the solution enables Zero Trust security with hybrid AD fine delegation and role-based access control.
For how long have I used the solution?
I have been using One Identity Active Roles for eight months.
Buyer's Guide
One Identity Active Roles
March 2025

Learn what your peers think about One Identity Active Roles. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
847,772 professionals have used our research since 2012.
What do I think about the stability of the solution?
It's a stable product.
What do I think about the scalability of the solution?
It's also a scalable product. We have about 14,000 users.
How are customer service and support?
The best thing about their Premier Support is their assistance with customization and resolving issues that arise.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Our company chose One Identity Active Roles rather than something else because of the auditing capabilities and workflow capabilities.
How was the initial setup?
The initial setup was quite easy, but it was time-consuming. It took about three months.
What's my experience with pricing, setup cost, and licensing?
It's expensive.
Which other solutions did I evaluate?
Compared to native Active Directory tools, in terms of accuracy and security, Active Roles is a nine out of 10.
What other advice do I have?
Understanding the requirements and the key areas on which you want to focus before deploying it is vital to making sure it caters to your needs.
Overall, it enables a lot of automation and workflow-type processes. It also allows for human intervention and has auditing and reporting capabilities that include generating an automated report on a periodic basis for management review.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Information Security Manager at a manufacturing company with 5,001-10,000 employees
Synchronization Service allows us to process HR data and automatically update attributes and data fields in AD
Pros and Cons
- "Another good feature is the change history. It's centralized in a single place and allows us to manage people's Active Directory domains from a central location. We can also drill down into individual objects in a troubleshooting or even an auditing situation. We can show evidence to auditors by drilling down into the individual history. It gives you all the history of what happened around an individual object. That is something that would be almost impossible to do in Active Directory, or extremely complicated."
- "The third area for improvement, which is the weakest portion of ARS, is the workflow engine, which was introduced a few years ago. It's slow and not very intuitive to use, so I would like to see improvement there."
What is our primary use case?
We are using Active Roles for provisioning Active Directory objects and we also use it to connect, through Active Roles Synchronization Service, to our HR system and to provision and deprovision employees.
In general, we use it to provision any object: security groups and computer objects, in a delegated manner. Active Roles Server allows the security of Active Directory to be changed to delegate access for provisioning to different IT teams, without changing the actual security of Active Directory.
The solution is co-located in our data centers.
How has it helped my organization?
With delegated access to Active Directory, it allows us to revoke a lot of the admin rights. It gives us a better lockdown and a more secure environment than we used to have.
It has eliminated tasks that were bogging down our IT department, especially in certain workflow automations. Through Active Roles Synchronization Service, we can process data coming from HR and automatically update those attributes and data fields straight into Active Directory, versus doing it on a manual basis or through bulk imports. Also, the fact that we can enforce data formats and policies saves us time since we don't have to go back and do a cleanup.
In addition, because we are able to remove the main admin rights, there are fewer uncontrolled changes, and when you have fewer uncontrolled changes you have a higher availability of the service, overall, and fewer audit findings.
The solution automates provisioning. In our HR system we are automating the creation, termination, and ongoing management of all of our employee base. We have between 5,000 and 6,000 employees, and all those processes are fully automated, with IT being completely hands-off. It saves a lot of hours, easily on the order of hundreds of hours per year.
The fact that we have decreased certain operational costs, by means of automation, of course means we have been able to reallocate the time of some of our resources for more value-added activities. Because we implemented this 10 years ago, things have changed over time. It has become an established practice, process, and technology so it's hard to estimate how many FTEs we have been able to reallocate, but it would probably be at least one.
One Identity Active Roles has also improved the accuracy of our onboarding process. As a company, our onboarding process for people is subjected to SOX audits. Ten years ago we were in a situation where we had hundreds of nonconformities. Today, we essentially have zero nonconformities.
Another benefit is that the solution most definitely reduces risk for our organization. By avoiding changes to the native Active Directory security, and the fact that there is role-based access control to manage Active Directory itself through the application, there has been a dramatic reduction in risk.
What is most valuable?
The most valuable feature is the ability to delegate by using permissions and workflows.
Another good feature is the Change History. It's centralized in a single place and allows us to manage people's Active Directory domains from a central location. We can also drill down into individual objects in a troubleshooting or even an auditing situation. We can show evidence to auditors by drilling down into the individual history. It gives you all the history of what happened around an individual object. That is something that would be almost impossible to do in Active Directory, or extremely complicated.
We can also enforce data formats. That creates a higher quality in the data that we store in the directory by enforcing naming conventions and data formats.
In addition, we can reach the data set by using virtual attributes, rather than extending that, so we can put schema attributes in ARS that live in AR without actually impacting the Active Directory environment.
One other thing that I really like about this product, as an engineer, is the design of it, meaning not how it looks, but how it was designed architecturally. This is one of the greatest strengths of the product. It's just designed right.
What needs improvement?
The overall UI needs a refresh; the web interface requires some modernization.
We would also like to have a SaaS version of Active Roles. Rather than implementing it in our data center, it would have been nice having a SaaS-delivered solution.
The third area for improvement, which is the weakest portion of ARS, is the workflow engine, which was introduced a few years ago. It's slow and not very intuitive to use, so I would like to see improvement there.
For how long have I used the solution?
We have been using One Identity Active Roles for about 10 years.
What do I think about the scalability of the solution?
The scalability of the solution relies on the environment where it is deployed. We are a smaller company, but we are using the same design and architecture that we used initially, where we have about 15,000 to 20,000 users. We have added multiple domains, four or five, and we have never seen any issue from a scalability standpoint. I don't know if it scales to hundreds of thousands of users, but for our environment, scalability has never been an issue.
We have a very good adoption rate, from a user standpoint. I can't see many areas where it could be expanded. We are leveraging the tool at a very good capacity. I don't foresee any expansion because we are using it pretty heavily.
How are customer service and technical support?
The support service provided by the vendor on this product is pretty solid. It is an excellent support service. I would rate them a solid nine out of 10. They always have a solution or a workaround. They're very responsive and very knowledgeable. Sometimes I wish that we had the same level of support from other vendors.
Which solution did I use previously and why did I switch?
We used the Microsoft native tools. We switched to Active Roles because the Microsoft native tools were really for managing the core components and didn't have all the capabilities of provisioning, deprovisioning, role-based access control, and change history. They didn't have the proxy approach to manage Active Directory in a centralized way. With Microsoft, Active Directory is distributed by nature, versus ARS which centralizes it.
How was the initial setup?
One of the strengths of Active Roles is that it is easy to implement, easy to upgrade, and very intuitive, except for the workflow engine. And it's not even resource-heavy. It works on a very lightweight infrastructure and doesn't need multiple servers or any complex architecture. It's a very lean, robust, and effective tool, with low maintenance costs.
Our deployment took a couple of months, maybe less.
The tool is so straightforward that the approach was very simple. We analyzed the requirements that we had, back in the day, especially in terms of access and provision, and we just mapped them into Active Roles Server. The overall first phase of installation was very simple.
In terms of maintenance of the solution we need a part-time person, a security engineer who specializes in access technologies. The maintenance of it is super-lightweight. It's really just a few hours a month.
What was our ROI?
ROI is a very tough question because we implemented it 10 years ago. I don't have a number. But I would say that, in a large organization, Active Roles is probably something that pays back quickly. It's so integrated into our processes today, that we couldn't even think about doing without it, and replacing it with manual work.
What other advice do I have?
If you have a need to put controls on your Active Directory environment, and there is significant manual work to put those controls in place, regardless of their effectiveness, or you have a risky native configuration that has to be addressed, my advice is that a solution like this is going to do the job pretty brilliantly.
It is a great solution with a lot of capabilities. It provides different types of value for each of the capabilities that it has. Over a decade, this solution has done its job.
It's a very stable system, easy to implement, easy to upgrade, and has very low operation maintenance costs. We are a very happy customer of Active Roles.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Cyber Security Architect at a tech vendor with 1,001-5,000 employees
The innovative workflow engine enhances automatic task management
Pros and Cons
- "The best part of this Active Roles is the workflow engine. It features an industry-leading workflow automation feature. It's a visual PowerShell that allows task interruption."
- "It's a fairly stable product but not perfectly reliable."
What is our primary use case?
I am an implementer for the product. I install Active Roles for companies.
How has it helped my organization?
Active Roles helps my clients by reducing erroneous privileged accounts, often cutting them in half. It also reduces IT administrators' time spent on these tasks by 5 to 10 percent.
My clients can save money on licensing. We can bundle Active Roles with other IGA solutions and save on overall service renewal. The solution improves user experience for most users. The end-users generally only use the self-service portion, which they like. It's easy for them to use. Unfortunately, there is one annoying setting that they initially set, but that could easily be remedied in the future. For IT users, it's a mixed bag. Administrators love it. I think it's wonderful. Depending on how the administrators deploy it, the help desk users either think it's great or hate it because they want to use a console.
What is most valuable?
The best part of this Active Roles is the workflow engine. It features an industry-leading workflow automation feature. It's a visual PowerShell that allows task interruption.
It offers single-pane-of-glass management to a degree. Right now, the Azure side can only be done from the web UI, not the console. The administrative side can only be done from the console, not the web UI.
Conditional access works well. Combined with RBAC, it always works well with Active Roles because Active Roles can do access based on dynamic implementation.
The permission management feature is also excellent, clearly showing delegated permissions. Active Roles tells you when any permissions are done without going into this crazy fine-grained permission strategy that is horrible compared to Active Roles' template-based permissions. You can design on your own. It easily shows where all the permissions are delegated.
Unfortunately, you can't do much with zero trust and Active Roles at the moment unless you combine them with Safeguard. It lines up with using zero trust if you combine a couple of different workflows together.
What needs improvement?
Active Roles can fix many little problems that have never been resolved and have lingered for years, continuing to annoy people. For example, you can't search by object GUIDs. The manual says you can, but it hasn't worked in five years.
For how long have I used the solution?
I have been using Active Roles for about 15 years.
What do I think about the stability of the solution?
I would rate the stability of the Active Roles eight out of 10. It's a fairly stable product but not perfectly reliable.
What do I think about the scalability of the solution?
Active Roles is super easy to scale.
How are customer service and support?
I rate One Identity support 10 out of 10. Customer service and support are fantastic. The support team is very responsive. I love those guys.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used KAOSoft and AD Access previously. Active Roles has PowerShell modules and a whole PowerShell backend that none of the other solutions do. That's where they lose the most. PowerShell makes a considerable difference compared to those other applications.
How was the initial setup?
The initial setup is generally straightforward. It takes a week or two for an inexperienced organization to set it up, but I can do it in a day or less. It could involve multiple teams, depending on what you're doing. For example, if you're integrating Exchange, you need Exchange admins to be involved.
What was our ROI?
Active Roles always saves my clients money, mostly in licensing and service renewal.
What's my experience with pricing, setup cost, and licensing?
The pricing for Active Roles is expensive but not as expensive as other solutions like Okta.
Which other solutions did I evaluate?
I have evaluated KAOSoft, AD Access, and Okta, among others.
What other advice do I have?
I rate One Identity Active Roles 10 out of 10. Managing singular identities without a management suite is difficult. Active Roles is not an identity and access management solution. It's an Active Directory management suite.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Last updated: Oct 7, 2024
IT Manager at a financial services firm with 1,001-5,000 employees
Give us control over attributes a service desk analyst can change, and we can build in integrity rules
Pros and Cons
- "In comparison to native Active Directory tools, using Active Roles for delegation is so much better. It uses an access template and that makes it easy to see who can access what. In fact, you can do that for many objects as well."
- "Another issue we have with the product is that we run a lot of custom tasks. You have to program them to run on one particular host and there's no automatic failover to a second host. If that host is down when a task is supposed to run, it has to wait until the next time it runs when that host is up."
What is our primary use case?
We're using it for identity management, including the creation of accounts and synchronizing them with our HR system.
How has it helped my organization?
It improves things in many ways. You have control over what attributes the service desk analyst can change and you can provide them with lists of changes. You can build in the integrity rules. It also definitely simplifies management on-prem. It definitely is a plus to use this tool.
We do automated provisioning and it's set from HR through this tool. It's all instant. If it had to be done manually it would probably take a couple of hours per user, but we've had it set up like this for 10 years so I'm not sure how much time it's saving us.
What is most valuable?
It has so many features. Dynamic Groups are good and the ease of delegation is useful as well.
What needs improvement?
The Group Family feature is okay, but there are some issues around its use for creating objects automatically, based on HR attributes.
Another issue is that it doesn't look like the hybrid connections are particularly mature. We haven't really used it much. We have a couple of guys setting it up who don't really like the way it's working. It uses a synchronization tool to do that. Native integration with the cloud would be better.
Also, we're trying to manage Office 365 mailboxes and although it will create a mailbox in the cloud, it won't do shared mailboxes. That means we're having to write custom solutions for that.
Another issue we have with the product is that we run a lot of custom tasks. You have to program them to run on one particular host and there's no automatic failover to a second host. If that host is down when a task is supposed to run, it has to wait until the next time it runs when that host is up. Some of their built-in functions will work off of both servers and I don't see why this shouldn't as well.
Another similar gripe is that when you run custom Active Roles policies, they'll actually trigger on both hosts, not on one. In that scenario, it would be better if they would trigger on one host, unless it wasn't available. For example, if you're writing to the event log, you have a custom task and it will show up multiple times because it's being processed by multiple front-end hosts.
For how long have I used the solution?
I've been using One Identity Active Roles for 10 years.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
It's scalable, but I don't know how scalable. A lot of it is running off of custom scripts and the question is how scalable those are in large environments. We don't have a massive environment, but we have no issues with it for our 2,000 employees. I'm guessing that if you get up to 100,000 to 200,000 employees, it would start struggling.
It's used in our organization for management of any objects inside Active Directory, so anyone who manages anything in Active Directory uses the tool.
How are customer service and support?
We use the vendor's Premier Support. We wouldn't run any product like this without vendor support. It's quite critical to our company, so it would be crazy to do that with support that wasn't working. At the times we've had to deal with them, they have usually been pretty responsive.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
The solution we had before Active Roles was custom-made for the company and it was written about 13 years ago.
How was the initial setup?
The initial setup of the solution was straightforward. It took a few hours. I'm the only person on our IT team who handles this product, in terms of deployment and maintenance.
What was our ROI?
We haven't measured ROI, but given that it provides automation and does save quite a bit of time, there is definitely a return on investment.
What's my experience with pricing, setup cost, and licensing?
It's fairly priced.
Which other solutions did I evaluate?
In comparison to native Active Directory tools, using Active Roles for delegation is so much better. It uses an access template and that makes it easy to see who can access what.
In fact, you can do that for many objects as well. You can see what that object can manage and who can manage the objects. You can answer an auditor's questions fairly quickly. It's just much clearer than it is in Active Directory.
What other advice do I have?
I don't believe the solution enables you to create a user in the cloud and give them access to resources through a single workflow; not out of the box. You could certainly create that, but we don't do that. We use Azure AD Connect for that. We create the user account on-prem, and Azure AD Connect will create that user in the cloud for us.
Definitely do a PoC, but I would recommend Active Roles for a small company. I don't know if it would actually scale. You have to write custom scripts for a lot of it, whereas built-in functionality would generally be quicker. But for small companies of 2,000 employees, and maybe a little bit bigger, it's a great product. It's so much easier and cheaper than any of its rivals.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Technical Manager of Security at Liberty Global
Management features offer added value by showing more fields, while automation helps mitigate risk
Pros and Cons
- "It's valuable to us in that it resembles the native tools that most people have grown accustomed to... Active Roles resembles traditional tools, such as from Microsoft. That is really good because it eases the way people interact with the tool."
- "The AD and AAD management features of this solution are really good... They offer added value by showing more fields such as password age and the statuses of some things that we normally wouldn't see."
- "It also has workflows and those are really powerful, but there are no built-in workflows. When it comes to them, it's empty. I would personally love for it to come with ten, 15, or 20 workflows where each achieves a certain task... I could just look at how each is done, clone them, copy them, modify them the way I want them, and be good to go. Right now we have to invent things from scratch."
What is our primary use case?
We primarily use it for delegating access permissions, to helpdesks for example. We use it to automate certain things, like onboarding new users, deprovisioning leaving users, or when we add somebody to a group it triggers some kind of automation workflow. Lastly, we use it to sanitize data entry, to make sure that the first letter of the street name is capitalized, certain zip codes are allowed, others aren't; it's a type of data control.
How has it helped my organization?
It helps mitigate risks. With traditional, native Active Directory delegation, it can become really messy, really fast. You lose oversight on who has access where. We are an acquisitions and mergers company so we let go of certain companies and we onboard new ones. With native delegating, we can lose track of who has access and to what. With Active Roles, we can always see who has access, what they can do, in a very granular way. A user can modify the street name, but can't modify the city, for example; or can modify the picture, but not the names. That granularity is not normally available.
It has eliminated a lot of tedious IT tasks, especially when people leave. There are ten or 15 scripted actions that Active Roles does, always the same way and at the same time. Before, there would literally be a list of things that the admin would have to do, like hide the mailbox, disable the user, remove the groups, etc. Also, the auditing history that it keeps is very handy for us. It gives us a change record of what's been done to a user, who did it, when they did it, and that really helps out.
And now that we are outsourcing a lot of activities, we're dealing with a changing audience. Tools like this make sure that they do everything in a structured manner, that everybody does the same thing at the same time.
What is most valuable?
It's valuable to us in that it resembles the native tools that most people have grown accustomed to. Most people come from another company where they may not have used Active Roles. Active Roles resembles traditional tools, such as from Microsoft. That is really good because it eases the way people interact with the tool.
The AD and AAD management features of this solution are really good. They're better than the native tools. They offer added value by showing more fields such as password age and the statuses of some things that we normally wouldn't see. What I really like is the fact that we have the mailbox and the user information all on one screen. With native tools, you need two tools to show that information.
What needs improvement?
Active Roles allows policies and there are a lot of example policies that come with it. It has Access Templates and there are a lot of Access Template examples in it. It also has workflows and those are really powerful, but there are no built-in workflows. When it comes to them, it's empty. I would personally love for it to come with ten, 15, or 20 workflows where each achieves a certain task but that are not enabled. I could just look at how each is done, clone them, copy them, modify them the way I want them, and be good to go. Right now we have to invent things from scratch.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
It's very stable. Even if components lose connectivity or the database dies, as soon as they come back up, it just reconnects and goes.
What do I think about the scalability of the solution?
It covers everything we want. It's scalable. We can make it redundant, we can replicate databases. We don't use a lot of those features, but it's very scalable.
Which solution did I use previously and why did I switch?
The reason we went with this solution - and it was ten or 15 years ago - was the Active Directory delegation. We could not allow everyone to have native access to our Active Directory. The delegation feature was really the trigger. In addition, the automation was attractive. There was so much room for human error that we wanted to script activities, rather than relying on the admin knowing what to do.
How was the initial setup?
It requires a bit of getting used to, where you set what. But once you get the hang of it, it's really straightforward.
What was our ROI?
The ROI is in the mitigation of risks: The risk of leaving unauthorized access behind, the risk of having Active Directory pollution. With that comes risks of people getting access they shouldn't have. There is the risk of having multiple accounts for the same thing; that's the biggest part. There's no actual money there, but risk management is really what you pay for.
Which other solutions did I evaluate?
We considered using the Microsoft solution because it's free and built-in, and already there. That's what everybody does. But when you grow beyond a certain size, you find out that it just does not cut it anymore.
We also considered using other tools, but at the time, Active Roles was very much alone in this world. I have to admit, now there are other vendors available, which I don't have any personal experience with, but on paper, they seem to do some of the same things. But at the time, there was simply nothing else that could even come close.
What other advice do I have?
I would give this solution a nine out of ten. There's always room for improvement. With every product, nothing is completely done. But this product is definitely up there.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Managing Director at Amal it
Enables zero trust security with hybrid AD fine-grained delegation and role-based access control
Pros and Cons
- "Secure access is the most valuable feature."
- "The solution needs an attestation process that includes certification and recertification attestation."
What is our primary use case?
The solution is used for lifecycle management and can be deployed on-prem or cloud.
How has it helped my organization?
The solution enables us to create a user in the cloud and give them access to resources through a single workflow which is important to all our clients.
The solution enables zero trust security with hybrid AD fine-grained delegation and role-based access control which is important to all our clients.
The solution acts as a firewall against Active Directory, requiring our IT team to go through Active Roles and get approval to make changes. It has also reduced our onboarding time from one or two weeks to five or ten minutes.
The solution reduces the time it takes to reset a password to under one minute.
The solution simplifies Active Directory and Azure Active Directory management efficiency and security. It has a proxy layer, which means that no one talks to the connecting platform directly. All requests go through Active Roles, which acts as a proxy layer. We can set all kinds of policies, rules, and business enforcement policies on the proxy layer. This means that nothing flows to the platforms without proper information or proper data standardization. The solution manages and streamlines everything in this proxy layer.
The automated provisioning can be completed in under ten minutes.
What is most valuable?
Secure access is the most valuable feature.
What needs improvement?
The solution needs an attestation process that includes certification and recertification attestation.
The pricing is high and has room for improvement.
For how long have I used the solution?
I have been using One Identity Active Roles for 20 years.
What do I think about the stability of the solution?
The solution is extremely stable. I give the stability a ten out of ten.
What do I think about the scalability of the solution?
The solution is highly scalable and used by customers worldwide.
How are customer service and support?
The technical support is responsive and helpful.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously used ManageEngine ADManager Plus, but I switched to One Identity Active Roles because it is more robust and highly scalable. ManageEngine is lightweight and it slows down when the number of users increases.
How was the initial setup?
The initial setup is straightforward. Deployment takes around 20 minutes and depends on the type of deployment: integration, application, life cycle management, or RMAD management. However, there is usually a design and discovery phase that we conduct. Based on the discovery phase, we finalize the scope of the implementation that the end user wants to implement. This may include RMAD integration or both.
What about the implementation team?
We implement the solution for our customers.
What was our ROI?
Customers typically see a return on investment within one or two months of using One Identity Active Roles.
What's my experience with pricing, setup cost, and licensing?
The pricing is on the higher end.
What other advice do I have?
I give the solution an eight out of ten.
Although small companies can use the solution, it is not essential for them. However, it is recommended for medium and large organizations.
One Identity Active Roles exists because of the shortfalls in Active Directory.
Before implementing One Identity Active Roles, it is important to identify the pain areas and challenges that the solution can address. This solution provides a lot of options and is highly customizable, so it is important to start with the key pain areas and challenges that the organization is facing. By doing so, the organization can gradually increase the scope of the implementation and reduce delays in automating or executing certain tasks.
It is common for people in organizations to resist change. They often prefer to work in the same way they have always worked, with the same tools and processes. In order to get people to adopt a new solution, such as One Identity Active Roles, it is important to convince them of the benefits of the change. This can be done by demonstrating how the new solution will improve efficiency, reduce costs, or increase security. It is also important to get buy-in from both the top management and the technical staff. Once everyone is on board, the change is much more likely to be successful.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Architectural specialist at HK/Midtvest
It centralizes and distributes IT functions to our sub-IT administrators, making everything more efficient
Pros and Cons
- "Active Roles improved the management of users, groups, and AD objects in the organization."
- "The user and group management in Azure AD could be better. Our focus these days is dynamic sharing with several on-prem Microsoft applications like SharePoint."
What is our primary use case?
We use Active Roles as a single point to manage all our users. We're using all of the system's management capabilities, like setting group policies and delegating roles. We have around 1,400 users and 25 or 30 admins.
The company uses Active Roles as a standalone solution because we don't have HR or ERP systems connected to applications. We aren't using it to migrate from Active Directory to Azure AD. We use a Microsoft solution called AD Sync. We had this functionality before implementing Active Roles, but we hope to get that improved connectivity to Azure AD and Exchange Online.
How has it helped my organization?
Active Roles improved the management of users, groups, and AD objects in the organization. It reduces the time we spend on password resets by 50 percent and speeds up other administrative tasks by providing a faster channel to do these things.
We can use it everywhere in the organization. It centralizes and distributes IT functions to our sub-IT administrators, making everything more efficient. It makes us more productive because users don't need to submit a ticket to our service desk.
The solution makes AD management simpler and more secure. Security is a priority here because we are using lots of GDPR data. It's more specific because users can see what things mean. We can manage all our users in a more granular way than before.
What is most valuable?
We can create a user in the cloud and give them access to resources through one workflow. I rate this feature eight out of 10 in terms of importance. Active Roles enables zero-trust security with hybrid ID fine delegation and role-based access control, which is our primary purpose for using the solution.
What needs improvement?
The user and group management in Azure AD could be better. Our focus these days is dynamic sharing with several on-prem Microsoft applications like SharePoint.
For how long have I used the solution?
I have used Active Roles for around four years.
How are customer service and support?
I don't think we've ever contacted One Identity support. We might contract with Advania or another company called SolidTrust for those things.
Which solution did I use previously and why did I switch?
We had a homebrewed system, but we adopted Active Roles because we needed a more standardized product. It was cheaper for our organization to use a standard product.
How was the initial setup?
Deploying Active Roles was straightforward and took about two years.
It was a fight against time to implement because we needed to get all the applications in our organization into Active Roles. We were dealing with a wide range of applications and functional roles at the time.
What about the implementation team?
We contracted with a Swiss company to build the solution for us. We were very satisfied with their work.
What was our ROI?
I believe we've seen a return.
What's my experience with pricing, setup cost, and licensing?
The price is reasonable. It costs us about 1 million Danish kroner annually, and we also spend about half as much on consultants.
What other advice do I have?
I rate One Identity Active Roles eight out of 10. It has an unattractive web UI. If they could fix that and make it more configurable, I would give it a 10. My advice to future users is to integrate as many applications as you can into this and use all the dynamic groups.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Administrator at a healthcare company with 501-1,000 employees
Provides operational efficiency and granular control
Pros and Cons
- "It is an easier way for me to manage Active Directory with more advanced features."
- "It has helped increase operational efficiency in our organization."
- "There is always room to improve the user interface for increased clarity. I believe enhancements to the console are also necessary because it is more confusing than the web interface."
What is our primary use case?
We use it for various purposes, such as automating tasks in an Active Directory environment.
How has it helped my organization?
It assists the help desk in doing certain tasks in a more controlled manner, for instance, setting up new users. We enforce required fields to prevent setting up users without them, ensuring that certain fields meet specific requirements. It also facilitates easier management of various security features than Active Directory.
It has helped increase operational efficiency in our organization. We have a clear structure. There is a reduction in the mistakes.
What is most valuable?
It is an easier way for me to manage Active Directory with more advanced features.
The console helps with granular control.
What needs improvement?
There is always room to improve the user interface for increased clarity. I believe enhancements to the console are also necessary because it is more confusing than the web interface.
For how long have I used the solution?
I have used the solution for a bit more than three years.
What do I think about the stability of the solution?
It is stable. I would rate it an eight out of ten for stability.
What do I think about the scalability of the solution?
It seems scalable.
How are customer service and support?
It is good. I would rate them a nine out of ten.
How would you rate customer service and support?
Positive
What other advice do I have?
It is good, and I would recommend it, but you should do a proof of concept and see if it works for your environment.
Overall, I would rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Mar 13, 2025