One Identity Active Roles Reviews

We are using Active Roles for provisioning Active Directory objects and we also use it to connect, through Active Roles Synchronization Service, to our HR system and to provision and deprovision employees. 

In general, we use it to provision any object: security groups and computer objects, in a delegated manner. Active Roles Server allows the security of Active Directory to be changed to delegate access for provisioning to different IT teams, without changing the actual security of Active Directory.

The solution is co-located in our data centers.

With delegated access to Active Directory, it allows us to revoke a lot of the admin rights. It gives us a better lockdown and a more secure environment than we used to be.

It has eliminated tasks that were bogging down our IT department, especially in certain workflow automations. Through Active Roles Synchronization Service, we can process data coming from HR and automatically update those attributes and data fields straight into Active Directory, versus doing it on a manual basis or through bulk imports. Also, the fact that we can enforce data formats and policies saves us time since we don't have to go back and do a cleanup. 

In addition, because we are able to remove the main admin rights, there are fewer uncontrolled changes, and when you have fewer uncontrolled changes you have a higher availability of the service, overall, and fewer audit findings.

The solution automates provisioning. In our HR system we are automating the creation, termination, and ongoing management of all of our employee base. We have between 5,000 and 6,000 employees, and all those processes are fully automated, with IT being completely hands-off. It saves a lot of hours, easily on the order of hundreds of hours per year.

The fact that we have decreased certain operational costs, by means of automation, of course means we have been able to reallocate the time of some of our resources for more value-added activities. Because we implemented this 10 years ago, things have changed over time. It has become an established practice, process, and technology so it's hard to estimate how many FTEs we have been able to reallocate, but it would probably be at least one.

One Identity Active Roles has also improved the accuracy of our onboarding process. As a company, our onboarding process for people is subjected to SOX audits. Ten years ago we were in a situation where we had hundreds of nonconformities. Today, we essentially have zero nonconformities.

Another benefit is that the solution most definitely reduces risk for our organization. By avoiding changes to the native Active Directory security, and the fact that there is role-based access control to manage Active Directory itself through the application, there has been a dramatic reduction in risk.

The most valuable feature is the ability to delegate by using permissions and workflows. 

Another good feature is the Change History. It's centralized in a single place and allows us to manage people's Active Directory domains from a central location. We can also drill down into individual objects in a troubleshooting or even an auditing situation. We can show evidence to auditors by drilling down into the individual history. It gives you all the history of what happened around an individual object. That is something that would be almost impossible to do in Active Directory, or extremely complicated. 

We can also enforce data formats. That creates a higher quality in the data that we store in the directory by enforcing naming conventions and data formats. 

In addition, we can reach the data set by using virtual attributes, rather than extending that, so we can put schema attributes in ARS that live in AR without actually impacting the Active Directory environment.

One other thing that I really like about this product, as an engineer, is the design of it, meaning not how it looks, but how it was designed architecturally. This is one of the greatest strengths of the product. It's just designed right.

The overall UI needs a refresh; the web interface requires some modernization.

We would also like to have a SaaS version of Active Roles. Rather than implementing it in our data center, it would have been nice having a SaaS-delivered solution. 

The third area for improvement, which is the weakest portion of ARS, is the workflow engine, which was introduced a few years ago. It's slow and not very intuitive to use, so I would like to see improvement there.

We have been using One Identity Active Roles for about 10 years.

The scalability of the solution relies on the environment where it is deployed. We are a smaller company, but we are using the same design and architecture that we used initially, where we have about 15,000 to 20,000 users. We have added multiple domains, four or five, and we have never seen any issue from a scalability standpoint. I don't know if it scales to hundreds of thousand users, but for our environment, scalability has never been an issue.

We have a very good adoption rate, from a user standpoint. I can't see many areas where it could be expanded. We are leveraging the tool at a very good capacity. I don't foresee any expansion because we are using it pretty heavily.

The support service provided by the vendor on this product is pretty solid. It is an excellent support service. I would rate them a solid nine out of 10. They always have a solution or a workaround. They're very responsive and very knowledgeable. Sometimes I wish that we had the same level of support from other vendors.

We used the Microsoft native tools. We switched to Active Roles because the Microsoft native tools were really for managing the core components and didn't have all the capabilities of provisioning, deprovisioning, role-based access control, and change history. They didn't have the proxy approach to manage Active Directory in a centralized way. With Microsoft, Active Directory is distributed by nature, versus ARS which centralizes it.

One of the strengths of Active Roles is that it is easy to implement, easy to upgrade, and very intuitive, except for the workflow engine. And it's not even resource-heavy. It works on a very lightweight infrastructure and doesn't need multiple servers or any complex architecture. It's a very lean, robust, and effective tool, with low maintenance costs.

Our deployment took a couple of months, maybe less.

The tool is so straightforward that the approach was very simple. We analyzed the requirements that we had, back in the day, especially in terms of access and provision, and we just mapped them into Active Roles Server. The overall first phase of installation was very simple.

In terms of maintenance of the solution we need a part-time person, a security engineer who specializes in access technologies. The maintenance of it is super-lightweight. It's really just a few hours a month.

ROI is a very tough question because we implemented it 10 years ago. I don't have a number. But I would say that, in a large organization, Active Roles is probably something that pays back quickly. It's so integrated into our processes today, that we couldn't even think about doing without it, and replacing it with manual work.

If you have a need to put controls on your Active Directory environment, and there is significant manual work to put those controls in place, regardless of their effectiveness, or you have a risky native configuration that has to be addressed, my advice is that a solution like this is going to do the job pretty brilliantly.

It is a great solution with a lot of capabilities. It provides different types of value for each of the capabilities that it has. Over a decade, this solution has done its job.

It's a very stable system, easy to implement, easy to upgrade, and has very low operation maintenance costs. We are a very happy customer of Active Roles.

We use the solution for managing access to, shared drives and access for Active Directory.

We like that we can manage our groups and access. You can get granular in terms of the access control.

The solution enables us to create a user in the cloud and give them access to resources through a single workflow. That's very important for our organization. It allows us to assign access accordingly for the file shares for admin access to servers.

It enables zero trust security with hybrid, AD, delegation, and role-based access control. It's extremely important for us.

The solution has not enabled us to reduce password reset times.

It has not automated provisioning.

The group attestation could be improved. It was a feature that was available in version 5. You can configure it, however, it's no longer out of the box. My understanding is that they will put that feature back in again. However, right now, it's a feature that is lacking.

The way you can search groups could be better. When a company has a large number of groups it's very difficult to search the groups and assign the different columns.

I've used the solution for many years. It's likely been ten to 15 years. 

The solution is stable. 

The solution is scalable. 

We have about 2,000 users using the solution at this time. 

It's being used quite extensively and we have plans to increase the use to manage the Active Directory.

We use the vendor's regular support. Sometimes the response time is slow. Sometimes we don't feel the answers they give are correct. It seems like they don't really know what the cause of the issue is, so they tell us it's not available in the version. 

Neutral

I do not recall us using a different solution previously. 

The initial setup was quite straightforward. I'm not sure how long it took to deploy. It was too long ago. 

There isn't maintenance needed. It just needs upgrading. There's a team of three or four people that manage that. 

I have witnessed an ROI while using the product over the last ten years. Resource-wise, we've saved about 20% of resources in comparison. 

The solution is fairly priced. That said, I have nothing to compare it to. 

I'm a project manager.

I can't compare the solution to anything else. We don't use anything else, and we've not used anything else for many years. 

I'd recommend the solution to others. It's a great tool. I'd rate the solution seven out of ten.

We use Active Roles to facilitate the synchronization between our Active Directory environment, SAP, and our school information system which is Trillium. Trillium and SAP feed data for employees and students into the Active Directory.

We use password managers to manage passwords and provide us with three sets of passwords and options for our users.

Because of Active Roles, we're able to synchronize on an even more regular basis. It enables us to provide even more information to the Active Directory, which helped us to group our users in a more consistent manner.

The way it captures data and transforms it into ways that will be usable for the Active Directory is the most valuable feature. 

We haven't found a different solution that is able to do this. We have been relying on manual scripting, which proved to be very unreliable. Active Roles is definitely much better.

It also improved our automation. It was already automated, but it improved it. It was able to capture more data out of Trillium and SAP and populate the Active Directory in an open-minded manner.

We have two staff members and so per staff member, Active Roles saves us 0.2 FTE.

Active Roles has improved the accuracy of our onboarding process. There are fewer errors during the sync.

In terms of improvement, it could be made even more user-friendly for administrators when they need to create new workflows and rulesets.

It's a bit difficult. I'm not the technical person that uses it, it's my team, but I heard comments that it is quite difficult for them to get to know the product and set up the tasks that are required.

I have been using Active Roles for three years. 

It's very stable.

I would call it scalable because we look at over a quarter of a million students' data but not on a day-to-day basis. It is pretty scalable.

Right now we have two system administrators that are using it effectively. We are still deploying further automation and optimizations.

Previous to Active Roles, we had an in-house scripting solution.

We switched because of their better support and because of the succession of old, unsupported manual build scripting. This way we have a product that we know has a future and we have proper support.

In comparison to native Microsoft, Microsoft tools are basically non-existent for what we are using it for. The connectors for user federation and synchronization with the other solutions are non-existent.

The initial setup was very complex. There's a steep learning curve to get to know the product and to start using it. The deployment took almost two years. 

We started first with students and then with employees for the deployment. 

We used One Identity and we also had external resources, a contractual workforce, for the deployment. We had a positive experience. I appreciate the help that we got.

We don't see ROI in a monetary way. We are a public organization, so we don't sell anything, but I definitely have a better user experience, fewer incidents, and, therefore, better user satisfaction. From that perspective, we have absolutely seen ROI. 

Active Roles is above average on pricing compared to similar solutions. There are no additional costs to the standard licensing fees. 

My advice would be to make sure that you have a full-time team assigned to the solution. Take your time for the onboarding. It takes more time than we initially thought.

I would rate One Identity Active Roles a seven out of ten. 

The solution is used for lifecycle management and can be deployed on-prem or cloud.

The solution enables us to create a user in the cloud and give them access to resources through a single workflow which is important to all our clients.

The solution enables zero trust security with hybrid AD find delegation and role-based access control which is important to all our clients. 

The solution acts as a firewall against Active Directory, requiring our IT team to go through active roles and get approval to make changes. It has also reduced our onboarding time from one or two weeks to five or ten minutes.

The solution reduces the time it takes to reset a password to under one minute.

The solution simplifies Active Directory and Azure Active Directory management efficiency and security. It has a proxy layer, which means that no one talks to the connecting platform directly. All requests go through the active roles, which act as a proxy layer. We can set all kinds of policies, rules, and business enforcement policies on the proxy layer. This means that nothing flows to the platforms without proper information or proper data standardization. The solution manages and streamlines everything in this proxy layer.

The automated provisioning can be completed in under ten minutes.

Secure access is the most valuable feature.

The solution needs an attestation process that includes certification and recertification attestation.

The pricing is high and has room for improvement.

I have been using One Identity Active Roles for 20 years.

The solution is extremely stable. I give the stability a ten out of ten.

The solution is highly scalable and used by customers worldwide.

The technical support is responsive and helpful.

Positive

I previously used ManageEngine ADManager Plus, but I switched to One Identity Active Roles because it is more robust and highly scalable. ManageEngine is lightweight and it slows down when the number of users increases.

The initial setup is straightforward. Deployment takes around 20 minutes and depends on the type of deployment: integration, application, life cycle management, or RMAD management. However, there is usually a design and discovery phase that we conduct. Based on the discovery phase, we finalize the scope of the implementation that the end user wants to implement. This may include RMAD integration or both.

We implement the solution for our customers.

Customers typically see a return on investment within one or two months of using One Identity Active Roles.

The pricing is on the higher end.

I give the solution an eight out of ten.

Although small companies can use the solution, it is not essential for them. However, it is recommended for medium and large organizations.

One Identity Active Roles exist because of the shortfalls in Active Directory.

Before implementing One Identity Active Roles, it is important to identify the pain areas and challenges that the solution can address. This solution provides a lot of options and is highly customizable, so it is important to start with the key pain areas and challenges that the organization is facing. By doing so, the organization can gradually increase the scope of the implementation and reduce delays in automating or executing certain tasks.

It is common for people in organizations to resist change. They often prefer to work in the same way they have always worked, with the same tools and processes. In order to get people to adopt a new solution, such as One Identity Active Roles, it is important to convince them of the benefits of the change. This can be done by demonstrating how the new solution will improve efficiency, reduce costs, or increase security. It is also important to get buy-in from both the top management and the technical staff. Once everyone is on board, the change is much more likely to be successful.

We started using Active Roles because we wanted protection against user errors by our frontline service desk.

We have an on-premises solution.

Instead of deleting accounts, we like the deprovision option so that we can reverse any accidental deletions. It also gives a higher level of quality control in terms of enforcing any number of variables, such as making sure that an account has a description entered before the account can be created. We can backtrack and know the history of it that way.

It has also eliminated admin tasks that were bogging down our IT department. Before we started using Active Roles, if one of our frontline staff members deleted a user or group, it could take several hours to try to reverse that mistake. Whereas now, the most our frontline staff can do is a deprovision, which just disables everything in the background, but it's still there. We can go in and have it back the way it was two minutes later. Instead of it taking two hours, it only takes two minutes.

In addition, it reduces risk by enforcing stronger and more complex passwords that not only conform but go above and beyond the default recommendations from our Microsoft policy. It makes sure that there's a certain level of completion with anything created or provisioned through ARS. It enforces compliance, and that is definitely helpful.

I've been using One Identity Active Roles for about five years.

It's a stable product. We have very few issues with it.

Up until our migration to Office 365 and Azure, our Active Roles architecture was very static. We didn't really have to scale it out at all during that time. The only scalability exercise that we've done is trying to adapt to Azure in Office 365, and it's a challenging process to do that.

The product itself is fine and works well. I've had a difficult time getting it to cooperate with Azure in the cloud and, while the support staff are very good and very knowledgeable, what they assist with just on a call doesn't go deep enough to help with a number of issues. The answer that comes back is that we'd have to start an engagement with Professional Services, which is fine but that takes time to schedule and it takes budget. And during all that, you have a delay in getting a particular part of the platform working properly.

I've worked with several One Identity support folks and they're all very knowledgeable and pleasant to deal with. But sometimes I get the feeling that their hands are tied with how much support they can give me for a specific task because it gets into that gray area of what's break/fix and what goes off to Professional Services. If it falls in that gray area, it's hit or miss whether you're going to get support from your first call or whether you have to wait until you can dedicate a whole day to it.

Support could benefit from helping with a broader area of ideas on a first-call-resolution type of model, rather than just focusing on break/fix issues. They should also help with configuration issues.

The process was complex. We had the help of an integrator from Quest, back then. We had him come onsite and work with us. There is definitely a learning curve when it comes to setting up templates. It's a complex product, but it's good once you get the hang of it.

The initial deployment took about a couple of weeks, but that was when everything was still on-premises. There wasn't any Office 365 or Azure back then. In terms of getting our Active Roles to cooperate with Azure now, I've been struggling with that, on and off, for over a year now. That's not necessarily a fault of One Identity. Their support is partially to blame for that, but a lot of it is on my shoulders too, due to the fact that I have other responsibilities at my workplace.

We have about eight admin staff who use Active Roles daily, and pretty much all day, for user functions. We don't have end-users with any control over delegation through Active Roles, although that might be something that we explore later; we might allow some office administrators to do various functions.

There are a lot of other benefits that we take advantage of that are above and beyond the native Active Directory functions that Microsoft provides. There's no comparison between Active Roles and the native Microsoft tools. You can customize the interface so that you can create a user account much more quickly. Active Roles also gives you a really nice audit log of when a user account was created and of any changes that happen to that account after the fact, as long as you do those changes within Active Roles. It's a really nice way to have a full view of the lifetime of an object created through Active Roles. It's much better than the native tools.

We researched various solutions before we narrowed in on what was Quest, back then. At that time we were going through a migration from an old Microsoft domain to a new Microsoft domain and we are using a different Quest product, but we haven't evaluated any other products.

It is a good tool and anybody who works with Microsoft Active Directory and Azure can definitely benefit from using Active Roles. But it can be challenging to get Active Roles and Azure to play nicely together, depending on how your company is configured.

For some organizations, I could see that the product could help move staff to more important IT initiatives, but we don't use it at a level that it would help us in that capacity.

The big lesson learned—and it would depend on various people's skill levels or proficiency— for a new implementation where you're working with Azure and not Office 365, would be to budget for at least a one- or two-day session with Professional Services. That would save you a lot of time, and in terms of hourly costs, you would actually probably end up saving money by buying the Professional Services session.

I am in the process of scheduling a meeting with One Identity Professional Services to start using Active Roles for migration from AD to Azure AD. We've tried to mesh our Active Roles implementation with our new Azure setup and it's been challenging. Added support is definitely needed to get over the last few humps there.

I do find it a very useful tool. I have researched other players in the field and there's not a lot out there. Active Roles has the edge. I don't see us moving to a different product, but the biggest frustration has been getting enough support out of support.

1. It is mainly for delegation of permissions inside the domains for large companies.
2. It is for provisioning and deprovisioning users in the Active Directory (AD) and their licenses in Office 365.

We are working with a customer now who is having some problems with their permissions and delegations, because a lot of users have to do administration activities in the Active Directory. Now, they have been given domain administrators. However, with this solution, they are skipping all the domain administrators and keeping the normal users, which is fantastic for them because some of the personnel are basic IT technicians without the knowledge of AD advance features. Our customers were afraid of errors being caused by these people, so they can avoid these errors in the new environment.

This solution eliminated tedious IT tasks with provisioning. We have a lot of customers who prefill, or have only a list of values, for some fields.

The delegation feature is really important. It is one of the most valuable features that our customers appreciate about the solution. 

The provisioning and deprovisioning saves a lot of time and skips a lot of errors.

For the AD management feature, it is perfect. It covers everything. 

For the AAD management feature, it needs to improve the objects that we can manage and the security. I know that they have everything in road map, so they probably will include everything in a year or a year and a half.

I would like them to support a cloud solution. This is important for us. They have it on their roadmap. For now, they only have basic options for cloud-delivered services. We are in the prospect of looking for a customer who wants a cloud-only solution, but will wait for the new features, which will probably be available in one year.

The should try to move everything to a web interface. More solutions are trying to use a web interface. 

They need batch processing, but that is in the road map, and that's okay. 

They need better language support. While they have a language pack, it's not always available at the same time as the product. Sometimes, when we install it in other countries, they don't have the language pack, then our customers complain about this.

It is pretty stable.

You can add more servers for some functionalities. For now, I haven't found any issues with the scalability, even with large organizations (more than 80,000 employees).

While I don't open many cases, when I do open one, normally the response is quick. They either give me a solution or put it in the queue to do it. So, for now, it is okay.

The initial setup is straightforward and easy: Install the product and connect the domains. The configuration can be complex or easy depending on the customer.

The solution has saved our customers time by automating tasks that could take from half an hour to 45 minutes.

Test it. Whenever you test it in your real environment, you normally want it. 

If you talk with an AD administrator about this solution and you display the features: How you save time, how you avoid errors, etc. It's a really good product. The main problem is getting companies to pay money for the product, but all AD administrators want to have this solution.

RBAC for AD and Exchange

Provisioning, Re-provisioning, De-provisioning and Undo-De-Provisioning of user accounts

User Self Service

Virtual AD firewall

• Heavily Automates - it will automate the entire provisioning, re-provisioning, de-provisioning and undo-de-provisioning tasks
• Complete Audit Trail - it gives an audit trail for each and every activity
• Increase in accountability – various tasks can be enabled for approval.
• Virtual Firewall against AD/Exchange - it helps protect Active Directory and Exchange exposure to administrators and engineers
• Escalations – it helps escalates tasks if not acted upon in a stipulated time frame
• Security –
  • it helps in increased security as every employee will have correct resource access depending upon the business policies
  • user account is disabled and user is removed from the security groups which prevent misuse of user credentials

• Role Based Access Control
• Provisioning, Re-provisioning, De-provisioning and Undo-De-provisioning policies
• Data validation policies
• Workflows
  • If Then Else statements
  • Approval Workflows
  • Schedule Workflows
  • Escalation
• Virtual Schema
• Virtual OU’s
• Web console with easy customization option
• Integration and data synchronization with SQL, Office 365, Lync etc.
• Event handlers

• Web console – it should have more customization options in terms of look and feel of the landing page
• Workflow policies – Additional policies for folder access provisioning
• Bring back attestation – Attestation feature is dropped from ARS. This should be brought back

No issues encountered.

No issues encountered.

Customer Service:

It's good.

Technical Support:

It's good. In fact, the One Identity (Quest) support team has easy access to the One Identity (Quest) product developers. In case of any technical issues which has something to do with the product architecture or a bug, the support engineer brings in the developer in a remote session so that the developer understands the issue. The developer(s) then work on a patch to address the issue.

I did not use any other solution.

The initial setup is pretty straightforward. It's not at all complex.

Our company, Amal IT Solutions, is a One Identity (Quest) partner. Our consultancy has 10+ years of experience with this solution.

I won’t be able to provide ROI from commercial perspective, but from the below points one should be able to figure it out:

1. User provisioning/De-provisioning – this activity, which takes anywhere from one day to three or four days manually, is done in minutes without any IT resource intervention and so increases efficiency and productivity


2. Notifications – respective stake holders/business owners are notified immediately upon an activity performed, and no follow-up emails or phone calls required


3. Data consistency – it helps to maintain data consistency in AD which eliminates a data clean-up activity which IT department has to undertake regularly


4. Data synchronization – it synchronizes data between HR application and AD/Exchange or other applications and AD/Exchange relieving HR and other application owners from day to day tasks of co-ordination or creating/modifying/deleting application user accounts


5. Automation – Most of the IT tasks are automated which in turn reduces work load on IT department. IT resources could be better utilized for some other useful activities

It’s a gentleman’s agreement.

Licensing is based on Enabled User Accounts in AD. This should include user accounts, application accounts and service accounts.Temporary accounts could be excluded, but no one from vendors really challenge the user count which the customer provides. Some customer’s find the price bit on higher side but, for me, the price is competitive compared to other products with similar functionality and considering the ROI.

The product functionality does not cease if the customer exceeds the license count. The vendor does not want to force the customer to stop using the product if the license count increases. Instead, customers can buy additional licenses without hampering the day to day work.

We didn't evaluate other products.

This product has tremendous potential. It can be used to automate a lot of day to day activities. I always tell my customers, list down all your requirements, pain areas, and day to day tasks. Prioritize them, and use this tool to automate these tasks as per priority.

When a new employee is hired, we create a new Active Directory (AD) user in a related department (Organizational Unit) with a random generated password, then give that user some AD rights. Also, we create an exchange mail user for this user on cloud or on-prem and inform that user by sending a notification mail or SMS. We did similar things in other systems and did all the process manually before Active Roles. That means lots of workload and manual processes. Active Roles provided us to do all these operations automatically and reduced our workload very significantly.

• It provides automatic provisioning/update/deprovisioning workflows from a source system to a target system.
• It allows you to easily monitor all workflow processes.
• It has very powerful native policies and scripts, which allow you to create your own custom policies, scripts, and virtual attributes.
• In addition to using the console (MMC interface), it also gives you management from the web interface.

For ActiveRoles, it would be good if the product supports multi-scripting language. You can use only VBScript.

VB.net , C#, or Powershell scripting would be a good choice for the product.

No issues.

No issues.

Technical support replies really promptly. The support team is very experienced and focused on the product. On the other hand, there is a community portal and you can find every piece of knowledge on there.

We have not used any similar products before. We did all related operations manually.

It was very straightforward.

The licensing model is a simple user-based model, not that much complicated.

We evaluated and researched other options, such as NetIQ, FIM, Oracle, CA, IBM, and SailPoint.

However, Active Roles is most suitable for us.

It is very important to come together with system owners who will be integrated at the beginning of the project to clarify all the rules and determine the work to be done. Test environments of the systems to be integrated must be requested. Test environments are so necessary.