One Identity Active Roles Reviews

Our primary use case has definitely evolved since our very first use case, which was for delegation of rights within Active Directory without having to give folks native rights through Active Directory. That was our biggest driving factor into the use of Active Roles. All the other stuff that it does is a benefit, and we use it all heavily. However, we're very big into using the least privileged model and having the least amount of Active Directory native rights out there, as this cuts down on issues later. By having less people with native Active Directory rights, this cuts down on potential issues that we have to troubleshoot.

It is used in our on-prem Active Directory, but the servers themselves are hosted out of Azure. So, we use IaaS, which is just having VMs in the cloud versus having our VMs on-prem. The only cloud aspect is that VMs are hosted in the Azure IaaS instance. It's a normal VM, which is part of our on-prem Active Directory, but it just happens to be hosted in Azure.

The biggest thing for us is Active Roles saves a lot of man-hours, from keeping groups up-to-date manually or trying to write some sort of script that you have to run, so we don't have to reinvent the wheel. Instead of when every time somebody joins a department, then somebody has to remember to put in a request to add "meet user Joe" to this group, the solution does it automatically for us. Therefore, it saves our business and IT staff time because they do not have to process requests since Active Role can do it for them. 

We have about 2000 of these groups in a pretty substantial company of 55,000 employees. Active Roles cuts down on a good number of these tickets every time somebody is brought onboard.

We are a large company who does a lot of department codes. People are coming and going from the company daily. Active Roles probably saves us an upwards of 500 requests a week.

The solution has eliminated admin tasks that were bogging down our IT department. Now, nobody from IT has to take action to update the group in cases when someone joins or leaves the company.

Active Roles has assisted us greatly in provisioning and deprovisioning accounts as folks come and leave the company. We have automation in place that utilizes Active Roles to create and deprovision accounts as folks leave. ActiveRoles Server (ARS) has been instrumental in making sure accounts get cleaned up when they get deprovisioned. Other features of Active Roles, such as Dynamic Groups, have helped us to streamline the process. It's not taking everything away for us, but it's provided us a lot of streamlining. It probably saves, on a per user basis, a half an hour of man-hours between different tasks once you put everything together. This saves us about 40 hours of work for somebody a week.

When our HR department terminates an account, we have a script that talks to Active Roles and sends Active Roles a provisioning command. We have Active Roles set up to do a variety of tasks where deprovisioning is requested. The most important one for us is that after so many days of that account still being disabled and the person being gone, Active Roles will clean that account up for us and delete it out of AD. Therefore, we don't have to manually go in, terminate folks, clean up the accounts, and all that other stuff that happens when someone leaves.

Between the automation of using Active Roles to do our onboarding, policies, and workflows, we can ensure that the data that gets put into Active Directory during the onboarding of any type of object for Active Directory is accurate, meeting our standards so we don't get junk put in there. This has helped streamline things. One of the hardest things from an Active Directory management perspective, without a tool like Active Roles, is controlling how people do something. How I would want to install or set up a new user might be different than the person next to me, e.g., you can give somebody a set of policies to follow when you're not using a product like Active Roles, then it's up to them to interpret that and follow them. Active Roles allows us to enforce those policies so the data that gets put into Active Directory is cleaner and consistent. Having consistent data allows us to do a lot more automations and ensuring people and objects are set up properly.

It definitely improves our security. We are a larger company, so we have a lot of IT staff who are responsible for different parts. Someone does new groups while someone else does servers. There are a lot of hands touching Active Directory. Using a product such as Active Roles, we can delegate those rights to the hundreds of accounts for people to do their jobs. This reduces our risk for somebody's account being compromised. If they have native rights in Active Directory and an account is compromised, that is a higher security risk than just using Active Roles, because the only way somebody can make a change in Active Directory when ARS is involved is to use the Active Roles interface. If someone hacks in and tries that, they're not going to be able to do that. So, it definitely improves our security posture. We have only a handful of people with highly privileged accounts in our environment because of Active Roles.

Active Roles has a PowerShell interface that allows us to let other parts of our environment and other applications, which might need to interface with it, make changes within the Active Directory by utilizing PowerShell commands. We can apply the same principle as our security rights so they have to use Active Roles, reducing our risk from a security perspective.

We use it extensively. Our help desk and all the end users or administrators use it. It was being used for user provisioning, but we have now automated some of the functions. Earlier, when it was being manually done, we had set up all the templates for the end-user provisioning and de-provisioning.

The granular control has been very helpful for us. We want to be able to control what level users have access to. It is possible to control access levels at the organizational unit or even the attribute level, making it helpful for us.

Active Roles helped increase operational efficiency in our organization. We have delegated user provisioning to the help desk so they can create users or manage accounts. We have delegated group management to identified group owners who can manage their groups. Some of them just need read-only access to AD; they do not need to download the native tools. They can just do it via a browser.

Active Roles has helped our organization reduce the number of erroneous privileged accounts. We have set the templates, and we have set the standards. It helps standardize all the naming conventions and how they are provisioned with the rules. That is definitely very helpful.

We use the change history to see who might have modified what object. We have that tracking, but we use a tool from Quest called Change Auditor that can do the auditing to figure out who did what type of thing for auditing.

We use Active Roles to bring our decentralized environment into a single pane of glass. Our entire customer base is in a single directory, and they can manage their objects without interfering with other entities in our environment. 

We saw benefits immediately. We must have these roles in place in our environment, or we'd be in big trouble. The solution improved our operational efficiency. Instead of manually applying permissions in Active Directory to thousands of OUs, we can do it in five minutes with a command in PowerShell.

It prevents us from erroneously assigning permissions. Active Roles improves our security posture by ensuring permissions are consistent and applied to the correct target every time. By taking the manual work out of the equation, we ensure we don't have any credential leaks.   

Our primary use case for ARS is for the ease of delegating administrative access and the ability to limit direct access to the domain controllers. Those were the primary purposes for purchasing it. We do much more with it now, probably more than anyone else.

We're still working through that primary use case. But in addition to that, over the course of the last seven years, we've been able to leverage ARS to allow us to do a lot more and be more efficient. We use it for dynamic groups. We automatically group users together by department, reporting structure, etc., to leverage them for access, authorization, and authentication. And we automatically group computer objects for management authorization.

We have also started leveraging ARS as an identity platform. It was an interim solution until we move over to our final solution, for which we're going through vendor selection right now. The way we use it for identity is that we use custom scripts and workflows and scheduled tasks. We were able to migrate off of our legacy identity platform and move everything we currently do into ARS.

While migrating to ARS, we also implemented role-based access for the administrative users and customized views for each role in ARS, in the web interface. So if you're a level-one support, you only see the tasks that you are allowed to do, versus if you're a full-blown administrator, you see everything.

In addition, we use it for account creation at the university. We expose native Azure AD user group properties to assist with support increase. We provision and de-provision applications, and we create the necessary reports.

We reduced the development cycle for modifications to code, which enabled us to easily integrate and onboard services, applications, and areas of the university that were not previously centralized. We just centralized Law, for instance. 

We also have real-time alerting for failed tasks, which has reduced the troubleshooting tickets, user frustration, and allowed us to, in some cases, address the issue before it's even realized by the customer. In our previous system, if a task failed, we didn't know about it until the next day. Now, if a task fails, we're immediately notified by the system. That's how we're often able to clear it before the user ever even knows anything impacted them.

In addition, with the use of workflows and the scheduled tasks, we were able to automate and centrally manage a number of the processes as well as utilize them to work around other product limitations. Those include, but are not limited to syncing larger groups, which have 50,000-plus members, to Azure AD.

We sync up to Azure AD using ARS. If we had not already had ARS in place, it would have been impossible for us to have done so in the time period we did it in. We did it in under six months. If we had been migrating to a whole new platform, or an identity system, the way that things were, we would not have been able to do that in six months. ARS saved us. It was our bridge between an outdated solution, one that had not been matured. It gave us that time to breathe so that we could find the right solution for us. ARS won't go away, it will just stop doing the identity pieces. We will continue to use ARS.

ARS probably saves us at least two weeks out of every month. It's reduced our workload by 50 percent, easily.

We were able to introduce automated role-based provisioning for the first time, because we had ARS. We introduced role-based access. We introduced birthright access. Those had never been done before. We took ARS and turned it into an identity platform as our interim solution. That enabled us to eliminate Oracle Identity Manager completely. Per user, automated provisioning saves a couple of hours per week.

It has enabled staff to focus on more important IT initiatives. Because it is dependable, and because there aren't any issues with it, it allows the operational staff to also be development staff. A lot of our time has been freed up so that we can do things like interview vendors, come up with a logical strategy, and things of that nature. So ARS has certainly assisted in us being able to do that. We didn't reduce resources. Rather, time was freed up so that we could focus on more important things.

It also reduces risk because we use it to leverage dynamic groups, and with a dynamic group, if the person is no longer in the feed coming from the HR system, then that person is immediately and automatically removed from the group. We don't have to wait for a human being to go and look in every single group to see if that person is in there. It's a matter of internal best practice, ensuring that we meet the requirement to have least access.

I use it primarily for granting, managing, and auditing access.

The ways Active Roles has improved the way we operate are through workflows and user onboarding, automatic user management, group permissioning, adding users to the right groups based on the department, and distribution list creation based on dynamic group membership and active users.

And because of the single interface and workflows, it has simplified AD and Azure AD management efficiency and security.

We are using Active Roles for provisioning Active Directory objects and we also use it to connect, through Active Roles Synchronization Service, to our HR system and to provision and deprovision employees. 

In general, we use it to provision any object: security groups and computer objects, in a delegated manner. Active Roles Server allows the security of Active Directory to be changed to delegate access for provisioning to different IT teams, without changing the actual security of Active Directory.

The solution is co-located in our data centers.

With delegated access to Active Directory, it allows us to revoke a lot of the admin rights. It gives us a better lockdown and a more secure environment than we used to be.

It has eliminated tasks that were bogging down our IT department, especially in certain workflow automations. Through Active Roles Synchronization Service, we can process data coming from HR and automatically update those attributes and data fields straight into Active Directory, versus doing it on a manual basis or through bulk imports. Also, the fact that we can enforce data formats and policies saves us time since we don't have to go back and do a cleanup. 

In addition, because we are able to remove the main admin rights, there are fewer uncontrolled changes, and when you have fewer uncontrolled changes you have a higher availability of the service, overall, and fewer audit findings.

The solution automates provisioning. In our HR system we are automating the creation, termination, and ongoing management of all of our employee base. We have between 5,000 and 6,000 employees, and all those processes are fully automated, with IT being completely hands-off. It saves a lot of hours, easily on the order of hundreds of hours per year.

The fact that we have decreased certain operational costs, by means of automation, of course means we have been able to reallocate the time of some of our resources for more value-added activities. Because we implemented this 10 years ago, things have changed over time. It has become an established practice, process, and technology so it's hard to estimate how many FTEs we have been able to reallocate, but it would probably be at least one.

One Identity Active Roles has also improved the accuracy of our onboarding process. As a company, our onboarding process for people is subjected to SOX audits. Ten years ago we were in a situation where we had hundreds of nonconformities. Today, we essentially have zero nonconformities.

Another benefit is that the solution most definitely reduces risk for our organization. By avoiding changes to the native Active Directory security, and the fact that there is role-based access control to manage Active Directory itself through the application, there has been a dramatic reduction in risk.

I am an implementer for the product. I install Active Roles for companies.

Active Roles helps my clients by reducing erroneous privileged accounts, often cutting them in half. It also reduces IT administrators' time spent on these tasks by 5 to 10 percent.

My clients can save money on licensing. We can bundle Active Roles with other IGA solutions and save on overall service renewal. The solution improves user experience for most users. The end-users generally only use the self-service portion, which they like. It's easy for them to use. Unfortunately, there is one annoying setting that they initially set, but that could easily be remedied in the future. For IT users, it's a mixed bag. Administrators love it. I think it's wonderful. Depending on how the administrators deploy it, the help desk users either think it's great or hate it because they want to use a console.

We're using it for identity management, including the creation of accounts and synchronizing them with our HR system. 

It improves things in many ways. You have control over what attributes the service desk analyst can change and you can provide them with lists of changes. You can build in the integrity rules. It also definitely simplifies management on-prem. It definitely is a plus to use this tool.

We do automated provisioning and it's set from HR through this tool. It's all instant. If it had to be done manually it would probably take a couple of hours per user, but we've had it set up like this for 10 years so I'm not sure how much time it's saving us.