One Identity Manager Reviews

• The GUI is very impressive and clean (even cleaner and minimalistic in v7).
• JobQueueInfo does an amazing job tracking all processes.
• Synchronizations are easy to set up.
• Reporting capabilities are fantastic once you get the hang of using Report Editor.
• WebDesigner allows a lot of customizations to be added to the web project.
• Schema and table names are very logical. It is very easy to find something in the database just because of the fact that the naming convention in the schema is very logical and consistent.
• It's a feature-rich product: a suite of very powerful tools with a lot of functionalities once you get the knack of them.

• Auditing becomes easier from an admin perspective.
• There is more control over everything.
• Processes are much better defined.
• People tend to take some functional roles much more seriously. There were some roles that were very old in the organization but the legacy implementations did not grant much value to them. Q1IM's implementation of those roles really enhanced the value and the role members had clear responsibilities/tasks defined that they had to abide by.

• DBQueue processes can bottleneck the system at times. In v7, its apparently re-architectured, and is better. There can be too many of them and they process very slowly, causing actual processes to take a lot more time to complete.
• There should be a way to define fail-over job servers in process steps. Job servers can become a single point of failure.
• Better support for Oracle back end databases. SQL support is good and KBs are easy to find. The same level of support should be available for Oracle if the product claims to support it.
• A better migration tool for v6 to v7 upgrade, especially for the Oracle back end.
• There should be a way to separate out the front end (IT Shop) from the back-end processes. If the submission of a request through the web portal is done and it gets stuck computing something in the back end, the front end control should still be granted back so that the user can continue navigating freely across the site. Currently, if a request is submitted and it is taking time to process, the front end just gets stuck on a spinning wheel (loading wheel).

I have used it for ~2 years.

If the requirements can be met through product configuration, then issues don't arise as often. Customizations (depending on complexity) can be problematic at times.

Transporting change labels across environments can be confusing. It should be noted that the content contained in change labels should be documented right from the beginning of the project and all team members should be on the same page.

It's more about getting used to the correct way of working with the product rather than issues with deployment.

I have not encountered any stability issues.

We implemented the tool in an environment with roughly 35,000 active employees and over 2,000 service accounts. A few things I noted were:

• The web portal (IT Shop) tends to get a bit slow loading information for certain roles that have access to lookup all employees.
• The admin tools can also get a bit slow while loading too much information at once. For example: Loading user account information under the Active Directory tab in Manager can take a long time.
• We had various rules defined in our scripts for central account generation. One of those included a check in a history table to avoid granting a user name which has already been used in the past thus avoiding collisions. This caused our contractor account requests through the web portal to become extremely slow. Submitting a user account request from the IT Shop could take up to four minutes at times. We had all necessary columns indexed and the code to generate CentralAccount was written by the vendor team itself but the slowness could not be tackled.
• There was always a direct relation between the slowness we faced and the number of employees the environment managed. For example: Account requests used to take roughly 20 seconds in our development environment which had roughly 15k users and almost 25k entries in the history table we maintained to avoid username collision. In our production environment, it took way longer since the number of employees increased to ~35k and entries in our history table exceeded 150k records.

Customer service was just average during implementation phase.

Technical support is decent overall. However, some SRs took way too much time to resolve for the value they provided.

Some escalation engineers are very knowledgeable and troubleshooting sessions with them can be really worthwhile and informative.

We previously used legacy scripts with Microsoft FIM as the backend. FIM was too old and not user friendly at all. It was ancient in terms of IDAM and there were far better products with a lot more capabilities.

Setup was straightforward. Initial JobService configurations ends up being a bit confusing.

It was a hybrid implementation: We had an in-house team and a vendor team during the time of development for the first phase of the project. The second phase was done purely in-house.

The vendor team was not good. It was just average. There were a lot of times when we felt communication was lacking from the vendor side and at times, there were mistakes in the implementation, also. We recognized some errors long after the product had gone live. Overall quality delivered during development was not up to the mark. Average experience during the first phase with the vendor caused us to stick to a complete in-house implementation for the second phase.

Vendor teams (at least in the US) should be trained more about the tool's capabilities. I have heard that European vendor teams are much better with a lot more knowledge about the product.

Before choosing this solution we also evaluated TIM, OpenIAM, OIM, and SailPoint. All had week-long PoCs with us. We chose Q1IM (at the time, D1IM). SailPoint was a close second.

It is certainly a leading product in the IAM sphere.

Our primary use case was to onboard certain applications for a customer.

One Identity Manager helps minimize gaps in governance coverage among various servers. If you are trying to do an access review, or want to grant access to someone, these generally require a review process. Those kinds of reviews are done manually if there are no governance tools. This tool makes that process smoother. It sends automatic reminders and will automatically discard a request if someone does not approve it. We can even configure it so that if someone has not approved it five times, it can be auto-approved. It streamlines the whole governance process and reduces a lot of manual activity with automation.

It also helps streamline application governance when it comes to application access decisions, application compliance, and application auditing. Previously, these processes required a lot of manual work, but that work has now been discarded.

Another benefit is that One Identity Manager definitely helps application owners make application governance decisions without IT. It sends regular notifications and anyone can see what is pending on their plate. They can take action on what should be a part of their application and what should not be a part of their application, and make informed decisions.

An outstanding feature of One Identity Manager, compared to SailPoint, is the dashboard where they present everything. With the dashboard, the customer can see how the integrations have happened. It is more presentable than what we have with SailPoint. The user experience is good because everything is exposed on the dashboard. They can tweak it a little bit if they want.

Also, using its business roles to map company structures is fairly easy and good, similar to SailPoint. It is handy. This function is very important because today, most organizations rely on RBAC, role-based access control. If a tool offers identity management capabilities, it must also offer role-based access control. Both One Identity Manager and SailPoint offer good role-based access controls. It's easy to configure and use.

I have used One Identity Manager for S/4HANA from SAP, and that was a very complex integration. S/4HANA has a very complex permission structure, and you cannot find the segregation of duty. That means you cannot do policy violations and policy checks. One Identity Manager does not provide a very flexible way to do segregation of duty based on the permission structure of S/4HANA. Doing so is beautiful in SailPoint, which has a more robust way of doing it.

Also, integration with various applications should be made smoother. It is very difficult right now for regular implementers.

Access reviews are another thing that is not that good in the solution. It needs improvement.

Entitlement management is another area where I have struggled a lot, wherein you try to manage the access of users to various applications. It is not that smooth in the solution.

These last three items need to be improved on a very urgent basis.

I used One Identity Manager for about six months.

On a scale of one to 10, where 10 is the best, if I look at the stability equally across all features, One Identity Manager is an eight and SailPoint is a nine.

The solution is very scalable.

I have not interacted with their support.

Onboarding certain applications for a customer was something that gave us difficulty with SailPoint. And the primary driver for switching was cost. SailPoint was very costly and One Identity Manager was a little bit cheaper.

The user experience is good, but the implementer's experience is not that great. As an administrator, when I'm trying to implement a solution, it is a hectic job.

The time it takes to implement depends on the requirements. If you want, for example, to integrate Active Directory, it will take two to four hours because it is an out-of-the-box application and very common. When it comes to complex applications like SAP, HRM, or ERP solutions, they have complex infrastructures. Integrating such applications takes no less than five to six working days.

The number of people involved is based on how big the project is. If it involves implementing 100 applications, you definitely need a team of 15 to 20 people to complete it within one year. But if you only have to onboard five applications with One Identity Manager from scratch, where you have to install the product, it will take six to seven months. With SailPoint, it takes a little bit less time.

We used the help of One Identity partners because we don't have expertise in One Identity Manager. We are SailPoint experts. They were involved in architecting the whole solution from the beginning as well as in customizing it.

The partners struggled a bit because some of the features are not that flexible in One Identity Manager. The product has all the capabilities required, but it is not that implementer-friendly.

In terms of the training that the partners provided to our customers, I was not present, but the feedback from the customers was that it was okay. They understood things.

Overall, the value provided by One Identity Partners was a seven out of 10.

The price of One Identity Manager is cheaper than SailPoint. When we initially suggested SailPoint to some customers they were surprised at the price, so we then suggested One Identity Manager and they went with that.

In addition to the licensing fees, there are costs for customization if you want to build custom modules.

In addition to SailPoint, I have worked with ForgeRock, Microsoft FIM a long way back, and others.

SailPoint has a lot of advantages as compared to One Identity Manager. First, the installation time is very short, and the process is very smooth. Second, it is an implementer's tool, meaning an implementer enjoys developing applications with SailPoint. SailPoint may not be that user-friendly, but it is very implementer-friendly. Implementation is easier with it. And because it is implementer-friendly, implementers can add value to the product, meaning its capabilities can be enhanced based on customer requirements, which is something that is lacking with One Identity Manager. And compared to SailPoint, One Identity Manager has fewer features.

Most of my customers in the region where I work, The Middle East, prefer on-prem solutions. They don't like the cloud. SailPoint and One Identity Manager both have on-prem solutions, so I am focusing my comparison on them.

I have also worked on cloud-based solutions but they have their challenges.

For enterprise-level administration and governance of users, data, and privileged accounts, One Identity Manager is average. Its privileged account management is lacking in capabilities. You have to integrate it with various other PAM tools and only then can it be used for that.

One problem with almost all identity managers today is that the implementation is based on certain information. After that, if certain big changes happen in the organization, you have to reflect all of those changes in the identity management solutions by doing certain customizations or implementation activities. That takes a good amount of time. That complexity is present in almost all identity managers today. It is not very quick when it comes to making changes.

Regarding Zero Trust, that is a buzzword as well as a big word. One Identity Manager alone cannot achieve an identity-centric Zero Trust model. It has to start at the network level through the identity management level, and we have to integrate it with multiple different solutions. We have not achieved Zero Trust for any organization yet.

One Identity Manager is mostly suitable for identity governance capabilities but is not that suitable for access management or privileged account management. If you are evaluating this product for access management or privileged access management, you should not go with it. If you want a governance product, go ahead and use this one.

One Identity Manager is a central identity provider and authorization provider, and I've been using it for multiple customers who use it as a central identity provider.

In terms of the most valuable feature of One Identity Manager, it's not like one feature is useful without the other features. It's not a tool, but it's more an overall integrated solution that is helpful and not specifically one solution on its own. The best points of One Identity Manager would be its process orchestration and synchronization manager.

The philosophy behind One Identity Manager has always been that there's not one way of working and that you can set it up according to your own identity and access management philosophy, but what would make it better is by shortening the setup time and the learning curve time. If the team could create some best practices with a wizard to set the solution up within companies, that would be a killer feature and would help make identity access management more approachable. That would also help companies that don't have the resources or a dedicated team to set up One Identity Manager.

What I'd like to see in the next release of the solution is the addition of just released application governance parts. That would sound promising. It would also be interesting if the team sets up best practice startup wizards, so you could set up One Identity Manager according to selectable best practice wizards instead of setting it up completely by yourself.

I've been working with One Identity Manager and its predecessor Quest since 2014.

One Identity Manager is a stable solution, although like any vendor bugs occur. It is frustrating there's no bug tracker available of known issues. It would be very helpful to know what bugs are currently acknowledged to prevent continuity issues and wasted troubleshooting time. 

In terms of the scalability of One Identity Manager, I mostly had experience with companies that had five to ten thousand identities in place, and now, I've been working with a setup in a larger enterprise environment with tens of thousands of users, and my impression is that everything is going much slower than what I was used to on the smaller scale, but I'm not completely familiar how it was set up. I know too little about the setup to judge the scalability of One Identity Manager.

I've contacted the technical support team for One Identity Manager multiple times. Sometimes support is excellent, and sometimes, it's just okay. Support asks for a lot of information that's not always necessary.

Neutral

Installing One Identity Manager nowadays is getting more and more straightforward, but in terms of configuration and setup, that's complex.

The time it takes to deploy the solution would depend on the organization. I've been involved in multiple projects and there were projects where One Identity Manager was deployed faster than others, so deployment time would depend a bit on the complexity of the organization and internal processes, but in theory, you could set it up within a week. Mostly it would take companies months to get the solution up and running.

I'm aware there's a license cost for One Identity Manager, but I'm not part of the team who handles licensing, so I'm unable to give pricing information.

I'm a freelancer, so I work for multiple customers and I work for three customers that are using One Identity Manager, so I can't give the exact number of users, but big teams use it.

I'm using One Identity Manager because it's what my customers selected.

My advice to anyone looking into using One Identity Manager is to start playing around on the virtual setup to get familiar with it, in particular, make a small domain, set some target systems up, and get familiar with the setup.

I would rate One Identity Manager eight out of ten because it's very stable and very customizable. For the last two years, the solution has improved and cut back on technical depth, and it can stand on its own two feet, but there's still space to improve. Overall, One Identity Manager is one of the best in the market.

I'm an identity and access management consultant, so I'm not a partner or a reseller of One Identity Manager.

This solution creates the roles for the NDSS, including onboarding of accounts. It's an end-to-end solution in that the customer will request some permissions, and it will enter treatment for that user, then push the data or automatically onboard admin accounts for that user.

The most valuable features are that it has a lot of capabilities, can integrate with a lot of systems, including automated onboarding like CyberArk, and allows you to integrate different entities.

One area that could be improved is the speed of performance - it's often a bit slower because of the size of its database.

I've been using this solution since 2017.

It's a stable solution.

OIM can be scaled.

We subscribe to premium support from Dell IBM. It's pretty good but can take a while to respond with a solution, sometimes up to a week if it's a major issue.

It depends on the expectations and scope, but OIM is easy to deploy and can be completed for a medium organization in six months to a year.

I used a consultant integrator for deployment.

Licenses are available on a three or five-year basis.

I would recommend OIM to other users and would score it seven out of ten.

We used One Identity Management for 15,000 employees of a financial services firm. In addition to the IM functionality, we leveraged One ID for Identity Governance - including access certifications.

We had automated provisioning of users based on HR data. This automatically created 4-5 base accounts and birthright access for users. In addition to that, we leveraged the IT shop to request roles for users which, for the most part, automatically provisioned access to users.

In addition to this, we used the Attestation features of the product to aid in our User Access Reviews.

There were significant productivity benefits over our previous platform with the increased automation which took the process of onboarding staff down from days to minutes. It allowed user self-service for additional access. The approval process was tracked and auditable.

It also improved our security controls with tighter de-provisioning, where we would automatically terminate a user's access when they left the company. In addition, regular user access certification campaigns were undertaken to review staff access and to ensure staff only had the access required to perform their role.

As the team supporting the platform, one of the key features One Identity Manager has that was very valuable was the administration interface which allowed a quick easy overview of staff, their entitlements, and how they had were entitled to access.

Centralizing identity management allowed for a centralized governance model. 

The IT shop is a great tool that allows a simple interface for users to see their access, be able to request additional access, and view the workflow approval process to understand where their request is and what any hold-ups may be. 

The blessing and curse with One Identity Manager was its flexibility and the ability to solve business problems in a number of ways. We fell into that trap of over-customization which made upgrading the product difficult. An improvement would be to offer guides on how you should set up a base configuration. There should also be integration guides to key systems like Active Directory.

In addition to that, we had some slowness with the IT shop when we had significant amounts of data, users, etc., in the system and there were some slow database queries that needed to be optimized and patched. This caused some slowness when running Attestation campaigns. 

I used the solution for over 6 years.

Overall, the tool was stable. Our issues were mostly around customizations and bad data.

The tool is scalable and can include a number of the usual infrastructure scalability options.

Technical support was good, for the most part, especially when the local support team understood our level of expertise. If we were raising a problem it was a real problem and we were put through to the level 3 support quickly.

We had a previous Identity Management Solution and we swapped it out as the old solution had little investment in its user interface and we needed a better interface for our users to be able to self-service effectively.

It was a complex setup process, however, it was the first time it was done in the country 7 years ago. Getting the product installed was straightforward. It would be important to follow a proper SDLC with requirements being a key initial piece of the puzzle to help you maintain costs.

We used a mix of vendor and in-house resources on the project. Like the in-house resources, the vendor at the time had no prior knowledge of the tool so it was a learning journey for both sets of resources.

When we started the journey 7+ years ago, there was a limited skill set in the market, and that is still the case today. 

Like all Identity Management projects, setting firm requirements upfront is important to maintain costs.

We did evaluate other options, however, I wasn't involved in that process.

Look to limit customizations where you can; it can be easier to customize the tool in the short term, however, it can result in significant technical debt and effort in the future.

Access governance related to audits.   

BAAN, AX, AS400, AD, Exchange, Footprints, several home-grown applications.

We had a relatively small AD (about 5,000 users) but our primary challenge was that all of the legacy systems in place, including multiple instances of BAAN that came from different M&A deals, each with their own configurations and entitlements. 

The short version is that we gained significant insight into the issues of access governance. One of our largest challenges was lacking insight into who had what access and where. For years access had been granted in an ad-hoc manner, mostly as "I need access like Sally" situations resulting in a mess of too much access son nearly every account in our organization.  Implementing an IAM system allowed us to turn this auditing nightmare into praise from our auditors, eliminating fines and cutting operational costs, paying for the implementation within a year. 

Additionally, we found all sorts of questionable activity that we were able to address. Using the built in policy tools we were able to identify those who went around controls and address them both stopping their unapproved activities as well as getting feedback to improve the IAM interaction with the company. The loss of unapproved access also stopped a few cases of potentially criminal activity that came to light because of our new found trove of data but further details cannot be shared. 

The amount of useful data we were able to gain immediately after a basic implementation was exceptional. Within days of installing the product in production and well before the official go-live we were able to create meaningful reports of all sorts and start correcting missing and wrong data as well as access control issues. We had tried system cleanup projects before and had some success but correcting our data in earnest began once we could see everything in one place.  

As the project matured we were able to move more and more out of the hands of IT and into the hands of the LOB representatives. Which in turn both improved the business' view of IT as a whole and allowed IT to focus on other projects and trim staffing levels on low tier work, moving those employees to more important work and helping some of them grow their careers. 

The value gained by taking control of your access data and walking the path towards governance is immense and the progress we made inspired me to pursue a career helping other companies achieve the same success. I would recommend that every company undergo an IAM project especially if they have nothing in place now. 

In dollars: access reviews. In QoL: Entitlement requesting, Approval workflow, and Attestations. 

At the start of our project, IT was considered a burden by most of the company. One Identity's easy to set up requestable items and the associated smart approval workflows gave IT the power to become a hero to the company. Eventually we had lines of business coming to us with requests to integrate more and more into the self-service portal. Then on top of that, the existing attestation cycles allowed us to confidently know for certain that correct access was issued and maintained across the company. 

My largest issue with the product is the ability to customize the web portal. There is a tool that allows this to happen but it is difficult to use (except for minor changes like logo, color scheme, or basic edits, such as displayed columns on an object. Then, to make it worse, the documentation is not helpful at all in describing what pieces do or how to use them. Even after training, I would not be confident in attempting any large change to the portal. 

For certain, this is the area that I think needs the most improvement from the current state. 

I have been using One Identity Manager for six years.

The stability is fantastic. 

Your real stability issues are going to come from SQL and not the product itself. There are redundancies built into any general implementation and always-on availability is expected. If you are already running your SQL in an always-on way, the chance of downtime with One Identity is essentially zero. 

Upgrading from one version to another is the only potential issue. You have to have an outage to perform it. There are ways to make this smooth but it is the one area where stability could be an issue. 

The solution scales very well. I have experienced issues when attempting to scale to the largest companies. However, when we did encounter issues, One Identity did a fantastic job of providing the resources and fixes needed to scale the system to millions of identities. 

The support team could be improved on. The first level of support essentially looks up knowledge base articles and often can't provide the answer needed. This could be skewed because any issue we couldn't solve with our implementation partner was certainly not a level 1 issue. However, even with One Identity knowing that we would have to deal with bad level 1 before we could get someone who could actually help on the line. 

However, to give a positive side, any time there was an emergency they were very quick to get the right resources on the issue, even when it meant waking people up in the middle of the night.  

We did not have a solution in place. This was a greenfield project. 

The initial setup was very, very easy. 

Our complexity all came from integrating outside systems. The out-of-box experience with One Identity was genuinely fantastic.

We used a 3rd party partner of One Identity as well as trained an in-house team to administrate and extend the system.

The partner was extremely knowledgeable and in a couple of cases more so than the vendor. We were extremely happy with the outcome of their work. 

Our ROI is very, very large. 

We eliminated ongoing SOX violations and associated fines.

Additionally, and without including the above, we were able to see savings in IT costs greater than the cost of our implementation within one year. A significant portion of this came from moving our most common help desk requests into self-service. 

The example I would give as the largest of these is Baan. Traditionally, a ticket was submitted, then tier 1 moved it to the Baan team who was responsible for both access and troubleshooting. Baan was significantly understaffed and the turnaround was slow. When they did address the ticket it would require calling managers and attempting to figure out what access they actually needed. Turn around was 2 to 3 weeks PER REQUEST. By defining roles with the business (a huge task in itself), creating self-service requestable items, creating approval flows, and automatically producing formatted tickets to Baan (direct connection to add access was not available to us) we were able to reduce the turn-around time to less than a day. Freeing up resources to do more important work. 

Finally, we were able to change the perception of IT nearly company-wide. While this has no dollar amount attached this is probably the most significant return we experienced. 

One Identity genuinely provides one of the lowest costs for the initial setup of any product while still being a robust suite of tools. Price was a major driving factor in or choice to use One Identity. 

We did evaluate multiple other options before choosing. Hitachi ID, Salesforce (they really do have an IAM offering), Oracle.

My advice would be to implement the out-of-box product and pull in your initial data sooner rather than later. Planning is needed but I assure you that you likely don't know how much of a mess you're in, especially if you have no IAM solution already in place. 

The OOB data collection will help shed light on the issue you have and have yet to discover then you can craft robust solutions to tackle them.

Involve HR, involve your process owners, involve your business unit leads. Ultimately, you want to use a tool like this to empower your business to make decisions and engage in self-service. It may be difficult at first but if you involve them and try to meet their needs you can turn IT from a burden into the hero of your company. 

Work with a partner. While the vendor has great staff and is very knowledgeable, ultimately the partners are the ones who can really help you make the magic happen. All partners have the ability to engage the vendor directly should the need arise. You can save a significant amount of cost by going this route. 

It manages our Active Directory and SAP user accounts according to HR data and assigns permissions via request or rules.

We create business roles with permissions in different systems and employees can either request those bundles or get them automatically via rules. User creation in all connected systems has been automated. Employees can request permissions through the IT Shop, their manager and permission owners approve the request and the system assigns it - we don't have to wrangle with excel lists of permission assignments anymore.

It is very flexible and adaptable to our needs and the ootb features are also quite comprehensive. The overview sheets are great.

Make logging and debugging easier to find, I never quite know which log to turn on for which use case (just for my tools, for the job service user, etc).

Setting up permissions inside the admin tools could be easier, maybe have some roles already created and configurable, like helpdesk needs to view persons, accounts, requests, but not change anything, maybe be able to set delegations etc. 

More than five years.

Had no major problems. Support is great and quick to help.

Technical support is usually great.

We had a vb script for Active directory user provisioning from HR data. It was outdated and prone to errors. We wanted one solution that could manage Active Directory and SAP accounts.

The initial setup was complex because the product is complex, there's usually more than one way of doing something. It's a steep learning curve. Our project didn't leave lots of time for our internal admins to familiarize themselves with the tools. Support was a great help in the first few months after it went live and without a consultant...

For the migration from 6.1.4 to 8.0.1 we used IT Concepts. Migration went smoothly as our expert and theirs worked closely together.

Provisioning users and permissions has been automated. The IT shop helps spread the load of permission requests and IT personnel can focus on other things than manually assigning those permissions in various systems.

We looked at a few different solutions. Most of them were better suited for only one target system and some had poor add-ons for the other targets we needed. OIM seemed the most balanced and also has connectors for other targets we were planning on using.

The primary use case is to handle identities.

We have seen a slight reduction in help desk calls, as this solution is a self-service product.

• To get an overview.
• To get a good structure.
• To get a good automation process.

The tool to develop the web portal needs improvement.

We are pushing out a cloud strategy, but running this on-premise solution, and do not know what steps to take.

The stability depends a lot on the infrastructure, but it is pretty slow. For us, it is stable, but slow.

I haven't used the technical support yet.

We are using a self-built solution. It would cost too much to get that up to the standard of what we need. In the long-term, it is cheaper to buy a solution that has what we need. Though, we are still running the previous solution, as we are still in the implementation phase. One Identity Manager is very limited in what we have live; we are not using it fully yet.

The initial setup was complex. It is an extremely complicated thing to replace an entire self-built solution.

We are using an implementer for the deployment.

Think through what is most important and your strategy, especially your cloud strategy. Look at the different competitors in the market, including this one.

Our cloud strategy is impacting what we decide to roll out.

We have not implemented the privileged account governance features yet.