What is our primary use case?
We use One Identity Manager as our primary solution for identity and access management. We use it for multiple functions including identity lifecycle, access management, provisioning, segregation of duties (SODs), and attestations. It is being used for the core IM functions.
How has it helped my organization?
We are a large insurance company based in Germany. We are compliance-driven. We have to fulfill BaFin requirements. BaFin is a governmental body that oversees banks and insurance. They have a big list of requirements that each financial institution needs to fulfill to stay on the market as a bank or as an insurance provider. One Identity Manager helps us to meet those requirements.
We differentiate between two types of accounts, personal and non-personal accounts. Personal accounts are accounts or usernames assigned to people, and then we have non-personal accounts, which are technical or service accounts used by software or machines. One of the BaFin requirements is that we have control of each and every account within the system. The Sync Editor is able to read each and every account into IAM. It discovers every account if you have given it the right to see everything in the SAP or any other system. The tool fulfills the base needs so that we can traverse every account available in the system and then match it to digital identities there, meaning that we get a linkage between each account and each digital identity that we get from the HR system. So, we do not have orphaned accounts or the ones that we are not able to match. It is up to each customer to utilize this. They can develop their own processes to handle this. They need to have their own processes to connect them, identify them, or report on them. There is not much that the vendor does there. It discovers them, and that is it. I am satisfied with what it offers. It fulfills our needs.
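The reconciliation the reviewer describes above (every discovered account must be linked to an HR identity, anything unmatched is an orphan, and non-personal accounts need their own process) is shown below as an added, editorial example. It is not code from the original review and not One Identity Manager's own logic or data model. The HR feed, the account export, the `employee_id`/`email` linking attributes, the `svc_`/`tech_` naming convention for non-personal accounts and the owner registry are all constructed assumptions for illustration.

```python
"""Account-to-identity reconciliation: link every discovered account to an HR
identity, flag orphans, and check that non-personal accounts have a live owner.

Illustrative code only; the data, field names and naming conventions are
constructed for this example and are not One Identity Manager's.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    employee_id: str
    email: str
    active: bool          # False once HR has processed the leaver


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    employee_id: Optional[str]   # linking attribute; often empty or stale
    email: Optional[str]
    enabled: bool


# Constructed HR feed (assumption: employee_id is the key HR exports).
HR_IDENTITIES = [
    Identity("E1001", "alice@example.com", True),
    Identity("E1002", "bob.smith@example.com", True),
    Identity("E1003", "carol@example.com", False),   # left the company
]

# Constructed account export from two target systems.
ACCOUNTS = [
    Account("SAP", "ALICE", "E1001", None, True),
    Account("AD", "bob.smith", None, "Bob.Smith@example.com", True),
    Account("SAP", "CAROL", "E1003", None, True),              # leaver, still enabled
    Account("AD", "jdoe", "E9999", "jdoe@example.com", True),  # nobody in HR
    Account("AD", "svc_backup", None, None, True),
    Account("SAP", "TECH_ETL", None, None, True),
    Account("AD", "svc_legacy", None, None, False),
]

# Assumed naming convention for non-personal (technical/service) accounts and
# an assumed owner registry mapping each of them to a responsible employee.
NON_PERSONAL_PREFIXES = ("svc_", "tech_")
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "E1001", "svc_legacy": "E1003"}


def is_non_personal(account: Account) -> bool:
    return account.username.lower().startswith(NON_PERSONAL_PREFIXES)


def reconcile(identities, accounts, owners):
    """Return a report keyed by finding type; each entry is 'system/username'."""
    by_id = {i.employee_id: i for i in identities}
    by_email = {i.email.lower(): i for i in identities}
    report = {"linked": [], "orphaned": [], "leaver_enabled": [],
              "non_personal_owned": [], "non_personal_unowned": []}

    for acct in accounts:
        ref = f"{acct.system}/{acct.username}"
        if is_non_personal(acct):
            # A technical account is only "under control" if its registered
            # owner exists in HR and is still active.
            owner = by_id.get(owners.get(acct.username.lower(), ""))
            key = "non_personal_owned" if owner and owner.active else "non_personal_unowned"
            report[key].append(ref)
            continue

        # Personal accounts: strongest link first (employee id), then e-mail,
        # both taken from the target system's own attributes.
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None and acct.email:
            owner = by_email.get(acct.email.lower())
        if owner is None:
            report["orphaned"].append(ref)
            continue
        report["linked"].append(ref)
        if acct.enabled and not owner.active:
            report["leaver_enabled"].append(ref)
    return report


if __name__ == "__main__":
    for finding, refs in reconcile(HR_IDENTITIES, ACCOUNTS, SERVICE_ACCOUNT_OWNERS).items():
        print(f"{finding:22} {refs}")
```

The point of the two-step match is that the linking attribute a target system carries is frequently empty or stale, so a fallback key (here e-mail, compared case-insensitively) catches accounts that would otherwise be reported as orphans; the leaver check is the complementary failure mode, where the link exists but the identity behind it is no longer active.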
When it comes to core IGA, the functionality that we use is the life cycle of accounts. We use the life cycle of membership of these accounts into SAP roles, the membership of these SAP users, and the membership life cycle of SAP users in the SAP structural profile. These three are what we cover. There are also SAP groups and SAP profiles, but we do not actively manage them. From the access control structures, we use only this subset. That is all that we need. It is currently sufficient for our needs.
We use several objects to represent company structures. We use the department object and the location object, and we also use business roles pretty extensively. We have thousands of business roles in the system. If I traverse the table org, which is the technical name of the table, I will find thousands of entries there.
Compliance and automation are two reasons for implementing an IM solution. Automation helps save money. For compliance, even if we do not like it, we must install such a solution because we have to fulfill law obligations. We work actively on that and have a big team covering it. It will keep us busy over the next few years. The second one is automation. We have automated the whole onboarding process of employees within this company. Instead of having 50 different administrators, we have less than 10 administrators. It saves us money. We definitely save lots of effort for administrators of different systems. We save people and resources by automating and not having several dozen administrators for different systems. That saves us lots of money.
Another advantage is that it saves us time. We can onboard the person within a day in our company. As soon as the HR types in a new employee there and pushes it to us, we can provision the employee to all necessary systems roughly within a day. Without such a solution, it will probably take weeks.
It helps streamline application access governance. When you have different applications, such as Active Directory-based ones, SAP-based ones, and cloud-based ones, they all have different GUIs. They all have different approval processes. Once you connect them to a solution like One Identity, you have to order all of their entitlements through the IM WebShop, which is a web interface. There is a very homogeneous look and feel to how you order access to these applications. Otherwise, from the administration point of view as well as from the approval point of view, it is a very heterogeneous experience. Once you integrate applications with One Identity Manager, you get the same experience for your AD-based and SAP-based tools. Other competing products like SailPoint and Verix also provide a uniform experience.
It also helps with application auditing. That is one of the core features of the tool. We use it to audit the access to different applications and impose governance on these applications. The application life cycle is also one of the core features that we use. There is one package called the application onboarding package (AOB). We developed our own mechanism there about 15 years ago, so the tool does offer steps, and we utilize it.
What is most valuable?
I like the provisioning feature of One Identity Manager. It is very powerful and flexible. It works at a very high level, but it can also be tailored as per needs. They have something called Sync Editor. I personally like that one because I have a developer background. Currently, I have more responsibility within the company for this feature. I am one of the six subject matter experts (SMEs). My area is the reconciliation part.
Compliance with BaFin requirements is very important for us. If we do not fulfill them, our license can be retracted. If we do not fulfill these requirements, it is not good for the company. We use the identity life cycle. We use provisioning extensively. We use attestations, recertifications, and SODs. We need all these equally to fulfill the BaFin requirements.
What needs improvement?
In terms of user experience or intuitiveness, it is in the middle. I personally find it good. Based on the complexity, the vendor seems to have done a good job of providing a web shop kind of experience, similar to eBay or Amazon. You order something in the shopping cart and submit it. Another one approves it and it gets provisioned. It is in the middle because I have seen better and more lightweight interfaces. They are now introducing the Angular portal. There is a new design. It is better, but certain things are still a little bit hidden. It is not yet ideal. Things like attestations or segregation of duties are not that intuitive. People take time to learn. We need to train them on what they need to do. When we generate attestations, the guy who needs to attest does not intuitively know what to do. When it comes to SODs, it is even harder. People are unsure what exactly things mean there. We need to train these people. For core processes like ordering entitlements, they know what to do without any training or reading materials from us. For example, you order a group, somebody approves it, and then you get it provisioned. For such simple scenarios, we do not need to support them, but for the other cases, such as attestations and SODs, we need to write articles on the Internet. We need to do training. We need to actively support them and hold their hands.
The biggest complaint we get from the end users is the performance. When they click or submit something in the shopping cart, all the compliance checks for SOD rules are run. Sometimes, it takes two to three minutes for something to be submitted. It is slow. It has a bit of a bad reputation within the company because it is a slow product. That is the biggest drawback in terms of user experience. Performance has been a problem in the last 10 to 15 years. It is sometimes good and sometimes bad. Every now and then, you hear that performance is an issue.
The user interface could be more streamlined. The overlapping functionality among tools like the Sync Editor, Designer, Object Browser, and Manager needs better delineation. Currently, you have Sync Editor for synchronization. You have the Designer for scripts, procedures, and SQL development, and then you have the Object Browser for raw or low-level data adjustment there. You also have the Manager, which is a user or operations management tool. These four tools overlap in their functionality. For example, you can administer schedules in Manager, Object Browser, and Designer. I see a little bit of overlapping there. You also have the Transporter that transports the code. If you open the binaries folder for tool installation, you will see 20, 30, or even 40 files there. There are so many small tools for different things. They might have grown over time. They should differentiate a little bit between operations, development teams, and test teams. For operations, they have done a good job of centralizing things in the Manager tool, but for developers and testers, there is a little bit of overlap between Designer and Object Browser. There is one other tool called Web Designer. That one will become obsolete soon with Angular. Currently, some things can be customized by the operations teams in prod and some of the things need to come from the developers. The borderline is not very clear. There are gray areas. They might have fixed these things in the Angular portal.
Another thing that I do not like is that they are mixing useful data and code data in the same data model. Other tools such as SailPoint or Verix Identity are stronger in terms of the separation of useful data and code data, although they have worse data models than One Identity. There should be a cleaner separation between the actual usage data and code data.
For how long have I used the solution?
I have been using One Identity Manager since 2009, although back then it was known as Active Entry. I have been using it actively since 2011.
What do I think about the stability of the solution?
I would rate it a five out of ten for stability. As with all other products, it has bugs. It is buggy. When a new version comes out, there are issues with it. It then takes them some months or patches to make the version stable. If you take 8.0 or 9.0, those versions are usually buggy. I have spent 15 years with this product. There were always issues after they made some major release. It then gets stabilized. The product is buggy, but they work on it. After six to twelve months, they sort out everything, and then you get a more robust version.
What do I think about the scalability of the solution?
It has its advantages and disadvantages, but it is definitely scalable.
It is a good tool for enterprise-level management. It fulfills its role. In the Gartner Magic Quadrant, this tool has gone from the lower left corner to the upper right corner in the last ten or so years. It is definitely an enterprise-level tool. It is powerful, but it is slow. As soon as the company becomes very big and different scenarios need to be managed, it tends to be slow. Two years ago, there was a conference in Hagen, Germany. The vendor asked everyone about their thoughts about the product. They asked us the good or bad things about the product, and every second customer said that they had performance issues with the product. The product is very powerful. It is an enterprise-level software, but it is slow. As soon as you have a larger number of users or a larger number of systems connected to it or you have heavyweight scenarios, it becomes slow. Of course, it depends on how each customer customizes it and implements the features in it, but every second customer complained about the performance.
We have about 30,000 users. We have only one centralized instance for the whole company. We have four environments, and there are several different teams here. We have testing, development, and operations teams. We also have the requirements scoping team where the SMEs are. It has grown pretty big. In the beginning, there were just two to four of us doing everything, but now there are quite a lot of people. Different departments are doing different aspects of it.
How are customer service and support?
Their technical support is pretty good. We use standard customer support, which allows us to open tickets and receive fixes for bugs. While it is not state-of-the-art, I would rate their service as being in the better half, providing positive support experiences.
Which solution did I use previously and why did I switch?
I have worked with two other competing products. One is SailPoint, and another one is DirX Identity. All of these products have their advantages and disadvantages. There is no perfect product, but I find One Identity Manager to be the most powerful and flexible of the three.
I have a developer and IM architect background. When it comes to customization, One Identity Manager is very powerful and very flexible. It is not very easy, but it is definitely better than DirX Identity or SailPoint. The amount of energy that you need to invest is less compared to the other two products.
We have a separate solution for PAM or privileged account management, and that is CyberArk. I know that One Identity has its own safeguard solution, but I am not sure if that one is used in our company. Another team might be using it but not us. We are a big company. I know that this was one of the solutions that they were evaluating, but in the end, they decided to use CyberArk.
How was the initial setup?
Back in 2010, we had six months of evaluation. We did evaluate Tivoli and other products. We had a prototype. It took about six months before we went to production. We first started only with Active Directory and SAP, and then we kept growing it with additional target systems and additional features. It is comparable to other products in terms of ease of deployment. It is not simple. All these products are complex. It takes time to understand what they do. As compared to others, there is a middle complexity level to bring it live. Overall, it took about six to nine months.
We have the operations team to maintain it. There are several people in that team.
Which other solutions did I evaluate?
During the evaluation phase, we considered other solutions like Tivoli.
What other advice do I have?
I would definitely recommend this solution. I have influenced two companies in the direction of adopting it in Germany. They were evaluating this, which takes lots of money and time. One company even booked me and a colleague of mine and asked which one to go for between this solution and SailPoint. I definitely recommend this one.
I would rate One Identity Manager an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.