One Identity Active Roles Valuable Features
Currently, task automation, like provisioning, deprovisioning, and reprovisioning, is very effective. When a user moves from one organization to another, it automatically changes their group membership and performs similar functions.
Secondly, the granular delegation feature is very nice and much simpler and easier than it is natively in Microsoft.
Two years ago, One Identity Active Roles was under Dell. It was quite poor. However, now, there have been notable improvements, such as faster system processing, better logging, enhanced information, and a more user-friendly interface. Once it was sold by Dell, things got better. The interface became a bit more user-friendly.
The Angular user interface is much more flexible for adjusting to customer needs, and a completely new and customizable one can be created, aligning with all settings and scripts required by a customer.
The ease of managing on-prem and cloud-based directories through a single pane of glass is good. I'd rate it nine out of ten.
The solution's ability to provision and deprovision resources and directories like Azure AD is very simple, especially when you can integrate with the HR system and grab some data from HR. It's actually fully automatic. I don't need to even touch it.
It's helped increase operational efficiency by 50%.
It's helped decrease security problems around privileged accounts. We were able to decrease the number of privileged accounts and have been able to delegate more effectively.
We decreased the number of high-level permissions that administrators had. For example, if someone is a DNS administrator, he has access only as far as the specific actions he needs to handle. We don't need to give away such high privileges for such a daily job. It's helped clarify roles and access.
It's helped reduce identity-based breaches. If someone leaves a company, we can easily undo provisioning and close accounts. We can generate reports to see which people have which permissions and at what times.
We've just integrated with our HR system. It helps us follow activated and deactivated users.
I'd rate the granular controls on offer ten out of ten.
We've saved on manpower in terms of the work of the administrators. There's good reporting and functionality, and it's very transparent. You can connect more than one directory and manage everything from one pane. You can do many things from one interface.
The feature I appreciate most about the solution is the ability to lock down Active Directory Roles granularly. For instance, our support personnel can only change passwords for users; the only thing they can change in the user object is the password. They cannot alter anything else. This allows us to manage multiple One Identity Active Roles from a single pane of glass. We're very satisfied with the granularity.
We have eased the burden on the support desk and reduced the risk of them doing something they shouldn't. We have limited the use of domain administrators and gained a better view of what is happening in One Identity Active Roles. It is easier to find rogue and malicious users, and end users can now request access through the web interface instead of creating a ticket.
We've lowered the number of privileged accounts. We can have support staff that have privileged access; however, we've limited privileges so that they can only do what they are meant to do in the directory.
Active Roles helped reduce our identity-based breaches. I don't have a number of how many. It's maybe between 10% and 20%. Now, we know what users we actually have in our IT directory. It has helped us to find the dormant users that we don't need anymore.
It's improved our security posture. It has limited access to our crown jewels, where all our identities lie within Active Directory. It's not a stand-alone product. It doesn't fix everything. However, it does help the overall security posture. Before, we had domain admins logging directly into our directory user's computers, and doing stuff. They don't do that anymore. We've limited privileges. The directory is more secure today and we have better visibility.
All of the features have been valuable, and that is not often so. We use probably 90 to 95 percent of the features of Active Roles. The only one we don't use right now is the plugin to Azure because we just use Active Roles for on-prem management of our Active Directory.
My favorite feature is probably the Dynamic Groups and the fact that Dynamic Groups are built pretty much on the fly and kept up-to-date. That is huge for us. There are so many features, if I had to pick one, then Dynamic Groups would be my favorite. We routinely will get requests from our business, saying, "We need a group that contains everybody in this particular department," whether it be a distribution list just for emails, a group to secure a file server, etc. With Active Roles, we can create this group and tell Active Roles, "Every user account that you find that has department equaling whatever 'this is', then put them in this group."
The way Active Roles works: As soon as somebody gets the value in that department field changed to something that matches, then Active Roles puts it into that group in almost real-time. As soon as it replicates through Active Directory and Active Roles, the DC that Active Roles is using sees that change, then Active Roles takes action and keeps those groups up-to-date for us.
One feature that we use a lot is temporal group membership. It allows us to put somebody in a group on a time basis. We can say, "You get put in this group," then you will automatically come out on this date at this time. We can either put them in on a date and time or take them out on a date and time. It's a great feature, and it's also one of those things that native tools don't allow us to do.
Buyer's Guide
One Identity Active Roles
April 2025

Learn what your peers think about One Identity Active Roles. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
850,760 professionals have used our research since 2012.
Jeremy Dhuit
Head of Global Digital Identity Services at a hospitality company with 10,001+ employees
The access templates help set up granular permissions and the web portal to manage Active Directory. Active Directory is usually managed through a heavy console, and using One Identity Active Roles allows it to be managed through any internet browser. Additionally, it helps in removing custom Active Directory delegation, which enhances security by eliminating unnecessary privileges, addressing identity-based breaches by reducing the number of Active Directory delegations.
Joffrey Meyer
IAM Product owner at a hospitality company with 10,001+ employees
The most valuable features are the access templates, which allow for granular permissions, and the policies that provide a framework for usage and standardization across entities. The solution improved our organization's security posture by framing the end users and ensuring that capabilities that could cause mistakes are hidden from the web interface. It helps us ensure that entities do not make any mistakes by hiding those capabilities directly in the tools with the access templates.
It is very intuitive and close to the native tools. Since it is web-based, it does not require extensive training for our end users. If users are familiar with native tools, they should be able to use the web-based tools with minimal training.
Active Roles is easy to configure. It isn't a plug-and-play solution, and you need expertise to set it up. However, once you have your templates, it's easy to deploy in a highly decentralized environment. The custom configuration for our customers is fantastic, especially the web interface.
The solution gives us granular control, allowing us to build highly customized roles and apply them across our environment. We have 500,000 separate OUs.
Becky Phares
Sr Business Analyst at George Washington University
With the use of the sync service we were able to import information from multiple external systems and populate them within our space and leverage them for downstream systems.
ARS also gives you a single pane of glass to manage AD and Azure AD. One of the things that we really like is that we can get to everything from ARS if we need to. So unless you are a system admin, there's no reason for you to go into Azure AD, because we have it set up so that everything syncs up with Azure AD. It gives us a level of confidence that things are matching from a governance perspective. We're trying to mature. I don't know that ARS will get us to our final destination, but it is helping us govern what we can see.
The most valuable features include
- auditing
- dynamic grouping
- creating dynamic groups based on AD attributes.
Also, as part of the cloud identity, meaning expanding identity to the cloud, it gives me a single workflow to expand on-prem. I can create a user in the cloud and give them access to resources through a single workflow.
And for regulatory, auditing, and security requirements, it's critical that the solution enables Zero Trust security with hybrid AD fine delegation and role-based access control.
The most valuable feature is the ability to delegate by using permissions and workflows.
Another good feature is the Change History. It's centralized in a single place and allows us to manage people's Active Directory domains from a central location. We can also drill down into individual objects in a troubleshooting or even an auditing situation. We can show evidence to auditors by drilling down into the individual history. It gives you all the history of what happened around an individual object. That is something that would be almost impossible to do in Active Directory, or extremely complicated.
We can also enforce data formats. That creates a higher quality in the data that we store in the directory by enforcing naming conventions and data formats.
In addition, we can reach the data set by using virtual attributes, rather than extending that, so we can put schema attributes in ARS that live in AR without actually impacting the Active Directory environment.
One other thing that I really like about this product, as an engineer, is the design of it, meaning not how it looks, but how it was designed architecturally. This is one of the greatest strengths of the product. It's just designed right.
The best part of Active Roles is the workflow engine. It features an industry-leading workflow automation feature. It's a visual PowerShell that allows task interruption.
It offers single-pane-of-glass management to a degree. Right now, the Azure side can only be done from the web UI, not the console. The administrative side can only be done from the console, not the web UI.
Conditional access works well. Combined with RBAC, it always works well with Active Roles because Active Roles can do access based on dynamic implementation.
The permission management feature is also excellent, clearly showing delegated permissions. Active Roles tells you when any permissions are done without going into this crazy fine-grained permission strategy that is horrible compared to Active Roles' template-based permissions. You can design on your own. It easily shows where all the permissions are delegated.
Unfortunately, you can't do much with zero trust and Active Roles at the moment unless you combine them with Safeguard. It lines up with using zero trust if you combine a couple of different workflows together.
It has so many features. Dynamic Groups are good and the ease of delegation is useful as well.
Michiel Simon
Technical Manager of Security at Liberty Global
It's valuable to us in that it resembles the native tools that most people have grown accustomed to. Most people come from another company where they may have not used Active Roles. Active Roles resembles traditional tools, such as from Microsoft. That is really good because it eases the way people interact with the tool.
The AD and AAD management features of this solution are really good. They're better than the native tools. They offer added value by showing more fields such as password age and the statuses of some things that we normally wouldn't see. What I really like is the fact that we have the mailbox and the user information all on one screen. With native tools, you need two tools to show that information.
Secure access is the most valuable feature.
Finn Jacobsen
Architectural specialist at HK/Midtvest
We can create a user in the cloud and give them access to resources through one workflow. I rate this feature eight out of 10 in terms of importance. Active Roles enables zero-trust security with hybrid ID fine delegation and role-based access control, which is our primary purpose for using the solution.
It is an easier way for me to manage Active Directory with more advanced features.
The console helps with granular control.
The way it captures data and transforms it into ways that will be usable for the Active Directory is the most valuable feature.
We haven't found a different solution that is able to do this. We have been relying on manual scripting, which proved to be very unreliable. Active Roles is definitely much better.
It also improved our automation. It was already automated, but it improved it. It was able to capture more data out of Trillium and SAP and populate the Active Directory in an open-minded manner.
We have two staff members and so per staff member, Active Roles saves us 0.2 FTE.
Active Roles has improved the accuracy of our onboarding process. There are fewer errors during the sync.
We like that we can manage our groups and access. You can get granular in terms of the access control.
The solution enables us to create a user in the cloud and give them access to resources through a single workflow. That's very important for our organization. It allows us to assign access accordingly for the file shares for admin access to servers.
It enables zero trust security with hybrid, AD, delegation, and role-based access control. It's extremely important for us.
David-Fernandez
CTO at BeClever
The delegation feature is really important. It is one of the most valuable features that our customers appreciate about the solution.
The provisioning and deprovisioning saves a lot of time and skips a lot of errors.
For the AD management feature, it is perfect. It covers everything.
Sameer Palav
Managing Director at a tech services company with 51-200 employees
- Role Based Access Control
- Provisioning, Re-provisioning, De-provisioning and Undo-De-provisioning policies
- Data validation policies
- Workflows
- If Then Else statements
- Approval Workflows
- Schedule Workflows
- Escalation
- Virtual Schema
- Virtual OU’s
- Web console with easy customization option
- Integration and data synchronization with SQL, Office 365, Lync etc.
- Event handlers
- It provides automatic provisioning/update/deprovisioning workflows from a source system to a target system.
- It allows you to easily monitor all workflow processes.
- It has very powerful native policies and scripts, which allow you to create your own custom policies, scripts, and virtual attributes.
- In addition to using the console (MMC interface), it also gives you management from the web interface.
It gives us attribute-level control and the AD management features work very well.
Willie Clemons
Director Identity & Access Management at a tech services company with 1,001-5,000 employees
The built-in templates within ARS allow you to create security groups without having to construct them on your own. It greatly simplifies the process and also makes it much easier to review if you ever need to make changes.
It provides automatic provisioning for many applications and systems, including in-house applications and cloud applications. Also, it offers a virtual directory structure and a new directory layer between users and physical directories. Management and monitoring become easier.