We started using Active Roles because we wanted protection against user errors by our frontline service desk.
We have an on-premises solution.
We started using Active Roles because we wanted protection against user errors by our frontline service desk.
We have an on-premises solution.
Instead of deleting accounts, we like the deprovision option so that we can reverse any accidental deletions. It also gives a higher level of quality control in terms of enforcing any number of variables, such as making sure that an account has a description entered before the account can be created. We can backtrack and know the history of it that way.
It has also eliminated admin tasks that were bogging down our IT department. Before we started using Active Roles, if one of our frontline staff members deleted a user or group, it could take several hours to try to reverse that mistake. Whereas now, the most our frontline staff can do is a deprovision, which just disables everything in the background, but it's still there. We can go in and have it back the way it was two minutes later. Instead of it taking two hours, it only takes two minutes.
In addition, it reduces risk by enforcing stronger and more complex passwords that not only conform but go above and beyond the default recommendations from our Microsoft policy. It makes sure that there's a certain level of completion with anything created or provisioned through ARS. It enforces compliance, and that is definitely helpful.
I've been using One Identity Active Roles for about five years.
It's a stable product. We have very few issues with it.
Up until our migration to Office 365 and Azure, our Active Roles architecture was very static. We didn't really have to scale it out at all during that time. The only scalability exercise that we've done is trying to adapt to Azure in Office 365, and it's a challenging process to do that.
The product itself is fine and works well. I've had a difficult time getting it to cooperate with Azure in the cloud and, while the support staff are very good and very knowledgeable, what they assist with just on a call doesn't go deep enough to help with a number of issues. The answer that comes back is that we'd have to start an engagement with Professional Services, which is fine but that takes time to schedule and it takes budget. And during all that, you have a delay in getting a particular part of the platform working properly.
I've worked with several One Identity support folks and they're all very knowledgeable and pleasant to deal with. But sometimes I get the feeling that their hands are tied with how much support they can give me for a specific task because it gets into that gray area of what's break/fix and what goes off to Professional Services. If it falls in that gray area, it's hit or miss whether you're going to get support from your first call or whether you have to wait until you can dedicate a whole day to it.
Support could benefit from helping with a broader area of ideas on a first-call-resolution type of model, rather than just focusing on break/fix issues. They should also help with configuration issues.
The process was complex. We had the help of an integrator from Quest, back then. We had him come onsite and work with us. There is definitely a learning curve when it comes to setting up templates. It's a complex product, but it's good once you get the hang of it.
The initial deployment took about a couple of weeks, but that was when everything was still on-premises. There wasn't any Office 365 or Azure back then. In terms of getting our Active Roles to cooperate with Azure now, I've been struggling with that, on and off, for over a year now. That's not necessarily a fault of One Identity. Their support is partially to blame for that, but a lot of it is on my shoulders too, due to the fact that I have other responsibilities at my workplace.
We have about eight admin staff who use Active Roles daily, and pretty much all day, for user functions. We don't have end-users with any control over delegation through Active Roles, although that might be something that we explore later; we might allow some office administrators to do various functions.
There are a lot of other benefits that we take advantage of that are above and beyond the native Active Directory functions that Microsoft provides. There's no comparison between Active Roles and the native Microsoft tools. You can customize the interface so that you can create a user account much more quickly. Active Roles also gives you a really nice audit log of when a user account was created and of any changes that happen to that account after the fact, as long as you do those changes within Active Roles. It's a really nice way to have a full view of the lifetime of an object created through Active Roles. It's much better than the native tools.
We researched various solutions before we narrowed in on what was Quest, back then. At that time we were going through a migration from an old Microsoft domain to a new Microsoft domain and we are using a different Quest product, but we haven't evaluated any other products.
It is a good tool and anybody who works with Microsoft Active Directory and Azure can definitely benefit from using Active Roles. But it can be challenging to get Active Roles and Azure to play nicely together, depending on how your company is configured.
For some organizations, I could see that the product could help move staff to more important IT initiatives, but we don't use it at a level that it would help us in that capacity.
The big lesson learned—and it would depend on various people's skill levels or proficiency— for a new implementation where you're working with Azure and not Office 365, would be to budget for at least a one- or two-day session with Professional Services. That would save you a lot of time, and in terms of hourly costs, you would actually probably end up saving money by buying the Professional Services session.
I am in the process of scheduling a meeting with One Identity Professional Services to start using Active Roles for migration from AD to Azure AD. We've tried to mesh our Active Roles implementation with our new Azure setup and it's been challenging. Added support is definitely needed to get over the last few humps there.
I do find it a very useful tool. I have researched other players in the field and there's not a lot out there. Active Roles has the edge. I don't see us moving to a different product, but the biggest frustration has been getting enough support out of support.
Our primary use case for ARS is for the ease of delegating administrative access and the ability to limit direct access to the domain controllers. Those were the primary purposes for purchasing it. We do much more with it now, probably more than anyone else.
We're still working through that primary use case. But in addition to that, over the course of the last seven years, we've been able to leverage ARS to allow us to do a lot more and be more efficient. We use it for dynamic groups. We automatically group users together by department, reporting structure, etc., to leverage them for access, authorization, and authentication. And we automatically group computer objects for management authorization.
We have also started leveraging ARS as an identity platform. It was an interim solution until we move over to our final solution, for which we're going through vendor selection right now. The way we use it for identity is that we use custom scripts and workflows and scheduled tasks. We were able to migrate off of our legacy identity platform and move everything we currently do into ARS.
While migrating to ARS, we also implemented role-based access for the administrative users and customized views for each role in ARS, in the web interface. So if you're a level-one support, you only see the tasks that you are allowed to do, versus if you're a full-blown administrator, you see everything.
In addition, we use it for account creation at the university. We expose native Azure AD user group properties to assist with support increase. We provision and de-provision applications, and we create the necessary reports.
We reduced the development cycle for modifications to code, which enabled us to easily integrate and onboard services, applications, and areas of the university that were not previously centralized. We just centralized Law, for instance.
We also have real-time alerting for failed tasks, which has reduced the troubleshooting tickets, user frustration, and allowed us to, in some cases, address the issue before it's even realized by the customer. In our previous system, if a task failed, we didn't know about it until the next day. Now, if a task fails, we're immediately notified by the system. That's how we're often able to clear it before the user ever even knows anything impacted them.
In addition, with the use of workflows and the scheduled tasks, we were able to automate and centrally manage a number of the processes as well as utilize them to work around other product limitations. Those include, but are not limited to syncing larger groups, which have 50,000-plus members, to Azure AD.
We sync up to Azure AD using ARS. If we had not already had ARS in place, it would have been impossible for us to have done so in the time period we did it in. We did it in under six months. If we had been migrating to a whole new platform, or an identity system, the way that things were, we would not have been able to do that in six months. ARS saved us. It was our bridge between an outdated solution, one that had not been matured. It gave us that time to breathe so that we could find the right solution for us. ARS won't go away, it will just stop doing the identity pieces. We will continue to use ARS.
ARS probably saves us at least two weeks out of every month. It's reduced our workload by 50 percent, easily.
We were able to introduce automated role-based provisioning for the first time, because we had ARS. We introduced role-based access. We introduced birthright access. Those had never been done before. We took ARS and turned it into an identity platform as our interim solution. That enabled us to eliminate Oracle Identity Manager completely. Per user, automated provisioning saves a couple of hours per week.
It has enabled staff to focus on more important IT initiatives. Because it is dependable, and because there aren't any issues with it, it allows the operational staff to also be development staff. A lot of our time has been freed up so that we can do things like interview vendors, come up with a logical strategy, and things of that nature. So ARS has certainly assisted in us being able to do that. We didn't reduce resources. Rather, time was freed up so that we could focus on more important things.
It also reduces risk because we use it to leverage dynamic groups, and with a dynamic group, if the person is no longer in the feed coming from the HR system, then that person is immediately and automatically removed from the group. We don't have to wait for a human being to go and look in every single group to see if that person is in there. It's a matter of internal best practice, ensuring that we meet the requirement to have least access.
With the use of the sync service we were able to import information from multiple external systems and populate them within our space and leverage them for downstream systems.
ARS also gives you a single pane of glass to manage AD and Azure AD. One of the things that we really like is that we can get to everything from ARS if we need to. So unless you are a system admin, there's no reason for you to go into Azure AD, because we have it set up so that everything syncs up with Azure AD. It gives us a level of confidence that things are matching from a governance perspective. We're trying to mature. I don't know that ARS will get us to our final destination, but it is helping us govern what we can see.
We would like to see
These are all things that our tech team has talked to their tech team about. And they're extremely responsive.
In addition, there are some features that we think should be included in their next release. We think these things would take them to the next level: the ability to completely force or limit any dynamic group processing to specific servers, change-tracking reporting of virtual attributes, and the ability to use files as inputs to automation workloads. These things have also been talked about. Knowing One Identity, they're probably working on them.
We've been using One Identity Active Roles since around 2013.
Maintenance is standard and periodic. There may be a release or update that comes along, but other than that it's a very stable tool and doesn't require much maintenance at all. It's probably one of those grunt tools that most would typically consider ubiquitous. However, we think about it because we're using it for more than what it was intended to be used for.
We haven't had any problem at all, so far, with scalability. The only thing that we really saw was that syncing larger groups is a problem when we try to sync to Azure.
ARS went from just being our AD management tool to being our identity system, and it will continue to be that for the next 12 months. When we pick up and move the identity pieces out of ARS, it will remain the workhorse to keep all these things in sync.
We're pulling the identity components out because ARS is not an identity platform. It's not meant to be one. It's not robust enough to handle it all. If we continue to customize and build it out, we'd be building our own identity tool and that's not a good path to go down.
At last count we had around 50 users of ARS. They're either our middleware tech team, the CIS admins, including AD, Azure, etc., or it's our level-one support team. They use it to reset 2FA and to reset passwords. We built a custom interface for them.
Excellent support. They truly are a partner. They want to be a partner, a collaborator. Their number-one goal is to solve people's problems, in the space of identity. That's really good.
In all of these years, we've never had any problems. As a matter of fact, they are very proactive and always reaching out saying to us, "How can we help? How can we help?" We've had excellent service from them.
We eliminated Oracle Identity Manager from our environment. Unfortunately, OIM was stood up about nine years ago but proved to require a lengthy life cycle to onboard applications and move to role-based provisioning, so we never moved beyond the first phase. We picked everything up out of that system and we created, if you will, a brand new ARS to handle everything that used to be in there. If OIM would choke, we would have to do constant reboots. We don't have any of that anymore now that we are in ARS. We haven't put a ticket in for a reboot in over a year, since we migrated.
We've been using ARS for our identity platform for a little over a year, and it was the right thing to do at the time. It could handle what we were doing, because what we're doing is actually very limited.
I wasn't here for the initial setup in 2013, so I can't speak to that. I'm not part of the technical team that is in the process of doing the upgrade to 7.4.
But you can do deployment with two to three people. I know that from knowing the size of our team and who's doing it. If you've got two to three knowledgeable, skilled people, that's all it takes.
There has been return on investment in the time savings, although I can't put a number on it.
We looked into other options. The problem was that we needed to move quickly because OIM was out of maintenance. As a team we decided, "We have a tool here that can do this. We just need to make it do it". This provided the additional time we needed to decide on the right solution for access management and governance.
ARS is very clean and very easy to use. Sometimes, getting down to the level of detail that you need to see can be challenging, but its ease of use is comparable to any Microsoft tool or any other tool that's out there.
If you're going to implement it out-of-the box, off-the-shelf, exactly as it's meant to be, you should be able to do it on your own. It's pretty straightforward. If you intend to do anything else with it, a good integrator is key.
The biggest lesson we've learned is that the flexibility and the extensibility of this platform allowed us to achieve far more efficiencies than we ever expected. What became the short-term certainly isn't going to be the long-term, but it proved credibility here, and that was what was really important. It gave us the credibility that we could do what we said we were going to do: take us off of a legacy tool that was broken, make things more efficient, and close the gaps until we could put in the full-blown solution.
We are using Active Roles for provisioning Active Directory objects and we also use it to connect, through Active Roles Synchronization Service, to our HR system and to provision and deprovision employees.
In general, we use it to provision any object: security groups and computer objects, in a delegated manner. Active Roles Server allows the security of Active Directory to be changed to delegate access for provisioning to different IT teams, without changing the actual security of Active Directory.
The solution is co-located in our data centers.
With delegated access to Active Directory, it allows us to revoke a lot of the admin rights. It gives us a better lockdown and a more secure environment than we used to be.
It has eliminated tasks that were bogging down our IT department, especially in certain workflow automations. Through Active Roles Synchronization Service, we can process data coming from HR and automatically update those attributes and data fields straight into Active Directory, versus doing it on a manual basis or through bulk imports. Also, the fact that we can enforce data formats and policies saves us time since we don't have to go back and do a cleanup.
In addition, because we are able to remove the main admin rights, there are fewer uncontrolled changes, and when you have fewer uncontrolled changes you have a higher availability of the service, overall, and fewer audit findings.
The solution automates provisioning. In our HR system we are automating the creation, termination, and ongoing management of all of our employee base. We have between 5,000 and 6,000 employees, and all those processes are fully automated, with IT being completely hands-off. It saves a lot of hours, easily on the order of hundreds of hours per year.
The fact that we have decreased certain operational costs, by means of automation, of course means we have been able to reallocate the time of some of our resources for more value-added activities. Because we implemented this 10 years ago, things have changed over time. It has become an established practice, process, and technology so it's hard to estimate how many FTEs we have been able to reallocate, but it would probably be at least one.
One Identity Active Roles has also improved the accuracy of our onboarding process. As a company, our onboarding process for people is subjected to SOX audits. Ten years ago we were in a situation where we had hundreds of nonconformities. Today, we essentially have zero nonconformities.
Another benefit is that the solution most definitely reduces risk for our organization. By avoiding changes to the native Active Directory security, and the fact that there is role-based access control to manage Active Directory itself through the application, there has been a dramatic reduction in risk.
The most valuable feature is the ability to delegate by using permissions and workflows.
Another good feature is the Change History. It's centralized in a single place and allows us to manage people's Active Directory domains from a central location. We can also drill down into individual objects in a troubleshooting or even an auditing situation. We can show evidence to auditors by drilling down into the individual history. It gives you all the history of what happened around an individual object. That is something that would be almost impossible to do in Active Directory, or extremely complicated.
We can also enforce data formats. That creates a higher quality in the data that we store in the directory by enforcing naming conventions and data formats.
In addition, we can reach the data set by using virtual attributes, rather than extending that, so we can put schema attributes in ARS that live in AR without actually impacting the Active Directory environment.
One other thing that I really like about this product, as an engineer, is the design of it, meaning not how it looks, but how it was designed architecturally. This is one of the greatest strengths of the product. It's just designed right.
The overall UI needs a refresh; the web interface requires some modernization.
We would also like to have a SaaS version of Active Roles. Rather than implementing it in our data center, it would have been nice having a SaaS-delivered solution.
The third area for improvement, which is the weakest portion of ARS, is the workflow engine, which was introduced a few years ago. It's slow and not very intuitive to use, so I would like to see improvement there.
We have been using One Identity Active Roles for about 10 years.
The scalability of the solution relies on the environment where it is deployed. We are a smaller company, but we are using the same design and architecture that we used initially, where we have about 15,000 to 20,000 users. We have added multiple domains, four or five, and we have never seen any issue from a scalability standpoint. I don't know if it scales to hundreds of thousand users, but for our environment, scalability has never been an issue.
We have a very good adoption rate, from a user standpoint. I can't see many areas where it could be expanded. We are leveraging the tool at a very good capacity. I don't foresee any expansion because we are using it pretty heavily.
The support service provided by the vendor on this product is pretty solid. It is an excellent support service. I would rate them a solid nine out of 10. They always have a solution or a workaround. They're very responsive and very knowledgeable. Sometimes I wish that we had the same level of support from other vendors.
We used the Microsoft native tools. We switched to Active Roles because the Microsoft native tools were really for managing the core components and didn't have all the capabilities of provisioning, deprovisioning, role-based access control, and change history. They didn't have the proxy approach to manage Active Directory in a centralized way. With Microsoft, Active Directory is distributed by nature, versus ARS which centralizes it.
One of the strengths of Active Roles is that it is easy to implement, easy to upgrade, and very intuitive, except for the workflow engine. And it's not even resource-heavy. It works on a very lightweight infrastructure and doesn't need multiple servers or any complex architecture. It's a very lean, robust, and effective tool, with low maintenance costs.
Our deployment took a couple of months, maybe less.
The tool is so straightforward that the approach was very simple. We analyzed the requirements that we had, back in the day, especially in terms of access and provision, and we just mapped them into Active Roles Server. The overall first phase of installation was very simple.
In terms of maintenance of the solution we need a part-time person, a security engineer who specializes in access technologies. The maintenance of it is super-lightweight. It's really just a few hours a month.
ROI is a very tough question because we implemented it 10 years ago. I don't have a number. But I would say that, in a large organization, Active Roles is probably something that pays back quickly. It's so integrated into our processes today, that we couldn't even think about doing without it, and replacing it with manual work.
If you have a need to put controls on your Active Directory environment, and there is significant manual work to put those controls in place, regardless of their effectiveness, or you have a risky native configuration that has to be addressed, my advice is that a solution like this is going to do the job pretty brilliantly.
It is a great solution with a lot of capabilities. It provides different types of value for each of the capabilities that it has. Over a decade, this solution has done its job.
It's a very stable system, easy to implement, easy to upgrade, and has very low operation maintenance costs. We are a very happy customer of Active Roles.
We use Active Roles to facilitate the synchronization between our Active Directory environment, SAP, and our school information system which is Trillium. Trillium and SAP feed data for employees and students into the Active Directory.
We use password managers to manage passwords and provide us with three sets of passwords and options for our users.
Because of Active Roles, we're able to synchronize on an even more regular basis. It enables us to provide even more information to the Active Directory, which helped us to group our users in a more consistent manner.
The way it captures data and transforms it into ways that will be usable for the Active Directory is the most valuable feature.
We haven't found a different solution that is able to do this. We have been relying on manual scripting, which proved to be very unreliable. Active Roles is definitely much better.
It also improved our automation. It was already automated, but it improved it. It was able to capture more data out of Trillium and SAP and populate the Active Directory in an open-minded manner.
We have two staff members and so per staff member, Active Roles saves us 0.2 FTE.
Active Roles has improved the accuracy of our onboarding process. There are fewer errors during the sync.
In terms of improvement, it could be made even more user-friendly for administrators when they need to create new workflows and rulesets.
It's a bit difficult. I'm not the technical person that uses it, it's my team, but I heard comments that it is quite difficult for them to get to know the product and set up the tasks that are required.
I have been using Active Roles for three years.
It's very stable.
I would call it scalable because we look at over a quarter of a million students' data but not on a day-to-day basis. It is pretty scalable.
Right now we have two system administrators that are using it effectively. We are still deploying further automation and optimizations.
Previous to Active Roles, we had an in-house scripting solution.
We switched because of their better support and because of the succession of old, unsupported manual build scripting. This way we have a product that we know has a future and we have proper support.
In comparison to native Microsoft, Microsoft tools are basically non-existent for what we are using it for. The connectors for user federation and synchronization with the other solutions are non-existent.
The initial setup was very complex. There's a steep learning curve to get to know the product and to start using it. The deployment took almost two years.
We started first with students and then with employees for the deployment.
We used One Identity and we also had external resources, a contractual workforce, for the deployment. We had a positive experience. I appreciate the help that we got.
We don't see ROI in a monetary way. We are a public organization, so we don't sell anything, but I definitely have a better user experience, fewer incidents, and, therefore, better user satisfaction. From that perspective, we have absolutely seen ROI.
Active Roles is above average on pricing compared to similar solutions. There are no additional costs to the standard licensing fees.
My advice would be to make sure that you have a full-time team assigned to the solution. Take your time for the onboarding. It takes more time than we initially thought.
I would rate One Identity Active Roles a seven out of ten.
Our primary use case has definitely evolved since our very first use case, which was for delegation of rights within Active Directory without having to give folks native rights through Active Directory. That was our biggest driving factor into the use of Active Roles. All the other stuff that it does is a benefit, and we use it all heavily. However, we're very big into using the least privileged model and having the least amount of Active Directory native rights out there, as this cuts down on issues later. By having less people with native Active Directory rights, this cuts down on potential issues that we have to troubleshoot.
It is used in our on-prem Active Directory, but the servers themselves are hosted out of Azure. So, we use IaaS, which is just having VMs in the cloud versus having our VMs on-prem. The only cloud aspect is that VMs are hosted in the Azure IaaS instance. It's a normal VM, which is part of our on-prem Active Directory, but it just happens to be hosted in Azure.
The biggest thing for us is Active Roles saves a lot of man-hours, from keeping groups up-to-date manually or trying to write some sort of script that you have to run, so we don't have to reinvent the wheel. Instead of when every time somebody joins a department, then somebody has to remember to put in a request to add "meet user Joe" to this group, the solution does it automatically for us. Therefore, it saves our business and IT staff time because they do not have to process requests since Active Role can do it for them.
We have about 2000 of these groups in a pretty substantial company of 55,000 employees. Active Roles cuts down on a good number of these tickets every time somebody is brought onboard.
We are a large company who does a lot of department codes. People are coming and going from the company daily. Active Roles probably saves us an upwards of 500 requests a week.
The solution has eliminated admin tasks that were bogging down our IT department. Now, nobody from IT has to take action to update the group in cases when someone joins or leaves the company.
Active Roles has assisted us greatly in provisioning and deprovisioning accounts as folks come and leave the company. We have automation in place that utilizes Active Roles to create and deprovision accounts as folks leave. ActiveRoles Server (ARS) has been instrumental in making sure accounts get cleaned up when they get deprovisioned. Other features of Active Roles, such as Dynamic Groups, have helped us to streamline the process. It's not taking everything away for us, but it's provided us a lot of streamlining. It probably saves, on a per user basis, a half an hour of man-hours between different tasks once you put everything together. This saves us about 40 hours of work for somebody a week.
When our HR department terminates an account, we have a script that talks to Active Roles and sends Active Roles a provisioning command. We have Active Roles set up to do a variety of tasks where deprovisioning is requested. The most important one for us is that after so many days of that account still being disabled and the person being gone, Active Roles will clean that account up for us and delete it out of AD. Therefore, we don't have to manually go in, terminate folks, clean up the accounts, and all that other stuff that happens when someone leaves.
Between the automation of using Active Roles to do our onboarding, policies, and workflows, we can ensure that the data that gets put into Active Directory during the onboarding of any type of object for Active Directory is accurate, meeting our standards so we don't get junk put in there. This has helped streamline things. One of the hardest things from an Active Directory management perspective, without a tool like Active Roles, is controlling how people do something. How I would want to install or set up a new user might be different than the person next to me, e.g., you can give somebody a set of policies to follow when you're not using a product like Active Roles, then it's up to them to interpret that and follow them. Active Roles allows us to enforce those policies so the data that gets put into Active Directory is cleaner and consistent. Having consistent data allows us to do a lot more automations and ensuring people and objects are set up properly.
It definitely improves our security. We are a larger company, so we have a lot of IT staff who are responsible for different parts. Someone does new groups while someone else does servers. There are a lot of hands touching Active Directory. Using a product such as Active Roles, we can delegate those rights to the hundreds of accounts for people to do their jobs. This reduces our risk for somebody's account being compromised. If they have native rights in Active Directory and an account is compromised, that is a higher security risk than just using Active Roles, because the only way somebody can make a change in Active Directory when ARS is involved is to use the Active Roles interface. If someone hacks in and tries that, they're not going to be able to do that. So, it definitely improves our security posture. We have only a handful of people with highly privileged accounts in our environment because of Active Roles.
Active Roles has a PowerShell interface that allows us to let other parts of our environment and other applications, which might need to interface with it, make changes within the Active Directory by utilizing PowerShell commands. We can apply the same principle as our security rights so they have to use Active Roles, reducing our risk from a security perspective.
All of the features have been valuable, and that is not often so. We use probably 90 to 95 percent of the features of Active Roles. The only one we don't use right now is the plugin to Azure because we just use Active Roles for on-prem management of our Active Directory.
My favorite feature is probably the Dynamic Groups and the fact that Dynamic Groups are built pretty much on the fly and kept up-to-date. That is huge for us. There are so many features, if I had to pick one, then Dynamic Groups would be my favorite. We routinely will get requests from our business, saying, "We need a group that contains everybody in this particular department," whether it be a distribution list just for emails, a group to secure a file server, etc. With Active Roles, we can create this group and tell Active Roles, "Every user account that you find that has department equaling whatever 'this is', then put them in this group."
The way Active Roles works: As soon as somebody gets the value in that department field changed to something that matches, then Active Roles puts it into that group in almost real-time. As soon as it replicates through Active Directory and Active Roles, the DC that Active Roles is using sees that change, then Active Roles take action and keeps those groups up-to-date for us.
One feature that we use a lot is temporal group membership. It allows us to put somebody in a group on a time basis. We can say, "You get put in this group," then you will automatically come out on this date at this time. We can either put them in on a date and time or take them out on a date and time. It's a great teacher, and it's also one of those things that native tools doesn't allow us to do.
When doing a workflow, we would like a bit better feedback on the screen, as we're trying to get it to work. For example, there is a "Find" function that you need set up in a workflow to do some of the automation. It is not the easiest to get a result from those finds when you're trying to do that. In the MMC, they have a couple different types of workflows. In this particular case, we use their workflow functionality to find all of X within the environment, then if you find it, do X, Y, and Z. You can have multiple steps. When you do that search function within that workflow, it's really hard to find out, "Is my search working?" It would be nice if there was some feedback on the screen so you could see if your search is working properly within the workflow.
There are other finds, like when you just simply go look in Active Directory, and say, "Find." I absolutely love that we can export the results from that one. It's only the search function within the workflow that could be a little bit better.
In version 7.4.1, they added support for SAML authentication to the web pages and the documentation was quite lacking. The documentation for that, in particular, needs a lot of work. I ended up having to work with support over multiple sessions to try and get that to work properly.
This was a newer function for 7.4.1, so I had never used it before in the previous versions. When you downloaded their product, the documentation was the same as they had posted on their website. It was the same in both places. It was very broken up and wasn't complete. It needed to be reworded and flow better so somebody new could follow it a bit better. Because even after following all the solutions, even the tech support said to do it differently than what was in the document before we could get it to work. Therefore, I would definitely like to see some work on the documentation for that area.
I have been using it for 10 or 11 years: a long time. I've been around since version 6.1. Though, my experience mostly started at version 6.7 and up.
I have used so many different versions of it. Some of them were better than others. This current version seems to be very stable for us, so we're very happy with version 7.4.1.
It is very scalable. We are an unusual environment. We have multiple Active Directories that we support and the product has been great in supporting those multiple directories. I would imagine a large majority of folks who might go to use this are going to have just a couple Active Directory domains. We have seven on our original instance, and we'll have those seven plus a few more on our other one when we're finished. We're doing some consolidation, but we're not quite there yet.
Active Roles is used for every change to Active Directory in our environment. Our usage is extensive. If there's a scale of one to 10, it might be over a 10 for how much we use this product. We're always adding to it. We find a need for something, and if we can automate something in Active Roles, we will use Active Roles to do that automation. What we really like about that is that it gives us one place to go whenever we need to do automation for Active Directory. We don't need to have multiple things all over the place. ARS can do all of it.
We have over 900 staff who don't all use it at the same time. However, at any given time, about 900 people could be using it. We have help desk staff who use it along with our One Identity staff. They're in there constantly all day, every day, 10 hours a day, for each person. They could be doing anything from password resets, creating new accounts, updating accounts, granting access to somebody for a new program, etc. We also have our end user support staff and our data center staff who use it to stage and get new servers and workstations setup. Those are probably our four main groups that use it. We have some other users, but those are the main ones who use it.
The technical support is generally very responsive. There are a few that I know by name because we work with them quite a bit. Over the years, we have set up different products. If they can't get you going, they don't hesitate to involve their programming staff to get things going.
Prior to using Active Roles, we were just using native Active Directory tools.
Active Roles is a thousand times better than native Microsoft tools. There is so much that this tool brings that the native Microsoft tool does not, such as Dynamic Groups and the ability for us to enforce policies. So, when we say, "Fill in this field," we make sure it gets filled in and it gets filled in with these values, because that's what we're expecting. We're getting clean data put into Active Directory. Automation doesn't come with the native tools either.
I have set up this product many times, including our current one. Because I have done the setup so many times, it is now pretty straightforward for me. For someone who has never done the setup before, they might consider it complex. However, because I have had so much experience doing the setup before, I didn't hardly even look at the document on it.
The deployment time depends on how many servers that I'm cloning. I can get an initial version of Active Roles up and running, if I have all my OS and everything ready to go, in under a workday.
Going back a number of versions, we did have Quest come in and work with us on our initial setup. This is many years ago, probably nine, when I personally was just getting involved with it. I found it very helpful. I got a lot of very helpful tips, as I was still learning the product back then. I would maybe recommend for somebody who really wants to do a lot of the automation and use the product to the fullest to bring in somebody who could help add those parts to it and get them going faster.
I do the deployment myself. I also have a couple folks that we brought in who are coming up to speed and learning Active Roles from me now. I think it depends on the size of the environment. In our environment, we have 12 servers because we have to support a pretty large IT staff who will be using it. We're trying to get three to four subject-matter experts on Active Roles from a support perspective because we want one person to be the only person who knows the product. Because if something happens, they're out of luck if that person's not around. However, the deployment and maintenance can be done with just one person. It's not a huge product to worry about.
We have seen ROI. We did an initial look at Active Roles when we first started using it. We were smaller at that time and have sine gone through an acquisition, growing in size. At that time, we saw a reduction of about 150 tickets.
Last year, when we had just gone through a merger, we did do an evaluation. We had a consultant come in and do the evaluation for us.
If you are very new to the product and want to get your money's worth out of it when you utilize it, because it has a lot of features, use an implementer or get some consulting time to make sure that you're utilizing it to its full potential.
Biggest lesson learnt: Our IT staff, prior to using this, never really followed instructions.
We're not using Azure Active Directory with Active Roles in any way. We do love that we can manage multiple Active Directories from one console and have that single pane of glass on-prem. We have multiple Active Directory environments, so we can manage them and see them all in one place.
It's not integrated with a PAM solution at this time. We've thought about it, but we're not there yet.
I would rate this solution a 10 out of 10.
We use ARS to manage multiple domains. Our organization owns over thirty companies and we needed a tool that would give us the ability to apply consistent access rules across all of the businesses.
ARS gives us the ability to provide granular control that AD just doesn't offer. Having a tool to manage all changes to AD from a single pane of glass is awesome. It also allows Help Desk personnel to get up to speed very quickly without having a strong technical background.
The built-in templates within ARS allow you to create security groups without having to construct them on your own. It greatly simplifies the process and is also makes it much easier to review if you ever need to make changes.
The ability to send logs to a SIEM would be very beneficial.
We are working with a customer now who is having some problems with their permissions and delegations, because a lot of users have to do administration activities in the Active Directory. Now, they have been given domain administrators. However, with this solution, they are skipping all the domain administrators and keeping the normal users, which is fantastic for them because some of the personnel are basic IT technicians without the knowledge of AD advance features. Our customers were afraid of errors being caused by these people, so they can avoid these errors in the new environment.
This solution eliminated tedious IT tasks with provisioning. We have a lot of customers who prefill, or have only a list of values, for some fields.
The delegation feature is really important. It is one of the most valuable features that our customers appreciate about the solution.
The provisioning and deprovisioning saves a lot of time and skips a lot of errors.
For the AD management feature, it is perfect. It covers everything.
For the AAD management feature, it needs to improve the objects that we can manage and the security. I know that they have everything in road map, so they probably will include everything in a year or a year and a half.
I would like them to support a cloud solution. This is important for us. They have it on their roadmap. For now, they only have basic options for cloud-delivered services. We are in the prospect of looking for a customer who wants a cloud-only solution, but will wait for the new features, which will probably be available in one year.
The should try to move everything to a web interface. More solutions are trying to use a web interface.
They need batch processing, but that is in the road map, and that's okay.
They need better language support. While they have a language pack, it's not always available at the same time as the product. Sometimes, when we install it in other countries, they don't have the language pack, then our customers complain about this.
It is pretty stable.
You can add more servers for some functionalities. For now, I haven't found any issues with the scalability, even with large organizations (more than 80,000 employees).
While I don't open many cases, when I do open one, normally the response is quick. They either give me a solution or put it in the queue to do it. So, for now, it is okay.
The initial setup is straightforward and easy: Install the product and connect the domains. The configuration can be complex or easy depending on the customer.
The solution has saved our customers time by automating tasks that could take from half an hour to 45 minutes.
Test it. Whenever you test it in your real environment, you normally want it.
If you talk with an AD administrator about this solution and you display the features: How you save time, how you avoid errors, etc. It's a really good product. The main problem is getting companies to pay money for the product, but all AD administrators want to have this solution.
We use it to lock down the interface between helpdesks and Active Directory.
It's improved things because we don't have "cowboy changes" being made to AD without us knowing about it. People still have to do the things they need to do, but we can now make sure that they don't inadvertently do something they shouldn't.
It hasn't saved us time in terms of what needs to be done, but it has saved us time in terms of not having to go back and fix stuff when people have made mistakes.
It gives us attribute-level control and the AD management features work very well.
For what we use it for, there are no additional features it would need.
Most of the time it just works.
It works at the scale we use it at. I can't say whether it would work in much bigger enterprises or not.
I, personally, have never had cause to use technical support. My guys have interacted with them a few times and have been happy with the support they've received.
Previously, people were able to update AD directly. We have reduced that by pushing everything through Active Roles. Our decision to go with this solution was part of the need to lock things down, make things more secure.
We did the deployment ourselves.
My advice would be to certainly consider Active Roles and, depending on the size of the organization, consider integrating it with Starling as well.
I know the solution is extensible through cloud-delivered services but we don't use those currently.
I would rate Active Roles a nine out of ten, based on the convenience it's given us.
We primarily use it for delegation access permissions, to helpdesks for example. We use it to automate certain things, like onboarding new users, deprovisioning leaving users, or when we add somebody to a group it triggers some kind of automation workflow. Lastly, we use it to sanitize data entry, to make sure that the first letter of the street name is capitalized, certain zip codes are allowed, others aren't; it's a type of data control.
It helps mitigate risks. With traditional, native Active Directory delegation, it can become really messy, really fast. You lose oversight on who has access where. We are an acquisitions and mergers company so we let go of certain companies and we onboard new ones. With native delegating, we can lose track of who has access and to what. With Active Roles, we can always see who has access, what they can do, in a very granular way. A user can modify the street name, but can't modify the city, for example; or can modify the picture, but not the names. That granularity is not normally available.
It has eliminated a lot of tedious IT tasks, especially when people leave. There are ten or 15 scripted actions that Active Roles does, always the same way and at the same time. Before, there would literally be a list of things that the admin would have to do, like hide the mailbox, disable the user, remove the groups, etc. Also, the auditing history that it keeps is very handy for us. It gives us a change record of what's been done to a user, who did it, when they did it, and that really helps out.
And now that we are outsourcing a lot of activities, we're dealing with a changing audience. Tools like this make sure that they do everything in a structured manner, that everybody does the same thing at the same time.
It's valuable to us in that it resembles the native tools that most people have grown accustomed to. Most people come from another company where they may have not used Active Roles. Active Roles resembles traditional tools, such as from Microsoft. That is really good because it eases the way people to interact with the tool.
The AD and AAD management features of this solution are really good. They're better than the native tools. They offer added value by showing more fields such as password age and the statuses of some things that we normally wouldn't see. What I really like is the fact that we have the mailbox and the user information all on one screen. With native tools, you need two tools to show that information.
Active Roles allows policies and there are a lot of example policies that come with it. It has Access Templates and there are a lot of Access Template examples in it. It also has workflows and those are really powerful, but there are no built-in workflows. When it comes to them, it's empty. I would personally love for it to come with ten, 15, or 20 workflows where each achieves a certain task but that are not enabled. I could just look at how each is done, clone them, copy them, modify them the way I want them, and be good to go. Right now we have to invent things from scratch.
It's very stable. Even if components lose connectivity or the database dies, as soon as they come back up, it just reconnects and goes.
It covers everything we want. It's scalable. We can make it redundant, we can replicate databases. We don't use a lot of those features, but it's very scalable.
The reason we went with this solution - and it was ten or 15 years ago - was the Active Directory delegation. We could not allow everyone to have native access to our Active Directory. The delegation feature was really the trigger. In addition, the automation was attractive. There was so much room for human error that we wanted to script activities, rather than relying on the admin knowing what to do.
It requires a bit of getting used to, where you set what. But once you get the hang of it, it's really straightforward.
The ROI is in the mitigation of risks: The risk of leaving unauthorized access behind, the risk of having Active Directory pollution. With that comes risks of people getting access they shouldn't have. There is the risk of having multiple accounts for the same thing; that's the biggest part. There's no actual money there, but risk management is really what you pay for.
We considered using the Microsoft solution because it's free and built-in, and already there. That's what everybody does. But when you grow beyond a certain size, you find out that it just does not cut it anymore.
We also considered using other tools, but at the time, Active Roles was very much alone in this world. I have to admit, now there are other vendors available, which I don't have any personal experience with, but on paper, they seem to do some of the same things. But at the time, there was simply nothing else that could even come close.
I would give this solution a nine out of ten. There's always room for improvement. With every product, nothing is completely done. But this product is definitely up there.
RBAC for AD and Exchange
Provisioning, Re-provisioning, De-provisioning and Undo-De-Provisioning of user accounts
User Self Service
Virtual AD firewall
No issues encountered.
No issues encountered.
It's good. In fact, the One Identity (Quest) support team has easy access to the One Identity (Quest) product developers. In case of any technical issues which has something to do with the product architecture or a bug, the support engineer brings in the developer in a remote session so that the developer understands the issue. The developer(s) then work on a patch to address the issue.
I did not use any other solution.
The initial setup is pretty straightforward. It's not at all complex.
Our company, Amal IT Solutions, is a One Identity (Quest) partner. Our consultancy has 10+ years of experience with this solution.
I won’t be able to provide ROI from commercial perspective, but from the below points one should be able to figure it out:
It’s a gentleman’s agreement.
Licensing is based on Enabled User Accounts in AD. This should include user accounts, application accounts and service accounts.Temporary accounts could be excluded, but no one from vendors really challenge the user count which the customer provides. Some customer’s find the price bit on higher side but, for me, the price is competitive compared to other products with similar functionality and considering the ROI.
The product functionality does not cease if the customer exceeds the license count. The vendor does not want to force the customer to stop using the product if the license count increases. Instead, customers can buy additional licenses without hampering the day to day work.
We didn't evaluate other products.
This product has tremendous potential. It can be used to automate a lot of day to day activities. I always tell my customers, list down all your requirements, pain areas, and day to day tasks. Prioritize them, and use this tool to automate these tasks as per priority.
When a new employee is hired, we create a new Active Directory (AD) user in a related department (Organizational Unit) with a random generated password, then give that user some AD rights. Also, we create an exchange mail user for this user on cloud or on-prem and inform that user by sending a notification mail or SMS. We did similar things in other systems and did all the process manually before Active Roles. That means lots of workload and manual processes. Active Roles provided us to do all these operations automatically and reduced our workload very significantly.
For ActiveRoles, it would be good if the product supports multi-scripting language. You can use only VBScript.
VB.net , C#, or Powershell scripting would be a good choice for the product.
Technical support replies really promptly. The support team is very experienced and focused on the product. On the other hand, there is a community portal and you can find every piece of knowledge on there.
We have not used any similar products before. We did all related operations manually.
It was very straightforward.
The licensing model is a simple user-based model, not that much complicated.
We evaluated and researched other options, such as NetIQ, FIM, Oracle, CA, IBM, and SailPoint.
However, Active Roles is most suitable for us.
It is very important to come together with system owners who will be integrated at the beginning of the project to clarify all the rules and determine the work to be done. Test environments of the systems to be integrated must be requested. Test environments are so necessary.
It provides automatic provisioning for many applications and systems, including in-house applications and cloud applications. Also, it offers a virtual directory structure and a new directory layer between users and physical directories. Management and monitoring become easier.
Scripting options in different languages.
It is excellent. Quick and useful answers.
They also have a large community portal where you can find a lot of information.
I didn't use any other solution, but I evaluated many solutions.
It was simple. I didn't have a problem. It took half a day.
There is a simple user-based licensing model. Not complicated.
Yes. NetIQ, FIM, Oracle, CA, IBM, and SailPoint.
Choose your project team well. Remember that analysis of all processes is very important. Don't forget that testing is also very important after each development.