One Identity Active Roles Review

ARS has been instrumental in ensuring accounts get cleaned up when they get deprovisioned


What is our primary use case?

Our primary use case has definitely evolved since our very first use case, which was for delegation of rights within Active Directory without having to give folks native rights through Active Directory. That was our biggest driving factor into the use of Active Roles. All the other stuff that it does is a benefit, and we use it all heavily. However, we're very big into using the least privileged model and having the least amount of Active Directory native rights out there, as this cuts down on issues later. By having less people with native Active Directory rights, this cuts down on potential issues that we have to troubleshoot.

It is used in our on-prem Active Directory, but the servers themselves are hosted out of Azure. So, we use IaaS, which is just having VMs in the cloud versus having our VMs on-prem. The only cloud aspect is that VMs are hosted in the Azure IaaS instance. It's a normal VM, which is part of our on-prem Active Directory, but it just happens to be hosted in Azure.

How has it helped my organization?

The biggest thing for us is Active Roles saves a lot of man-hours, from keeping groups up-to-date manually or trying to write some sort of script that you have to run, so we don't have to reinvent the wheel. Instead of when every time somebody joins a department, then somebody has to remember to put in a request to add "meet user Joe" to this group, the solution does it automatically for us. Therefore, it saves our business and IT staff time because they do not have to process requests since Active Role can do it for them. 

We have about 2000 of these groups in a pretty substantial company of 55,000 employees. Active Roles cuts down on a good number of these tickets every time somebody is brought onboard.

We are a large company who does a lot of department codes. People are coming and going from the company daily. Active Roles probably saves us an upwards of 500 requests a week.

The solution has eliminated admin tasks that were bogging down our IT department. Now, nobody from IT has to take action to update the group in cases when someone joins or leaves the company.

Active Roles has assisted us greatly in provisioning and deprovisioning accounts as folks come and leave the company. We have automation in place that utilizes Active Roles to create and deprovision accounts as folks leave. ActiveRoles Server (ARS) has been instrumental in making sure accounts get cleaned up when they get deprovisioned. Other features of Active Roles, such as Dynamic Groups, have helped us to streamline the process. It's not taking everything away for us, but it's provided us a lot of streamlining. It probably saves, on a per user basis, a half an hour of man-hours between different tasks once you put everything together. This saves us about 40 hours of work for somebody a week.

When our HR department terminates an account, we have a script that talks to Active Roles and sends Active Roles a provisioning command. We have Active Roles set up to do a variety of tasks where deprovisioning is requested. The most important one for us is that after so many days of that account still being disabled and the person being gone, Active Roles will clean that account up for us and delete it out of AD. Therefore, we don't have to manually go in, terminate folks, clean up the accounts, and all that other stuff that happens when someone leaves.

Between the automation of using Active Roles to do our onboarding, policies, and workflows, we can ensure that the data that gets put into Active Directory during the onboarding of any type of object for Active Directory is accurate, meeting our standards so we don't get junk put in there. This has helped streamline things. One of the hardest things from an Active Directory management perspective, without a tool like Active Roles, is controlling how people do something. How I would want to install or set up a new user might be different than the person next to me, e.g., you can give somebody a set of policies to follow when you're not using a product like Active Roles, then it's up to them to interpret that and follow them. Active Roles allows us to enforce those policies so the data that gets put into Active Directory is cleaner and consistent. Having consistent data allows us to do a lot more automations and ensuring people and objects are set up properly.

It definitely improves our security. We are a larger company, so we have a lot of IT staff who are responsible for different parts. Someone does new groups while someone else does servers. There are a lot of hands touching Active Directory. Using a product such as Active Roles, we can delegate those rights to the hundreds of accounts for people to do their jobs. This reduces our risk for somebody's account being compromised. If they have native rights in Active Directory and an account is compromised, that is a higher security risk than just using Active Roles, because the only way somebody can make a change in Active Directory when ARS is involved is to use the Active Roles interface. If someone hacks in and tries that, they're not going to be able to do that. So, it definitely improves our security posture. We have only a handful of people with highly privileged accounts in our environment because of Active Roles.

Active Roles has a PowerShell interface that allows us to let other parts of our environment and other applications, which might need to interface with it, make changes within the Active Directory by utilizing PowerShell commands. We can apply the same principle as our security rights so they have to use Active Roles, reducing our risk from a security perspective.

What is most valuable?

All of the features have been valuable, and that is not often so. We use probably 90 to 95 percent of the features of Active Roles. The only one we don't use right now is the plugin to Azure because we just use Active Roles for on-prem management of our Active Directory. 

My favorite feature is probably the Dynamic Groups and the fact that Dynamic Groups are built pretty much on the fly and kept up-to-date. That is huge for us. There are so many features, if I had to pick one, then Dynamic Groups would be my favorite. We routinely will get requests from our business, saying, "We need a group that contains everybody in this particular department," whether it be a distribution list just for emails, a group to secure a file server, etc. With Active Roles, we can create this group and tell Active Roles, "Every user account that you find that has department equaling whatever 'this is', then put them in this group." 

The way Active Roles works: As soon as somebody gets the value in that department field changed to something that matches, then Active Roles puts it into that group in almost real-time. As soon as it replicates through Active Directory and Active Roles, the DC that Active Roles is using sees that change, then Active Roles take action and keeps those groups up-to-date for us.

One feature that we use a lot is temporal group membership. It allows us to put somebody in a group on a time basis. We can say, "You get put in this group," then you will automatically come out on this date at this time. We can either put them in on a date and time or take them out on a date and time. It's a great teacher, and it's also one of those things that native tools doesn't allow us to do.

What needs improvement?

When doing a workflow, we would like a bit better feedback on the screen, as we're trying to get it to work. For example, there is a "Find" function that you need set up in a workflow to do some of the automation. It is not the easiest to get a result from those finds when you're trying to do that. In the MMC, they have a couple different types of workflows. In this particular case, we use their workflow functionality to find all of X within the environment, then if you find it, do X, Y, and Z. You can have multiple steps. When you do that search function within that workflow, it's really hard to find out, "Is my search working?" It would be nice if there was some feedback on the screen so you could see if your search is working properly within the workflow.

There are other finds, like when you just simply go look in Active Directory, and say, "Find." I absolutely love that we can export the results from that one. It's only the search function within the workflow that could be a little bit better. 

In version 7.4.1, they added support for SAML authentication to the web pages and the documentation was quite lacking. The documentation for that, in particular, needs a lot of work. I ended up having to work with support over multiple sessions to try and get that to work properly. 

This was a newer function for 7.4.1, so I had never used it before in the previous versions. When you downloaded their product, the documentation was the same as they had posted on their website. It was the same in both places. It was very broken up and wasn't complete. It needed to be reworded and flow better so somebody new could follow it a bit better. Because even after following all the solutions, even the tech support said to do it differently than what was in the document before we could get it to work. Therefore, I would definitely like to see some work on the documentation for that area.

For how long have I used the solution?

I have been using it for 10 or 11 years: a long time. I've been around since version 6.1. Though, my experience mostly started at version 6.7 and up.

What do I think about the stability of the solution?

I have used so many different versions of it. Some of them were better than others. This current version seems to be very stable for us, so we're very happy with version 7.4.1.

What do I think about the scalability of the solution?

It is very scalable. We are an unusual environment. We have multiple Active Directories that we support and the product has been great in supporting those multiple directories. I would imagine a large majority of folks who might go to use this are going to have just a couple Active Directory domains. We have seven on our original instance, and we'll have those seven plus a few more on our other one when we're finished. We're doing some consolidation, but we're not quite there yet.

Active Roles is used for every change to Active Directory in our environment. Our usage is extensive. If there's a scale of one to 10, it might be over a 10 for how much we use this product. We're always adding to it. We find a need for something, and if we can automate something in Active Roles, we will use Active Roles to do that automation. What we really like about that is that it gives us one place to go whenever we need to do automation for Active Directory. We don't need to have multiple things all over the place. ARS can do all of it.

We have over 900 staff who don't all use it at the same time. However, at any given time, about 900 people could be using it. We have help desk staff who use it along with our One Identity staff. They're in there constantly all day, every day, 10 hours a day, for each person. They could be doing anything from password resets, creating new accounts, updating accounts, granting access to somebody for a new program, etc. We also have our end user support staff and our data center staff who use it to stage and get new servers and workstations setup. Those are probably our four main groups that use it. We have some other users, but those are the main ones who use it.

How are customer service and technical support?

The technical support is generally very responsive. There are a few that I know by name because we work with them quite a bit. Over the years, we have set up different products. If they can't get you going, they don't hesitate to involve their programming staff to get things going.

Which solution did I use previously and why did I switch?

Prior to using Active Roles, we were just using native Active Directory tools.

Active Roles is a thousand times better than native Microsoft tools. There is so much that this tool brings that the native Microsoft tool does not, such as Dynamic Groups and the ability for us to enforce policies. So, when we say, "Fill in this field," we make sure it gets filled in and it gets filled in with these values, because that's what we're expecting. We're getting clean data put into Active Directory. Automation doesn't come with the native tools either. 

How was the initial setup?

I have set up this product many times, including our current one. Because I have done the setup so many times, it is now pretty straightforward for me. For someone who has never done the setup before, they might consider it complex. However, because I have had so much experience doing the setup before, I didn't hardly even look at the document on it.

The deployment time depends on how many servers that I'm cloning. I can get an initial version of Active Roles up and running, if I have all my OS and everything ready to go, in under a workday.

What about the implementation team?

Going back a number of versions, we did have Quest come in and work with us on our initial setup. This is many years ago, probably nine, when I personally was just getting involved with it. I found it very helpful. I got a lot of very helpful tips, as I was still learning the product back then. I would maybe recommend for somebody who really wants to do a lot of the automation and use the product to the fullest to bring in somebody who could help add those parts to it and get them going faster.

I do the deployment myself. I also have a couple folks that we brought in who are coming up to speed and learning Active Roles from me now. I think it depends on the size of the environment. In our environment, we have 12 servers because we have to support a pretty large IT staff who will be using it. We're trying to get three to four subject-matter experts on Active Roles from a support perspective because we want one person to be the only person who knows the product. Because if something happens, they're out of luck if that person's not around. However, the deployment and maintenance can be done with just one person. It's not a huge product to worry about.

What was our ROI?

We have seen ROI. We did an initial look at Active Roles when we first started using it. We were smaller at that time and have sine gone through an acquisition, growing in size. At that time, we saw a reduction of about 150 tickets.

Which other solutions did I evaluate?

Last year, when we had just gone through a merger, we did do an evaluation. We had a consultant come in and do the evaluation for us. 

What other advice do I have?

If you are very new to the product and want to get your money's worth out of it when you utilize it, because it has a lot of features, use an implementer or get some consulting time to make sure that you're utilizing it to its full potential.

Biggest lesson learnt: Our IT staff, prior to using this, never really followed instructions.

We're not using Azure Active Directory with Active Roles in any way. We do love that we can manage multiple Active Directories from one console and have that single pane of glass on-prem. We have multiple Active Directory environments, so we can manage them and see them all in one place.

It's not integrated with a PAM solution at this time. We've thought about it, but we're not there yet.

I would rate this solution a 10 out of 10.

Which deployment model are you using for this solution?

On-premises
**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More One Identity Active Roles reviews from users
Add a Comment
Guest