What is our primary use case?
We are using Active Roles for provisioning Active Directory objects and we also use it to connect, through Active Roles Synchronization Service, to our HR system and to provision and deprovision employees.
In general, we use it to provision any object: security groups and computer objects, in a delegated manner. Active Roles Server allows the security of Active Directory to be changed to delegate access for provisioning to different IT teams, without changing the actual security of Active Directory.
The solution is co-located in our data centers.
How has it helped my organization?
With delegated access to Active Directory, it allows us to revoke a lot of the admin rights. It gives us a better lockdown and a more secure environment than we used to have.
It has eliminated tasks that were bogging down our IT department, especially in certain workflow automations. Through Active Roles Synchronization Service, we can process data coming from HR and automatically update those attributes and data fields straight into Active Directory, versus doing it on a manual basis or through bulk imports. Also, the fact that we can enforce data formats and policies saves us time since we don't have to go back and do a cleanup.
In addition, because we are able to remove the main admin rights, there are fewer uncontrolled changes, and when you have fewer uncontrolled changes you have a higher availability of the service, overall, and fewer audit findings.
The solution automates provisioning. In our HR system we are automating the creation, termination, and ongoing management of all of our employee base. We have between 5,000 and 6,000 employees, and all those processes are fully automated, with IT being completely hands-off. It saves a lot of hours, easily on the order of hundreds of hours per year.
The fact that we have decreased certain operational costs, by means of automation, of course means we have been able to reallocate the time of some of our resources for more value-added activities. Because we implemented this 10 years ago, things have changed over time. It has become an established practice, process, and technology so it's hard to estimate how many FTEs we have been able to reallocate, but it would probably be at least one.
One Identity Active Roles has also improved the accuracy of our onboarding process. As a company, our onboarding process for people is subjected to SOX audits. Ten years ago we were in a situation where we had hundreds of nonconformities. Today, we essentially have zero nonconformities.
Another benefit is that the solution most definitely reduces risk for our organization. By avoiding changes to the native Active Directory security, and the fact that there is role-based access control to manage Active Directory itself through the application, there has been a dramatic reduction in risk.
What is most valuable?
The most valuable feature is the ability to delegate by using permissions and workflows.
Another good feature is the Change History. It's centralized in a single place and allows us to manage people's Active Directory domains from a central location. We can also drill down into individual objects in a troubleshooting or even an auditing situation. We can show evidence to auditors by drilling down into the individual history. It gives you all the history of what happened around an individual object. That is something that would be almost impossible to do in Active Directory, or extremely complicated.
We can also enforce data formats. That creates a higher quality in the data that we store in the directory by enforcing naming conventions and data formats.
In addition, we can reach the data set by using virtual attributes, rather than extending that, so we can put schema attributes in ARS that live in AR without actually impacting the Active Directory environment.
One other thing that I really like about this product, as an engineer, is the design of it, meaning not how it looks, but how it was designed architecturally. This is one of the greatest strengths of the product. It's just designed right.
What needs improvement?
The overall UI needs a refresh; the web interface requires some modernization.
We would also like to have a SaaS version of Active Roles. Rather than implementing it in our data center, it would have been nice having a SaaS-delivered solution.
The third area for improvement, which is the weakest portion of ARS, is the workflow engine, which was introduced a few years ago. It's slow and not very intuitive to use, so I would like to see improvement there.
For how long have I used the solution?
We have been using One Identity Active Roles for about 10 years.
What do I think about the scalability of the solution?
The scalability of the solution relies on the environment where it is deployed. We are a smaller company, but we are using the same design and architecture that we used initially, where we have about 15,000 to 20,000 users. We have added multiple domains, four or five, and we have never seen any issue from a scalability standpoint. I don't know if it scales to hundreds of thousands of users, but for our environment, scalability has never been an issue.
We have a very good adoption rate, from a user standpoint. I can't see many areas where it could be expanded. We are leveraging the tool at a very good capacity. I don't foresee any expansion because we are using it pretty heavily.
How are customer service and technical support?
The support service provided by the vendor on this product is pretty solid. It is an excellent support service. I would rate them a solid nine out of 10. They always have a solution or a workaround. They're very responsive and very knowledgeable. Sometimes I wish that we had the same level of support from other vendors.
Which solution did I use previously and why did I switch?
We used the Microsoft native tools. We switched to Active Roles because the Microsoft native tools were really for managing the core components and didn't have all the capabilities of provisioning, deprovisioning, role-based access control, and change history. They didn't have the proxy approach to manage Active Directory in a centralized way. With Microsoft, Active Directory is distributed by nature, versus ARS which centralizes it.
How was the initial setup?
One of the strengths of Active Roles is that it is easy to implement, easy to upgrade, and very intuitive, except for the workflow engine. And it's not even resource-heavy. It works on a very lightweight infrastructure and doesn't need multiple servers or any complex architecture. It's a very lean, robust, and effective tool, with low maintenance costs.
Our deployment took a couple of months, maybe less.
The tool is so straightforward that the approach was very simple. We analyzed the requirements that we had, back in the day, especially in terms of access and provision, and we just mapped them into Active Roles Server. The overall first phase of installation was very simple.
In terms of maintenance of the solution we need a part-time person, a security engineer who specializes in access technologies. The maintenance of it is super-lightweight. It's really just a few hours a month.
What was our ROI?
ROI is a very tough question because we implemented it 10 years ago. I don't have a number. But I would say that, in a large organization, Active Roles is probably something that pays back quickly. It's so integrated into our processes today, that we couldn't even think about doing without it, and replacing it with manual work.
What other advice do I have?
If you have a need to put controls on your Active Directory environment, and there is significant manual work to put those controls in place, regardless of their effectiveness, or you have a risky native configuration that has to be addressed, my advice is that a solution like this is going to do the job pretty brilliantly.
It is a great solution with a lot of capabilities. It provides different types of value for each of the capabilities that it has. Over a decade, this solution has done its job.
It's a very stable system, easy to implement, easy to upgrade, and has very low operation maintenance costs. We are a very happy customer of Active Roles.
Which deployment model are you using for this solution?