IDM Light with Active Roles
An “IDM Light” solution refers to a simplified identity management (IDM) approach that provides core identity and access management capabilities without the complexity, cost and implementation effort of a full-scale enterprise IDM suite.
What does IDM Light typically include?
- Basic identity lifecycle management
  - Joiner, mover and leaver processes (to create, update and disable accounts)
- Password management
  - Self-service password reset and password policies
- Basic provisioning
  - Automated account creation in AD, Entra ID and a few other key systems
- Role or group management
  - Simple role-based access control (RBAC) or group assignments, based mostly on Active Directory or Entra ID groups and roles
- Audit and reporting
  - Basic compliance reports for user accounts and permissions
What does it NOT include?
- Complex workflows or multi-step approvals
- Advanced governance features (e.g., access certification, entitlement management)
- Deep integrations with dozens of applications
- Full-scale identity governance and administration (IGA)
Why choose IDM Light?
- Faster implementation (weeks instead of months)
- Lower cost compared to full IDM suites
- Ideal for small to mid-sized organizations or as a first step toward full IAM maturity
- Reduces manual processes without overwhelming IT teams or the business
One Identity offers a complete solution with Active Roles and Password Manager, providing even more functionality than typical IDM Light solutions.
Active Roles is exceptionally easy to use as it comes with numerous standard features and is supported by a large global community.
All essential features of an IDM Light solution are included in Active Roles by default, such as:
Identity lifecycle management
Joiner, mover and leaver processes can be fully implemented using defined provisioning and deprovisioning policies. This allows user accounts, groups and computer accounts to be automatically created, modified and deleted based on established policies.

The JML process can be executed manually or automated through the Synchronization Engine. Input data can be validated and adjusted within the synchronization settings. Validation and automatic population of additional attributes is possible even during manual entry.
For example, calculating the login name can be based on first and last name. To ensure data quality, dropdown lists can be displayed instead of free-text fields. For instance, the “Department” attribute can show a real-time list from an external source such as a database or file, preventing incorrect entries. This is particularly important when using dynamic rules and groups.
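The two policies just described, a login name calculated from first and last name and a Department value that must come from an external list rather than free text, as an added example for this article (it is not Active Roles or One Identity code). The external source is a constructed CSV string standing in for a database or file; the 20-character cap is the sAMAccountName limit, and the suffix scheme for collisions is an assumption of this example.

```python
"""Provisioning policy: computed login name plus validated Department input.

Added example for this article, not Active Roles or One Identity code. It models
two of the policies described above: the login name is derived from first and
last name and made unique, and the Department value is validated against an
external list (a constructed CSV string standing in for a database or file).
"""
import csv
import io
import re
import unicodedata
from typing import Dict, Optional, Set

# Constructed stand-in for the external Department source that would feed the dropdown.
DEPARTMENT_SOURCE = """code,name
FIN,Finance
HR,Human Resources
IT,Information Technology
"""

SAM_MAX_LEN = 20  # length limit of the pre-Windows 2000 logon name (sAMAccountName)


def load_departments(source: str = DEPARTMENT_SOURCE) -> Dict[str, str]:
    """Return {display name: code}; the keys are exactly what the dropdown offers."""
    return {row["name"]: row["code"] for row in csv.DictReader(io.StringIO(source))}


def _ascii_fold(text: str) -> str:
    """Drop accents and every character outside [a-z0-9], so 'Jörg' becomes 'jorg'."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def calculate_login_name(first: str, last: str, existing: Set[str]) -> str:
    """Build <first initial><last name>, capped at SAM_MAX_LEN and unique within `existing`.

    `existing` holds already-used login names in lower case. A collision gets a
    numeric suffix that still fits the length limit (assumed scheme): jsmith, jsmith2, ...
    """
    base = (_ascii_fold(first)[:1] + _ascii_fold(last))[:SAM_MAX_LEN]
    if not base:
        raise ValueError("first and last name contain no usable characters")
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        suffix = str(n)
        candidate = base[: SAM_MAX_LEN - len(suffix)] + suffix
    return candidate


def validate_new_user(attrs: Dict[str, str], existing: Set[str],
                      departments: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Apply the provisioning policy to one input record (manual entry or sync feed).

    Returns the completed attribute set, or raises ValueError so the request is
    rejected before anything reaches the directory.
    """
    departments = load_departments() if departments is None else departments
    first = attrs.get("givenName", "").strip()
    last = attrs.get("sn", "").strip()
    if not first or not last:
        raise ValueError("givenName and sn are required")
    dept = attrs.get("department", "")
    if dept not in departments:
        # Free text is refused: only values the external source offers are accepted.
        raise ValueError(f"department {dept!r} is not in the external source")
    result = dict(attrs)
    result["sAMAccountName"] = calculate_login_name(first, last, existing)
    result["departmentNumber"] = departments[dept]  # populated automatically from the source
    return result


if __name__ == "__main__":
    taken = {"jsmith"}
    print(validate_new_user({"givenName": "Jörg", "sn": "Smith", "department": "Finance"}, taken))
```

The same validation runs whether the record arrives from a manual form or from the synchronization feed, which is what keeps dynamic rules based on the Department attribute from silently missing users with a misspelled value.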

Just as objects can be provisioned, they can also be deprovisioned or deleted. Specific policies define how each object should be handled, such as user accounts.

Additionally, the self-service portal allows users to edit their own data and manage responsibilities such as Active Directory groups, including accepting or rejecting membership requests.
Another key feature is the ability for users to reset MFA settings for their Entra ID account without contacting an administrator or helpdesk—ideal when switching mobile devices and re-enrolling the authenticator.
Password management
The One Identity Password Manager provides end users with a simple and fast way to reset their password or unlock a locked account without IT support or additional hardware such as kiosks.

The solution is multi-domain capable and supports both Microsoft Active Directory and AD LDS. It also integrates directly with the Windows Hello login screen, enabling password resets without prior sign-in.

Different password and password-change policies can be defined for various user groups to ensure maximum flexibility and security. Integration with One Identity Defender for multi-factor authentication (MFA) is also available. Using the Capture Agent, all password changes in Active Directory are captured and distributed to all defined systems via the Active Roles Synchronization Engine.
Basic provisioning
One Identity Active Roles offers multiple options for simple and efficient provisioning of all objects in both Active Directory and Entra ID.
With One Identity Defender for two-factor authentication, Safeguard Authentication Services for integrating Unix, Linux and macOS systems into Active Directory, and the Active Roles Synchronization Engine, provisioning can be extended to numerous other systems and applications.
Role or group management
One Identity Active Roles can manage Entra ID and Active Directory roles and groups in various ways. In addition to traditional manual methods, the solution allows any group, whether a security group or a distribution list, to be converted to rule-based membership using static or dynamic rules. Simplified segregation of duties (SoD) rules can also be created by defining criteria to include or exclude specific objects.

Another powerful feature is the automatic creation of groups based on search criteria such as new values in a user’s department attribute. This can automatically generate a new distribution list for the department and can add all relevant users as members.
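An added example (not Active Roles or One Identity code) of the two mechanisms above: a dynamic rule with include and exclude criteria that doubles as a simple SoD rule, a reconciliation pass that computes what a sync would add and remove, and automatic creation of a distribution list per department value. The user records are a constructed in-memory list standing in for Active Directory or Entra ID attributes.

```python
"""Rule-based groups, simplified SoD criteria and automatic department groups.

Added example for this article, not Active Roles or One Identity code. Users are
a constructed in-memory list; in a deployment the criteria would be evaluated
against Active Directory or Entra ID attributes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample directory records.
USERS: List[Dict[str, object]] = [
    {"sAMAccountName": "asmith", "department": "Finance", "title": "Accountant", "enabled": True},
    {"sAMAccountName": "bjones", "department": "Finance", "title": "Auditor", "enabled": True},
    {"sAMAccountName": "cwong", "department": "IT", "title": "Administrator", "enabled": True},
    {"sAMAccountName": "dlee", "department": "IT", "title": "Helpdesk", "enabled": False},
    {"sAMAccountName": "emeyer", "department": "Finance", "title": "Accountant", "enabled": False},
]


@dataclass
class DynamicRule:
    """A user is a member if ANY include criterion matches and NO exclude criterion matches.

    Each criterion is a dict of attribute -> value; every attribute in it must match (AND).
    """
    name: str
    include: List[Dict[str, object]]
    exclude: List[Dict[str, object]] = field(default_factory=list)


def _criterion_matches(user: Dict[str, object], criterion: Dict[str, object]) -> bool:
    return all(user.get(attr) == value for attr, value in criterion.items())


def evaluate(rule: DynamicRule, users: List[Dict[str, object]]) -> List[str]:
    """Return the sorted login names the rule resolves to right now."""
    members = []
    for user in users:
        included = any(_criterion_matches(user, c) for c in rule.include)
        excluded = any(_criterion_matches(user, c) for c in rule.exclude)
        if included and not excluded:
            members.append(str(user["sAMAccountName"]))
    return sorted(members)


def reconcile(rule: DynamicRule, users: List[Dict[str, object]],
              current_members: Set[str]) -> Dict[str, List[str]]:
    """Diff desired against current membership: what a sync pass would add and remove."""
    desired = set(evaluate(rule, users))
    return {"add": sorted(desired - current_members), "remove": sorted(current_members - desired)}


def department_groups(users: List[Dict[str, object]], existing_groups: Set[str],
                      prefix: str = "DL-") -> Dict[str, List[str]]:
    """Create one distribution list per department value that has no group yet,
    filled with that department's enabled users. Returns only the new groups."""
    new_groups: Dict[str, List[str]] = {}
    for user in users:
        name = f"{prefix}{user['department']}"
        if name in existing_groups:
            continue
        new_groups.setdefault(name, [])
        if user["enabled"]:
            new_groups[name].append(str(user["sAMAccountName"]))
    return {name: sorted(members) for name, members in new_groups.items()}


# Simplified SoD rule (constructed): Finance accountants may approve payments, auditors never
# may, and disabled accounts never qualify regardless of title.
PAYMENT_APPROVERS = DynamicRule(
    name="Payment Approvers",
    include=[{"department": "Finance", "title": "Accountant"}],
    exclude=[{"title": "Auditor"}, {"enabled": False}],
)

if __name__ == "__main__":
    print(evaluate(PAYMENT_APPROVERS, USERS))
    print(reconcile(PAYMENT_APPROVERS, USERS, {"asmith", "bjones"}))
    print(department_groups(USERS, {"DL-IT"}))
```

The exclude list is evaluated after the include list, so an auditor who also carries the Accountant title, or a disabled account that still matches the department, is kept out of the group without a manual review.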
Audit and reporting
One Identity Active Roles includes numerous standard features to support audits and provide required data in report format.

The Check Policy function verifies whether all objects comply with defined rules, ensuring data consistency and preventing missing or incorrect information. If needed, authorized users can correct data immediately.

All actions performed through Active Roles are recorded in the Change History, allowing you to see who made changes, when and to which object. The status of changes, such as whether approval is required and still pending, is also displayed.

Information can be periodically written to a dedicated reporting database via the Report Collector. More than 60 standard reports are available in Power BI, which can be exported as PDFs or in other formats. Power BI integration also enables custom reports and dashboards for tailored analysis.
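The Check Policy sweep and the Change History described above, as an added example for this article (not Active Roles or One Identity code): a set of rules is run over every object and each failure is reported, an authorized user corrects a value, and every correction is recorded with actor, time, old and new value and its approval status. The objects, the three policies and the assumption that group membership changes require approval are all constructed for the example.

```python
"""Check Policy sweep plus a change history that records who changed what, when,
and whether an approval is still pending.

Added example for this article, not Active Roles or One Identity code. The
objects, the three policies and the "memberOf needs approval" rule are
constructed; a deployment would read objects from the directory and rules from
its configured policies.
"""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators"}
ATTRIBUTES_REQUIRING_APPROVAL = {"memberOf"}  # assumption: group changes go through approval

# Constructed directory objects (one dict per object).
OBJECTS: List[Dict] = [
    {"dn": "CN=asmith,OU=Users,DC=example,DC=com", "enabled": True,
     "manager": "CN=mboss,OU=Users,DC=example,DC=com", "department": "Finance", "memberOf": []},
    {"dn": "CN=cwong,OU=Users,DC=example,DC=com", "enabled": True,
     "manager": "", "department": "IT", "memberOf": ["Domain Admins"]},
    {"dn": "CN=dlee,OU=Users,DC=example,DC=com", "enabled": False,
     "manager": "CN=mboss,OU=Users,DC=example,DC=com", "department": "", "memberOf": ["Server Operators"]},
]

# Each policy is (name, predicate); the predicate returns True when the object complies.
POLICIES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("enabled users must have a manager", lambda o: (not o["enabled"]) or bool(o["manager"])),
    ("department must be set", lambda o: bool(o["department"])),
    ("disabled accounts must not hold privileged group membership",
     lambda o: o["enabled"] or not (set(o["memberOf"]) & PRIVILEGED_GROUPS)),
]


def sample_objects() -> List[Dict]:
    """Fresh copy of the constructed objects so a sweep can start from a clean state."""
    return copy.deepcopy(OBJECTS)


def check_policy(objects: List[Dict], policies=POLICIES) -> List[Dict[str, str]]:
    """Return one violation record per (object, policy) pair that fails."""
    return [{"dn": obj["dn"], "policy": name}
            for obj in objects for name, complies in policies if not complies(obj)]


@dataclass
class ChangeEntry:
    id: int
    actor: str
    dn: str
    attribute: str
    old: object
    new: object
    requested: datetime
    status: str  # "Completed" or "Pending approval"
    approved_by: Optional[str] = None


@dataclass
class ChangeHistory:
    entries: List[ChangeEntry] = field(default_factory=list)

    def record(self, actor: str, obj: Dict, attribute: str, new_value: object,
               now: Optional[datetime] = None) -> ChangeEntry:
        """Log a change; apply it at once unless the attribute needs approval first."""
        now = now or datetime.now(timezone.utc)
        needs_approval = attribute in ATTRIBUTES_REQUIRING_APPROVAL
        entry = ChangeEntry(len(self.entries) + 1, actor, obj["dn"], attribute, obj[attribute],
                            new_value, now, "Pending approval" if needs_approval else "Completed")
        self.entries.append(entry)
        if not needs_approval:
            obj[attribute] = new_value
        return entry

    def approve(self, entry_id: int, approver: str, objects: List[Dict]) -> ChangeEntry:
        """Apply a pending change; the requester may not approve their own request."""
        entry = next(e for e in self.entries if e.id == entry_id)
        if entry.status != "Pending approval":
            raise ValueError("change is not pending")
        if approver == entry.actor:
            raise ValueError("requester cannot approve their own change")
        obj = next(o for o in objects if o["dn"] == entry.dn)
        obj[entry.attribute] = entry.new
        entry.status, entry.approved_by = "Completed", approver
        return entry

    def pending(self) -> List[ChangeEntry]:
        return [e for e in self.entries if e.status == "Pending approval"]

    def for_object(self, dn: str) -> List[ChangeEntry]:
        """Who changed this object, when, and what: the per-object change history view."""
        return [e for e in self.entries if e.dn == dn]


if __name__ == "__main__":
    objs, history = sample_objects(), ChangeHistory()
    print(check_policy(objs))
    history.record("helpdesk1", objs[1], "manager", "CN=mboss,OU=Users,DC=example,DC=com")
    print(check_policy(objs))
```

Re-running check_policy after each correction is the loop an auditor wants to see: the violation list shrinks only when a change has actually been applied, so a pending approval still shows up as a finding until someone other than the requester approves it.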

Additional advanced features
Workflows and multi-step approvals
The graphical workflow editor allows you to design simple or multi-step approval processes, including escalation paths. Any action in Active Directory or Entra ID can be controlled through approvals. Complex sequences can also be defined, such as sending notifications or automatically updating attributes based on a request.

External actions are supported as well: through PowerShell integration, you can trigger processes such as creating tickets in ITSM solutions like ServiceNow. At each workflow step, email notifications can be sent to designated recipients, or to operations teams if a workflow or step encounters an error.
Workflows can be executed based on actions, scheduled or triggered via PowerShell, providing maximum flexibility for automation.
Governance features
The integrated workflow and automation functionality not only supports complex approval processes but also enables efficient implementation of simple recertifications. For example, user accounts, groups or roles can be automatically forwarded to responsible individuals for review at regular intervals. These individuals receive a notification and can confirm the objects directly or make necessary changes. This ensures that only authorized access remains in place and that compliance requirements are consistently met.

Recertification can be handled manually via the self-service portal, or fully automated, including escalation in case of missing confirmations. Additionally, reports can be generated to document the status of reviews and provide evidence for audits.
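The multi-step approval with escalation described under "Workflows and multi-step approvals", and the recertification with escalation on missing confirmation described just above, share one mechanism: a request with ordered steps, a timeout per step and a notification on every transition. This added example (not Active Roles or One Identity code) implements that mechanism once and uses it for both; the step approvers, timeouts and the in-memory outbox standing in for email are constructed for the example.

```python
"""Multi-step approval workflow with timeouts, escalation and notifications,
reused for periodic recertification.

Added example for this article, not Active Roles or One Identity code. The
notification channel is a constructed in-memory outbox standing in for e-mail;
a deployment would hook the same transitions to mail and to PowerShell actions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed reference time


def after(hours: float) -> datetime:
    """Clock helper for the demo: T0 plus the given number of hours."""
    return T0 + timedelta(hours=hours)


@dataclass
class Step:
    approver: str
    escalate_to: str      # takes over if the approver does not act within the timeout
    timeout: timedelta


@dataclass
class Request:
    subject: str
    steps: List[Step]
    created: datetime
    state: str = "pending"  # pending | approved | rejected
    current: int = 0        # index of the active step
    escalated: bool = False
    step_started: Optional[datetime] = None
    log: List[str] = field(default_factory=list)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)

    def __post_init__(self) -> None:
        if self.step_started is None:
            self.step_started = self.created
        self._notify(self.steps[0].approver, f"approval needed: {self.subject}")

    def _notify(self, recipient: str, message: str) -> None:
        self.outbox.append((recipient, message))

    def active_approver(self) -> Optional[str]:
        if self.state != "pending":
            return None
        step = self.steps[self.current]
        return step.escalate_to if self.escalated else step.approver

    def tick(self, now: datetime) -> None:
        """Time-driven transition: escalate the active step once its timeout has passed."""
        if self.state != "pending" or self.escalated:
            return
        step = self.steps[self.current]
        if now - self.step_started >= step.timeout:
            self.escalated = True
            self.log.append(f"step {self.current} escalated to {step.escalate_to} at {now.isoformat()}")
            self._notify(step.escalate_to, f"escalated approval needed: {self.subject}")

    def decide(self, actor: str, approve: bool, now: datetime) -> str:
        """Record a decision by the active approver; advance, approve or reject the request."""
        if self.state != "pending":
            raise ValueError("request already closed")
        if actor != self.active_approver():
            raise PermissionError(f"{actor} is not the active approver")
        verdict = "approved" if approve else "rejected"
        self.log.append(f"step {self.current} {verdict} by {actor} at {now.isoformat()}")
        if not approve:
            self.state = "rejected"
            return self.state
        self.current += 1
        self.escalated = False
        self.step_started = now
        if self.current == len(self.steps):
            self.state = "approved"
        else:
            self._notify(self.steps[self.current].approver, f"approval needed: {self.subject}")
        return self.state


def build_sample_request(now: datetime = T0) -> Request:
    """Constructed two-step approval: line manager (24 h, escalates to a deputy),
    then security (48 h, escalates to the CISO)."""
    return Request(subject="add cwong to Domain Admins",
                   steps=[Step("manager1", "manager2", timedelta(hours=24)),
                          Step("secops", "ciso", timedelta(hours=48))],
                   created=now)


def recertification(obj: str, owner: str, escalate_to: str, now: datetime,
                    grace: timedelta = timedelta(days=14)) -> Request:
    """Periodic review as a one-step workflow: the owner confirms (approve) or revokes
    (reject); no answer within the grace period escalates, so a review never lapses silently."""
    return Request(subject=f"recertify {obj}", steps=[Step(owner, escalate_to, grace)], created=now)
```

A scheduler calling tick() on every open request is all that is needed for escalation; the log list is what the status reports for audits are built from, since it holds every decision and escalation with actor and timestamp.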
Integration with other applications
One Identity Active Roles includes a powerful synchronization engine that offers numerous built-in connectors to various systems and applications such as SAP, databases, mainframe systems and more.

The solution also supports real-time updates with industry-leading connectors, including SCIM 2.0, ServiceNow, Entra ID (Azure AD), Salesforce, Workday, LDAP and others. This enables seamless integration into hybrid and complex IT environments.
Integration capabilities are further extended through the Starling Connect platform, which provides access to more than 70 additional connectors for leading applications like SAP SuccessFactors, Salesforce, Workday and many other cloud services. This allows organizations to centralize and automate their identity and access management processes—regardless of the diversity of systems in use.
https://www.cloud.oneidentity.com/products/connect/connectors
Secure privileged access management for AD, Entra ID and Microsoft 365
In addition to traditional IDM functions, the proxy feature in One Identity Active Roles enables the implementation of a Zero Trust or Least Privilege concept. Instead of granting permissions through broad group memberships such as “Domain Admin,” permissions are assigned granularly via delegations for specific tasks.

To further secure Active Directory and Entra ID, these delegations are not necessarily stored directly in AD or Entra ID but are maintained within Active Roles. This ensures that no user receives excessive or incorrect permissions at any time. The solution provides a wide range of predefined delegations that can be used immediately or customized as needed.
Furthermore, permissions for managing local server functions can also be delegated. For example, support staff can restart servers or individual delegated services without logging directly into the system. This increases security and reduces the risk of misuse.

Another important feature is temporary group membership: Users can be added to a group for a defined period. After the time expires, they are automatically removed. This allows organizations to consistently implement a Zero Trust or Least Privilege approach without compromising productivity.
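Task-based delegation and temporary group membership, as an added example for this article (not Active Roles or One Identity code): an operator is authorized for a task only if a delegation grants that task on a scope containing the target, with no broad group such as Domain Admins involved, and memberships in privileged groups carry an expiry that a scheduled pass enforces. The delegation table, the 8-hour cap and the rule that privileged groups accept only temporary members are assumptions of this example.

```python
"""Task-based delegation and time-limited group membership.

Added example for this article, not Active Roles or One Identity code. The
delegation table, the privileged-group list, the 8-hour cap and the clock are
constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed reference time


def after(hours: float) -> datetime:
    """Clock helper for the demo: T0 plus the given number of hours."""
    return T0 + timedelta(hours=hours)


# Constructed delegation model: role -> tasks it may perform and the scope they apply to.
DELEGATIONS: Dict[str, Dict[str, object]] = {
    "helpdesk": {"tasks": {"reset-password", "unlock-account"}, "scope": "OU=Users,DC=example,DC=com"},
    "server-ops": {"tasks": {"restart-service"}, "scope": "OU=Servers,DC=example,DC=com"},
}

PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrator"}
MAX_TEMPORARY = timedelta(hours=8)  # assumed cap on a temporary membership


def in_scope(target_dn: str, scope: str) -> bool:
    """True if the target lives under the delegated container (case-insensitive DN suffix)."""
    return target_dn.lower().endswith("," + scope.lower())


def is_authorized(roles: Set[str], task: str, target_dn: str) -> bool:
    """Allow the task only if one of the actor's roles delegates it on a scope containing the target."""
    for role in roles:
        delegation = DELEGATIONS.get(role)
        if delegation and task in delegation["tasks"] and in_scope(target_dn, str(delegation["scope"])):
            return True
    return False


@dataclass
class Membership:
    member: str
    group: str
    expires: Optional[datetime]  # None means permanent


@dataclass
class GroupStore:
    memberships: List[Membership] = field(default_factory=list)

    def add_permanent(self, member: str, group: str) -> None:
        if group in PRIVILEGED_GROUPS:
            raise ValueError(f"{group} allows temporary membership only")
        self.memberships.append(Membership(member, group, None))

    def add_temporary(self, member: str, group: str, hours: float, now: datetime) -> Membership:
        """Grant membership that ends at now + hours; rejects zero, negative or over-cap durations."""
        duration = timedelta(hours=hours)
        if duration <= timedelta(0) or duration > MAX_TEMPORARY:
            raise ValueError(f"duration must be between 0 and {MAX_TEMPORARY}")
        membership = Membership(member, group, now + duration)
        self.memberships.append(membership)
        return membership

    def members(self, group: str, now: datetime) -> List[str]:
        """Current members: permanent ones plus temporary ones whose expiry is still ahead."""
        return sorted(m.member for m in self.memberships
                      if m.group == group and (m.expires is None or m.expires > now))

    def expire(self, now: datetime) -> List[Membership]:
        """Scheduled pass: drop every membership whose time has run out and report what was removed."""
        removed = [m for m in self.memberships if m.expires is not None and m.expires <= now]
        self.memberships = [m for m in self.memberships if m not in removed]
        return removed


if __name__ == "__main__":
    print(is_authorized({"helpdesk"}, "reset-password", "CN=asmith,OU=Users,DC=example,DC=com"))
    store = GroupStore()
    store.add_temporary("cwong", "Domain Admins", 4, T0)
    print(store.members("Domain Admins", after(3)), store.expire(after(4)))
```

The check in is_authorized looks only at the task and the scope, never at whether the actor holds an administrative group, which is the point of keeping delegations in the proxy layer rather than in directory ACLs; the list returned by expire() is what you would forward to the change history so that a removal is as visible as the original grant.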