What if I don’t have Active Roles?


Pluto Mortgages Inc. is a hypothetical mortgage brokerage firm. Due to economic events, a large number of margin calls were sent across the mortgage banking industry, which forced bankers and brokerage firms to severely downsize staff. Now that the market has leveled off and the economy has regained strength, there is a need to hire back 5,000 mortgage specialists spread across different lines of business with various entitlements, while ensuring separation of duties.

Angelo is the IT director at Pluto Mortgages. The AD environment consists of 10,000 accounts, of which 5,000 were hastily disabled in a previous action. While none of these accounts are active, many have not been properly deprovisioned, and all of these disabled accounts still have permissions and entitlements associated with them. It’s messy and risky. These accounts were moved to a ‘Terminated Accounts’ OU. Corporate Security informs Angelo that, to mitigate the risk these user accounts pose, they need to be more than just disabled.

Angelo gets approval to implement Active Roles and assigns John the IT Administrator to deploy it in the environment.

John is one of five admins on a team that is tasked with deploying Active Roles while ensuring the following is maintained:

  1. All IT administrators are managed under role-based access control (RBAC) policies
  2. Administration of on-premises and cloud-based accounts must be managed centrally
  3. All new account creation must automate the following:
    • Azure hybrid account creation
    • Unique logon naming convention
    • Adherence to complex passwords
    • OneDrive provisioning for home folders
    • Access to LOB security groups and file folders
    • A corresponding account in the SaaS database linked to the on-prem account
  4. All existing deleted accounts are to be deprovisioned in an automated fashion to mitigate risk by removing all entitlements associated with the identity
  5. All future deprovisioning procedures meet per line-of-business needs


John quickly gets to work installing One Identity Active Roles.


After following the guide on how to install Active Roles, John addresses the mandated items one by one.

  1. John configures RBAC by means of the built-in access templates
  2. Next, John makes use of the built-in user-creation policies and configures them to satisfy the mandates for the automated user-creation processes
  3. By using the Group Families feature of Active Roles, John automatically creates groups by department. Once completed, he sees the various groups created, and all the appropriate members are automatically added to their respective departments.
  4. John next creates the deprovisioning policy and names it ‘Pluto Inc – Deprovisioning Policy’. The policy includes the following:
    • Makes the account ineligible for logon
      • Disables the account
      • Sets the account password to a random value
      • Renames the user account
      • Updates applicable user attributes
    • Removes the account from all security and distribution groups
    • Prevents the user from accessing the mailbox
      • Hides the mailbox from the GAL
      • Grants the user’s manager full access to the mailbox
    • Prevents the user from accessing the home folder
      • Removes the user’s permissions
      • Grants the user’s manager read-only access
      • Deletes the home folder when the user account is deleted
    • Moves the account to the specified ‘To Be Removed’ LOB sub-OU
    • Deletes the account after 30 days
    • Sends a deprovisioning-related report to the individual department managers
  5. John copies this policy, applies it to the existing ‘Terminated OU’ and kicks off a bulk deprovisioning of all 5,000 existing disabled users
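For readers asking the question in the title, here is what the deprovisioning policy above amounts to when scripted for a single account against native AD with the RSAT ActiveDirectory module. This is an added example, not code from the original post or from Active Roles; the target OU distinguished name, the home-folder ACL handling and the optional Exchange cmdlets are assumptions.

```powershell
# Added example (not One Identity's code): the deprovisioning policy above, reproduced
# with the native RSAT ActiveDirectory module. Assumed: admin rights on both OUs, placeholder OU DN.
Import-Module ActiveDirectory

function Invoke-NativeDeprovision {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetOU = 'OU=To Be Removed,OU=Lending,DC=pluto,DC=example'  # placeholder
    )
    $u        = Get-ADUser -Identity $SamAccountName -Properties MemberOf, HomeDirectory, Manager
    $id       = $u.ObjectGUID.ToString()   # stable across the rename and move below
    $stamp    = Get-Date -Format 'yyyy-MM-dd'
    $delAfter = (Get-Date).AddDays(30).ToString('yyyy-MM-dd')
    $nb       = (Get-ADDomain).NetBIOSName

    # Remove from every security and distribution group (the primary group is not in MemberOf)
    foreach ($g in $u.MemberOf) { Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false }
    # Make the account ineligible for logon: disable, random password, attributes, rename
    Disable-ADAccount -Identity $id
    $pw = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity $id -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    Set-ADUser -Identity $id -Description "Deprovisioned $stamp; delete after $delAfter"
    Rename-ADObject -Identity $id -NewName "$($u.Name) (Deprovisioned $stamp)"

    # Hide the mailbox from the GAL and grant the manager full access (Exchange Management Shell only)
    if ($u.Manager -and (Get-Command Set-Mailbox -ErrorAction SilentlyContinue)) {
        Set-Mailbox -Identity $SamAccountName -HiddenFromAddressListsEnabled $true
        Add-MailboxPermission -Identity $SamAccountName -User $u.Manager -AccessRights FullAccess
    }

    # Home folder: strip the user's own ACEs, grant the manager read-only
    if ($u.HomeDirectory -and (Test-Path $u.HomeDirectory)) {
        $acl = Get-Acl -Path $u.HomeDirectory
        $acl.Access | Where-Object { $_.IdentityReference.Value -eq "$nb\$SamAccountName" } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        if ($u.Manager) {
            $mgr  = (Get-ADUser -Identity $u.Manager).SamAccountName
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                "$nb\$mgr", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $u.HomeDirectory -AclObject $acl
    }

    # Park the account in the LOB 'To Be Removed' OU; a scheduled job can delete objects
    # whose Description date has passed (the 30-day step).
    Move-ADObject -Identity $id -TargetPath $TargetOU
    # Deprovisioning report for the department manager, returned for mailing or logging
    [pscustomobject]@{ Account = $SamAccountName; Date = $stamp; GroupsRemoved = @($u.MemberOf).Count; Manager = $u.Manager }
}
```

Running this per account over 5,000 objects is exactly the kind of repetitive, error-prone work the policy above turns into a single action, and the home-folder deletion and 30-day account deletion still need a separate scheduled job here.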


The complete install of Active Roles using all the built-in policies and workflow modules has taken less than one week.


By using Active Roles, Pluto Mortgages sees a large benefit by mitigating risk and closing security gaps on the existing 5,000 disabled users. With the Active Roles deprovisioning policy, John removed permissions, groups, home folders and other entitlements, all with the click of a button.

Furthermore, now that Pluto Mortgages is in a position to hire back its workforce of 5,000 employees, it can do so in a much more efficient and expedient manner. With the deployment of Active Roles, they have saved time and money, as the automation processes within Active Roles don’t require more IT workers to manage and run them. What would generally take Pluto Mortgages 20 minutes per user account to create now takes seconds: a saving of 1,600+ work hours (roughly $79,000 USD).

The Pluto Mortgages example is based on 10,000 user objects, 5 IT administrators, 1 Exchange administrator and 10 helpdesk personnel. It highlights a rough savings of approximately $1.1 million over three years with Active Roles versus continuing to use native AD tools: an average annual ROI of 98 percent and a cumulative ROI over three years of 194 percent.



The above examples, although illustrative and approximate, do represent the challenges of real-life scenarios that many organizations face today.

As highlighted, Active Roles enables organizations to mitigate risk and close security gaps by automating tasks, such as provisioning and deprovisioning. Done manually, these tasks would take enormous amounts of time and effort, and they would be prone to delays and mistakes.

Active Roles enables organizations to save time and money without hiring additional IT personnel, and delivers stability in a dynamic world economy.

Learn more about how Active Roles can help your organization automate AD/AAD processes, regulate admin access with RBAC roles, overcome native tool limitations and expand AD control beyond Windows.
