One Identity Manager Identity Governance REST API

REST API for One Identity Manager, One Identity's enterprise identity governance and administration (IGA) platform, with deep Active Directory and Microsoft ecosystem integration. It lets enterprises manage user lifecycle, access certification, role management, provisioning, and compliance governance, enabling automated identity lifecycle management, access request and approval, recertification campaigns, and entitlement management.

Through the API, AI agents can automate:

  • Identity lifecycle: user onboarding/offboarding and attribute management
  • Provisioning: AD, Azure AD, and enterprise application accounts
  • Access certification: access review campaign scheduling and decisions
  • Role management: business role and IT role assignment
  • Access requests: self-service access portal and approvals
  • SOD management: segregation of duties policies and violations
  • Compliance reporting: GDPR, SOX, and other compliance reports
  • Password management: self-service password reset and synchronization
  • Privileged access: privileged account discovery and governance
  • Integration: connecting One Identity with HR, Active Directory, and enterprise applications

Evaluated Mar 07, 2026 · Version: current
Tags: Other, one-identity, IGA, identity-governance, access-management, Active-Directory, Quest

  • ⚙ Agent Friendliness: 48 / 100 (Can an agent use this?)
  • 🔒 Security: 74 / 100 (Is it safe for agents?)
  • ⚡ Reliability: 60 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: 10
  • Documentation: 62
  • Error Messages: 60
  • Auth Simplicity: 66
  • Rate Limits: 54

🔒 Security

  • TLS Enforcement: 97
  • Auth Strength: 72
  • Scope Granularity: 66
  • Dep. Hygiene: 66
  • Secret Handling: 70

Enterprise IGA. SOC2, GDPR, HIPAA. OAuth2. US/EU. Identity and Active Directory data.

⚡ Reliability

  • Uptime/SLA: 60
  • Version Stability: 64
  • Breaking Changes: 58
  • Error Recovery: 60

Best When

An enterprise with significant Active Directory, Microsoft 365, and on-premises application complexity wanting AI agents to automate identity lifecycle, access certification, and role-based access control governance through One Identity Manager.

Avoid When

  • On-premises or cloud deployment: One Identity Manager deploys on-premises or via IDaaS. An agent that assumes a cloud-only service runs into deployment_mismatch with on-premises customers running a self-hosted architecture; configure the correct deployment endpoint.
  • Active Directory specialization: One Identity has deep AD/Azure AD integration. An agent that assumes generic LDAP runs into connector_configuration_required for AD-specific governance features, which require AD connector setup; configure the AD connector for AD-specific operations.
  • Complex API schema: the One Identity API reflects a complex identity object model. An agent that assumes a simple user object runs into schema_mismatch on operations that require understanding One Identity's person/identity/account object hierarchy; understand the One Identity object model first.
  • Enterprise agreement required: One Identity serves enterprise customers. An agent that assumes open developer access runs into license_required; a One Identity license is needed.

Use Cases

  • Automating user provisioning and deprovisioning tied to HR system changes for IT automation agents
  • Running access certification campaigns for SOX and GDPR compliance automation agents
  • Managing Active Directory and Azure AD group membership governance for identity automation agents
  • Implementing role-based access control with segregation of duties for compliance automation agents

Not For

  • Consumer identity and access management (One Identity is workforce IGA, not consumer CIAM)
  • Authentication and SSO (One Identity Manager governs access; authentication is a separate product line)
  • Small organizations without Active Directory complexity (One Identity is enterprise-grade; simpler tools serve SMB identity needs)

Interface

  • REST API: Yes
  • GraphQL: No
  • gRPC: No
  • MCP Server: No
  • SDK: No
  • Webhooks: No

Authentication

Methods: oauth2, basic
OAuth: Yes
Scopes: Yes

One Identity uses OAuth2 for the Identity Manager REST API, which is a REST API with JSON. Headquartered in Aliso Viejo, CA. Quest Software subsidiary (Francisco Partners). One Identity was founded in 2012 as a Quest Software spinoff. Products: One Identity Manager (IGA), One Identity Safeguard (PAM), One Identity Active Roles (AD management), One Identity SIEM (identity threat detection). 7,500+ enterprise customers in 135 countries. AD management in 40% of the Fortune 1000. Competes with SailPoint, Saviynt, and IBM for enterprise IGA.

Pricing

Model: subscription
Free tier: No
Requires CC: No

Aliso Viejo CA. Quest/Francisco Partners. 7,500+ customers. 40% of Fortune 1000. Enterprise IGA platform.

Agent Metadata

  • Pagination: page
  • Idempotent: Partial
  • Retry Guidance: Not documented

Known Gotchas

  • Object model has a complex hierarchy: One Identity Manager's data model distinguishes Person (person record), Identity (system identity), and Account (system account). An agent that assumes a flat user object runs into wrong_object_type when an operation uses the wrong object type; use the correct object type in the One Identity hierarchy.
  • Provisioning is process-driven: provisioning in One Identity Manager uses workflow processes. An agent that assumes instant provisioning sees provisioning_queued for changes not yet processed through the workflow; account for process engine execution time.
  • Approval workflows block requests: access requests may require multi-level approval. An agent that assumes auto-approval sees request_pending for requests awaiting approver decisions; handle approval workflow states and timeouts.
  • Scripting is VBScript-based: One Identity Manager customization uses VBScript. An agent that assumes JavaScript runs into script_incompatibility for custom business logic written in JavaScript instead of VBScript; use VBScript for One Identity customization.
  • Synchronization projects require mapping: directory synchronization requires configured sync projects with attribute mapping. An agent that assumes automatic sync runs into missing_sync_project for AD synchronization without a configured sync project; set up sync projects before running directory synchronization.


Scores are editorial opinions as of 2026-03-07.
