AnsweredAssumed Answered

What is the capability of IG&L 7.1.x to collect groups in ADC and roles in RDC in terms of load and performance?

Question asked by Cristy Sy

on May 31, 2019
Latest reply on Jun 11, 2019 by Edward Bertsch

Like • Show 1 Like1
Comment • 6

Platform: 7.0.2 P07

Soft-Appliance, Wildfly, Remote DB

In the past, customer had an issue in IG&L 7.0.0 where collecting groups in an ADC took a long time and they decided not to collect the groups at that time. This was during their initial setup and they did not log a case with RSA. They tried to collect groups in an ADC, however it took forever as they had >100,000 groups and these translated to several millions of group-account-user relationships and IGL could not handle the load. So they stopped collecting groups and started to collect only accounts and account mappings.

Now, customer is evaluating if they want to go to IG&L v7.1.1 and they want to understand the capability of both collecting the groups in ADC and the roles in RDC in the newer versions (IG&L v7.1.0 and v7.1.1) to help them make important business decisions.

What is the capability of IG&L 7.1.x to collect groups in ADC and roles in RDC in terms of load and performance?

What were the improvements done on IG&L 7.1.x with regard to collection of collect groups in ADC and roles in RDC in terms of functionality, load and performance?

How many ? How fast is the collection?

Thank you.

No one else has this question

Outcomes

6 Replies

Mostafa Helmy May 31, 2019 10:32 AM
Mark Correct
Correct Answer
I don't know the direct answer to your question, however I believe they need assistance from RSA Professional Services. Not to speed up collections but to look into whether they really need to collect all the data they have or not. In most cases where customer want to collect such large datasets, they don't really need all that data for whatever their use case is.

For example, in your case 100,000 groups sounds like a DAG use case to me, where the groups might be controlling access to certain resources (just a guess). If they want to collect all data related to that, you would end up with a lot of un-needed stuff that would hide the really important things. As Edwin used to say, you might end up collecting information about who has access to files such as the cafeteria food pictures posted every day.

So in the end, the key to such problems is always Data Classification. Once large datasets are properly classified pre-collection, then you know exactly which classifications you need to collect and don't bloat the system with useless data.
1 person found this helpful
Like • Show 2 Likes2
Actions
Russell Waliszewski Jun 2, 2019 2:50 PM
Mark Correct
Correct Answer
The collection of any object and relationship (through a collector) should not have any significant performance impact. I am assuming you are talking about the Indirect Relationship Processing. There we have seen customers with performance impact and it all depends on the amount of nesting they have. While 100,000 groups does not sound like a lot, my first question is how much nesting is there. I have seen one customer with 11 levels of nesting and only about 20,000 groups so they had performance issues with the Indirect processing. With the Indirect processing we have to process all those levels now consider an account that is a member of the top level group and having to then give all those entitlements through all 11 levels of groups. That is typically where we have seen problems arise.
Like • Show 2 Likes2
Actions
- Cristy Sy @ Russell Waliszewski on Jun 2, 2019 8:04 PM
  Mark Correct
  Correct Answer
  Please see feedback from customer:
  
  "Please note that we do have a lot of nested groups. Also we cannot afford a collection to run for hours as collection is a single threaded model and all our other collections will be queued up causing significant business impact.
  
  I understand the comment regarding engagement with Professional Services - We did engage with RSA when we were bringing the application live and have their recommendations in the past. However we still have a lot of groups with several nested groups that are critical and want to understand if any changes were made in 7.1 and 7.1.1. to collection of these using ADC or Role collector."
  
  Thank you.
  Like • Show 0 Likes0
  Actions
  - Russell Waliszewski @ Cristy Sy on Jun 3, 2019 3:57 PM
    Mark Correct
    Correct Answer
    We continually look to make performance improvements in the product and without knowing the details of your prior performance problems it is difficult to say if we have addressed the issues you had in past versions.
    
    Collections are still a single threaded process.
    1 person found this helpful
    Like • Show 0 Likes0
    Actions
    - Cristy Sy @ Russell Waliszewski on Jun 5, 2019 7:45 PM
      Mark Correct
      Correct Answer
      Customer is asking if there were any significant changes made to ADC (for group collection) or RDC in 7.1.0 or 7.1.1 ?
      Also, if there is any enhancement planned for future IG&L versions to be able to do collection as a multi-threaded process?
      Thank you.
      Like • Show 1 Like1
      Actions
Edward Bertsch Jun 11, 2019 1:05 PM
Mark Correct
Correct Answer
"No one else has this question" is not true.

Most of us probably have this question. The speed of collection and the lack of collectors to run more than one at a time is a long-standing issue for many customers and one we probably all would like to see be given more attention by the RSA IGL development team.
Like • Show 0 Likes0
Actions

What is the capability of IG&L 7.1.x to collect groups in ADC and roles in RDC in terms of load and performance?

Outcomes

Related Content

Recommended Content