Aye, that was our understanding.
We try and push things like that upstream. If a student shouldn't be getting an account, why are we seeing them? 😉
Our SITS feed is a separate database table that student systems populate.
Cheers
Andy
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Tim Purkiss
Sent: 05 February 2020 09:57
To: [log in to unmask]
Subject: Re: Rules extensions, in or out?
Yes - disconnectors are always evaluated every sync, even if it's a Delta and they haven't changed, so if you have large numbers of disconnectors in an MA, it'll always be slow.
Ideally filter them out either before they reach the connector space. We're looking at changing our SITS (student feed) MA for this reason as we currently have thousands of disconnectors - past students who don't need accounts but are still exposed from the source system. The Delta Sync for this MA runs at c10mins per cycle, even if only a handful of records have changed.
As it means a re-write to parts of the SITS custom MA, it's not the highest of priorities at the moment. More of a nagging ache than a sharp pain.
Tim
Tim Purkiss
---------------
Technical Architect: Identity & Applications IT Service Operations IT & Digital Services University of London
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Andy Swiffin (Staff)
Sent: 05 February 2020 09:26
To: [log in to unmask]
Subject: Re: Rules extensions, in or out?
We do a few things, particularly in the AD export, where we have no need anywhere else of the value and haven't really seen a big performance hit. At our peak we had a metaverse with 130,000 user objects.
Not rules extension related (there isn't one on this MA) but we did see something recently that did cause a significant performance hit on every delta sync from a sql ma. For reasons I'm not sure of (upstream issues) we import the two Talis attributes from a separate sql feed from the ordinary student/staff feeds. The logic on this was resulting in them supplying 7000 user objects (out of a total of 70,000) with no attributes who were not in the metaverse (ineligible to have accounts), these are then disconnectors. Getting the logic tightened up, that was reduced from 7000 to 2000 (even they shouldn't be there!) but this reduced the average delta sync time from 20+ minutes to 3 minutes...
Cheers
Andy
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Ian Bassi
Sent: 04 February 2020 10:39
To: [log in to unmask]
Subject: Re: Rules extensions, in or out?
The performance impact of export rules extensions is greater than using import rules, so trying to avoid export rules is considered good practice.
Display Name is a good example of something which would be a good rule extension, the import rule would be configured on the HR\Student source, and when the first or last name is changed, it would update the display name in the Metaverse which then gets exported to other systems such as AD or MIM Service. You can also extend the logic to include other attributes, so you might decide if the user is a student, you want to add the students course to the end of the Display Name. The more complex you make them, the more time it will take to run the sync cycle.
It is worth noting, the FIM MA does not support rule extensions.
The rule extensions within MIM make it the most extensible IAM product on the market, but as the saying goes, with great power comes great responsibility.
Ian
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 04 February 2020 10:11
To: [log in to unmask]
Subject: Rules extensions, in or out?
CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
Looking at rules extensions, they seem very powerful and just what we need. What would be best practice for using them? Would they be used as a "translator" of attributes. e.g. if displayName is a portal defined rule (I think this is called declarative?) built from first+" "+surname, would that be a candidate for a rules extension instead?
Or would it be invoked "on the way out" to AD, for example. Perhaps not, now I type about it.
I get the impression rules extensions are gatekeepers between the connector space and the metaverse. So extend the schema via the portal and use a rules extension to create those new attributes from CS attributes.
thanks,
Alistair
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
ThirdSpace is Microsoft's leading partner for identity and security. Grab some time with one of our senior architects at our monthly roundtables<https://thirdspace.net/events/?utm_source=signature&utm_medium=internal&utm_campaign=events>.
ThirdSpace Limited is the new name for Oxford Computer Group Limited. ThirdSpace Limited is a company registered in England and Wales (number 04574934) whose registered office is at 6th Floor, Seacourt Tower, West Way, Oxford, OX2 0JJ.
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
|