We do a few things, particularly in the AD export, where we have no need anywhere else of the value and haven't really seen a big performance hit. At our peak we had a metaverse with 130,000 user objects.
Not rules extension related (there isn't one on this MA) but we did see something recently that did cause a significant performance hit on every delta sync from a sql ma. For reasons I'm not sure of (upstream issues) we import the two Talis attributes from a separate sql feed from the ordinary student/staff feeds. The logic on this was resulting in them supplying 7000 user objects (out of a total of 70,000) with no attributes who were not in the metaverse (ineligible to have accounts), these are then disconnectors. Getting the logic tightened up, that was reduced from 7000 to 2000 (even they shouldn't be there!) but this reduced the average delta sync time from 20+ minutes to 3 minutes...
Cheers
Andy
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Ian Bassi
Sent: 04 February 2020 10:39
To: [log in to unmask]
Subject: Re: Rules extensions, in or out?
The performance impact of export rules extensions is greater than using import rules, so trying to avoid export rules is considered good practice.
Display Name is a good example of something which would be a good rule extension, the import rule would be configured on the HR\Student source, and when the first or last name is changed, it would update the display name in the Metaverse which then gets exported to other systems such as AD or MIM Service. You can also extend the logic to include other attributes, so you might decide if the user is a student, you want to add the students course to the end of the Display Name. The more complex you make them, the more time it will take to run the sync cycle.
It is worth noting, the FIM MA does not support rule extensions.
The rule extensions within MIM make it the most extensible IAM product on the market, but as the saying goes, with great power comes great responsibility.
Ian
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 04 February 2020 10:11
To: [log in to unmask]
Subject: Rules extensions, in or out?
CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
Looking at rules extensions, they seem very powerful and just what we need. What would be best practice for using them? Would they be used as a "translator" of attributes. e.g. if displayName is a portal defined rule (I think this is called declarative?) built from first+" "+surname, would that be a candidate for a rules extension instead?
Or would it be invoked "on the way out" to AD, for example. Perhaps not, now I type about it.
I get the impression rules extensions are gatekeepers between the connector space and the metaverse. So extend the schema via the portal and use a rules extension to create those new attributes from CS attributes.
thanks,
Alistair
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
ThirdSpace is Microsoft's leading partner for identity and security. Grab some time with one of our senior architects at our monthly roundtables<https://thirdspace.net/events/?utm_source=signature&utm_medium=internal&utm_campaign=events>.
ThirdSpace Limited is the new name for Oxford Computer Group Limited. ThirdSpace Limited is a company registered in England and Wales (number 04574934) whose registered office is at 6th Floor, Seacourt Tower, West Way, Oxford, OX2 0JJ.
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
|