
Limit Policy Objects and User Store Searches

Each rule in a role policy requires a set of objects in the object store. When Identity Manager evaluates a rule, it loads these objects and performs any required user store searches.

The following example shows a member policy that includes three member rules. Each rule includes four scope rules.

Three member rules

In this example, Identity Manager creates the objects and performs the user store searches described in the following table when evaluating and applying the member policy.

Rule 1

  • Member rule: where (Department = "Administration")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"

Policy objects: 10 (one rule definition object and one rule data object for each of the five rules)
Potential user store searches: 5 (one for each rule definition object)

Rule 2

  • Member rule: where (Department = "Engineering")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"

Policy objects: 10
Potential user store searches: 5

Rule 3

  • Member rule: where (Department = "Human Resources")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"

Policy objects: 10
Potential user store searches: 5

In this example, Identity Manager creates 30 policy objects in total and executes up to 15 directory searches to determine membership and scope.

To limit the number of policy objects and user store searches that Identity Manager performs, combine rules into complex expressions. The following example specifies the same entitlements as the first example, but as a single member rule.

One member rule with three expressions

In this example, Identity Manager creates only ten policy objects and performs only five user store searches.

Rule

  • Member rule:
    where (Department = "Administration") OR
    where (Department = "Engineering") OR
    where (Department = "Human Resources")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"

Policy objects: 10
Potential user store searches: 5
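The two examples above share one cost model: every rule in a member policy (the member condition and each scope rule) costs a rule definition object plus a rule data object, and each rule definition is one potential user store search. The script below is an added example, not Identity Manager code; it models a member policy as plain data, computes that cost for the three-rule and the combined-expression versions, and checks against a constructed set of users that the combined OR expression admits exactly the same members. The `Rule`, `MemberRule` and `MemberPolicy` classes and the sample users are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Cost model taken from the page: each rule (member rule or scope rule) needs
# a rule definition object plus a rule data object, and one potential search.
OBJECTS_PER_RULE = 2
SEARCHES_PER_RULE = 1


@dataclass(frozen=True)
class Rule:
    """A `where (attribute = value)` test; several values form an OR expression."""
    attribute: str
    values: tuple

    def matches(self, entity: dict) -> bool:
        return entity.get(self.attribute) in self.values


@dataclass(frozen=True)
class MemberRule:
    member: Rule    # condition on the user that decides membership
    scopes: tuple   # scope rules (user, group, provisioning role, access task)

    def rule_count(self) -> int:
        # the member condition itself plus every scope rule
        return 1 + len(self.scopes)


@dataclass(frozen=True)
class MemberPolicy:
    member_rules: tuple

    def policy_objects(self) -> int:
        return sum(r.rule_count() for r in self.member_rules) * OBJECTS_PER_RULE

    def user_store_searches(self) -> int:
        return sum(r.rule_count() for r in self.member_rules) * SEARCHES_PER_RULE

    def members(self, users) -> set:
        """Users matched by any member rule (membership does not depend on scope)."""
        return {u["id"] for u in users
                if any(r.member.matches(u) for r in self.member_rules)}


# The four scope rules that every member rule on the page shares.
SCOPES = (
    Rule("City", ("Boston",)),              # user scope
    Rule("Group Name", ("Product Team",)),  # group scope
    Rule("Name", ("Employee",)),            # provisioning role scope
    Rule("Name", ("Development",)),         # access task scope
)
DEPARTMENTS = ("Administration", "Engineering", "Human Resources")


def three_rule_policy() -> MemberPolicy:
    """First example on the page: one member rule per department."""
    return MemberPolicy(tuple(
        MemberRule(Rule("Department", (d,)), SCOPES) for d in DEPARTMENTS))


def combined_policy() -> MemberPolicy:
    """Second example: one member rule whose condition is a three-way OR."""
    return MemberPolicy((MemberRule(Rule("Department", DEPARTMENTS), SCOPES),))


def compare(a: MemberPolicy, b: MemberPolicy, users) -> dict:
    """Cost of each policy, and whether both admit exactly the same users."""
    return {
        "objects": (a.policy_objects(), b.policy_objects()),
        "searches": (a.user_store_searches(), b.user_store_searches()),
        "same_members": a.members(users) == b.members(users),
    }


# Constructed sample users (not from the page) for the equivalence check.
USERS = [
    {"id": "alice", "Department": "Administration"},
    {"id": "bob", "Department": "Engineering"},
    {"id": "carol", "Department": "Human Resources"},
    {"id": "dave", "Department": "Sales"},
]

if __name__ == "__main__":
    # objects 30 vs 10, searches 15 vs 5, same_members True
    print(compare(three_rule_policy(), combined_policy(), USERS))
```

The `same_members` check is the part worth keeping when you collapse rules in a real policy: the object and search savings only pay off if the rewritten expression grants membership to exactly the population the separate rules did, so run the before and after policies against a representative user sample before deploying the change.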