

Limit Policy Objects and User Store Searches

Each rule in a role policy requires a set of objects in the object store. When CA IdentityMinder evaluates a rule, it loads these objects and performs any required user store searches.

The following example shows a member policy that includes three member rules. Each rule includes four scope rules.

(Figure: Three member rules)

In this example, CA IdentityMinder creates the objects and performs the user store searches described in the following table when evaluating and applying the member policy.

Rule 1
  • Member rule: where (Department = "Administration")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"
  Policy objects: 5
  Potential user store searches: 5 (one for each rule definition object)

Rule 2
  • Member rule: where (Department = "Engineering")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"
  Policy objects: 5
  Potential user store searches: 5

Rule 3
  • Member rule: where (Department = "Human Resources")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"
  Policy objects: 5
  Potential user store searches: 5

In this example, CA IdentityMinder creates 15 objects and executes 15 directory searches to determine membership and scope.

To limit the number of policy objects and user store searches that CA IdentityMinder performs, combine rules into complex expressions. The following example specifies the same entitlements as the first example, but as a single member rule.

(Figure: One member rule with three expressions)

In this example, CA IdentityMinder creates only ten policy objects and performs only five user store searches.

Rule
  • Member rule:
    where (Department = "Administration") OR
    where (Department = "Engineering") OR
    where (Department = "Human Resources")
  • User scope: City = "Boston"
  • Group scope: Group Name = "Product Team"
  • Provisioning role scope: Name = "Employee"
  • Access task scope: Name = "Development"
  Policy objects: 5
  Potential user store searches: 5
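The following is an added example, not code from the CA IdentityMinder documentation or product. It models the counting used in the two tables above (one policy object and, potentially, one user store search per rule definition object) so the 15-versus-5 difference can be computed for both layouts, and it renders the OR-ed member rule as a single LDAP search filter. The filter rendering, the `Rule` and `MemberPolicy` classes and the attribute names are assumptions for illustration; this page does not describe the product's actual object model or how it generates directory queries.

```python
# Added example (not from the CA IdentityMinder documentation): model the cost of a
# member policy in policy objects and user store searches, following the tables
# above (one object and one potential search per rule definition object), and show
# why an OR-ed member rule needs only one search. The LDAP filter rendering and the
# attribute names are assumptions; the product's real query generation is not
# described on the page.
from dataclasses import dataclass, field
from typing import List, Tuple

# RFC 4515 escaping for filter values, so a value containing filter metacharacters
# cannot turn into additional filter terms when rules are combined into one query.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class Rule:
    """One rule definition object: an attribute compared against one or more
    values that are OR-ed together (a 'complex expression' when more than one)."""
    kind: str            # e.g. "member", "user scope", "group scope"
    attribute: str
    values: List[str]

    def to_filter(self) -> str:
        terms = [f"({self.attribute}={ldap_escape(v)})" for v in self.values]
        return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


@dataclass
class MemberPolicy:
    rules: List[Rule] = field(default_factory=list)

    def cost(self) -> Tuple[int, int]:
        """(policy objects, potential user store searches): one of each per rule."""
        n = len(self.rules)
        return n, n


# The four scope rules shared by every member rule on this page.
SCOPES = [
    Rule("user scope", "City", ["Boston"]),
    Rule("group scope", "Group Name", ["Product Team"]),
    Rule("provisioning role scope", "Name", ["Employee"]),
    Rule("access task scope", "Name", ["Development"]),
]

DEPARTMENTS = ["Administration", "Engineering", "Human Resources"]


def separate_rules_policy() -> MemberPolicy:
    """First layout: three member rules, each carrying its own four scope rules."""
    policy = MemberPolicy()
    for dept in DEPARTMENTS:
        policy.rules.append(Rule("member", "Department", [dept]))
        policy.rules.extend(SCOPES)
    return policy


def combined_rule_policy() -> MemberPolicy:
    """Second layout: one member rule whose expression ORs the three departments."""
    policy = MemberPolicy()
    policy.rules.append(Rule("member", "Department", DEPARTMENTS))
    policy.rules.extend(SCOPES)
    return policy


if __name__ == "__main__":
    for name, policy in (("separate", separate_rules_policy()),
                         ("combined", combined_rule_policy())):
        objects, searches = policy.cost()
        print(f"{name}: {objects} policy objects, {searches} potential searches")
    # The single member rule of the combined layout resolves with one directory search:
    print(combined_rule_policy().rules[0].to_filter())
```

Run as a script it reports 15/15 for the separate layout and 5/5 for the combined one, matching the tables, and prints the one filter the combined member rule needs. The escaping step matters once values from several rules are merged into a single expression: an attribute value such as `Admin*)(cn=*` is rendered literally rather than widening the search.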