Implementation Guide › Optimizing CA IdentityMinder › Guidelines for Group Member/Administrator Optimizations

Guidelines for Group Member/Administrator Optimizations

To improve performance of searches for group members and administrators, consider the following:

• Define well-known attributes in the directory configuration file (directory.xml), which describes the user store structure and contents to CA IdentityMinder.

  A well-known attribute is an attribute that has a special meaning in CA IdentityMinder.

  To improve group member\administrator searches, define the following well-known attributes for the user object:

  %MEMBER_OF%

  Identifies an attribute on the user object that stores a list of groups where the user is a member.

  When defined, this attribute can prevent CA IdentityMinder from searching all of the members in all of the groups in the user store. Group searches can significantly affect performance in very large groups.

  %ADMINISTRATOR_OF%

  Identifies an attribute on the user object that stores a list of groups where the user is an administrator.

  Like the %MEMBER_OF% attribute, this well-known attribute can eliminate lengthy group searches.

• Specify the Group Type in the directory configuration file

  CA IdentityMinder supports three types of groups: standard groups, nested groups, and dynamic groups.

  When you define the group object in the directory configuration file, you can specify the type of groups that the user store supports. If your implementation does not support nested or dynamic groups, set the Group Type attribute as follows:

  GroupType = NONE

  The setting NONE specifies support for standard groups.

  The default Group Type setting is ALL, which may impact performance.

  Note: For more information about well-known attributes and group types in the directory configuration file, see the Configuration Guide.

• Set the Provisioning Directory cache indices to improve GlobalGroup performance

  For CA IdentityMinder implementations that include a combined user store and Provisioning Directory, GlobalGroup membership can be optimized for policy rule evaluation for roles and identity policies.

  To enable this optimization, you index the following attributes, which the Provisioning Server uses to resolve group membership, in the Provisioning Directory cache:

  eTID

  The unique object ID attribute. For group membership lookups, the value is a specific user or group involved in the lookup.

  eTPID

  The parent ID of the object used when searching for membership relationships.

  eTCID

  The child ID of the object used when searching for membership relationships.

  Additionally, add the following hash entries:

  eTSuperiorClass

  The type of the parent object in a membership lookup

  eTSubordinateClass

  The type of the child object in a membership lookup

  Note: For more information about the Provisioning Directory cache, see the Installation Guide.