CA Identity Manager Implementation Guide - CA Technologies

More documents

Recommendations

Info

Identity Policy OptimizationsLimit the Tasks that Trigger User SynchronizationIdentity policies are evaluated and applied during the user synchronizationprocess. You can configure automatic synchronization by specifying one of thefollowing user synchronization options for a task:On Task CompletionCA Identity Manager starts the user synchronization process after all of theevents in a task have completed.On Every EventCA Identity Manager starts the user synchronization process when eachevent in a task completes.For best performance, limit the number of tasks that trigger automatic usersynchronization.Consider the following when configuring user synchronization:■Disable user synchronization for password tasksIn most cases, passwords are not used in identity policy conditions.■Disable user synchronization for the Synchronize User taskSince the Synchronize User task triggers identity policy evaluations, CAIdentity Manager performs the evaluations again if the user synchronizationoption is enabled for this task.■Create specialized tasksWhen possible, create tasks that execute modifications that trigger identitypolicy conditions and enable user synchronizations for those tasks only.Optimize Identity Policy Rule EvaluationTo reduce the evaluation time for identity policy conditions that includeuser-attributes, you can enable an in-memory evaluation option. When thein-memory evaluation option is enabled, Identity Manager retrieves informationabout a user to be evaluated from the user store and stores a representation ofthat user in memory. Identity Manager uses the in-memory representation tocompare attribute values against policy conditions. This limits the number ofcalls Identity Manager makes directly to the user store.Note: For more information about the in-memory evaluation option, see theConfiguration Guide.88 Implementation Guide
User Store TuningUser Store TuningUser store tuning involves a number of steps, including the following:■■■Optimizing the structure of the user storeTuning underlying storesImplementing load balancing and replicationThese steps depend on the type of user store that you are using. For tuninginformation in these areas, see the documentation for the database or directorythat contains the user store.In addition to the general tuning considerations, the following tuningconsiderations are specific to CA Identity Manager:■Measure user store search performanceFor optimum performance, CA Identity Manager policy evaluation searchesshould complete within 10-20 milliseconds.To ensure that CA Identity Manager can consistently complete thesesearches in the recommended time, consider testing search performanceunder multiple load conditions.You can also use this measurement to determine when a user store reachesits physical limits and additional servers are required for load balancing.■Index attributesIndex each attribute that is used in a role policy or identity policy. Indexingattributes can provide significant performance improvements.Note: For information about indexing attributes, see the documentation forthe LDAP directory or relational database that contains the user store.■Cache LDAP BindsIn CA Identity Manager, all directory LDAP binds are executed by the proxyuser defined on the Identity Manager Directory object. For each connection,the same LDAP bind occurs for this same user repeatedly.If you are using an LDAP directory as a user store, configure the directory tocache LDAP binds (or sessions), if the directory supports it.■Enable user store cachesWhen CA Identity Manager evaluates the policy decisions for a user, thatinformation is stored in an authorization cache. When the cachedinformation expires, CA Identity Manager evaluates all policies for that useragain.To improve performance of user store searches in subsequent policy ruleevaluations, enable the user store to cache searched data, if your user storesupports it.Chapter 6: Optimizing Identity Manager 89
Page 1 and 2:
CA Identity ManagerImplementation G
Page 3:
CA Product ReferencesThis document
Page 7 and 8:
Task Processing and Performance ...
Page 9 and 10:
Chapter 1: Managing Identities andA
Page 11 and 12:
Admin Roles for User Account Manage
Page 13 and 14:
Admin Roles for User Account Manage
Page 15 and 16:
Password ManagementThe account temp
Page 17 and 18:
CA RCM Integration■■Notificatio
Page 19:
CA Enterprise Log Manager Integrati
Page 22 and 23:
Complying with Business PoliciesThe
Page 24 and 25:
Complying with Business PoliciesRep
Page 26 and 27:
Transforming Data in the User Store
Page 28 and 29:
Approving Business ChangesBusiness
Page 31 and 32:
Chapter 3: Identity ManagerArchitec
Page 33 and 34:
Identity Manager ComponentsFor exam
Page 35 and 36:
Identity Manager ComponentsWhen you
Page 37 and 38: Identity Manager ComponentsCertain
Page 39 and 40: Identity Manager ComponentsWorkPoin
Page 41: Sample CA Identity Manager Installa
Page 44 and 45: Decide What to ManageHow to Configu
Page 46 and 47: Decide What to ManageAccount Templa
Page 48 and 49: Determine Audit RequirementsYou vie
Page 50 and 51: Decide User Store RequirementsCapab
Page 52 and 53: Decide Hardware RequirementsDecide
Page 54 and 55: Choose a Method to Import UsersAddi
Page 56 and 57: Choose a Method to Import UsersExec
Page 58 and 59: Develop a Deployment PlanSynchroniz
Page 60 and 61: Develop a Deployment PlanTo deploy
Page 62 and 63: Develop a Deployment PlanEnvironmen
Page 65 and 66: Chapter 5: Integrating with SiteMin
Page 67: Password Policies with SiteMinderCA
Page 70 and 71: Role OptimizationsRole Optimization
Page 72 and 73: Role OptimizationsObjectTypeBaseObj
Page 74 and 75: Role Optimizations■■Tune the us
Page 76 and 77: Role OptimizationsTo limit the numb
Page 78 and 79: Task Optimizations■A user accesse
Page 80 and 81: Task OptimizationsRelationship Tabs
Page 82 and 83: Task OptimizationsGuidelines for Op
Page 84 and 85: Guidelines for Group Member\Adminis
Page 86 and 87: Identity Policy Optimizations■An
Page 90 and 91: Tuning for Provisioning ComponentsC
Page 92 and 93: Runtime Components TuningIdentity M
Page 94 and 95: Runtime Components TuningTuning JMS
Page 97 and 98: Chapter 7: Creating a Disaster Reco
Page 99 and 100: Define Disaster Recovery Requiremen
Page 101 and 102: Develop Backup PlansMulti-Site Conn
Page 103 and 104: Develop Restore ProceduresComponent
Page 105 and 106: Develop Restore ProceduresRestore C
Page 107 and 108: Test the Recovery PlanTest the Fail
Page 109 and 110: Chapter 8: Transitioning From eTrus
Page 111 and 112: eTrust Admin Management Interfacese
Page 113 and 114: Batch Processing in Identity Manage
Page 115: Next Steps■etautilYou use the eta
Page 118 and 119: How Role Evaluation Affects Perform
show all

CA Identity Manager Implementation Guide - CA Technologies

Create successful ePaper yourself

Delete template?

Save as template?