
Dell One Identity Manager — Scalability and Performance

Scale up and out to ensure simple, effective governance for users.

Abstract

For years, organizations have had to be able to support user communities beyond their own employee populations.

Commonly, identity governance and administration (IGA) products have been used to support both employees and third-party users who require user access to an organization’s IT infrastructure. Today, however, potentially millions of external users may need to be registered and have their access carefully managed — a significant scalability challenge for many IGA tools.

Dell One Identity Manager, however, delivers the scalability you need to manage both your employees and millions of external users — throughout the entire identity lifecycle, now and into the future. This technical brief presents the solution’s unique architecture and explains how you can scale key components both horizontally and vertically. To help you further improve performance, it also explains best practices for reducing the impact of network latency and limited bandwidth and for best customizing the solution to meet your governance requirements.


Architecture

Functional architecture

Identity Manager streamlines the process of managing user identities, access privileges and security enterprise-wide. With Identity Manager, identity governance and administration is driven by business needs, not IT capabilities.

Identity Manager is based on an automation-optimized architecture that addresses all the key identity and access governance challenges, including provisioning, access request, attestation and recertification — at a fraction of the complexity, time and expense of traditional solutions.

Figure 1 illustrates the functional architecture of the solution. Identity Manager aggregates user identities from a variety of sources to simplify both the user experience and identity management tasks. It provides a range of tools to facilitate governance, including automated approval workflows and self-service options for users. Critically, it empowers business users, rather than IT, to easily control the process of granting and recertifying access rights, which helps ensure that each user has access to exactly the right set of resources.

Access is role-based and closely governed by the policies you configure using the intuitive, web-based interface.

Identity Manager components

Figure 2 illustrates the components of Identity Manager. They include:

Identity Manager database

The database is the nerve center of Identity Manager. It stores employee properties, information about user accounts and organizational data, as well as configuration data, such as access permissions, workflow definitions, parameters for controlling system behavior and configuration data for Identity Manager administration tools.

Identity Manager supports the following database server platforms:

• Microsoft SQL Server

• Oracle

• Oracle Real Application Cluster (RAC)

Web portal

The web portal is a web-based application that provides end-user workflows for Identity Manager. For example, using the web portal, users with the appropriate permissions can:

• Change employee profile data and passwords

• Enter or edit employee profile data for staff or external users

• Request, search for, cancel or renew products in the ITShop, an integrated business portal that provides self-service request functionality, reporting, profile management, compliance and access governance management, and risk scoring

• Delegate responsibilities

• Assign approvals or certification instances

• Audit rule violations

[Figure 1. Functional architecture of Identity Manager: governance functions (risk, SoD, history, workflow, simulation, modeling, attestation, service catalog, RBAC/ABAC/PBAC, privileged account, data governance, data classification, rules/roles/policy, dashboards/reporting) and identity aggregation from cloud applications, connected applications, disconnected applications and data warehouses; sources shown are AD, LDAP, email, SAP, other systems and self-registration, plus org structure from HR, ERP and OM (person, cost center); business users and admins reach the system through the web portal and tools]

Administrative front ends

Identity Manager provides rich configuration tooling for managing identities, controlling processes and configuring the product. It maintains all the data required for the administration of employees, their user accounts, permissions and company-specific roles, and it enables users with the appropriate permissions to easily view and manage that data.

Job servers

One or more job servers ensure that the data managed by Identity Manager is distributed within the network. Job servers perform data synchronization between the Identity Manager database and connected target systems, and also execute internal actions within the database and at a file level.

All endpoints communicate with the central database through an object layer that is implemented in Microsoft .NET.

The object layer generates an audit trail of all operations and stores it in the central database.

Scaling options

Broadly speaking, there are two types of scaling: vertical and horizontal (see Figure 3).

• To scale vertically (or scale up) means to add resources to a single node in a system. This typically involves adding CPUs or memory to a single computer.

• To scale horizontally (or scale out) means to add more nodes to a system, such as adding a new computer to a distributed software application. For example, you might scale out from one web server to four.

[Figure 2. Identity Manager components: web portal (on IIS) and admin front end, the D1IM database, and job servers whose connectors and interfaces reach target systems such as AD, SAP, LDAP, SAMBA, SP, Exch, NOTES and other target systems]

[Figure 3. Scaling up versus scaling out]

Identity Manager has three major components that can be scaled up or scaled out to optimize performance:

• Database tier

• Identity Manager web application

• Job servers

Scaling the database tier

Scaling up

Identity Manager uses one main central database, which can be scaled up for maximum performance. Typically this involves adding more CPUs or memory to the database server. Keep in mind that in addition to storing enormous amounts of data, the database tier also has to process data asynchronously to prevent waiting time at the endpoints.

Identity Manager is a true online transactional processing (OLTP) application. Its concurrency controls guarantee that two users accessing the same data in the database system will not both be able to change that data — one user will have to wait until the other user has finished processing before being allowed to change that piece of data. And its atomicity controls guarantee that all the steps in a transaction are completed successfully as a group. Accordingly, three parameters can affect the overall scalability:

• The number and speed of available processors for optimizing processing time

• The amount of memory available (so as much data as possible can be held in memory instead of on disk)

• I/O throughput, which determines the speed of reading data from and writing data to disk

The first two parameters are easy to adjust, since processor and memory costs are no longer deterrents to application deployment.

I/O can have a significant influence on the overall scalability — in fact, we recommend taking at least as much care in optimizing disk I/O as processors or memory. Specific recommendations include:

• Choose an appropriate number of spindles. More spindles mean more parallel I/O processing.

• Use solid state disk technology or fusion I/O technology to improve speed.

• Use separate I/O channels for different kinds of database data. In particular, use different file groups or tablespaces, at least for log data, temp data and effective load data.

Scaling out

To reduce the amount of historical data stored in the audit trail of the database tier, Identity Manager can export the audit trail data to a separate history database. As long as a history database is online, Identity Manager’s object layer can access this data for reporting, auditing or restoring objects.

For horizontal scalability, Identity Manager supports more than one history database. We recommend you plan for using a history database right from the beginning of the project. Depending on your auditing requirements and the related growth of audit data, you may need to add new history databases over time (for instance, one per year).

Database capacity planning and sizing

Of course, before beginning any application deployments, you should perform capacity planning and sizing for your databases. Dell offers advisor tools to help:

• SQL Server

• Oracle

Scaling the Identity Manager web application

The Identity Manager web application is implemented as a standard ASP.NET web application. Scaling out web applications is an easy task: simply install as many web applications as you like. For best load distribution, a load balancing solution is highly recommended.

When implementing a load balancing solution, however, beware of using a “sticky session” configuration. A sticky session ensures that all subsequent requests of a session will be sent to the server that handled the first request of that session.


Scaling the job server

An Identity Manager job server is a Windows Server service or Linux daemon that executes tasks (reads or writes data) on other systems. In identity management, this is typically called synchronization or provisioning; however, Identity Manager job services can handle other tasks as well, including changing file systems, creating tickets in service desk solutions, triggering a software installation and much more.

Identity Manager can scale out to handle as many job services as are needed for optimized throughput of data. You can add as many job services as you like to one instance of Identity Manager. Job services can be run on multiple machines, or multiple instances of job services can run on one machine to satisfy deployment requirements or to optimize use of available hardware resources.

Out of the box, a single job service is configured to allow up to 15 simultaneous tasks (called “slots”), which read or write data to other systems in parallel. This default is based on a minimum server hardware configuration (specifically, two processor cores and 4 GB memory). If you have more CPU and memory, you can increase the number of slots per job service instance.

Other factors to consider

Other factors that can influence the performance and scalability of the Identity Manager ecosystem include:

• Network latency

• Bandwidth

• Product configuration

Network latency

Network latency is the time required for a packet of data to get from one designated point to another. Network latency results in a performance penalty and can affect users, particularly when they are:

• Performing batch updates for large amounts of data — The overall latency will increase the time it takes to store the data in the database.

• Using a user front end — Whether the front end is a web application or a Windows fat client, the overall application behavior will feel slow.

If you encounter these performance issues, be sure to check for latency on the network. Often the problems are due to improper routing configuration or overloaded network components.

In particular, if your database is in a corporate storage area network (SAN), ensure that the latency for storing data packets in the SAN is as low as possible.

Bandwidth

Bandwidth is the amount of data that can be transmitted in a fixed amount of time. Limited bandwidth can be a problem in two places:

• If the bandwidth between the database server and an endpoint (user front end or service) is too small, then it will take more time to transport data packets from the database server to the endpoint and vice versa.

• Limited bandwidth between a job service and a target system will impact the job service’s ability to collect data from the target system when performing a full synchronization.

Increasing bandwidth is not always an option, especially when you are forced to use WAN connections. One option for tackling bandwidth bottlenecks is to find the best position for core components. We recommend that you position endpoints with the best possible bandwidth to the database. In the case of a job service, that means ensuring that the job service has better bandwidth to the database than to the target system.

In the case of a user connecting to a web application, make sure that the web server has better bandwidth to the database than the user’s machine has to the web server. Other situations might call for other choices.


Identity Manager configuration

Identity Manager provides a lot of functionality right out of the box, but it can also easily be customized to meet your specific identity and access management and governance requirements. However, to avoid performance problems when making configuration changes, keep the following recommendations in mind:

• Set appropriate indexing on any extensions — Identity Manager’s database model is extensible. In fact, the model is extended in most customer environments, often for storing attributes and searching objects like users or accounts. For better performance, be sure to set appropriate indexing on any extensions.

• Use asynchronicity wisely — Asynchronicity is a core architectural concept of Identity Manager. It allows a change to simply be stored in the database, with the related tasks then performed in a decoupled way through the event-based asynchronous architecture. For example, this is what lets you use the scale-out options of job services: saving a single change to the database reports a “successfully executed” task to the end user right away, even though the change may have triggered a large process that is still being executed in the background. When automating such background processes, be sure to:

• Minimize the number of heavy scripts — Breaking scripts down into smaller pieces will reduce the time required to process each script.

• Leverage the appropriate job task — Identity Manager provides two separate tasks for executing a script: ScriptExec and ScriptExecSingle. ScriptExecSingle ensures that execution is serialized, one script at a time. This is needed, for example, when many processes try to change a central file and every change must be saved before the next change can take place.

• Keep performance in mind when creating custom processes — Through process automation, a single change might result in a huge number of post processes. The number of asynchronous post processes can be influenced by your implementation choices. For example, items in the ITShop are organized into shelves for users to find and request. When a change happens to a shelf in ITShop, the smallest unit of recalculation that might be required after the change is the shelf itself. Therefore, the larger the number of products in a shelf, the larger the number of post calculations, so be sure to watch the size of the shelves in your ITShop, not only in your initial configuration, but as they change over time.
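The job-service slot limit described under “Scaling the job server” and the ScriptExec/ScriptExecSingle distinction above can be explored with a small discrete-event model. This is an added example, not Identity Manager code; the task names, durations and the `serialize_shared` switch are constructed for illustration.

```python
"""Added example (not Identity Manager code): a discrete-event model of one job
service's slots. Queued tasks run in parallel, up to `slots` at a time, the way
ScriptExec tasks do; tasks that rewrite a central file can instead be forced to
run one at a time, the ScriptExecSingle behaviour described above.
Durations are abstract time units and the task mix is constructed."""
import heapq
from dataclasses import dataclass

DEFAULT_SLOTS = 15  # out-of-the-box slot count per job service (2 cores, 4 GB)


@dataclass(frozen=True)
class Task:
    name: str
    duration: int
    central_file: bool = False  # read-modify-write on a shared file


def run_queue(tasks, slots=DEFAULT_SLOTS, serialize_shared=False):
    """Schedule `tasks` FIFO onto `slots` workers and return (makespan,
    max_overlap): when the last task ends, and the largest number of
    central-file tasks running at one instant (>1 means lost-update risk).
    serialize_shared=True lets only one central-file task run at a time."""
    if slots < 1:
        raise ValueError("a job service needs at least one slot")
    pending, running = list(tasks), []   # running: heap of (end, seq, task)
    seq = now = makespan = shared = max_overlap = 0
    while pending or running:
        i = 0
        while i < len(pending) and len(running) < slots:
            task = pending[i]
            if task.central_file and serialize_shared and shared:
                i += 1                   # wait for the running central-file task
                continue
            pending.pop(i)
            heapq.heappush(running, (now + task.duration, seq, task))
            seq += 1
            if task.central_file:
                shared += 1
                max_overlap = max(max_overlap, shared)
        now, _, task = heapq.heappop(running)   # advance to the next completion
        makespan = now
        if task.central_file:
            shared -= 1
    return makespan, max_overlap


def sync_tasks(n, duration):
    """n independent synchronization tasks; constructed input."""
    return [Task(f"sync-{k}", duration) for k in range(n)]


def file_tasks(n, duration):
    """n scripts that each rewrite the same central file; constructed input."""
    return [Task(f"file-{k}", duration, central_file=True) for k in range(n)]


if __name__ == "__main__":
    print("30 syncs, 15 slots:", run_queue(sync_tasks(30, 4)))          # (8, 0)
    print("30 syncs, 30 slots:", run_queue(sync_tasks(30, 4), 30))      # (4, 0)
    print("5 file scripts, parallel:", run_queue(file_tasks(5, 2)))     # (2, 5)
    print("5 file scripts, serialized:",
          run_queue(file_tasks(5, 2), serialize_shared=True))           # (10, 1)
```

Adding slots shortens the makespan of independent synchronization work, while serializing the central-file scripts removes the overlap at the price of a longer run, which is the trade-off the two job tasks represent.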

Conclusion

Identity governance and administration requirements are growing every day. You need a solution that can scale up and out to meet them, today and into the future. Identity Manager delivers that scalability, enabling you to manage the entire identity lifecycle not only for your employee population, but also for the thousands or millions of external users who need properly governed access to your network. To learn more, please visit software.dell.com/products/identity-manager.


© 2015 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).

Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products.

EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection.

This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.

If you have any questions regarding your potential use of this material, contact:

Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.dellsoftware.com

Refer to our Web site for regional and international office information.
