Environments configured with large numbers of groups and nested groups require extensive processing by Identity Manager as it evaluates the directory policies. If, for example, there are a few dozen directory policies that need to be evaluated as part of the IDM security model, and this evaluation is triggered for the Modify My Profile task, the security model needs to determine whether the admin has adequate privileges to run the task – so different types of policies are evaluated to figure this out.
The directory policies comprise member policies that include directory attributes. One such member policy (out of the dozens) could be like this one:
[<AttributeExpression attribute="%GROUP_TYPE%" comparator="EQUALS" value="abc"/>, <AttributeExpression attribute="objectclass" comparator="EQUALS" value="myGroup"/>]
The search unit IDM will build based on this member policy is as follows:
DN: dc=dir,dc=answers,dc=mycorp,dc=com + children
Group DN: uniqueIdentifier=005430870a38559dc9bcaea17776de0,ou=Groups,dc=abc,dc=dir,dc=answers,dc=mycorp,dc=com
Group DN: uniqueIdentifier=0029004d8e13d8d7759da787617776de0,ou=Groups,dc=abc,dc=dir,dc=answers,dc=mycorp,dc=com... etc.
I have omitted all the groups from this list, but you get the picture.
This is still fairly quick – the real time consumption is when IDM attempts to probe for nested groups within these groups – that takes the bulk of the time.
So in this environment, we can ask IDM not to search through the nested groups – we can do this by setting <GroupTypes type="NONE"/> instead of <GroupTypes type="ALL"/> in the directory.xml.
Once we do that, the Modify My Profile task returns in about 2 or 3 seconds instead of the 2+ minutes with the original setting. However, the above directory.xml setting is global for all tasks and will prevent any nested group searches from occurring at all. The solution is to use the DisableNestedGroupEvaluation=TRUE property/value only on tasks that do not require nested group searches.
This can still leave long search times when nested group searches are required (and large numbers of groups are configured), therefore you should ensure that you have also implemented the appropriate well-known group attributes in the directory.xml.
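The following is an added illustration, not IDM's own code: a small Python model of the evaluation described above, showing why disabling nested group evaluation is a per-task decision and not just a speed knob. The group names, user ids and directory sample are constructed; the member policy is the page's AttributeExpression list, and nested_evaluation=False stands in for GroupTypes NONE / DisableNestedGroupEvaluation=TRUE.

```python
from collections import deque

# Constructed directory sample (not from the page): each group has attributes,
# direct members and nested member groups. sales <-> sales-eu form a cycle.
GROUPS = {
    "cn=sales,ou=Groups,dc=abc": {
        "attrs": {"%GROUP_TYPE%": "abc", "objectclass": "myGroup"},
        "members": {"uid=alice"}, "nested": {"cn=sales-eu,ou=Groups,dc=abc"}},
    "cn=sales-eu,ou=Groups,dc=abc": {
        "attrs": {"%GROUP_TYPE%": "eu", "objectclass": "myGroup"},
        "members": {"uid=bob"}, "nested": {"cn=sales,ou=Groups,dc=abc"}},
    "cn=it,ou=Groups,dc=abc": {
        "attrs": {"%GROUP_TYPE%": "abc", "objectclass": "otherClass"},
        "members": {"uid=carol"}, "nested": set()},
}

# The page's member policy as (attribute, comparator, value) tuples.
MEMBER_POLICY = [("%GROUP_TYPE%", "EQUALS", "abc"),
                 ("objectclass", "EQUALS", "myGroup")]


def matches_policy(attrs, policy):
    """Every AttributeExpression must hold; only EQUALS is modelled here."""
    for attribute, comparator, value in policy:
        if comparator != "EQUALS":
            raise ValueError(f"unsupported comparator {comparator}")
        if attrs.get(attribute) != value:
            return False
    return True


def resolve_members(groups, policy, nested_evaluation):
    """Return (members, groups_visited) for the groups matched by the policy.

    nested_evaluation=False models GroupTypes NONE / DisableNestedGroupEvaluation=TRUE:
    only the directly matched groups are consulted, so users whose membership
    exists only through a nested group are NOT found.
    """
    queue = deque(dn for dn, g in groups.items() if matches_policy(g["attrs"], policy))
    seen, members = set(), set()
    while queue:
        dn = queue.popleft()
        if dn in seen:          # guard against cycles and diamond nesting
            continue
        seen.add(dn)
        members |= groups[dn]["members"]
        if nested_evaluation:   # this expansion is where the time goes
            queue.extend(groups[dn]["nested"])
    return members, len(seen)


def may_run_task(user, groups, policy, nested_evaluation):
    """Authorization decision the security model makes for one task."""
    return user in resolve_members(groups, policy, nested_evaluation)[0]
```

With nested evaluation on, uid=bob is authorized through sales-eu; with it off, the same user is denied, so the property should only be set on tasks whose policies never rely on nested membership.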