optimum number of roles in IDM?
Hi,
What is the optimum number of roles that we can have in IDM 7.0? We are looking at a role-based provisioning solution. Per the requirements, we might end up having more than 7000 (7K) roles. Would there be any performance issues with this many roles? For best performance, is there any limit on the recommended number of roles in IDM?
Thanks,
kIDMan.
By kIDMana at 2007-11-27 11:01:54

# 1
kIDMan,
I would suggest that you re-design/re-think your role model, since 7000 roles would be a nightmare to maintain. What you should have in mind when you are designing the roles is the provisioning perspective, and not so much the professional title.
A common scenario I have seen at customers is that they "almost" end up with one role per employee. When you have that scenario, in my opinion, you are designing your role model incorrectly. Try to determine whether a number of employees have similar resources and similar settings, and bundle that into a role. There is likely to be an employee role with mail, calendar etc. that is the same for all employees, whether it's the CEO or a desk-slave.
Try building a matrix of roles, e.g. geography-specific settings, business unit, company-wide; you get the idea.
But typically 7000 is a big no-no, 700 could be a big no-no, and at 70 you are getting there.
Only address the roles that are necessary; a big US bank implemented 1 role and that covered 80% of their needs...
Well just my 2 cents.
/A
# 2
We are provisioning resources based on roles. Our provisioning logic then just toggles roles based on various requirements. Currently we seem to have about two roles per resource we provision: one granting access to the resource, and one to display that access is disabled. Our resources authenticate against a central LDAP data store, so our roles basically toggle values in attributes in LDAP. We have a disabled role because when a user moves to a disabled state for us, we don't want them to authenticate against the old resource, but we also don't want to delete their account (files, etc.) yet. Once the disable role is removed and no more roles require a resource, then IDM handles removing the account at the resource. Currently we have a little under 20 roles. So far it seems to be working fine.
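As an added illustration of the two replies (this is example code written for this page, not code from either poster and not IDM policy), the model below puts both ideas together: reply #1's role matrix (a company-wide role plus one role per business unit and per geography, whose union gives a user's resources) and reply #2's pair of roles per resource (an access role and a disabled role that toggle directory attributes, with the account deleted only once no role requires the resource). Every role, resource and attribute name in it is invented for illustration, and the rule that the disabled role wins over the access role if both are held is an assumption, not something the post states.

```python
# Added example (not from the thread or from IDM): a model of the role design
# the two replies describe.  Reply #1: a role matrix (company-wide, business
# unit, geography).  Reply #2: an access role and a disabled role per resource
# toggling directory attributes; the account is removed when no role needs it.
# Every role, resource and attribute name here is invented for illustration.
from enum import Enum
from typing import Dict, FrozenSet, List, Set, Tuple

# Reply #1: each matrix role bundles resources a whole group shares.
ROLE_MATRIX: Dict[str, FrozenSet[str]] = {
    "employee":       frozenset({"mail", "calendar"}),   # company-wide
    "bu-finance":     frozenset({"erp"}),                # business unit
    "bu-engineering": frozenset({"scm", "build"}),
    "geo-eu":         frozenset({"eu-fileshare"}),       # geography
    "geo-us":         frozenset({"us-fileshare"}),
}
ALL_RESOURCES: Set[str] = set().union(*ROLE_MATRIX.values())

def roles_for(business_unit: str, location: str) -> Set[str]:
    """Three matrix roles per user instead of one bespoke role per job title."""
    return {"employee", f"bu-{business_unit}", f"geo-{location}"}

def resources_for(matrix_roles: Set[str]) -> Set[str]:
    """Union of everything the user's matrix roles bundle."""
    unknown = matrix_roles - ROLE_MATRIX.keys()
    if unknown:
        raise KeyError(f"unknown roles: {sorted(unknown)}")
    return set().union(*(ROLE_MATRIX[r] for r in matrix_roles))

# Reply #2: per resource, an access role and a disabled role.
class AccountState(Enum):
    ENABLED = "enabled"    # access role held: user may authenticate
    DISABLED = "disabled"  # disabled role held: account kept, login blocked
    ABSENT = "absent"      # neither role held: account removed at the resource

def resource_roles(resource: str) -> Tuple[str, str]:
    """(access role, disabled role) for one resource; the naming is invented."""
    return f"{resource}-access", f"{resource}-disabled"

def grant_roles(matrix_roles: Set[str]) -> Set[str]:
    """Matrix roles -> the per-resource access roles the user ends up holding."""
    return {resource_roles(r)[0] for r in resources_for(matrix_roles)}

def disable_user(held: Set[str]) -> Set[str]:
    """Swap every access role for its disabled role: accounts (files etc.)
    survive, but the user can no longer authenticate to them."""
    return {resource_roles(r[:-len("-access")])[1] if r.endswith("-access") else r
            for r in held}

def account_state(resource: str, held: Set[str]) -> AccountState:
    access, disabled = resource_roles(resource)
    if disabled in held:          # assumption: deny wins if both are held
        return AccountState.DISABLED
    if access in held:
        return AccountState.ENABLED
    return AccountState.ABSENT

def ldap_attributes(resource: str, held: Set[str]) -> Dict[str, str]:
    """Attribute values the roles toggle in the central directory (names are
    illustrative, not a real eDirectory/LDAP schema)."""
    state = account_state(resource, held)
    if state is AccountState.ABSENT:
        return {}
    return {f"{resource}Account": "TRUE",
            f"{resource}LoginDisabled": "TRUE" if state is AccountState.DISABLED else "FALSE"}

def provisioning_actions(before: Set[str], after: Set[str]) -> List[str]:
    """Driver work when a user's role set changes from `before` to `after`."""
    actions: List[str] = []
    for r in sorted(ALL_RESOURCES):
        old, new = account_state(r, before), account_state(r, after)
        if old is new:
            continue
        if new is AccountState.ABSENT:
            actions.append(f"delete account on {r}")   # nothing requires it now
        elif old is AccountState.ABSENT:
            actions.append(f"create account on {r} ({new.value})")
        else:
            actions.append(f"set {r} to {new.value}")
    return actions

def lifecycle(business_unit: str, location: str) -> List[List[str]]:
    """Hire -> disable -> leave, as three role-set transitions."""
    hired = grant_roles(roles_for(business_unit, location))
    suspended = disable_user(hired)
    return [provisioning_actions(set(), hired),
            provisioning_actions(hired, suspended),
            provisioning_actions(suspended, set())]
```

Running `lifecycle("engineering", "eu")` gives three action lists: five account creations, five disables that keep the accounts, and five deletions once no role requires the resource. With five matrix roles the whole organisation is covered by a handful of definitions, which is the point of reply #1; a separate access and disabled role per resource, as in reply #2, adds two roles per resource, not per person.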