Dell One Identity Manager — Scalability And Performance


Scale up and out to ensure simple, effective governance for users.

Abstract

For years, organizations have had to be able to support user communities beyond their own employee populations. Commonly, identity governance and administration (IGA) products have been used to support both employees and third-party users who require user access to an organization's IT infrastructure. Today, however, potentially millions of external users may need to be registered and have their access carefully managed — a significant scalability challenge for many IGA tools. Dell One Identity Manager, however, delivers the scalability you need to manage both your employees and millions of external users — throughout the entire identity lifecycle, now and into the future. This technical brief presents the solution's unique architecture and explains how you can scale key components both horizontally and vertically. To help you further improve performance, it also explains best practices for reducing the impact of network latency and limited bandwidth and for best customizing the solution to meet your governance requirements.

Architecture

Identity Manager is based on an automation-optimized architecture that addresses all the key identity and access governance challenges, including provisioning, access request, attestation and recertification — at a fraction of the complexity, time and expense of traditional solutions.

Functional architecture

Identity Manager streamlines the process of managing user identities, access privileges and security enterprise-wide. With Identity Manager, identity governance and administration is driven by business needs, not IT capabilities.

Figure 1 illustrates the functional architecture of the solution. Identity Manager aggregates user identities from a variety of sources to simplify both the user experience and identity management tasks. It provides a range of tools to facilitate governance, including automated approval workflows and self-service options for users. Critically, it empowers business users, rather than IT, to easily control the process of granting and recertifying access rights, which helps ensure that each user has access to exactly the right set of resources. Access is role-based and closely governed by the policies you configure using the intuitive, web-based interface.

[Figure 1. Functional architecture of Identity Manager. Identity aggregation from sources such as HR (Person), ERP (Cost center), OM (Org structure), AD, LDAP, SAP and other connected, disconnected and cloud applications, plus a data warehouse; a web portal for self-registration, business users and administrators; governance tools including Email, Risk, SoD, History, Workflow, Simulation, Modeling, Attestation, Service catalog, RBAC/ABAC/PBAC, Privileged account, Data governance, Data classification, Rules/Roles/Policy and Dashboards/Reporting.]

Identity Manager components

Figure 2 illustrates the components of Identity Manager. They include:

Identity Manager database

The database is the nerve center of Identity Manager. It stores employee properties, information about user accounts and organizational data, as well as configuration data, such as access permissions, workflow definitions, parameters for controlling system behavior and configuration data for Identity Manager administration tools. Identity Manager supports the following database server platforms:

- Microsoft SQL Server
- Oracle
- Oracle Real Application Cluster (RAC)

Web portal

The web portal is a web-based application that provides end-user workflows for Identity Manager. For example, using the web portal, users with the appropriate permissions can:

- Change employee profile data and passwords
- Enter or edit employee profile data for staff or external users
- Request, search for, cancel or renew products in the ITShop, an integrated business portal that provides self-service request functionality, reporting, profile management, compliance and access governance management, and risk scoring
- Delegate responsibilities
- Assign approvals or certification instances
- Audit rule violations

[Figure 2. Identity Manager components: web portal and administrative front end (IIS) connecting to the Identity Manager database; job servers with connectors to target systems such as ADS, SAP, Exchange, LDAP, Notes, Samba and other target systems.]

Administrative front ends

Identity Manager provides rich configuration tooling for managing identities, controlling processes and configuring the product. It maintains all the data required for the administration of employees, their user accounts, permissions and company-specific roles, and it enables users with the appropriate permissions to easily view and manage that data.

Job servers

One or more job servers ensure that the data managed by Identity Manager is distributed within the network. Job servers perform data synchronization between the Identity Manager database and connected target systems, and also execute internal actions within the database and at a file level.

All endpoints communicate with the central database through an object layer that is implemented in Microsoft .NET. The object layer generates an audit trail of all operations and stores it in the central database.

Scaling options

Broadly speaking, there are two types of scaling: vertical and horizontal (see Figure 3).

- To scale vertically (or scale up) means to add resources to a single node in a system. This typically involves adding CPUs or memory to a single computer.
- To scale horizontally (or scale out) means to add more nodes to a system, such as adding a new computer to a distributed software application. For example, you might scale out from one web server to four.

[Figure 3. Scaling up versus scaling out.]

Identity Manager has three major components that can be scaled up or scaled out to optimize performance:

- Database tier
- Identity Manager web application
- Job servers

Scaling the database tier

Scaling up

Identity Manager uses one main central database, which can be scaled up for maximum performance. Typically this involves adding more CPUs or memory to the database server. Keep in mind that in addition to storing enormous amounts of data, the database tier also has to process data asynchronously to prevent waiting time at the endpoints.

Identity Manager is a true online transactional processing (OLTP) application. Its concurrency controls guarantee that two users accessing the same data in the database system will not both be able to change that data — one user will have to wait until the other user has finished processing before being allowed to change that piece of data. And its atomicity controls guarantee that all the steps in a transaction are completed successfully as a group. Accordingly, three parameters can affect the overall scalability:

- The number and speed of available processors, for optimizing processing time
- The amount of memory available (so that as much data as possible can be held in memory instead of on disk)
- I/O throughput, which determines the speed of reading data from and writing data to disk

The first two parameters are easy to adjust, since processor and memory cost are no longer deterring factors to any application deployment.

I/O can have a significant influence on the overall scalability — in fact, we recommend taking at least as much care in optimizing disk I/O as processors or memory. Specific recommendations include:

- Choose an appropriate number of spindles. More spindles mean more parallel I/O processing.
- Use solid state disk technology or fusion I/O technology to improve speed.
- Separate I/O channels for different database data. In particular, use different file groups or tablespaces, at least for log data, temp data and effective load data.

Scaling out

To reduce the amount of historical data stored in the audit trail of the database tier, Identity Manager can export the audit trail data to a separate history database. As long as a history database is online, Identity Manager's object layer can access this data for reporting, auditing or restoring objects.

For horizontal scalability, Identity Manager supports more than one history database. We recommend you plan for using a history database right from the beginning of the project. Depending on your auditing requirements and the related growth of audit data, you may need to add new history databases over time (for instance, one per year).

Database capacity planning and sizing

Of course, before beginning any application deployments, you should perform capacity planning and sizing for your databases. Dell offers advisor tools to help:

- SQL Server
- Oracle

Scaling the Identity Manager web application

The Identity Manager web application is implemented as a standard ASP.NET web application. Scaling out web applications is an easy task: simply install as many web applications as you like. For best load distribution, a load balancing solution is highly recommended.

When implementing a load balancing solution, however, beware of using a "sticky session" configuration. A sticky session ensures that all subsequent requests in a session will be sent to the server that handled the first request of that session.

Scaling the job server

An Identity Manager job server is a Windows Server service or Linux daemon that executes tasks (reads or writes data) on other systems. In identity management, this is typically called synchronization or provisioning; however, Identity Manager job services can handle other tasks as well, including changing file systems, creating tickets in service desk solutions, triggering a software installation and much more.

Identity Manager can scale out to handle as many job services as are needed for optimized throughput of data. You can add as many job services as you like to one instance of Identity Manager. Job services can be run on multiple machines, or multiple instances of job services can run on one machine to satisfy deployment requirements or to optimize use of available hardware resources.

Out of the box, a single job service is configured to allow up to 15 simultaneous tasks (called "slots"), which read or write data to other systems in parallel. This default is based on a minimum server hardware configuration (specifically, two processor cores and 4 GB memory). If you have more CPU and memory, you can increase the number of slots per job service instance.

Other factors to consider

Other factors that can influence the performance and scalability of the Identity Manager ecosystem include:

- Network latency
- Bandwidth
- Product configuration

Network latency

Network latency is the time required for a packet of data to get from one designated point to another. Network latency will result in a performance penalty and can affect users, particularly when they are:

- Performing batch updates for large amounts of data — The overall latency will increase the time it takes to store the data in the database.
- Using a user front end — Whether the front end is a web application or a Windows fat client, the overall application behavior will feel slow.

If you encounter these performance issues, be sure to check for latency on the network. Often the problems are due to improper routing configuration or overloaded network components. In particular, if your database is in a corporate storage area network (SAN), ensure the minimum latency for storing data packets in the SAN.

Bandwidth

Bandwidth is the amount of data that can be transmitted in a fixed amount of time. Limited bandwidth can be a problem in two places:

- If the bandwidth between the database server and an endpoint (user front end or service) is too small, then it will take more time to transport data packages from the database server to the endpoint and vice versa.
- Limited bandwidth between a job service and a target system will impact the job service's ability to collect data from the target system when performing a full synchronization.

Increasing bandwidth is not always an option, especially when you are forced to use WAN connections. One option for tackling bandwidth bottlenecks is to find the best position for core components. We recommend that you position endpoints with the best possible bandwidth to the database. In the case of a job service, that means ensuring that the job service has better bandwidth to the database than to the target system. In the case of a user connecting to a web application, make sure that the web server has better bandwidth to the database than the user's machine has to the web server. Other situations might call for other choices.

Identity Manager configuration

Identity Manager provides a lot of functionality right out of the box, but it can also easily be customized to meet your specific identity and access management and governance requirements. However, to ensure the best performance when making configuration changes, keep the following recommendations in mind:

- Set appropriate indexing on any extensions — Identity Manager's database model is extensible. In fact, the model is extended in most customer environments, often for storing attributes and searching objects like users or accounts. For better performance, be sure to set appropriate indexing on any extensions.
- Use asynchronicity wisely — Asynchronicity is a core architectural concept of Identity Manager. It allows for simply storing a change to the database and then using the event-based asynchronous architecture to perform the related tasks in a decoupled way. For example, this enables you to use the scale-out options of job services: saving a single change to the database results in a "successfully executed" task for the end user, even though the task may have triggered a large process that is still being executed in the background. When automating such background processes, be sure to:
  - Minimize the number of heavy scripts — Breaking scripts down into smaller pieces will reduce the time required to process each script.
  - Leverage the appropriate job task — Identity Manager provides two separate tasks for executing a script: ScriptExec and ScriptExecSingle. ScriptExecSingle makes sure execution is broken up and serialized. This is needed, for example, when many processes try to change a central file and every change must be saved before the next change can take place.
- Keep performance in mind when creating custom processes — Through process automation, a single change might result in a huge number of post processes. The number of asynchronous post processes can be influenced by your implementation choices. For example, items in the ITShop are organized into shelves for users to find and request. When a change happens to a shelf in the ITShop, the smallest unit of recalculation that might be required after the change is the shelf itself. Therefore, the larger the number of products in a shelf, the larger the number of post calculations, so be sure to watch the size of the shelves in your ITShop, not only in your initial configuration, but as they change over time.

Conclusion

Identity governance and administration requirements are growing every day. You need a solution that can scale up and out to meet them, today and into the future. Identity Manager delivers that scalability, enabling you to manage the entire identity lifecycle not only for your employee population, but also for the thousands or millions of external users who need properly governed access to your network. To learn more, please visit software.dell.com/products/identity-manager.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.

For More Information

If you have any questions regarding your potential use of this material, contact:

Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com

Refer to our Web site for regional and international office

© 2015 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ("Dell").

Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
