Deleting roles takes a lot of time

Hi,

On IdM 4.7.4 (netiq-DXMLrrsd-4.7.4-1) edir 9.2.1

Perhaps someone can come up with an idea here.
The client has a lot of roles, which need to be "remade".
The are using resources/entitlements, which joins users to groups via dynamic resources.


The steps involved
1) Make sure the driver with entitlements does not disjoin users from the group (disabled the rule that does that)
2) Delete the old roles
3) Make the new role with a new resource entitlement combination
4) Join group members to the new role

The issue is in step 2
When a role is deleted, we see a modify event on the RRS driver:

<modify cached-time="20210125111656.652Z" class-name="nrfResourceAssociation" event-id="idv04#20210125111656#1#18:17f20282-f4c9-41e8-83e8-8202f217c9f4" qualified-src-dn="O=top\OU=system\CN=IDMDriverSet01\CN=ua01\CN=AppConfig\CN=RoleConfig\CN=ResourceAssociations\CN=20160516183428-8ccb947e3e3b42a59a753f180b150568" src-dn="\IDVTREE\top\system\IDMDriverSet01\ua01\AppConfig\RoleConfig\ResourceAssociations\20160516183428-8ccb947e3e3b42a59a753f180b150568" src-entry-id="77623" timestamp="0#0">
<modify-attr attr-name="nrfRole">
<remove-value>
<value timestamp="1463416468#74" type="dn">\T=IDVTREE\O=top\OU=system\CN=IDMDriverSet01\CN=ua01\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level10\CN=requestable\CN=admnetrequestable\CN=application\CN=1DBFEF65F539B2D646F6D9C39A792D01</value>
</remove-value>
</modify-attr>
</modify>

This event typically takes around 2-3 minutes to process, even when the role has only been assigned to 2 users.
On top of that, the process of handling the delete value on the users and deleting the roles themselves comes on top of this.
We have a lot more than 1000 roles we need to do this with.
For 1000 roles, it will take several days to process.
The main issue being the modifyResource association event.
The transactions will sort of stack up, no one else will be able to get any events through the RRS driver, which is devastating for the clients business.

Does anyone have an idea on how this could be done in a sane way, without compromising the clients system for weeks?

  • With 2 assigned Users this should be faster.

    Have you looked at an LDAP trace to see what is going on - RRSD uses LDAP for a few things.

     

  • When you do this remove value using an LDAP browser? Does that take the same time? That is the remove action, if so it is your tree that cannot handle this remove fast. If it is fast the role and resource driver is the bottleneck. Doing a LDAP trace might work as well as high trace level on the RR driver.

  • Are these Roles assigned to LDAP Dynamic Groups?  In which case, RRSD is evalauting the dynamic group membership, possibly multiple times.

  • Thanks for the replies.

    Although there is a lot of nested groups, the specific roles in question are directly assigned to the users.

    I will try to see what an LDAP trace says.

    In the meantime, being the scoundrel that I am, I did the following and wonders if that idea is good at all (it sure is fast though)?

    The new stuff is 2a-2d

    1) Make sure the driver with entitlements does not disjoin users from the group (disabled the rule that does that)
    2) Delete the stuff

      2a) Find the role

      2b) Find the exact resouce association for that assignment

      2c) Delete resource assignment directly from edir.

      2d) Delete the role


    3) Make the new role with a new resource entitlement combination
    4) Join group members to the new role

     

  • Resonding to self:

    Bad idea to directly delete the resourceassociation object.

    DirXML-EntlementRef for the resource in question stays on the users. We cannot have that.

  • Although it is actually corrected if the user is migrated through the RRS driver.

  • How do do "delete" roles? Via UserApp oder as a direct LDAP delete?

  • Have you tried to remove the role assignment on the user and then when you have done that on all the user who have the role, then delete the role. 

    You can also (as Norbert says) delete the role using ldap ... 

  • Norbert and Casper.

    1)

    I suppose that deleting the role from a driver is more or less the same as using ldap (except that NCP and LDAP are two different protocols)

    This is what is done

    <do-delete-src-object class-name="nrfRole"> <arg-dn> <token-src-attr name="xAttrAssocRole"/> </arg-dn> </do-delete-src-object>

    Where xAttrAssocRole is the FDN of the role

    2) Perhaps I can try to delete the assignments before I delete the role. I will try that

    3) The LDAP traces... I didn't see anything that I would consider out of the ordinary. I might however have totally missed imortant details. Does anyone have an idea about what to look for?

  • Never directly delete nrfRole objects! Be it from a driver or via LDAP.

    If you do that, the RRSD doesn't know to which users the role was assigned. It therefore needs to re-calculate role and ressource assignments for all users. That will take time.

    Always use the proper API to remove roles. The RRSD can then cleanup permissions for just the affected users and deletes the nrfRole object itself when the process is done.