User App 4.5 - Role Catalog - Relocating request placement


When we assign roles (to users/groups/containers) in User App 4.5 /
Roles and Resources tab / Role Catalog, by default all the (role)
requests are created in User App (i.e.,
cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet...)
If the Roles have associated resources, the corresponding resource
requests are also created in User App (i.e.,
cn=ResourceRequests,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet...)

Questions:

A. If there are many such (role/resource) requests, the size of the User
App driver will grow a lot. Would it be an issue in the long run?

B. If question A's answer is yes, can we relocate the requests (during
creation) in other places outside the user app (e.g.,
cn=Requests,ou=C,ou=B,ou=A,o=MyCompany), if yes, how?

Thanks a lot in advance for your time and reply.


--
samiranmd
------------------------------------------------------------------------
samiranmd's Profile: https://forums.netiq.com/member.php?userid=11549
View this thread: https://forums.netiq.com/showthread.php?t=55481

  • samiranmd <samiranmd@no-mx.forums.microfocus.com> wrote:
    >
    >
    > A. If there are many such (role/resource) requests, the size of the User

    App driver will grow a lot. Would it be an issue in the long run?

    If it was a reality issue, the vendor would have come up with an
    alternative solution. Like they have done with associations. In idm 4.5 you
    can chose to switch to another type of association which scales better once
    you get up to really large numbers of identities (not exactly sure where
    the point is where this becomes a problem, think it is somewhere around
    5-10 million identities.

    >
    > B. If question A's answer is yes, can we relocate the requests (during

    creation) in other places outside the user app (e.g.,
    cn=Requests,ou=C,ou=B,ou=A,o=MyCompany), if yes, how?
    >


    I don't believe this is supported or a good idea.

    --
    If you find this post helpful and are logged into the web interface, show
    your appreciation and click on the star below...
  • On 3/7/16 4:20 AM, Alex Mchugh wrote:
    > samiranmd <samiranmd@no-mx.forums.microfocus.com> wrote:
    >>
    >>
    >> A. If there are many such (role/resource) requests, the size of the User

    > App driver will grow a lot. Would it be an issue in the long run?
    >
    > If it was a reality issue, the vendor would have come up with an
    > alternative solution. Like they have done with associations. In idm 4.5 you
    > can chose to switch to another type of association which scales better once
    > you get up to really large numbers of identities (not exactly sure where
    > the point is where this becomes a problem, think it is somewhere around
    > 5-10 million identities.
    >
    >>
    >> B. If question A's answer is yes, can we relocate the requests (during

    > creation) in other places outside the user app (e.g.,
    > cn=Requests,ou=C,ou=B,ou=A,o=MyCompany), if yes, how?
    >>

    >
    > I don't believe this is supported or a good idea.
    >

    Greetings,
    It is not possible to change where Role and Resource definitions,
    Associations, and Role/Resource Requests are contained.

    There is a setting on the Role and Resource Service driver that
    outlines how long to keep "completed" requests. The default value is
    seven (7) days. Which means that once a request for a Role or Resource
    has completed (either successfully or with failure) and it is more then
    seven days old, the clean-up thread will remove it.


    This is similar to the clean-up thread for completed workflows.

    --
    Sincerely,
    Steven Williams
    Lead Software Engineer
    Micro Focus

  • Steven Williams;265805 Wrote:
    > On 3/7/16 4:20 AM, Alex Mchugh wrote:
    > > samiranmd <samiranmd@no-mx.forums.microfocus.com> wrote:
    > >>
    > >>
    > >> A. If there are many such (role/resource) requests, the size of the

    > User
    > > App driver will grow a lot. Would it be an issue in the long run?
    > >
    > > If it was a reality issue, the vendor would have come up with an
    > > alternative solution. Like they have done with associations. In idm

    > 4.5 you
    > > can chose to switch to another type of association which scales better

    > once
    > > you get up to really large numbers of identities (not exactly sure

    > where
    > > the point is where this becomes a problem, think it is somewhere

    > around
    > > 5-10 million identities.
    > >
    > >>
    > >> B. If question A's answer is yes, can we relocate the requests

    > (during
    > > creation) in other places outside the user app (e.g.,
    > > cn=Requests,ou=C,ou=B,ou=A,o=MyCompany), if yes, how?
    > >>

    > >
    > > I don't believe this is supported or a good idea.
    > >

    > Greetings,
    > It is not possible to change where Role and Resource definitions,
    > Associations, and Role/Resource Requests are contained.
    >
    > There is a setting on the Role and Resource Service driver that
    > outlines how long to keep "completed" requests. The default value is
    > seven (7) days. Which means that once a request for a Role or Resource
    > has completed (either successfully or with failure) and it is more then
    > seven days old, the clean-up thread will remove it.
    >
    >
    > This is similar to the clean-up thread for completed workflows.
    >
    > --
    > Sincerely,
    > Steven Williams
    > Lead Software Engineer
    > Micro Focus



    Thank you very much guys for your prompt and valuable reply. My
    confusion is clear now.


    --
    samiranmd
    ------------------------------------------------------------------------
    samiranmd's Profile: https://forums.netiq.com/member.php?userid=11549
    View this thread: https://forums.netiq.com/showthread.php?t=55481