Identity Applications REST API slow response based on Administrator assignments

I do the following GET

/IDMProv/rest/catalog/resources/listV2?nextIndex=1&q=*&sortOrder=asc&sortBy=name&size=100

- If I do this with a user who is a 'resourceManager', it takes 16 seconds to reply (for more than 4000 resources).
- When I change the Administrator assignments to 'resourceAdministrator', the same command takes only 400ms.

In both cases I get the same correct answer and a status "200 Ok". Only the response times are drastically different.

Any idea how this is possible? I've set com.netiq.idm.rest.access to TRACE and no errors show up in the localhost_access.log.

  • Think about what the difference between a query with Full Admin permission vs. restricted permissions might mean... You should only return the objects you have permissions to see in both cases.

    So as resource Admin, you have permission to all, and in fact I think it follows a different code path and just returns all values as you request (page/sorting stuff).

    Whereas a Resource Manager needs to query for the objects, then check if THIS user has effective rights in eDir to the srvrMgrAccess* attributes. As you can imagine, a direct query is faster than a query followed by a loop that queries each of them as well.

    A better permission model would be to remove Browse/Compare permissions on all of them, and for Resource Admin add BC, then for Resource Manager add BC to see it as well. However, there is more to Roles/resources than simply seeing them; you need more flexibility and thus the current model.

  • Also, there is something in how the Teams code path works that avoids this pitfall, and if you can define the permissions you have access to in a Team, it can be significantly faster in large environments. But I do not understand how it works on the Teams side. (Anyone who has some insight, I would love to hear it.)

  • I have given the user "resource manager" and admin rights to the eDir, but the response is still slow.
    Also, I cannot find major differences in the access token.

    Indeed it looks like it's doing a different query under the hood.

    Will look at the Teams option, and see if we can work around it that way.

  • So Resource Admin and Resource Manager are magic roles in UA.  They are hard coded and 'magic'.

    So when you are a Resource Admin, you definitionally can see all, ergo no need to check permissions.

    When you are a Resource Manager, you are definitionally NOT able to see all (if you could, you would have been a Resource Admin), so you MUST check permissions.

    As described, the permission check is not inefficient; it just takes time with tens of thousands of roles. (Paging should really be implemented better for this case, is all.)

    Side note: That suggests that a Resource Manager who has permissions on all Resources is NOT the same as a Resource Admin in this regard.

  • This also explains why you can set the 'All Permissions' switch once when creating a new Administrator assignment,
    but you cannot change this switch for an existing assignment.

    It's basically a switch to choose whether the assignment will be an administrator or a manager.

  • It's Maaaaggggiiiiiccccc! I dislike that sort of thing, but tis what it tis...