Friday, August 31, 2007

Caching == 'good'

We have been looking for all possible updates to improve performance of our reconciliation passes. Lo and behold, the "Best Practices Guide" in the OIM Doc set. In there it references enabling caching of various objects and definitions for best performance. Do it! We saw over 50% per user performance just by turning these settings on as recommended in the docs.

Thursday, August 30, 2007

Building Rules for OIM Group Determination

For each rule defined that is linked to an OIM Group for Membership determination, the recon engine runs its tests. So if you have 100 groups with 100 rules, it will run through all 100 rules for each person reconciled. This can get painful in terms of performance. After experimentation we found that defining all conditions on a rule with the most restrictive condition first gives the best performance. The rule engine stops checking conditions at the first failed condition on an 'AND' rule.

For example:

Person is Location:X, Dept: 2, Gender: M

Your organization has 5 Locations, 100 Departments, obviously I hope 2 Genders.

The best way to organize your rules is:

Department == 5
Location == X
Gender == M

Department == 5
Location == X
Gender == F

This way, when the determination engine runs through the rules, more people will fall out at the first condition of each rule, which prevents testing of the subsequent conditions.

Also, Rule Caching as configured in xlconfig.xml greatly improves performance on rules processing, as it cuts down on the DB reads for each and every rule for each and every person.
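The effect of the condition ordering described above can be counted directly. The following is an added example, not OIM code or anything from the product: it models an 'AND' rule that stops at the first failed condition and runs the two rules from the post over a constructed population (one person per combination of 5 locations, 100 departments and 2 genders; every location name other than X is made up).

```python
# Added illustration: a model of short-circuit 'AND' rule evaluation, not OIM code.
from itertools import product

# Constructed population: 5 locations x 100 departments x 2 genders = 1000 people.
CARDINALITY = {"Location": 5, "Department": 100, "Gender": 2}
PEOPLE = [
    {"Location": loc, "Department": dept, "Gender": g}
    for loc, dept, g in product("XYZVW", range(1, 101), "MF")
]

def evaluate(rule, person):
    """AND rule: stop at the first failed condition.
    Returns (matched, number_of_conditions_checked)."""
    checked = 0
    for attribute, expected in rule:
        checked += 1
        if person[attribute] != expected:
            return False, checked
    return True, checked

def total_checks(rules, people):
    """Run every rule against every person; return (matches, checks)."""
    matches = checks = 0
    for person in people:
        for rule in rules:
            matched, checked = evaluate(rule, person)
            matches += matched
            checks += checked
    return matches, checks

def most_restrictive_first(rule):
    """Order conditions by the attribute's number of distinct values
    (assumes values are evenly spread, as in the constructed population)."""
    return sorted(rule, key=lambda cond: CARDINALITY[cond[0]], reverse=True)

# The two rules from the post, written least restrictive first.
SLOW_RULES = [
    [("Gender", "M"), ("Location", "X"), ("Department", 5)],
    [("Gender", "F"), ("Location", "X"), ("Department", 5)],
]
FAST_RULES = [most_restrictive_first(r) for r in SLOW_RULES]

if __name__ == "__main__":
    print("gender first:    ", total_checks(SLOW_RULES, PEOPLE))
    print("department first:", total_checks(FAST_RULES, PEOPLE))
```

Both orderings produce the same group matches; only the number of condition checks changes.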

Wednesday, August 29, 2007

This Blog

As we work to implement the Oracle Identity Manager product to handle our account provisioning and security, I have learned and continue to learn a great deal about this somewhat poorly documented but very powerful tool. This blog will be my attempt to provide some of the insights and knowledge I have learned to help others better understand and implement this system.