I’ve been creating lots of Sets lately. Lots and lots. I created over 400 of them and there are around 40k objects in the system.
At TEC I found out that no one else seems to have created quite so many Sets so here are my observations.
The FIMService database grew 10-20%
I wish I could give a more accurate figure but I wasn’t looking out for a big growth in the DB. I noticed it had jumped in size the next time I replicated the DB to my test server and there hadn’t been any other big increase in object numbers.
The FIM MA really slowed down
I was doing around 3500 exports through the FIM MA per hour. Everyone knows the FIM MA is not the fastest, but it slowed down so much it started running into the next hour’s sync cycle.
Discussing this with David Lundell made me understand that each change to an object in the FIM Portal causes a re-evaluation of all possible Sets to see if it has now fallen into the scope of any of them. No wonder it slowed down!
As it happens the vast majority of those hourly changes were “Last Contact Time” attributes, which it has now been agreed only need updating daily. So I’m back to a low number of hourly exports and the problem, while not solved, is at least side-stepped.
But there are advantages
The reasons I have all these Sets are as follows:
- I want to be able to delegate very specifically which Administrators can modify which Users, and
- I want to target my MPRs to exact scenarios.
So for example I end up with a lot of Sets named things like “Paris BPOS Active with forwarding address”.
And in fact this part of it is working great. IT Admins only have access to change things under the right circumstances, for the right users, and triggering the right Workflows.
Why don’t you use “Relative to Resource”
At TEC I was asked why I didn’t cut down the number of Sets by using “Relative to Resource”. While I’d still need “BPOS Active with forwarding address” perhaps this would reduce the need to have a seperate version of the Set for each delegation zone.
Unfortunately I don’t see how it would be possible. Users may be administered by multiple IT admins – including their own local support person/team, a backup support person/team from another site, and then the global administrators. All these possible people would have to be stamped on each user object and then kept up to date somehow. I honestly think that would be much harder to work with than using Sets, and would probably lead to performance problems of its own.
And how do I keep all these Sets up to date?
See my earlier post: A script to create Sets and MPRs from Templates.