SailPoint IdentityIQ: Aggregation Using Multi Threading and Target Resource Mapping

Aggregation Using Multi Threading:

Introduction:

SailPoint IdentityIQ supports partitioning of various jobs so that data processing can not only be split across multiple hosts but also across multiple threads per host. The overall goal with partitioning is to increase processing throughput and speed. Specifically, partitioning is supported for account aggregation tasks, for identity refresh tasks, for generation of manager certifications, and for role propagation. This blog describes the steps required to configure partitioning for account aggregation tasks and Target resource mapping.

In the following presentation, I will be providing a brief introduction to IdentityIQ Aggregation Using Multi Threading and target resource mapping.

Partitioning Settings:

The Server, ServiceDefinition, and RequestDefinition objects defined for the installation specify important parameters that affect partitioning.

Server Object:

SailPoint IdentityIQ automatically creates a Server object for each host which connects to an IdentityIQ database. A maxRequestThreads value can be specified in the Server object’s attributes map to designate the maximum number of threads which can be used for request processing on this host at one time.

If your installation uses maxRequestThreads settings per Server object, the recommendation is to set the maxRequestThreads value to two times the number of CPUs on the server (e.g. 4 CPUs means a value of 8).

Service Definition Object:

By default, each IdentityIQ host in an installation serves in the UI, task, and request roles simultaneously: the hosts attribute is set to global for the Task and Request ServiceDefinition objects, meaning all connected IdentityIQ hosts function as Request and Task hosts. When the hosts attribute instead holds a comma-separated list of host names, each name must be the same value returned by the hostname command when it is run on that application server host.

RequestDefinition Object:

RequestDefinition objects govern how IdentityIQ handles items added to the Request queue for processing. Each RequestDefinition object specifies the maximum number of threads per server to use for its request type through its maxThreads attribute. The maxThreads value on each of these RequestDefinition objects governs the number of threads that IdentityIQ will attempt to use on each request server to run each task of the specified type.

The recommended best practice is to specify a value for maxThreads in the range of 1-2 times the number of CPUs for all RequestDefinition objects mentioned here. It is strongly recommended that all request/task servers in an IdentityIQ installation have the same number of CPUs, available memory, and allocated disk space.
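The sizing guidance for the Server, ServiceDefinition, and RequestDefinition objects can be checked against an export of those objects. The script below is an added example, not code from this post or from SailPoint; the XML layout, the object and host names, and the assumption that each Server object is named after its host are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; the XML layout and all names are assumptions.
SAMPLE_EXPORT = """
<sailpoint>
  <Server name="iiq-app01">
    <Attributes><Map><entry key="maxRequestThreads" value="8"/></Map></Attributes>
  </Server>
  <Server name="iiq-app02">
    <Attributes><Map><entry key="maxRequestThreads" value="32"/></Map></Attributes>
  </Server>
  <ServiceDefinition name="Request" hosts="iiq-app01,iiq-app2"/>
  <ServiceDefinition name="Task" hosts="global"/>
  <RequestDefinition name="Example Partition Request">
    <Attributes><Map><entry key="maxThreads" value="12"/></Map></Attributes>
  </RequestDefinition>
</sailpoint>
"""

def _attr(obj, key):
    """Return an integer entry from the object's attributes map, or None."""
    for entry in obj.iter("entry"):
        if entry.get("key") == key:
            return int(entry.get("value"))
    return None

def audit_partitioning(xml_text, cpus_per_host):
    """Compare an export with the sizing guidance; return a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    servers = {s.get("name") for s in root.iter("Server")}
    for srv in root.iter("Server"):  # maxRequestThreads should be 2 x CPUs
        value = _attr(srv, "maxRequestThreads")
        if value is not None and value != 2 * cpus_per_host:
            findings.append(f"Server {srv.get('name')}: maxRequestThreads={value}, expected {2 * cpus_per_host}")
    for svc in root.iter("ServiceDefinition"):  # listed hosts must be real hosts
        hosts = svc.get("hosts", "global")
        names = [] if hosts == "global" else [h.strip() for h in hosts.split(",")]
        for host in names:
            if host not in servers:
                findings.append(f"ServiceDefinition {svc.get('name')}: host '{host}' matches no Server object")
    for req in root.iter("RequestDefinition"):  # maxThreads should be 1-2 x CPUs
        value = _attr(req, "maxThreads")
        if value is not None and not cpus_per_host <= value <= 2 * cpus_per_host:
            findings.append(f"RequestDefinition {req.get('name')}: maxThreads={value}, outside {cpus_per_host}-{2 * cpus_per_host}")
    return findings

if __name__ == "__main__":
    for line in audit_partitioning(SAMPLE_EXPORT, cpus_per_host=4):
        print(line)
```

A mistyped host name in the hosts list is worth catching early, because that host silently never picks up request or task work.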

Aggregation Task Configuration:

Activating partitioning on an aggregation task is simple once other partitioning settings are configured. It only requires selecting the Enable Partitioning option in the task definition user interface page. This must be enabled for each aggregation task which will use partitioning, as this setting is disabled by default. There is a second configuration option for TaskDefinitions that is applicable in some situations: objects per partition. This option sets the maximum number of records to include in each partition. IdentityIQ will then divide the accounts from the data source into as many partitions as required.

Target Resource Mapping:

In SailPoint IdentityIQ, target resource mapping is used to reflect changes from the source application in the target application.

Source and Target Mapping Configuration:

Source mappings are used for the attributes coming in from the target to IIQ. For example, you may define a source mapping for the status attribute as “employeeStatus”. This attribute can then be used by SailPoint for all internal processing.

Target mappings are used for provisioning the updated values of attributes from IIQ to the target. Assume you have defined the source mapping “employeeStatus” coming from the HR application: if you wish to populate this value to AD, the target mappings can be utilized.

Refresh Identity Cube Task Configuration:

The Refresh Identity Cube task has a field named Synchronize attribute.

When that field is checked, the identity mapping targets will be provisioned if there are any changes in the source application.

In the following video, I will be providing a detailed demo on IdentityIQ Aggregation Using Multi Threading.