- Introduction
- Central servers
- Agent servers
- Cloud endpoint agents
- SharePoint on-premise agents
- Database server
- Basic sizing examples
- Non-production
- Single data center
- Multiple data centers
Introduction
Every organization deploying File Access Manager (formerly known as SecurityIQ) has unique requirements and business needs, thus computing demands vary from deployment to deployment. To assist with planning, SailPoint has created sizing and performance recommendations based on real-world deployments. Because of File Access Manager's architecture, scaling the system vertically (all components) or horizontally (some components) is supported. Additional servers, processors, and/or memory can be added at any time with little or no change required to the File Access Manager configuration.
File Access Manager services are classified into “server” and “agent” categories.
The server service classifications include (also know as "central servers"):
- Event handling
- User interface
- Compliance
- General services
The agent categories vary per application but generally include:
- Permission collection (known as "Entitlement Collector" pre-5.0)
- Activity monitoring
- Data classification
In addition to the above, there is the database (persistence) layer running SQL Server.
Central servers
The central servers contain about a dozen services that provide a shared infrastructure for File Access Manager, such as configuration management and job scheduling. Most of these services are single instance, no matter how many applications are targeted by File Access Manager.
For example, the Agent Configuration Manager is a singleton, central service. No matter how large or small a File Access Manager deployment is, it will only have one Agent Configuration Manager service.
As of 5.1 and later, the following File Access Manager services may be considered as singletons (one per File Access Manager installation):
- Agent Configuration Manager
- Business Asset Control
- Collector Synchronizer
- Crowd Analyzer
- Reporting Service
- Scheduled Task Handler
- Workflow
- User Interface
As of 5.1, the following File Access Manager services may be highly-available with advanced configuration work:
- Business Website
- Elasticsearch
Agent servers
Agent servers collect permissions, monitor events and build data classification indexes for targeted applications. One agent server is needed in each data center that has an application that will be targeted by these functions.
For example, if File Access Manager will collect permissions from a file server in the main data center, an agent server is required in the main data center. To continue the example, if File Access Manager will also collect permissions from a file server in remote data center, an agent server will be deployed in that datacenter as well, for a total of two agent servers.
Cloud endpoint agents
Cloud endpoint agents represent collection and monitoring for cloud endpoints, and they differ from on-premise agents; one cloud agent server could monitor all the cloud endpoints (SharePoint Online, Exchange Online, OneDrive, Box) or each endpoint could have its own agent server, depending on load. They can be shared for all cloud endpoints in the install or can be dedicated (which requires more agent servers for monitoring/collection). These agent servers can reside in any data center that can communicate with the File Access Manager database, with the preference to have them as close to the File Access Manager database as possible.
SharePoint on-premise agents
Also, be aware that SharePoint (on-premise) agents for permissions collection & activity monitoring are installed directly on a SharePoint farm server. The current recommendation is to use a separate farm server to host such components.
As an example, the SharePoint 2013 requirement guide is here (may or may not apply to your version). This would show 4 CPUs, 12 GB RAM, and 80 GB storage for a server added to a three-tier setup. When File Access Manager's agent is factored in, we should increase the RAM to a total of 16 GB (again as a generic example).
Database server
The SQL Server database is a critical piece of the overall File Access Manager server infrastructure. To ensure optimal performance of the File Access Manager system, SailPoint recommends a dedicated SQL Server instance.
Basic sizing examples
The servers mentioned herein are considered for production use. Down-level environments for development or testing can mirror or (more likely) decrease requirements substantially. For example, production may have five servers for core services plus a database server, but a development environment might have one core server and one database server.
The Professional Services team recommends at least a single down-level environment to support upgrade and feature testing out-of-band from production systems.
Note the examples provided herein are for modest systems hosting perhaps about 5,000 identities or less, and less than 15 application endpoints.
If you are not planning for Data Classification, then you can simply omit those servers & services from your builds.
For more advanced installations, a SailPoint Professional Services team member (or partner) can provide more explicit guidance.
Non-production
Simple two-system installation for a development environment. The most common issue with setting up a non-production environment is making sure there are corresponding non-production systems for the connectors to use.
| Server Services | CPU | RAM (GB) |
Storage (GB) |
Notes |
|---|---|---|---|---|
|
UI & misc. services Elasticsearch Event Handler Permission Collector Activity Monitor Data Classificatio4 |
4 | 8 | 40 | e.g. run all File Access Managerservices on a single host |
| SQL Server | 4 | 8 | 100+ |
Single data center
This example would be for a single data center hosting all File Access Manager servers.
| Server Services | CPU | RAM (GB) |
Storage (GB) |
Notes |
|---|---|---|---|---|
| UI & misc. services | 8 | 8 | 20 | |
| Elasticsearch | 8 | 12 | 250+ | Elasticsearch uses 0.5 KB to store each event. Thus, storing 1 million events is about 0.5 GB. Each event is stored in SQL Server as well as Elasticsearch. May also be referred to as indexing server. |
| Event Handler | 8 | 8 | 20 | |
| Permission Collector / Activity Monitor | 8 | 12 | 40 | |
| Data Classification | 8 | 12 | 250+ | Lucene lite index option is recommended for most installations. A general estimate of 70% of total file-share data is used for classification indexing since only document/text files are indexed. |
| SQL Server | 8 | 16 | 500+ |
Multiple data centers
The above single data center example can be expanded upon by adding agent servers in the remote data center.
This table assumes you have the "single data center" example from above and you would just add Data Classification and AM/PC agents to the remote data center.
| Server Services | CPU | RAM (GB) | Storage (GB) | Notes |
|---|---|---|---|---|
| Permission Collector/Activity Monitor | 8 | 12 | 40 | |
| Data Classification | 8 | 12 | 250+ | Lucene lite index option is recommended for most installations. A general estimate of 70% of total file-share data is used for classification indexing since only document/text files are indexed. |
Though a rare occurrence, an additional Event Handler server might be needed if the connector(s) in a remote data center generate a large number of events and you want to discard most of them. An Event Handler in the remote data center can drop events so that they are never sent over the WAN back to the main site.
