|
Topic:
|
Recommendation:
|
Content to Review:
|
|
Performance management for IdentityIQ
|
Please review SailPoint’s Performance Management Guide for IdentityIQ
|
Performance management guide for IdentityIQ
|
|
Hardware sizing
|
Use correct SailPoint Hardware sizing
|
IdentityIQ hardware sizing guide
|
|
Database performance
|
Review database performance
|
IdentityIQ database performance tests
How to interpret IIQ DB performance status
TempDB storage issues and performance related topics in the IdentityIQ environment.
|
|
Use latest JDBC drivers
|
Ensure latest JDBC drivers are being used. This has been a common culprit with performance
|
JDBC driver and IdentityIQ
Where to find JDBC config settings
|
|
Pruning identity cubes
|
Build appropriate database maintenance tasks to prune or archive data per best practices and company policy. Review Data Pruning related documentation that outlines the impact and recommendations concerning data pruning within IIQ. It is imperative to system performance over time that data is actively pruned and maintained
|
Pruning identity cubes
Perform maintenance (housekeeper) task explained
|
|
Task/request server configuration
Background processing in IIQ
|
Verify the correct Task/Request Server Configuration
The Request Processor and Task Scheduler hosts should be on the same back end server(s). With the introduction of partitioning, the Request Processor is now equivalent to a backend processing server and should be set accordingly in the ServiceDefinition objects.
|
Background processing in IdentityIQ: The TaskScheduler & RequestScheduler
|
|
JVM configuration
|
JVM configurations for IdentityIQ can be tuned for better performance.
|
Java JVM memory tuning guide for IdentityIQ
|
|
Identity refresh
|
Do identity refreshes take too long? Consider splitting the identity refresh task. The Identity Refresh tasks could be broken out into separate function-focused sub refreshes to handle specific actions. This type of configuration is a best practice. Separate refresh tasks could be configured to process identity events (triggers), policies and attribute promotion. The identity refresh tasks will undoubtedly run much more quickly when the number of identities are pruned appropriately. However, should performance be an issue going forward, partitioning could be leveraged.
|
Configuring delta identity refresh in IdentityIQ
Partitioning best practices
|
|
Logging and auditing
Keep “tracing” off in all workflows in production
|
Clean up SysLog Entries. The SysLog typically records exceptions in the system. The exceptions often involve issues with misconfigurations, rules and other custom code. The system should only generate syslog entries when there is truly an issue with the software. Enabling this option will lead to the discovery of errors.
As a rule, there should be minimal logging in production; workflow tracing conflict with that standard. Ensure that this flag is set to false in the Production deployment.
|
Logging and auditing
Logging best practices
|
|
Use partitioning in aggregation and refresh tasks where possible and advantageous
|
Partitioning the aggregation and identity refresh tasks allows multiple threads and servers to process the incoming data. Only certain applications support partitioning, so this can be implemented for Active Directory and the delimited file applications.
|
Partitioning best practices
|
|
Service accounts
|
Follow service account best practices.
1. Service accounts should not be directly correlated to human identity cubes
2. Personal accounts should not be utilized as service accounts
Account data should be analyzed and reworked to differentiate between personal and service accounts. Refer to the Compass article for service account best practices.
|
Service accounts best practices
Best practices to manage services accounts in IdentityIQ – Crash course video
|
|
Connecting to apps from a hosted IdentityIQ installation
|
Please make sure you consult SailPoint if you have plans connecting to applications from a Hosted IdentityIQ Installation
|
Servers hosted on cloud platforms (AWS, Azure, etc.)
|
|
Logical applications
|
Logical applications can have performance problems when you configure too many of them. Please make sure you consult SailPoint regarding your logical app requirements.
|
Limitation on number of logical applications
Logical apps vs. roles
|
|
Connectors
|
Review connector troubleshooting tips
|
Troubleshooting guide for connectors
|
|
SSB
|
SailPoint SSB (Service Standard Build) Build Process should be followed
|
Services standard build
|
|
Identity CheckUp (Billable)
|
If you do not have resources on your team with the necessary SailPoint skills sets to take action on the above recommendations you should consider purchasing an Identity CheckUP
If you have already taken action on the above recommendations and are still observing performance issues, you should also consider purchasing an Identity CheckUP
|
SailPoint IdentityIQ CheckUP
|
