Bottlenecks on IDN Workflow Performance (Speed of Executing Steps)

AlexFKing · January 24, 2024, 7:59pm

Hi SailPoint Community!

My client is implementing some basic Leaver workflows to disable accounts and remove entitlements when a user becomes inactive. One concern which has been raised, is around the general speed at which a launched workflow instance proceeds through its constituent steps.

The workflow includes some conditional logic (Compare Strings), a couple calls to Get Access, Get Identity, Send Notifications, two HTTP Request calls making an internal API call, and ultimately a loop which Removes Entitlement for each AD group.

While I can understand that the loop could take a few minutes as it makes an individual API call for each entitlement, it sometimes takes a few minutes even to get through the disabling of the accounts and sending a notification (which happens before entitlements are removed).

1. What specifically accounts for the difference in time this takes in IDN vis a vis IIQ (where this would happen almost instantly)? E.g., is it the authorization of the API calls, or the way that workflow threads/actions are queued, what are the bottlenecks? I understand the high-level answer is “it’s in the cloud” but anything more specific would be useful to myself and my client.

2. Even if each workflow thread is “slow” in this sense, can we expect that they would not become slower when and if many instances are running in parallel? If it takes 5-10 minutes for a simple workflow to run, that’s not ideal, but it’s probably fine as long as that scales so that it still only takes 5-10 minutes per workflow when a bunch of those workflows are running at once.

Also curious if our experience is consistent with, or different from, other customers implementing workflows. Thank you!

Alex King

Carlatto · January 31, 2024, 12:29am

When are you seeing the slowness? When I test Workflows it will often seem slow, especially when running in Sandbox. When I look at the logs of enabled workflows, I don’t see any slowness.

pdgarvey · January 31, 2024, 8:28pm

Hi Carl - thanks for the reply.

I’m from the client in this case, thought I’d chime in with detail.

Here’s an example workflow log from our production tenant. It’s the ‘leaver’ workflow Alex describes above. The total execution time to disable two source accounts, notify, and remove entitlements is about 5 minutes. Which seems like a long time.

It looks like the Manage Accounts tasks that disable the AD and Sailpoint accounts are the culprit - they each show about 2 minutes of execution time.

|timestamp|Action|
|2024-01-22T19:25:55.135331934Z|trigger|
|2024-01-22T19:25:55.260179349Z|compare strings|
|2024-01-22T19:25:55.297808404Z||
|2024-01-22T19:25:55.325253639Z||
|2024-01-22T19:25:55.394485851Z|get identity|
|2024-01-22T19:25:55.431115087Z||
|2024-01-22T19:25:55.702515581Z||
|2024-01-22T19:25:55.843161926Z|HTTP Request: v3 accounts API - get AD acct|
|2024-01-22T19:25:55.893072486Z||
**|2024-01-22T19:25:56.459704604Z||ManageAccounts: disable AD account|**
|2024-01-22T19:25:56.574571694Z||
|2024-01-22T19:27:57.760614609Z||
|2024-01-22T19:27:57.819354116Z|HTTP Request: v3 accounts API - get SP account|
|2024-01-22T19:27:57.846507716Z||
|2024-01-22T19:27:58.245326201Z||
**|2024-01-22T19:27:58.325338476Z|Manage Accounts: disableSailpoint account|**
|2024-01-22T19:27:58.357058566Z||
|2024-01-22T19:29:59.440755305Z||
|2024-01-22T19:29:59.667231262Z|Get Access: get the identity's entitlements|
|2024-01-22T19:29:59.707732713Z||
|2024-01-22T19:29:59.948211615Z||
|2024-01-22T19:30:00.211184183Z|send email|
|2024-01-22T19:30:00.372827201Z||
|2024-01-22T19:30:00.824560172Z||
|2024-01-22T19:30:01.030851183Z|loop over entitlements list|
|2024-01-22T19:30:01.244650877Z||
|2024-01-22T19:30:01.343025814Z||
|2024-01-22T19:30:02.548413788Z|remove AD group|
|2024-01-22T19:30:02.548459449Z|remove AD group|
|2024-01-22T19:30:02.548491719Z|remove AD group|
|2024-01-22T19:30:02.54853621Z|remove AD group|
|2024-01-22T19:30:02.54856875Z|remove AD group|
|2024-01-22T19:30:02.548588531Z|remove AD group|
|2024-01-22T19:30:02.548611821Z|remove AD group|
|2024-01-22T19:30:02.548631391Z|remove AD group|
|2024-01-22T19:30:02.548650972Z|remove AD group|
|2024-01-22T19:30:02.548668922Z|remove AD group|
|2024-01-22T19:30:03.249865684Z||
|2024-01-22T19:30:03.904729721Z||
|2024-01-22T19:30:04.495261429Z||
|2024-01-22T19:30:04.943421198Z||
|2024-01-22T19:30:05.685659978Z||
|2024-01-22T19:30:06.240849956Z||
|2024-01-22T19:30:06.841928698Z||
|2024-01-22T19:30:07.474005009Z||
|2024-01-22T19:30:07.685622209Z||
|2024-01-22T19:30:07.984914884Z||
|2024-01-22T19:30:08.134513194Z|end|

system · March 31, 2024, 8:29pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Intermittent slow provisioning during API calls IIQ Discussion and Questions workflows , apis , identityiq , provisioning	13	151	September 8, 2024
Workflow Slowness IIQ Discussion and Questions workflows , identityiq	7	442	November 21, 2023
Workflow Internal Timeouts ISC Discussion and Questions workflows , identity-security-cloud	4	768	July 19, 2023
Removal of Entitlements added via API ISC Discussion and Questions apis , identity-security-cloud , entitlements	2	632	December 17, 2023
Workflow stuck in Wait action ISC Discussion and Questions workflows , identity-security-cloud	5	681	October 23, 2023

Bottlenecks on IDN Workflow Performance (Speed of Executing Steps)

Related topics