Bulk Active Directory User Access Provisioning using Roles

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

Questions:

  1. When an IdentityIQ Business and IT role is created with a filter based on specific identity attribute values to capture a specific population of users to provision access to (an Active Directory group), are there any issues with IdentityIQ provisioning this access in bulk amounts (adding 5000 users to an AD group at one time, directory performance issues, etc.)?
  2. Is IdentityIQ using an asynchronous process where it is sending multiple requests to Active Directory at the same time, or is it performing these bulk requests using a synchronous approach where it is sending them one by one?

In IdentityIQ, provisioning plans created during Identity Refresh or bulk provisioning are handled sequentially by the Active Directory connector. Large jobs are broken into smaller tasks, which are also processed step by step. Depending on configuration, multiple tasks can run in parallel, but each individual task is executed in sequence.

Also, it would depend on whether you are using partitioning and multiple task servers to process your requests.

The task you are describing is done by the “Refresh Identity Cube” task when you select 2 options: “Refresh assigned, detected roles and promote additional entitlements” and “Provision assignments” (the latter one actually does the provisioning). And by default it processes identities one by one.

Depending on your setting of “Number of Refresh Threads” or “Enable partitioning” with “Number of partitions”, this refresh can be parallelized, hence IIQ will be doing a lot more provisioning at the same time.

You need to adjust the speed depending on what the AD can handle.

Start from small numbers and increase with the next try, and consult with AD administrators if they see any overload.

Keep in mind that the Refresh task will be doing provisioning for ALL your applications, not just AD, so it may complicate this.