Understanding Deferred Evaluation of Criteria-based Groups

Microsoft® Forefront® Identity Manager (FIM) 2010 R2 (FIM 2010 R2) enables you to manage criteria-based groups from a central point. Deploying a large number of criteria-based groups can result in performance issues.

The objective of this document is to explain how you can use a feature called deferred evaluation to address this issue.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010 TechNet Forum.

What is Deferred Evaluation

With criteria-based membership, FIM 2010 has introduced a feature to automatically calculate the members of a group based on one or more conditions. Because this method eliminates the need to manually update the membership information of the affected groups, it represents a convenient way to keep the group membership in your environment automatically up to date.

Using a criteria-based mechanism to calculate group membership has an impact on your system’s resources.

When your FIM service updates an attribute of a resource, it also needs to determine whether this update has an impact on the resource’s membership in the criteria-based groups you have deployed.

This means that a processed attribute update might require a resource to be added to or removed from a criteria-based group. Determining the impact of an attribute update on a resource’s membership in your criteria-based groups requires additional processing cycles. The higher the number of criteria-based groups deployed in your environment, the greater the number of additional processing cycles your FIM service has to perform in response to a processed request to update an attribute of a resource.

If you experience performance issues related to the responsiveness of your FIM service to issued requests, or to the amount of time it takes to successfully complete an export from the FIM synchronization service to the FIM service, these issues might be caused by the number of criteria-based groups you have deployed in your environment.

Deferred evaluation of group membership is a feature introduced in FIM R2 SP1, which enables you to address performance issues that are related to a large number of deployed criteria-based groups.

As indicated by the name, deferred evaluation postpones the evaluation of requests related to group membership for a criteria-based group. Postponing these requests can help to load balance how requests are processed in your environment.

How Deferred Evaluation Works

If you have criteria-based groups deployed in your environment, a processed request to update an attribute of a resource can also have an impact on the resource’s group membership. This is the case when the updated attribute is part of the filter definition in a criteria-based group. This means that when a request to update an attribute of a resource is processed, FIM also needs to determine whether the affected resource needs to be

  • removed from criteria-based groups it is a member of

  • added to criteria-based groups it is not yet a member of

The process of adding or removing a resource from a criteria-based group is also known as group membership transition. A single request to update an attribute of a resource can result in a collection of group membership transitions the FIM service needs to process. The amount of time it takes to calculate these group transitions is proportional to the number of criteria-based groups that have the updated attribute as part of their filter definitions.

These transitions are calculated in real time.

By enabling deferred evaluation, the calculation of group membership transitions changes from real time to schedule based. The following screenshot shows an example of the related configuration setting in the FIM user interface.

[Screenshot: Deferred Evaluation]

When you select Deferred Evaluation for a criteria-based group, the group membership of criteria-based groups is by default calculated twice a day, at 2:30 AM and 2:30 PM.

For a criteria-based group with deferred evaluation, FIM determines the required updates by retrieving the list of group members and comparing it with the current membership.

Configuring deferred evaluation for group membership not only postpones processing of the requests that are related to group membership transitions, but also improves the performance of your system by bulk updating the membership in more than one group. This means that a request that was created by the deferred evaluation of group membership feature can contain membership changes for multiple groups.
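The following Python model of one scheduled pass is an added illustration, not FIM code: it recomputes each group’s filter, compares the result with the stored membership, bundles the transitions for all groups into one request, and shows how long a removal can stay pending under the default schedule. All group, attribute, and function names are hypothetical, and treating "retrieving the list of group members" as re-running the filter is an assumption.

```python
from datetime import datetime, time, timedelta

# Default schedule stated on this page: 2:30 AM and 2:30 PM.
SCHEDULE = (time(2, 30), time(14, 30))

def next_run(changed_at):
    """Return the first scheduled evaluation strictly after changed_at."""
    for day in (changed_at.date(), changed_at.date() + timedelta(days=1)):
        for slot in SCHEDULE:
            run = datetime.combine(day, slot)
            if run > changed_at:
                return run

def deferred_pass(resources, groups, membership):
    """One scheduled pass: recompute each filter, diff against stored members.

    Returns a single bulk request holding the transitions for every group
    that changed, and applies those transitions to `membership`.
    """
    request = {}
    for name, criteria in groups.items():
        computed = {rid for rid, attrs in resources.items() if criteria(attrs)}
        stored = membership[name]
        adds, removes = computed - stored, stored - computed
        if adds or removes:
            request[name] = {"add": sorted(adds), "remove": sorted(removes)}
            membership[name] = computed
    return request

# Constructed sample data (hypothetical names, not from a real deployment).
resources = {
    "alice": {"department": "Finance", "employeeType": "Employee"},
    "bob": {"department": "Sales", "employeeType": "Contractor"},
}
groups = {
    "Finance-Users": lambda a: a["department"] == "Finance",
    "All-Employees": lambda a: a["employeeType"] == "Employee",
}
membership = {"Finance-Users": {"alice"}, "All-Employees": {"alice"}}

def demo():
    # alice leaves Finance at 3:00 PM; bob is converted to an employee.
    changed_at = datetime(2024, 1, 10, 15, 0)
    resources["alice"]["department"] = "Sales"
    resources["bob"]["employeeType"] = "Employee"
    stale_before = "alice" in membership["Finance-Users"]  # still a member
    run = next_run(changed_at)
    request = deferred_pass(resources, groups, membership)
    return stale_before, run - changed_at, request
```

In this model, a change made just after a scheduled run leaves the old membership, and any access granted through it, in place for almost 12 hours.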

In addition to manually configuring groups for deferred group membership evaluation, you can also configure your environment to automatically create new criteria-based groups as deferred. The following screenshot shows an example of this.

[Screenshot: Deferred By Default]

Limitations of Deferred Evaluation Summary

Deferred evaluation of criteria-based groups is a method to mitigate a specific deployment issue that is related to criteria-based groups. While this feature enables you to significantly increase the number of criteria-based groups you can deploy in your environment, group membership is not calculated in real time for groups that have this feature enabled.

This feature has the following limitations:

  • It is not supported for temporal groups.

  • Criteria-based groups that have this feature enabled cannot nest other groups.

Note

If your environment is configured to enable deferred evaluation for newly created criteria-based groups by default and a newly created group does not satisfy the basic requirements for enabling this feature, the feature is not enabled. In this case, FIM calculates the member attribute in real time.

Deployment Recommendations for Deferred Evaluation

Deferred evaluation of group membership is a feature you can enable to address performance issues that are caused by the deployment of a large number of criteria-based groups.

For example, if you have more than one thousand criteria-based groups deployed and the response time of your FIM portal to object change requests is unacceptable or exports from the FIM synchronization service to FIM appear to be extremely slow, you should evaluate whether this feature can help to address the issue.

Enabling this feature postpones the calculation of the group membership, which affects how current the member attribute is. While postponing the membership calculation might not be acceptable for all deployed criteria-based groups, you should analyze whether enabling this feature for only a subset can help to address your performance issues. There is no need to enable this feature if your environment is not affected by performance issues that are caused by the deployment of a large number of criteria-based groups.