Heiko Bllr
Tera Guru

In one of my recent projects we were implementing a custom solution which was based on Customer Service Management. We didn't use much of the underlying business logic and capabilities of CSM, but we were building our access logic on top of the two core tables customer_contact and customer_account and made use of some of the OOTB roles to speed up implementation time and remain flexible for future requirements.

 

User Access provisioning was either done manually (with a simple catalog item on the Service Portal) or automatically, depending on the Persona. At the time of writing this article we have 9 different personas.

 

The largest Persona groups were maintained automatically through a data import from a custom Identity and Access Management API my client provided. The picture below shows the number of users:

 

[Image: number of users per Persona group]

 

As you can see I have 3 large groups (259073 users, 121432 users, 29862 users).

We have a daily delta import running for the users, which takes 1 to 2 minutes, give or take. The weekly full load takes about 13 hours (350k records x2 transforms) in total.

Weeks after Go Live I was asked by the COE to get rid of those large groups because they would degrade platform performance. I know there is a lot of logic built around groups in the platform and we should use them with caution (for example, we should never use such large groups in a catalog item variable etc.), and nested groups are not advised either.

Honestly, I was a bit puzzled, and I really have no better way or idea of provisioning access to those users. Each group just contains one single role, which then contains all the necessary roles needed for that Persona.

For the sake of fulfilling the demand, I now have to change the transform scripts so that a group is not required for those large Persona groups - an exercise which, IMHO, will not help much with overall performance. Unless I figure out a way to make the whole script more efficient.

And, unfortunately, the user access provisioning approach will not be consistent any longer for the platform.

Are there any better ways of doing it?

 

I double-checked with the documentation "Exploring user administration", and there it is recommended to make use of groups, nothing else.

 

Please let me know if this was helpful for you by clicking below. And feel free to start an open discussion, I really would like to hear your opinion and creative ideas about this topic.