Best Practice
ForgeRock Identity Platform
Does not apply to Identity Cloud

Best practice for managing groups in DS (All versions)

Last updated Apr 8, 2021

The purpose of this article is to provide best practice advice on managing groups in DS.

Overview

DS utilizes three different types of groups to help manage data:

  • Static Groups: these groups have a list of members.
  • Dynamic Groups: these groups look up membership based on an LDAP filter.
  • Virtual Static Groups: these groups use dynamic group style definition but allow applications to list group members as if they were static.

See Configuration Guide › Groups for more detail on how to create/manage each type of group.

Managing groups

When deciding how to architect groups for your organization, it is important to note there are some performance implications with:

  • Large numbers of groups.
  • Large numbers of entries in a static group.

Large numbers of groups

When you do a search that returns the isMemberOf attribute, it has to scan every group. If you have 10,000+ groups, this can be quite an expensive operation. 

Note

Using isMemberOf as a search filter will not have this performance impact as it is searching the group you specify for members.

Large numbers of entries in a static group

When you do a replace modification on a static group, it has to read/edit all members. if you have 30,000 + members in a static group, this can be quite an expensive operation.

Mitigation

You can use the following methods to mitigate these performance impacts: 

  • Use indexed searches for (member=...). Indexes are very efficient, although this will not find members of nested groups.
  • Implement entry caches for large static groups; this will put the entries into memory so read operations will be much quicker. See Maintenance Guide › Cache for Large Groups for further information. Caching small groups is a waste of memory as the memory devoted to the entry cache is not available for other purposes.
  • Consider using modify-add operations instead of modify-replace operations. See LDAP User Guide › Add Attributes for further information.

You should ensure you fully test performance using the addrate, authrate, modrate, searchrate tools described in the Maintenance Guide › Performance Tuning.

See Also

How do I know what index types are needed for search filters in DS (All versions)?

How do I troubleshoot issues with my indexes in DS (All versions)?

How do I tune DS (All versions) process sizes: JVM heap and database cache?

Performance tuning and monitoring ForgeRock products

Installing and Administering DS

Configuration Reference › Entry Cache

Related Training

N/A

Related Issue Tracker IDs

N/A

Copyright and TrademarksCopyright © 2021 ForgeRock, all rights reserved.
Loading...