From working some time on the IdM topics there are some basic activities that can help performance of the system if you are new to IdM.
The first good source of information is the ‘SAP Netweaver Identity Management Solution Operation Guide’ found at this link
Section 4.6 of this guide covers Analysing Statement Execution if you need to identify any long running SQL statements in the system. Via the IdM administration UI such statements can be traced based on a minimum runtime threshold as detailed below
For more detailed analysis of SQL statements see Per Krabsetsves’ excellent blog at this link
Section ‘5.6.7 Rebuilding database indexes’ advises
With heavy usage of the system, the database indexes will become fragmented, which may
For further information regarding fragmented indexes and rebuilding the indexes, please refer to
the documentation for you database system.
Most often if your system is suffering this issue you will see system wide performance issues. The UI, jobs and tasks will all perform more slowly than normal or the system could in most severe cases come to a standstill. Keeping the indexes refreshed is essential as much of the processing in the IdM application occurs at database level.
Performance Issues in the UI
If you have a reference attribute assigned to a UI tasks and this takes a long time to open then there maybe an issue in loading all the reference attributes. In the MMC there is the option ‘List Entries on Load’ which can speed up the loading of the UI task until the root cause of the performance issue can be determined. This checkbox when unchecked means all the attributes will not be loaded automatically in the UI rather the user must search them after the UI opens
Secondly complex access controls on UI tasks are a common cause of performance degredation in the UI. Check the SQL statement used in the access control and see if it can refined anyway to make it faster.
Using No Lock on queries MSSQL queries
If you need to read a large dataset from a MSSQL database then (nolock) hint should be used in the SQL statement e.g.
select * from idmv_link_ext with (nolock) where ……….
In addition remember that storing such data to the IdM database involves making numerous updates therefore if the read from the database takes X time it is not that the case that the update to IdM will also take the same time. The same stands for other databases.
Long running Jobs ‘Cookie Does not Match’
If a job runs for a long time it may abort with the error message “Cookie does not match” which means that the Identity Center
does not have this job in its list of active jobs. When the runtime starts running an action task, it will “check out” the job from the Identity Center.
While the job is running, the runtime will periodically signal the Identity Center that it’s still active and running. At this point the Identity Center can
return a status code to force the job to stop running. In this case the runtime will do a controlled exit. such an issue may arise for example where you are running an initial load from an ABAP system that has many abap roles and profiles. It can take some time to read all these into IdM and thi saction can timeout.
There are 2 timeouts for running jobs, The “Start timeout” and the “Idle timeout”. The values are configured in the MMC, on the
Identity Center node, in the “Options” panel:
The “Start timeout” is the maximum time allowed from the job starts running, until it has processed the first entry.
The “Idle timeout” is the maximum time allowed between each time the runtime signals the Identity Center that it’s still active and running.
Top try and resolve this the below settings should be considered
1. The Idle timeout has to be large enough to handle the maximum system load, when there can be a large number of queued jobs.
2. The Start timeout has to be larger then the time it takes to initialize the connector + the time it takes to process the first entry.
3. The Execution timeout has to be larger then the maximum time spent processing one entry.
These are just some small steps that can fix issues that cause severe impact on the running of the IdM application in your organization. I’d welcome any other hints other people have learned over the years of working with IdM 😉
Best of Luck