Improving Performance of User Management Components 

The following is a list of recommendations to help you improve the performance of your user management components. In each case, if the scenario described under Case x applies, you can perform the action described under What do I do? to improve the performance of the user management components.

 

Case 1: You wish to improve the performance of the role assignment tool. 

What do I do?: Make sure that the attribute displayname is maintained as an attribute of your user object in the corporate LDAP directory. If not, do one of the following:

·       Remove the attribute mapping for displayname. That is, delete the following lines from the repository_configuration_ldap.xml file:

<attribute>
    <logicalattributename>displayname</logicalattributename>
    <physicalattributename>displayname</physicalattributename>
</attribute>

If displayname is not part of the attribute mapping, the API concatenates the values of the attributes lastname and firstname and separates them with a comma. For example, if firstname is Robin and lastname is Hood, the displayname will be 'Hood, Robin'.

·       Alternatively, map the attribute displayname to an attribute used by the user object of your corporate LDAP directory.

For example, if the schema of your corporate LDAP directory contains an attribute called cn, you can map displayname to cn by changing the following lines in the repository_configuration_ldap.xml file:

<attribute>
    <logicalattributename>displayname</logicalattributename>
    <physicalattributename>cn</physicalattributename>
</attribute>

For more information on mapping attributes, see Mapping Attributes.

Where is performance improved?: Role assignment tool.

Why is performance improved?: The role assignment tool searches for users according to the attributes displayname and uid/sAMAccountName (unique user ID). If the attribute displayname does not have a value, part of the search is redundant as it searches for an attribute that does not exist or does not have a value.

 

Case 2: Your corporate LDAP directory is structured in a flat hierarchy (groups point to their members) and there is only one level of groups. No group is a super-group of another group. The following diagram illustrates this scenario:

What do I do?

      1.      In the Windows registry, select the key for the active user management configuration, and set the entry Enable Group Containment to False.

      2.      Add the following entry to the usermanagement.properties file:

nested_group = 0

Where is performance improved?: User logon

Why is performance improved?: When a user logs on to the portal, the portal finds all the groups of which he or she is a member. By default a recursive search searches for the super groups of the groups. If the corporate LDAP directory is structured so that there is only one level of groups (no group is a supergroup of another group), the recursive search is redundant. If the Enable Group Containment flag in the Windows registry is set to False, the portal will not perform the recursive search.
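Before the recursive search is switched off, it is worth confirming that the directory really has only one level of groups, because any membership inherited through a super group is no longer resolved at logon. The following check is an added example, not SAP code: it assumes the group-to-member mapping has already been exported from the directory into a dictionary, and the sample data and all function names are constructed for illustration.

```python
# Added example: the sample directory data below is constructed, not a real LDAP export.
from collections import defaultdict

def parent_groups(groups):
    """Invert {group: [members]} into {member: {groups that list it}}."""
    parents = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            parents[member].add(group)
    return parents

def nested_groups(groups):
    """Return the groups that appear as a member of another group."""
    return sorted({m for members in groups.values() for m in members if m in groups})

def effective_groups(user, groups, recursive):
    """Groups a user resolves to, with or without the super-group search."""
    parents = parent_groups(groups)
    found = set(parents.get(user, ()))
    if not recursive:
        return found
    todo = list(found)
    while todo:  # walk upwards; 'found' also protects against membership cycles
        for parent in parents.get(todo.pop(), ()):
            if parent not in found:
                found.add(parent)
                todo.append(parent)
    return found

def lost_memberships(groups, users):
    """Per user, the groups that disappear when the recursive search is disabled."""
    lost = {}
    for user in users:
        diff = effective_groups(user, groups, True) - effective_groups(user, groups, False)
        if diff:
            lost[user] = sorted(diff)
    return lost

# Constructed sample: 'hr' is a member of 'staff', so this directory is NOT flat.
SAMPLE = {"staff": ["hr", "uid=carol"], "hr": ["uid=alice"], "it": ["uid=bob"]}
USERS = ["uid=alice", "uid=bob", "uid=carol"]

if __name__ == "__main__":
    print("nested groups:", nested_groups(SAMPLE))
    print("lost if recursion is disabled:", lost_memberships(SAMPLE, USERS))
```

An empty result from both functions means the directory matches the scenario of Case 2; any entry in the second result is a user whose roles assigned through a super group would no longer apply.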

 

Case 3: Your corporate LDAP directory is structured in a flat hierarchy (groups point to their members) and most users are located in a flat list under the People branch as illustrated in the following diagram:

What do I do?: In the Windows registry, select the key for the active user management configuration, and set the entry Users in Flat List to True.

Where is performance improved?: User logon

Why is performance improved?: When a user logs on to the portal, the portal requires his or her distinguished name (for example, ‘o=mycompany, ou=people, uid=myID’) in order to search for the groups of which he or she is a member. If all the users are located directly under the People branch, the portal does not need to traverse the tree in the corporate directory to find the user’s distinguished name. If the flag Users in Flat List in the registry is set to True, the portal will first try to create the user’s distinguished name by concatenating the user ID (uid=myID) to the distinguished name of the people root (o=mycompany, ou=people). The portal traverses the tree in the corporate directory only if the concatenated name is not valid.

 

Case 4: You wish to increase the lifetime of the user and groups cache to improve performance.

What do I do?: In the Windows registry, select the key for the active user management configuration, and modify the entry Cache Expiration Time (Minutes) from a default value of 10 to a higher value for better performance. This defines the number of minutes that must pass before the cache containing user data expires.

You can also change the value of the entry Groups Cache Expiration Time (Minutes) in the Windows registry. This defines the number of minutes that must pass before the groups cache expires. However, as the default value is 720 minutes (12 hours) it is not really necessary to change this flag.

Where is performance improved?: User logon.

Why is performance improved?: Each time a user logs on to the Enterprise Portal, the portal determines his or her user and group data using LDAP queries. The hierarchy of groups and user data is cached for future use by the same user or by other users who share the same groups.

 

Case 5: You wish to cache user data for all users at logon.

What do I do?: Increase the user cache size according to the number of simultaneous users expected in the portal. In the usermanagement.properties file, add the following line (case-sensitive):

CacheSize = n

(where n is the number of users for which to enable simultaneous caching).

Where is performance improved?: User logon.

Why is performance improved?: Uncached users slow performance and even cause system failure.

 

Case 6: You use iPlanet directory server (Sun ONE Directory Server) as your corporate LDAP directory and are experiencing performance problems at logon.

What do I do?: See SAP Note 542632.

Where is performance improved?: User logon.

 

Case 7: You wish to modify the settings of the connection pools for the LDAP servers.

What do I do?:  See Settings for Connection Pooling.

Where is performance improved?: Requests to the LDAP directory servers

 

Case 8: You wish to improve performance by allowing certain branches of the portal virtual directory in the IIS to be accessed without authentication, for example, branches containing non-sensitive data such as graphics.

What do I do?: In the Windows registry, select the key for the active user management configuration, and change the entry Anonymous Access Path to a list of paths in the IIS separated by a semicolon (‘;’), for example "/SAPPortal/IE/Media;/SAPPortal/Netscape/Media". When URLs starting with these paths are requested, no authentication will be required. You should only enter paths to branches containing non-sensitive data such as graphics.

Where is performance improved?: Requests for URLs starting with the paths entered in the registry.
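Because every URL that starts with a listed path is served without authentication, the value of Anonymous Access Path deserves a review before it is written to the registry. The following audit is an added example, not SAP code: the minimum depth, the assumption of plain case-insensitive prefix matching, the constructed bad value and the hypothetical paths in MUST_AUTHENTICATE are all illustrative.

```python
# Added example; MIN_DEPTH, the matching rule and the sample values are assumptions.
MIN_DEPTH = 3  # assumed policy: an entry must be at least three segments deep

def audit_entry(raw):
    """Return the findings for one entry of the list (empty list = clean)."""
    path = raw.strip()
    if not path:
        return ["empty entry"]
    findings = []
    if raw != path:
        findings.append("surrounding whitespace")
    if not path.startswith("/"):
        findings.append("not an absolute path")
    segments = [s for s in path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        findings.append("contains dot segments")
    if len(segments) < MIN_DEPTH:
        findings.append("too broad (depth %d)" % len(segments))
    return findings

def audit(value):
    """Map each problematic entry of the semicolon-separated value to its findings."""
    report = {}
    for raw in value.split(";"):
        findings = audit_entry(raw)
        if findings:
            report[raw] = findings
    return report

def exposed(value, must_authenticate):
    """Paths from must_authenticate that a listed prefix would open up.
    Assumes plain, case-insensitive string-prefix matching."""
    prefixes = [p.strip().lower() for p in value.split(";") if p.strip()]
    return [u for u in must_authenticate
            if any(u.lower().startswith(p) for p in prefixes)]

PAGE_EXAMPLE = "/SAPPortal/IE/Media;/SAPPortal/Netscape/Media"  # value from the text
CONSTRUCTED_BAD = " /SAPPortal/IE/Media;/SAPPortal;;Media/img"  # constructed
MUST_AUTHENTICATE = ["/SAPPortal/admin/roles", "/SAPPortal/IE/Content/page"]  # hypothetical

if __name__ == "__main__":
    for value in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        print(repr(value), audit(value), exposed(value, MUST_AUTHENTICATE))
```

The value from the text passes cleanly, while the constructed value shows how a single short entry such as /SAPPortal would remove authentication from every path beneath it.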

 

The following table summarizes the Windows registry settings described in the above scenarios:

| Entry in Windows Registry | Default Value | Recommended Value |
|---|---|---|
| Enable Group Containment | True | False (if your corporate LDAP directory is structured in a flat hierarchy and there is only one level of groups). |
| Users in Flat List | - | True (if your corporate LDAP directory is structured in a flat hierarchy and most users are located in a flat list under the People branch) |
| Cache Expiration Time (Minutes) | 10 | >10 |
| Groups Cache Expiration Time (Minutes) | 720 | 720 |
| Anonymous Access Path | | Paths in the virtual directory of the portal in the IIS to which no authentication is required. |