HyperSync Panel is a high performance identity synchronization engine built on top of the Identity Panel application framework. It is configured through the Identity Panel settings interface.
HyperSync executes using a rule application feedback loop, operating in both state and event-based rule modes.
- Data is ingested into Identity Panel via configured connection providers. Any data collected into Time Traveler may be used for synchronization.
- Rules are applied across the join graph in Identity Panel, and any required changes are queued for action processing.
- Changes are written out on the Identity Panel workflow engine and executed by Panel Service(s) against target directories.
- Results are scanned back in, and the loop repeats.
The feedback loop approach to synchronization makes it possible to decouple the different phases. Users accustomed to MIM have experienced the performance challenges of separating the import, synchronize, and export phases of data processing. In HyperSync Panel, data collection (import), synchronization, and workflow execution (export) are expected to run continuously and in parallel, which means no single slow process can hamper the overall system performance.
HyperSync Graph
Rule application is performed efficiently by loading the entire join graph of either all objects, or all objects with recent changes into memory. This allows rapid processing with minimal querying. In performance testing, HyperSync Panel performs a full synchronization between a source and two targets for 500,000 users in about three minutes.
HyperSync Panel improves efficiency by loading only the object types and silos identified as required by sync rule sets. However, the entire required join graph for individual identities is loaded for both delta and full synchronization, and HyperSync fully evaluates every configured rule in both delta and full modes (delta mode only limits the number of identities processed to those with recent changes). HyperSync automatically loads reference attributes bidirectionally. For example, if a rule requires a manager attribute, the reverse manager-of relationship is generated implicitly.
Performance
Because HyperSync loads the entire required data set when the synchronization is initialized, there is zero performance penalty in resolving relationships on any silo. Querying for a user's manager's manager's email address in Azure AD behaves the same as querying the current user's employee ID. Additionally, because HyperSync uses the Identity Panel rule engine for advanced logic, there is virtually no performance penalty to using complex flow logic.
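To make the join-graph behaviour described above concrete, here is an added Python illustration (not HyperSync Panel code) of an in-memory graph that loads two silos once, indexes a reference attribute in both directions so the reverse manager-of side exists implicitly, and resolves a chained path such as the manager's manager's email with dictionary lookups only. The silo names, attribute names and records are constructed for the example.

```python
"""Added illustration of an in-memory join graph with bidirectional
reference attributes. Not HyperSync Panel code; silo names, attribute
names and the sample records below are constructed for the example."""
from collections import defaultdict

# Constructed sample data: an HR source silo and a directory target silo,
# joined on employeeId. 'manager' holds the join key of the manager.
HR_SILO = [
    {"employeeId": "1001", "mail": "ceo@example.test", "manager": None},
    {"employeeId": "1002", "mail": "vp@example.test", "manager": "1001"},
    {"employeeId": "1003", "mail": "dev@example.test", "manager": "1002"},
]
AD_SILO = [
    {"employeeId": "1002", "sAMAccountName": "vp"},
    {"employeeId": "1003", "sAMAccountName": "dev"},
]


class JoinGraph:
    """Loads the required silos once and indexes every reference attribute
    forward and reverse, so chained lookups never go back to the database."""

    def __init__(self, reference_attrs):
        self.reference_attrs = set(reference_attrs)
        self.identities = {}                     # join key -> {silo: record}
        self.forward = {}                        # attr -> {key -> referenced key}
        self.reverse = defaultdict(lambda: defaultdict(set))  # attr -> {key -> {referrers}}

    def load_silo(self, name, records, join_key="employeeId"):
        for rec in records:
            key = rec[join_key]
            self.identities.setdefault(key, {})[name] = rec
            for attr in self.reference_attrs:
                target = rec.get(attr)
                if target is not None:
                    self.forward.setdefault(attr, {})[key] = target
                    # The reverse side (manager-of) is built implicitly.
                    self.reverse[attr][target].add(key)

    def attribute(self, key, attr):
        """Attributes are merged across silos; the first silo carrying it wins."""
        for rec in self.identities.get(key, {}).values():
            if attr in rec:
                return rec[attr]
        return None

    def resolve(self, key, path):
        """Walk a dotted path such as 'manager.manager.mail'. Each hop is a
        lookup in the loaded graph, so depth adds no query cost."""
        current = key
        parts = path.split(".")
        for i, part in enumerate(parts):
            if part in self.reference_attrs:
                current = self.forward.get(part, {}).get(current)
                if current is None:          # dangling or absent reference
                    return None
            elif i == len(parts) - 1:
                return self.attribute(current, part)
            else:
                raise ValueError(f"{part} is not a reference attribute")
        return current

    def reverse_refs(self, key, attr):
        """Identities that reference 'key' through 'attr' (the manager-of side)."""
        return sorted(self.reverse[attr].get(key, set()))


def build_graph():
    graph = JoinGraph(reference_attrs={"manager"})
    graph.load_silo("hr", HR_SILO)
    graph.load_silo("ad", AD_SILO)
    return graph


if __name__ == "__main__":
    g = build_graph()
    print(g.resolve("1003", "manager.manager.mail"))   # chained lookup
    print(g.reverse_refs("1001", "manager"))           # implicit reverse side
```

Note that a missing link in the chain yields `None` rather than an error, which is the case a flow rule has to handle explicitly (for example when the top of the reporting chain has no manager).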
Although HyperSync ingests all identities into memory at once, RAM exhaustion is not a concern (provided basic system requirements are met). Even with hundreds of thousands of users and many connected sources, typical RAM consumption ranges from 1-3 GB during a full sync process due to efficient data algorithms.
The biggest performance concern in HyperSync Panel is database read performance during a full synchronization, because HyperSync Panel must perform table scan queries to retrieve the data. Overall database impact is minimized by reading each collection sequentially (instead of in parallel), but to maximize sync performance, it is important that database sizing conform to recommended system requirements.
Another performance consideration for HyperSync is ensuring that there are sufficient instances of Panel Service to expeditiously handle peak workflow volume. This is usually a consideration on initial deployments or after configuration changes, when thousands or tens of thousands of accounts must be modified from a single synchronization pass.
Sync Rules
HyperSync Panel supports the following rule modes, to provide flexibility and make it easy to implement business logic:
- Attribute Flow – direct and expression-based attribute flow between source and target systems. Allows write-back of changes to external directories, and side-effect operations (e.g. email, PowerShell) when a rule is activated. HyperSync Panel allows attribute flow to operate with granular scope-based flow precedence logic.
- State Rules – Evaluate an expression against the current state of a join graph, and determine if action is required. These rules are most commonly used for account provisioning and deprovisioning operations.
- Event Rules – React to a recent change event and trigger an action. Example events include adding or removing a silo, changing attributes, or transitioning across critical dates.
Rule Scoping
HyperSync Panel reduces duplication of logic by allowing definition of shared scoping rules. Users moving in and out of a scoping expression will activate and deactivate rule sets requiring those scopes.
Throttling
HyperSync Panel includes various throttling features to improve the safety of the system. These include volume-based triggers which allow an approval phase before any actions are executed, as well as the ability to run rules in simulation mode to observe their possible behavior.
VIP Thresholds allow critical actions that target VIP users (e.g. C-suite personnel), to always be flagged for approval. Criteria for identifying VIP users are customizable.
Rules can also be throttled per account to prevent duplicate execution of provisioning actions.
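The three throttling guards described in this section (a volume-based approval trigger, a VIP threshold on critical actions, and per-account suppression of duplicate provisioning actions, plus simulation mode) are shown below as an added Python illustration. It is not HyperSync Panel code: the thresholds, the title-based VIP criterion, the action kinds and the queued actions are constructed for the example.

```python
"""Added illustration of pre-execution guard rails for queued provisioning
actions. Not HyperSync Panel code; thresholds, the VIP criterion and the
queued actions are constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Action:
    account: str       # join key of the identity the action targets
    kind: str          # constructed kinds: "provision", "deprovision", "update"
    target_silo: str


@dataclass
class ThrottleConfig:
    volume_threshold: int                     # more actions than this -> hold batch
    critical_kinds: frozenset = frozenset({"deprovision"})
    vip_titles: frozenset = frozenset({"CEO", "CFO", "CTO"})  # constructed criterion
    simulate: bool = False


@dataclass
class Plan:
    execute: list = field(default_factory=list)
    needs_approval: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)
    simulated: list = field(default_factory=list)
    reasons: dict = field(default_factory=dict)   # Action -> why it was held/suppressed


def is_vip(identity, cfg):
    return identity.get("title") in cfg.vip_titles


def plan_actions(actions, identities, already_applied, cfg):
    """Partition queued actions into execute / approval / suppressed / simulated."""
    plan = Plan()
    seen = set()
    for a in actions:
        # Per-account throttle: the same action for the same account runs once
        # per pass and is not repeated if an earlier pass already applied it.
        dedupe_key = (a.account, a.kind, a.target_silo)
        if dedupe_key in seen or dedupe_key in already_applied:
            plan.suppressed.append(a)
            plan.reasons[a] = "duplicate"
            continue
        seen.add(dedupe_key)
        # VIP threshold: critical actions on VIP accounts always need approval.
        if a.kind in cfg.critical_kinds and is_vip(identities.get(a.account, {}), cfg):
            plan.needs_approval.append(a)
            plan.reasons[a] = "vip-threshold"
        else:
            plan.execute.append(a)
    # Volume-based trigger: an unexpectedly large batch is held as a whole.
    if len(plan.execute) > cfg.volume_threshold:
        for a in plan.execute:
            plan.reasons[a] = "volume-threshold"
        plan.needs_approval.extend(plan.execute)
        plan.execute = []
    # Simulation mode: report what would run, execute nothing.
    if cfg.simulate:
        plan.simulated, plan.execute = plan.execute, []
    return plan


# Constructed sample identities and a constructed action queue.
IDENTITIES = {
    "1001": {"title": "CEO"},
    "1002": {"title": "VP Engineering"},
    "1003": {"title": "Developer"},
}
QUEUE = [
    Action("1003", "provision", "ad"),
    Action("1003", "provision", "ad"),      # duplicate within the same pass
    Action("1001", "deprovision", "ad"),    # critical action on a VIP
    Action("1002", "update", "ad"),
]


def demo(simulate=False, volume_threshold=10):
    cfg = ThrottleConfig(volume_threshold=volume_threshold, simulate=simulate)
    return plan_actions(QUEUE, IDENTITIES, already_applied=set(), cfg=cfg)


if __name__ == "__main__":
    for a, why in demo(volume_threshold=1).reasons.items():
        print(a, "->", why)
```

The order of the checks matters: duplicates are removed before the batch is counted, so a burst of repeated actions for one account cannot by itself trip the volume trigger, while the VIP check is applied per action regardless of batch size.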
Hyperverse
HyperSync Panel includes a built-in workspace silo called the Hyperverse, for aggregating calculated and authoritative data so that it is conveniently managed for export to other sources. The Hyperverse supports creation of arbitrary schema (both object types and attributes), and the lifecycle of individual Hyperverse objects is managed automatically.
Although the Hyperverse system is available, its use is not mandatory. HyperSync Panel makes it possible to flow data directly from source to target systems.