A couple of weeks ago I said we had nothing to lose by trying out a new Grouper to Active Directory group membership provisioning mechanism. Well, it turns out we actually had a lot to gain. The new solution has worked better than I could’ve dreamt. (For the record, I don’t dream of Grouper; I have been asked!)
Despite another huge number of corporate data changes at the start of September, we have not had any membership changes waiting more than a day to be provisioned and now, on day 11, we actually have no backlog at all so PSP is back to “real time” provisioning.
The fact that we have got through the entire backlog at least a week sooner than last year has surprised me, but I have a theory as to why this might be.
The obvious conclusion, which you could jump to by looking at the chart, is simply that there have not been as many changes for PSP to process this year.
There might be something in that but I also think the monthly view could be slightly misleading. When broken down by week, you can see that last year’s peak is not that much taller than this year’s – it’s just that we’re only part way through September at the moment.
My theory is that the highly effective new method of updating AD group memberships with changes in Grouper, that we’ve been using since the end of August, has allowed PSP to run through its backlog far quicker, as it’s actually had less work to do.
The PSP provisioning technology works in a three step process: ‘calc’, ‘diff’, ‘sync’.
- ‘Calc’: It firstly, calculates how the AD group should look, after the change from the change log has been applied.
- ‘Diff’: It then works out the difference between how the AD group should look and how it does look, and what needs to be done so that there is no difference.
- ‘Sync’. Finally, it synchronises the groups by applying the output from the the ‘diff’ step.
This is all relatively time-consuming. By using the new solution to synchronise group memberships before PSP gets around to trying, PSP has less to do as it only has to complete the ‘calc’ and ‘diff’ steps for each change and can therefore race through the change log at a much faster pace.