Oracle Identity Analytics Sizing Guide: An Oracle White Paper February 2010


An Oracle White Paper

February 2010

Oracle Identity Analytics Sizing Guide


Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing decisions. The development, release, and timing of any
features or functionality described for Oracleʼs products remains at the sole discretion of Oracle.

Table Of Contents
Introduction
Architecture Overview
Deployment Considerations
    Oracle Identity Analytics Web Client
    Oracle Identity Analytics Server
Deployment Categories
    Small
    Medium
    Large
Deployment Architectures
    Small Deployment
    Medium Deployment
    Large Deployment
Oracle Identity Analytics Database Size Calculation
    Calculate Account Objects
    Calculate Policy Objects
    Calculate Total Number of Objects
    Determine Database Disk Space Requirement

Introduction
Oracle Identity Analytics is software that provides a comprehensive role lifecycle management and identity
compliance solution, enabling companies to proactively enforce internal security control policies and automate
critical identity management processes.

This document outlines an estimate of hardware and software requirements for deploying Oracle Identity
Analytics. Three deployment scenarios are considered (small, medium, and large), and recommendations for
each type are provided. These recommendations should be considered as guidance while planning product
deployment.

Assumptions made in this document are:

• A highly available environment is desired.
• RDBMS-specific best practices for high availability, backup and recovery are being followed.
• Load balancing specifics, software and hardware, are beyond the scope of this document.

Architecture Overview
Oracle Identity Analytics is a Java™ 2 Platform, Enterprise Edition (J2EE platform) web application. The J2EE
platform consists of a set of industry-standard services, APIs, and protocols that provide the functionality for
developing multi-tiered, web-based, enterprise applications. The division of tiers allows Oracle Identity Analytics to
scale according to customerʼs performance demands. Oracle Identity Analytics uses the J2EE specification to
build a flexible, scalable and fault-tolerant cross-platform solution. The main tiers of Oracle Identity Analytics are:

• The presentation tier – A web server layer rendering JSPs, JavaScript, XML etc. to present a UI
accessible through various supported web browsers.

• The logic tier – A J2EE application server forms the middle tier where all business logic of Oracle
Identity Analytics is implemented.

• The data tier – The data tier usually consists of a standalone or clustered RDBMS environment utilizing
Java Database Connectivity (JDBC) to integrate with the logic tier.

The Oracle Identity Analytics application resides on an application server and the central repository of application
data resides on a database server. Figure 1 illustrates the architecture of Oracle Identity Analytics. Figure 2
represents sample architecture for deploying Oracle Identity Analytics.

Figure 1: Oracle Identity Analytics architecture

Figure 2: Sample architecture for Oracle Identity Analytics

Typical Oracle Identity Analytics deployments comprise the following components:

• A clustered web server load balanced using a load balancing router. End-users including administrators
interact with Oracle Identity Analytics through these web servers.

• A clustered J2EE application server on which Oracle Identity Analytics is deployed.

• Oracle Identity Analytics uses an RDBMS as its data repository. Depending on the dataset size, the
database server can be standalone or clustered; in this sample architecture, the database is clustered.
For optimized performance, the application servers and RDBMS are co-located, for example
within the same subnet.

• In most cases, Oracle Identity Analytics is integrated with an Identity Management System. The
integration with supported Identity Management Systems is beyond the scope of this document.

• Oracle Identity Analytics uses flat files from target systems such as RACF, AD, ACF2 etc. to build its
Identity Warehouse. Typically, the target systems drop flat files on a shared location using SFTP, and the
files are subsequently imported using the Oracle Identity Analytics import process. Such target systems can be
classified as unmanaged resources.

Additional infrastructure such as Single Sign-on servers, proxy servers etc. is not considered part of the
deployment.

Deployment Considerations
Oracle Identity Analytics performance depends on the load faced and response characteristics of each tier
discussed in the previous section. Performance affecting factors are identified and discussed in the following
sections. These factors should be considered during deployment planning.

Oracle Identity Analytics Web Client

The number of concurrent users accessing the system directly affects the web client performance. Performance is
also affected by the activities being performed within each user session, such as role provisioning, attestation, SoD
monitoring, reporting and dashboarding. Concurrent users and their system activities largely determine the CPU and
memory requirements of the application server.

Oracle Identity Analytics Server

The Oracle Identity Analytics server is a J2EE application server that uses J2EE technologies for interaction with
end-users, target systems, database repository etc. The following areas of server operation need to be
considered during Oracle Identity Analytics sizing.

• Oracle Identity Analytics Import Process – Import jobs are created to populate the Oracle Identity
Analytics Identity Warehouse. Data can be imported from a text file or by using direct connections to
provisioning systems. Oracle Identity Analytics inserts or updates data in the warehouse, and archives all
of the data feeds.

Importing a large data set can impose resource constraints on the application server (e.g. CPU and
memory usage) and on the database (e.g. an increase in the size of the tablespace containing the Oracle
Identity Analytics repository).

• Oracle Identity Analytics Identity Certification – Identity certification is the process of reviewing user
entitlements to ensure that users have not acquired entitlements that they are not authorized to have.
Certifications can be scheduled to run on a regular basis to meet compliance requirements. Managers
use the Identity Certification module to review their employees' entitlements to access applications and
data. Based on changes reported by Oracle Identity Analytics, managers can authorize or revoke
employee access, as needed.

Attestation of a large data set of user entitlements can affect Oracle Identity Analytics performance
because of resource constraints on the application server and database.

• Oracle Identity Analytics Identity Audit Process – The Identity Audit module is designed to detect
segregation of duties (SoD) violations. A segregation of duties violation is a violation whereby a user
account, a user attribute, or a role has been assigned two entitlements that should not be held in
combination.

While the identity certification module enables managers to certify or revoke access of users, the identity
audit module has a detection mechanism that monitors users' actual access to resources and captures
any violations on a continuous basis. The software can also be programmed to conform to audit policies
and report exceptions. It provides a summary of all exceptions, which helps security analysts, executives,
or auditors accept or mitigate the exceptions.

In Oracle Identity Analytics, audit rules define violations. Audit rules are collected together to create an
audit policy. User accounts and business structures are then scanned for audit policy violations. User
accounts, user attributes, and roles that violate an identity audit policy are flagged and tracked until the
violation is resolved.
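
The audit flow described above (rules grouped into a policy, accounts scanned, violations tracked until resolved) can be sketched as follows. This is an added example, not Oracle Identity Analytics code: the feed layout, rule IDs and entitlement names are constructed, and aggregating a user's entitlements across all of their accounts is an assumption of this sketch.

```python
import csv
import io
from collections import defaultdict

# Constructed flat-file feed: user, resource, account, entitlement (not a real OIA format).
FEED = """\
jdoe,AD,jdoe,AP_CREATE_VENDOR
jdoe,RACF,JD01,AP_APPROVE_PAYMENT
asmith,AD,asmith,AP_CREATE_VENDOR
asmith,AD,asmith,HR_VIEW
"""

# Hypothetical audit policy: each rule names two entitlements that must not be combined.
POLICY = {
    "SOD-001": frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    "SOD-002": frozenset({"HR_VIEW", "HR_EDIT_SALARY"}),
}

def load_entitlements(feed_text):
    """Aggregate entitlements per user across every account and resource in the feed."""
    held = defaultdict(set)
    for row in csv.reader(io.StringIO(feed_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines instead of mis-assigning fields
        user, _resource, _account, entitlement = (field.strip() for field in row)
        held[user].add(entitlement)
    return held

def scan(held, policy, tracked):
    """Flag current violations as open; mark tracked ones resolved once they disappear."""
    current = {(user, rule_id)
               for user, ents in held.items()
               for rule_id, pair in policy.items() if pair <= ents}
    for key in current:
        tracked[key] = "open"
    for key in tracked:
        if key not in current:
            tracked[key] = "resolved"
    return tracked

if __name__ == "__main__":
    tracked = scan(load_entitlements(FEED), POLICY, {})
    print(tracked)  # jdoe holds both halves of SOD-001, on two different resources
    revoked = "\n".join(l for l in FEED.splitlines() if "RACF" not in l)
    print(scan(load_entitlements(revoked), POLICY, tracked))
```

The conflicting entitlements for jdoe sit on two different target systems, so a check that looked at each account in isolation would not flag the combination.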
Deployment Categories
Oracle Identity Analytics deployments have been classified into 3 categories: small, medium and large. Some
factors to be considered when selecting the deployment category are outlined below. These factors influence
the hardware and software specifications for an Oracle Identity Analytics deployment.

Small
Number of Users: 5000
Number of Accounts per User: 5
Number of Resources: 5
Number of Roles: 500
Number of Role Requests per Day: 5
Number of Policies: 500
Number of Certifications per Period: 100 - 200

Medium
Number of Users: 50000
Number of Accounts per User: 50
Number of Resources: 100
Number of Roles: 1000
Number of Role Requests per Day: 100
Number of Policies: 5000
Number of Certifications per Period: 2500 - 3000

Large
Number of Users: 1000000
Number of Accounts per User: 100+
Number of Resources: 500+
Number of Roles: 5000
Number of Role Requests per Day: 200
Number of Policies: 50000
Number of Certifications per Period: 6000+


Deployment Architectures
In the following sections, hardware configurations are suggested based on the sizing metrics outlined in the
previous section and on actual customer deployments. A deployment architecture is discussed for each
deployment type. For calculating database size requirements, refer to the 'Oracle Identity Analytics Database Size
Calculation' section of this guide.

Small Deployment

Application Server Configuration:
CPU: Intel Xeon X5550 (Quad Core 2.6 GHz) or equivalent
JVM Heap Size: 2 GB per node

Database Server Configuration:
CPU: Intel Xeon X5550 (Quad Core 2.6 GHz) or equivalent
RAM: 2 GB per node
Total SGA Size (for Oracle DB Server): 1 GB
Open Cursors (for Oracle DB Server): 300

Figure 3: A small sized OIA deployment

Medium Deployment

For a medium sized deployment, the application server is clustered. The clustered nodes can exist on the same
physical machine as separate node deployments when a high-end machine is used for the application server. A
load balancing router can be used to load balance between the nodes for optimal performance.

Application Server Configuration:
CPU: Intel Xeon X5550 (Quad Core 2.6 GHz) or equivalent
JVM Heap Size: 4 GB per node

Database Server Configuration:
CPU: Intel Xeon X5550 (Quad Core 2.6 GHz) or equivalent
RAM: 4 GB per node
Total SGA Size (for Oracle DB Server): 2 GB+
Open Cursors (for Oracle DB Server): 500

Figure 4: A medium sized OIA deployment

Large Deployment
A large deployment involves a high system load due to large data sets, processing, users etc. To handle this load,
it is recommended to add a dedicated clustered web server and a clustered database server, such as Oracle RAC
Database. Due to the intense computations typically seen at large deployments, such as Identity Certifications, a
large JVM heap is highly recommended. Horizontally scaling out by adding more nodes can address increased
performance requirements. It is not necessary to have application servers on different machines: multiple nodes
with Oracle Identity Analytics can be deployed on the same physical machine, assuming that the machine is a
high-end one and has adequate physical memory and CPU.

Application Server Configuration:
CPU: 2 Intel Xeon X5550 (Quad Core 2.6 GHz) or equivalent
JVM Heap Size: 8 GB per node

Database Server Configuration:
CPU: 2 Intel Xeon X5550 (Quad Core 2.6 GHz) or equivalent
RAM: 8 GB per node
Total SGA (for Oracle DB Server): 4 GB+
Open Cursors (for Oracle DB Server): 1500+

For optimal system performance, it is highly recommended to deploy Oracle Identity Analytics on a 64-bit
operating system. Refer to Oracle Technology Network for the Oracle Identity Analytics Platform Certification
Matrix for supported operating systems, application servers and browsers.

Figure 5: A large sized OIA deployment

Oracle Identity Analytics Database Size Calculation
The following steps can be used to estimate DB size requirements for Oracle Identity Analytics deployment on an
Oracle DB Server:

Calculate Account Objects

To calculate the number of account objects, substitute the corresponding values into the following formula:

Total Account Objects = Number of Resource Types x Number of Resources x Accounts per Resource

Calculate Policy Objects

To calculate the number of policy objects, substitute the corresponding values into the following formula.
Note: each policy version is an object, so add the number of policy versions when calculating policy objects.

Total Policy Objects = Number of Resource Types x Number of Resources x Policies per Resource

Calculate Total Number of Objects

To calculate the total number of objects:

Total Number of Objects = Globaluser Objects + Total Account Objects + Total Policy Objects + Total Role Objects + Total Request Objects

Note: each role version is an object, so add the number of role versions when calculating role objects.

Determine Database Disk Space Requirement

Objects are typically 120 Kbytes in size, each report and certification is about 4 Mbytes of data, and each Identity
Audit (Segregation of Duty, SoD) violation is about 500 Kbytes in size. To calculate the approximate object disk
space, substitute the corresponding values into the following formula:

Approximate Object Disk Space = Total Number of Objects x Size Per Object

Total Database Size = Approximate Object Disk Space + (Number of Certifications Annually x Size per Report) +
(Number of Reports Annually x Size per Report) + (Average Number of SoD Violations x Size per Violation)

As the number of accounts per user grows, the disk space increases exponentially. The space required depends
on the following –
• Number of globalusers
• Number of accounts per user
• Number of resource types and resources

If Oracle Database Server is being used as the Oracle Identity Analytics data repository, the automated snapshots
using journaling and checkpoint systems add extra hard disk space requirements. Such data recovery constraints
must also be factored into the database hard disk free-space requirements when sizing an Oracle Identity Analytics
implementation.
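
The calculation steps above, carried through in one place as an added example (not part of the original white paper). The sample input is constructed, the field names are hypothetical, and treating 1 Mbyte as 1024 Kbytes is an assumption; the result excludes the snapshot and recovery overhead mentioned above.

```python
from dataclasses import dataclass

KB_PER_MB = 1024           # assumption: the page says only "Kbytes" and "Mbytes"
OBJECT_KB = 120            # typical object size (from the page)
REPORT_KB = 4 * KB_PER_MB  # each report and each certification (from the page)
VIOLATION_KB = 500         # each SoD violation (from the page)

@dataclass(frozen=True)
class SizingInput:
    globaluser_objects: int
    resource_types: int
    resources: int
    accounts_per_resource: int
    policies_per_resource: int
    policy_versions: int   # each policy version is an object
    role_objects: int
    role_versions: int     # each role version is an object
    request_objects: int
    certifications_per_year: int
    reports_per_year: int
    avg_sod_violations: int

def total_objects(s):
    """Total Number of Objects, following the page's formulas step by step."""
    if min(vars(s).values()) < 0:
        raise ValueError("sizing inputs must be non-negative")
    per_resource = s.resource_types * s.resources
    accounts = per_resource * s.accounts_per_resource
    policies = per_resource * s.policies_per_resource + s.policy_versions
    roles = s.role_objects + s.role_versions
    return s.globaluser_objects + accounts + policies + roles + s.request_objects

def database_size_kb(s):
    """Breakdown of Total Database Size in Kbytes."""
    parts = {
        "objects": total_objects(s) * OBJECT_KB,
        "certifications": s.certifications_per_year * REPORT_KB,
        "reports": s.reports_per_year * REPORT_KB,
        "sod_violations": s.avg_sod_violations * VIOLATION_KB,
    }
    parts["total"] = sum(parts.values())
    return parts

# Constructed sample input, loosely in the range of the "Small" category.
SAMPLE = SizingInput(
    globaluser_objects=5000, resource_types=2, resources=5,
    accounts_per_resource=2500, policies_per_resource=50, policy_versions=100,
    role_objects=500, role_versions=50, request_objects=1825,
    certifications_per_year=200, reports_per_year=100, avg_sod_violations=300)

if __name__ == "__main__":
    for name, kb in database_size_kb(SAMPLE).items():
        print(f"{name:15s} {kb / KB_PER_MB / 1024:8.2f} GB")
```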

Oracle Identity Analytics Sizing Guide
February 2010
Author: Anish Chauhan

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2010, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and
the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109
