Table Of Contents
Scenario 2: Centralized Architecture Deployment
Shared-PAP and PDP
Scenario 2: Centralized Architecture Deployment
The shared PAP and shared entitlement-repository option discussed in Chapter 1, "Scenario 1: Distributed Architecture Deployment" may be considered a "centralized" deployment that allows multiple applications to share a common administration and entitlement repository infrastructure.
A shared infrastructure that eliminates the need even to host the PDPs in different geographies is also supported with CEPM via the Shared-PAP and PDP model described in this chapter.
Note The sizing estimates for this type of deployment are composed of the following elements:
•Users: System designed to support 1,000,000 to 2,000,000 users with 5000 concurrent queries.
•Resources: 1000 hierarchical resources each with multiple actions.
•Latency required: User-level queries of less than 0.2 second per query response time for role- and rule-based decisions.
•Distribution: One central enterprise infrastructure covering all geographies.
Shared-PAP and PDP
With the PAP, entitlement repository, and PDP all located in the same data center, which can be fully replicated for high availability and disaster recovery purposes (see Shared-nothing), the PDP can directly work against the database without requiring messaging from the PAP. The Policy Enforcement Points (PEPs) can be set to automatically failover across two instances of the shared PAP and PDP.
Because the PEPs are remote, they need to communicate with the PDPs via an enterprise standard messaging infrastructure such as a standard Message-Oriented Middleware (MOM). Using CEPM, you can configure PEPs to choose the protocol for communication with the PDPs; you can also add custom listeners. Policy decisions are communicated on the wire, along with prefetched policy decisions. In-memory PDP is not an option in this case.
Figure 2-1 Shared PAP and PDP
Because of the diversity of business and organizational needs that change over time, a hybrid approach of PDP deployments is the most effective. In such an approach, some shared PDP deployments can be used by some applications for testing and production purposes. Some distributed PDPs are deployed closer to the applications but they still share the centralized PAP instances using delegated access.
In all of these scenarios, additional requirements may be imposed to restrict sharing of entitlement repositories or PDPs across different applications, which can be handled in one of two ways:
•Delegated administration of PAP so that all actions are scoped within administration domains.
•Delegated administration with entitlement domains. In this approach, entitlement domains can be created where there is no sharing of the entitlement data between entitlement domains. Multiple entitlement domains can be managed from the same instance of the administrative console.
Figure 2-2 shows a deployment with no sharing of entitlement repository data in the context of a shared PAP and PDP:
Figure 2-2 Deployment of Shared PAP and PDP Model
For all workloads, such things as the number of applications, depth of resource, group, and role hierarchy, besides the complexity of rules, affect sizing estimates. For workload 2, the variance may be higher. However, eight servers in New York and four each for the other two geographies should be enough, which totals 16 servers running PDPs for all geographies. With the administrative workload expected to be higher because of increased users, PAP must be deployed in a load-balanced cluster of four servers. Database sizing depends on the actual number of users.
All of the scenarios described in this guide easily coexist with reporting tools, such as Actuate and Microstrategy, via the PAP entitlement review APIs and supported database schemas for logs. Table 2-1 details the requirements for CPUs and memory.
Table 2-1 Hardware Component Specifications
Type of Server
|
Product
|
Model #
|
Processor
|
NIC / IP
|
Memory (min)
|
# CPUs
|
PAP server
|
Sun
|
|
Min. 400MHz
|
|
1GB
|
4
|
PAP server (alternate)
|
Dell
|
|
1.5GHz
|
|
1GB
|
4
|
PDP server
|
Sun
|
|
Min. 400MHz
|
|
1GB
|
4
|
PDP server (alternate)
|
Dell
|
|
2GHz
|
|
1GB
|
4
|
Tip List all the software components (including product components) that the deployment relies on, with number of instances of each type. Indicate if those dependent software components are priced within the product license and maintenance. Mention any license restrictions and explain the significance.
Table 2-2 Software Component Specifications (Scenario 1)
Type of Software
|
Version
|
No. of Instances
|
Comments
|
Oracle
|
9i or 10g
|
2
|
|
JDK
|
1.4 or 1.5
|
Number of PDP and PAP instances
|
|
PAP
|
|
2 server instances
|
|
PDP
|
|
8 server instances
|
|
PEP
|
|
Varies
|
|
Table 2-3 Software Component Specifications (Scenario 2)
Type of Software
|
Version
|
No. of Instances
|
Comments
|
Oracle
|
9i or 10g
|
4
|
|
JDK
|
1.4 or 1.5
|
Number of PDP and PAP instances
|
|
PAP
|
|
4 server instances
|
|
PDP
|
|
16 server instances
|
|
PEP
|
|
Varies
|
|
Table 2-4 Volumetric Analysis for Database (Sizing)
Scenario
|
No. of Application Group
|
No. of Application
|
No. of Resource
|
No. of Roles
|
No. of Users
|
No. of Groups
|
No. of Requests (Per Month)
|
Memory Required when PDP logs Enabled
|
Memory Required when PDP logs Disabled
|
User Tablespace
|
Temporary Tablespace
|
User Tablespace
|
Temporary Tablespace
|
1
|
5
|
10
|
1000
|
600
|
10000
|
75
|
50000
|
2 GB
|
512 MB
|
1 GB
|
512 MB
|
2
|
5
|
10
|
1000
|
600
|
25000
|
75
|
100000
|
4 GB
|
512 MB
|
1 GB
|
512 MB
|
3
|
5
|
10
|
1000
|
600
|
50000
|
75
|
200000
|
8 GB
|
512 MB
|
2 GB
|
512 MB
|
4
|
5
|
10
|
1000
|
600
|
100000
|
75
|
400000
|
10 GB
|
1 GB
|
3 GB
|
512 MB
|
5
|
5
|
10
|
1000
|
600
|
500000
|
75
|
1000000
|
20 GB
|
2 GB
|
5 GB
|
512 MB
|