CEPM Capacity Planning Guide
Centralized Architecture Deployment
Download this chapter
Centralized Architecture DeploymentCentralized Architecture Deployment
Download the complete book
CEPM Capacity Planning GuideCEPM Capacity Planning Guide (PDF - 380 KB)
 Feedback

Table Of Contents

Scenario 2: Centralized Architecture Deployment

Shared-PAP and PDP


Scenario 2: Centralized Architecture Deployment

The shared PAP and shared entitlement-repository option discussed in Chapter 1, "Scenario 1: Distributed Architecture Deployment" may be considered a "centralized" deployment that allows multiple applications to share a common administration and entitlement repository infrastructure.

A shared infrastructure that eliminates the need even to host the PDPs in different geographies is also supported with CEPM via the Shared-PAP and PDP model described in this chapter.

Note The sizing estimates for this type of deployment are composed of the following elements:

Users: System designed to support 1,000,000 to 2,000,000 users with 5000 concurrent queries.

Resources: 1000 hierarchical resources each with multiple actions.

Latency required: User-level queries of less than 0.2 second per query response time for role- and rule-based decisions.

Distribution: One central enterprise infrastructure covering all geographies.

Shared-PAP and PDP

With the PAP, entitlement repository, and PDP all located in the same data center, which can be fully replicated for high availability and disaster recovery purposes (see Shared-nothing), the PDP can directly work against the database without requiring messaging from the PAP. The Policy Enforcement Points (PEPs) can be set to automatically failover across two instances of the shared PAP and PDP.

Because the PEPs are remote, they need to communicate with the PDPs via an enterprise standard messaging infrastructure such as a standard Message-Oriented Middleware (MOM). Using CEPM, you can configure PEPs to choose the protocol for communication with the PDPs; you can also add custom listeners. Policy decisions are communicated on the wire, along with prefetched policy decisions. In-memory PDP is not an option in this case.

Figure 2-1 Shared PAP and PDP

Because of the diversity of business and organizational needs that change over time, a hybrid approach of PDP deployments is the most effective. In such an approach, some shared PDP deployments can be used by some applications for testing and production purposes. Some distributed PDPs are deployed closer to the applications but they still share the centralized PAP instances using delegated access.

In all of these scenarios, additional requirements may be imposed to restrict sharing of entitlement repositories or PDPs across different applications, which can be handled in one of two ways:

Delegated administration of PAP so that all actions are scoped within administration domains.

Delegated administration with entitlement domains. In this approach, entitlement domains can be created where there is no sharing of the entitlement data between entitlement domains. Multiple entitlement domains can be managed from the same instance of the administrative console.

Figure 2-2 shows a deployment with no sharing of entitlement repository data in the context of a shared PAP and PDP:

Figure 2-2 Deployment of Shared PAP and PDP Model

For all workloads, such things as the number of applications, depth of resource, group, and role hierarchy, besides the complexity of rules, affect sizing estimates. For workload 2, the variance may be higher. However, eight servers in New York and four each for the other two geographies should be enough, which totals 16 servers running PDPs for all geographies. With the administrative workload expected to be higher because of increased users, PAP must be deployed in a load-balanced cluster of four servers. Database sizing depends on the actual number of users.

All of the scenarios described in this guide easily coexist with reporting tools, such as Actuate and Microstrategy, via the PAP entitlement review APIs and supported database schemas for logs. Table 2-1 details the requirements for CPUs and memory.

Table 2-1 Hardware Component Specifications 

Type of Server
Product
Model #
Processor
NIC / IP
Memory (min)
# CPUs

PAP server

Sun

 

Min. 400MHz

 

1GB

4

PAP server (alternate)

Dell

 

1.5GHz

 

1GB

4

PDP server

Sun

 

Min. 400MHz

 

1GB

4

PDP server (alternate)

Dell

 

2GHz

 

1GB

4


Tip List all the software components (including product components) that the deployment relies on, with number of instances of each type. Indicate if those dependent software components are priced within the product license and maintenance. Mention any license restrictions and explain the significance.

Table 2-2 Software Component Specifications (Scenario 1) 

Type of Software
Version
No. of Instances
Comments

Oracle

9i or 10g

2

 

JDK

1.4 or 1.5

Number of PDP and PAP instances

 

PAP

 

2 server instances

 

PDP

 

8 server instances

 

PEP

 

Varies

 

Table 2-3 Software Component Specifications (Scenario 2) 

Type of Software
Version
No. of Instances
Comments

Oracle

9i or 10g

4

 

JDK

1.4 or 1.5

Number of PDP and PAP instances

 

PAP

 

4 server instances

 

PDP

 

16 server instances

 

PEP

 

Varies

 

Table 2-4 Volumetric Analysis for Database (Sizing) 

Scenario
No. of Application Group
No. of Application
No. of Resource
No. of Roles
No. of Users
No. of Groups
No. of Requests (Per Month)
Memory Required when PDP logs Enabled
Memory Required when PDP logs Disabled
User Tablespace
Temporary Tablespace
User Tablespace
Temporary Tablespace

1

5

10

1000

600

10000

75

50000

2 GB

512 MB

1 GB

512 MB

2

5

10

1000

600

25000

75

100000

4 GB

512 MB

1 GB

512 MB

3

5

10

1000

600

50000

75

200000

8 GB

512 MB

2 GB

512 MB

4

5

10

1000

600

100000

75

400000

10 GB

1 GB

3 GB

512 MB

5

5

10

1000

600

500000

75

1000000

20 GB

2 GB

5 GB

512 MB