Search code examples
archerrsa-archer-grc

How to make the Automatic Record Permission field to update itself as quickly as possible?

If you are working with access control, you must have faced the issue where the Automatic Record Permission field (with Rules) does not update itself on recalculating the record. You either have to launch full recalculation or wait for a considerable amount of time for the changes to take place.

I am facing this issue where based on 10 different field values in the record, I have to give read/edit access to 10 different groups respectively.

For instance:

  • if rule 1 is true, give edit access to 1st group of users
  • if rule 1 and 2 are true, give edit access to 1st AND 2nd group of users.

I have selected 'No Minimum' and 'No Maximum' in the Auto RP field.

How to make the Automatic Record Permission field to update itself as quickly as possible? Am I missing something important here?

Solution

  • If you are working with access control, you must have faced the issue where the Automatic Record Permission field (with Rules) does not update itself on recalculating the record. You either have to launch full recalculation or wait for a considerable amount of time for the changes to take place.

    Tanveer, in general, this is not a correct statement. You should not face this issue with [a] well-designed architecture (relationships between your applications) and [b] correct calculation order within the application.

    About the case you described. I suggest you check and review the following possibilities:

    1. Calculation order.
    Automatic Record Permissions [ARP from here] are treated by Archer platform in the same way as calculated fields. This means that you can modify the calculation order in which calculated field and automatic record permissions will be updated when you save the record.
    So it is possible that your ARP field is calculated before certain calculated fields you use in the rules in ARP. For example, let say you have two rules in ARP field:
       if A>0 then group AAA
       if B>0 then groub BBB
    Now, you will have a problem if calculation order is the following:
       "ARP", "A", "B"
    ARP will not be updated after you click "Save" or "Apply", but it will be updated after you click "Save" or "Apply" twice within the save record.
    With calculation order "A","B","ARP" your ARP will get recalculated right away.

    2. Full recalculation queue.
    Since ARPs are treated as calculated fields, this mean that every time ARP needs to get updated there will be recalculation job(s) created on the application server on the back end. And if for some reason the calculation queue is full, then record permission will not get updated right away. Job engine recalculation queue can be full if you have a data feed running or if you have a massive amount of recalculations triggered via manual data imports. Recalculation job related to ARP update will be created and added to the queue. Recalculation job will be processed based on the priorities defined for job queue. You can monitor the job queue and alter default job's processing priorities in Archer v5.5 via Archer Control Panel interface. I suggest you check the job queue state next time you see delays in ARP recalculations.

    3. "Avalanche" of recalculations
    It is important to design relationships and security inheritance between your applications so recalculation impact is minimal.
    For example, let's say we have Contacts application and Department application.
    - Record in the Contacts application inherits access using Inherited Record Permission from the Department record.
    -Department record has automatic record permission and Contacts record inherits it.
    -Now the best part - Department D1 has 60 000 Contacts records linked to it, Department D2 has 30 000 Contacts records linked to it.
    The problem you described is reproducible in the described configuration. I will go to the Department record D1 and updated it in a way that ARP in the department record will be forced to recalculate. This will add 60 000 jobs to the job engine queue to recalculate 60k Contacts linked to D1 record. Now without waiting I go to D2 and make change forcing to recalculate ARP in this D2 record. After I save record D2, new job to recalculate D2 and other 30 000 Contacts records will be created in the job engine queue. But record D2 will not be instantly recalculated because first set of 60k records was not recalculated yet and recalculation of the D2 record is still sitting in the queue.
    Unfortunately, there is not a good solution available at this point. However, this is what you can do:
    - review and minimize inheritance
    - review and minimize relationships between records where 1 record reference 1000+ records.
    - modify architecture and break inheritance and relationships and replace them with Archer to Archer data feeds if possible.
    - add more "recalculation" power to you Application server(s). You can configure your web-servers to process recalculation jobs as well if they are not utilized to certain point. Add more job slots.

    Tanveer, I hope this helps. Good luck!