UTILIZED PRODUCTS
- Microsoft Identity Manager 2016 Service Pack 1 (4.4.1302)
- SQL Server 2012
BLOG PURPOSE: Discussion of Criteria Based Groups and the difference between a negative condition vs. a positive condition.
SCENARIO: Use of Negative vs Positive Conditions
Recently, I worked on an issue concerning the use of Negative Conditions within a Criteria Based Group within Microsoft Identity Manager 2016.
ERROR MESSAGE: “An Internal error occurred and your request cannot be processed. Please contact your system administrator.”
The following error message “An Internal error occurred and your request cannot be processed. Please contact your system administrator.” can be seen when using some negative conditions. Here are a few ways that I have tested and been able to get the error message.
- 16+ Negative Conditions
- 13+ Negative Conditions with a single positive condition
| NOTE | The scenarios above are ones I have tested. It is possible that we could see the same error under different circumstances. If you know of other circumstances, feel free to email me. |
NEGATIVE CONDITIONS VERSUS POSITIVE CONDITIONS
| What is a negative condition? | A negative condition, is when we use things like “Is Not“, “Not Ends With“, “Not Starts With“.
In SQL Server, it might be things like, “<>”, “!”, “NOT”, “NOT LIKE”. |
| A negative condition will normally result in an Index Scan instead of an Index Seek. This can negatively affect query performance on the backend SQL Server, which in-turn could affect performance of the Identity Management Service and Portal. | |
| What is a positive condition? | A positive condition is when we use things that do not have the NOT keyword. Example would be “Starts with“, “Is“.
“Ends With” could be considered a positive condition, but it implies a wild card at the beginning of the search criteria, which will result in a Table Scan. Table Scans can cause performance related issues. |
| You can benefit through the use of a positive condition, because the positive condition would allow you to possibly use an “Index Seek” which can provide performance related benefits. |
RECOMMENDATIONS / BEST PRACTICES
- Use Positive Conditions rather than negative conditions in your Criteria for your Criteria Based Groups
- If you need to use Negative Conditions, use a very small amount
- Minimize the overall number of conditions
- Utilize Nested Sets and/or Nested Groups to help minimize the number of conditions
ADDITIONAL RESOURCES
- Best Practices for FIM 2010: https://technet.microsoft.com/en-us/library/ff608274(v=WS.10).aspx
- Understanding Deferred Evaluation of criteria-based groups: https://technet.microsoft.com/en-us/library/jj863243(v=ws.10).aspx
- FIM 2010 Distribution Group Management with Custom Attribute as a Filter Criteria: https://blogs.technet.microsoft.com/meamcs/2011/09/22/fim-2010-distribution-group-management-with-custom-attribute-as-a-filter-criteria/
- Set (and Group) criteria filters: https://blog.msresource.net/2011/10/06/set-and-group-criteria-filters/
- FIM xPath Filter Dialect: https://msdn.microsoft.com/en-us/library/windows/desktop/ee652287(v=vs.100).aspx
- SQL Server: Scans vs. Seeks: https://blogs.msdn.microsoft.com/craigfr/2006/06/26/scans-vs-seeks/
3RD PARTY BLOGS
- SQL Server – Index Seek vs. Index Scan (Table Scan): https://blog.sqlauthority.com/2007/03/30/sql-server-index-seek-vs-index-scan-table-scan/
Comments for this post are currently closed.