
Time-Based rate limiting for Ad-hoc projections

Hi All,

Is there any way in One Identity v8.01 to implement time-window-based rate limiting for ad-hoc projections?

Ideally, I'd like to be able to configure a rule such as "If X amount of ADS password updates occur within Y time, halt ad-hoc projections, notify admin, and do not start projections until approved by an administrator".

X might be 50 password resets, Y may be a time frame of 60 seconds, 5 minutes, etc.

Any help appreciated.

Glen.

  • No way out of the box that I'm aware of. You could try this, but it would have a negative effect on performance. Modify the generation script and include a DB lookup query to count(*) the number of entries from JobHistory that match your jobchainName. You could then redirect the job onto an inactive queue to be inspected later. It would work, I think, but I wouldn't recommend it.

  • Thanks Paul and apologies for the delayed response.

    I was thinking similar - I'll have a play and will post my final solution back here for reference!

  • Old thread but thought I'd post solution.

    Basically I put change tracking on for ADSAccount.UserPassword. I then placed an additional step into the ADS_ADSAccount_Update/(De-)activate process which looks at the password events on the DialogWatch* tables for a given time window, counts up all of the events, and then checks if that count within that window is less than the threshold. If it breaches, the step will freeze and then set a config param (i.e. ThresholdBreached) to true, which will then cause all ADS_ADSAccount_Update/(De-)activate processes to error and remain in the queue. An admin can then come in and make a decision RE letting the jobs process or not.

    Works nicely, and is fairly simple to set up.
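
The logic described in the solution above, modelled in Python as an added example. It is not the poster's process step and does not use One Identity APIs: the class and method names are hypothetical, the `breached` flag stands in for the ThresholdBreached parameter, and resetting the count on admin approval is an assumption.

```python
from collections import deque
from datetime import datetime, timedelta


class PasswordChangeBreaker:
    """Sliding-window counter with a latch that only an administrator clears."""

    def __init__(self, threshold: int, window: timedelta):
        self.threshold = threshold   # X: count at which the breaker trips
        self.window = window         # Y: length of the look-back window
        self.events = deque()        # timestamps of tracked password changes
        self.breached = False        # models the ThresholdBreached parameter
        self.held = []               # jobs left waiting in the queue

    def submit(self, account: str, when: datetime) -> bool:
        """Return True if the update job may run, False if it stays queued."""
        self.events.append(when)
        cutoff = when - self.window
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()    # drop events older than the window
        if len(self.events) >= self.threshold:
            self.breached = True     # latch: stays set after the burst ends
        if self.breached:
            self.held.append((account, when))
            return False
        return True

    def admin_decision(self, release: bool) -> list:
        """Clear the latch; return the held jobs to run (empty if rejected)."""
        jobs = self.held if release else []
        self.held, self.breached = [], False
        self.events.clear()          # assumption: approval restarts the count
        return jobs


def demo() -> dict:
    """Constructed scenario: X = 5 changes, Y = 60 seconds."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed timestamps
    breaker = PasswordChangeBreaker(5, timedelta(seconds=60))
    burst = [breaker.submit(f"user{i}", t0 + timedelta(seconds=i)) for i in range(6)]
    late = breaker.submit("user6", t0 + timedelta(minutes=10))  # still latched
    released = breaker.admin_decision(release=True)
    after = breaker.submit("user7", t0 + timedelta(minutes=11))
    return {"burst": burst, "late": late, "released": len(released), "after": after}


if __name__ == "__main__":
    print(demo())
```

The latch is the part that differs from ordinary rate limiting: a job arriving ten minutes after the burst is still held, because only the admin decision clears the flag.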