
Thread: Authority Lookups, Authority Cache and Performance

  1. Authority Lookups, Authority Cache and Performance

    Hi,

    To satisfy an Audit requirement I’ve recently implemented object level security on a large AS/400 model 830 (V5R1). That is to say every production object is secured by an authority list. The contents of the authority list contain Group Profiles with private authorities. The number of authority lookups has increased dramatically and has had a performance impact on the system.

    The authority lookup process is well understood by us. We know this method causes pretty much the maximum amount of lookups. We understand the many lookups cause CPU to be used. What we do not understand is a means of quantifying the impact. The component report of the performance tools gives us a count of the authority lookups. The performance advisor gives a glib statement to the effect that the maximum CPU used due to the authority lookups may have been as high as X%.

    Questions:

    1) Does anyone know a way of estimating the Number of Authority Lookups versus amount of CPU used? E.g. 10 000 lookups per second is roughly equivalent to 5% CPU. Estimates for these figures were provided in one of the redbooks back in the CISC days. But I can’t find a modern equivalent.

    2) The performance tools manual describes the RISC implemented ‘Authorisation Lookup Cache’. It says that it can store up to 32 private authorities for objects and authorisation lists. Does this mean 32 private authorities for every object or does it mean a total of 32 combinations of object and private authority to it?

    3) If a lookup is satisfied by what it finds in the ‘Authorisation Lookup Cache’ does this still signal an authority lookup exception as reported in the Component Report? I assume it does because the Performance manual states that even those lookups satisfied in the cache will be reported. It would be good to know for sure.

    I can’t believe we are the first people to ask these questions so I’m hoping someone out there has been through this exercise.

  2. #2
    edfishel@us.ibm.com Guest

    Authority Lookups, Authority Cache and Performance

    Ken,

    I do not have an answer to question 1. My guess is that it will depend on the security design of the applications being run on the system.

    The Security Reference manual says "The authority cache contains up to 32 private authorities to objects and up to 32 private authorities to authorization lists." It also says that there is a separate cache for each user profile.

    I believe that when an authority lookup is satisfied by an entry in the cache, that lookup is still counted on the performance reports.

    You may be able to improve the authority lookup performance, for some objects, by using primary group authority for those objects, while also removing all private authority from those objects. Check the Security Reference Manual for details.

    Ed Fishel
