This issue is resolved in the following versions:
- RSA Identity Governance & Lifecycle 7.2.1 P12
- RSA Identity Governance & Lifecycle 7.5.0 P07
- SecurID Governance & Lifecycle 7.5.2 P03
Customers may report one or more of the following symptoms.
- Longer collection times for a specific individual Account Data Collector (ADC's).
- Randomly some Account Data Collectors (ADC's) take longer to run.
- Aggregate collection times for all Account Data Collectors (ADC's) are longer.
- Collection times seem longer than in previous versions.
There was a major design change in Role Metric calculations introduced into the product in the versions and patches noted. This results in some Account Data Collection (ADC) runs taking longer than other ADC runs, in the step Indirect Relationship Processing (IRP) specifically in step 11/12 Calculate Role Metrics.
Note that it is not possible to do a direct comparison of the run times in this step with older versions as the changes include both functional improvements in the quality of Role Data along with performance improvements and changes to the frequency of this calculation.
In general, the time required to calculate Role Metrics is greater in current versions due to additional complexity (accuracy and increased scope) in the Roles that are included in this calculation. In particular the current version requires additional processing time to accurately calculate nested Roles (Roles with parent child relationships). This cost is balanced by optimizations in performance for these queries that were done along with these data quality improvements.
Customers may report that the longer runtimes are random, or that the run times of a collector is not commensurate with the change in the data in the collector for that run. This is correct.
In previous versions, the Calculate Role Metric step was done after every collection, even if there were only minor Role Changes. Although the time per collection was small, for customers with a very large number of collectors the aggregate time for Role Metric calculation for all collectors was very large and this resulted in a large proportion of the day being allocated to this process. The major improvement in performance is a new feature that defers Role Metric calculation if the Role Metric calculation has been done recently. Specifically, the product will not do a Role Metric calculation if the last collection occurred within the last 2 hours (by default). This means that 80% of the ADC collections during the day should complete more quickly but about 20% of the collections will have much longer collection times. It is incorrect to compare ADC collection times either against other times for the same collector or other similar collectors or against historical times for any particular ADC. The collection times will vary and the particular times when a collection runs long will appear random.
Note that the Role Metric calculation is not scheduled every 2 hours, instead it is configured to wait for 2 hours after the last collection so it is difficult to predict the period when collections will run longer. Also the actual time for the Role Metric calculation depends on aggregate changes in Role based Entitlements since the last calculation.
For most customers the default wait time of 2 hours for deferring the Role Metric calculation should provide a good compromise between performance and the quality of Roles. The Role Metric deferment time can be changed with a configuration parameter for customers who are unable to complete daily collections within 24 hours.
This parameter can be tuned to 4 or 6 hours for example to reduce the total collection time. Note that the benefit to collection times is not directly proportional to the value for this setting. Although increasing the value of the parameter reduces the frequency of Role Metric calculation the time to complete a specific Role Metric calculation will increase as there will be a larger backlog of data to process. RSA believes the optimum value is (the default) 2 hours but the actual optimum for a specific customer can only be obtained by direct testing.
Note that reducing the frequency of Role Metric calculation has direct negative impact on the quality of Roles. Customers should only consider this change if they can accept the security and operational compromise of reduced Role quality.
If you need to tune this parameter, please open an RSA Customer Support case and quote this knowledge base article and an engineer will contact you to discuss the implications of this change.
- Role Missing Entitlement Metrics calculation is done only for the affected roles in the case of EDC and RDC instead of calculating for all the Roles.
- Role Constraint or Missing Entitlement Metrics is now calculated during Rule execution instead of Indirect Relationship Processing, and this calculation is done only for the affected Roles.
Related Articles
Identity Data Unification longer in Step 8/11 Populate Role Metrics in RSA Governance & Lifecycle Number of Views RSA Identity Governance and Lifecycle Account Data Collector (ADC) and Entitlement Data Collectors (EDC) are slow in step … Number of Views How to ensure Thor Xellerate RACF login macro can properly handle cases where passwords are blank Number of Views RSA Governance & Lifecycle Recipes: Dashboard - Review Results "Outstanding Applications" Number of Views Unification runs into an error called by webservice call in RSA Identity Governance & Lifecycle Number of Views
Trending Articles
RSA SecurID Software Token 5.0.2 for Windows Desktop displays message after reboot due to roaming profile: No token stor… RSA Release Notes for RSA Authentication Manager 8.8 Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026)
