Support-Info: Criteria Based Groups (Negative Conditions vs. Positive Conditions)
UTILIZED PRODUCTS
- Microsoft Identity Manager 2016 Service Pack 1 (4.4.1302)
- SQL Server 2012
BLOG PURPOSE: Discussion of Criteria Based Groups and the difference between a negative condition vs. a positive condition.
SCENARIO: Use of Negative vs Positive Conditions
Recently, I worked on an issue concerning the use of Negative Conditions within a Criteria Based Group within Microsoft Identity Manager 2016.
ERROR MESSAGE: "An Internal error occurred and your request cannot be processed. Please contact your system administrator. "
The following error message "An Internal error occurred and your request cannot be processed. Please contact your system administrator. " can be seen when using some negative conditions. Here are a few ways that I have tested and been able to get the error message.
- 16+ Negative Conditions
- 13+ Negative Conditions with a single positive condition
| NOTE | The scenarios above are ones I have tested. It is possible that we could see the same error under different circumstances. If you know of other circumstances, feel free to email me. |
NEGATIVE CONDITIONS VERSUS POSITIVE CONDITIONS
| What is a negative condition? | A negative condition, is when we use things like "Is Not", "Not Ends With", "Not Starts With".In SQL Server, it might be things like, "<>", "!", "NOT", "NOT LIKE". |
| A negative condition will normally result in an Index Scan instead of an Index Seek. This can negatively affect query performance on the backend SQL Server, which in-turn could affect performance of the Identity Management Service and Portal. | |
| What is a positive condition? | A positive condition is when we use things that do not have the NOT keyword. Example would be "Starts with", "Is"."Ends With" could be considered a positive condition, but it implies a wild card at the beginning of the search criteria, which will result in a Table Scan. Table Scans can cause performance related issues. |
| You can benefit through the use of a positive condition, because the positive condition would allow you to possibly use an "Index Seek" which can provide performance related benefits. |
RECOMMENDATIONS / BEST PRACTICES
- Use Positive Conditions rather than negative conditions in your Criteria for your Criteria Based Groups
- If you need to use Negative Conditions, use a very small amount
- Minimize the overall number of conditions
- Utilize Nested Sets and/or Nested Groups to help minimize the number of conditions
ADDITIONAL RESOURCES
- Best Practices for FIM 2010: https://technet.microsoft.com/en-us/library/ff608274(v=WS.10).aspx
- Understanding Deferred Evaluation of criteria-based groups: https://technet.microsoft.com/en-us/library/jj863243(v=ws.10).aspx
- FIM 2010 Distribution Group Management with Custom Attribute as a Filter Criteria: https://blogs.technet.microsoft.com/meamcs/2011/09/22/fim-2010-distribution-group-management-with-custom-attribute-as-a-filter-criteria/
- Set (and Group) criteria filters: https://blog.msresource.net/2011/10/06/set-and-group-criteria-filters/
- FIM xPath Filter Dialect: https://msdn.microsoft.com/en-us/library/windows/desktop/ee652287(v=vs.100).aspx
- SQL Server: Scans vs. Seeks: https://blogs.msdn.microsoft.com/craigfr/2006/06/26/scans-vs-seeks/
3RD PARTY BLOGS
- SQL Server - Index Seek vs. Index Scan (Table Scan): https://blog.sqlauthority.com/2007/03/30/sql-server-index-seek-vs-index-scan-table-scan/