Improving performance by using RLS algorithms

The row-level security (RLS) feature enables an administrator to filter database content based on user-specific roles.

The AR System server adds constraints to the SQL statement to restrict access. This might increase the complexity of SQL or might affect the AR System server performance. For this, the AR System server provides multiple RLS algorithms. Depending on your requirement, you can select an algorithm at the system level or at a form level.

Using the AR System:RLS Autodiscovery form to set the RLS algorithm

The AR System:RLS Autodiscovery form provides you with some insight into the RLS queries used in the backend. The AR System:RLS Autodiscovery form displays the details of forms where the RLS query takes longer time to fetch the underlying data. For such forms, you can consider switching to an alternative RLS algorithm, such as Subquery.

The AR System:RLS Autodiscovery form displays the following details:

RLS queries that have been run in your environment that cross the threshold limit set in the Rls-Autodiscovery-Minimum-Elapsed-Time setting. This setting is for the com.bmc.arsys.server.shared component.
List of forms where the RLS query crossed the threshold limit set in the Rls-Autodiscovery-Minimum-Elapsed-Time setting.
The number of times RLS query runs on a particular form that crosses the threshold limit set in the Rls-Autodiscovery-Minimum-Elapsed-Time setting.
The time required to fetch data from each RLS query if the query crosses the threshold limit set in the Rls-Autodiscovery-Minimum-Elapsed-Time setting.

For more information, see Rls-Autodiscovery-Minimum-Elapsed-Time.

The following screenshot displays the AR System:RLS Autodiscovery form:

The AR System server adds a record in the AR System:RLS Autodiscovery form through an asynchronous process without impacting the system performance. Before adding a record, the AR System server verifies the following details:

The query is RLS based.
The Subquery algorithm is not enabled on the queried form.
At the database level, the RLS query takes more time than the value specified for the Rls-Autodiscovery-Minimum-Elapsed-Time setting in the Centralized Configuration.
The default value of the Rls-Autodiscovery-Minimum-Elapsed-Time setting is 5 seconds.

RLS algorithm options

The Row Level Security Fields panel on the Definitions tab in the Developer Studio offers the following algorithms to fetch data from the database.

Default
RLS Split
Combined likes
Subquery

Default

The value of the Default algorithm is set by the AR System server and is dependent on the value of Disable-New-RLS-Implementation parameter that is set in the Centralized Configuration.

If the Disable-New-RLS-Implementation parameter is set to True, the Combined likes algorithm is set as the Default algorithm.

If the Disable-New-RLS-Implementation parameter is set to False, the RLS Split algorithm is set as the Default algorithm.

RLS Split

When you select this option, the AR System server builds an SQL query by using the predefined RLS Split function to evaluate the RLS. This option overrides the value of Disable-New-RLS-Implementation parameter for the current form.

Important

You cannot use the RLS Split algorithm on a Vendor form.

Combined likes

When you select this option, the AR System server builds an SQL query by using LIKE and OR operators. This option overrides the value of the Disable-New-RLS-Implementation parameter for the current form.

Subquery

Before using the Subquery algorithm, ensure the following:

On the Row-Level security fields panel, select the Enable Security Table checkbox.

Ensure that the value of the Overlay-mode parameter in the Centralized Configuration is not zero.

When you select this checkbox, the AR System server creates a new Security table (S table) with the same schema ID as that of the database table. This one-time asynchronous operation separates permission data to a new S table.

When performing a query on a form by using the Subquery algorithm, the S table is accessed as a nested query of the main query against the data table (T table). This enables the database to utilize indexes more efficiently and return results faster.

The AR System server might take time to populate initial data in an S table. The time depends on the number of records you have in the database. You can view the status of the S table by using the RLS Migration Pending form. While the AR System server is populating data in the S table for a form and you update another form to populate the S table, the request for populating data in the S table is queued.
We recommend monitoring the RLS Migration Pending form for any failure. If an error occurs, correct the error and resume the migration process.
When you select the Subquery algorithm and you run a query while data is populating in the S table, the AR System server uses the value set for the Default algorithm.

Important

You cannot use the Subquery algorithm on a Vendor form.

Using the Subquery algorithm for Join forms

A join form fetches data from the underlying member forms. Therefore, to use the Subquery algorithm on Join forms, you must enable the Subquery algorithm for the member forms. If any base form migration runs for a long time or fails, the utility skips the join form. In this case, you need to again run the utility after the migration is complete.

When you enable the Subquery algorithm for a join form, the utility waits for completing the migration process on base forms.

To enable the Subquery algorithm on a Join form, you must:

Identify the dynamic access fields on the Join form.
Identify the member forms from where the dynamic access fields are coming.
Enable S table for all member forms that are sourcing the dynamic access fields.

You can use the Subquery algorithm on the Join form as shown in the following example:

In this diagram:

The AST:ComputerSystem is the join form with AST:Attributes and BMC.CORE:BMC_ComputerSystem as member forms.
The BMC.CORE:BMC_ComputerSystem is also a join form with the BMC.CORE:BMC_ComputerSystem_ and BMC.CORE:BMC_BaseElement as member forms.
Since the dynamic access fields 112 and 60989 are coming from the BMC.CORE:BMC_BaseElement form, you must enable the subquery algorithm on the BMC.CORE:BMC_BaseElement form and on the AST:ComputerSystem form.

Learning more about improving performance by using the Subquery algorithm

Watch the following video (37:21) to learn how to use the subquery algorithm to optimize Row Level Security searches. The webinar also covers RLS Subquery implementation, query format, and troubleshooting best practices.

https://youtu.be/qaS1Ha5yigA

List of forms supported for enabling the subquery algorithm

We recommend enabling the subquery algorithm on the following forms:

List of forms to enable the subquery algorithm

AAS:WorkInfo
AST:BaseElement
AST:CI Unavailability
AST:CI Unavailability CI Join
AST:WorkLog
BMC.CORE:BMC_BaseElement
CHG:CollisionChangeCIAssociationsASTBaseElement_Join
CHG:Infrastructure Change
CHG:WorkLog
COM:Company
CTM:People
CTM:People WorkLog
CTM:ServiceCompanySupportGrpAssoc
CTM:Service_Company_People_Assoc_Join
CTM:SprtGrpFunRoleLookup_SvcCpySprtGrp_Join
CTM:Support Group
CTM:Support Group Association
CTM:SupportGroupFunctionalRole
HPD:Help Desk
HPD:Help Desk Assignment Log
HPD:IncidentInterface
HPD:WorkLog
INT:HPDSLM:HelpDesk_SLM_Join_Outer
PBM:Investigation WorkLog
PBM:Known Error
PBM:Known Error WorkLog
PBM:Problem Investigation
RKM:UpdateRequests
RMS:Release
RMS:WorkLog
SHR:Union_OverviewConsole
SLM:Measurement
SMT:Social_FollowConfig
SMT:Social_WorklogView
SMT:UnionSmartIT_Min_Tic_Console
SMT:UnionSmartIT_TicketConsole
SRM:Request
SRM:RequestInterface
SRM:WorkInfo
TMS:Task
TMS:WorkInfo
WOI:WorkInfo
WOI:WorkOrder
WOI:WorkOrderInterface
WOI:WorkOrderInterface_Create

If the AR System:RLS Autodiscovery form or the flat file has supported view forms, the AR System server enables the Subquery algorithm for all corresponding forms and creates S tables for forms.

Changing the Row-level security (RLS) algorithm by using the arrls command

Use the arrls command on the RLS-enabled forms to automatically set the RLS algorithm to Subquery. When you set the Subquery algorithm, it facilitates to fetch search results faster.

The arrls command accepts inputs from the AR System:RLS Autodiscovery form and also from the flat file. You can manually create the flat file. The flat file and the arrls command file (arrls.bat or arrls.sh) must reside in the same folder. For the sample file, see rls_form_list.txt.

The arrls command first updates the form names in the AR System:RLS Autodiscovery form, where the repeat count is more than the value specified in the Rls-Autodiscovery-Minimum-Elapsed-Time setting and then updates the forms specified in the flat file.

The arrls command and options

Perform the following steps to obtain the arrls utility from the BMC Electronic Product Distribution (EPD) site:

On the BMC Electronic Product Distribution (EPD) site, from Products, select BMC Helix Innovation Suite OnPrem.
Select the latest version.
From the Product tab, select BMC Helix Innovation Suite Utilities > AR_UTILITIES.zip.
Download the AR_UTILITIES.zip file.
The AR_UTILITIES.zip file includes AR_UTILITIES\windows\utilities\arrls.bat and AR_UTILITIES\linux\utilities\arrls.sh files.

Run the arrls utility from the command line.

The arrls command syntax

[-u] [-p] [-x] [-t] [-file] [-algo]

The arrls command example

arrls -u Demo -p Password -x vw-pun-ar1 -t 46262 -file /temp/rls_form_list.txt -algo Subquery

The following table describes the arrls command options, which can be used in any order in the command:

Option	Description
-u	Name that identifies the user account for the AR System server.
-p	Password for the user account. If you have a blank password, you can ignore this option.
-x	Name of the server to connect to.
-t	TCP port number to connect to. If the port number is unknown, use -t 0.
-file	Text file with form names specified on a new line. For the sample file, see rls_form_list.txt.
-algo	The RLS algorithm. The options are: Subquery Combined_Likes RLS_Split Default

Important fields on the RLS Migration Pending form

The following RLS Migration Pending form shows the S table population status:

221_RLS-Migration Pending.png

The following table describes some of the important fields on the RLS Migration Pending form:

Field	Description
Form	The source form from which the RLS field data is populated.
Status	Describes the S table status with one of the following options: Pending In Progress Completed Terminated With Error
Processing Start Time	Describes the time when data starts populating in the S table.
Last Processed Entry ID	Indicates the last Entry ID processed from the last chunk of records. If the server stops while populating data in the S table, the thread uses the Entry ID to continue populating data in the S table.
Old RLS Algorithm	Indicates the previously configured algorithm for the form. The AR System Server uses the old algorithm when populating data in the S table.
Total Entries	Indicates the total number of entries to be moved to the S table.
Entries Processed	The number of entries processed so far.
Error Details	Describes errors (if any) encountered while the S table is being populated.
Resume Migration	If an error occurs when the AR System server populates data in the S table, rectify the error, and select this option to resume populating data in the S table.