When defining rules, be as granular as possible and put the most restrictive rule element first, so that people who do not match it are not evaluated against the remaining elements; this keeps performance from degrading when you define hundreds of rules.
- Example: If you have a rule based on location, department, and role, and you have 3 locations, 200 departments, and 2 roles, you would want to use 'Department' as the first rule element, then 'location', then 'role', joined with the qualifier 'and'.
- This means that if you are not in a certain department, you do not match the first rule, and are not evaluated for the remaining rules.
- Performance is not compromised by having to traverse all 2 roles, 3 locations, and then 200 departments.
You can also nest rules, which is very important if you have an 'or' condition that you want to combine with an 'and' condition.
We have found this a very effective way to manage our group assignments and permissions in Oracle Internet Directory, Active Directory, and previously eDirectory.
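As an added illustration (not code from the original post or from any of the directories named), a small Python rule evaluator that counts how many attribute comparisons each element ordering costs against a constructed directory with the post's 3 locations, 200 departments and 2 roles; the attribute names, values and user count are assumed.

```python
from dataclasses import dataclass

# Constructed sample directory: 1,200 users spread over 3 locations,
# 200 departments and 2 roles (the proportions used in the post).
def build_users(n=1200):
    return [{"location": f"loc{i % 3}", "department": f"dept{i % 200}",
             "role": f"role{i % 2}"} for i in range(n)]

@dataclass
class Attr:                      # one attribute comparison, e.g. department == dept7
    name: str
    value: str
    def matches(self, user, cost):
        cost["comparisons"] += 1   # count every comparison actually performed
        return user.get(self.name) == self.value

@dataclass
class And:
    parts: list
    def matches(self, user, cost):
        # all() stops at the first False: a user failing an early element
        # is never compared against the later ones.
        return all(p.matches(user, cost) for p in self.parts)

@dataclass
class Or:
    parts: list
    def matches(self, user, cost):
        return any(p.matches(user, cost) for p in self.parts)  # stops at first True

def evaluate(rule, users):
    """Return (matching users, number of attribute comparisons performed)."""
    cost = {"comparisons": 0}
    members = [u for u in users if rule.matches(u, cost)]
    return members, cost["comparisons"]

def compare_orderings(users):
    """Same rule, two orderings; returns (member count, cost_selective, cost_broad)."""
    dept, loc, role = Attr("department", "dept7"), Attr("location", "loc1"), Attr("role", "role1")
    m1, cost_selective = evaluate(And([dept, loc, role]), users)  # most restrictive first
    m2, cost_broad = evaluate(And([role, loc, dept]), users)      # least restrictive first
    assert m1 == m2  # ordering changes the cost, never the membership
    return len(m1), cost_selective, cost_broad

def nested_example(users):
    """An 'or' nested inside an 'and': dept7 users in either of two locations."""
    rule = And([Attr("department", "dept7"),
                Or([Attr("location", "loc0"), Attr("location", "loc1")])])
    members, cost = evaluate(rule, users)
    return len(members), cost
```

With department first, the rule costs 1,208 comparisons for the 1,200 users; with role first it costs 2,000, for the same two members.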