Force Identity Service Refresh

  • 4 December 2014
  • 10 replies
  • 13670 views

This app will force refresh the K2 Identity cache for specified UserGroupRole. 4.6RTM > 4.6.4 --- The app will work 4.6.6 - Latest --- The app will work 4.6.5 --- App doesn't work but if you expire the identities in the db and then use the app it will work. Sample script to expire the identities. update [K2HostServer].[Identity].[Identity] set ExpireOn = GETDATE(), MembersExpireOn = GETDATE(), ContainersExpireOn = GETDATE() where Name like '%NAME%'


10 replies

HI Vernon, I've a question concerning this app.. I need to know which API or Web Service is being utilised by this app since in my environment the identity service stoped working and I've to force each and every role to be refreshed using this app. So I need to check if this is a configuration issue or what?

Userlevel 3
Badge +10

@SherifAbdelhadySo probably you solved your question long time ago, but is/was it the case when you have an issue with identity cache refresh for all roles or for some specific role/subset of roles? Off the top of my head K2 host service just monitor Identity.Identiy table for and triggers refresh based on "Expires On" time stamp for items and settings inside of Identity.Configuration table. If I am not mistaken this utility manipulates with time stamps in Identity.Identiy table and just gives you convenient of granular way of doing this.


 

Is there a manual or a "how to use" handbook?
After hitting "Clear Cache" how do I know the Indetities are being refreshed on the DB?
Is there a table I can query to see the processes running on the background?
TIA

Userlevel 3
Badge +10

@MikeyE There is no manual for the utility per se, but you have to have solid understanding of URM cache architecture and be aware of couple of gotchas when it comes to forced refresh.


With this utility you have to have understanding of K2 URM cache, and, secondly, be aware that all it does is manipulates with relevant values in K2 DB via API, allowing you to avoid direct DB edits which is never supported/recommended thing to do unless you were following K2 support instruction or 100% sure what you are doing and ready to take responsibility for you action.


And yes it allows you avoid bothering your SQL server admin in case you don't have direct access to the SQL server, but have access to K2 server.


 


Things to consider:


 



  • Main storage unit of User Role Manager cache is Identity.Identity table in K2 DB

  • It existense justified by the fact that direct calls to identity providers (AD, SharePoint) are always too costly to allow not using cache

  • By reading this KB - you will learn how to tweak caching as well get an idea how to check if cache was recently refreshed. Just take a note value of refresh interval configured for your environment and substract it from one of ExpireOn columns - it will give you indication of when it was refreshed last time. You can create SQL script/custom code to get this information more easily

  • Identity.Identity table has accompanying tables, and one of them holds information on relationship (membership) between groups and users. Important point to understand user A membership in a B group for user and information, and information that group B has User A as a member is one record in the DB

  • Based on above, you should never ever refresh membership for large scale groups like Domain Users in Production Environments as it trigger too much work for Identity resolution, and unneeded work - there is hardly a case when you need entire Domain Users group resolved in K2 (just think about all sorts of temp/guest and special accounts it may contain). The only use of this group in K2 you can see is granting Process Start rights, and for this you rather want to have confirm membership of your K2 users in Domain Users group but it does not imply that you want to have entire Domain Users group resolved (see point above to understand why)

  • You can also use SQL scripts to perfrorm forced identity refresh and make it more targeted using WHERE clause in your query. Some more details on this here

  • Eact time user/group is used in K2 for first time K2 makes direct call to provider, but all subsequent calls are asynchronous, meaning K2 serves call from cache quirying provider in parallel if needed

  • In case provider is unreachable for any possible reason (network down, lack of access) or object deleted/disabled on provider side it becoes Disabled in identity cache

  • When using Force Identity Refresh tool enter user/group/role name carefully and make sure you set checkboxes right (not markin user as a group etc.) - otherwise you end up with erroneous entry in identity cache table which you won't be able to delete

  • Very first logon for a user into K2 in a super huge AD DS environments (loads of groups and users) may be really slow for the very first time - this is explained by the fact that at this stage K2 resolves all user's groups (keep in mind group nesting). In large scale high latency AD DS environment this can take minutes. There are scripts you can use to avoid this by means of pre-caching this data into K2 identity cache before user even tries to logon


 


P.S. If you prefer official documentation once again start here - K2 Server Identity Cache Performance

This fails with an uncaught .NET exception. Great tool.

Userlevel 3
Badge +10

@twoormorecharac You don't even show us your ecxception and not provide details as to when you are getting it. Great post 🙂 On a serious note if you provide more information this may be fixed by tool creator. Tool is quite an old one - identity table has  changed tiny bit in 4.7 and .NET versions are different nowadays too...

@ @Mikhail You're right, wasn't very helpful my comment there.

 

If remember correctly I got a Null Reference Exception.

 

Went other ways afterwards, good luck.

How to use tool (refreshing group membership for example):


 


Scenario:



You added another user to the Finance Group (now 5 users).


 



But K2 only shows 4 users, as it is returning from the Identity Service cache.


 


This is because it  may  take 1+ hours from the last time the group membership had updated.  See below for more information:


http://help.k2.com/onlinehelp/K2blackpearl/ICG/4.7/default.htm#Configure/bp_IDCachePerfomance.htm


 


How to use the tool to force a refresh:


 


a. Run the tool (localhost if on the K2 server, otherwise specify the K2ServerName)
b. Specify the GroupName in the format "K2:DOMAINGroupName"
c. Select the "Group" option
e. Select the "MemberShip" option



f. Execute the tool to expire this group's membership; successful execution will return a 'Done' pop-up



g. To initiate the group membership update, run the 'SmartObject Service Tester Tool' located at 'C:Program Files(x86)K2 blackpearlBin'
h. Execute the SmartObject Explorer > All SmartObjects > 'UMUser' SmartObject > 'Get Group Users' method
i. Specify the Group Name in format 'DOMAINGroupName' and LabelName as 'K2'



j. Execute this method at least twice and check if membership reflects the Active Directory

Hey,

 

Is it possible to share Source code ?

 

-

I was experiencing issues with caching but nothing to do with users.  Posted a solution for a for caching issue at https://stackoverflow.com/questions/61073119/stop-k2-returning-cached-smart-object-results/*personal details removed* and linked to it at https://community.k2.com/t5/K2-Blackpearl-Forum-Posts/How-to-Manually-Clear-K2-Cache-C/m-p/87706/highlight/false#M27260.

Reply