Privilege Recommendations

This is one of the data gathering methodologies and recommendations for functional performance improvement. The full list is defined in the Functional Performance Recommendations topic here.

While STEP supports a very granular privilege system, complex privilege models can degrade performance. Running STEP as a user with a large number of very specific privileges affects the performance of any action in STEP that goes across a large number of nodes, values, or references. This performance hit includes export, import, bulk update, recursive approval, matching, and 'multi views' like task list and multi editor.

For more information, see the Privilege Rules topic in the System Setup / Super User Guide documentation here.

Privilege Configurations

Privileges are additive only, which means that whenever a basic action is executed, STEP looks for the first privilege that provides the permission.

In terms of performance, the most expensive privilege check is attempting a task for which the user does not have access. The least expensive privilege check is when a user has global permission to everything.

Additionally, consider the following when setting privileges:

Privileges at Imports and Exports

When importing and exporting data, all privileges are checked for each piece of information imported or exported.

Ensure that any imports / exports run as a user with as broad and few privileges as possible to avoid excessive privilege-checking and improve performance dramatically. Only the user configured on the endpoint as the importer / exporter is relevant; this user should generally have relatively few permissions.

Privileges in the Web UI

A typical Web UI screen fetches all attribute values from the attribute group defined in the Web UI screen. The screen then filters out the attributes based on validity for the product type and based on user privileges.

When the Web UI user has complex privilege settings, the filtering of the data based on these settings is excessive, which can have a negative impact on the loading time of the screen.

Additionally, privilege restrictions can be set in the Web UI configuration itself. Use this functionality carefully since excessive privilege checking in the Web UI XML configuration can degrade performance. For example, privilege restrictions can be recognized in a Web UI XML file by searching for 'restrict='.
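
The search for 'restrict=' described above can be turned into a small audit that shows where restrictions sit and how often each one is used. This is an added example, not STEP tooling or code from the original documentation; the element names, ids and restriction values in the sample are constructed, and the only detail taken from the page is the 'restrict=' search string.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: element names, ids and restriction values are
# hypothetical, not taken from a real STEP Web UI configuration.
SAMPLE_CONFIG = """\
<webui>
  <screen id="ProductDetails">
    <component type="AttributeValue" restrict="group:Editors"/>
    <component type="AttributeValue" restrict="group:Editors"/>
    <component type="References">
      <action name="Remove" restrict="group:Admins"/>
    </component>
    <component type="Title"/>
  </screen>
  <screen id="TaskList">
    <component type="StatusFlag" restrict="group:Approvers"/>
  </screen>
</webui>
"""

def find_restrictions(xml_text):
    """Return (path, attribute, value) for every attribute that a text
    search for 'restrict=' would hit: any name ending in 'restrict'."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        # Label each element with an identifying attribute when it has one.
        ident = elem.get("id") or elem.get("name") or elem.get("type")
        here = path + "/" + elem.tag + ("[" + ident + "]" if ident else "")
        for attr, value in elem.attrib.items():
            if attr.endswith("restrict"):
                hits.append((here, attr, value))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits

def summarize(hits, depth=2):
    """Count restrictions per path prefix (depth 2 is one screen in the
    sample layout) and per restriction value."""
    prefix = Counter("/".join(p.split("/")[: depth + 1]) for p, _, _ in hits)
    values = Counter(v for _, _, v in hits)
    return prefix, values
```

Screens with the highest counts are the first candidates for review when loading times degrade; pass the contents of an exported configuration file to `find_restrictions` in place of the sample.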