Very slow processing of attribute-filter.xml with many AttributeFilterPolicy elements

Peter Schober peter.schober at
Thu Nov 27 08:11:19 EST 2014

* Lukas Hämmerle <lukas.haemmerle at> [2014-11-27 13:46]:
> On 27.11.14 11:21, Peter Schober wrote:
> > Jfyi, back when I manually managed filters for Univie's internal SPs
> > that was what I usually did, as it was clear we'd have more SPs than
> > we'd have attributes to release, i.e. this makes for fewer rules to
> > manage.
> > (At the cost of someone wanting to see what a specific SP will get
> > having to look for multiple occurances of that SP's entityID in the
> > filter.)
> Another option we are thinking about is to create rules for attribute
> bundles. This then would reduce the number of AttributeFilterPolicy
> while keeping the possibility to easily see which attributes a
> particular SP gets:
> > <AttributeFilterPolicy id="bundle-email-givenName-sn>

Yup, for Univie I also had a single rule for givenName, sn,
displayName and email, as (a) most of the services need those together
anyway, and (b) by giving away one (e.g. name) you usually also give
away the other (named based email addresses).
But since you already reduce the number of rules (by doing
per-attribute rules instead of per-SP) I doubt losing fine grained
policies is worth it.
And of course there will be exceptions (where you don't want one of
those attributes to be released) and while you could handle
those with <DenyValueRule>s I'm not sure that will make things much
easier. OTOH, as I understand it people will automatically import
those rules and not really look at them much (or at all).

But of course +1 to Anders' comment and I didn't mention Entity
Categories at all since you of course know all about that and still
asked about generating filter policies specifically.

For ACOnet these days I really only document attribute release based
on entity categories. If you hence limit filter rules to those SPs not
currently (sufficiently) covered with entity category-based rules
you'd cur down on the size even more, and more in the future, with
more entities using those categories and more categories popping up.

More information about the users mailing list