Maintaining a label-based access-control implementation
Optimizing database performance can require adjusting the values of configuration parameters for security policies and user credentials.
Run the onstat -g cac lbacplcy and onstat -g cac lbacusrc commands to monitor the label-based access control (LBAC) caches.
Set the following configuration parameters to control the LBAC caches:
- PLCY_HASHSIZE
- Specifies the number of hash buckets in the security policy information cache.
- PLCY_POOLSIZE
- Specifies the maximum number of entries in each hash bucket of the security policy information cache.
- USRC_HASHSIZE
- Specifies the number of hash buckets in the LBAC credential memory cache.
- USRC_POOLSIZE
- Specifies the maximum number of entries in each hash bucket of the LBAC credential memory cache.
Tuning the LBAC caches
Poor performance of a database with tables protected by LBAC can indicate that the system is unnecessarily relying on disk operation more than on LBAC-related caching to retrieve information from memory.
Fine-tuning one or more of the LBAC configuration parameters in the onconfig file can improve performance for queries that are frequently run on protected tables. For example, if the value for the PLCY_HASHSIZE configuration parameter is set too low, there are not enough hash buckets that are allocated for security policy information caching and so some database performance that involves LBAC-protected tables declines.