Idea Details

UUIDs for Accessor IDs, Ownerships, and Permits

Last activity 02-09-2017 10:34 AM
11-02-2016 11:29 AM

When logging a resource access event to CA Compliance Manager, a logstream record is generated with variable length fields. However, when that record is offloaded, those fields are placed in fixed positions, resulting in a record that can reach 6468 bytes. As additional data is added, the record will invariably become even larger.

The event record contains the full permit (if any) associated with the event. This data can occupy a lot of space, up to 2829 bytes.

I would like to suggest that a better solution would be to generate UUIDs on the creation of an accessor ID, on the assignment of a resource ownership, and on the issuance of a permit.

A UUID (1+36 bytes) associated with the accessor ID could be used in place of EVTUSERID (1+8 bytes) and EVTUSERNAME (1+2+256 bytes), resulting in a net savings of up to 231 bytes.

A UUID (1+36 bytes) associated with a permit could be used in place of POLKEY (1+2+256), POLRULE (1+2+512), POLLINE (1+2), POLTOD (1+26), POLACIDTYPE (1+1), POLACID (1+8), POLPERMIT (1+2+2048), resulting in a net savings of up to 2829 bytes.

A UUID for up to two (2) resource owners (volume + dataset) would add 74 bytes, and for an additional permit (volume + dataset) would add another 37 bytes.

Overall, the net savings could amount to as much as 2949 bytes per event record.

The display of UUIDs associated with accessor IDs, resource ownerships, and permits could be controlled by a new DATA(...) operand. For example, DATA(UUID).

These UUIDs could be used in the event logs, significantly reducing the size of the event records, and reducing CPU time during event logging.

The UUIDs could be recorded in CIA, where they could then be used to match events against specific accessor IDs, resource ownerships, and permits.

John P. Baker


Comments

02-09-2017 10:34 AM

In addition to the storage savings that the use of a UUID would provide, it also offers the possibility of performing point-in-time analysis.

If permit-1 has an associated UUID-1 that is valid from time-1 thru time-2, is then revoked, and is then replaced with permit-2 having associated UUID-2, then a reporting program looking at the data can accurately report on the associated resource access events.

John P. Baker
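The point-in-time matching described in the comment above, as an added example that is not part of this thread or of CA Compliance Manager: a small Python reporter (permit names, UUIDs, field subset and timestamps are all constructed) that resolves each event's permit UUID to the permit version that was in force at event time, and flags events logged against a revoked or never-recorded UUID.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data (not from the thread): two versions of the "same" permit.
# Rule text is identical, so only the UUID tells them apart; UUIDs and times are made up.
@dataclass(frozen=True)
class Permit:
    uuid: str
    polkey: str                   # resource key, as in the POLKEY field
    polrule: str                  # access rule, as in the POLRULE field
    valid_from: datetime          # issuance time (inclusive)
    valid_to: Optional[datetime]  # revocation time (exclusive); None = still in force

UUID_1 = "11111111-1111-4111-8111-111111111111"  # hypothetical
UUID_2 = "22222222-2222-4222-8222-222222222222"  # hypothetical
PERMITS = {
    UUID_1: Permit(UUID_1, "PAYROLL.MASTER", "READ", datetime(2017, 1, 1), datetime(2017, 2, 1)),
    UUID_2: Permit(UUID_2, "PAYROLL.MASTER", "READ", datetime(2017, 2, 1), None),
}

def permit_at(permit_uuid: str, when: datetime, permits=PERMITS):
    """Resolve an event's permit UUID to the permit version in force at event time.
    Returns (permit_or_None, status); status is 'ok', 'unknown-uuid' (never recorded)
    or 'outside-validity' (recorded, but not in force when the event happened)."""
    permit = permits.get(permit_uuid)
    if permit is None:
        return None, "unknown-uuid"
    if when < permit.valid_from or (permit.valid_to is not None and when >= permit.valid_to):
        return permit, "outside-validity"
    return permit, "ok"

def report(events, permits=PERMITS):
    """Annotate (timestamp, permit_uuid) events with the matched permit version and status.
    'outside-validity' rows are the ones an auditor reviews first: an access logged
    against a permit that was already revoked should not appear in a consistent log."""
    rows = []
    for when, permit_uuid in events:
        permit, status = permit_at(permit_uuid, when, permits)
        rows.append((when.isoformat(), permit.uuid[:8] if permit else "-", status))
    return rows

# Constructed events: one under each permit version, one logged against the revoked
# version after its replacement, and one carrying a UUID that was never recorded.
SAMPLE_EVENTS = [
    (datetime(2017, 1, 15, 9, 30), UUID_1),
    (datetime(2017, 2, 10, 9, 30), UUID_2),
    (datetime(2017, 2, 10, 9, 31), UUID_1),
    (datetime(2017, 2, 10, 9, 32), "99999999-9999-4999-8999-999999999999"),
]
```

Because both permit versions carry the same POLKEY and POLRULE text, a report that joined on those fields alone could not tell which version authorized a given event; the UUID plus its validity window makes the match unambiguous.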

02-07-2017 03:59 PM

Thanks John. Reviewing with engineering, including any alternative ways of accomplishing the end goal.