System Delay Issue Caused by Repeated Calls to Role.UserFolder.AddRoleMember Function

0050O00000721iMQAQ · April 23, 2024, 12:01pm

The user permission management program under development is adding users to roles through the following SDK via Component Integration.

(Role:VideoOS.Platform.ConfigurationItems.Role)

Role.UserFolder.AddRoleMember(userSid)

The site already has over 50 roles.

When the program repeatedly calls the above function to add the user as a member of all roles, severe system delays occur after around 20 calls.

Symptoms:

-Unable to login through the smart client

-Live video freezes

The symptoms disappear once the last execution is complete in the slowed-down state with increased function execution time.

Testing:

Even adding a 1000ms delay between each AddRoleMember call causes the symptoms to occur.

Request:

Please provide any guidelines or points to check regarding the use of this function.

Attached:

The following function repeatedly calls AddRoleMember.

thanks.

//roles : current milestone system roles

//userSid : sid to add

//thirdpartyRoleKey : target role id (use role desc field)

//ex : exception message

public static int AddUserToRole(List roles, string userSid, string thirdpartyRoleKey, out string ex)

{

ex = string.Empty;

try

{

var role = roles.Find(it => it.Desc == thirdpartyRoleKey);

if (role == null)

{

  return -1; //not found

}

if (role.Role == null)

{

  ex = "ConfigurationItem is null";

  return -1;

}

if (role.Role.UserFolder == null)

{

  ex = "role.Role.UserFolder is null";

  return -1;

}

bool exist = false;

foreach (var user in role.Role.UserFolder.Users)

{

  if (user.Sid == userSid)

  { exist = true; break; }

}

if (exist == true)

{ //already user exist

  return 0;

}

var task = role.Role.UserFolder.AddRoleMember(userSid);

if ((task != null) &&

  (task.State == VideoOS.Platform.ConfigurationItems.StateEnum.Success))

{

  return 1;

}

}

catch (Exception e)

{ ex = e.ToString(); }

return -1;

}

public class MIPRole

{

public MIPRole(VideoOS.Platform.ConfigurationItems.Role role, string name, string thirdpartyRoleKey)

{

Role = role;

Name = name;

Desc = desc;

}

public VideoOS.Platform.ConfigurationItems.Role Role { get; set; } = null;

public string Name { get; set; } = string.Empty;

public string Desc { get; set; } = string.Empty;

public override string ToString()

{

return $"{Name}({Desc})";

}

Bo_Ellegard_Andersen · April 25, 2024, 1:23pm

This is a known limitation in the current design of the XProtect VMS.

When you add the first user, the server invalidates the cached security objects.

When you add the second user, the first step is for the server to validate whether you have the rights to do so, this step will not be performed before a new set of security objects have been loaded from scratch. When the second user is finally added, the server invalidate the cached security objects.

The same picture applies when you continue to add more.

Furthermore the process of invalidating and refreshing the security objects get slower when it grows in size.

The limitation has nothing to do with the Configuration API, you could find yourself in the same situation if you quickly added users in the Management Client.

It is strongly recommended that you instead add an AD group, and then you maintain your AD groups outside of XProtect.

Milestone is looking into changing this. Milestone has a number of ideas for improving and modernizing the XProtect VMS, and the way security is handled and updated has been identified as one area to change. There is currently no information on when this change might be developed and released.

0050O00000721iMQAQ · April 26, 2024, 12:54am

Thank you for your kind explanation.

I will look for a call interval that does not strain the cache scheduling of security objects within the current system.