Policy Limits¶
There are several limits on business entities that should be considered when designing your policies.
As the policies interact with several resources like Asset Model, Time Series Data, Events and Integrated Data Lake, these limits ensure that the performance of Insights Hub remains high.
There are few limits that applies specifically to the subscribers of Capability Packages. The following table depicts the technical limits on various parameters for all Resource Packs (XS, S, M, L, XL).
| Parameter | XS | S | M | L | XL | |
|---|---|---|---|---|---|---|
| No. of Policies per Account | 50 | 100 | 150 | 200 | 250 |
Boundary conditions¶
Once the Resource Access Management feature is switched ON through Settings UI application, certain limits are applicable on the amount of various object types, as mentioned below.
| Object Type | Limit | Remarks |
|---|---|---|
| Subjects (Users / User Groups) per Policy (*) | 10 | This represents the aggregated sum of Users and User Groups in a policy |
| Rules per Policy | 5 | This represents the number of rules in a policy |
| Actions per Rule | 20 | This represents the number of actions in a Rule |
| Resources per Resource Group (*) | 20 | This represents the number of Resources in a Resource Group |
| (Resources / Resource Groups) per Rule | 20 | This represents the aggregated sum of Resources and Resource Groups |
| Resource Groups per Rule (*) | 2 | This limit is set within the above aggregated block |
| Resource Groups per Account (*) | 10 | This represents the number of Resource Groups allocated per account |
| Resource Group associations across Policies | 5 | This represents the number of Policies to which a single Resource Group can be added |
| User Group associations across Policies (*) | 5 | This represents the number of Policies a User Group can be part of |
| Policies per Account (*) | 50 | This represents the number of Policies allocated per account |
(*) For use cases which do not fit within these limits, kindly contact us via Support Team. Once the allocated quota is exhausted, further creation requests will result in the error 400: Bad request with an appropriate error message.
Technical Limits¶
Apart from the above specified boundary conditions, the following technical limits are implemented to ensure reliable system performance.
| Object Type | Technical Limit |
|---|---|
| Subjects (Users / User Groups) per Policy | 25 |
| Resources per Resource Group | 100 |
| Resource Groups per Rule | 4 |
| Resource Groups per Account | 50 |
| User Group associations across Policies | 10 |
| Policies per Account | 350 |
On reaching the system limit, further creation requests will result in the error 400: Bad request with an appropriate error message.
Policy Modelling Recommendations¶
- On exhausting Policy quota, if there are too many inactive policies, those can be reused or cleaned up for configuring more policies.
- Resource Groups are powerful elements for organizing the relevant resources and get better control of the collection. These should be used wherever possible. It also allows managing fine-grained access for a greater number of resources.
- For better performance, a given User or User Group should not be part of more than 5 policies.
- Similarly, for better performance, a given Resource Group should not be part of more than 5 policies.