Hi, In AuthorizableResourceProvider there is a call to principalManager.getPrincipals(searchType);
IIUC that lists all authorizables that match the search type. Eg, all users or all groups or all authorizables. This is probably Ok with 100 users, but not so ok with 25K users and 40K groups, as its called every time to do a call to http://localhost:8080/system/userManager/user/<userid>.json Did I understand correctly or am I reading the code incorrectly ? I think the stack trace is something like AuthorizableResourceProvider.listChildren PrincipalManagerImpl.getPrincipals DefaultPrincipalProvider.getPrincipals DefaultPrincipalProvider.findPrincipals with a null search filter (ie all the known Principals matching that type) Obviously AuthorizableResourceProvider.listChildren *should* list all Authorizables, but since in most systems that identify the users, there could be millions, this is probably not a good idea. AuthorizableResourceProvider should probably not list children as doing so will almost certainly crash the server for anything other than a trivial case. WDYT? Ian BTW, I must apologise for not doing much work on Sling in the last month, our release did not go smoothy and I have been firefighting. (fire still smouldering)
