Authorization Cache

When a user logs in, CA Identity Manager uses admin role membership to determine the user's capabilities. Each role type contains policies, which are sets of rules to be evaluated. The evaluated policies are stored in the authorization cache. This improves performance, because CA Identity Manager takes the policies from the cache the next time authorization evaluation is required. CA Identity Manager uses the authorization cache for all security checks. For example:

When a role membership, administration, or ownership calculation is required, CA Identity Manager checks the authorization cache to determine whether the information has already been calculated. If the cache contains the required information, CA Identity Manager returns the cached information. If the information does not exist in the cache, CA Identity Manager calculates the set of roles, caches the results, and returns the cached information to the user.

When a user is modified, the role cache for that user is flushed. The roles for the modified user are then recalculated on the next request. When a role is modified, each user cache for that specific role is also deleted and is recalculated on the next request.

All the caches use a Least Recently Used (LRU) caching algorithm. If a cache is at capacity, the least recently used object is removed when a new entry is added.
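
The lookup, flush, and LRU eviction behavior described above, modeled as an added Python example; it is not CA Identity Manager code. The class and method names, the (user, role) cache key, and the sample users and role policy are assumptions made for illustration.

```python
from collections import OrderedDict

class AuthorizationCache:
    """Illustrative model only: caches (user, role) -> membership decision."""

    def __init__(self, capacity, users, policies):
        self.capacity, self.users, self.policies = capacity, users, policies
        self.entries = OrderedDict()  # least recently used entry is first
        self.evaluations = 0          # how often a policy was actually evaluated

    def is_member(self, user_id, role):
        key = (user_id, role)
        if key in self.entries:                # hit: reuse the stored decision
            self.entries.move_to_end(key)
            return self.entries[key]
        self.evaluations += 1                  # miss: evaluate, then cache
        decision = self.policies[role](self.users[user_id])
        self.entries[key] = decision
        if len(self.entries) > self.capacity:  # over capacity: evict the LRU entry
            self.entries.popitem(last=False)
        return decision

    def user_modified(self, user_id):
        """Flush every cached decision for one user."""
        for key in [k for k in self.entries if k[0] == user_id]:
            del self.entries[key]

    def role_modified(self, role):
        """Flush every user's cached decision for one role."""
        for key in [k for k in self.entries if k[1] == role]:
            del self.entries[key]

def demo():
    # Constructed sample data: one role whose policy is "department is IT".
    role = "HelpDeskAdmin"
    users = {"alice": {"dept": "IT"}, "bob": {"dept": "HR"}, "carol": {"dept": "IT"}}
    policies = {role: lambda u: u["dept"] == "IT"}
    cache = AuthorizationCache(2, users, policies)
    out = {"granted": cache.is_member("alice", role)}
    users["alice"]["dept"] = "Sales"           # user modified, cache not flushed yet
    out["stale"] = cache.is_member("alice", role)
    cache.user_modified("alice")               # flush, so the next request recalculates
    out["after_user_flush"] = cache.is_member("alice", role)
    policies[role] = lambda u: u["dept"] == "Sales"   # role policy modified
    cache.role_modified(role)
    out["after_role_flush"] = cache.is_member("alice", role)
    for uid in ("bob", "alice", "carol"):      # third user evicts the LRU entry (bob)
        cache.is_member(uid, role)
    out["cached_users"] = [k[0] for k in cache.entries]
    out["evaluations"] = cache.evaluations
    return out
```

The `stale` result shows why the flush on modification matters: until the entry is removed, the cache keeps returning the decision that was calculated before the change.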