The Cache configuration folder contains parameters that allow you to tune the Provisioning Server's use of its internal caches. Caches are used in the Provisioning Server to save information read from the provisioning directory so that it does not need to be read repeatedly in the same operation or across multiple operations.
Important! Changes to cache parameters do not take effect until the Provisioning Server service is restarted.
Each cache is controlled by the following parameters:
The maximum time in seconds that an item remains in the cache without being reread from the provisioning directory.
The maximum number of unused items to retain in the cache. While a cache item is being used by an operation, it is considered in-use, and there is no limit on the number of in-use cache items. However, when all operations finish with the cache item, it is marked unused and retained only when the number of used and unused items in the cache is no more than the configured maximum size.
Cache items are also removed from a cache when explicitly canceled. This occurs when a change is made to the provisioning directory data from which the cache item originates. This cache invalidation only occurs on the Provisioning Server that processed that provisioning directory update. If you have multiple provisioning domains or alternative servers serving a single domain, other servers may have cache items still derived from the prior data. That is why there is a cache maximum age parameter.
Cache items also are canceled when access is to be denied. The privilege caches (Admin Profile, Global User and Global User Group) contain privilege information used to perform authorization checks. If you have recently assigned a privilege to someone, you do not want to have to wait up to 10 minutes (the default cache maximum age for these caches) for that privilege addition to be recognized. Therefore if an authorization check using cached privileges is about to report DENIED, the cache items are canceled and re-initialized from the provisioning directory. If the result is still DENIED, that authorization failure is reported to the administrator.
Important! When you remove a privilege from a global user, admin profile, or global user group, expect the change to take effect at most 10 minutes (the default) after the time of the change. In most cases this is sufficient. However, if the reason for removing the access is to remove an imminent security threat, ensuring immediate enforcement of that privilege change requires you to restart all affected Provisioning Server services.
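The following Python model is an added illustration, not CA code: it reproduces the behavior described above, where a new privilege is recognized at once because a pending DENIED forces a reread, while a removed privilege keeps being honored until the cache item reaches its maximum age or the service restarts. The class, function, user, and privilege names are hypothetical, and the directory is a plain dictionary assumed to be updated through a different server.

```python
import time

MAX_AGE = 600  # seconds: the 10-minute default the page gives for privilege caches

class PrivilegeCache:
    """Toy model of one server's privilege cache; names are hypothetical."""

    def __init__(self, directory, max_age=MAX_AGE, clock=time.monotonic):
        self.directory = directory  # dict user -> set of privileges (the directory)
        self.max_age = max_age
        self.clock = clock
        self.items = {}             # user -> (privileges, time loaded)

    def _load(self, user):
        privs = frozenset(self.directory.get(user, ()))
        self.items[user] = (privs, self.clock())
        return privs

    def _cached(self, user):
        entry = self.items.get(user)
        if entry is None or self.clock() - entry[1] >= self.max_age:
            return self._load(user)  # missing or past maximum age: reread
        return entry[0]

    def check(self, user, privilege):
        if privilege in self._cached(user):
            return "ALLOWED"         # a stale grant is honoured without a reread
        self.items.pop(user, None)   # about to report DENIED: cancel the item
        return "ALLOWED" if privilege in self._load(user) else "DENIED"

    def restart(self):
        self.items.clear()           # a service restart starts with empty caches

def revocation_timeline(restart_after_revoke=False):
    """Constructed scenario: directory changes are processed by another server,
    so this server's cache gets no explicit cancellation."""
    now = [0.0]
    directory = {"jdoe": {"read"}}
    cache = PrivilegeCache(directory, clock=lambda: now[0])
    seen = [cache.check("jdoe", "modify")]      # t=0: not granted yet
    directory["jdoe"].add("modify")             # privilege granted
    seen.append(cache.check("jdoe", "modify"))  # t=0: DENIED path rereads
    directory["jdoe"].discard("modify")         # privilege revoked
    if restart_after_revoke:
        cache.restart()
    for t in (300.0, 600.0):                    # 5 and 10 minutes later
        now[0] = t
        seen.append(cache.check("jdoe", "modify"))
    return seen
```

The four results are the checks before the grant, right after the grant, 5 minutes after the revocation, and 10 minutes after it; calling revocation_timeline(restart_after_revoke=True) shows the restart closing the window.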
Copyright © 2011 CA. All rights reserved.