Previous Topic: Check Owner Access on Indirect PrivilegesNext Topic: Admin Profile Privilege Cache

Provisioning Reference GuideAdvanced Configuration OptionsDomain ConfigurationCache Parameters

Cache Parameters

The Cache configuration folder contains parameters that allow you to tune the Provisioning Server internal caches.

Important! Changes to cache parameters do not take effect until the Provisioning Server service is restarted.

The following parameters control each cache:

Maximum Age

The maximum time in seconds that an item remains in the cache without being reread from the provisioning directory.

Maximum Size

The maximum number of unused items to retain in the cache. When an operation uses a cache item, the item is considered in-use. There is no limit on the number of in-use cache items. However, when all operations finish with the cache item, the item is marked unused and it is retained only when the number of used and unused items in the cache is no more than the configured maximum size.

Cache items are also removed from a cache when explicitly canceled. This occurs when a change is made to the provisioning directory data from which the cache item originates. This cache invalidation only occurs on the Provisioning Server that processed that provisioning directory update. If you have multiple provisioning domains or alternative servers serving a single domain, other servers may have cache items that are still derived from the prior data. That is why there is a cache maximum age parameter.

Cache items also are canceled when access is to be denied. The privilege caches (Admin Profile, Global User and Global User Group) contain privilege information that is used to perform authorization checks. If you have recently assigned a privilege to someone, you do not want to have to wait up to 10 minutes (the default cache maximum age for these caches) for that privilege addition to be recognized. Therefore if an authorization check using cached privileges is about to report DENIED, the cache items are canceled and re-initialized from the provisioning directory. If the result is still DENIED, that authorization failure is reported to the administrator.

Important! When you remove a privilege from a global user, admin profile, or global user group, expect that this change will take place at most 10 minutes (the default) from the time of the change. In most cases this is sufficient. However, if the reason for removing the access is to remove an imminent security threat, to ensure immediate enforcement of that privilege change requires you to restart all affected Provisioning Server services.