

Enhance Policy Server’s LDAP Authorization Performance

You can enhance the Policy Server’s authorization performance for users stored in LDAP user directories by limiting the role-based authorization to a specific user record rather than the user’s role, as follows:

To enhance the Policy Server’s performance

  1. Navigate to Modify Policy, Users.

    The User Directories pane opens and contains the group boxes that correspond to the user directories associated with the policy domain.

  2. If the directory on which you want to enhance the authorization performance already appears in a group box, go to Step 8.
  3. If the directory you want does not appear, click Add Members on the directory's group box.

    The Users/Groups pane opens and lists the users and groups in the selected user directory.

  4. Select a Search type from the drop-down list:
    Attribute-value

    Specifies a user attribute name and value pair.

    Expression

    Specifies a CA SiteMinder® expression.

  5. Type the user attribute name and value required for authorization in the Attribute and Value fields on the Users/Groups group box.
  6. Click GO to search the directory.

    A list of directories appears.

  7. Select the check box of the directory you want to add, and then click OK.

    The Users/Groups pane closes and the User Directories pane appears. The directory you selected appears in the group box.

  8. Click the Edit (arrow) icon to the left of the directory.

    The User Directory Search Expression Editor appears.

  9. Ensure that Validate DN appears in the Where to Search drop-down list, and then click OK.

    The User Directory Search Expression Editor closes. The Policy Server’s LDAP search is done within the context of the current user and not in the LDAP server’s base DN. This optimization decreases the load on the LDAP server and Policy Server, which allows quicker authorization responses.
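The difference between searching from the base DN and searching in the context of the current user can be seen in a small model. The following is an added example, not CA SiteMinder code and not part of the original documentation: it assumes that the Validate DN setting corresponds to a base-scope LDAP search on the authenticated user's DN, and the directory contents, attribute names and function names are constructed for illustration.

```python
# Constructed sample directory: DN -> attributes (not from the original page).
BASE_DN = "dc=example,dc=com"
DIRECTORY = {BASE_DN: {}, f"ou=people,{BASE_DN}": {}}
for i in range(1000):
    dept = "finance" if i % 10 == 0 else "sales"
    DIRECTORY[f"uid=user{i},ou=people,{BASE_DN}"] = {"uid": f"user{i}", "department": dept}


def norm(dn):
    """Normalize a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(base, scope, attr, value):
    """Toy LDAP search. scope is 'base' (one entry) or 'sub' (whole subtree).
    Returns (matching DNs, number of entries in the search scope)."""
    base = norm(base)
    if scope == "base":
        candidates = [base] if base in DIRECTORY else []
    else:
        candidates = [dn for dn in DIRECTORY if dn == base or dn.endswith("," + base)]
    hits = [dn for dn in candidates if DIRECTORY[dn].get(attr) == value]
    return hits, len(candidates)


def authorize_from_base_dn(user_dn, attr, value):
    """Search the whole tree for matching entries, then look for the user among them."""
    hits, in_scope = search(BASE_DN, "sub", attr, value)
    return norm(user_dn) in hits, in_scope


def authorize_validate_dn(user_dn, attr, value):
    """Evaluate the attribute-value pair against the user's own entry only."""
    hits, in_scope = search(user_dn, "base", attr, value)
    return bool(hits), in_scope


if __name__ == "__main__":
    for dn in ("uid=user20, ou=people, dc=example,dc=com",  # finance
               "uid=user21,ou=people,dc=example,dc=com",     # sales
               "uid=ghost,ou=people,dc=example,dc=com"):     # no such entry
        print(dn, authorize_from_base_dn(dn, "department", "finance"),
              authorize_validate_dn(dn, "department", "finance"))
```

Both functions reach the same allow or deny decision, but the base-scope search has one entry in scope instead of the whole tree, and a DN that does not exist is denied with nothing in scope. A real LDAP server uses indexes rather than a linear scan, so the counts model search scope, not exact server cost.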