We have an access condition based on a user attribute value, i.e. if x=0, grant access. We tried the following test cases.
1. We tested the policy with one value (X=0). Since the policy was configured to provide access, the user got access to the resource.
2. In the back end (CA Directory user directory) we changed the value to x=1. When the user tried to access the same resource, the policy did not take the new value. The user was getting access based on the old value (x=0).
The same was observed with the value initially x=1 and then changed to x=0.
After changing the attribute in the back end we waited for hours, but SiteMinder kept taking the old value. The only way we could clear the old cache was to flush it or to restart the Policy Server.
Following are our queries:
1. We want to understand the reason SiteMinder is not resolving the attribute by comparing against the user directory. Is there cache management in SiteMinder, and if so, what is the cache refresh time?
2. If there is default cache management, we want to understand the performance impact of changing the default value.
Siteminder version 12.52 buildnumber 499 update 01.00
CA directory Version r12.0 SP14 (build 9140) Windows_NT/DXgrid 64-Bit
Please open a support ticket, as we would like to review logs and configuration settings.
I have opened ticket 00671260 regarding this. Feel free to take ownership of this ticket, as I'm fine with any time zone. I can be available anytime between 9 am to 10 pm IST.
I would like to understand if this is a SiteMinder default behavior or if this has anything to do with our configuration.
This is most likely happening because of the Az cache on the policy server.
Cache Management - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
CA Single Sign-On deployments can be configured to maintain the following cache on the Policy Server: The User Authorization Cache stores user distinguished names (DNs) based on the user portion of policies and includes the users’ group membership.
You can consider tweaking it, following this KB: https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec544401.html
However, disabling the User Az cache has a performance impact on the Policy Server, as it will then have to evaluate the authorisation policy for the user every time.