Symantec Access Management

  • Private Community
 View Only

  • 1.  Using nested groups in CA Single Sign-On ?

    Posted Nov 23, 2016 10:10 AM

    Hi Guys,

     

    We currently are looking into implementing Nested groups within CA SSO. Are there any things we should take a look at ? Or just by enabling it in the UI and making changes to our roles and policies is enough ? We fear that there might be a performance downgrade going with nested groups.

     

    I've read somewhere that there's a different between INGROUP() an MEMBEROF() regarding performance is there any documentation about that ?

     

    Thanks,

     

    Steve



  • 2.  Re: Using nested groups in CA Single Sign-On ?

    Posted Nov 24, 2016 06:06 AM

    Hello,

     

     

    There might be some performances impact as we act as LDAP Cloent and request may take more time if we are using NESTED groups.

     

    For your questions regarding INGROUP() and MEMBEROF(), there was an issue in previous release when using INGROUP() that was generating more LDAP Search (fix in 12.52SP1CR02)

     

    Defects Fixed in 12.52 SP1 CR02 - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

      

    Excessive LDAP Search Calls Generated During Authorization When Using INGROUP Expression (147235)

    Symptom:

    When the INGROUP expression is used to search for user membership of an Application object, excessive LDAP search calls are generated.

    Solution:

    This problem has been fixed.

    STAR Issue: 22051787-1

     

    Hope it helps,

    Julien.



  • 3.  Re: Using nested groups in CA Single Sign-On ?

    Posted Nov 24, 2016 09:00 AM

    Is it recommended to use nested groups ?