I'm wondering how others are assigning roles in Policy Manager. We are using CA API Gateway version 8.3 and its associated Policy Manager. It seems we have some serious limitations with it.
A little background. We established folders for our application areas to store their published service policies and we grant access to those folders by virtue of an LDAP group. The intention was to give the application areas the ability to control WHO is in the group, and us the ability to determine what they can do in the Policy Manager. So for example we would create a folder 'myAppFolder'. This would automatically create a 'Manage myAppFolder' role under the 'Manage Roles' task. We would then assign the group to that role.
We had hoped this would allow member of that group to publish services within that folder, but NOT anywhere else, but it didn't quite work out that way. By just assigning the 'Manage' role they are not able to create things in the folder, only read, update, delete. For them to publish policies we have to give the group 'Publish Webservices' role. The problem with this is, they can create policies ANYWHERE. There seems to be no way to limit policy creation within a folder, no way to change the properties of the 'Manage...Folder' role, and no way to create a role that allows publish specifically to a folder. This effectively defeated our entire strategy.
Then we found an apparent side effect.
Our developers were seeing increasing degradation in the time it took to login via Policy Manager, taking on the order of 5 or up to 15 minutes to display the assertions pallet, etc.
The problem with this seems to be related to having group inherited permissions, and non-inherited user pin permissions. When roles are assigned via LDAP group and also by LDAP user pin there seems to be a correlation between the number of those assignments and the time it takes to log in. But here’s the real problem.
When a developer has 'Publish' permission and defines new services, doing so automatically assigns a role to that user for the created service. This results in the duplicate permissions. For example you'll get a 'Manage ..' role for a service with inherited permissions and another with individual permission for the user who created the service, even though their access is already inherited from the folder. The more of these you get, it seems the longer it takes to display the policy manager upon login. It does this both on the desktop and web client. Meanwhile, administrators with 'Administrator' role assigned to their specific user id can login without the delay.
I tried opening a case on this, but they didn't seem to even know what it meant to log in to policy manager. What happened to the good old days when Eric or Dustin would get my cases?