Symantec Access Management

  • 1.  Access management based on user attribute is considering old value. Siteminder cache refresh issue

    Posted Feb 13, 2017 10:01 AM

    Hi,

    We have an access condition based on a user attribute value, i.e. if x=0, grant access. We tried the following test cases.

    1. We tested the policy with one value (X=0). Since the policy was configured to provide access, the user got access to the resource.

    2. In the back end (CA Directory, the user directory) we changed the value to x=1. When the user tried to access the same resource, the policy did not take the new value. The user was getting access based on the old value (x=0).

    The same was observed with the value initially x=1 and then changed to x=0.

    After changing the attribute in the back end we waited for hours, but SiteMinder kept taking the old value. The only way we could clear the old cache was to flush it or to restart the policy server.


    Following are our queries.
    1. We want to understand why SiteMinder is not resolving the attribute by comparing against the user directory. Is there cache management in SiteMinder, and if so, what is the cache refresh time?
    2. If there is default cache management, we want to understand the performance impact of changing the default value.

     

    Siteminder version 12.52 buildnumber 499 update 01.00

    CA directory Version r12.0 SP14 (build 9140) Windows_NT/DXgrid 64-Bit

    Ujwol



  • 2.  Re: Access management based on user attribute is considering old value. Siteminder cache refresh issue

    Posted Feb 13, 2017 11:18 AM

    Hi Sachin,

    Please open a support ticket, as we would like to review logs and configuration settings.

     

    Thanks,

    Justin Leong



  • 3.  Re: Access management based on user attribute is considering old value. Siteminder cache refresh issue

    Posted Feb 13, 2017 12:02 PM

    Hi Justin,

     

    I have opened a ticket, 00671260, regarding this. Feel free to take ownership of this ticket, as I'm fine with any time zone. I can be available anytime between 9 am and 10 pm IST.



  • 4.  Re: Access management based on user attribute is considering old value. Siteminder cache refresh issue

    Posted Feb 13, 2017 12:08 PM

    I would like to understand if this is SiteMinder default behavior or if this has anything to do with our configuration.



  • 5.  Re: Access management based on user attribute is considering old value. Siteminder cache refresh issue

    Posted Feb 14, 2017 08:03 PM

    This is most likely happening because of the Az cache on the policy server.

     

    Cache Management - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    CA Single Sign-On deployments can be configured to maintain the following cache on the Policy Server:

    • The User Authorization Cache stores user distinguished names (DNs) based on the user portion of policies and includes the users’ group membership.

    You can consider tweaking it following this KB: https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec544401.html

     

    However, disabling the User Az cache has a performance impact on the policy server, as it will then have to evaluate the authorisation policy for the user every time.
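
A toy model of the behaviour discussed in this thread, added here as an illustration and not taken from any poster or from SiteMinder's code: a policy decision point that caches authorization decisions per user DN keeps granting access after the directory attribute changes, until the cache is flushed or an entry expires, and turning the cache off costs one directory read per request. The class names, the `ttl` and `cache_enabled` parameters and the sample DN are hypothetical, and the no-expiry default only models what the original poster observed.

```python
import time

class Directory:
    """Constructed stand-in for the user directory; counts attribute reads."""
    def __init__(self, users):
        self.users = users
        self.reads = 0

    def get_attr(self, dn, name):
        self.reads += 1
        return self.users[dn][name]

class PolicyDecisionPoint:
    """Toy policy: grant when attribute x == 0. Decisions are cached per user DN."""
    def __init__(self, directory, ttl=None, cache_enabled=True, clock=time.monotonic):
        self.directory = directory
        self.ttl = ttl                  # None: entries never expire on their own (assumption)
        self.cache_enabled = cache_enabled
        self.clock = clock
        self.cache = {}                 # dn -> (decision, stored_at)

    def flush(self):
        self.cache.clear()

    def is_authorized(self, dn):
        now = self.clock()
        hit = self.cache.get(dn) if self.cache_enabled else None
        if hit and (self.ttl is None or now - hit[1] < self.ttl):
            return hit[0]               # served from cache, directory not consulted
        decision = self.directory.get_attr(dn, "x") == 0
        if self.cache_enabled:
            self.cache[dn] = (decision, now)
        return decision

def demo():
    dn = "cn=testuser,o=example"        # constructed sample DN
    d = Directory({dn: {"x": 0}})
    pdp = PolicyDecisionPoint(d)
    first = pdp.is_authorized(dn)       # x=0: granted and cached
    d.users[dn]["x"] = 1                # back-end change, as in test case 2
    stale = pdp.is_authorized(dn)       # still granted from the cached decision
    pdp.flush()
    after_flush = pdp.is_authorized(dn) # re-evaluated against the directory
    d2 = Directory({dn: {"x": 0}})
    nocache = PolicyDecisionPoint(d2, cache_enabled=False)
    for _ in range(1000):
        nocache.is_authorized(dn)       # every request reads the directory
    return first, stale, after_flush, d.reads, d2.reads

if __name__ == "__main__":
    print(demo())
```

In this model the window during which a revoked user keeps access is bounded by the entry lifetime, so choosing a refresh interval is a trade between that exposure window and directory load.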