Integrating ALES with Application Environments
Authorization Caching
This section covers the following topics:
Understanding Authorization Caching
Authorization caching allows the ASI Authorization and ASI Role Mapper providers to cache the result of an authorization call, and use that result if future calls are made by the same caller. The cache match is based on a combination of the following:
- Subject
- Resource
- Privilege
- Roles
- Applicable Context (the portion used in making the original decision)
Additionally, the authorization cache automatically invalidates itself if there is a policy or user profile change.
Configuring Authorization Caching
Authorization caching is on by default. It may be configured from within the Administration Console through the ASI Authorization and ASI Role Mapper provider configuration. Table 8-1 lists the switches affect the authorization cache.
Table 8-1 Authorization Caching
Setting
|
Default Value
|
Description
|
AccessAllowedCaching
|
True
|
Enables/disables caching of authorization decisions.
|
GetRolesCaching
|
True
|
Enables/disables caching of role mapping decisions.
|
SessionExpiration
|
60
|
Specifies the number of seconds that authorization decisions for a user will be cached in memory. Upon expiration, the cached information is cleared and then updated if the user makes a subsequent request.
While increasing this value can improve performance, it may also reduce security by making authorization decisions based on outdated information.
|
SubjectDataCacheExpiration
|
60
|
Defines how long user profile data will be cached. Cached authorization decisions are reset each time this data cache expires. You can increase this value to improve performance.
|
The properties listed in Table 8-2 can be entered as advanced configuration properties to further tune the cache.
Table 8-2 Advanced Configuration Properties
Setting
|
Default Value
|
Description
|
ASI.AuthorizationCacheLimit
|
1000
|
Determines the maximum number of cached decisions per user session. Once exceeded, old cached values are overwritten.
|
ASI.AuthorizationCacheDynamicAttributeLimit
|
10
|
Determines the maximum number of context attributes a decision may use and still be stored in the cache.
|
ASI.PolicyCacheInvalidatorPollingInterval
|
1000
|
Determines how often the cache checks for policy distributions. The value is in milliseconds
|
Authorization Caching Expiration Functions
There is a small subset of data that may change without the knowledge of the cache. This includes internally computed time values, as well as custom evaluation plug-ins. Because the cache is not aware of changes in these values, it does not automatically invalidate a cached decision when they change. For this reason a series of evaluation functions is provided to control the period of cache validity. These functions are only needed in policies that make explicit use of internally computed time values or custom evaluation plug-ins.
Table 8-3 lists the internally computed time values. If these values are referenced in a policy, you should also explicitly set the cache validity for the policy.
Table 8-3 Time Values Used with Expiration Functions
Credential
|
Value
|
Range or Format
|
time24
|
integer
|
0-2359
|
time24gmt
|
integer
|
0-2359
|
dayofweek
|
Dayofweek_type
|
Sunday-Saturday
|
dayofweekgmt
|
Dayofweek_type
|
Sunday-Saturday
|
dayofmonth
|
integer
|
1-31
|
dayofmonthgmt
|
integer
|
1-31
|
dayofyear
|
integer
|
1-366
|
dayofyeargmt
|
integer
|
1-366
|
daysinmonth
|
integer
|
28-31
|
daysinyear
|
integer
|
365-366
|
minute
|
integer
|
0-59
|
minutegmt
|
integer
|
0-59
|
month
|
month_type
|
January-December
|
monthgmt
|
month_type
|
January-December
|
year
|
integer
|
0-9999
|
yeargmt
|
integer
|
0-9999
|
timeofday
|
time
|
HH:MMAM" or "HH:MMPM"
|
timeofdaygmt
|
time
|
HH:MMAM" or "HH:MMPM"
|
hour
|
integer
|
0-23
|
hourgmt
|
integer
|
0-23
|
date
|
Date
|
MM/DD/YYYY"
|
dategmt
|
Date
|
MM/DD/YYYY"
|
Table 8-4 lists the expiration functions for the authorization cache. You can use these functions to set an expiration time for the decision. This way you can instruct the cache to only hold the value for a given period of time, or to not hold it at all. These functions correspond roughly to each of the internally computed time types.
Table 8-4 Expiration Functions
Function
|
Argument
|
Description
|
valid_for_mseconds
|
integer
|
Valid for a given number of milliseconds
|
valid_for_seconds
|
integer
|
Valid for a given number of seconds
|
valid_for_minutes
|
integer
|
Valid for a given number of minutes
|
valid_for_hours
|
integer
|
Valid for a given number of hours
|
valid_until_timeofday
|
time
|
Valid until the specified time on the date the evaluation is performed
|
valid_until_time24
|
integer
|
Valid until the specified time on the date the evaluation is performed
|
valid_until_hour
|
integer
|
Valid until the specified hour on the date the evaluation is performed
|
valid_until_minute
|
integer
|
Valid until the specified minute of the hour the evaluation is performed
|
valid_until_date
|
Date
|
Valid until the specified date
|
valid_until_year
|
integer
|
Valid until the specified year
|
valid_until_month
|
month_type
|
Valid until the specified month of the year the evaluation is performed
|
valid_until_dayofyear
|
integer
|
Valid until the specified day of the year the evaluation is performed
|
valid_until_dayofmonth
|
integer
|
Valid until the specified day of the month the evaluation is performed
|
valid_until_dayofweek
|
Dayofweek_type
|
Valid until the specified day of the week the evaluation is performed
|
valid_until_timeofday_gmt
|
time
|
Valid until the specified time on the date the evaluation is performed in GMT time.
|
valid_until_time24_gmt
|
integer
|
Valid until the specified time on the date the evaluation is performed in GMT time.
|
valid_until_hour_gmt
|
integer
|
Valid until the specified minute of the hour the evaluation is performed in GMT time
|
valid_until_minute_gmt
|
integer
|
Valid until the specified minute of the hour the evaluation is performed in GMT time.
|
valid_until_date_gmt
|
Date
|
Valid until the specified date in GMT time.
|
valid_until_year_gmt
|
integer
|
Valid until the specified year in GMT time.
|
valid_until_month_gmt
|
month_type
|
Valid until the specified month of the year the evaluation is performed in GMT time.
|
valid_until_dayofyear_gmt
|
integer
|
Valid until the specified day of the year the evaluation is performed in GMT time.
|
valid_until_dayofmonth_gmt
|
integer
|
Valid until the specified day of the month the evaluation is performed in GMT time.
|
valid_until_dayofweek_gmt
|
Dayofweek_type
|
Valid until the specified day of the week the evaluation is performed in GMT time.
|
For example, if you had the following policy:
GRANT(//priv/order,//app/resturant/breakfast,//sgrp/customers/allusers/) if hour < 11;
When authorization caching is enabled, you write the policy as:
GRANT(//priv/order,//app/resturant/breakfast,//sgrp/customers/allusers/) if hour < 11 and valid_until_hour(11);
With authorization caching, the result of this policy is cached in the provider until 11:00 AM, at which time, it expires. Not calling valid_until_hour
argument results in this policy being cached until the next policy distribution. Therefore, if you are using authorization caching, it is important to update your time dependent policies appropriately.