Administration Application Guide
Performance and Caching
This section covers the following topics:
Understanding Authorization Caching
Authorization caching allows the ASI Authorization and ASI Role Mapper providers to cache the result of an authorization call, and use that result if future calls are made by the same caller. The cache match is based on a combination of the following:
- Subject
- Resource
- Privilege
- Roles
- Applicable Context (the portion used in making the original decision)
Additionally cache automatically invalidates itself if there is a policy or user profile change.
Configuring Authorization Caching
Authorization caching is on by default. It may be configured from within the Administration Console through the ASI Authorization and ASI Role Mapper provider configuration. Table 10-1 lists the switches affect the authorization cache.
Table 10-1 Authorization Caching
|
Setting
|
Default Value
|
Description
|
|
AccessAllowedCaching
|
True
|
Enables/disables caching of authorization decisions.
|
|
GetRolesCaching
|
True
|
Enables/disables caching of role mapping decisions.
|
|
SessionExpiration
|
60
|
Defines the number of seconds each user session is valid for. Cached authorization decisions is reset each time the session expires. You can increase this value to improve performance.
|
|
SubjectDataCacheExpiration
|
60
|
Defines how long user profile data will be cached. Cached authorization decisions are reset each time this data cache expires. You can increase this value to improve performance.
|
The properties listed in Table 10-2 can be entered as advanced configuration properties to further tune the cache.
Table 10-2 Advanced Configuration Properties
|
Setting
|
Default Value
|
Description
|
|
ASI.AuthorizationCacheLimit
|
1000
|
Determines the maximum number of cached decisions per user session. Once exceeded, old cached values are overwritten.
|
|
ASI.AuthorizationCacheDynamicAttributeLimit
|
10
|
Determines the maximum number of context attributes a decision may use and still be stored in the cache.
|
|
ASI.PolicyCacheInvalidatorPollingInterval
|
1000
|
Determines how often the cache checks for policy distributions. The value is in milliseconds
|
Authorization Caching Expiration Functions
There is a small subset of data that may change without the knowledge of the cache. This includes internally computed time values, as well as custom evaluation plug-ins. Because the cache is not aware of changes in these values, it does not automatically invalidate a cached decision when they change. For this reason a series of evaluation functions is provided to control the period of cache validity. These functions are only needed in rules that make explicit use of internally computed time values or custom evaluation plug-ins.
Table 10-3 lists the internally computed time values. If referenced in a rule, you should also explicitly set the cache validity for the rule.
Table 10-3 Time Values Used with Expiration Functions
|
Credential
|
Value
|
Range or Format
|
|
time24
|
integer
|
0-2359
|
|
time24gmt
|
integer
|
0-2359
|
|
dayofweek
|
Dayofweek_type
|
Sunday-Saturday
|
|
dayofweekgmt
|
Dayofweek_type
|
Sunday-Saturday
|
|
dayofmonth
|
integer
|
1-31
|
|
dayofmonthgmt
|
integer
|
1-31
|
|
dayofyear
|
integer
|
1-366
|
|
dayofyeargmt
|
integer
|
1-366
|
|
daysinmonth
|
integer
|
28-31
|
|
daysinyear
|
integer
|
365-366
|
|
minute
|
integer
|
0-59
|
|
minutegmt
|
integer
|
0-59
|
|
month
|
month_type
|
January-December
|
|
monthgmt
|
month_type
|
January-December
|
|
year
|
integer
|
0-9999
|
|
yeargmt
|
integer
|
0-9999
|
|
timeofday
|
time
|
HH:MMAM" or "HH:MMPM"
|
|
timeofdaygmt
|
time
|
HH:MMAM" or "HH:MMPM"
|
|
hour
|
integer
|
0-23
|
|
hourgmt
|
integer
|
0-23
|
|
date
|
Date
|
MM/DD/YYYY"
|
|
dategmt
|
Date
|
MM/DD/YYYY"
|
Table 10-4 lists the expiration functions for the authorization cache. You can use these functions to set an expiration time for the decision. This way you can instruct the cache to only hold the value for a given period of time, or to not hold it at all. These functions correspond roughly to each of the internally computed time types.
Table 10-4 Expiration Functions
|
Function
|
Argument
|
Description
|
|
valid_for_mseconds
|
integer
|
Valid for a given number of milliseconds
|
|
valid_for_seconds
|
integer
|
Valid for a given number of seconds
|
|
valid_for_minutes
|
integer
|
Valid for a given number of minutes
|
|
valid_for_hours
|
integer
|
Valid for a given number of hours
|
|
valid_until_timeofday
|
time
|
Valid until the specified time on the date the evaluation is performed
|
|
valid_until_time24
|
integer
|
Valid until the specified time on the date the evaluation is performed
|
|
valid_until_hour
|
integer
|
Valid until the specified hour on the date the evaluation is performed
|
|
valid_until_minute
|
integer
|
Valid until the specified minute of the hour the evaluation is performed
|
|
valid_until_date
|
Date
|
Valid until the specified date
|
|
valid_until_year
|
integer
|
Valid until the specified year
|
|
valid_until_month
|
month_type
|
Valid until the specified month of the year the evaluation is performed
|
|
valid_until_dayofyear
|
integer
|
Valid until the specified day of the year the evaluation is performed
|
|
valid_until_dayofmonth
|
integer
|
Valid until the specified day of the month the evaluation is performed
|
|
valid_until_dayofweek
|
Dayofweek_type
|
Valid until the specified day of the week the evaluation is performed
|
|
valid_until_timeofday_gmt
|
time
|
Valid until the specified time on the date the evaluation is performed in GMT time.
|
|
valid_until_time24_gmt
|
integer
|
Valid until the specified time on the date the evaluation is performed in GMT time.
|
|
valid_until_hour_gmt
|
integer
|
Valid until the specified minute of the hour the evaluation is performed in GMT time
|
|
valid_until_minute_gmt
|
integer
|
Valid until the specified minute of the hour the evaluation is performed in GMT time.
|
|
valid_until_date_gmt
|
Date
|
Valid until the specified date in GMT time.
|
|
valid_until_year_gmt
|
integer
|
Valid until the specified year in GMT time.
|
|
valid_until_month_gmt
|
month_type
|
Valid until the specified month of the year the evaluation is performed in GMT time.
|
|
valid_until_dayofyear_gmt
|
integer
|
Valid until the specified day of the year the evaluation is performed in GMT time.
|
|
valid_until_dayofmonth_gmt
|
integer
|
Valid until the specified day of the month the evaluation is performed in GMT time.
|
|
valid_until_dayofweek_gmt
|
Dayofweek_type
|
Valid until the specified day of the week the evaluation is performed in GMT time.
|
For example, if you had the following rule:
GRANT(//priv/order,//app/resturant/breakfast,//sgrp/customers/allusers/) if hour < 11;
When authorization caching is enabled, you write the rule as:
GRANT(//priv/order,//app/resturant/breakfast,//sgrp/customers/allusers/) if hour < 11 and valid_until_hour(11);
With authorization caching, the result of this rule is cached in the provider until 11:00 AM, at which time, it expires. Not calling valid_until_hour argument results in this rule being cached until the next policy distribution. Therefore, if you are using authorization caching, it is important to update your time dependent rules appropriately.
