OAM 10g: Authorization Rule Changes Made Via Policy Management API Not Taking Effect
(Doc ID 1192438.1)
Last updated on MARCH 08, 2017
Applies to: COREid Access - Version: 10.1.4.2
Information in this document applies to any platform.
Access Server Policy Cache Timeout Not Working.
After changes to Policy Authorization Rules, the Access Server Cache is not
flushed even after the "Policy Cache Timeout" has elapsed. The Access Server
must be restarted for the changes to take effect.
Describe the problem
The customer has a set of applications for which the policies in OAM are
created/edited/managed by a separate application (SAFE) using the Policy
Management API (changes are not made via the OAM admin console directly).
This application uses "<ObAccessManager_Instance>.setCacheUpdates(false)" to
avoid delays and exceptions when any of the access servers in the
environment is down, which means the Access Server Caches are not updated
(flushed) when changes are made to Policies.
The assumption is that the timeouts for the Policy Cache and URLPrefix cache
defined for the Access Servers control how long a change takes to be
reflected. Both are set to the default value of 2 hours, so the SAFE team
has told its users that any Policy change might take up to 2 hours to be
reflected.
However, they made a change to remove a group from the Allowed Access tab in
a particular authorization rule. This change is reflected in the admin
console and confirmed when tested with Access Tester. At runtime, however,
the same users have the same access as before, including the success actions
returned by the authorization rule, well over 2 hours (more than a day, in
fact) after the change was made via the API.
So it looks like the Access Server Cache is not being flushed after the
"Policy Cache Timeout".
It is only after a restart of the Access Server that the changes go into
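
One way to check for the symptom described above from outside the Access Server, as an added example that is not part of the original note and is not Oracle code: it compares runtime ALLOW decisions against the policy as currently shown in the admin console and flags those made after the 2-hour Policy Cache Timeout should have expired. The record layouts, rule name, group names and users are constructed assumptions, not an OAM log format.

```python
from datetime import datetime, timedelta

POLICY_CACHE_TIMEOUT = timedelta(hours=2)  # default value stated in this note

# Constructed sample data (assumed layout, not an OAM log format).
# Time each authorization rule was last changed through the Policy Management API.
POLICY_CHANGES = [("2017-03-01T09:00:00", "AppA-AuthzRule")]
# Groups on the rule's Allowed Access tab now, as the admin console shows them.
ALLOWED_NOW = {"AppA-AuthzRule": {"staff"}}
# Runtime decisions: (time, user, user's groups, rule evaluated, decision)
RUNTIME_DECISIONS = [
    ("2017-03-01T09:30:00", "jdoe", {"contractors"}, "AppA-AuthzRule", "ALLOW"),
    ("2017-03-01T11:30:00", "jdoe", {"contractors"}, "AppA-AuthzRule", "ALLOW"),
    ("2017-03-02T10:15:00", "jdoe", {"contractors"}, "AppA-AuthzRule", "ALLOW"),
    ("2017-03-02T10:20:00", "asmith", {"contractors", "staff"}, "AppA-AuthzRule", "ALLOW"),
    ("2017-03-02T10:25:00", "bnew", {"contractors"}, "AppA-AuthzRule", "DENY"),
]


def find_stale_allows(changes, allowed_now, decisions, timeout=POLICY_CACHE_TIMEOUT):
    """Return ALLOW decisions that the current policy no longer justifies and
    that were made after the cached policy should already have expired."""
    last_change = {}
    for ts, rule in changes:
        t = datetime.fromisoformat(ts)
        last_change[rule] = max(t, last_change.get(rule, t))

    stale = []
    for ts, user, groups, rule, decision in decisions:
        if decision != "ALLOW" or rule not in last_change:
            continue
        if groups & allowed_now[rule]:
            continue  # still entitled through a group that remains allowed
        # Time elapsed beyond (change time + cache timeout); <= 0 means the
        # old policy may legitimately still be cached.
        overdue = datetime.fromisoformat(ts) - (last_change[rule] + timeout)
        if overdue > timedelta(0):
            stale.append((ts, user, rule, overdue))
    return stale


if __name__ == "__main__":
    for ts, user, rule, overdue in find_stale_allows(
        POLICY_CHANGES, ALLOWED_NOW, RUNTIME_DECISIONS
    ):
        print(f"{ts} {user} still allowed by {rule}, {overdue} past cache timeout")
```

The 09:30 decision is not reported because it falls inside the timeout window, and asmith is not reported because the "staff" group is still allowed.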
This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.