Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-2491

Modifying groups belonging to an Identity Membership Condition should cause re-evaluation of that condition in the agent


    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 9.5.5, 10.0.0, 11.0.0
    • Fix Version/s: None
    • Component/s: idrepo, policy
    • Labels:
    • Rank:
    • Support Ticket IDs:


      When a Identity Membership condition relies on a group, changes to that group should cause the agent to re-evaluate the policy that condition belongs to. Currently those changes aren't pushed through to the agent until the agent's policy cache is updated and the agent is forced to evaluate a decision and not rely on it's cache.

      To recreate this issue simply create a policy which has an Identity Membership condition, add a group to the condition. Try to access a protected resource with a user which does not belong to the group in question. The user should be denied access. Now add the user to the group and try to access the protected resource. Since the user now belongs to the group they should be allowed access, but if the agent hasn't updated it's policy cache yet (force the evaluation) the user will still be denied. Once the policy cache is updated, the user will be allowed to access the resource.

      My investigation led me to believe it might be possible to add a listener object to the group in question, so that on modification the callback could update the policy cache on the agent.


          Issue Links



              • Assignee:
                apforrest Andrew Forrest
                travis.papp travis.papp
              • Votes:
                1 Vote for this issue
                3 Start watching this issue


                • Created: