In the Scheduler, typically the Evaluate User Policies scheduled job runs every 10 minutes.
When testing access policies, it is a good idea to click the Disable button so that the job does not run on its schedule. The job can then be executed using the Run Now button.
When modifying an Access Policy, if the Retrofit Access Policy flag is set to Yes, then every user will be re-evaluated, and if the user fits the policy, that user will have their POLICY_EVAL_NEEDED flag set to 1 in the USER_PROVISIONING_ATTRS table. If you don't want every single user to be re-evaluated, then after modifying the access policy, execute an update query such as:
UPDATE USER_PROVISIONING_ATTRS SET POLICY_EVAL_NEEDED=0;
and then when you are prepared to test a user, use a similar query such as:
UPDATE USER_PROVISIONING_ATTRS SET POLICY_EVAL_NEEDED=1 WHERE USR_KEY=2023;
It's a good idea to review and document the user that you chose to test before and after the test. To execute the access policy logic, just go back and run the Evaluate User Policies scheduled job.
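The procedure above as one scoped test run, written as an added example that is not from the original post. It assumes an Oracle session as the OIM schema owner with the Evaluate User Policies job disabled. POLICY_EVAL_BACKUP is a hypothetical scratch table name, 2023 is the test USR_KEY from the text, and the restore in step 6 is an assumption that applies only if the remaining users should be re-evaluated once testing is done.

```sql
-- Added example. POLICY_EVAL_BACKUP is a hypothetical scratch table;
-- 2023 is the test user's USR_KEY used in the text.

-- 1. Save which users were pending evaluation before touching the flags.
--    (CREATE TABLE is DDL and commits implicitly in Oracle.)
CREATE TABLE POLICY_EVAL_BACKUP AS
  SELECT USR_KEY, POLICY_EVAL_NEEDED
    FROM USER_PROVISIONING_ATTRS
   WHERE POLICY_EVAL_NEEDED = 1;

-- 2. Record the test user's row before the test.
SELECT * FROM USER_PROVISIONING_ATTRS WHERE USR_KEY = 2023;

-- 3. Clear every pending flag, then flag only the test user.
UPDATE USER_PROVISIONING_ATTRS SET POLICY_EVAL_NEEDED = 0;
UPDATE USER_PROVISIONING_ATTRS SET POLICY_EVAL_NEEDED = 1 WHERE USR_KEY = 2023;

-- 4. Confirm exactly one user is flagged before committing.
--    If the count is not 1, ROLLBACK instead of COMMIT.
SELECT COUNT(*) AS FLAGGED_USERS
  FROM USER_PROVISIONING_ATTRS
 WHERE POLICY_EVAL_NEEDED = 1;
COMMIT;

-- 5. Run Evaluate User Policies with Run Now, then record the row again
--    and compare it with the output of step 2.
SELECT * FROM USER_PROVISIONING_ATTRS WHERE USR_KEY = 2023;

-- 6. Optional (assumption): once testing is finished, re-flag the users
--    that were pending in step 1 so the retrofit can proceed for them.
UPDATE USER_PROVISIONING_ATTRS
   SET POLICY_EVAL_NEEDED = 1
 WHERE USR_KEY IN (SELECT USR_KEY FROM POLICY_EVAL_BACKUP WHERE USR_KEY <> 2023);
COMMIT;

DROP TABLE POLICY_EVAL_BACKUP;
```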