One can specify which users/groups can be authorized to access an application using Oracle Access Manager.
In general there are 3 types of group memberships allowed in the directory server:
- Static group membership: In this type of group, each user is explicitly defined as a member.
- Dynamic group membership: This type of membership is defined by an LDAP rule. Each user that satisfies this LDAP rule is a member of the group.
- Nested group membership: A nested group consists of one or more static groups, dynamic groups, or both.
The screenshot below shows how you can authorize groups in an Authorization Rule (of a Policy Domain).
You will hardly notice the Groups tab here.
However, from the performance perspective one has to be very careful when specifying authorization for groups. Dynamic groups will provide better performance than static and nested groups.
Try to avoid Nested group membership if possible.
If your environment does not have nested groups at all, then you can turn off a parameter to improve the performance.
The parameter in question is TurnOffNestedGroupEvaluation.
You can find this parameter in the globalparams.xml file in the Access Server install location, $OAM_Access_Server/access/oblix/apps/common/bin. If you have multiple access servers, modify this parameter on all of them.
Here is a screenshot of this parameter's default value in globalparams.xml.
To turn off nested group evaluation, change the value to true as shown below.
Restart the access servers for this parameter to take effect.
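Before changing the parameter, it is worth confirming that the directory really has no nested groups. The following is an added example, not part of the original post or of Oracle's tooling: it scans an LDIF export of the directory for groups that have another group as a member. It assumes groups use the standard `groupOfNames`, `groupOfUniqueNames` or `groupOfURLs` object classes with `member`/`uniqueMember` attributes; the sample entries and function names are constructed for illustration.

```python
import base64

# Constructed sample export: app-users has the group app-admins as a member.
SAMPLE_LDIF = """\
dn: cn=app-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=app-users,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=bob,ou=people,dc=example,dc=com
uniqueMember: cn=app-admins, ou=groups,
 dc=example,dc=com
"""

# Assumed object classes and member attributes; adjust to your schema.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "groupofurls"}
MEMBER_ATTRS = ("member", "uniquemember")

def norm_dn(dn):
    """Lowercase a DN and drop spaces around commas so DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    entries = []
    # A line starting with one space continues the previous line (folding).
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def find_nested_groups(entries):
    """Return sorted (parent_dn, member_group_dn) pairs; empty means no nesting."""
    groups = {norm_dn(e["dn"][0]) for e in entries
              if GROUP_CLASSES & {c.lower() for c in e.get("objectclass", [])}}
    return sorted((norm_dn(e["dn"][0]), norm_dn(m))
                  for e in entries if norm_dn(e["dn"][0]) in groups
                  for attr in MEMBER_ATTRS for m in e.get(attr, [])
                  if norm_dn(m) in groups)
```

An empty result from `find_nested_groups(parse_ldif(export_text))` on a full export of the group subtree supports setting the parameter to true; any pair returned is a group whose authorization would depend on nested evaluation.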