Policy Service contains the properties that affect the overall operation of the Identity Broker policy service.
↓Relations To this Component
↓Properties
↓dsconfig Usage
The following components have a direct composition relation from Policy Services:
The following components have a direct aggregation relation from Policy Services:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ broker-store | ↓ broker-store-poll-frequency |
| ↓ combining-algorithm | |
| ↓ consent-validity-duration |
| Description | Specifies the Broker Store implementation that should be used to store policy data for the Identity Broker. |
| Default Value | None |
| Allowed Values | The DN of any Broker Store. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The policy combining algorithm for the Policy Decision Point. |
| Default Value | deny-overrides |
| Allowed Values | deny-overrides - This combining algorithm is intended for those cases where a deny decision should have priority over a permit decision. permit-overrides - This combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. deny-unless-permit - This combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an "Indeterminate" or "NotApplicable" must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite "Permit" or "Deny" result. permit-unless-deny - This combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an "Indeterminate" or "NotApplicable" must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite "Permit" or "Deny" result. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Identity Broker must be restarted for changes to this setting to take effect. This modification requires that you manually restart the server for the change to take effect |
| Description | Specifies the default validity duration of a granted consent. Applications may also specify a different validity duration that is specific to consents generated for that application and will override this property. |
| Default Value | 365 d |
| Allowed Values | A duration. Lower limit is 1 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
broker-store-poll-frequency (Advanced Property)
| Description | Length of time between polls determining whether the broker store contents have changed. The Identity Broker polls the broker store at a fixed interval to determine whether the contents have been changed by another Identity Broker instance. If the contents have been changed, then this Identity Broker refreshes its cache of broker store objects. Increasing this value increases the latency between when the broker store has been changed by another Identity Broker instance and the change is reflected in this Identity Broker instance. |
| Default Value | 2 seconds |
| Allowed Values | A duration. Lower limit is 1 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To view the Policy Service configuration:
dsconfig get-policy-service-prop
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the Policy Service configuration:
dsconfig set-policy-service-prop
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...