Authorization and Identity Injection policies allow you to select conditions, one of which is Roles. If you have thousands of users accessing your resources, you might want to design most of your policies to use roles. Roles are evaluated when a user logs in, and the roles assigned to the user are cached as long as the session is active. When a user accesses a resource protected by a policy that uses role conditions, the policy can be immediately evaluated because the user’s role values are available. This is not true for all conditions. Values for some conditions must be retrieved from the user store. For example, if the policy uses a condition with an LDAP attribute, the user’s value must be retrieved from the LDAP user store before the policy can be evaluated. On a system with medium traffic, this delay is not noticed. On a system with high traffic, the delay might be noticeable.
However, you can design your policies to have the same results without retrieving the LDAP attribute value at resource access. You can create a Role policy for the LDAP attribute and have users assigned to this role at authentication when they match the attribute value requirements. When users access resources, they gain immediate access or are immediately denied access because their role assignments are cached.
If the same LDAP attribute policy is used to grant access to multiple resources, a delay might not be noticeable. The first time a policy is evaluated for a user, the data required for the policy is cached and is immediately available the next time it is requested.
Another option available for LDAP, Credential Profile, Liberty User Profile, and Shared Secret attributes is to have the attribute values sent with the assertion at authentication. You configure an attribute set for the attributes, and then configure the service provider for these attributes. For more information, see Configuring the Attributes Set with Authentication.