Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Policy Rules Order

The Ethical Wall policy rule base is ordered from top to bottom.
More inclusive rules should be on top and less inclusive on the bottom.
Each policy rule can define if the configured feature is allowed, blocked or not set.
If a feature is not set the policy engine will go the next in order policy rule and get the configuration from that rule. 
If no rules are set - the default policy will be in effect.
Same logic is applied to the policy condition, if the condition is matched on the first rule from the top, the policy will be enforced, if not the engine will continue to the next rule.
For this reason, you should configure policies by user above policies by domain.

Learning Mode 

When introducing an new user base (new pool, new installation), it is recommended that you change the operation mode to "Learning Mode". 
This will allow the Ethical Wall Policy Engine to calculate the policies and build a large cache that it will use when the system will go to live mode.
To know if the learning mode had learned enough - go to the "Ethical Wall Learning Cache" Report in the Access Portal (/admin/ewcachereport).

Calculation Validity

The Ethical Wall Policy Engine re-calculates a cached policy if it not longer valid. The calculation validity time period is defined in the Access Portal Ethical Wall Settings (/admin/settings?category=settings_federation_webservice_category_header). 
It is recommended to keep this value as high as possible. The re-calculation is a resource consuming task, that s usually done routinely by the Housekeeping Service and the interval could be configured in Ethical Wall calculation operation interval (minutes) in the Housekeeping Settings (/admin/settings?category=settings_housekeeping_service_category_header).

Memory Cache

The Ethical Wall Policy Engine fetches the policy in order to calculate it. It's recommended this value is not set too low to avoid bottle-necks on the SQL server.

SIP Filter on Front Ends - Ignore Presence

When running SIP filter on the front ends it is recommended to ignore presence handling in order to avoid high CPU utilization during the learning phase.
Image Added