Ethical Wall Best Practice Tips
Policy Rules Order
The Ethical Wall policy rule base is ordered from top to bottom.
More inclusive rules should be on top and less inclusive on the bottom.
Each policy rule can define whether the configured feature is allowed, blocked or not set.
If a feature is not set, the policy engine moves to the next policy rule in order and takes the configuration from that rule.
If no rules are set, the default policy will be in effect.
The same logic is applied to the policy condition: if the condition is matched on the first rule from the top, the policy is enforced; if not, the engine continues to the next rule.
For this reason, you should configure policies by user above policies by domain.
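The ordering effect can be seen in a small model of the evaluation described above. This is an added example, not the product's code or schema: the rule fields, feature names, default policy and addresses are all constructed assumptions, and wildcard matching stands in for the real policy conditions.

```python
# Simplified model of the top-to-bottom rule evaluation described above.
# All rule fields, feature names and addresses are constructed for this example.
from fnmatch import fnmatch

ALLOW, BLOCK, NOT_SET = "allow", "block", None
DEFAULT_POLICY = {"im": ALLOW, "file_transfer": BLOCK}  # assumed defaults


def resolve(rules, user, feature):
    """Return (decision, name of the deciding rule) for one user and feature."""
    for rule in rules:  # walk the rule base from the top
        if not fnmatch(user.lower(), rule["match"].lower()):
            continue  # condition not matched: continue to the next rule
        decision = rule["features"].get(feature, NOT_SET)
        if decision is not NOT_SET:
            return decision, rule["name"]
        # feature not set on this rule: fall through to the next rule
    return DEFAULT_POLICY[feature], "default"


def shadowed(rules, users, feature):
    """Rules that set `feature` but never decide it for any sample user."""
    deciding = {resolve(rules, u, feature)[1] for u in users}
    return [r["name"] for r in rules
            if r["features"].get(feature) is not None
            and r["name"] not in deciding]


BY_USER = {"name": "user: counsel", "match": "counsel@partner.example",
           "features": {"file_transfer": ALLOW}}
BY_DOMAIN = {"name": "domain: partner", "match": "*@partner.example",
             "features": {"file_transfer": BLOCK, "im": NOT_SET}}
SAMPLE_USERS = ["counsel@partner.example", "intern@partner.example",
                "x@other.example"]

if __name__ == "__main__":
    for order in ([BY_USER, BY_DOMAIN], [BY_DOMAIN, BY_USER]):
        print([r["name"] for r in order])
        for u in SAMPLE_USERS:
            print("  ", u, resolve(order, u, "file_transfer"))
        print("   shadowed:", shadowed(order, SAMPLE_USERS, "file_transfer"))
```

With the domain rule on top, the per-user rule is never reached for file transfer, which is the misordering the recommendation above avoids.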
Learning Mode
When introducing a new user base (new pool, new installation, paradigm shift in policy), we recommend changing the operation mode to "Learning Mode".
This will allow the Ethical Wall Policy Engine to calculate the policies and build a large cache that it will use when the system goes to live mode. The policies should be valid policies, so that the cache reflects the actual use case of Ethical Wall.
To check whether learning mode has learned enough, go to the "Ethical Wall Learning Cache" Report in the Access Portal (/admin/ewcachereport).
Calculation Validity
The Ethical Wall Policy Engine re-calculates a cached policy if it is no longer valid. The calculation validity time period is defined in the Access Portal Ethical Wall Settings (/admin/settings?category=settings_federation_webservice_category_header).
It is recommended to keep this value as high as possible. The re-calculation is a resource-consuming task that is usually done routinely by the Maintenance Service; the interval can be configured in "Ethical Wall calculation operation interval (minutes)" in the Settings (/admin/settings?category=settings_housekeeping_service_category_header).
Memory Cache
The Ethical Wall Policy Engine fetches the policy to calculate it. It is recommended not to set this value too low, to avoid bottlenecks on the SQL server.
SIP Filter on Front Ends - Ignore Presence
When running the SIP filter on the Front Ends, it is recommended to ignore presence handling to avoid high CPU utilization during the learning phase.