How do I reduce the number of policy matches in Identity Cloud or AM (All versions)?
The purpose of this article is to provide information on changes you can make to your policy rules to reduce the number of policy matches, which in turn reduces the time it takes for ForgeRock Identity Cloud or AM to evaluate policies.
Reducing the number of policy matches
There are a number of changes you can make to your policy rules to reduce the number of policy matches including:
Avoid using wildcards (*)
Always use the full protocol, hostname and port number wherever possible in your policy rules rather than using a wildcard (*).
For example, instead of using a single rule such as http*://*/test/test.dll/* to cover multiple policy rules, you can separate them out and make them more specific to reduce policy matches:
- http://example.com:8080/test/test.dll/*
- https://example.net:8443/test/test.dll/*
- https://example.com:443/test/test.dll/*
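The following added example (not ForgeRock code, and not part of the original article) audits a list of policy resource patterns for wildcarded or unspecified protocol, hostname and port, then counts how many rules a request URL hits under the broad rule versus the specific ones. The function names, the request URLs and the simplified `*` matching model are assumptions made for illustration.

```python
import re

# Splits a policy resource pattern into scheme, host, optional port and path.
_RESOURCE = re.compile(
    r"^(?P<scheme>[^:/]+)://(?P<host>[^/:]*)(?::(?P<port>[^/]*))?(?P<path>/.*)?$"
)

def audit_resource(pattern):
    """Return which of scheme/host/port are wildcarded or left unspecified."""
    m = _RESOURCE.match(pattern)
    if m is None:
        return ["unparseable"]
    findings = []
    if "*" in m["scheme"]:
        findings.append("scheme")
    if not m["host"] or "*" in m["host"]:
        findings.append("host")
    if not m["port"] or "*" in m["port"]:
        findings.append("port")
    return findings

def rule_matches(pattern, url):
    # Assumption: simplified model where '*' matches any run of characters.
    # The product's own matching engine has additional rules not modelled here.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None

def count_matches(rules, url):
    """Number of rules in the set that the request URL matches."""
    return sum(rule_matches(rule, url) for rule in rules)

# Patterns taken from the article.
BROAD = ["http*://*/test/test.dll/*"]
SPECIFIC = [
    "http://example.com:8080/test/test.dll/*",
    "https://example.net:8443/test/test.dll/*",
    "https://example.com:443/test/test.dll/*",
]
# Constructed request URLs; the second host is hypothetical and not meant to be covered.
REQUESTS = [
    "https://example.net:8443/test/test.dll/report",
    "https://other.example.org:9443/test/test.dll/report",
]

if __name__ == "__main__":
    for rule in BROAD + SPECIFIC:
        print(rule, "->", audit_resource(rule) or "fully qualified")
    for url in REQUESTS:
        print(url, "broad:", count_matches(BROAD, url),
              "specific:", count_matches(SPECIFIC, url))
```

Under this model the broad rule still matches the request to the host that was never meant to be covered, while the three specific rules produce no match for it.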
Use the not enforced URL list
Add URLs for files such as images, JavaScript and CSS to the Not Enforced URL list to prevent these URLs from being evaluated.
You should also ensure the Fetch Attributes for Not Enforced URLs option is not enabled unless specifically required.
See Also
Authorization and policy decisions
Related Training
ForgeRock Access Management Deep Dive (AM-410)