Advanced Access Control known limitations

Consider these known limitations when you are configuring an Advanced Access Control environment on the appliance.

External clients cannot use the session cache
The distributed session cache in Advanced Access Control does not support external clients; only the appliance's own internal clients can use it.

The Support internal and external clients option on the Session Cache tab on the Cluster Configuration management page is not relevant in an Advanced Access Control environment.

Advanced Access Control disregards the Port, Keyfile, and Label fields, which relate to external clients.

Descriptions of default attributes and obligations might not display in the correct language
If you clear your browser cache while logged into an appliance session, you might not see the descriptions of default attributes and obligations in the correct language. This scenario happens when you perform steps similar to these:
  1. Log in to the appliance.
  2. Change the language of the local management interface.
  3. Clear the browser cache.
  4. Display obligations or attributes. For example, to display the attributes:
    1. Select AAC.
    2. Under Policy, select Attributes. Under the name of each default attribute is the description. This description might display in an incorrect language.

Therefore, do not clear the browser cache while you are logged in to an appliance session; in this scenario the descriptions might be displayed in an incorrect language.

Certain characters in JSON messages are displayed as Unicode escape sequences
Non-ASCII characters are escaped in the JSON responses from the REST API endpoints. This format is specified in RFC 4627 (since superseded by RFC 8259, which keeps the same escape syntax).

Each non-ASCII character is represented as a six-character sequence: a reverse solidus (\), the lowercase letter u, and four hexadecimal digits that encode the code point of the character. For example, é is returned as \u00e9. Characters outside the Basic Multilingual Plane (code points above U+FFFF) are represented as two such sequences, a UTF-16 surrogate pair. Any conforming JSON parser decodes these sequences transparently; only code that inspects the raw response text, such as a string comparison or a log search, sees the escaped form. For more information, see RFC 4627.
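To make the escaping concrete, the following added example (written for this page; it is not code from the product or from IBM) decodes a constructed response body both with the standard library and with a hand-written decoder that follows the RFC 4627 string grammar, so that the surrogate-pair case and the difference between a genuine \u00e9 escape and an escaped backslash followed by the literal text u00e9 are visible. The sample body and its field names are constructed, not captured from an appliance.

```python
import json

# Constructed sample response body in the escaped form the REST endpoints use
# (not captured from a real appliance). "café" becomes caf\u00e9; the emoji
# U+1F600, which lies outside the BMP, becomes the surrogate pair \ud83d\ude00;
# the "path" value contains an escaped backslash followed by a literal "u00e9".
SAMPLE_BODY = '{"name": "caf\\u00e9", "note": "ok \\ud83d\\ude00", "path": "C:\\\\u00e9"}'

_SIMPLE_ESCAPES = {'"': '"', "\\": "\\", "/": "/",
                   "b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t"}


def _hex4(s: str, pos: int) -> int:
    """Parse exactly four hexadecimal digits at s[pos:pos+4]."""
    digits = s[pos:pos + 4]
    if len(digits) != 4 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError("expected 4 hex digits at offset %d" % pos)
    return int(digits, 16)


def unescape_json_string(chars: str) -> str:
    """Decode the contents of one JSON string token (the text between the
    quotes) following the escape rules of RFC 4627 section 2.5."""
    out = []
    i, n = 0, len(chars)
    while i < n:
        if chars[i] != "\\":
            out.append(chars[i])
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("dangling backslash at offset %d" % i)
        esc = chars[i + 1]
        if esc in _SIMPLE_ESCAPES:
            # An escaped backslash followed by a literal 'u' is NOT a \u escape.
            out.append(_SIMPLE_ESCAPES[esc])
            i += 2
            continue
        if esc != "u":
            raise ValueError("unknown escape \\%s at offset %d" % (esc, i))
        cp = _hex4(chars, i + 2)
        i += 6
        if 0xD800 <= cp <= 0xDBFF:
            # High surrogate: a \uDC00-\uDFFF escape must follow immediately;
            # the pair encodes one code point above U+FFFF.
            if not chars.startswith("\\u", i):
                raise ValueError("lone high surrogate at offset %d" % (i - 6))
            low = _hex4(chars, i + 2)
            if not 0xDC00 <= low <= 0xDFFF:
                raise ValueError("lone high surrogate at offset %d" % (i - 6))
            cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00)
            i += 6
        elif 0xDC00 <= cp <= 0xDFFF:
            raise ValueError("lone low surrogate at offset %d" % (i - 6))
        out.append(chr(cp))
    return "".join(out)


def is_valid_escaped_string(chars: str) -> bool:
    """True when the string contents decode without an invalid escape."""
    try:
        unescape_json_string(chars)
        return True
    except ValueError:
        return False


def decode_response(body: str) -> dict:
    """What a client should do: let a conforming JSON parser undo the escaping."""
    return json.loads(body)


def escape_non_ascii(obj) -> str:
    """Reproduce the endpoint's output form: ensure_ascii=True emits \\uXXXX
    (and surrogate pairs) for every non-ASCII character."""
    return json.dumps(obj, ensure_ascii=True)


if __name__ == "__main__":
    data = decode_response(SAMPLE_BODY)
    print(data)
    print(escape_non_ascii(data) == SAMPLE_BODY)
```

The practical point is that a client should compare or search decoded values, never the raw body: "café" and "caf\u00e9" are the same value after parsing, and the surrogate-pair form is only correct when both halves are combined into one code point.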

The Quick Response (QR) Code generator in Advanced Access Control accepts only US-ASCII alphanumeric characters as valid input
Advanced Access Control can display the OAuth 2.0 authorization code as a QR code image.
The QR code endpoint creates the QR code image. The endpoint is designed to accept US-ASCII alphanumeric characters (A-Z, a-z, 0-9) only, to ensure maximum interoperability with existing QR code scanners.
Ensure that only US-ASCII alphanumeric characters are passed to the endpoint. Letters and digits from other scripts are not accepted, even though many programming languages classify them as alphanumeric, and neither are punctuation characters such as the - and _ used by base64url encoding.

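The following added example (written for this page, not code from the product) is a client-side check to run before calling the QR code endpoint. It shows why the obvious `str.isalnum()` test is not enough: that method is Unicode-aware and accepts letters and digits from any script, whereas the endpoint accepts only US-ASCII letters and digits. The function names and sample values are assumptions for illustration.

```python
import re
import unicodedata

# The only characters the QR code endpoint is documented to accept.
_QR_SAFE = re.compile(r"[A-Za-z0-9]+")


def is_qr_safe(value: str) -> bool:
    """True when value is non-empty and consists solely of US-ASCII letters and digits."""
    return _QR_SAFE.fullmatch(value) is not None


def naive_check(value: str) -> bool:
    """The tempting but wrong check: str.isalnum() accepts any Unicode letter or
    digit, so "caf\u00e9" and Arabic-Indic digits pass even though the endpoint
    rejects them."""
    return value.isalnum()


def qr_input_problems(value: str) -> list:
    """Return (offset, character, Unicode name) for each character the endpoint
    would reject, so a caller can log what was wrong without echoing the whole
    value (which may be an OAuth 2.0 authorization code)."""
    problems = []
    for offset, ch in enumerate(value):
        if not (ch.isascii() and ch.isalnum()):
            problems.append((offset, ch, unicodedata.name(ch, "<unnamed>")))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real authorization codes.
    for sample in ("Ab3xY9", "Ab3-xY9", "caf\u00e9"):
        print(repr(sample), is_qr_safe(sample), naive_check(sample), qr_input_problems(sample))
```

Run the check on the value before it is handed to the endpoint; a rejected value should be logged by offset and character name, not by copying the whole code into a log file.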
Authentication service cannot use the group information in the credential
You can create a custom authentication mechanism by using the authentication mechanism Software Development Kit (SDK). Aside from authenticating the user, the mechanism can modify the credential of the current user.

After the user completes the authentication policy that contains your custom authentication mechanism, the authentication service logs the current user in to IBM® Verify Identity Access by using the resulting credential. Advanced Access Control has a limitation here: any group information in the resulting credential is not used by the authentication service when it logs the current user in to IBM Verify Identity Access. Therefore, do not rely on group memberships that a custom mechanism adds to the credential.