<role> ... <idempotent>true<<idempotence>aggressive</idempotent>idempotence> ... </role>
Marking role as idempotent is likely to result in huge performance improvements in systems with large role hierarchies. But there are also risks of incorrect evaluation of the roles. If an role is idempotent then is is also assumed that any roles included in this role are also idempotent. Therefore please take care when constructing role hierarchies. This flag property has false value by default.a default value that indicates no idempotence.
Role is not idempotent. The role must be evaluated for all situations: all assignment paths, all orders, etc.
This value indicates, that the evaluation of this role gives the same results regardless of its position in the assignment/inducement hierarchy. I.e. evaluation of this roles does not depend on the assignment parameters of focus or any of the preceding roles. However, the role will still be re-evaluated if it is found with assignment path of different depths or orders (e.g. in meta-role situations).
This value indicates, that the evaluation of this role gives the same results regardless of its position in the assignment/inducement hierarchy including different path lengths and evaluation orders. I.e. evaluation of this roles does not depend on the assignment parameters of focus or any of the preceding roles and it has no meta-role capability (e.g. higher-order inducements).
Rules of the thumb:
- Roles that are frequently used, roles that are included in many other roles and roles that combine many other roles should be idempotent. Typical example is a "basic" roles that is assigned to almost any user and that contains a lot of smaller roles.
- Roles that are parametric or very dynamic should NOT be idempotent.