To optimize performance and minimize traffic between Authentication Manager and an LDAP directory, Authentication Manager caches information about user group memberships. When a user’s group membership is changed in an LDAP directory, Authentication Manager does not recognize the change until the cache is refreshed. As a result, these changes take effect only after the cache refresh interval has elapsed. In the time between the change and the refresh, you may see the following behaviors:
A user added to a group that has access to a restricted agent cannot authenticate to the restricted agent.
A user who has been removed from a group that has access to a restricted agent can still authenticate to the agent.
You can flush the cache immediately using the Operations Console. For more information, see Flush the Cache.
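The window between a directory change and the cache refresh can be reviewed after the fact by comparing group changes with authentication results. The following Python sketch is an added example, not RSA code or part of the original documentation; the event tuples, their layout and the one-hour refresh interval are constructed assumptions, not Authentication Manager log formats or defaults.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real product logs) for one restricted agent.
GROUP_CHANGES = [  # (time of change in LDAP, user, action)
    ("2024-05-01T09:00:00", "alice", "removed"),
    ("2024-05-01T09:05:00", "bob", "added"),
]
AUTH_EVENTS = [  # (time, user, result)
    ("2024-05-01T08:50:00", "alice", "success"),  # before removal
    ("2024-05-01T09:10:00", "alice", "success"),  # removed, cache still stale
    ("2024-05-01T09:12:00", "bob", "failure"),    # added, cache still stale
    ("2024-05-01T10:30:00", "alice", "failure"),  # cache refreshed
    ("2024-05-01T11:00:00", "alice", "success"),  # cache cannot explain this
]

def contradictions(changes, auths, refresh_interval):
    """Return auth events whose result contradicts the directory.

    Each finding is (time, user, kind, explained_by_cache). An event is
    explained by the cache only if it falls inside refresh_interval
    (an assumed value) after the group change.
    """
    findings = []
    for a_time, a_user, result in auths:
        at = datetime.fromisoformat(a_time)
        for c_time, c_user, action in changes:
            ct = datetime.fromisoformat(c_time)
            if a_user != c_user or at < ct:
                continue
            if action == "removed" and result == "success":
                kind = "access after removal"
            elif action == "added" and result == "failure":
                kind = "denied after add"
            else:
                continue
            in_window = at < ct + refresh_interval
            findings.append((a_time, a_user, kind, in_window))
    return findings

if __name__ == "__main__":
    for f in contradictions(GROUP_CHANGES, AUTH_EVENTS, timedelta(hours=1)):
        print(f)
```

Findings marked as explained by the cache show the exposure that flushing the cache after a group removal would have closed; findings outside the window need a different explanation.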