We expose a case type to a customer facing website using web mashup and the authentication is done via an anonymous auth service. Whenever a customer visits the web page, a temporary operator is created. We observe that there're many requestors created and this results in a requestor limit alert. We also note that the requestors are removed after ~2 hours of inactivity (last access time). We would like to timeout the requestors as soon as possible to avoid the accumulation of too many requestors. The following options were tried and none of these seem to be in effect:
1. Set access group timeout (note that there's no 'use access group timeout' setting in anonymous auth service)
You are on the right track you just have not located the correct settings yet.
There is a DSS setting, prconfig/timeout/browser/default value="900". The wording is a little confusing for this setting but what it does is tells the platform how long to allow a session to a browser to sit idle before a session timeout would occur. This setting is in minutes so it coverts to roughly 1.5 hours. Reduce this time and you should have a much shorter requestor life-span.
You're probably wondering why this isn't the 2 hours you've observed. Well there is a browser timeout as well that keeps the session alive, that is typically 30 minutes. Which gives you your 2 hours.
Finally you asked about how the requestors get cleaned up and who is responsible for this. There is a daemon that is responsible for cleaning up requestors. By default it runs every 60 seconds, which should be set low enough for most environments. This setting is configurable as well, but we don't recommend changing this unless there is an issue. It is prconfig/initialization/passivationinterval/default value="60".