Application of GUI Configuration and Authorization Changes

Last modified 19 Oct 2022 12:39 +02:00
Since 4.6
This functionality is available since version 4.6.

Before midPoint 4.6, any changes in GUI configuration and user authorizations required a logout and re-login to be applied. Starting with the version 4.6, selected changes cause the user session or sessions to be automatically refreshed. This means that on the very next access that follows after the change, the session (technically speaking, the compiled user profile) is refreshed.

The following changes are applied in this way:

  • any changes to assignments, activation, and/or admin GUI configuration in:

    • the user,

    • abstract roles (role, org, archetype, …​) directly or indirectly assigned to the user,

  • any changes in the admin GUI configuration in system configuration,

  • activation and deactivation of roles and users based on validFrom and/or validTo data.

Time-based activations (validFrom/validTo in users, roles, or assignments) are supported via Validity Scanner task which updates these objects. Therefore, time-based activations are not applied immediately on the validFrom or validTo time, but during the next run of Validity Scanner, which runs every 15 minutes by default.


The following changes are not guaranteed to be applied immediately:

  • changes that affect the list of roles indirectly assigned to the user (e.g. changes in metaroles).

If the user is deactivated in the sense of setting activation/effectiveStatus, it is logged out automatically on his/her next action in GUI. However, if the deactivation is indirectly via losing all authorizations, the 403 page is shown instead.

Implementation Details

Technically, the compiled user profile is invalidated on the changes listed above: MidPoint watches changes to assignment, activation, and adminGuiConfiguration on the logged-in principal objects, and any roles that were directly or indirectly assigned to him at the time of last compiled profile computation. On the next logged-in user action in the GUI, the compiled GUI profiles is recomputed and the GUI-related changes are applied. The list of roles which affect the GUI is updated.