Application of GUI Configuration and Authorization Changes
|
Since 4.6
This functionality is available since version 4.6.
|
Before midPoint 4.6, any changes in GUI configuration and user authorizations required a logout and re-login to be applied. Starting with the version 4.6, selected changes cause the user session or sessions to be automatically refreshed. This means that on the very next access that follows after the change, the session (technically speaking, the compiled user profile) is refreshed.
The following changes are applied in this way:
-
any changes to assignments, activation, and/or admin GUI configuration in:
-
the user,
-
abstract roles (role, org, archetype, …) directly or indirectly assigned to the user,
-
-
any changes in the admin GUI configuration in system configuration,
-
activation and deactivation of roles and users based on validFrom and/or validTo data.
|
Time-based activations ( |
Limitations
The following changes are not guaranteed to be applied immediately:
-
changes that affect the list of roles indirectly assigned to the user (e.g. changes in metaroles).
If the user is deactivated in the sense of setting activation/effectiveStatus, it is logged out automatically on his/her next action in GUI.
However, if the deactivation is indirectly via losing all authorizations, the 403 page is shown instead.
Implementation Details
Technically, the compiled user profile is invalidated on the changes listed above:
MidPoint watches changes to assignment, activation, and adminGuiConfiguration on the logged-in principal objects, and any roles that were directly or indirectly assigned to him at the time of last compiled profile computation.
On the next logged-in user action in the GUI, the compiled GUI profiles is recomputed and the GUI-related changes are applied.
The list of roles which affect the GUI is updated.