Application of GUI Configuration and Authorization Changes
This functionality is available since version 4.6.
Before midPoint 4.6, any changes in GUI configuration and user authorizations required a logout and re-login to be applied. Starting with version 4.6, selected changes cause the user session or sessions to be refreshed automatically. This means that on the very next access that follows the change, the session (technically speaking, the compiled user profile) is refreshed.
The following changes are applied in this way:
any changes to assignments, activation, and/or admin GUI configuration in:
abstract roles (role, org, archetype, …) directly or indirectly assigned to the user,
any changes in the admin GUI configuration in system configuration,
activation and deactivation of roles and users based on validFrom and/or validTo data.
Time-based activations (
The following changes are not guaranteed to be applied immediately:
changes that affect the list of roles indirectly assigned to the user (e.g. changes in metaroles).
If the user is deactivated in the sense of setting activation/effectiveStatus, they are logged out automatically on their next action in the GUI.
However, if the deactivation happens indirectly, through the loss of all authorizations, the 403 page is shown instead.
Technically, the compiled user profile is invalidated on the changes listed above:
MidPoint watches changes to adminGuiConfiguration on the logged-in principal objects, and on any roles that were directly or indirectly assigned to the principal at the time of the last compiled profile computation.
On the next action of the logged-in user in the GUI, the compiled GUI profile is recomputed and the GUI-related changes are applied.
The list of roles which affect the GUI is updated.
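The invalidation behaviour described above, as an added Python sketch that is not midPoint code: a profile is dropped only when a changed object is in the set snapshotted at the last compilation, and is recomputed on the next access. The class names, OIDs and authorization strings are hypothetical, and leaving metaroles out of the watched set is a modelling assumption used to illustrate the "not guaranteed" case.

```python
# Simplified model, not midPoint source. All names here are hypothetical.
class Repo:
    def __init__(self):
        self.assigned = {}  # OID -> role OIDs it assigns or induces
        self.meta = {}      # role OID -> metarole OIDs applied to that role
        self.authz = {}     # role OID -> GUI authorizations (constructed strings)

    def roles_of(self, user):
        """Roles directly or indirectly assigned to the user."""
        seen, todo = set(), list(self.assigned.get(user, ()))
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo += self.assigned.get(role, ())
                for m in self.meta.get(role, ()):  # metarole inducements
                    todo += self.assigned.get(m, ())
        return seen

class Session:
    def __init__(self, repo, user):
        self.repo, self.user, self.profile, self.watched = repo, user, None, set()

    def on_change(self, oid):
        """Change notification: invalidate only if the object is watched."""
        if oid in self.watched:
            self.profile = None

    def access(self):
        """Next GUI action: recompute lazily if the profile was invalidated."""
        if self.profile is None:
            roles = self.repo.roles_of(self.user)
            self.watched = {self.user} | roles  # snapshot at compile time
            self.profile = set().union(*(self.repo.authz.get(r, set()) for r in roles))
        return set(self.profile)

def demo():
    repo = Repo()  # constructed sample data
    repo.assigned = {"u1": {"r-ops"}, "meta-1": set()}
    repo.meta = {"r-ops": {"meta-1"}}
    repo.authz = {"r-ops": {"gui:users"}, "r-audit": {"gui:audit"}}
    s = Session(repo, "u1")
    first = s.access()
    repo.authz["r-ops"] = {"gui:users", "gui:roles"}; s.on_change("r-ops")
    watched_role = s.access()   # refreshed: r-ops was watched
    repo.assigned["meta-1"] = {"r-audit"}; s.on_change("meta-1")
    metarole = s.access()       # stale: meta-1 was outside the watched set
    s.profile = None            # fresh compilation, as after a re-login
    fresh = s.access()
    return first, watched_role, metarole, fresh
```

In the model, the session keeps its previous authorizations after the metarole change until something else forces a recompilation, which is why changes of this kind should not be relied on to take effect on the next access.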