Reviewing administrative users
As of PingFederate 10.1, the use of expressions is enabled by default. Additionally, a new administrative role, Expression Admin, has been added.
When upgrading to PingFederate 10.1 or later from a previous version, administrative users who were granted the Admin role in the earlier installation are granted the Expression Admin role automatically. You can achieve the same result by using the /bulk/import administrative API endpoint to bulk-import a configuration that was bulk-exported from PingFederate 10.0.
If preferred, administrators can disable the use of expressions by setting evaluateExpressions to false as described in Enabling and disabling expressions.
You can also go to System → Server → Administrative Accounts and remove the Expression Admin role from all Admin users. Doing this prevents Admin users from entering expressions into PingFederate if the evaluateExpressions element is set to true at a later time. For more information, see Administrative accounts.
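The following added example (not part of the PingFederate documentation or product) shows one way to script this review over an exported list of administrative accounts. The JSON layout and the role strings ADMINISTRATOR and EXPRESSION_ADMINISTRATOR are assumptions, and the sample accounts are constructed.

```python
import json

# Role strings and JSON layout are assumptions modelled on an
# administrative-accounts listing; adjust them to match your export.
ADMIN = "ADMINISTRATOR"
EXPRESSION_ADMIN = "EXPRESSION_ADMINISTRATOR"

# Constructed sample data, not taken from a real server.
SAMPLE_ACCOUNTS = json.dumps({"items": [
    {"username": "alice", "active": True, "roles": [ADMIN, EXPRESSION_ADMIN]},
    {"username": "bob", "active": True, "roles": [ADMIN]},
    {"username": "carol", "active": False, "roles": [ADMIN, EXPRESSION_ADMIN]},
]})


def review_expression_admins(accounts_json, evaluate_expressions):
    """Return one finding per account that holds the Expression Admin role.

    evaluate_expressions mirrors the server's evaluateExpressions setting.
    """
    findings = []
    for account in json.loads(accounts_json).get("items", []):
        roles = set(account.get("roles", []))
        if EXPRESSION_ADMIN not in roles:
            continue
        if not account.get("active", False):
            exposure = "dormant"    # disabled account that still holds the role
        elif evaluate_expressions:
            exposure = "effective"  # can enter expressions right now
        else:
            exposure = "latent"     # usable again if expressions are re-enabled
        findings.append({
            "username": account.get("username", "<unknown>"),
            "exposure": exposure,
            "roles": sorted(roles),
        })
    return findings


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"evaluateExpressions={str(enabled).lower()}")
        for finding in review_expression_admins(SAMPLE_ACCOUNTS, enabled):
            print(f"  {finding['username']}: {finding['exposure']}")
```

Accounts reported as latent are the ones that regain the ability to enter expressions if evaluateExpressions is later set to true, which is the case that removing the role addresses.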