Creating a new user or modifying the security roles of an existing user do not take effect until the 2nd auth activity after the creation/modification occurs.
As user admin, create user 'eeyore' via webui.
Attempt to log in as user eeyore in another browser: auth fails.
As soon as anyone else logs in, then eeyore can log in.
Same pattern observed with security role changes.