diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e046c2865..80179bbfa 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -92,7 +92,7 @@ jobs:
           labels: |
             ${{ steps.docker_meta.outputs.labels }}
             maintainer=Joris Borgdorff <joris@thehyve.nl>, Lee Evans - www.ltscomputingllc.com
-            org.opencontainers.image.authors=Joris Borgdorff <joris@thehyve.nl>, Lee Evans - www.ltscomputingllc.com
+            org.opencontainers.image.authors=Joris Borgdorff <joris@thehyve.nl>, Lee Evans - www.ltscomputingllc.com, Shaun Turner <shaun.turner1@nhs.net>
             org.opencontainers.image.vendor=OHDSI
 
       # If the image was pushed, we need to pull it again to inspect it
diff --git a/Dockerfile b/Dockerfile
index 8179d6f65..7a606e82a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,7 +29,7 @@ RUN find . -type f "(" \
 FROM docker.io/nginxinc/nginx-unprivileged:1.23.3-alpine@sha256:c748ba587e7436aaa8729b64d4e0412410a486f0c592f0eec100fb3804ff9afd
 
 LABEL org.opencontainers.image.title="OHDSI-Atlas"
-LABEL org.opencontainers.image.authors="Joris Borgdorff <joris@thehyve.nl>, Lee Evans - www.ltscomputingllc.com"
+LABEL org.opencontainers.image.authors="Joris Borgdorff <joris@thehyve.nl>, Lee Evans - www.ltscomputingllc.com, Shaun Turner<shaun.turner1@nhs.net>"
 LABEL org.opencontainers.image.description="ATLAS is an open source software tool for researchers to \
 conduct scientific analyses on standardized observational data"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
@@ -37,8 +37,106 @@ LABEL org.opencontainers.image.vendor="OHDSI"
 LABEL org.opencontainers.image.source="https://github.com/OHDSI/Atlas"
 
 # URL where WebAPI can be queried by the client
-ENV WEBAPI_URL=http://localhost:8080/WebAPI/ \
-  CONFIG_PATH=/etc/atlas/config-local.js
+ENV USE_DYNAMIC_WEBAPI_URL="false"
+ENV DYNAMIC_WEBAPI_SUFFIX="/WebAPI/"
+ENV WEBAPI_URL="http://localhost:8080/WebAPI/"
+ENV CONFIG_PATH="/etc/atlas/config-local.js"
+ENV ATLAS_INSTANCE_NAME="OHDSI"
+ENV ATLAS_COHORT_COMPARISON_RESULTS_ENABLED="false"
+ENV ATLAS_USER_AUTH_ENABLED="false"
+ENV ATLAS_PLP_RESULTS_ENABLED="false"
+ENV ATLAS_CLEAR_LOCAL_STORAGE="false"
+ENV ATLAS_DISABLE_BROWSER_CHECK="false"
+ENV ATLAS_ENABLE_PERMISSIONS_MGMT="true"
+ENV ATLAS_CACHE_SOURCES="false"
+ENV ATLAS_POLL_INTERVAL="60000"
+ENV ATLAS_SKIP_LOGIN="false"
+ENV ATLAS_USE_EXECUTION_ENGINE="false"
+ENV ATLAS_VIEW_PROFILE_DATES="false"
+ENV ATLAS_ENABLE_COSTS="false"
+ENV ATLAS_SUPPORT_URL="https://github.com/ohdsi/atlas/issues"
+ENV ATLAS_SUPPORT_MAIL="atlasadmin@your.org"
+ENV ATLAS_FEEDBACK_CONTACTS="For access or questions concerning the Atlas application please contact:"
+ENV ATLAS_FEEDBACK_HTML=""
+ENV ATLAS_COMPANYINFO_HTML=""
+ENV ATLAS_COMPANYINFO_SHOW="true"
+ENV ATLAS_DEFAULT_LOCALE="en"
+
+ENV ATLAS_SECURITY_WIN_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_WIN_PROVIDER_NAME="Windows"
+ENV ATLAS_SECURITY_WIN_PROVIDER_URL="user/login/windows"
+ENV ATLAS_SECURITY_WIN_PROVIDER_AJAX="true"
+ENV ATLAS_SECURITY_WIN_PROVIDER_ICON="fab fa-windows"
+
+ENV ATLAS_SECURITY_KERB_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_KERB_PROVIDER_NAME="Kerberos"
+ENV ATLAS_SECURITY_KERB_PROVIDER_URL="user/login/kerberos"
+ENV ATLAS_SECURITY_KERB_PROVIDER_AJAX="true"
+ENV ATLAS_SECURITY_KERB_PROVIDER_ICON="fab fa-windows"
+
+ENV ATLAS_SECURITY_OID_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_OID_PROVIDER_NAME="OpenID Connect"
+ENV ATLAS_SECURITY_OID_PROVIDER_URL="user/login/openid"
+ENV ATLAS_SECURITY_OID_PROVIDER_AJAX="false"
+ENV ATLAS_SECURITY_OID_PROVIDER_ICON="fa fa-openid"
+
+ENV ATLAS_SECURITY_GGL_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_GGL_PROVIDER_NAME="Google"
+ENV ATLAS_SECURITY_GGL_PROVIDER_URL="user/oauth/google"
+ENV ATLAS_SECURITY_GGL_PROVIDER_AJAX="false"
+ENV ATLAS_SECURITY_GGL_PROVIDER_ICON="fab fa-google"
+
+ENV ATLAS_SECURITY_FB_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_FB_PROVIDER_NAME="Facebook"
+ENV ATLAS_SECURITY_FB_PROVIDER_URL="user/oauth/facebook"
+ENV ATLAS_SECURITY_FB_PROVIDER_AJAX="false"
+ENV ATLAS_SECURITY_FB_PROVIDER_ICON="fab fa-facebook-f"
+
+ENV ATLAS_SECURITY_GH_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_GH_PROVIDER_NAME="Github"
+ENV ATLAS_SECURITY_GH_PROVIDER_URL="user/oauth/github"
+ENV ATLAS_SECURITY_GH_PROVIDER_AJAX="false"
+ENV ATLAS_SECURITY_GH_PROVIDER_ICON="fab fa-github"
+
+ENV ATLAS_SECURITY_DB_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_DB_PROVIDER_NAME="DB"
+ENV ATLAS_SECURITY_DB_PROVIDER_URL="user/login/db"
+ENV ATLAS_SECURITY_DB_PROVIDER_AJAX="true"
+ENV ATLAS_SECURITY_DB_PROVIDER_ICON="fa fa-database"
+ENV ATLAS_SECURITY_DB_PROVIDER_CREDFORM="true"
+
+ENV ATLAS_SECURITY_LDAP_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_LDAP_PROVIDER_NAME="LDAP"
+ENV ATLAS_SECURITY_LDAP_PROVIDER_URL="user/login/ldap"
+ENV ATLAS_SECURITY_LDAP_PROVIDER_AJAX="true"
+ENV ATLAS_SECURITY_LDAP_PROVIDER_ICON="fa fa-cubes"
+ENV ATLAS_SECURITY_LDAP_PROVIDER_CREDFORM="true"
+
+ENV ATLAS_SECURITY_SAML_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_SAML_PROVIDER_NAME="SAML"
+ENV ATLAS_SECURITY_SAML_PROVIDER_URL="user/login/saml"
+ENV ATLAS_SECURITY_SAML_PROVIDER_AJAX="false"
+ENV ATLAS_SECURITY_SAML_PROVIDER_ICON="fab fa-openid"
+
+ENV ATLAS_SECURITY_AD_PROVIDER_ENABLED="false"
+ENV ATLAS_SECURITY_AD_PROVIDER_NAME="Active Directory LDAP"
+ENV ATLAS_SECURITY_AD_PROVIDER_URL="user/login/ad"
+ENV ATLAS_SECURITY_AD_PROVIDER_AJAX="true"
+ENV ATLAS_SECURITY_AD_PROVIDER_ICON="fa fa-cubes"
+ENV ATLAS_SECURITY_AD_PROVIDER_CREDFORM="true"
+
+# for existing broadsea implementations
+ENV ATLAS_SECURITY_PROVIDER_ENABLED="true"
+ENV ATLAS_SECURITY_PROVIDER_NAME="none"
+ENV ATLAS_SECURITY_PROVIDER_TYPE="none"
+ENV ATLAS_SECURITY_USE_AJAX="false"
+ENV ATLAS_SECURITY_PROVIDER_ICON="fa-cubes"
+ENV ATLAS_SECURITY_USE_FORM="false"
+
+ENV ATLAS_ENABLE_TANDCS="true"
+ENV ATLAS_ENABLE_PERSONCOUNT="true"
+ENV ATLAS_ENABLE_TAGGING_SECTION="false"
+ENV ATLAS_REFRESH_TOKEN_THRESHOLD="240"
 
 # Configure webserver
 COPY ./docker/nginx-default.conf /etc/nginx/conf.d/default.conf
diff --git a/docker/30-atlas-env-subst.sh b/docker/30-atlas-env-subst.sh
index 77e079129..f4030d3a6 100755
--- a/docker/30-atlas-env-subst.sh
+++ b/docker/30-atlas-env-subst.sh
@@ -26,7 +26,7 @@ if [ -n "${WEBAPI_URL}" ]; then
   TFILE=`mktemp`
   trap "rm -f $TFILE" 0 1 2 3 15
   # Don't copy but rewrite so that permissions are not changed.
-  envsubst '$WEBAPI_URL' < "$CONFIG_TARGET_PATH" > "$TFILE"
+  envsubst < "$CONFIG_TARGET_PATH" > "$TFILE"
   cat "$TFILE" > "$CONFIG_TARGET_PATH"
   rm -f "$TFILE"
 fi
diff --git a/docker/config-local.js b/docker/config-local.js
index 1d99a873f..15f91a278 100644
--- a/docker/config-local.js
+++ b/docker/config-local.js
@@ -1,15 +1,141 @@
 define([], function () {
 	var configLocal = {};
 
+	if ("${ATLAS_CLEAR_LOCAL_STORAGE}" == "true") {
+		localStorage.clear();
+	}
+
+	var webapi_url = "${WEBAPI_URL}";
+	
+	if ("${USE_DYNAMIC_WEBAPI_URL}" == "true") {
+		var getUrl = window.location;
+	    webapi_url = getUrl.protocol + "//" + getUrl.hostname + "${DYNAMIC_WEBAPI_SUFFIX}";
+	}
+
 	// WebAPI
 	configLocal.api = {
-		name: 'OHDSI',
-		url: '${WEBAPI_URL}'
+		name: '${ATLAS_INSTANCE_NAME}',
+		url: webapi_url
 	};
 
-	configLocal.cohortComparisonResultsEnabled = false;
-	configLocal.userAuthenticationEnabled = false;
-	configLocal.plpResultsEnabled = false;
+	configLocal.cohortComparisonResultsEnabled = ("${ATLAS_COHORT_COMPARISON_RESULTS_ENABLED}" == "true");
+	configLocal.plpResultsEnabled = ("${ATLAS_PLP_RESULTS_ENABLED}" === "true");
+	configLocal.userAuthenticationEnabled = ("${ATLAS_USER_AUTH_ENABLED}" === "true");
+	configLocal.authProviders = [];
+	configLocal.disableBrowserCheck = ("${ATLAS_DISABLE_BROWSER_CHECK}" === "true");
+	configLocal.enablePermissionManagement = ("${ATLAS_ENABLE_PERMISSIONS_MGMT}" === "true");
+	configLocal.cacheSources = ("${ATLAS_CACHE_SOURCES}" === "true");
+	configLocal.enableSkipLogin = ("${ATLAS_SKIP_LOGIN}" === "true"); // automatically opens login window when user is not authenticated
+	configLocal.useExecutionEngine = ("${ATLAS_USE_EXECUTION_ENGINE}" === "true");
+	configLocal.viewProfileDates = ("${ATLAS_VIEW_PROFILE_DATES}" === "true");
+	configLocal.enableCosts = ("${ATLAS_ENABLE_COSTS}" === "true");
+	configLocal.supportUrl = "${ATLAS_SUPPORT_URL}";
+	configLocal.supportMail = "${ATLAS_SUPPORT_MAIL}";
+	configLocal.feedbackContacts = "${ATLAS_FEEDBACK_CONTACTS}";
+	configLocal.feedbackCustomHtmlTemplate = "${ATLAS_FEEDBACK_HTML}";
+	configLocal.companyInfoCustomHtmlTemplate = "${ATLAS_COMPANYINFO_HTML}";
+	configLocal.showCompanyInfo = ("${ATLAS_COMPANYINFO_SHOW}" === "true");
+	configLocal.defaultLocale = "${ATLAS_DEFAULT_LOCALE}";
+	configLocal.pollInterval = parseInt("${ATLAS_POLL_INTERVAL}");
+
+
+	if ("${ATLAS_SECURITY_WIN_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_WIN_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_WIN_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_WIN_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_WIN_PROVIDER_ICON}",
+		});
+	}
+
+	if ("${ATLAS_SECURITY_KERB_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_KERB_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_KERB_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_KERB_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_KERB_PROVIDER_ICON}",
+		});
+	}
+
+	if ("${ATLAS_SECURITY_OID_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_OID_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_OID_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_OID_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_OID_PROVIDER_ICON}",
+		});
+	}
+
+	if ("${ATLAS_SECURITY_GGL_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_GGL_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_GGL_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_GGL_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_GGL_PROVIDER_ICON}",
+		});
+	}
+
+	if ("${ATLAS_SECURITY_FB_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_FB_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_FB_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_FB_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_FB_PROVIDER_ICON}",
+		});
+	}
+
+	if ("${ATLAS_SECURITY_GH_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_GH_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_GH_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_GH_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_GH_PROVIDER_ICON}",
+		});
+	}
+
+	if ("${ATLAS_SECURITY_DB_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_DB_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_DB_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_DB_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_DB_PROVIDER_ICON}",
+			isUseCredentialsForm: ("${ATLAS_SECURITY_DB_PROVIDER_CREDFORM}" === "true")
+		});
+	}
+
+	if ("${ATLAS_SECURITY_LDAP_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_LDAP_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_LDAP_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_LDAP_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_LDAP_PROVIDER_ICON}",
+			isUseCredentialsForm: ("${ATLAS_SECURITY_LDAP_PROVIDER_CREDFORM}" === "true")
+		});
+	}
+
+	if ("${ATLAS_SECURITY_SAML_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_SAML_PROVIDER_NAME}",
+			url: "${ATLAS_SECURITY_SAML_PROVIDER_URL}",
+			ajax: ("${ATLAS_SECURITY_SAML_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_SAML_PROVIDER_ICON}",
+		});
+	}
+
+	// For existing broadsea implementations
+	if ("${ATLAS_SECURITY_PROVIDER_ENABLED}" === "true") {
+		configLocal.authProviders.push(openIdProvider = {
+			name: "${ATLAS_SECURITY_PROVIDER_NAME}",
+			url: "user/login/${ATLAS_SECURITY_PROVIDER_TYPE}",
+			ajax: ("${ATLAS_SECURITY_PROVIDER_AJAX}" === "true"),
+			icon: "${ATLAS_SECURITY_PROVIDER_ICON}",
+		});
+	}
+
+	configLocal.enableTermsAndConditions = ("${ATLAS_ENABLE_TANDCS}" === "true");
+	configLocal.enablePersonCount = ("${ATLAS_ENABLE_PERSONCOUNT}" === "true");
+	configLocal.enableTaggingSection = ("${ATLAS_ENABLE_TAGGING_SECTION}" === "true");
+	configLocal.refreshTokenThreshold = 1000 * 60 * parseInt("${ATLAS_REFRESH_TOKEN_THRESHOLD}");
 
 	return configLocal;
 });
diff --git a/js/components/authorship.html b/js/components/authorship.html
index 6894ee015..d881bdcb4 100644
--- a/js/components/authorship.html
+++ b/js/components/authorship.html
@@ -1,14 +1,12 @@
 <!-- ko if: createdBy && createdDate -->
 <div data-bind="css: classes('container')">
-	<span data-bind="text: createdText"></span>
-	<span data-bind="visible: createdBy, text: ko.i18nformat('components.authorship.byCreated', 'by <%=createdBy%>', {createdBy: createdBy})"></span>
-	<span data-bind="text: ko.i18n('components.authorship.on', 'on')"></span>
-	<span data-bind="text: createdDate"></span><span data-bind="visible: modifiedDate">,</span>
-	<span data-bind="visible: modifiedDate">
-		<span data-bind="text: ko.i18n('components.authorship.modified', 'modified')"></span>
-		<span data-bind="visible: createdBy, text: ko.i18nformat('components.authorship.byModified', 'by <%=modifiedBy%>', {modifiedBy: modifiedBy})"></span>
-		<span data-bind="text: ko.i18n('components.authorship.on', 'on')"></span>
-		<span data-bind="text: modifiedDate"></span>
-	</span>
+	<span data-bind="visible: createdBy,
+	    text: ko.i18nformat('components.authorship.createdLabel',
+						'created by <%=createdBy%> on <%=cratedDate%>',
+						{createdBy: createdBy, createdDate: createdDate})"></span><span data-bind="visible: modifiedDate">,</span>
+    <span data-bind="visible: modifiedDate,
+	    text: ko.i18nformat('components.authorship.modifiedLabel',
+						'modified by <%=modifiedBy%> on <%=modifiedDate%>',
+						{modifiedBy: modifiedBy, modifiedDate: modifiedDate})"></span>
 </div>
-<!-- /ko -->
\ No newline at end of file
+<!-- /ko -->
diff --git a/js/components/cohortbuilder/components/CensoringCriteriaEditor.js b/js/components/cohortbuilder/components/CensoringCriteriaEditor.js
index 1d61a1f9a..ce54de63e 100644
--- a/js/components/cohortbuilder/components/CensoringCriteriaEditor.js
+++ b/js/components/cohortbuilder/components/CensoringCriteriaEditor.js
@@ -140,6 +140,20 @@ define([
                     });
                 },
             },
+            {
+                ...constants.censoringEventList.addObservationPeriod,
+                selected: false,
+                action: function () {
+                    var unwrappedExpression = ko.utils.unwrapObservable(self.expression);
+                    unwrappedExpression
+                        .CensoringCriteria.push({
+                        ObservationPeriod: new criteriaTypes.ObservationPeriod(
+                            null,
+                            unwrappedExpression.ConceptSets
+                        ),
+                    });
+                },
+            },
             {
                 ...constants.censoringEventList.addPayerPlanPeriod,
                 selected: false,
diff --git a/js/components/cohortbuilder/const.js b/js/components/cohortbuilder/const.js
index 755a2ddd2..92cb8edf9 100644
--- a/js/components/cohortbuilder/const.js
+++ b/js/components/cohortbuilder/const.js
@@ -95,7 +95,9 @@ define(["knockout"], function (ko) {
       title: 'const.eventsList.addObservationPeriod.title',
       defaultTitle: 'Add Observation Period',
       descriptionInitial: 'const.eventsList.addObservationPeriod.desc_initial',
-      defaultDescriptionInitial: 'Find patients based on observations.',
+      defaultDescriptionInitial: 'Find patients based on observation period.',
+      descriptionCensoring: 'const.eventsList.addObservationPeriod.desc_censoring',
+      defaultDescriptionCensoring: 'Exit cohort based on observaton period.',
       descriptionGroup: 'const.eventsList.addObservationPeriod.desc_group',
       defaultDescriptionGroup: 'Find patients based on observation periods.',
     },
@@ -1112,6 +1114,7 @@ define(["knockout"], function (ko) {
     'addDrugExposure',
     'addMeasurement',
     'addObservation',
+    'addObservationPeriod',
     'addPayerPlanPeriod',
     'addProcedureOccurrence',
     'addSpecimen',
diff --git a/js/config/app.js b/js/config/app.js
index 975941ed6..ec896db1d 100644
--- a/js/config/app.js
+++ b/js/config/app.js
@@ -1,3 +1,6 @@
+// Please remember to update the environmental variables in the Dockerfile and the docker config-local.js to reflect
+// any new settings introduced here
+
 define(function () {
   var appConfig = {};
 
diff --git a/js/pages/configuration/configuration.html b/js/pages/configuration/configuration.html
index ebbaf5493..831dcf859 100644
--- a/js/pages/configuration/configuration.html
+++ b/js/pages/configuration/configuration.html
@@ -135,6 +135,11 @@
 							<span data-bind="text:ko.i18n('configuration.buttons.clearServerCache', 'Clear Server Cache')"></span>
 						</a>
 					</div>
+					<div class="configuration__padded">
+						<a href="#" class="btn btn-sm btn-primary" data-bind="click: runDiagnostics">
+							<span data-bind="text: 'Run Diagnostics'"></span>
+						</a>
+					</div>
 				</div>
 			</div>
 		</div>
diff --git a/js/pages/configuration/configuration.js b/js/pages/configuration/configuration.js
index 76ac15225..a13723d96 100644
--- a/js/pages/configuration/configuration.js
+++ b/js/pages/configuration/configuration.js
@@ -260,6 +260,24 @@ define([
         buttonClass,
       }
     }
+
+    runDiagnostics() {
+      
+      const startTime = performance.now();
+
+      // get the list of isPermitted functions, except the literal isPermitted
+      for (const key in authApi) {
+        if (typeof authApi[key] === 'function' && key.startsWith('isPermitted') && key != 'isPermitted') {
+          authApi[key](); // Invoke the function
+        }
+      }
+
+      const endTime = performance.now();
+
+      const elapsedTime = endTime - startTime;
+      console.log(`Script execution time: ${elapsedTime} milliseconds`);
+
+    }
   }
 
   return commonUtils.build('ohdsi-configuration', Configuration, view);
diff --git a/js/services/AuthAPI.js b/js/services/AuthAPI.js
index 6c5a8a891..cd88bbb32 100644
--- a/js/services/AuthAPI.js
+++ b/js/services/AuthAPI.js
@@ -78,7 +78,7 @@ define(function(require, exports) {
             url: config.api.url + 'user/me',
             method: 'GET',
             success: function (info, textStatus, jqXHR) {
-                permissions(info.permissions.map(p => p.permission));
+                permissions(info.permissionIdx);  // read from permission index of User info
                 subject(info.login);
                 authProvider(jqXHR.getResponseHeader('x-auth-provider'));
                 fullName(info.name ? info.name : info.login);
@@ -176,32 +176,44 @@ define(function(require, exports) {
         }
     }
 
+    // adapted from https://github.com/apache/shiro/blob/fa518ec985fd192497cd04e2569041b2f469aead/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java#L201
+
     var checkPermission = function(permission, etalon) {
-        // etalon may be like '*:read,write:etc'
-        if (!etalon || !permission) {
+        // etalon may be like '*:read,write:etc', and is a permission assigned to the user.
+        // permission is the permission to check
+        if (!etalon || !permission) { // both must be non-null to perform a check
             return false;
         }
 
-        if (permission == etalon) {
+        if (permission == etalon) { // quick check: if equal on both sides, then permission is granted.
             return true;
         }
 
         var etalonLevels = etalon.split(':');
         var permissionLevels = permission.split(':');
 
-        if (etalonLevels.length != permissionLevels.length) {
-            return false;
+        var i = 0;
+        for (let permissionLevel of permissionLevels) {
+            // If this etalon has less parts than the permission, everything after the number of parts contained
+            // in this etalon is automatically implied, so return true
+            if (etalonLevels.length - 1 < i) {
+                return true;
+            } else {
+                var etalonPart = etalonLevels[i].split(',');
+                var permissionPart = permissionLevel.split(',');
+                if (!etalonPart.includes("*") && !permissionPart.every(pp => etalonPart.includes(pp))) {
+                    return false;
+                }
+            }
+            i++;
         }
-
-        for (var i = 0; i < permissionLevels.length; i++) {
-            var pLevel = permissionLevels[i];
-            var eLevels = etalonLevels[i].split(',');
-
-            if (eLevels.indexOf('*') < 0 && eLevels.indexOf(pLevel) < 0) {
+        // If etalon has more parts than the permission, return true if rest of eLevels contains wildcard
+        for (; i < etalonLevels.length; i++) { // loop through remaining etalonLevels
+            var etalonPart = etalonLevels[i].split(',');
+            if (!etalonPart.includes("*")) {
                 return false;
             }
         }
-
         return true;
     };
 
@@ -210,7 +222,11 @@ define(function(require, exports) {
             return true;
         }
 
-        var etalons = permissions();
+        if (!permissions()) return false;
+
+        firstPerm = permission.split(":")[0];
+
+        var etalons = [...(permissions()["*"] || []),  ...(permissions()[firstPerm]||[])];
         if (!etalons) {
             return false;
         }
@@ -254,6 +270,10 @@ define(function(require, exports) {
     }
     var refreshToken = function() {
 
+        if (!config.userAuthenticationEnabled) {
+            return Promise.resolve(true); // no-op if userAuthenticationEnabled == false
+        }
+
         if (!isPromisePending(refreshTokenPromise)) {
           refreshTokenPromise = httpService.doGet(getServiceUrl() + "user/refresh");
           refreshTokenPromise.then(({ data, headers }) => {
@@ -494,7 +514,7 @@ define(function(require, exports) {
 
 	const setAuthParams = (tokenHeader, permissionsStr = '') => {
         !!tokenHeader && token(tokenHeader);
-        !!permissionsStr && permissions(permissionsStr.split('|'));
+        !!permissionsStr && permissions(permissionsStr);
     };
 
     var resetAuthParams = function () {
@@ -517,9 +537,7 @@ define(function(require, exports) {
 
     const executeWithRefresh = async function(httpPromise) {
         const result = await httpPromise;
-        if (config.userAuthenticationEnabled) {
-            await refreshToken();
-        }
+        await refreshToken();
         return result;
     }
 
@@ -620,6 +638,7 @@ define(function(require, exports) {
         TOKEN_HEADER,
         runAs,
         executeWithRefresh,
+
     };
 
     return api;
diff --git a/package.json b/package.json
index 4eedb1fdd..c1d7b1082 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "atlas",
-  "version": "2.14.0-DEV",
+  "version": "2.15.0-DEV",
   "description": "is an open source software tool for researchers to conduct scientific analyses on standardized observational data converted to the OMOP Common Data Model V5",
   "main": "js/main.js",
   "scripts": {