...
After version 2.0.0, when group membership changes, LO adds the user to the access group for every processed request before authorization checks are performed. If the user is not authorized, they are removed after a certain time.
This means that you can also configure your SSO to add users to the groups that provide application access during SSO authentication (this is sometimes recommended).
...