You can manage LDAP connections and access permissions for domain users on the System → SSO page.
Creating an LDAP connection
Editing an LDAP connection
Deleting an LDAP connection
Only administrators of the general tenant can delete an LDAP connection. The LDAP connection is deleted in all tenants. In addition, the previously configured access permissions of the domain users associated with this LDAP connection are deleted. At the same time, those domain users' existing sessions remain active until their lifetime expires.
Mapping PT AF roles and Microsoft Active Directory groups
The domain users' permissions in a tenant are determined by the mapping between Microsoft Active Directory groups and PT AF roles. It is recommended that each domain user have access to only one tenant and only one role in it.
Otherwise, at their first login to PT AF, the user is authenticated in only one of the available tenants, selected by an internal algorithm. That tenant is assigned as the only tenant available to the user (the default tenant). Likewise, if several roles match, the algorithm assigns the user only one of them.
Changing mapping between PT AF roles and Microsoft Active Directory groups
Deleting a mapping between PT AF roles and Microsoft Active Directory groups
Whether a domain user can log in after a mapping is deleted depends on whether other mappings are configured for this user, and on whether they logged in to PT AF before the mapping was deleted.
If other mappings are configured for the user, they can log in to the same tenant with another role or to a different tenant, according to the mapping selected by the internal algorithm (the default tenant will change). Access rules are updated after synchronization with Microsoft Active Directory (scheduled or started manually).
If no other mappings exist and the user has previously logged in to PT AF, the user can continue working in PT AF with the previous role. If no other mappings exist and the user has not previously logged in to PT AF, the user will not be able to log in.
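To assess the impact of deleting a mapping before doing it, the three outcomes described above (re-mapped after the next AD sync, keeps the previous role, or locked out) can be modelled against a list of mappings and domain users. The following is an added illustrative example, not PT AF code; it assumes first-match selection in place of PT AF's undocumented internal algorithm, and the group names and users are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# One AD group grants one PT AF role in one tenant (as described on this page).
@dataclass(frozen=True)
class Mapping:
    group: str   # AD group name (constructed sample values below)
    tenant: str
    role: str

@dataclass(frozen=True)
class DomainUser:
    name: str
    groups: FrozenSet[str]
    logged_in_before: bool  # has this user logged in to PT AF at least once?

Access = Optional[Tuple[str, str]]  # (tenant, role) or None when nothing matches

def resolve(user: DomainUser, mappings: List[Mapping]) -> Access:
    """Pick the single (tenant, role) a user receives from the mappings that
    match their groups. ASSUMPTION: first match in list order stands in for
    PT AF's internal selection algorithm, which the page does not document."""
    for m in mappings:
        if m.group in user.groups:
            return (m.tenant, m.role)
    return None

def impact_of_deleting(deleted: Mapping, mappings: List[Mapping],
                       users: List[DomainUser]) -> Dict[str, str]:
    """Classify each user by what happens to their access once `deleted` is gone."""
    remaining = [m for m in mappings if m != deleted]
    report: Dict[str, str] = {}
    for u in users:
        if resolve(u, mappings) != (deleted.tenant, deleted.role):
            report[u.name] = "unaffected"  # access did not come from this mapping
            continue
        new = resolve(u, remaining)
        if new is not None:
            report[u.name] = f"re-mapped to {new[0]}/{new[1]} after next AD sync"
        elif u.logged_in_before:
            report[u.name] = "keeps previous role"
        else:
            report[u.name] = "cannot log in"
    return report

# Constructed sample data, not taken from any real deployment.
MAPPINGS = [Mapping("AF-Admins", "general", "Administrator"),
            Mapping("AF-Analysts", "tenant-a", "Analyst"),
            Mapping("AF-Viewers", "tenant-b", "Viewer")]
USERS = [DomainUser("alice", frozenset({"AF-Admins", "AF-Analysts"}), True),
         DomainUser("bob", frozenset({"AF-Analysts", "AF-Viewers"}), True),
         DomainUser("carol", frozenset({"AF-Analysts"}), True),
         DomainUser("dave", frozenset({"AF-Analysts"}), False)]

if __name__ == "__main__":
    for name, status in impact_of_deleting(MAPPINGS[1], MAPPINGS, USERS).items():
        print(f"{name}: {status}")
```

Running it against the sample data shows that only dave, who never logged in and has no other mapping, is locked out; carol keeps her previous role until an administrator changes it.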
Starting synchronization with Microsoft Active Directory manually
Only administrators of the general tenant can start the synchronization process.