Feature Request
Resolution: Unresolved
2.5
In AAP 2.5 there are five different types of authentication mappings, namely: Allow, Organization, Team, Role, Superuser. Consider the following situation:
- AAP admins configure an authentication mapping to grant superuser permissions to a specific LDAP group or user.
- A user with the correct attributes logs into AAP and gets superuser permissions.
- AAP admins now delete that authentication mapping.
- The superuser permission will now never be removed from that user.
The above example can also be carried over to all of the five types of authentication mapping and could be a security or compliance issue for the customer if some users continue to have permissions that they shouldn't have.
I'm aware there is the Revoke checkbox on authentication mappings, but that only helps if the mapping is not deleted from AAP.
The AAP platform should somehow ensure that permissions users get from an authentication mapping are removed if that mapping is removed.
- depends on: AAPRFE-1995 Revoke should be the default setting for allow mapping
- Backlog
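The scenario in this request, modelled as an added example (not AAP code and not part of the original ticket): each grant records the mapping that produced it, so deleting a mapping can either leave stale grants, as described, or revoke them while keeping permissions that another live mapping still justifies. The `Mapping` and `Grant` classes, all function names, and the LDAP group names are hypothetical; AAP's actual data model is not shown on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:              # hypothetical model, not AAP's schema
    id: int
    kind: str               # allow / organization / team / role / superuser
    target: str             # permission granted, e.g. "superuser"
    ldap_group: str         # group membership that triggers the mapping

@dataclass(frozen=True)
class Grant:                # permission plus the mapping that produced it
    user: str
    target: str
    mapping_id: int

def login(user, groups, mappings, grants):
    """Record one grant per matching mapping, keeping its provenance."""
    for m in mappings:
        if m.ldap_group in groups:
            grants.add(Grant(user, m.target, m.id))

def delete_mapping(mapping_id, mappings, grants, cascade):
    """Remove a mapping; with cascade=True also drop the grants it produced."""
    mappings[:] = [m for m in mappings if m.id != mapping_id]
    if cascade:
        grants.difference_update({g for g in grants if g.mapping_id == mapping_id})

def stale_grants(mappings, grants):
    """Grants whose source mapping no longer exists."""
    live = {m.id for m in mappings}
    return sorted((g.user, g.target) for g in grants if g.mapping_id not in live)

def effective(grants):
    """A user holds a permission while at least one grant for it remains."""
    return {(g.user, g.target) for g in grants}

def scenario(cascade):
    # Constructed sample data: two superuser mappings and one team mapping.
    mappings = [Mapping(1, "superuser", "superuser", "cn=aap-admins"),
                Mapping(2, "team", "team:netops", "cn=netops"),
                Mapping(3, "superuser", "superuser", "cn=break-glass")]
    grants = set()
    login("alice", {"cn=aap-admins", "cn=netops"}, mappings, grants)
    login("bob", {"cn=aap-admins", "cn=break-glass"}, mappings, grants)
    delete_mapping(1, mappings, grants, cascade)
    return stale_grants(mappings, grants), effective(grants)

if __name__ == "__main__":
    for cascade in (False, True):
        print(cascade, *scenario(cascade))
```

With `cascade=False` the deleted mapping leaves two stale superuser grants; with `cascade=True` alice loses superuser while bob keeps it through the remaining mapping.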