Hi ROY30426
1- Yes, users can be in different forests (authentication provider server: AD or LDAP), but they will be able to log on only against specific tenant(s). If a user has to be able to access multiple tenants, the Identities service configuration will be more challenging (and requires user and group filtering at the tenant level).
This is only possible with a multi-tenancy deployment and from Viya 3.4.
See this section for the case with separate LDAP Servers per Tenant.
https://go.documentation.sas.com/?docsetId=dplyml0phy0lax&docsetTarget=n15hhewllr5ji2n1sxf96imqvtpj.htm&docsetVersion=3.4&locale=en#n1o63hqzwa1ry8n1glia1d2x92ib
Please note that the multi-tenancy configuration is documented partly in the Viya deployment guide and partly in the Viya administration guide.
2- If the deployment is a multi-tenancy deployment, yes, this can be configured later. In the initial deployment, the Identities service can use a single authentication provider for all tenants. Then the Identities service can be reconfigured to use a different authentication provider per tenant. (However, it is impossible to move from a single-tenant deployment to a multi-tenancy deployment without having to redeploy Viya.)
Finally, keep in mind that implementing Multi-tenancy is quite complex and has many implications - it answers specific use cases, so please make sure you understand them well and ensure they correspond to your customer's needs. If your goal is only to address the constraint of having Viya users in different LDAPs, you might want to explore alternative scenarios such as implementing an LDAP proxy and modifying your Identities service configuration to use it - or separating the Viya environments (if it is possible in your context).
In any case, if you plan to implement Multi-tenancy, I would recommend that you involve your local SAS representative and see how SAS Professional Services could help you.
Hope that helps.
Thanks
Raphael