From fbd515db0e2bbec4ebf28368e42f4ec36a566dd0 Mon Sep 17 00:00:00 2001 From: Jim Galasyn Date: Tue, 5 Sep 2017 18:08:38 -0700 Subject: [PATCH] Add explanation of default role for new users (#4515) * Add explanation of default role for new users * Incorporate feedback --- .../admin/configure/external-auth/index.md | 35 +++++++++++-------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/datacenter/ucp/2.2/guides/admin/configure/external-auth/index.md b/datacenter/ucp/2.2/guides/admin/configure/external-auth/index.md index c3e18388c1..4afb09d193 100644 --- a/datacenter/ucp/2.2/guides/admin/configure/external-auth/index.md +++ b/datacenter/ucp/2.2/guides/admin/configure/external-auth/index.md @@ -28,13 +28,18 @@ authenticate users. In the **LDAP Enabled** section, click **Yes** to The LDAP settings appear. Now configure your LDAP directory integration. -## Default Role For All Private Collections +## Default role for all private collections -Click the dropdown to select the permission level assigned by default to -the private collections of new users. +Use this setting to change the default permissions of new users. + +Click the dropdown to select the permission level that UCP assigns by default +to the private collections of new users. For example, if you change the value +to `View Only`, all users who log in for the first time after the setting is +changed have `View Only` access to their private collections, but permissions +remain unchanged for all existing users. [Learn more about permission levels](../../../access-control/permission-levels.md). -## LDAP Enabled +## LDAP enabled Click **Yes** to enable integrating UCP users and teams with LDAP servers. 
@@ -48,7 +53,7 @@ Click **Yes** to enable integrating UCP users and teams with LDAP servers. | Use Start TLS | Whether to authenticate/encrypt the connection after connecting to the LDAP server over TCP. If you set the LDAP Server URL field with `ldaps://`, this field is ignored. | | Skip TLS verification | Whether to verify the LDAP server certificate when using TLS. The connection is still encrypted but vulnerable to man-in-the-middle attacks. | | No simple pagination | If your LDAP server doesn't support pagination. | -| Just-In-Time User Provisioning | Whether to create user accounts only when users log in for the first time. The default valu eof `true` is recommended. | +| Just-In-Time User Provisioning | Whether to create user accounts only when users log in for the first time. The default value of `true` is recommended. | ![](../../../images/ldap-integration-1.png){: .with-border} @@ -77,7 +82,7 @@ again. This is useful in cases where users may be found in multiple distinct subtrees of your organization's directory. Any user entry which matches at least one of the search configurations will be synced as a user. -## LDAP Test Login +## LDAP test login | Field | Description | | :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | @@ -88,7 +93,7 @@ Before you save the configuration changes, you should test that the integration is correctly configured. You can do this by providing the credentials of an LDAP user, and clicking the **Test** button. -## LDAP Sync Configuration +## LDAP sync configuration | Field | Description | | :------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -104,20 +109,22 @@ You can also manually synchronize users by clicking **Sync Now**. ## Revoke user access -When a user is removed from LDAP, that user becomes inactive after the LDAP -synchronization runs. +When a user is removed from LDAP, the effect on the user's UCP account depends +on the **Just-In-Time User Provisioning** setting: -Also, when you switch from the built-in authentication to using LDAP -authentication, all manually created users whose usernames do not match any -LDAP search results become inactive, with the exception of the recovery admin -user which can still login with the recovery admin password. +- **Just-In-Time User Provisioning** is `false`: Users deleted from LDAP become + inactive in UCP after the next LDAP synchronization runs. +- **Just-In-Time User Provisioning** is `true`: Users deleted from LDAP can't + authenticate, but their UCP accounts remain active. This means that they can + use their client bundles to run commands. To prevent this, deactivate their + UCP user accounts. ## Data synced from your organization's LDAP directory UCP saves a minimum amount of user data required to operate. This includes the value of the username and full name attributes that you have specified in the configuration as well as the distinguished name of each synced user. -UCP does not query, or store any additional data from the directory server. +UCP does not store any additional data from the directory server. ## Sync teams
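Review bot: In the `@@ -28,13 +28,18 @@` hunk, the added example puts the UI value in code font (`View Only`) while the rest of this page bolds UI control values (**Yes**, **Test**); use **View Only** for consistency. The new opening sentence "Use this setting to change the default permissions of new users." also says less than the paragraph that follows it; either drop it or make it state the scope the hunk is actually documenting, for example "This setting controls only the permissions new users receive on their own private collections; existing users are not affected."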
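Review bot: In the `@@ -48,7 +53,7 @@` hunk the typo fix ("valu eof" to "value of") is correct, but the same row recommends the default of `true` without mentioning the consequence this patch documents later under "Revoke user access": with Just-In-Time User Provisioning enabled, users deleted from LDAP keep active UCP accounts and can still use their client bundles until an admin deactivates them. Add a pointer from this table row to that section so the recommendation and its caveat are read together.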
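Review bot: The heading-case changes in the `@@ -77,7 +82,7 @@` hunk ("LDAP test login") and the matching `@@ -88,7 +93,7 @@` hunk ("LDAP sync configuration") are consistent with the other headings this patch rewrites; no change needed, but check that any headings in this file outside the touched hunks are in sentence case too so the page does not end up mixed.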
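Review bot: The `@@ -104,20 +109,22 @@` hunk deletes the paragraph about switching from built-in authentication to LDAP (manually created users whose usernames match no LDAP search result become inactive, except the recovery admin user, who can still log in with the recovery admin password). Nothing else in the visible text covers that behaviour, and an admin performing the migration needs it, so restore it as a separate paragraph or section rather than dropping it. In the new `true` bullet, "deactivate their UCP user accounts" should link to the page that explains how, and it is worth stating outright that the LDAP sync will not do this for you. Finally, changing "UCP does not query, or store any additional data" to "UCP does not store any additional data" narrows the claim; confirm that is intended, since the sync does query the directory with the configured search configurations (the `-77` hunk context says any user entry matching a search configuration is synced), so the old wording was arguably inaccurate and the new one is the defensible statement.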