8 changes: 8 additions & 0 deletions docs/authentication/ldap.md
@@ -62,6 +62,14 @@ For the above levels there are 4 role mappings which are required fields:
- **backupAdminRole** : The user that has administration privileges to create and manage backups. Has read-only access to the rest of the AxonOps server pages and components.
- **readOnlyRole** : A basic read-only role that cannot modify any configuration in AxonOps.

!!! info "Users in more than one group"

Group memberships add up — they never cancel each other out. When a user belongs to several of the mapped groups, AxonOps grants them the **highest** level of access that any of those groups provides.

- A user who is in both a read-only group and a superuser group is granted **superuser** access.
- Access granted at a broader scope still applies within narrower ones. A user with a `_global_` admin role plus a read-only role on a single cluster keeps **admin** access on that cluster.
- Permissions for different clusters are kept separate. A user who is an admin on one cluster and read-only on another keeps each level on its own cluster.

Distinguished Names that are used in the role mappings can comprise of the following parts which define hierarchical structure in a LDAP directory.

- **CN** = Common Name
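Review bot: the new admonition (`!!! info "Users in more than one group"`) states that the highest mapped level always wins, but it should spell out the least-privilege consequence of the third bullet: a per-cluster `readOnlyRole` mapping can never narrow a `_global_` admin mapping, so an operator who wants a user restricted to read-only on one cluster must remove that user from the global admin group rather than add a read-only mapping for the cluster. A sentence such as "To restrict a user on a specific cluster, remove them from any `_global_` group that grants a higher level; a narrower read-only mapping does not override it." would make that explicit. The note also only covers users who match at least one mapped group; it would help to say what happens to an LDAP user who matches none of the four mappings (login denied, or some default level), since that is the case an administrator auditing access will ask about first. Minor nit in the unchanged context line: "can comprise of the following parts" should read "can comprise the following parts" or "can consist of the following parts".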