When a user's identity is first established for a multi-tenant database connection, the user's tenancy is set using the tenant information stored in the database's own domain configuration. Because a domain in one database can be configured with a different tenant identifier than the same domain configured in another database, the same user identity can have a different tenancy in each multi-tenant database that it accesses.

To help manage the tenancy of a given identity used to access the same set of multi-tenant databases in different ABL sessions (such as multiple AppServer agents), ABL caches its tenancy in the security token for the identity whenever it is first used to authenticate a connection to a multi-tenant database. If the same sealed security token is then used to authenticate a connection to the same database in a different ABL session, the tenancy for the connection identity can then be authorized without having to retrieve the same tenant information from the database. Also, at any point, the application can query the security token for its tenancy in any multi-tenant database it has been used to authenticate a connection identity. For more information on ABL management of tenant authorization across databases and sessions, see Managing identity for multi-tenancy.