Today, we upgraded from 2019.3.5 LTS to 2019.6.0 LTS. Now, any user whose only membership is on a team having the “Project deployer” role restricted to any set of tenants cannot select the associated environment when deploying a release. This is not a least privilege effect, as I can add an affected user to an additional team without tenant restrictions, and they are then able to deploy to the previously disallowed environment.
This effect persisted through deletion and recreation of the teams and restarts of the server and tentacle services. Health checks of the targets were successful.
For now, I have removed all tenants from roles. This gives more access than we wish to, of course. This was working as expected in 2019.3.5.