Is it possible to dynamically change the channels a user has access to without disconnecting?

Yes, this can be achieved by issuing a re-authentication request from the client, which will in turn obtain a new token and send that token to Ably using the existing realtime connection. The capabilities (permissions) specified in that token will be automatically applied.  

Specifically, the client should call auth#authorize()

In some cases might know when it needs to re-authorize (e.g. if you're using an incremental auth model and the client gets an 'insufficient permissions' error when it attaches to a channel). In other cases you might want to remove some permission that the client currently has. There's no special mechanism for this; you can use whatever mechanism you normally use to communicate with the client to tell it to call authorize(), whether over Ably (a message sent by your auth server over an Ably channel that the client is listening on), or out-of-band.

(In the unusual case of a 'rogue client' which is ignoring your reauth instructions, the only option currently is to wait until the token expires, at which point the client will be forced to seek a new token from your auth server. If you're worried about this, you can reduce the token TTL (the duration that the token is valid for) from the default of one hour, though we recommend no longer than 10 minutes). You are now able to use our token revocation API . Please contact us if you are interested.