Commit 812361c

typo, moved rbac statement
1 parent 3318c02 commit 812361c

2 files changed

+5
-5
lines changed

articles/search/search-document-level-access-overview.md

Lines changed: 2 additions & 2 deletions
@@ -55,8 +55,8 @@ To help you dive deeper into document-level access control in Azure AI Search, h
5555

5656
| Functionality | Reference | Sample |
5757
|---|---|
58-
| **Index permissions using Push APIs** | [Index permissions using REST API](search-index-access-control-lists-and-rbac-push-api.md) | [https://github.com/Azure-Samples/azure-search-rest-samples/Quickstart-ACL](https://github.com/Azure-Samples/azure-search-rest-samples-pr/tree/main/Quickstart-ACL) or [https://github.com/Azure-Samples/azure-search-python-samples/Quickstart-ACL](https://github.com/Azure-Samples/azure-search-python-samples-pr/blob/main/Quickstart-ACL) or |
59-
| **Index ADLS Gen2 permissions metadata using built-in indexers** | [Index permissions using ADLS Gen2 indexer](search-indexer-access-control-lists-and-role-based-access.md) | [https://github.com/Azure-Samples/azure-search-python-samples/Quickstart-Document-Permissions](https://github.com/Azure-Samples/azure-search-python-samples/blob/main/Quickstart-Document-Permissions) |
58+
| **Index permissions using Push APIs** | [Index permissions using REST API](search-index-access-control-lists-and-rbac-push-api.md) | [azure-search-rest-samples/Quickstart-ACL](https://github.com/Azure-Samples/azure-search-rest-samples-pr/tree/main/Quickstart-ACL) or [azure-search-python-samples/Quickstart-ACL](https://github.com/Azure-Samples/azure-search-python-samples-pr/blob/main/Quickstart-ACL) |
59+
| **Index ADLS Gen2 permissions metadata using built-in indexers** | [Index permissions using ADLS Gen2 indexer](search-indexer-access-control-lists-and-role-based-access.md) | [azure-search-python-samples/Quickstart-Document-Permissions](https://github.com/Azure-Samples/azure-search-python-samples/blob/main/Quickstart-Document-Permissions) |
6060
| **Query using Microsoft Entra token-based permissions** | [Query using Microsoft Entra token-based permissions](https://aka.ms/azs-query-preserving-permissions) | See previous samples. |
6161
| **Security trimming via filters** | [Security trimming via filters](search-security-trimming-for-azure-search.md) | Not available. |
6262

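Review bot: On added line 58 the shortened link labels read azure-search-rest-samples/Quickstart-ACL and azure-search-python-samples/Quickstart-ACL, but both targets point at repositories with a -pr suffix (azure-search-rest-samples-pr, azure-search-python-samples-pr), while the link on line 59 goes to azure-search-python-samples without the suffix. With the full URL no longer shown as the label, the reader cannot see that difference, so either make the labels match the targets or confirm the -pr URLs are the ones intended for publication. While this table is being edited, the separator row on line 57 (`|---|---|`) has two columns under a three-column header and should be `|---|---|---|`.
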
articles/search/search-query-access-control-rbac-enforcement.md

Lines changed: 3 additions & 3 deletions
@@ -38,11 +38,11 @@ The end-user application sends user permission as part of the search query reque
3838
| groupIds | Group membership fetched using the [Microsoft Graph](/graph/api/resources/groups-overview) API |
3939
| rbacScope | Permissions the user from `x-ms-query-source-authorization` has on a storage container |
4040

41-
For Azure RBAC, permissions are list of resource ID strings, and there must an Azure role assignment (Storage Blob Data Reader) on the data the source that grants access to the security principal token in the authorization header. The filter excludes documents if there's no role assignment for the principal behind the access token on the request.
42-
43-
### 2. Security filter construction
41+
### 2. Security filter construction
4442
Azure AI Search dynamically constructs security filters based on the user permissions provided. These security filters are automatically appended to any filters that might come in with the query if the index has the permission filter option enabled.
4543

44+
For Azure RBAC, permissions are list of resource ID strings, and there must an Azure role assignment (Storage Blob Data Reader) on the data the source that grants access to the security principal token in the authorization header. The filter excludes documents if there's no role assignment for the principal behind the access token on the request.
45+
4646
### 3. Results filtering
4747
The security filter efficiently matches the userIds, groupIds, and rbacScope from the user against each list of ACLs in every document in the search index to limit the results returned to ones the user has access to. It's important to note that each filter is applied independently and a document is considered authorized if any filter succeeds. For example, if a user has access to a document through userIds but not through groupIds, the document is still considered valid and returned to the user.
4848

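Review bot: The paragraph moved to added line 44 still carries the wording errors it had at old line 41, although the commit message says a typo was fixed: "permissions are list of", "there must an Azure role assignment", and "on the data the source". This sentence states the condition under which the filter excludes documents for Azure RBAC, so it needs to read unambiguously; suggest "permissions are a list of resource ID strings, and there must be an Azure role assignment (Storage Blob Data Reader) on the data source that grants access to the security principal token in the authorization header". Also check the new placement: the rbacScope row this paragraph explains stays in the table above the "2. Security filter construction" heading, so a reader of that table no longer sees the role-assignment requirement next to it.
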