Add flowchart 1

Author: maxvp

src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx

@@ -9,32 +9,58 @@ sidebar:
 Only available on Enterprise plans. For more information, contact your account team.
 :::
 
-Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With Tenant, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a organization group or account level.
+Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or account level.
 
-The Tenant platform only supports Gateway DNS policies.
+The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post.
 
 ## Get started
 
 {/* Don't need to surface much of the policy creation flow here */}
 
-To set up the Tenant API, refer to [Get started](/tenant/get-started/).
-
-Once you have provisioned your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
 
 ## Account types
 
-The Gateway Tenant platform supports tiered and siloed accounts.
+The Gateway Tenant platform supports tiered and siloed account configurations.
 
 ### Tiered accounts
 
-{/* TODO: convert first diagram from blog post to mermaid flowchart */}
-
 In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still managed by the parent account.
 
-Gateway evaluates parent account policies before a child account policies. To allow a child account to override a parent account's policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`.
+Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`.
+
+```mermaid
+flowchart TD
+%% Accessibility
+ accTitle: How Gateway policies work in a tiered account configuration
+ accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration.
+
+%% Flowchart
+ subgraph s1["Parent account"]
+        n1["Block malware"]
+        n2["Block DNS tunnel"]
+        n3["Block spyware"]
+  end
+ subgraph s2["Child account A"]
+        n4["Block social media"]
+  end
+ subgraph s3["Child account B"]
+        n5["Block instant messaging"]
+  end
+    n1 ~~~ n2
+    n2 ~~~ n3
+    A["Tenant"] --Administers--> s1
+    s1 --> s2 & s3
+
+    n1@{ shape: lean-l}
+    n2@{ shape: lean-l}
+    n3@{ shape: lean-l}
+    n4@{ shape: lean-l}
+    n5@{ shape: lean-l}
+```
 
 ### Siloed accounts
 
 {/* TODO: convert second diagram from blog post to mermaid flowchart */}
 
-Each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately.
+In a siloed account configuration, each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately.