Update details about tiered accounts

Author: maxvp

src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx

@@ -11,13 +11,13 @@ Only available on Enterprise plans. For more information, contact your account t
 
 Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level.
 
-The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post.
+The Tenant platform supports [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post.
 
 ## Get started
 
 {/* Don't need to surface much of the policy creation flow here */}
 
-To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/).
 
 ## Account types
 

src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx

@@ -17,24 +17,24 @@ Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/)
 
 {/* Don't need to surface much of the policy creation flow here */}
 
-To set up CLoudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/).
+To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/).
 
 ## Account types
 
 The Gateway Tenant platform supports tiered and siloed account configurations.
 
 ### Tiered accounts
 
-In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including:
+In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can add policies as needed while still being managed by the parent account. Organization owners can also configure child accounts independently from the parent account, including:
 
 - Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/)
 - Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/)
 - Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/)
 - Creating [lists](/cloudflare-one/policies/gateway/lists/)
 
-Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
+Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each child account in an organization. Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
 
-Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`.
+Gateway evaluates parent account policies before any child account policies. In a Cloudflare Organization, child accounts cannot bypass parent account policies. All traffic and corresponding policies, logs, and configurations for a child account will be contained to that child account. Organization owners can view logs for child accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately.
 
 ```mermaid
 flowchart TD
@@ -56,7 +56,6 @@ flowchart TD
   end
     n1 ~~~ n2
     n2 ~~~ n3
-    A["Tenant"] --Administers--> s1
     s1 -- "Applies policies to" --> s2 & s3
 
     n1@{ shape: lean-l}
@@ -66,9 +65,13 @@ flowchart TD
     n5@{ shape: lean-l}
 ```
 
+:::caution[Limitations]
+Organizational policies do not support egress policies, device posture selectors, private apps, or virtual networks.
+:::
+
 ### Siloed accounts
 
-In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately.
+In a siloed account configuration, each account operates independently within the same tenant. Organization owners manage each account's own security policies, resources, and configurations separately.
 
 ```mermaid
 flowchart TD
@@ -86,7 +89,7 @@ flowchart TD
  subgraph s3["Siloed account B"]
         n3["Block news"]
   end
-    A["Tenant"] -- Administers --> s1 & s3 & s2
+    A["Organization owner"] -- Administers --> s1 & s3 & s2
 
     n1@{ shape: lean-l}
     n2@{ shape: lean-l}