Re-add index

maxvp · maxvp · commit b0b16b9d7e39 · 2025-09-15T11:53:14.000-05:00
diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx
@@ -3,12 +3,95 @@ pcx_content_type: navigation
 title: Tiered policies
 sidebar:
   order: 15
-  group:
-    hideIndex: true
 ---
 
-import { DirectoryListing } from "~/components";
+:::note
+Only available on Enterprise plans. For more information, contact your account team.
+:::
 
-Zero Trust supports two types of Gateway tiered policy configurations:
+{/* TODO: Update the Orgs link with most up to date option */}
 
-<DirectoryListing />
+Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Tiered organizational policies support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies.
+
+## Get started
+
+{/* Don't need to surface much of the policy creation flow here */}
+
+To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/).
+
+## Account types
+
+The Gateway Tenant platform supports tiered and siloed account configurations.
+
+### Tiered accounts
+
+In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can add policies as needed while still being managed by the parent account. Organization owners can also configure child accounts independently from the parent account, including:
+
+- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/)
+- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/)
+- Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/)
+- Creating [lists](/cloudflare-one/policies/gateway/lists/)
+
+Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each child account in an organization. Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
+
+Gateway evaluates parent account policies before any child account policies. In a Cloudflare Organization, child accounts cannot bypass parent account policies. All traffic and corresponding policies, logs, and configurations for a child account will be contained to that child account. Organization owners can view logs for child accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately.
+
+```mermaid
+flowchart TD
+%% Accessibility
+ accTitle: How Gateway policies work in a tiered account configuration
+ accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration.
+
+%% Flowchart
+ subgraph s1["Parent account"]
+        n1["Block malware"]
+        n2["Block DNS tunnel"]
+        n3["Block spyware"]
+  end
+ subgraph s2["Child account A"]
+        n4["Block social media"]
+  end
+ subgraph s3["Child account B"]
+        n5["Block instant messaging"]
+  end
+    n1 ~~~ n2
+    n2 ~~~ n3
+    s1 -- "Applies policies to" --> s2 & s3
+
+    n1@{ shape: lean-l}
+    n2@{ shape: lean-l}
+    n3@{ shape: lean-l}
+    n4@{ shape: lean-l}
+    n5@{ shape: lean-l}
+```
+
+:::caution[Limitations]
+Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks.
+:::
+
+### Siloed accounts
+
+In a siloed account configuration, each account operates independently within the same tenant. Organization owners manage each account's own security policies, resources, and configurations separately.
+
+```mermaid
+flowchart TD
+%% Accessibility
+ accTitle: How Gateway policies work in a siloed account configuration
+ accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration.
+
+%% Flowchart
+ subgraph s1["Siloed account A"]
+        n1["Block social media"]
+  end
+ subgraph s2["Siloed account C"]
+        n2["Block instant messaing"]
+  end
+ subgraph s3["Siloed account B"]
+        n3["Block news"]
+  end
+    A["Organization owner"] -- Administers --> s1 & s3 & s2
+
+    n1@{ shape: lean-l}
+    n2@{ shape: lean-l}
+    n3@{ shape: lean-l}
+```
diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx
@@ -2,7 +2,7 @@
 pcx_content_type: get-started
 title: Managed service providers (MSPs)
 sidebar:
-  order: 3
+  order: 2
 ---
 
 :::note
diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx
