4 changes: 4 additions & 0 deletions public/__redirects
Expand Up @@ -2382,6 +2382,10 @@

# Cloudflare One nav revamp
/cloudflare-one/connections/ /cloudflare-one/ 301
/cloudflare-one/identity/users/ /cloudflare-one/team-and-resources/users/ 301
/cloudflare-one/identity/users/session-management/ /cloudflare-one/team-and-resources/users/session-management/ 301
/cloudflare-one/identity/users/seat-management/ /cloudflare-one/team-and-resources/users/seat-management/ 301
/cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301
/cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
/cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
/cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
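Review bot: the four new redirects for `/cloudflare-one/identity/users/` are exact paths, whereas the neighbouring rules in this block (`/cloudflare-one/connections/connect-devices/*`, `/cloudflare-one/policies/gateway/*`) use a `/*` pattern with `:splat`. Any `identity/users/` sub-page not listed here will 404 after the move; consider a catch-all such as `/cloudflare-one/identity/users/* /cloudflare-one/team-and-resources/users/:splat 301` after the explicit rules, or confirm that these four pages are the only ones under that path.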
Expand Up @@ -6,7 +6,7 @@ products:
- access
---

[Cloudflare Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](/cloudflare-one/insights/logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.
[Cloudflare Zero Trust SCIM provisioning](/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](/cloudflare-one/insights/logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.

SCIM logs can be found on the Zero Trust Dashboard under **Logs** -> **SCIM provisioning**.

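Review bot: since this changelog line is being touched anyway, `all create, update and delete event` should read `events`, and `SCIM Enabled IdP` should be `SCIM-enabled IdP`; the rest of the change is a link path update only.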
Expand Up @@ -133,7 +133,7 @@ To require only one country and one email ending:

When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.

Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/team-and-resources/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.

| Selector | Description | Checked at login | Checked continuously<sup>1</sup> | Identity-based selector? |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ |
Expand All @@ -149,7 +149,7 @@ Non-identity attributes are polled continuously, meaning they are-evaluated with
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ | ❌ |
| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ |
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ |
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). | ✅ | ❌ | ✅ |
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ |
| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. | ✅ | ❌ | ✅ |
| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ |
| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | ❌ |
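Review bot: the edited line still carries the typo `they are-evaluated`, which should read `they are re-evaluated`; worth fixing in the same commit. Also, the `/cloudflare-one/identity/service-tokens/` and `/cloudflare-one/identity/devices/` links in the unchanged context rows of this table are still under `/identity/`; confirm those pages are not part of the nav revamp, or add redirects for them in `public/__redirects`.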
Expand Up @@ -17,7 +17,7 @@ To create a reusable Access policy:
2. Select **Add a policy**.
3. Enter a **Policy name**.
4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy.
5. Choose a [**Session duration**](/cloudflare-one/identity/users/session-management/) for the policy.
5. Choose a [**Session duration**](/cloudflare-one/team-and-resources/users/session-management/) for the policy.
6. Configure as many [**Rules**](/cloudflare-one/access-controls/policies/#rule-types) as needed.
7. (Optional) Configure additional settings for users who match this policy:
- [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/).
Expand Up @@ -54,7 +54,7 @@ Next, we will obtain **Identity provider metadata** from Zero Trust.

:::caution[Important]

Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/identity/users/scim/). Make sure that:
Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/). Make sure that:

1. Users are created in both your identity provider and AWS.
2. Users have matching usernames in your identity provider and AWS.
Expand Up @@ -103,7 +103,7 @@ To add additional OIDC claims onto the ID token sent to your SaaS application, c

### Access token lifetime

The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/identity/users/session-management/), otherwise the global session would take precedence.
The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/team-and-resources/users/session-management/), otherwise the global session would take precedence.

:::note

Expand Up @@ -102,7 +102,7 @@ To view all available filters, type `warp-cli target list --help`.

## Revoke a user's session

To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/team-and-resources/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.

## Infrastructure policy selectors

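Review bot: the new link keeps the `#per-user` fragment; confirm the moved `session-management` page retained that heading, since a 301 in `public/__redirects` preserves the path but does nothing for a renamed anchor. The same check applies to `#enable-seat-expiration`, `#log-out-as-a-user` and `#remove-a-user` in the hunks below.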
2 changes: 1 addition & 1 deletion src/content/docs/cloudflare-one/changelog/access.mdx
Expand Up @@ -53,7 +53,7 @@ Admins can now use [Access for Infrastructure](/cloudflare-one/networks/connecto

**Reduce automatic seat deprovisioning minimum to 1 month, down from 2 months.**

Admins can now configure Zero Trust seats to [automatically expire](/cloudflare-one/identity/users/seat-management/#enable-seat-expiration) after 1 month of user inactivity. The previous minimum was 2 months.
Admins can now configure Zero Trust seats to [automatically expire](/cloudflare-one/team-and-resources/users/seat-management/#enable-seat-expiration) after 1 month of user inactivity. The previous minimum was 2 months.

## 2024-06-06

Expand Up @@ -33,4 +33,4 @@ To log out of an App Launcher session, go to:

`<your-team-name>.cloudflareaccess.com/cdn-cgi/access/logout`

For more information, refer to our [session management page](/cloudflare-one/identity/users/session-management/#log-out-as-a-user).
For more information, refer to our [session management page](/cloudflare-one/team-and-resources/users/session-management/#log-out-as-a-user).
Expand Up @@ -63,7 +63,7 @@ The payload contains the actual claim and user information to pass to the applic
| iss | The Cloudflare Access domain URL for the application. |
| type | The type of Access token (`app` for application token or `org` for global session token). |
| identity_nonce | A cache key used to get the [user's identity](#user-identity). |
| sub | The ID of the user. This value is unique to an email address per account. The user would get a different `sub` if they are [removed](/cloudflare-one/identity/users/seat-management/#remove-a-user) and re-added to your Zero Trust organization, or if they log into a different organization. |
| sub | The ID of the user. This value is unique to an email address per account. The user would get a different `sub` if they are [removed](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) and re-added to your Zero Trust organization, or if they log into a different organization. |
| country | The country where the user authenticated from. |

#### Custom SAML attributes and OIDC claims