diff --git a/public/__redirects b/public/__redirects
index 8e6429f83b0ce1..9966e948cd028a 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -2384,11 +2384,15 @@
 # Cloudflare One nav revamp
 /cloudflare-one/connections/ /cloudflare-one/ 301
 /cloudflare-one/identity/users/ /cloudflare-one/team-and-resources/users/ 301
-/cloudflare-one/identity/users/session-management/ /cloudflare-one/team-and-resources/users/session-management/ 301
+/cloudflare-one/identity/users/session-management/ /cloudflare-one/access-controls/access-settings/session-management/ 301
 /cloudflare-one/identity/users/seat-management/ /cloudflare-one/team-and-resources/users/seat-management/ 301
 /cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301
 /cloudflare-one/applications/login-page/ /cloudflare-one/reusable-components/custom-pages/access-login-page/ 301
 /cloudflare-one/applications/block-page/ /cloudflare-one/reusable-components/custom-pages/access-block-page/ 301
+/cloudflare-one/applications/app-library/ /cloudflare-one/team-and-resources/app-library/ 301
+/cloudflare-one/applications/bookmarks/ /cloudflare-one/access-controls/applications/bookmarks/ 301
+/cloudflare-one/applications/app-launcher/ /cloudflare-one/access-controls/access-settings/app-launcher/ 301
+/cloudflare-one/applications/ /cloudflare-one/access-controls/applications/http-apps/ 301
 /cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
 /cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
diff --git a/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx b/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx
index 207c7dc04d549f..7a299ce880dfb2 100644
--- a/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx
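Review bot: No redirect is added for `/cloudflare-one/team-and-resources/users/session-management/`, the path this commit vacates by renaming the page; the `public/__redirects` hunk only retargets the older `/cloudflare-one/identity/users/session-management/` rule. Unless a rule elsewhere in the file already covers it, existing links to that URL, including the `#per-user` revocation and `#log-out-as-a-user` anchors that other pages in this commit link to, will stop resolving. I would add `/cloudflare-one/team-and-resources/users/session-management/ /cloudflare-one/access-controls/access-settings/session-management/ 301` next to the retargeted line. The new `/cloudflare-one/applications/` rule is also an exact match with no `/*` counterpart, so any child page under that prefix that is not listed individually would need its own rule.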
+++ b/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx @@ -12,7 +12,7 @@ import { Aside } from '@astrojs/starlight/components'; Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources. ### What's New -- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/applications/)**: Grant admin permissions to specific Access Applications. +- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications. - **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/identity/)**: Grant admin permissions to individual Identity Providers. - **[Targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets diff --git a/src/content/docs/cloudflare-one/applications/app-launcher.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/app-launcher.mdx similarity index 93% rename from src/content/docs/cloudflare-one/applications/app-launcher.mdx rename to src/content/docs/cloudflare-one/access-controls/access-settings/app-launcher.mdx index 198993a48dee3e..64a4fcdcd58e98 100644 --- a/src/content/docs/cloudflare-one/applications/app-launcher.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/app-launcher.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: App Launcher sidebar: - order: 11 + order: 1 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/index.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/index.mdx new file mode 100644 index 00000000000000..11780c38477c80 
--- /dev/null +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/index.mdx @@ -0,0 +1,13 @@ +--- +pcx_content_type: navigation +title: Access settings +sidebar: + order: 6 + group: + hideIndex: true +--- + +import { DirectoryListing } from "~/components"; + + + diff --git a/src/content/docs/cloudflare-one/team-and-resources/users/session-management.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx similarity index 99% rename from src/content/docs/cloudflare-one/team-and-resources/users/session-management.mdx rename to src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx index 5e7d32864531ec..20282fb8b2b70f 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/users/session-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Session management sidebar: - order: 3 + order: 2 --- import { GlossaryTooltip, Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/applications/bookmarks.mdx b/src/content/docs/cloudflare-one/access-controls/applications/bookmarks.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/bookmarks.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/bookmarks.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx index 1b44964f412470..4d78c00b846c9f 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx 
@@ -58,7 +58,7 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro 13. Select **Next**. -14. Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://.example-app.com`) but could be a different value. +14. Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://.example-app.com`) but could be a different value. 15. 
@@ -103,7 +103,7 @@ To add additional OIDC claims onto the ID token sent to your SaaS application, c ### Access token lifetime -The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/team-and-resources/users/session-management/), otherwise the global session would take precedence. +The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. 
The refresh token lifetime should be less than your [global session duration](/cloudflare-one/access-controls/access-settings/session-management/), otherwise the global session would take precedence. :::note diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx index 075b543601489a..4c885560a237f1 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx @@ -54,7 +54,7 @@ If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, 13. Select **Next**. -14. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. +14. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. 15. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx index 175acfcaad79a9..bfbbc0d9b8cd18 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx 
@@ -25,7 +25,7 @@ This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/graf 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**. 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application. -11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. 12. Save the application. ## 2. Add a SSO provider to Grafana Cloud diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx index c0e01fb1d7ad00..b2a0fbad297b00 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx 
@@ -29,7 +29,7 @@ You can also configure OIDC SSO for Grafana using a [configuration file](https:/ 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**. 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application. -11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. 12. Save the application. ## 2. Add a SSO provider to Grafana diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx index 7f8f7973aca8e0..ed1cde2a450878 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx 
@@ -32,7 +32,7 @@ This guide covers how to configure [Salesforce](https://help.salesforce.com/s/ar - **Token endpoint** - **User info endpoint** 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application. -11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.my.salesforce.com`. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.my.salesforce.com`. 12. Save the application. ## 2. Add a SSO provider to Salesforce diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx index 6700b0693198f8..71560831184cc4 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx 
@@ -25,7 +25,7 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the **Client secret** and **Client ID**. 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application. -11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.service-now.com`. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.service-now.com`. 12. Save the application. ## 2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx index 1c2a00196619c5..6e013e3bab32f2 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx 
@@ -102,7 +102,7 @@ To view all available filters, type `warp-cli target list --help`. ## Revoke a user's session -To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/team-and-resources/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. +To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/access-controls/access-settings/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. ## Infrastructure policy selectors diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx index a13ee739bd3f50..b7a9cf2ba68eb6 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx @@ -27,7 +27,7 @@ To create a private network application: If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/traffic-policies/network-policies/) using the **Destination IP** selector. ::: -6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo. +6. Configure your [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) visibility and logo. 7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access. 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 611a6d0e175b4b..5e4d417d50c595 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx @@ -45,7 +45,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce 9. Select **Next**. -10. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. +10. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. 11. diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx index 897af80ae2bc72..d7ab0453e86219 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx 
@@ -133,7 +133,7 @@ To require only one country and one email ending: When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/), [self-hosted](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/access-controls/applications/non-http/) applications. -Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/team-and-resources/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership. +Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/access-controls/access-settings/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership. | Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? | | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ | 
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx index 913a3bf26be626..e9c12cdb891a6a 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx @@ -17,7 +17,7 @@ To create a reusable Access policy: 2. Select **Add a policy**. 3. Enter a **Policy name**. 4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy. -5. Choose a [**Session duration**](/cloudflare-one/team-and-resources/users/session-management/) for the policy. +5. Choose a [**Session duration**](/cloudflare-one/access-controls/access-settings/session-management/) for the policy. 6. Configure as many [**Rules**](/cloudflare-one/access-controls/policies/#rule-types) as needed. 7. (Optional) Configure additional settings for users who match this policy: - [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/). @@ -25,7 +25,7 @@ To create a reusable Access policy: - [Temporary authentication](/cloudflare-one/access-controls/policies/temporary-auth/) 8. Select **Save**. -You can now add this policy to an [Access application](/cloudflare-one/applications/). +You can now add this policy to an [Access application](/cloudflare-one/access-controls/applications/http-apps/). ## Edit a policy 
@@ -48,7 +48,7 @@ To delete a reusable Access policy: ## Test your policies -You can test your Access policies against all existing user identities in your Zero Trust organization. For the policy tester to work, users must have logged into the [App Launcher](/cloudflare-one/applications/app-launcher/) or any other Access application at some point in time. +You can test your Access policies against all existing user identities in your Zero Trust organization. For the policy tester to work, users must have logged into the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) or any other Access application at some point in time. Cloudflare will use the most recent device that was authenticated with Access to test your policies. diff --git a/src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx b/src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx index 18cededb5f144f..e6e2ea38de67bd 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx @@ -17,7 +17,7 @@ With Cloudflare Access, you can require that users obtain approval before they c 5. Turn on **Temporary authentication**. 6. Enter the **Email addresses of the approvers**. :::note - Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/applications/app-launcher/). + Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/access-controls/access-settings/app-launcher/). ::: 7. Save the policy. diff --git a/src/content/docs/cloudflare-one/applications/index.mdx b/src/content/docs/cloudflare-one/applications/index.mdx deleted file mode 100644 index 115d98656b1ae7..00000000000000 
--- a/src/content/docs/cloudflare-one/applications/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -pcx_content_type: navigation -title: Applications -sidebar: - order: 6 ---- - -import { DirectoryListing, Render } from "~/components"; - -Cloudflare Zero Trust can secure self-hosted and SaaS applications with Zero Trust rules. - -Learn how to secure your applications, and how to configure one dashboard for your users to reach all the applications you've secured behind Cloudflare Zero Trust: - - - -Refer to our [reference architecture](/reference-architecture/architectures/sase/) for an understanding on how to architect a Zero Trust and SASE solution. diff --git a/src/content/docs/cloudflare-one/faq/authentication-faq.mdx b/src/content/docs/cloudflare-one/faq/authentication-faq.mdx index cd5a0d9798d49b..d99fc324b06748 100644 --- a/src/content/docs/cloudflare-one/faq/authentication-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/authentication-faq.mdx @@ -33,4 +33,4 @@ To log out of an App Launcher session, go to: `.cloudflareaccess.com/cdn-cgi/access/logout` -For more information, refer to our [session management page](/cloudflare-one/team-and-resources/users/session-management/#log-out-as-a-user). +For more information, refer to our [session management page](/cloudflare-one/access-controls/access-settings/session-management/#log-out-as-a-user). diff --git a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx index e4eebd7ee79ae1..21c6e8c8884c63 100644 --- a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx 
@@ -16,7 +16,7 @@ You can sign up today at [this link](https://one.dash.cloudflare.com). Follow th ## What is a team domain/team name? -Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `.cloudflareaccess.com`. [Setting up a team domain](/cloudflare-one/setup/#create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](/cloudflare-one/applications/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in Zero Trust under **Settings** > **Custom Pages**. +Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `.cloudflareaccess.com`. [Setting up a team domain](/cloudflare-one/setup/#create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in Zero Trust under **Settings** > **Custom Pages**. | team name | team domain | | ---------------- | --------------------------------------- | diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx index e0e5852e7c1e22..4e0b8fb55b4797 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx 
@@ -36,19 +36,19 @@ The following Access cookies are essential to Access functionality. Cookies that | Details | Expiration | HttpOnly | SameSite | Required? | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | -| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/team-and-resources/users/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/team-and-resources/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | +| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/access-controls/access-settings/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | ### CF_Authorization (Access application domain) | Details | Expiration | HttpOnly | SameSite | Required? | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | -| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/team-and-resources/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/team-and-resources/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | +| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | ### CF_Binding | Details | Expiration | HttpOnly | SameSite | Required? | | ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | -| Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/team-and-resources/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/team-and-resources/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | +| Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | ### CF_Session diff --git a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx index dbce6bd833fb4d..fc9f3e5318c907 100644 --- a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx +++ b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx @@ -19,7 +19,7 @@ To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP ### 1. Review applications -The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](/cloudflare-one/applications/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard. +The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](/cloudflare-one/team-and-resources/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard. 
@@ -55,7 +55,7 @@ To create an HTTP status policy directly from Shadow IT Discovery: The Shadow IT SaaS analytics dashboard includes several insights to help you monitor and manage SaaS application usage. -- **Number of applications by status**: A breakdown of how many applications have been categorized into each [approval status](#1-review-applications). The list of applications is available in the [App Library](/cloudflare-one/applications/app-library/). +- **Number of applications by status**: A breakdown of how many applications have been categorized into each [approval status](#1-review-applications). The list of applications is available in the [App Library](/cloudflare-one/team-and-resources/app-library/). - **Data uploaded per application status**: A time-series graph showing the amount of data (in gigabytes) uploaded to an application in the given status. - **Data downloaded per application status**: A time-series graph showing the amount of data (in gigabytes) downloaded from an application in the given status. - **User count per application status**: A time-series graph showing the number of users who have interacted with at least one application in a given status. For example, a user can use an **Approved** application shortly followed by an **In review** application, contributing to counts for both of those statuses. diff --git a/src/content/docs/cloudflare-one/insights/logs/users.mdx b/src/content/docs/cloudflare-one/insights/logs/users.mdx index 52aaa3da7ec178..924358982b41d7 100644 --- a/src/content/docs/cloudflare-one/insights/logs/users.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/users.mdx 
@@ -12,11 +12,11 @@ User logs show a list of all users who have authenticated to Cloudflare Zero Tru ## View user logs -In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Users**. This page lists all users who have registered the WARP client or authenticated to a Cloudflare Access application. You can select a user's name to view detailed logs, [revoke their session](/cloudflare-one/team-and-resources/users/session-management/#revoke-user-sessions), or [remove their seat](/cloudflare-one/team-and-resources/users/seat-management/). +In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Users**. This page lists all users who have registered the WARP client or authenticated to a Cloudflare Access application. You can select a user's name to view detailed logs, [revoke their session](/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions), or [remove their seat](/cloudflare-one/team-and-resources/users/seat-management/). ### Available logs * **User Registry identity**: Select the user's name to view their last seen identity. This identity is used to evaluate Gateway policies and WARP [device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/). A refresh occurs when the user re-authenticates WARP, logs into an Access application, or has their IdP group membership updated via SCIM provisioning. To track how the user's identity has changed over time, go to the **Audit logs** tab. -* **Session identities**: The user's active sessions, the identity used to authenticate each session, and when each session will [expire](/cloudflare-one/team-and-resources/users/session-management/). +* **Session identities**: The user's active sessions, the identity used to authenticate each session, and when each session will [expire](/cloudflare-one/access-controls/access-settings/session-management/). * **Devices**: Devices registered to the user via WARP. 
* **Recent activities**: The user's five most recent Access login attempts. For more details, refer to your [authentication audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). diff --git a/src/content/docs/cloudflare-one/insights/risk-score.mdx b/src/content/docs/cloudflare-one/insights/risk-score.mdx index ea2967d1d116a1..d0647490d06528 100644 --- a/src/content/docs/cloudflare-one/insights/risk-score.mdx +++ b/src/content/docs/cloudflare-one/insights/risk-score.mdx 
@@ -52,7 +52,7 @@ By default, all predefined behaviors are disabled. When a behavior is enabled, Z | Risk behaviors | Requirements | Description | | -------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Impossible travel | [A configured Access application](/cloudflare-one/applications/) | User has a successful login from two different locations that they could not have traveled between in that period of time. Matches will appear in your [Access audit logs](/cloudflare-one/insights/logs/audit-logs/). | +| Impossible travel | [A configured Access application](/cloudflare-one/access-controls/applications/http-apps/) | User has a successful login from two different locations that they could not have traveled between in that period of time. Matches will appear in your [Access audit logs](/cloudflare-one/insights/logs/audit-logs/). | | High number of DLP policies triggered | [A configured DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/) | User has created a high number of DLP policy matches within a narrow frame of time. Matches will appear in your [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/). | | SentinelOne threat detected on machine | [SentinelOne service provider integration](/cloudflare-one/integrations/service-providers/sentinelone/) | SentinelOne returns one or more configured [device posture attributes](/cloudflare-one/integrations/service-providers/sentinelone/#device-posture-attributes) for a user. | 
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx
index 184411dc95cd7a..1f8e7527a7bb57 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx
@@ -12,7 +12,7 @@ Users can connect to an RDP server without installing an RDP client or the [WARP There are two ways for users to [reach the RDP server in their browser](#4-connect-as-a-user): -- **App Launcher (recommended)**: Users can log in to the [Access App Launcher](/cloudflare-one/applications/app-launcher/) with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server. +- **App Launcher (recommended)**: Users can log in to the [Access App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server. - **Direct URL**: A user may also navigate directly to the Windows server at `https:///rdp///`, where `vnet-id` is the virtual network assigned to the Cloudflare Tunnel route. The authentication flow is the same as for the App Launcher; first users must log in to Cloudflare Access and then use their Windows credentials to authenticate to the Windows machine. Browser-based RDP can be used in conjunction with [routing over WARP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-warp-to-tunnel/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method. 
@@ -117,10 +117,10 @@ Ensure that only **Allow** or **Block** policies are present. **Bypass** and **S 14. Select **Next**. -15. (Recommended) Turn on **Show application in App Launcher** and configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL. +15. (Recommended) Turn on **Show application in App Launcher** and configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL. :::note - Ensure that users match an Allow rule in your [App Launcher policies](/cloudflare-one/applications/app-launcher/#enable-the-app-launcher). + Ensure that users match an Allow rule in your [App Launcher policies](/cloudflare-one/access-controls/access-settings/app-launcher/#enable-the-app-launcher). ::: 16. diff --git a/src/content/docs/cloudflare-one/applications/app-library.mdx b/src/content/docs/cloudflare-one/team-and-resources/app-library.mdx similarity index 99% rename from src/content/docs/cloudflare-one/applications/app-library.mdx rename to src/content/docs/cloudflare-one/team-and-resources/app-library.mdx index ab0edbb3ab9459..52c86d327ea949 100644 --- a/src/content/docs/cloudflare-one/applications/app-library.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/app-library.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Application Library sidebar: - order: 4 + order: 1 --- import { Render, GlossaryTooltip } from "~/components"; 
diff --git a/src/content/docs/cloudflare-one/team-and-resources/users/seat-management.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/seat-management.mdx index d2b9c9ef50a8c1..b4a3a3963ff35b 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/users/seat-management.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/users/seat-management.mdx @@ -11,7 +11,7 @@ The amount of seats available in your Zero Trust account depends on the amount o ## Authentication events -A user consumes a seat when they perform an authentication event. For Access, this is any Cloudflare Access authentication event, such as a login to the [App Launcher](/cloudflare-one/applications/app-launcher/) or an application. For Gateway, this is when any devices associated with the user connect to Zero Trust within the [specified period](#enable-seat-expiration). +A user consumes a seat when they perform an authentication event. For Access, this is any Cloudflare Access authentication event, such as a login to the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) or an application. For Gateway, this is when any devices associated with the user connect to Zero Trust within the [specified period](#enable-seat-expiration). If either one of these events occurs, that user's identity is added as an Active user to Zero Trust and consumes one seat from your plan. The user will occupy and consume a single seat regardless of the number of applications accessed or login events from their user account. Once the total amount of seats in the subscription has been consumed, additional users who attempt to log in are blocked. diff --git a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx index 9fda356aae1faa..e0f0cd367e52a4 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx 
+++ b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx @@ -18,7 +18,7 @@ Gateway allows you to create DNS, Network, and HTTP policies based on applicatio When you choose the _Application_ selector in a Gateway policy builder, the **Value** field will include all supported applications and their respective app types. Alternatively, you can use the [Gateway API](/api/resources/zero_trust/subresources/gateway/subresources/app_types/methods/list/) to fetch a list of applications, app types, and ID numbers. -To manage a consolidated list of applications across Zero Trust, you can use the [Application Library](/cloudflare-one/applications/app-library/). +To manage a consolidated list of applications across Zero Trust, you can use the [Application Library](/cloudflare-one/team-and-resources/app-library/). ## App types @@ -58,7 +58,7 @@ Applications categorized by Cloudflare may independently rely on a number of dif ### Hostnames -Hostnames are domains that are core to the application and not [used by other applications](#overlapping-hostnames). These are the domains that are specifically blocked when you block an application. The App Library surfaces these hostnames in the [Hostnames table](/cloudflare-one/applications/app-library/#overview) for an application. +Hostnames are domains that are core to the application and not [used by other applications](#overlapping-hostnames). These are the domains that are specifically blocked when you block an application. The App Library surfaces these hostnames in the [Hostnames table](/cloudflare-one/team-and-resources/app-library/#overview) for an application. ### Support hostnames 
@@ -86,7 +86,7 @@ To ensure Gateway evaluates traffic with your desired precedence, order your mos Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected. -When managing applications with the [Application Library](/cloudflare-one/applications/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. +When managing applications with the [Application Library](/cloudflare-one/team-and-resources/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. :::note[Install Cloudflare certificate manually to allow TLS decryption] Instead of creating a Do Not Inspect policy for an application, you may be able to configure the application to [trust a Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). Doing so will allow the application to function without losing visibility into your traffic. diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx index 2c07be759b575b..2b1d9beffc75ab 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx 
@@ -293,9 +293,9 @@ For more information on supported file types, refer to [Download and Upload File ## Isolate or block shadow IT applications -Isolate shadow IT applications discovered by the [Application Library](/cloudflare-one/applications/app-library/) that have not been reviewed yet or are currently under review, and block applications that are not approved by your organization. +Isolate shadow IT applications discovered by the [Application Library](/cloudflare-one/team-and-resources/app-library/) that have not been reviewed yet or are currently under review, and block applications that are not approved by your organization. -For more information on reviewing shadow IT applications, refer to [Review applications](/cloudflare-one/applications/app-library/#review-applications). +For more information on reviewing shadow IT applications, refer to [Review applications](/cloudflare-one/team-and-resources/app-library/#review-applications). ### 1. Isolate unreviewed or in review applications diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx index cb592e8eb54ce6..74c36d5d291d5e 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx 
@@ -402,7 +402,7 @@ Gateway matches HTTP traffic against the following selectors, or criteria: ### Application Approval Status -The review approval status of an application from [Shadow IT Discovery](/cloudflare-one/insights/analytics/shadow-it-discovery/) or the [Application Library](/cloudflare-one/applications/app-library/). For more information, refer to [Review applications](/cloudflare-one/applications/app-library/#review-applications). +The review approval status of an application from [Shadow IT Discovery](/cloudflare-one/insights/analytics/shadow-it-discovery/) or the [Application Library](/cloudflare-one/team-and-resources/app-library/). For more information, refer to [Review applications](/cloudflare-one/team-and-resources/app-library/#review-applications). | UI name | API example | | ------------------ | ------------------------------------ | diff --git a/src/content/docs/cloudflare-one/tutorials/cli.mdx b/src/content/docs/cloudflare-one/tutorials/cli.mdx index 53da6242299bcf..f01fc27c302667 100644 --- a/src/content/docs/cloudflare-one/tutorials/cli.mdx +++ b/src/content/docs/cloudflare-one/tutorials/cli.mdx @@ -39,7 +39,7 @@ If the browser window does not launch, you can use the unique URL that is automa 1. Once you have successfully authenticated, the browser returns the token to `cloudflared` in a cryptographic transfer and stores it. -The token is valid for the [session duration](/cloudflare-one/team-and-resources/users/session-management/) configured by the Access administrator. +The token is valid for the [session duration](/cloudflare-one/access-controls/access-settings/session-management/) configured by the Access administrator. ## Access your API diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx index 749f596eaba201..7058c18ad77984 100644 --- a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx 
+++ b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx @@ -60,9 +60,9 @@ If you are setting up the tunnel through the CLI instead ([locally-managed tunne ## 2. Create and configure Hyperdrive to connect to the Cloudflare Tunnel -To restrict access to the Cloudflare Tunnel to Hyperdrive, a [Cloudflare Access application](/cloudflare-one/applications/) must be configured with a [Policy](/cloudflare-one/traffic-policies/) that requires requests to contain a valid [Service Auth token](/cloudflare-one/access-controls/policies/#service-auth). +To restrict access to the Cloudflare Tunnel to Hyperdrive, a [Cloudflare Access application](/cloudflare-one/access-controls/applications/http-apps/) must be configured with a [Policy](/cloudflare-one/traffic-policies/) that requires requests to contain a valid [Service Auth token](/cloudflare-one/access-controls/policies/#service-auth). -The Cloudflare dashboard can automatically create and configure the underlying [Cloudflare Access application](/cloudflare-one/applications/), [Service Auth token](/cloudflare-one/access-controls/policies/#service-auth), and [Policy](/cloudflare-one/traffic-policies/) on your behalf. Alternatively, you can manually create the Access application and configure the Policies. +The Cloudflare dashboard can automatically create and configure the underlying [Cloudflare Access application](/cloudflare-one/access-controls/applications/http-apps/), [Service Auth token](/cloudflare-one/access-controls/policies/#service-auth), and [Policy](/cloudflare-one/traffic-policies/) on your behalf. Alternatively, you can manually create the Access application and configure the Policies.
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx index 0732886786c56f..16d05d749f4446 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx @@ -19,7 +19,7 @@ Access for SaaS integrates directly with your SaaS app using standard protocols ### SSO integrations -You can pair Access for SaaS with the [App Launcher](/cloudflare-one/applications/app-launcher/) to provide a full replacement to your organization's front door. +You can pair Access for SaaS with the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) to provide a full replacement to your organization's front door. :::note[SCIM provisioning limitation] diff --git a/src/content/partials/cloudflare-one/access/bookmarks.mdx b/src/content/partials/cloudflare-one/access/bookmarks.mdx index bafc089954328a..e79d224b145ac6 100644 --- a/src/content/partials/cloudflare-one/access/bookmarks.mdx +++ b/src/content/partials/cloudflare-one/access/bookmarks.mdx 
@@ -3,7 +3,7 @@ --- -With Cloudflare Zero Trust, you can show applications on the [App Launcher](/cloudflare-one/applications/app-launcher/) even if those applications are not secured behind Access. This way, users can access all the applications they need to work, all in one place — regardless of whether those applications are protected by Access. +With Cloudflare Zero Trust, you can show applications on the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) even if those applications are not secured behind Access. This way, users can access all the applications they need to work, all in one place — regardless of whether those applications are protected by Access. Links to applications not protected by Access can be added as bookmarks. To add a bookmark: diff --git a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx index 566ba1f699efe4..ea8d217047574a 100644 --- a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx +++ b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx 
@@ -14,11 +14,11 @@ import { Markdown } from "~/components" 4. (Optional) Configure the following settings: -* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/team-and-resources/users/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). +* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/access-controls/access-settings/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). * **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/team-and-resources/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in {props.idp}. * **SCIM identity update behavior**: Choose what happens in Zero Trust when the user's identity updates in {props.idp}. - _Automatic identity updates_: Automatically update the [User Registry identity](/cloudflare-one/insights/logs/users/) when {props.idp} sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and WARP [device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/); Access will read the user's updated identity when they reauthenticate. - - _Group membership change reauthentication_: [Revoke a user's active session](/cloudflare-one/team-and-resources/users/session-management/#per-user) when their group membership changes in {props.idp}. 
This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). Access will read the user's updated group membership when they reauthenticate. + - _Group membership change reauthentication_: [Revoke a user's active session](/cloudflare-one/access-controls/access-settings/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). Access will read the user's updated group membership when they reauthenticate. - _No action_: Update the user's identity the next time they reauthenticate to Access or WARP. 5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}. diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx index 2860de52f35ad3..b40e4edb0a64af 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx 
@@ -16,7 +16,7 @@ import { Render } from "~/components" 5. In **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire. - Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/team-and-resources/users/session-management/). + Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/access-controls/access-settings/session-management/). { props.private && ( diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx index b15c3bba7df9ec..351e44499ee181 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx @@ -21,7 +21,7 @@ import { Render } from "~/components" 11. Select **Next**. -12. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. +12. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. 13. diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx index ac412947ed3a64..1f73a0a13cfd29 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx 
@@ -2,4 +2,4 @@ {} --- -Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](/cloudflare-one/team-and-resources/users/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one. \ No newline at end of file +Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](/cloudflare-one/access-controls/access-settings/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/tags.mdx b/src/content/partials/cloudflare-one/access/tags.mdx index e3a58a2b4824ff..332dc4dfdad0e1 100644 --- a/src/content/partials/cloudflare-one/access/tags.mdx +++ b/src/content/partials/cloudflare-one/access/tags.mdx @@ -3,7 +3,7 @@ --- -You can label an Access application with up to 25 custom tags. End users can then filter the applications in their [App Launcher](/cloudflare-one/applications/app-launcher/) by their tags. +You can label an Access application with up to 25 custom tags. End users can then filter the applications in their [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) by their tags. ### Create a tag diff --git a/src/content/partials/cloudflare-one/warp/manually-reauth.mdx b/src/content/partials/cloudflare-one/warp/manually-reauth.mdx index 2b1c2100fdcd93..77582cb8d22f06 100644 --- a/src/content/partials/cloudflare-one/warp/manually-reauth.mdx +++ b/src/content/partials/cloudflare-one/warp/manually-reauth.mdx 
@@ -6,4 +6,4 @@ To manually refresh your Cloudflare Access session and update your group informa `https://.cloudflareaccess.com/cdn-cgi/access/refresh-identity` -Reauthenticating resets your [session duration](/cloudflare-one/team-and-resources/users/session-management/) and fetches the latest group information from the organization's IdP. \ No newline at end of file +Reauthenticating resets your [session duration](/cloudflare-one/access-controls/access-settings/session-management/) and fetches the latest group information from the organization's IdP. \ No newline at end of file diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx index 7472f504e4aab7..1e44f0f8ba6940 100644 --- a/src/content/partials/fundamentals/account-permissions-table.mdx +++ b/src/content/partials/fundamentals/account-permissions-table.mdx 
@@ -9,7 +9,7 @@ import { Markdown } from "~/components"; | Name | Description | | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | Access: Apps and Policies Read | Grants read access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications and policies | -| Access: Apps and Policies Revoke | Grants ability to revoke [Cloudflare Access application tokens](/cloudflare-one/team-and-resources/users/session-management/) | +| Access: Apps and Policies Revoke | Grants ability to revoke [Cloudflare Access application tokens](/cloudflare-one/access-controls/access-settings/session-management/) | | Access: Apps and Policies {props.editWord} | Grants write access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications and policies | | Access: Audit Logs Read | Grants read access to [Cloudflare Access audit logs](/cloudflare-one/insights/logs/audit-logs/). | | Access: Custom Pages Read | Grants read access to [Cloudflare Access custom block pages](/cloudflare-one/reusable-components/custom-pages/access-block-page/). |