Incorporated Peach’s feedback.

florence-crl · florence-crl · commit 6ec7c8c80449 · 2025-10-28T12:16:46.000-04:00
diff --git a/src/current/_includes/v25.4/performance/lease-preference-system-database.md b/src/current/_includes/v25.4/performance/lease-preference-system-database.md
@@ -6,7 +6,7 @@ ALTER DATABASE system CONFIGURE ZONE USING constraints = '{"+region=us-east1": 1
 ~~~
 
 {{site.data.alerts.callout_info}}
-Access to tables and built-in functions in the `system` database is controlled by the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals). However, the above `ALTER DATABASE system` statement executes regardless of the variable's setting because it does not access tables or invoke built-in functions.
+Access to tables and built-in functions in the `system` database is controlled by the [`allow_unsafe_internals` session variable]({% link {{ page.version.version }}/session-variables.md %}#allow-unsafe-internals). The above `ALTER DATABASE system` statement executes regardless of the variable's setting because it does not access tables or invoke built-in functions.
 {{site.data.alerts.end}}
 
 Run all subsequent schema changes from a node in the specified region.
diff --git a/src/current/v25.4/crdb-internal.md b/src/current/v25.4/crdb-internal.md
@@ -16,10 +16,10 @@ The `crdb_internal` [system catalog]({% link {{ page.version.version }}/system-c
 SET allow_unsafe_internals = off;
 ~~~
 
-With `allow_unsafe_internals` set to `off`, access only [`information_schema` tables]({% link {{ page.version.version }}/information-schema.md %}).
+With `allow_unsafe_internals` set to `off`, you should access only [`information_schema` tables]({% link {{ page.version.version }}/information-schema.md %}).
 
 {{site.data.alerts.callout_info}}
-If you need information that is not available through production-supported [`information_schema` tables]({% link {{ page.version.version }}/information-schema.md %}), work with your account team or contact [Cockroach Labs support](https://support.cockroachlabs.com).
+If you need information not available through production-supported [`information_schema` tables]({% link {{ page.version.version }}/information-schema.md %}), contact your account team or contact [Cockroach Labs support](https://support.cockroachlabs.com).
 {{site.data.alerts.end}}
 
 When `allow_unsafe_internals` is set to `off`, external sessions can still read allowlisted `crdb_internal` objects that are supported for production use (those marked ✓ in the table below). To access all other tables and built-in functions in `crdb_internal` and `system`, you must explicitly enable `allow_unsafe_internals` for the session.
@@ -31,7 +31,7 @@ SET allow_unsafe_internals = on;
 
 Some `SHOW commands`, such as [`SHOW DATABASES`]({% link {{ page.version.version }}/show-databases.md %}), and CockroachDB tools, such as the [DB Console]({% link {{ page.version.version }}/ui-overview.md %}) and [`cockroach debug zip`]({% link {{ page.version.version }}/cockroach-debug-zip.md %}), rely on internal queries that access restricted data. These commands and tools are designed to bypass the `allow_unsafe_internals` setting and continue to function even when direct access is disabled.
 
-CockroachDB emits [log events to the `SENSITIVE_ACCESS` channel]({% link {{ page.version.version }}/logging-use-cases.md %}#example-unsafe-internals) when a user overrides or is denied access to unsafe internals, creating a record of emergency access to system internals. Monitor these logs to ensure that neither workloads nor you and your users are unintentionally accessing unsafe internals.
+CockroachDB emits log events to the [`SENSITIVE_ACCESS` channel]({% link {{ page.version.version }}/logging-use-cases.md %}#example-unsafe-internals) when a user overrides or is denied access to unsafe internals, creating a record of emergency access to system internals. Monitor these logs to ensure that neither workloads nor you and your users are unintentionally accessing unsafe internals.
 
 {{site.data.alerts.callout_danger}}
 In a future release, the `allow_unsafe_internals` session variable will default to `off`. To prepare for this change and [assess potential downstream impacts]({% link {{ page.version.version }}/logging-use-cases.md %}#unsafe-internals-disabled) on your setup, set `allow_unsafe_internals` to `off` in a non-production environment.
diff --git a/src/current/v25.4/logging-use-cases.md b/src/current/v25.4/logging-use-cases.md
@@ -286,50 +286,50 @@ These events record both successful and denied attempts to access internal syste
 
 ##### Unsafe internals enabled
 
-This command enables access to unsafe internals for the user `allow_unsafe_internals_on`:
+This command enables access to unsafe internals for the user `can_access_unsafe_internals`:
 
 {% include_cached copy-clipboard.html %}
 ~~~ sql
-ALTER ROLE allow_unsafe_internals_on SET allow_unsafe_internals = on;
+ALTER ROLE can_access_unsafe_internals SET allow_unsafe_internals = on;
 ~~~
 
-When the user `allow_unsafe_internals_on` connects to a session and accesses an unsafe internal object, the event is logged:
+When the user `can_access_unsafe_internals` connects to a session and accesses an unsafe internal object, the event is logged:
 
 {% include_cached copy-clipboard.html %}
 ~~~ sql
 SELECT count(*) FROM crdb_internal.active_range_feeds;
 ~~~
 
-This `unsafe_internals_accessed` event indicates that the internal table `crdb_internal.active_range_feeds` was accessed by user `allow_unsafe_internals_on`, who issued a [`SELECT`]({% link {{ page.version.version }}/selection-queries.md %}) statement:
+This `unsafe_internals_accessed` event indicates that the internal table `crdb_internal.active_range_feeds` was accessed by user `can_access_unsafe_internals`, who issued a [`SELECT`]({% link {{ page.version.version }}/selection-queries.md %}) statement:
 
 ~~~
-W250930 19:51:01.128927 464484 8@util/log/event_log.go:90 ⋮ [T1,Vsystem,n1,client=127.0.0.1:65020,hostssl,user=‹allow_unsafe_internals_on›] 23 ={"Timestamp":1759261861128925000,"EventType":"unsafe_internals_accessed","Query":"SELECT count(*) FROM \"\".crdb_internal.active_range_feeds"}
+W250930 19:51:01.128927 464484 8@util/log/event_log.go:90 ⋮ [T1,Vsystem,n1,client=127.0.0.1:65020,hostssl,user=‹can_access_unsafe_internals›] 23 ={"Timestamp":1759261861128925000,"EventType":"unsafe_internals_accessed","Query":"SELECT count(*) FROM \"\".crdb_internal.active_range_feeds"}
 ~~~
 
 ##### Unsafe internals disabled
 
-To assess potential downstream impacts, disable `allow_unsafe_internals` in a test or staging environment. Monitoring tools or scripts that rely on these internals may be affected. `unsafe_internals_denied` events indentify which tools or scripts attempted to access these internals.
+To assess potential downstream impacts, disable `allow_unsafe_internals` in a test or staging environment. Monitoring tools or scripts that rely on these internals may be affected. `unsafe_internals_denied` events identify which tools or scripts attempted to access these internals.
 
 This example shows how to identify users denied access to unsafe internal tables.
 
-This command disables access to unsafe internals for the user `allow_unsafe_internals_off`:
+This command disables access to unsafe internals for the user `can_not_access_unsafe_internals`:
 
 {% include_cached copy-clipboard.html %}
 ~~~ sql
-ALTER ROLE allow_unsafe_internals_off SET allow_unsafe_internals = off;
+ALTER ROLE can_not_access_unsafe_internals SET allow_unsafe_internals = off;
 ~~~
 
-When the user `allow_unsafe_internals_off` connects to a session and attempts to access an unsafe internal object, the event is logged:
+When the user `can_not_access_unsafe_internals` connects to a session and attempts to access an unsafe internal object, the event is logged:
 
 {% include_cached copy-clipboard.html %}
 ~~~ sql
 SELECT count(*) FROM crdb_internal.active_range_feeds;
 ~~~
 
-This `unsafe_internals_denied` event indicates that access to the internal table `crdb_internal.active_range_feeds` was denied for the user `allow_unsafe_internals_off`, who issued a [`SELECT`]({% link {{ page.version.version }}/selection-queries.md %}) statement:
+This `unsafe_internals_denied` event indicates that access to the internal table `crdb_internal.active_range_feeds` was denied for the user `can_not_access_unsafe_internals`, who issued a [`SELECT`]({% link {{ page.version.version }}/selection-queries.md %}) statement:
 
 ~~~
-W250930 15:47:06.906181 122782 8@util/log/event_log.go:90 ⋮ [T1,Vsystem,n1,client=127.0.0.1:57104,hostssl,user=‹allow_unsafe_internals_off›] 18 ={"Timestamp":1759247226906172000,"EventType":"unsafe_internals_denied","Query":"SELECT count(*) FROM \"\".crdb_internal.active_range_feeds"}
+W250930 15:47:06.906181 122782 8@util/log/event_log.go:90 ⋮ [T1,Vsystem,n1,client=127.0.0.1:57104,hostssl,user=‹can_not_access_unsafe_internals›] 18 ={"Timestamp":1759247226906172000,"EventType":"unsafe_internals_denied","Query":"SELECT count(*) FROM \"\".crdb_internal.active_range_feeds"}
 ~~~
 
 - Preceding the `=` character is the `crdb-v2` event metadata. See the [reference documentation]({% link {{ page.version.version }}/log-formats.md %}#format-crdb-v2) for details on the fields.
