Users and roles: Overviews, cloud org, project custom roles (#340)

Author: shainaraskas

deploy-manage/toc.yml

@@ -594,6 +594,14 @@ toc:
           - file: security/fips-140-2.md
   - file: users-roles.md
     children:
+      - file: users-roles/cloud-organization.md
+        children:
+          - file: users-roles/cloud-organization/manage-users.md
+          - file: users-roles/cloud-organization/user-roles.md
+          - file: users-roles/cloud-organization/configure-saml-authentication.md
+            children:
+              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md
+              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md
       - file: users-roles/cloud-enterprise-orchestrator.md
         children:
           - file: users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md
@@ -604,14 +612,7 @@ toc:
               - file: users-roles/cloud-enterprise-orchestrator/ldap.md
               - file: users-roles/cloud-enterprise-orchestrator/saml.md
           - file: users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md
-      - file: users-roles/cloud-organization.md
-        children:
-          - file: users-roles/cloud-organization/manage-users.md
-          - file: users-roles/cloud-organization/user-roles.md
-          - file: users-roles/cloud-organization/configure-saml-authentication.md
-            children:
-              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md
-              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md
+      - file: users-roles/custom-roles.md
       - file: users-roles/cluster-or-deployment-auth.md
         children:
           - file: users-roles/cluster-or-deployment-auth/quickstart.md

deploy-manage/users-roles.md

@@ -1,20 +1,129 @@
 ---
-navigation_title: "Access"
+navigation_title: "Users and roles"
 mapped_pages:
   - https://www.elastic.co/guide/en/serverless/current/project-settings-access.html
+applies:
+  serverless: all
+  hosted: all
+  ece: all
+  eck: all
+  stack: all
 ---
 
+# Manage users and roles
 
+To prevent unauthorized access to your Elastic resources, you need a way to identify users and validate that a user is who they claim to be (*authentication*), and control what data users can access and what tasks they can perform (*authorization*).
 
-# Manage users and roles [project-settings-access]
+The methods that you use to authenticate users and control access depends on the way Elastic is deployed. 
 
+::::{note}
+Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following:
+ 
+* Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md). 
+* Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-endpoints.md), as well as [encrypting your data at rest](/deploy-manage/security/encrypt-deployment.md).
+* Maintain an [audit trail](/deploy-manage/monitor/logging-configuration/security-event-audit-logging.md) for security-related events.
+* Control access to dashboards and other saved objects in your UI using [{{kib}} spaces](/deploy-manage/manage-spaces.md). 
+* Connect your cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable cross-cluster replication and search.
+* Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic.
+::::
 
-Go to **Project settings**, then ** Management** to manage your indices, data views, saved objects, settings, and more. You can also open Management by using the [global search field](../explore-analyze/find-and-organize/find-apps-and-objects.md).
+## Cloud organization level
 
-Access to individual features is governed by Elastic user roles. Consult your administrator if you do not have the appropriate access. To learn more about roles, refer to [Assign user roles and privileges](users-roles/cloud-organization/manage-users.md#general-assign-user-roles).
+:::{applies}
+:hosted: all
+:serverless: all
+:::
 
-| Feature | Description | Available in |
-| --- | --- | --- |
-| [Organization members](api-keys/serverless-project-api-keys.md) | Invite and manage your team’s access to your organization. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Observability](../images/serverless-obs-badge.svg "")](../solutions/observability.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) |
-| [Project API keys](api-keys/serverless-project-api-keys.md) | Create and manage keys that can interact with your project’s data. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Observability](../images/serverless-obs-badge.svg "")](../solutions/observability.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) |
-| [Custom roles](users-roles/cloud-organization/user-roles.md) | Create and manage custom roles for your users. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) |
+If you’re using {{ecloud}}, then you can perform the following tasks to control access to your Cloud organization, your Cloud Hosted deployments, and your Cloud Serverless projects:
+
+* [Invite users to join your organization](/deploy-manage/users-roles/cloud-organization/manage-users.md)
+* Assign [user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md): 
+  * Manage organization-level roles and high-level access to deployments and projects. 
+  * Assign project-level roles and [create custom roles](/deploy-manage/users-roles/custom-roles.md). ({{serverless-short}} only)
+* Configure [SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) for your organization
+
+::::{tip}
+For {{ech}} deployments, you can configure SSO at the organization level, the deployment level, or both. Refer to [Cloud organization users](/deploy-manage/users-roles/cloud-organization.md#organization-deployment-sso) for more information.
+::::
+
+{{ech}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md). Cluster-level auth features are not available for {{serverless-full}}.
+
+## Orchestrator level
+
+:::{applies}
+:ece: all
+:::
+
+Control access to your {{ece}} [orchestrator](/deploy-manage/deploy/cloud-enterprise/deploy-an-orchestrator.md) and deployments. 
+
+* [Manage passwords for default users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md)
+* [Manage orchestrator users and roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md):
+  * [Using native users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/native-user-authentication.md)
+  * By integrating with external authentication providers:
+    * [Active Directory](/deploy-manage/users-roles/cloud-enterprise-orchestrator/active-directory.md)
+    * [LDAP](/deploy-manage/users-roles/cloud-enterprise-orchestrator/ldap.md)
+    * [SAML](/deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md)
+* [Configure single sign-on to deployments](/deploy-manage/users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md) for orchestrator users
+
+  ::::{tip}
+  For {{ece}} deployments, you can configure SSO at the orchestrator level, the deployment level, or both.
+  ::::
+
+{{ece}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
+
+:::{note}
+You can't manage users and roles for {{eck}} clusters at the orchestrator level. {{eck}} deployments use cluster-level authentication and authorization only.
+:::
+
+## Project level
+
+:::{applies}
+:serverless: all
+:::
+
+As an extension of the [predefined instance access roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_instance_access_roles) offered for {{serverless-short}} projects, you can create custom roles at the project level to provide more granular control, and provide users with only the access they need within specific projects.
+
+[Learn more about custom roles for {{serverless-full}} projects](/deploy-manage/users-roles/custom-roles.md).
+
+## Cluster or deployment level
+
+:::{applies}
+:ece: all
+:hosted: all
+:eck: all
+:stack: all
+:::
+
+Set up authentication and authorization at the cluster or deployment level, and learn about the underlying security technologies that Elasticsearch uses to authenticate and authorize requests internally and across services.
+
+### User authentication
+
+Set up methods to identify users to the Elasticsearch cluster.
+
+Key tasks for managing user authentication include:
+
+* [Managing default users](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md)
+* [Managing users natively](/deploy-manage/users-roles/cluster-or-deployment-auth/native.md)
+* [Integrating with external authentication providers](/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md)
+
+You can also learn the basics of Elasticsearch authentication, learn about accounts used to communicate within an Elasticsearch cluster and across services, and perform advanced tasks.
+
+[View all user authentication docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md)
+
+### User authorization
+
+After a user is authenticated, use role-based access control to determine whether the user behind an incoming request is allowed to execute the request.
+
+Key tasks for managing user authorization include: 
+
+* Assigning [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or [defining your own](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md)
+* [Mapping users and groups to roles](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md)
+* [Setting up field- and document-level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md)
+
+You can also learn the basics of Elasticsearch authorization, and perform advanced tasks.
+
+::::{tip}
+User roles are also used to control access to [{{kib}} spaces](/deploy-manage/manage-spaces.md).
+:::: 
+
+[View all user authorization docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md)

deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md

@@ -0,0 +1,14 @@
+For {{ech}} deployments, you can configure SSO at the [organization level](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md), the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md), or both. 
+
+The option that you choose depends on your requirements:
+
+| Consideration | Organization-level | Deployment-level |
+| --- | --- | --- |
+| **Management experience** | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually |
+| **Authentication protocols** | SAML only | Multiple protocols, including LDAP, OIDC, and SAML |
+| **Role mapping** | [Organization-level roles and instance access roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), Serverless project [custom roles](https://docs.elastic.co/serverless/custom-roles.md) | [Built-in](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) and [custom](../../../deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) stack-level roles |
+| **User experience** | Users interact with Cloud | Users interact with the deployment directly |
+
+If you want to avoid exposing users to the {{ecloud}} Console, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly.
+
+In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment.

deploy-manage/users-roles/cloud-enterprise-orchestrator.md

@@ -1,7 +1,24 @@
+---
+navigation_title: "ECE orchestrator"
+applies:
+  ece: all
+---
+
 # Elastic Cloud Enterprise orchestrator users
 
-% What needs to be done: Write from scratch
+Control access to your {{ece}} [orchestrator](/deploy-manage/deploy/cloud-enterprise/deploy-an-orchestrator.md) and deployments. 
+
+* [Manage passwords for default users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md)
+* [Manage orchestrator users and roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md):
+  * [Using native users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/native-user-authentication.md)
+  * By integrating with external authentication providers:
+    * [Active Directory](/deploy-manage/users-roles/cloud-enterprise-orchestrator/active-directory.md)
+    * [LDAP](/deploy-manage/users-roles/cloud-enterprise-orchestrator/ldap.md)
+    * [SAML](/deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md)
+* [Configure single sign-on to deployments](/deploy-manage/users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md) for orchestrator users
 
-% GitHub issue: https://github.com/elastic/docs-projects/issues/347
+  ::::{tip}
+  For {{ece}} deployments, you can configure SSO at the orchestrator level, the deployment level, or both.
+  ::::
 
-⚠️ **This page is a work in progress.** ⚠️
+{{ece}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md).

deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md

@@ -50,5 +50,5 @@ To reset the password for the `admin` user if no secrets file exists:
 bash elastic-cloud-enterprise.sh reset-adminconsole-password
 ```
 
-For additional usage examples, check [`elastic-cloud-enterprise.sh reset-adminconsole-password` Reference](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-installation-script-reset.html).
+For additional usage examples, check [`elastic-cloud-enterprise.sh reset-adminconsole-password` Reference](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-installation-script-reset.md).
 

deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md

@@ -23,14 +23,14 @@ Implementing RBAC in your environment benefits you in several ways:
 
 
 ::::{important}
-With RBAC, interacting with API endpoints now requires a [bearer token](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-api-command-line.html) or [API key](../../api-keys/elastic-cloud-enterprise-api-keys.md#ece-api-keys).
+With RBAC, interacting with API endpoints now requires a [bearer token](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-api-command-line.md) or [API key](../../api-keys/elastic-cloud-enterprise-api-keys.md#ece-api-keys).
 ::::
 
 
 
 ## Before you begin [ece_before_you_begin_8]
 
-To prepare for RBAC, you should review the Elastic Cloud Enterprise [limitations and known issues](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-limitations.html).
+To prepare for RBAC, you should review the Elastic Cloud Enterprise [limitations and known issues](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-limitations.md).
 
 
 ## Available roles and permissions [ece-user-role-permissions]

deploy-manage/users-roles/cloud-organization.md

@@ -1,19 +1,33 @@
 ---
+navigation_title: "Cloud organization"
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud/current/ec-organizations.html
+applies:
+  serverless: all
+  hosted: all
 ---
 
 # Cloud organization users [ec-organizations]
 
-When you sign up to Elastic Cloud, you create an organization.
+When you sign up to {{ecloud}}, you create an organization. This organization is the umbrella for all of your {{ecloud}} resources, users, and account settings. Every organization has a unique identifier.
 
-This organization is the umbrella for all of your Elastic Cloud resources, users, and account settings. Every organization has a unique identifier. Bills are invoiced according to the billing contact and details that you set for your organization.
+You can perform the following tasks to control access to your Cloud organization, your {{ech}} deployments, and your {{serverless-full}} projects:
 
-From the Organization page, you can:
+* [Manage users](/deploy-manage/users-roles/cloud-organization/manage-users.md): Invite users to join your organization and manage existing users.
+* Assign [user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md): 
+  * Manage organization-level roles and high-level access to deployments and projects. 
+  * If you have {{serverless-full}} projects, assign project-level roles and create custom roles.
+* Configure [SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) for your organization.
 
-* [Manage members of your organization](cloud-organization/manage-users.md)
-* [Leave an organization](cloud-organization/manage-users.md#ec-leave-organization)
-* [Assign user roles and privileges](cloud-organization/user-roles.md)
-* [Create API keys for using the Elastic Cloud API](../api-keys/elastic-cloud-api-keys.md#ec-api-keys)
-* [Configure SAML single sign-on for your organization](cloud-organization/configure-saml-authentication.md)
+:::{tip}
+If you're using {{ech}}, then you can also manage users and control access [at the deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
+:::
 
+## Should I use organization-level or deployment-level SSO? [organization-deployment-sso] 
+
+:::{applies}
+:hosted: all
+:::
+
+:::{include} _snippets/org-vs-deploy-sso.md
+:::