Users roles 2: just users (#520)

Author: shainaraskas

deploy-manage/deploy/cloud-enterprise/add-custom-bundles-plugins.md

@@ -0,0 +1,43 @@
+---
+applies_to:
+  deployment:
+    ece:
+---
+
+# Add plugins and extensions [ece-adding-plugins]
+
+Plugins extend the core functionality of {{es}}. {{ece}} makes it easy to add plugins to your deployment by providing a number of plugins that work with your version of {{es}}. One advantage of these plugins is that you generally don’t have to worry about upgrading plugins when upgrading to a new {{es}} version, unless there are breaking changes. The plugins are upgraded along with the rest of your deployment.
+
+Adding plugins to a deployment is as simple as selecting it from the list of available plugins, but different versions of {{es}} support different plugins. Plugins are available for different purposes, such as:
+
+* National language support, phonetic analysis, and extended unicode support
+* Ingesting attachments in common formats and ingesting information about the geographic location of IP addresses
+* Adding new field datatypes to {{es}}
+
+Additional plugins might be available. If a plugin is listed for your version of {{es}}, it can be used.
+
+You can also [create](asciidocalypse://elasticsearch/docs/extend/create-elasticsearch-plugins.md) and add custom plugins.
+
+To add plugins when creating a new deployment:
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md) and select **Create deployment**.
+2. Make your initial deployment selections, then select **Customize Deployment**.
+3. Beneath the {{es}} master node, expand the **Manage plugins and settings** caret.
+4. Select the plugins you want.
+5. Select **Create deployment**.
+
+The deployment spins up with the plugins installed.
+
+To add plugins to an existing deployment:
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. On the **Deployments** page, select your deployment.
+ 
+    Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
+
+3. From your deployment menu, go to the **Edit** page.
+4. Beneath the {{es}} master node, expand the **Manage plugins and settings** caret.
+5. Select the plugins that you want.
+6. Select **Save changes**.
+
+There is no downtime when adding plugins to highly available deployments. The deployment is updated with new nodes that have the plugins installed.

deploy-manage/deploy/cloud-enterprise/add-plugins.md

@@ -179,7 +179,7 @@ $$$azure-integration-azure-user-management$$$Is the {{ecloud}} Azure Native ISV
     :alt: Error message displayed in the {{ecloud}} console: To access the resource {resource-name}
     :::
 
-    Share deployment resources directly with other Azure users by [configuring Active Directory single sign-on with the {{es}} cluster](../../users-roles/cluster-or-deployment-auth/openid-connect.md#ec-securing-oidc-azure).
+    Share deployment resources directly with other Azure users by [configuring Active Directory single sign-on with the {{es}} cluster](/deploy-manage/users-roles/cluster-or-deployment-auth/oidc-examples.md#ec-securing-oidc-azure).
 
 
 $$$azure-integration-azure-rbac$$$Does {{ecloud}} Azure Native ISV Service support recently introduced {{ecloud}} RBAC capability?

deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md

@@ -102,7 +102,7 @@ $$$elasticsearch-pingTimeout$$$ `elasticsearch.pingTimeout`
 :   Time in milliseconds to wait for {{es}} to respond to pings. **Default: the value of the [`elasticsearch.requestTimeout`](#elasticsearch-requestTimeout) setting**
 
 $$$elasticsearch-requestHeadersWhitelist$$$ `elasticsearch.requestHeadersWhitelist`
-:   List of {{kib}} client-side headers to send to {{es}}. To send **no** client-side headers, set this value to [] (an empty list). Removing the `authorization` header from being whitelisted means that you cannot use [basic authentication](../../users-roles/cluster-or-deployment-auth/user-authentication.md#basic-authentication) in {{kib}}. **Default: `[ 'authorization', 'es-client-authentication' ]`**
+:   List of {{kib}} client-side headers to send to {{es}}. To send **no** client-side headers, set this value to [] (an empty list). Removing the `authorization` header from being whitelisted means that you cannot use [basic authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md) in {{kib}}. **Default: `[ 'authorization', 'es-client-authentication' ]`**
 
 $$$elasticsearch-requestTimeout$$$ `elasticsearch.requestTimeout`
 :   Time in milliseconds to wait for responses from the back end or {{es}}. This value must be a positive integer. **Default: `30000`**
@@ -524,4 +524,4 @@ $$$settings-explore-data-in-chart$$$ `xpack.discoverEnhanced.actions.exploreData
 :   Set this value to false to disable the Upgrade Assistant UI. **Default: true**
 
 `i18n.locale` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ess}}")
-:   Set this value to change the {{kib}} interface language. Valid locales are: `en`, `zh-CN`, `ja-JP`, `fr-FR`. **Default: `en`**
+:   Set this value to change the {{kib}} interface language. Valid locales are: `en`, `zh-CN`, `ja-JP`, `fr-FR`. **Default: `en`**

deploy-manage/deploy/self-managed/configure.md

@@ -202,6 +202,8 @@ toc:
               - file: deploy/cloud-enterprise/resize-deployment.md
                 children:
                   - file: deploy/cloud-enterprise/resource-overrides.md
+              - file: deploy/cloud-enterprise/add-plugins.md
+              - file: deploy/cloud-enterprise/add-custom-bundles-plugins.md
               - file: deploy/cloud-enterprise/manage-integrations-server.md
                 children:
                   - file: deploy/cloud-enterprise/switch-from-apm-to-integrations-server-payload.md
@@ -613,14 +615,23 @@ toc:
                   - file: users-roles/cluster-or-deployment-auth/kerberos.md
                   - file: users-roles/cluster-or-deployment-auth/ldap.md
                   - file: users-roles/cluster-or-deployment-auth/openid-connect.md
+                    children:
+                      - file: users-roles/cluster-or-deployment-auth/oidc-examples.md
                   - file: users-roles/cluster-or-deployment-auth/saml.md
+                    children:
+                      - file: users-roles/cluster-or-deployment-auth/saml-entra.md
                   - file: users-roles/cluster-or-deployment-auth/pki.md
                   - file: users-roles/cluster-or-deployment-auth/custom.md
               - file: users-roles/cluster-or-deployment-auth/built-in-users.md
-              - file: users-roles/cluster-or-deployment-auth/user-profiles.md
+                children: 
+                  - file: users-roles/cluster-or-deployment-auth/built-in-sm.md
+              - file: users-roles/cluster-or-deployment-auth/orchestrator-managed-users-overview.md
+                children:
+                  - file: users-roles/cluster-or-deployment-auth/manage-elastic-user-cloud.md
+                  - file: users-roles/cluster-or-deployment-auth/managed-credentials-eck.md
+              - file: users-roles/cluster-or-deployment-auth/kibana-authentication.md
               - file: users-roles/cluster-or-deployment-auth/access-agreement.md
               - file: users-roles/cluster-or-deployment-auth/anonymous-access.md
-              - file: users-roles/cluster-or-deployment-auth/manage-authentication-for-multiple-clusters.md
               - file: users-roles/cluster-or-deployment-auth/token-based-authentication-services.md
               - file: users-roles/cluster-or-deployment-auth/service-accounts.md
               - file: users-roles/cluster-or-deployment-auth/internal-users.md
@@ -629,8 +640,10 @@ toc:
                   - file: users-roles/cluster-or-deployment-auth/configure-operator-privileges.md
                   - file: users-roles/cluster-or-deployment-auth/operator-only-functionality.md
                   - file: users-roles/cluster-or-deployment-auth/operator-privileges-for-snapshot-restore.md
+              - file: users-roles/cluster-or-deployment-auth/user-profiles.md
               - file: users-roles/cluster-or-deployment-auth/looking-up-users-without-authentication.md
               - file: users-roles/cluster-or-deployment-auth/controlling-user-cache.md
+              - file: users-roles/cluster-or-deployment-auth/manage-authentication-for-multiple-clusters.md
           - file: users-roles/cluster-or-deployment-auth/user-roles.md
             children:
               - file: users-roles/cluster-or-deployment-auth/defining-roles.md

deploy-manage/toc.yml

@@ -0,0 +1,20 @@
+ldap
+:   Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. See [LDAP user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md).
+
+active_directory
+:   Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. See [Active Directory user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md).
+
+pki
+:   Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. See [PKI user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md).
+
+saml
+:   Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. See [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md).
+
+kerberos
+:   Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. See [Kerberos authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md).
+
+oidc
+:   Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. See [Configuring single sign-on to the {{stack}} using OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md).
+
+jwt
+:   Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. See [JWT authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md).

deploy-manage/users-roles/_snippets/external-realms.md

@@ -0,0 +1,5 @@
+native
+:   Users are stored in a dedicated {{es}} index. This realm supports an authentication token in the form of username and password, and is available by default when no realms are explicitly configured. Users are managed through {{kib}}, or using [user management APIs](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-security). See [Native user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/native.md).
+
+file
+:   Users are defined in files stored on each node in the {{es}} cluster. This realm supports an authentication token in the form of username and password and is always available. See [File-based user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md). Available for {{eck}} and self-managed deployments only.

deploy-manage/users-roles/_snippets/internal-realms.md

@@ -1,7 +1,8 @@
 ---
 navigation_title: "ECE orchestrator"
-applies:
-  ece: all
+applies_to:
+  deployment:
+    ece: all
 ---
 
 # Elastic Cloud Enterprise orchestrator users