diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index d54232ee1c..e869e0adda 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -594,6 +594,14 @@ toc: - file: security/fips-140-2.md - file: users-roles.md children: + - file: users-roles/cloud-organization.md + children: + - file: users-roles/cloud-organization/manage-users.md + - file: users-roles/cloud-organization/user-roles.md + - file: users-roles/cloud-organization/configure-saml-authentication.md + children: + - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md + - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md - file: users-roles/cloud-enterprise-orchestrator.md children: - file: users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md @@ -604,14 +612,7 @@ toc: - file: users-roles/cloud-enterprise-orchestrator/ldap.md - file: users-roles/cloud-enterprise-orchestrator/saml.md - file: users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md - - file: users-roles/cloud-organization.md - children: - - file: users-roles/cloud-organization/manage-users.md - - file: users-roles/cloud-organization/user-roles.md - - file: users-roles/cloud-organization/configure-saml-authentication.md - children: - - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md - - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md + - file: users-roles/custom-roles.md - file: users-roles/cluster-or-deployment-auth.md children: - file: users-roles/cluster-or-deployment-auth/quickstart.md diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md index 7f7a88511e..ea35a8fd9c 100644 --- a/deploy-manage/users-roles.md +++ b/deploy-manage/users-roles.md 
@@ -1,20 +1,129 @@ --- -navigation_title: "Access" +navigation_title: "Users and roles" mapped_pages: - https://www.elastic.co/guide/en/serverless/current/project-settings-access.html +applies: + serverless: all + hosted: all + ece: all + eck: all + stack: all --- +# Manage users and roles +To prevent unauthorized access to your Elastic resources, you need a way to identify users and validate that a user is who they claim to be (*authentication*), and control what data users can access and what tasks they can perform (*authorization*). -# Manage users and roles [project-settings-access] +The methods that you use to authenticate users and control access depends on the way Elastic is deployed. +::::{note} +Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following: + +* Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md). +* Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-endpoints.md), as well as [encrypting your data at rest](/deploy-manage/security/encrypt-deployment.md). +* Maintain an [audit trail](/deploy-manage/monitor/logging-configuration/security-event-audit-logging.md) for security-related events. +* Control access to dashboards and other saved objects in your UI using [{{kib}} spaces](/deploy-manage/manage-spaces.md). +* Connect your cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable cross-cluster replication and search. +* Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic. +:::: -Go to **Project settings**, then ** Management** to manage your indices, data views, saved objects, settings, and more. You can also open Management by using the [global search field](../explore-analyze/find-and-organize/find-apps-and-objects.md). 
+## Cloud organization level -Access to individual features is governed by Elastic user roles. Consult your administrator if you do not have the appropriate access. To learn more about roles, refer to [Assign user roles and privileges](users-roles/cloud-organization/manage-users.md#general-assign-user-roles). +:::{applies} +:hosted: all +:serverless: all +::: -| Feature | Description | Available in | -| --- | --- | --- | -| [Organization members](api-keys/serverless-project-api-keys.md) | Invite and manage your team’s access to your organization. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Observability](../images/serverless-obs-badge.svg "")](../solutions/observability.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) | -| [Project API keys](api-keys/serverless-project-api-keys.md) | Create and manage keys that can interact with your project’s data. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Observability](../images/serverless-obs-badge.svg "")](../solutions/observability.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) | -| [Custom roles](users-roles/cloud-organization/user-roles.md) | Create and manage custom roles for your users. 
| [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) | +If you’re using {{ecloud}}, then you can perform the following tasks to control access to your Cloud organization, your Cloud Hosted deployments, and your Cloud Serverless projects: + +* [Invite users to join your organization](/deploy-manage/users-roles/cloud-organization/manage-users.md) +* Assign [user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md): + * Manage organization-level roles and high-level access to deployments and projects. + * Assign project-level roles and [create custom roles](/deploy-manage/users-roles/custom-roles.md). ({{serverless-short}} only) +* Configure [SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) for your organization + +::::{tip} +For {{ech}} deployments, you can configure SSO at the organization level, the deployment level, or both. Refer to [Cloud organization users](/deploy-manage/users-roles/cloud-organization.md#organization-deployment-sso) for more information. +:::: + +{{ech}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md). Cluster-level auth features are not available for {{serverless-full}}. + +## Orchestrator level + +:::{applies} +:ece: all +::: + +Control access to your {{ece}} [orchestrator](/deploy-manage/deploy/cloud-enterprise/deploy-an-orchestrator.md) and deployments. 
+ +* [Manage passwords for default users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md) +* [Manage orchestrator users and roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md): + * [Using native users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/native-user-authentication.md) + * By integrating with external authentication providers: + * [Active Directory](/deploy-manage/users-roles/cloud-enterprise-orchestrator/active-directory.md) + * [LDAP](/deploy-manage/users-roles/cloud-enterprise-orchestrator/ldap.md) + * [SAML](/deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md) +* [Configure single sign-on to deployments](/deploy-manage/users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md) for orchestrator users + + ::::{tip} + For {{ece}} deployments, you can configure SSO at the orchestrator level, the deployment level, or both. + :::: + +{{ece}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md). + +:::{note} +You can't manage users and roles for {{eck}} clusters at the orchestrator level. {{eck}} deployments use cluster-level authentication and authorization only. +::: + +## Project level + +:::{applies} +:serverless: all +::: + +As an extension of the [predefined instance access roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_instance_access_roles) offered for {{serverless-short}} projects, you can create custom roles at the project level to provide more granular control, and provide users with only the access they need within specific projects. + +[Learn more about custom roles for {{serverless-full}} projects](/deploy-manage/users-roles/custom-roles.md). 
+ +## Cluster or deployment level + +:::{applies} +:ece: all +:hosted: all +:eck: all +:stack: all +::: + +Set up authentication and authorization at the cluster or deployment level, and learn about the underlying security technologies that Elasticsearch uses to authenticate and authorize requests internally and across services. + +### User authentication + +Set up methods to identify users to the Elasticsearch cluster. + +Key tasks for managing user authentication include: + +* [Managing default users](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) +* [Managing users natively](/deploy-manage/users-roles/cluster-or-deployment-auth/native.md) +* [Integrating with external authentication providers](/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md) + +You can also learn the basics of Elasticsearch authentication, learn about accounts used to communicate within an Elasticsearch cluster and across services, and perform advanced tasks. + +[View all user authentication docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md) + +### User authorization + +After a user is authenticated, use role-based access control to determine whether the user behind an incoming request is allowed to execute the request. + +Key tasks for managing user authorization include: + +* Assigning [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or [defining your own](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) +* [Mapping users and groups to roles](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) +* [Setting up field- and document-level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) + +You can also learn the basics of Elasticsearch authorization, and perform advanced tasks. 
+ +::::{tip} +User roles are also used to control access to [{{kib}} spaces](/deploy-manage/manage-spaces.md). +:::: + +[View all user authorization docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) diff --git a/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md b/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md new file mode 100644 index 0000000000..9fe33241ce --- /dev/null +++ b/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md 
@@ -0,0 +1,14 @@ +For {{ech}} deployments, you can configure SSO at the [organization level](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md), the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md), or both. + +The option that you choose depends on your requirements: + +| Consideration | Organization-level | Deployment-level | +| --- | --- | --- | +| **Management experience** | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually | +| **Authentication protocols** | SAML only | Multiple protocols, including LDAP, OIDC, and SAML | +| **Role mapping** | [Organization-level roles and instance access roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), Serverless project [custom roles](https://docs.elastic.co/serverless/custom-roles.md) | [Built-in](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) and [custom](../../../deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) stack-level roles | +| **User experience** | Users interact with Cloud | Users interact with the deployment directly | + +If you want to avoid exposing users to the {{ecloud}} Console, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly. + +In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment. \ No newline at end of file 
diff --git a/deploy-manage/users-roles/cloud-enterprise-orchestrator.md b/deploy-manage/users-roles/cloud-enterprise-orchestrator.md index 5fbaaf03dc..996a6c7116 100644 --- a/deploy-manage/users-roles/cloud-enterprise-orchestrator.md +++ b/deploy-manage/users-roles/cloud-enterprise-orchestrator.md @@ -1,7 +1,24 @@ +--- +navigation_title: "ECE orchestrator" +applies: + ece: all +--- + # Elastic Cloud Enterprise orchestrator users -% What needs to be done: Write from scratch +Control access to your {{ece}} [orchestrator](/deploy-manage/deploy/cloud-enterprise/deploy-an-orchestrator.md) and deployments. + +* [Manage passwords for default users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md) +* [Manage orchestrator users and roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md): + * [Using native users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/native-user-authentication.md) + * By integrating with external authentication providers: + * [Active Directory](/deploy-manage/users-roles/cloud-enterprise-orchestrator/active-directory.md) + * [LDAP](/deploy-manage/users-roles/cloud-enterprise-orchestrator/ldap.md) + * [SAML](/deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md) +* [Configure single sign-on to deployments](/deploy-manage/users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md) for orchestrator users -% GitHub issue: https://github.com/elastic/docs-projects/issues/347 + ::::{tip} + For {{ece}} deployments, you can configure SSO at the orchestrator level, the deployment level, or both. + :::: -⚠️ **This page is a work in progress.** ⚠️ \ No newline at end of file +{{ece}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md). \ No newline at end of file 
diff --git a/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md b/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md index e5dfd7941e..71a47a1825 100644 --- a/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md +++ b/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md @@ -50,5 +50,5 @@ To reset the password for the `admin` user if no secrets file exists: bash elastic-cloud-enterprise.sh reset-adminconsole-password ``` -For additional usage examples, check [`elastic-cloud-enterprise.sh reset-adminconsole-password` Reference](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-installation-script-reset.html). +For additional usage examples, check [`elastic-cloud-enterprise.sh reset-adminconsole-password` Reference](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-installation-script-reset.md). diff --git a/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md b/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md index 68097cad43..5501d13d6f 100644 --- a/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md +++ b/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md 
@@ -23,14 +23,14 @@ Implementing RBAC in your environment benefits you in several ways: ::::{important} -With RBAC, interacting with API endpoints now requires a [bearer token](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-api-command-line.html) or [API key](../../api-keys/elastic-cloud-enterprise-api-keys.md#ece-api-keys). +With RBAC, interacting with API endpoints now requires a [bearer token](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-api-command-line.md) or [API key](../../api-keys/elastic-cloud-enterprise-api-keys.md#ece-api-keys). :::: ## Before you begin [ece_before_you_begin_8] -To prepare for RBAC, you should review the Elastic Cloud Enterprise [limitations and known issues](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-limitations.html). +To prepare for RBAC, you should review the Elastic Cloud Enterprise [limitations and known issues](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-limitations.md). ## Available roles and permissions [ece-user-role-permissions] diff --git a/deploy-manage/users-roles/cloud-organization.md b/deploy-manage/users-roles/cloud-organization.md index f37cde0ad1..cee9d93962 100644 --- a/deploy-manage/users-roles/cloud-organization.md +++ b/deploy-manage/users-roles/cloud-organization.md 
@@ -1,19 +1,33 @@ --- +navigation_title: "Cloud organization" mapped_pages: - https://www.elastic.co/guide/en/cloud/current/ec-organizations.html +applies: + serverless: all + hosted: all --- # Cloud organization users [ec-organizations] -When you sign up to Elastic Cloud, you create an organization. +When you sign up to {{ecloud}}, you create an organization. This organization is the umbrella for all of your {{ecloud}} resources, users, and account settings. Every organization has a unique identifier. -This organization is the umbrella for all of your Elastic Cloud resources, users, and account settings. Every organization has a unique identifier. Bills are invoiced according to the billing contact and details that you set for your organization. +You can perform the following tasks to control access to your Cloud organization, your {{ech}} deployments, and your {{serverless-full}} projects: -From the Organization page, you can: +* [Manage users](/deploy-manage/users-roles/cloud-organization/manage-users.md): Invite users to join your organization and manage existing users. +* Assign [user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md): + * Manage organization-level roles and high-level access to deployments and projects. + * If you have {{serverless-full}} projects, assign project-level roles and create custom roles. +* Configure [SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) for your organization. 
-* [Manage members of your organization](cloud-organization/manage-users.md) -* [Leave an organization](cloud-organization/manage-users.md#ec-leave-organization) -* [Assign user roles and privileges](cloud-organization/user-roles.md) -* [Create API keys for using the Elastic Cloud API](../api-keys/elastic-cloud-api-keys.md#ec-api-keys) -* [Configure SAML single sign-on for your organization](cloud-organization/configure-saml-authentication.md) +:::{tip} +If you're using {{ech}}, then you can also manage users and control access [at the deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md). +::: +## Should I use organization-level or deployment-level SSO? [organization-deployment-sso] + +:::{applies} +:hosted: all +::: + +:::{include} _snippets/org-vs-deploy-sso.md +::: \ No newline at end of file diff --git a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md index da931141aa..7bb77e7a8e 100644 --- a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md +++ b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md @@ -1,13 +1,13 @@ --- -navigation_title: "Configure {{ecloud}} SAML SSO" +navigation_title: "Configure SAML SSO" mapped_pages: - https://www.elastic.co/guide/en/cloud/current/ec-saml-sso.html +applies: + hosted: all + serverless: all --- - - -# Configure SAML authentication [ec-saml-sso] - +# Configure {{ecloud}} SAML single sign-on [ec-saml-sso] You can centrally control access to your {{ecloud}} organization by setting up SAML single sign-on (SSO) with a SAML 2.0 identity provider (IdP). 
@@ -15,21 +15,25 @@ When users log in to {{ecloud}} for the first time using SSO, they’re automati You can also enhance security by enforcing SSO authentication for members of your organization, and centrally manage role assignments by mapping IdP groups to {{ecloud}} roles. +On this page, you'll learn the following: -## Should I use organization-level or deployment-level SSO? [ec_should_i_use_organization_level_or_deployment_level_sso_2] +* How to [choose between organization- and deployment-level SSO](#ec_should_i_use_organization_level_or_deployment_level_sso_2) +* The [prerequisites for using SAML SSO](#ec_prerequisites_4) +* The [risks and considerations for using SAML SSO](#ec_risks_and_considerations) +* How to [implement and test SAML SSO](#set-up-sso) +* How to [enforce SAML SSO](#enforce-sso) for your organization +* How to [map groups returned by your IdP to Elastic Cloud roles](#role-mappings) +* How to [disable SAML SSO](#ec_disable_sso) -You can also integrate third-party authentication directly [at the deployment level](../cluster-or-deployment-auth.md). 
The option that you choose depends on your requirements: +For detailed examples of implementing SAML SSO using common identity providers, refer to the following topics: -| Consideration | Organization-level | Deployment-level | -| --- | --- | --- | -| **Management experience** | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually | -| **Authentication protocols** | SAML only | Multiple protocols, including LDAP, OIDC, and SAML | -| **Role mapping** | [Organization-level roles and instance access roles](user-roles.md), Serverless project [custom roles](https://docs.elastic.co/serverless/custom-roles.html) | [Built-in](../cluster-or-deployment-auth/built-in-roles.md) and [custom](../cluster-or-deployment-auth/defining-roles.md) stack-level roles | -| **User experience** | Users interact with Cloud | Users interact with the deployment directly | +* [](/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md) +* [](/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md) -If you want to avoid exposing users to the {{ecloud}} UI, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly. +## Should I use organization-level or deployment-level SSO? [ec_should_i_use_organization_level_or_deployment_level_sso_2] -In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment. 
+:::{include} ../_snippets/org-vs-deploy-sso.md +::: ## Prerequisites [ec_prerequisites_4] 
@@ -47,13 +51,16 @@ Before you configure SAML SSO, familiarize yourself with the following risks and To immediately revoke a user’s active sessions, an organization owner must [remove the user from the {{ecloud}} organization](https://cloud.elastic.co/account/members) or remove their assigned roles. * If you enforce SSO authentication, you can be locked out of {{ecloud}} if your IdP is unavailable or misconfigured. You might need to work with Elastic Support to regain access to your account. To avoid being locked out, you should maintain and store an [{{ecloud}} API key](../../api-keys/elastic-cloud-api-keys.md#ec-api-keys) with organization owner level privileges so that an administrator can disable enforcement in an emergency. -* If you do not enforce SSO authentication, users can still log in without authenticating with your IdP. You need to manage these users in Elastic Cloud. -* Cloud passwords are invalidated each time a user logs in using SSO. If a user needs sign in with their email and password again, they need to [change their password](../../../cloud-account/change-your-password.md). +* If you do not enforce SSO authentication, users can still log in without authenticating with your IdP. You need to manage these users in {{ecloud}}. +* {{ecloud}} passwords are invalidated each time a user logs in using SSO. If a user needs sign in with their email and password again, they need to [change their password](../../../cloud-account/change-your-password.md). * Role mappings only take effect when your organization’s members authenticate using SSO. If SSO authentication is not enforced, users might have roles that are inconsistent with the role mapping when they log in using other methods. -* Roles manually assigned using the {{ecloud}} UI are overwritten by the role mapping when the user logs in using SSO. +* Roles manually assigned using the {{ecloud}} Console are overwritten by the role mapping when the user logs in using SSO. 
+## Set up SSO -## Claim a domain [ec-saml-sso-claim-domain] +Follow this procedure to set up SAML SSO with your IdP. + +### Step 1: Claim a domain [ec-saml-sso-claim-domain] Before you can register and use your IdP with {{ecloud}}, you must claim one or more domains. Only users that have email addresses that match claimed domains can authenticate with your IdP. @@ -75,7 +82,7 @@ You must have authority to modify your domain’s DNS records and be a member of ... ``` -6. In the {{ecloud}} UI, click **Verify and add domain**. +6. In the {{ecloud}} Console, click **Verify and add domain**. ::::{note} It might take some time for the DNS records to be updated and propagated in the network. If verification isn’t successful, wait a while and try again. @@ -83,12 +90,12 @@ It might take some time for the DNS records to be updated and propagated in the -## Register a SAML IdP [ec-saml-sso-register-idp] +### Step 2: Register a SAML IdP [ec-saml-sso-register-idp] -After you have claimed one or more domains, you can register your IdP with {{ecloud}}. The steps vary by IdP; for more specific details, refer to [Register {{ecloud}} SAML in Microsoft Entra ID](register-elastic-cloud-saml-in-microsoft-entra-id.md) and [Register {{ecloud}} SAML in Okta](register-elastic-cloud-saml-in-okta.md). +After you have [claimed one or more domains](#ec-saml-sso-claim-domain), you can register your IdP with {{ecloud}}. The steps vary by IdP; for more specific details, refer to [Register {{ecloud}} SAML in Microsoft Entra ID](register-elastic-cloud-saml-in-microsoft-entra-id.md) and [Register {{ecloud}} SAML in Okta](register-elastic-cloud-saml-in-okta.md). -### Create a new SAML 2 application [ec_create_a_new_saml_2_application] +#### Create a new SAML 2 application [ec_create_a_new_saml_2_application] Create a new SAML 2 application in your IdP. 
@@ -100,7 +107,7 @@ Create a new SAML 2 application in your IdP. 6. Download the public certificate of the SAML 2 application. -### Register the IdP with {{ecloud}} [ec_register_the_idp_with_ecloud] +#### Register the IdP with {{ecloud}} [ec_register_the_idp_with_ecloud] Add the information that you collected to {{ecloud}}. @@ -108,7 +115,7 @@ Add the information that you collected to {{ecloud}}. 2. In the **User authentication** section, click **Configure SSO**. 3. Fill the following fields: - 1. **Identity Provider Entity ID**: The SAML issuer that you collected in the previous step. This is unique identifier of your identity provider that allows Elastic Cloud to verify the source of SAML assertions. + 1. **Identity Provider Entity ID**: The SAML issuer that you collected in the previous step. This is unique identifier of your identity provider that allows {{ecloud}} to verify the source of SAML assertions. 2. **Identity Provider SSO URL**: The SSO URL that you collected in the previous step. This should be the HTTP-POST SAML binding of your identity provider. Users will be redirected to this URL when they attempt to log in. 3. **Public x509 certificate**: The public certificate of the SAML 2 application that you downloaded in the previous step. This is the certificate that SAML responses will be signed with by your IdP. The certificate must be in PEM format. 4. **Login identifier prefix**: A customizable piece of the {{ecloud}} SSO URL that your organization members can use to authenticate. This could be the name of your business. You can use lowercase alphanumeric characters and hyphens in this value, and you can change it later. 
@@ -131,7 +138,7 @@ If your configuration is valid, the following details of the service provider (S * **Metadata URL**: The link to an XML metadata file that contains the Elastic service provider metadata. If your IdP accepts metadata files, then you can use this file to configure your IdP. -### Update the SAML 2 application in your IdP [ec_update_the_saml_2_application_in_your_idp] +#### Update the SAML 2 application in your IdP [ec_update_the_saml_2_application_in_your_idp] Using the details returned in the previous step, update the assertion consumer service (ACS), SP entity ID/audience, and SSO login URL values in your SAML 2 application. @@ -141,7 +148,7 @@ Additional details that you might want to use in your IdP configuration, such as -## Test SSO [ec_test_sso] +### Step 3: Test SSO [ec_test_sso] After you register the IdP in {{ecloud}} and configure your IdP, you can test authentication. To begin SSO, open the identity provider SSO URL in an incognito browsing session. If everything is configured correctly, you should be redirected to your IdP for authentication and then redirected back to {{ecloud}} signed in. @@ -174,7 +181,7 @@ To protect your account from being accidentally locked out when this option is e 2. In the **User authentication** section, click **Edit**. 3. Toggle the **Only allow login through my identity provider** option off to disable enforcement. -If you are unable to access the UI for any reason, use the following API call to disable enforcement. The API key that you use must have organization owner level privileges to disable enforcement. +If you are unable to access the {{ecloud}} Console for any reason, use the following API call to disable enforcement. The API key that you use must have organization owner level privileges to disable enforcement. ```sh curl -XPUT \ 
@@ -194,12 +201,8 @@ curl -XPUT \ To automate [role](user-roles.md) assignments to your {{ecloud}} organization’s members, you can use role mappings. Role mappings map groups returned by your IdP in the `groups` SAML attribute to one or more {{ecloud}} roles. The mapping will be evaluated and the applicable roles will be assigned each time your organization’s members log into {{ecloud}} using SSO. ::::{note} -If [SSO enforcement](#enforce-sso) is not enabled, user roles might not be consistent with your role mapping and additional manual role assignment might be needed. Roles manually assigned using the {{ecloud}} UI are overwritten by the role mapping when the user logs in using SSO. -:::: - - -::::{note} -If the `groups` attribute is not included in the SAML response, the user will keep whatever groups they were last assigned by the IdP. If you want to remove all groups for a user as part of an offboarding process, instead unassign the user from the {{ecloud}} application. +* If [SSO enforcement](#enforce-sso) is not enabled, user roles might not be consistent with your role mapping and additional manual role assignment might be needed. Roles manually assigned using the {{ecloud}} Console are overwritten by the role mapping when the user logs in using SSO. +* If the `groups` attribute is not included in the SAML response, the user will keep whatever groups they were last assigned by the IdP. If you want to remove all groups for a user as part of an offboarding process, instead unassign the user from the {{ecloud}} application. :::: diff --git a/deploy-manage/users-roles/cloud-organization/manage-users.md b/deploy-manage/users-roles/cloud-organization/manage-users.md index b555daa64a..884b28b650 100644 --- a/deploy-manage/users-roles/cloud-organization/manage-users.md +++ b/deploy-manage/users-roles/cloud-organization/manage-users.md 
@@ -3,37 +3,117 @@ mapped_urls: - https://www.elastic.co/guide/en/cloud/current/ec-invite-users.html - https://www.elastic.co/guide/en/serverless/current/general-manage-organization.html - https://www.elastic.co/guide/en/cloud/current/ec-api-organizations.html +applies: + serverless: all + hosted: all --- # Manage users -% What needs to be done: Refine +$$$general-assign-user-roles$$$ -% GitHub issue: https://github.com/elastic/docs-projects/issues/347 +You can invite users to join your organization to allow them to interact with all or specific instances, projects and settings. After they're invited, you can manage the users in your organization. -% Scope notes: These can all be combined. The tasks are pretty similar between serverless and hosted. +Alternatively, [configure {{ecloud}} SAML SSO](../../../deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) to enable your organization members to join the {{ecloud}} organization automatically. -% Use migrated content from existing pages that map to this page: +::::{note} +Users can only belong to one organization at a time. If a user that you want to invite already belongs to a different organization, that user first needs to leave their current organization, or to use a different email address. Check [Join an organization from an existing {{ecloud}} account](/cloud-account/join-or-leave-an-organization.md). +:::: -% - [ ] ./raw-migrated-files/cloud/cloud/ec-invite-users.md -% - [ ] ./raw-migrated-files/docs-content/serverless/general-manage-organization.md -% - [ ] ./raw-migrated-files/cloud/cloud/ec-api-organizations.md -% Notes: api examples +:::{tip} +If you're using {{ech}}, then you can also manage users and control access [at the deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md). +::: -% Internal links rely on the following IDs being on this page (e.g. 
as a heading ID, paragraph ID, etc): +## Invite your team [ec-invite-users] -$$$general-assign-user-roles$$$ +To invite users to your organization: + +1. Go to the user icon on the header bar and select **Organization**. +2. On the **Members** page, click **Invite members**. +3. Enter the email addresses of the users you want to invite in the textbox. + + To add multiple members, enter the member email addresses, separated by a space. + +4. If desired, assign roles to the users so that they automatically get the appropriate permissions when they accept the invitation and sign in to {{ecloud}}. + + If you're assigning roles for {{serverless-full}} projects, then you can grant access to all projects of the same type with a unique role, or select individual roles for specific projects. For more details about roles, refer to [](/deploy-manage/users-roles/cloud-organization/user-roles.md). + +5. Click **Send invites**. + + Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation before it expires. If the invite has expired, an admin can resend the invitation. + +## Manage existing users + +On the **Members** tab of the **Organization** page, you can view the list of current members, including status and role. + +In the **Actions** column, click the three dots to edit a member’s role, or revoke an invite, or remove a member from your organization. + +## Manage users through the {{ecloud}} API [ec-api-organizations] + +You can also manage members of your organization using the [{{ecloud}} API](https://www.elastic.co/docs/api/doc/cloud/). + +:::{dropdown} Get information about your organization + +Get information about your Elasticsearch Service organization. + +```sh +curl -XGET \ +-H "Authorization: ApiKey $EC_API_KEY" \ +"https://api.elastic-cloud.com/api/v1/organizations" +``` +::: + +:::{dropdown} Invite members to your organization + +Invite members to your Elasticsearch Service organization. 
+ +```sh +curl -XPOST \ +-H 'Content-Type: application/json' \ +-H "Authorization: ApiKey $EC_API_KEY" \ +"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" \ +-d ' +{ + "emails": [ + "test@test.com" <1> + ] +}' +``` + +1. One or more email addresses to invite to the organization +::: + +:::{dropdown} View pending invitations to your organization + +View pending invitations to your Elasticsearch Service organization. + +```sh +curl -XGET \ +-H 'Content-Type: application/json' \ +-H "Authorization: ApiKey $EC_API_KEY" \ +"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" +``` -$$$general-manage-access-to-organization$$$ +:::{dropdown} View members in your organization -$$$general-join-organization-from-existing-cloud-account$$$ +View members in your Elasticsearch Service organization. -$$$general-leave-an-organization$$$ +```sh +curl -XGET \ +-H "Authorization: ApiKey $EC_API_KEY" \ +"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members" +``` +::: -$$$general-assign-user-roles-organization-level-roles$$$ +:::{dropdown} Remove members from your organization -$$$general-assign-user-roles-instance-access-roles$$$ +Remove members from your Elasticsearch Service organization. -$$$ec-leave-organization$$$ +```sh +curl -XDELETE \ +-H "Authorization: ApiKey $EC_API_KEY" \ +"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members/$USER_IDS" +``` -$$$ec-join-invitation$$$ \ No newline at end of file +`USER_IDS` One or more comma-delimited user ids to remove from the organization +::: \ No newline at end of file diff --git a/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md b/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md index 07a81e6832..e9acef5ee3 100644 --- a/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md 
+++ b/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md @@ -1,9 +1,13 @@ --- mapped_pages: - https://www.elastic.co/guide/en/cloud/current/ec-saml-sso-entra.html +navigation_title: "Microsoft Entra ID" +applies: + hosted: all + serverless: all --- -# Register Elastic Cloud SAML in Microsoft Entra ID [ec-saml-sso-entra] +# Register {{ecloud}} SAML in Microsoft Entra ID [ec-saml-sso-entra] To [configure {{ecloud}} SAML SSO](configure-saml-authentication.md) with Microsoft Entra ID (formerly Azure AD) as the identity provider (IdP), perform the following steps. diff --git a/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md b/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md index 92fe458d06..1d34d5ea23 100644 --- a/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md +++ b/deploy-manage/users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md @@ -1,9 +1,13 @@ --- mapped_pages: - https://www.elastic.co/guide/en/cloud/current/ec-saml-sso-okta.html +navigation_title: Okta +applies: + hosted: all + serverless: all --- -# Register Elastic Cloud SAML in Okta [ec-saml-sso-okta] +# Register {{ecloud}} SAML in Okta [ec-saml-sso-okta] To [configure {{ecloud}} SAML SSO](configure-saml-authentication.md) with Okta as the identity provider (IdP), perform the following steps. diff --git a/deploy-manage/users-roles/cloud-organization/user-roles.md b/deploy-manage/users-roles/cloud-organization/user-roles.md index a38cdf4d75..dace2b649b 100644 --- a/deploy-manage/users-roles/cloud-organization/user-roles.md +++ b/deploy-manage/users-roles/cloud-organization/user-roles.md 
@@ -2,33 +2,119 @@ mapped_urls: - https://www.elastic.co/guide/en/cloud/current/ec-user-privileges.html - https://www.elastic.co/guide/en/serverless/current/general-manage-organization.html - - https://www.elastic.co/guide/en/serverless/current/custom-roles.html +applies: + hosted: all + serverless: all --- -# User roles +# User roles and privileges [ec-user-privileges] +$$$general-assign-user-roles$$$ -% What needs to be done: Refine +Within an {{ecloud}} organization, users can have one or more roles and each role grants specific privileges. -% GitHub issue: https://github.com/elastic/docs-projects/issues/347 +You can assign user roles when you [invite users to join your organization](/deploy-manage/users-roles/cloud-organization/manage-users.md#ec-invite-users). You can also edit the roles assigned to a user later. -% Scope notes: These can be combined, though the list of roles differs between serverless and hosted, but the tasks for managing them are similar. +On this page, you'll learn the following: -% Use migrated content from existing pages that map to this page: +* [How to edit a user's roles](#edit-a-users-roles) +* The [types of roles](#types-of-roles) available, the levels where they can be applied, and the [scope](#ec-role-scoping) of each role type +* The predefined roles available for [{{ech}}](#ech-predefined-roles) and [{{serverless-full}}](#general-assign-user-roles-table) -% - [ ] ./raw-migrated-files/cloud/cloud/ec-user-privileges.md -% - [ ] ./raw-migrated-files/docs-content/serverless/general-manage-organization.md -% - [ ] ./raw-migrated-files/docs-content/serverless/custom-roles.md +## Edit a user's roles -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): +To edit the roles assigned to a user: -$$$general-assign-user-roles$$$ +1. Go to the user icon on the header bar and select **Organization**. +2. Find the user on the **Members** tab of the **Organization** page. 
Click the member name to view their roles. +3. Click **Edit** to change the user's roles. + +## Types of roles + +There are two types of roles you can assign to users: + +* **Oranization-level roles:** These roles apply to the entire organization and are not specific to any serverless project or hosted deployment. +* **Instance access roles:** These roles are specific to each serverless project or hosted deployment. + +### Organization-level roles [ec_organization_level_roles] + +* **Organization owner**: The role assigned by default to the user who created the organization. Organization owners have all privileges to instances ({{ech}} deployments and {{serverless-full}} projects), users, organization-level details and properties, billing details and subscription levels. They are also able to sign on to deployments with superuser privileges. +* **Billing admin**: Can manage an organization’s billing details such as credit card information, subscription and invoice history. Cannot manage other organization or deployment details and properties. + +### Instance access roles [ec_instance_access_roles] + +You can set instance access roles at two levels: + +* **Globally**, for all {{ech}} deployments, or for all {{serverless-full}} projects of the time type ({{es-serverless}}, {{observability}}, or {{elastic-sec}}). In this case, the role will also apply to new deployments, or projects of the specified type type, created later. +* **Individually**, for specific deployments or projects only. To do that, you have to leave the **Role for all hosted deployments** field, or the **Role for all** for the project type, blank. 
+ +{{ech}} deployments and {{serverless-full}} projects each have a set of predefined instance access roles available: + +* [{{ech}} predefined roles](#ech-predefined-roles) +* [{{serverless-full}} predefined roles](#general-assign-user-roles-table) + +If you're using {{serverless-full}}, you can optionally [create custom roles in a project](/deploy-manage/users-roles/cloud-organization/user-roles.md). All custom roles grant the same access as the `Viewer` instance access role with regards to {{ecloud}} privileges. To grant more {{ecloud}} privileges, assign more roles. Users receive a union of all their roles' privileges.To assign a custom role to users, go to **Instance access roles** and select it from the list under the specific project it was created in. + +## {{ech}} predefined roles [ech-predefined-roles] + +For {{ech}} deployments, the following predefined roles are available: + +* **Admin**: Can manage deployment details, properties and security privileges, and is able to sign on to the deployment with superuser privileges. This role can be scoped to one or more deployments. In order to prevent scope expansion, only Admins on all deployments can create new deployments. +* **Editor**: Has the same rights as Admin, except from deployment creation and management of security privileges. Editors are able to sign on to the deployment with the “editor” stack role. This role can be scoped to one or more deployments. +* **Viewer**: Can view deployments, and can sign on to the deployment with the viewer Stack role. This role can be scoped to one or more deployments. + + +### Mapping of {{ecloud}} roles with {{stack}} roles [ec-stack-user-org-member] + +There are two ways for a user to access {{kib}} instances of an {{ech}} deployment: + +* [Directly with {{es}} credentials](/deploy-manage/users-roles/cluster-or-deployment-auth.md). In this case, users and their roles are managed directly in {{kib}}. 
Users in this case don’t need to be members of the {{ecloud}} organization to access the deployment. Note that if you have several deployments, you need to manage users for each of them, individually. +* Through your {{ecloud}} organization. In this case, users who are members of your organization log in to {{ecloud}} and can open the deployments they have access to. Their access level is determined by the roles assigned to them from the **Organization** page. {{ecloud}} roles are mapped to [Stack roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md#built-in-roles) on a per-deployment level. When logging in to a specific deployment, users get the stack role that maps to their {{ecloud}} role for that particular deployment. + +The following table shows the default mapping: + +| Cloud role | Cloud API `role_id` | Stack role | +| --- | --- | --- | +| Organization owner | `organization-admin` | superuser | +| Billing admin | `billing-admin` | none | +| Admin | `deployment-admin` | superuser | +| Editor | `deployment-editor` | editor | +| Viewer | `deployment-viewer` | viewer | + +## {{serverless-full}} predefined roles [general-assign-user-roles-table] + +You can apply the following predefined roles to {{serverless-full}} projects. Some roles are only available to certain project types. + +:::{tip} +You can optionally [create custom roles in a project](/deploy-manage/users-roles/cloud-organization/user-roles.md) and apply them to your organization users. +::: + +| Name | Description | Available | +| --- | --- | --- | +| Admin | Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. 
| [![Elasticsearch](../../../images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](../../../images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Developer | Creates API keys, indices, data streams, adds connectors, and builds visualizations. | [![Elasticsearch](../../../images/serverless-es-badge.svg "")](../../../solutions/search.md) | +| Viewer | Has read-only access to project details, data, and features. | [![Elasticsearch](../../../images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](../../../images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Editor | Configures all Observability or Security projects. Has read-only access to data indices. Has full access to all project features. | [![Observability](../../../images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Tier 1 analyst | Ideal for initial alert triage. General read access, can create dashboards and visualizations. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Tier 2 analyst | Ideal for alert triage and beginning the investigation process. Can create cases. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Tier 3 analyst | Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions. 
| [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Threat intelligence analyst | Access to alerts, investigation tools, and intelligence pages. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Rule author | Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| SOC manager | Access to alerts, cases, investigation tools, endpoint policy management, and response actions. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Endpoint operations analyst | Access to endpoint response actions. Can manage endpoint policies, {{fleet}}, and integrations. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Platform engineer | Access to {{fleet}}, integrations, endpoints, and detection content. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Detections admin | All available detection engine permissions to include creating rule actions, such as notifications to third-party systems. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | +| Endpoint policy manager | Access to endpoint policy management and related artifacts. Can manage {{fleet}} and integrations. 
| [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | + +## Role scopes [ec-role-scoping] -$$$general-manage-access-to-organization$$$ +Roles are assigned to every member of an organization and can refer (or be scoped) to one or more specific deployments, or all deployments. When a role is scoped to all deployments it grants permissions on all existing and future deployments. -$$$general-join-organization-from-existing-cloud-account$$$ +This list describes the scope of the different roles: -$$$general-leave-an-organization$$$ +* **Organization owner**: This role is always scoped to administer all deployments. +* **Billing admin**: This role does not refer to any deployment. +* **Instance access roles**, including **Admin**: These roles can be scoped to either all deployments or projects, or specific deployments, project types, or projects. -$$$general-assign-user-roles-organization-level-roles$$$ +Members are only able to see the role assignments of other members under the organization they belong to, for role assignments they are able to manage. Members with the **Organization owner** role assigned are able to see the role assignments of every member of their organization. -$$$general-assign-user-roles-instance-access-roles$$$ \ No newline at end of file +Members with the **Admin** role assigned are able to see role assignments for deployments or projects within their scope. For example, admins of all deployments and projects are able to see role assignments scoped to all and specific deployments and projects in the organization, while admins of specific deployments or projects only see role assignments scoped to those specific deployments or projects. This ensures that members assigned to specific deployments or projects do not try to remove role assignments from other members, and that the existence of other deployments or projects are not revealed to these members. \ No newline at end of file 
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth.md b/deploy-manage/users-roles/cluster-or-deployment-auth.md index 70d45367c2..7152066a1e 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth.md 
@@ -1,23 +1,56 @@ --- +navigation_title: "Cluster or deployment" mapped_urls: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-securing-clusters.html - https://www.elastic.co/guide/en/cloud/current/ec-security.html +applies: + hosted: all + ece: all + eck: all + stack: all --- -# Cluster or deployment auth +# Cluster or deployment users -% What needs to be done: Write from scratch +To prevent unauthorized access to your Elastic resources, you need a way to identify users and validate that a user is who they claim to be (*authentication*), and control what data users can access and what tasks they can perform (*authorization*). -% GitHub issue: https://github.com/elastic/docs-projects/issues/347 +In this section, you’ll learn how to set up authentication and authorization at the cluster or deployment level, and learn about the underlying security technologies that Elasticsearch uses to authenticate and authorize requests internally and across services. -% Use migrated content from existing pages that map to this page: +This section only covers direct access to and communications with an Elasticsearch cluster - sometimes known as a deployment. To learn about managing access to your {{ecloud}} organization or {{ece}} orchestrator, or to learn how to use single sign-on to access a cluster using your {{ecloud}} credentials, refer to [Manage users and roles](/deploy-manage/users-roles.md). -% - [ ] ./raw-migrated-files/cloud/cloud-enterprise/ece-securing-clusters.md -% - [ ] ./raw-migrated-files/cloud/cloud/ec-security.md +## Quickstart -⚠️ **This page is a work in progress.** ⚠️ +If you plan to use native Elasticsearch user and role management, then [follow our quickstart](/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md) to learn how to set up basic authentication and authorization features. 
-The documentation team is working to combine content pulled from the following pages: +### User authentication -* [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-clusters.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-clusters.md) -* [/raw-migrated-files/cloud/cloud/ec-security.md](/raw-migrated-files/cloud/cloud/ec-security.md) \ No newline at end of file +Set up methods to identify users to the Elasticsearch cluster. + +Key tasks for managing user authentication include: + +* [Managing built-in users](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) +* [Managing users natively](/deploy-manage/users-roles/cluster-or-deployment-auth/native.md) +* [Integrating with external authentication providers](/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md) + +You can also learn the basics of Elasticsearch authentication, learn about accounts used to communicate within an Elasticsearch cluster and across services, and perform advanced tasks. + +[View all user authentication docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md) + +### User authorization + +After a user is authenticated, use role-based access control to determine whether the user behind an incoming request is allowed to execute the request. 
+ +Key tasks for managing user authorization include: + +* [Defining roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) +* Assigning [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or your own roles to users +* Creating [mappings of users and groups to roles](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) for external authentication providers +* [Setting up field- and document-level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) + +You can also learn the basics of Elasticsearch authorization, and perform advanced tasks. + +::::{tip} +User roles are also used to control access to [{{kib}} spaces](/deploy-manage/manage-spaces.md). +:::: + +[View all user authorization docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) \ No newline at end of file diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-plugins.md b/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-plugins.md index 3666ac2b35..f3914825d0 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-plugins.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-plugins.md 
@@ -60,7 +60,7 @@ In order to register the security extension for your custom roles provider or au 1. Implement a plugin class that extends `org.elasticsearch.plugins.Plugin` 2. Create a build configuration file for the plugin; Gradle is our recommendation. -3. Create a `plugin-descriptor.properties` file as described in [Help for plugin authors](https://www.elastic.co/guide/en/elasticsearch/plugins/current/plugin-authors.html). +3. Create a `plugin-descriptor.properties` file as described in [Help for plugin authors](https://www.elastic.co/guide/en/elasticsearch/plugins/current/plugin-authors.md). 4. Create a `META-INF/services/org.elasticsearch.xpack.core.security.SecurityExtension` descriptor file for the extension that contains the fully qualified class name of your `org.elasticsearch.xpack.core.security.SecurityExtension` implementation 5. Bundle all in a single zip file. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/custom.md b/deploy-manage/users-roles/cluster-or-deployment-auth/custom.md index 2221e27f05..6b9387e12a 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/custom.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/custom.md @@ -3,7 +3,7 @@ mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/custom-realms.html --- -# Custom [custom-realms] +# Custom realms If you are using an authentication system that is not supported out-of-the-box by the {{es}} {{security-features}}, you can create a custom realm to interact with it to authenticate users. You implement a custom realm as an SPI loaded security extension as part of an ordinary elasticsearch plugin. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md b/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md index 02c25c2695..00abc83f09 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md 
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md @@ -5,7 +5,7 @@ mapped_urls: - https://www.elastic.co/guide/en/elasticsearch/reference/current/role-mapping-resources.html --- -# Mapping users and groups to roles +# Map external users and groups to roles % What needs to be done: Refine diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md b/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md index 36dd2e3048..b6b7406dcf 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md @@ -2,6 +2,11 @@ mapped_urls: - https://www.elastic.co/guide/en/elasticsearch/reference/current/setting-up-authentication.html - https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html +applies: + hosted: all + ece: all + eck: all + stack: all --- # User authentication 
@@ -38,4 +43,37 @@ $$$oidc$$$ $$$saml$$$ -$$$token-authentication$$$ \ No newline at end of file +$$$token-authentication$$$ + + + +Review the following topics to learn about authentication in your Elasticsearch cluster: + +### Set up user authentication + +* Learn about the available [realms](/deploy-manage/users-roles/cluster-or-deployment-auth/authentication-realms.md) that you can use to authenticate users +* Manage passwords for [built-in users](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) +* Manage users [natively](/deploy-manage/users-roles/cluster-or-deployment-auth/native.md) +* Integrate with external authentication providers using [external realms](/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md): + * [Active Directory](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md) + * [JWT](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md) + * [Kerberos](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md) + * [LDAP](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md) + * [OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md) + * [SAML](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md) + * [PKI](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md) + * [Implement a custom realm](/deploy-manage/users-roles/cluster-or-deployment-auth/custom.md) +* Configure [file-based authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) +* Enable [anonymous access](/deploy-manage/users-roles/cluster-or-deployment-auth/anonymous-access.md) +* Set up a [user access agreement](/deploy-manage/users-roles/cluster-or-deployment-auth/access-agreement.md) + +### Advanced topics + +* Learn about [internal users](/deploy-manage/users-roles/cluster-or-deployment-auth/internal-users.md), which are responsible for the operations that take place inside an Elasticsearch cluster. 
+* Learn about [service accounts](/deploy-manage/users-roles/cluster-or-deployment-auth/service-accounts.md), which are used for integration with external services that connect to Elasticsearch +* Learn about the [services used for token-based authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/token-based-authentication-services.md) +* Learn about the [services used by orchestrators](/deploy-manage/users-roles/cluster-or-deployment-auth/operator-privileges.md) (applies to {{ece}}, {{ech}}, and {{eck}}) +* Manage [user profiles](/deploy-manage/users-roles/cluster-or-deployment-auth/user-profiles.md) +* Learn about [user lookup technologies](/deploy-manage/users-roles/cluster-or-deployment-auth/looking-up-users-without-authentication.md) +* [Manage the user cache](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-user-cache.md) +* Manage authentication for [multiple clusters](/deploy-manage/users-roles/cluster-or-deployment-auth/manage-authentication-for-multiple-clusters.md) using {{stack}} configuration policies ({{eck}} only) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md b/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md index 76640be8cd..8ab0b9ab52 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md 
@@ -1,10 +1,39 @@ --- mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/authorization.html +applies: + hosted: all + ece: all + eck: all + stack: all --- # User roles [authorization] + +After a user is authenticated, use role-based access control to determine whether the user behind an incoming request is allowed to execute the request. The primary method of authorization in a cluster is role-based access control (RBAC). Review the following topics to learn about authorization in your Elasticsearch cluster. + +### Set up user authorization + +* [Define roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) +* Learn about [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) +* Learn about the [Elasticsearch](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) and [Kibana](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) privileges you can assign to roles +* Creating [mappings of users and groups to roles](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) for external authentication providers +* Learn how to [control access at the document and field level](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) + +### Advanced topics + +* Learn how to [delegate authorization to another realm](/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-delegation.md) +* Learn how to [build a custom authorization plugin](/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-plugins.md) for unsupported systems or advanced applications +* Learn how to [submit requests on behalf of other users](/deploy-manage/users-roles/cluster-or-deployment-auth/submitting-requests-on-behalf-of-other-users.md) +* Learn about [attribute-based access control](/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md#attributes) 
+ +::::{tip} +User roles are also used to control access to [{{kib}} spaces](/deploy-manage/manage-spaces.md). +:::: + + + The {{stack-security-features}} add *authorization*, which is the process of determining whether the user behind an incoming request is allowed to execute the request. This process takes place after the user is successfully identified and [authenticated](user-authentication.md). diff --git a/deploy-manage/users-roles/custom-roles.md b/deploy-manage/users-roles/custom-roles.md new file mode 100644 index 0000000000..3b5c685ff4 --- /dev/null +++ b/deploy-manage/users-roles/custom-roles.md 
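Review bot: in the `# User roles [authorization]` hunk above, the new intro paragraph defines authorization twice and the new headings skip a level. "use role-based access control to determine whether the user behind an incoming request is allowed to execute the request. The primary method of authorization in a cluster is role-based access control (RBAC)." names RBAC in both sentences, and the retained line `The {{stack-security-features}} add *authorization*, which is the process of determining whether the user behind an incoming request is allowed to execute the request.` repeats the same definition a few lines later; keep one of them and put the RBAC sentence second. `### Set up user authorization` and `### Advanced topics` sit directly under the h1 with no `##` between, so promote them to `##`. The bullets also mix forms ("Define roles", "Learn about ...", "Creating mappings ..."); use one imperative form throughout. The last bullet links to `user-roles.md#attributes`, an anchor that is not defined anywhere in this hunk, so confirm it exists before merging. Finally, three consecutive blank `+` lines precede the retained paragraph after the `::::{tip}` block; one is enough.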
@@ -0,0 +1,93 @@ +--- +mapped_urls: + - https://www.elastic.co/guide/en/serverless/current/custom-roles.html +applies: + serverless: all +--- + +This content applies to: [![Elasticsearch](../../images/serverless-es-badge.svg "")](../../solutions/search.md) [![Security](../../images/serverless-sec-badge.svg "")](../../solutions/security/elastic-security-serverless.md) + +# Project custom roles [custom-roles] + +Built-in [organization-level roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_organization_level_roles) and [instance access roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_instance_access_roles) are great for getting started with {{serverless-full}}, and for system administrators who do not need more restrictive access. + +As an administrator, you can also create roles for users with the access they need within specific projects. For example, you might create a `marketing_user` role, which you then assign to all users in your marketing department. This role would grant access to all of the necessary data and features for this team to be successful, without granting them access they don’t require. + +All custom roles grant the same access as the `Viewer` instance access role with regards to {{ecloud}} privileges. To grant more {{ecloud}} privileges, assign more roles. Users receive a union of all their roles' privileges. + +Roles are a collection of privileges that enable users to access project features and data. When you create a custom role, you can assign {{es}} [cluster](#custom-roles-es-cluster-privileges) and [index](#custom-roles-es-index-privileges) privileges and [{{kib}}](#custom-roles-kib-privileges) privileges. + +On this page, you'll learn about how to [manage custom roles in your project](#manage-custom-roles), the types of privileges you can assign, and how to [assign the roles](#assign-custom-roles) that you create. 
+ +::::{note} +You cannot assign [run as privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#_run_as_privilege) in {{serverless-full}} custom roles. + +:::: + +## Manage custom roles + +You can manage custom roles from within your project, in **{{project-settings}} > {{manage-app}} > {{custom-roles-app}}**. To create a new custom role, click the **Create role** button. To clone, delete, or edit a role, open the actions menu `⋯`. + +## {{es}} cluster privileges [custom-roles-es-cluster-privileges] + +Cluster privileges grant access to monitoring and management features in {{es}}. They also enable some stack management capabilities in your project. + +:::{image} ../../images/serverless-custom-roles-cluster-privileges.png +:alt: Create a custom role and define {{es}} cluster privileges +:class: screenshot +::: + +Refer to [cluster privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-cluster) for a complete description of available options. + + +## {{es}} index privileges [custom-roles-es-index-privileges] + +Each role can grant access to multiple data indices, and each index can have a different set of privileges. Typically, you will grant the `read` and `view_index_metadata` privileges to each index that you expect your users to work with. For example, grant access to indices that match an `acme-marketing-*` pattern: + +:::{image} ../../images/serverless-custom-roles-index-privileges.png +:alt: Create a custom role and define {{es}} index privileges +:class: screenshot +::: + +Refer to [index privileges](asciidocalypse://reference/elasticsearch/security-privileges.md#privileges-list-indices) for a complete description of available options. 
+ +### Document-level and field-level security + +Document-level and field-level security affords you even more granularity when it comes to granting access to your data: + +* With document-level security (DLS), you can write an {{es}} query to describe which documents this role grants access to. Add your query in the **Granted documents query** field. +* With field-level security (FLS), you can instruct {{es}} to grant or deny access to specific fields within each document. List these fields in the **Granted fields** field. + + +## {{kib}} privileges [custom-roles-kib-privileges] + +When you create a custom role, click **Add Kibana privilege** to grant access to specific features. The features that are available vary depending on the project type. For example, in {{es-serverless}}: + +:::{image} ../../images/serverless-custom-roles-kibana-privileges.png +:alt: Create a custom role and define {{kib}} privileges +:class: screenshot +::: + +Open the **Spaces** selection control to specify whether to grant the role access to all spaces or one or more individual spaces. When using the **Customize by feature** option, you can choose either **All**, **Read** or **None** for access to each feature. + +All +: Grants full read-write access. + +Read +: Grants read-only access. + +None +: Does not grant any access. + +Some features have finer access control and you can optionally enable sub-feature privileges. + +::::{admonition} New features +:class: note + +As new features are added to {{serverless-full}}, roles that use the custom option do not automatically get access to the new features. You must manually update the roles. + +:::: + +## Assign custom roles + +After your roles are set up, the next step to securing access is to assign roles to your users. Click the **Assign roles** link to go to the **Members** tab of the **Organization** page. Learn more in [](/deploy-manage/users-roles/cloud-organization/user-roles.md). 
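Review bot: several link and anchor problems in the new `deploy-manage/users-roles/custom-roles.md`. The front matter uses `mapped_urls:` while the other page in this PR uses `mapped_pages:`; pick the key the build actually reads. The intro links to `#manage-custom-roles` and `#assign-custom-roles`, but `## Manage custom roles` and `## Assign custom roles` carry no explicit `[...]` id, unlike `## {{es}} cluster privileges [custom-roles-es-cluster-privileges]` in the same file; add ids so the links don't depend on slug generation. The index privileges reference, `[index privileges](asciidocalypse://reference/elasticsearch/security-privileges.md#privileges-list-indices)`, uses a different scheme from the cluster privileges reference two sections earlier (`/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-cluster`); the file this one replaces pointed both at `elasticsearch-privileges.md`, so align them. The closing `Learn more in [](/deploy-manage/users-roles/cloud-organization/user-roles.md).` has empty link text; the removed version read "Assign user roles and privileges". The two links to `user-roles.md#ec_organization_level_roles` and `#ec_instance_access_roles` target ids that are defined only in `ec-user-privileges.md`, which this PR deletes, and `cloud-organization/user-roles.md` is not in the diff, so confirm those ids exist there. Lastly, the badge line `This content applies to: ...` precedes the `# Project custom roles [custom-roles]` title, whereas the removed page placed it after the title; move it below the h1.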
diff --git a/raw-migrated-files/cloud/cloud/ec-api-organizations.md b/raw-migrated-files/cloud/cloud/ec-api-organizations.md deleted file mode 100644 index 10a339695b..0000000000 --- a/raw-migrated-files/cloud/cloud/ec-api-organizations.md +++ /dev/null 
@@ -1,70 +0,0 @@ -# Organization operations [ec-api-organizations] - - -## Get information about your organization [ec_get_information_about_your_organization] - -Get information about your Elasticsearch Service organization. - -```sh -curl -XGET \ --H "Authorization: ApiKey $EC_API_KEY" \ -"https://api.elastic-cloud.com/api/v1/organizations" -``` - - -## Invite members to your organization [ec_invite_members_to_your_organization] - -Invite members to your Elasticsearch Service organization. - -```sh -curl -XPOST \ --H 'Content-Type: application/json' \ --H "Authorization: ApiKey $EC_API_KEY" \ -"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" \ --d ' -{ - "emails": [ - "test@test.com" <1> - ] -}' -``` - -1. One or more email addresses to invite to the organization - - - -## View pending invitations to your organization [ec_view_pending_invitations_to_your_organization] - -View pending invitations to your Elasticsearch Service organization. - -```sh -curl -XGET \ --H 'Content-Type: application/json' \ --H "Authorization: ApiKey $EC_API_KEY" \ -"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" -``` - - -## View members in your organization [ec_view_members_in_your_organization] - -View members in your Elasticsearch Service organization. - -```sh -curl -XGET \ --H "Authorization: ApiKey $EC_API_KEY" \ -"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members" -``` - - -## Remove members from your organization [ec_remove_members_from_your_organization] - -Remove members from your Elasticsearch Service organization. - -```sh -curl -XDELETE \ --H "Authorization: ApiKey $EC_API_KEY" \ -"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members/$USER_IDS" -``` - -`USER_IDS` One or more comma-delimited user ids to remove from the organization - 
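Review bot: the deletion of `raw-migrated-files/cloud/cloud/ec-api-organizations.md` removes the only API documentation in this PR for organization membership (`GET .../organizations`, `POST` and `GET .../organizations/$ORGANIZATION_ID/invitations`, `GET .../members`, `DELETE .../members/$USER_IDS`) and no hunk re-adds these curl examples, nor does the file carry a `% This section has been already added ...` marker like the other deleted pages. Confirm the examples were reproduced in the destination page (presumably `cloud-organization/manage-users.md`, which is not in the diff) before removing this file; the member-removal call and the `$USER_IDS` comma-delimited convention are the kind of detail administrators automating offboarding will search for.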
diff --git a/raw-migrated-files/cloud/cloud/ec-invite-users.md b/raw-migrated-files/cloud/cloud/ec-invite-users.md deleted file mode 100644 index 1b1fd25e40..0000000000 --- a/raw-migrated-files/cloud/cloud/ec-invite-users.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -navigation_title: "Invite members to your organization" ---- - -# Invite members to your {{ecloud}} organization [ec-invite-users] - - -By inviting users to join your organization, you can allow them to interact with all or specific instances and settings. To do that, some predefined roles are available for you to assign to your organization’s members. - -To invite a new member, go to your avatar in the upper right corner, choose **Organization** and click **Invite members**. You can add multiple members by entering their email addresses separated by a space. You can also assign roles to the users when you invite them, so that they automatically get the appropriate permissions when they accept the invitation and sign in to {{ecloud}}. - -::::{note} -Users can only belong to one organization at a time. If a user that you want to invite already belongs to a different organization, that user first needs to leave their current organization, or to use a different email address. Check [Join an organization from an existing {{ecloud}} account](../../../deploy-manage/users-roles/cloud-organization/manage-users.md#ec-join-invitation). -:::: - - -Alternatively, [configure {{ecloud}} SAML SSO](../../../deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) to enable your organization members to join the {{ecloud}} organization automatically. [preview] - -On the **Members** tab of the **Organization** page, you can view the list of current members, their status, and their roles. - -:::{image} ../../../images/cloud-ec-org-members-tab.png -:alt: Members tab -::: - -To edit a member’s roles, in the **Actions** column click the three dots and select **Edit role**. - - -## Accept an invitation [ec-accept-invitation] -% This section has been already added by @eedugon to the cloud-account section) - -Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation. 
If they do not join within that period, you will have to send a new invitation. - - -## Join an organization from an existing {{ecloud}} account [ec-join-invitation] -% This section has been already added by @eedugon to the cloud-account section) - -You already belong to an organization. If you want to join a new one and bring your deployments over, follow these steps: - -1. Backup your deployments to any private repository so that you can restore them to your new organization. -2. Leave your current organization. -3. Ask the administrator to invite you to the organization you want to join. -4. Accept the invitation that you will get by email. -5. Restore the backup you took in step 1. - -If you want to join a new one, but leave your deployments, follow these steps: - -1. Make sure you do not have active deployments before you leave your current organization. -2. Delete your deployments and clear any bills. -3. Leave your current organization. -4. Ask the administrator to invite you to the organization you want to join. -5. Accept the invitation that you will get by email. - - -## Leave an organization [ec-leave-organization] -% This section has been already added by @eedugon to the cloud-account section) - -On the **Members** tab of the **Organization** page, click the three dots corresponding to your email address and select **Leave organization**. - -If you’re the only user in the organization, you can only leave if you deleted all your deployments and projects, and you don’t have pending bills. - diff --git a/raw-migrated-files/cloud/cloud/ec-security.md b/raw-migrated-files/cloud/cloud/ec-security.md index c2a1a0533f..03a285d1d2 100644 --- a/raw-migrated-files/cloud/cloud/ec-security.md +++ b/raw-migrated-files/cloud/cloud/ec-security.md 
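Review bot: in the `ec-invite-users.md` deletion, only `## Accept an invitation`, `## Join an organization ...` and `## Leave an organization` carry the `% This section has been already added by @eedugon` marker; the `Invite members` body (the one-organization-per-user restriction, the SAML SSO `[preview]` pointer, the `Edit role` action) and the 72-hour invitation expiry have no marker and are not added anywhere in this diff, so confirm they landed in `cloud-organization/manage-users.md`. The removed page is also the definition site of `[ec-join-invitation]` and `[ec-leave-organization]`, both of which other pages still link to as `manage-users.md#ec-join-invitation` and `manage-users.md#ec-leave-organization` (the latter from `ec-user-privileges.md` below); the destination page must define both ids or those links break.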
@@ -19,16 +19,5 @@ In addition, we also enable encryption at rest (EAR) by default. Elasticsearch S ## Should I use organization-level or deployment-level SSO? [ec_should_i_use_organization_level_or_deployment_level_sso] -You can also integrate SAML SSO [at the organization level](../../../deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md). The option that you choose depends on your requirements: - -| Consideration | Organization-level | Deployment-level | -| --- | --- | --- | -| **Management experience** | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually | -| **Authentication protocols** | SAML only | Multiple protocols, including LDAP, OIDC, and SAML | -| **Role mapping** | [Organization-level roles and instance access roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), Serverless project [custom roles](https://docs.elastic.co/serverless/custom-roles.html) | [Built-in](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) and [custom](../../../deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) stack-level roles | -| **User experience** | Users interact with Cloud | Users interact with the deployment directly | - -If you want to avoid exposing users to the {{ecloud}} UI, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly. - -In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment. 
+% added to `deploy-manage/users-roles/cloud-organization.md` by Shaina diff --git a/raw-migrated-files/cloud/cloud/ec-user-privileges.md b/raw-migrated-files/cloud/cloud/ec-user-privileges.md deleted file mode 100644 index 4fe042ec2c..0000000000 --- a/raw-migrated-files/cloud/cloud/ec-user-privileges.md +++ /dev/null 
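Review bot: in the `ec-security.md` hunk, the body under `## Should I use organization-level or deployment-level SSO? [ec_should_i_use_organization_level_or_deployment_level_sso]` is replaced by `+% added to ... by Shaina`, which leaves a heading with a linkable id and no content. Either remove the heading in the same change or replace the body with a one-line cross-reference to `deploy-manage/users-roles/cloud-organization.md`, and drop the personal attribution from the source comment. The removed comparison table is the page's security-relevant guidance (organization-level SSO is SAML only and maps to Cloud roles; deployment-level SSO supports LDAP, OIDC and SAML and maps to built-in and custom stack roles), and the destination file is not in this diff, so confirm the table and the mixed-mode advice about multi-tenant organizations arrived there.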
@@ -1,77 +0,0 @@ -# User roles and privileges [ec-user-privileges] - -Within an {{ecloud}} organization, users can have one or more roles and each role grants specific privileges. - -::::{note} -This page focuses on roles for hosted deployments. Roles for serverless projects are detailed in the [serverless documentation](https://docs.elastic.co/serverless/general/assign-user-roles). -:::: - - - -## Organization-level roles [ec_organization_level_roles] - -* **Organization owner** - The role assigned by default to the user who created the organization. Organization owners have all privileges to instances (hosted deployments and serverless projects), users, organization-level details and properties, billing details and subscription levels. They are also able to sign on to deployments with superuser privileges. -* **Billing admin** - Can manage an organization’s billing details such as credit card information, subscription and invoice history. Cannot manage other organization or deployment details and properties. - - -## Instance access roles [ec_instance_access_roles] - -You can set instance access roles: - -* globally, for all hosted deployments. In this case, the role will also apply to new deployments created later. -* individually, for specific deployments only. To do that, you have to leave the **Role for all hosted deployments** field blank. - -For hosted deployments, the predefined roles available are the following: - -* **Admin** - Can manage deployment details, properties and security privileges, and is able to sign on to the deployment with superuser privileges. This role can be scoped to one or more deployments. In order to prevent scope expansion, only Admins on all deployments can create new deployments. -* **Editor** - Has the same rights as Admin, except from deployment creation and management of security privileges. Editors are able to sign on to the deployment with the “editor” stack role. This role can be scoped to one or more deployments. 
-* **Viewer** - Can view deployments, and can sign on to the deployment with the viewer Stack role. This role can be scoped to one or more deployments. - -Within the same organization, all members share the same set of default permissions. From the Elasticsearch Service main page you can: - -* See the organization details. -* Modify your **Profile** under your avatar in the upper right corner. -* [Leave](../../../deploy-manage/users-roles/cloud-organization/manage-users.md#ec-leave-organization) the organization. - -::::{note} -The {{ecloud}} UI navigation and access to components is based on user privileges. -:::: - - - -## Role scoping [ec-role-scoping] - -Roles are assigned to every member of an organization and can refer (or be scoped) to one or more specific deployments, or all deployments. When a role is scoped to all deployments it grants permissions on all existing and future deployments. - -This list describes the scope of the different roles: - -* **Organization owner** - This role is always scoped to administer all deployments. -* **Billing admin** - This role does not refer to any deployment. -* **Admin**, **Editor**, and **Viewer** - These roles can be scoped to either all deployments, or specific deployments. - -Members are only able to see the role assignments of other members under the organization they belong to, for role assignments they are able to manage. Members with the Organization owner role assigned are able to see the role assignments of every member of their organization. - -Members with the Admin role assigned are able to see role assignments for deployments within their scope. For example, Admins of all deployments are able to see role assignments scoped to all and specific deployments in the organization, while Admins of specific deployments only see role assignments scoped to those specific deployments. 
This ensures that members assigned to specific deployments do not try to remove role assignments from other members, and that the existence of other deployments are not revealed to these members. - - -## Mapping of {{ecloud}} roles with {{stack}} roles [ec-stack-user-org-member] - -There are two ways for a user to access {{kib}} instances of an {{ecloud}} deployment: - -* Directly with {{es}} credentials. In this case, users and their roles are managed directly in [{{kib}}](https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html). Users in this case don’t need to be members of the {{ecloud}} organization to access the deployment. Note that if you have several deployments, you need to manage users for each of them, individually. -* Through your {{ecloud}} organization. In this case, users who are members of your organization log in to {{ecloud}} and can open the deployments they have access to. Their access level is determined by the roles assigned to them from the Organization page. {{ecloud}} roles are mapped to [Stack roles](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md#built-in-roles) on a per-deployment level. When logging in to a specific deployment, users get the Stack role that maps to their Cloud role for that particular deployment. - -The following table shows the default mapping: - -| | | | -| --- | --- | --- | -| **Cloud role** | **Cloud API `role_id`** | **Stack role** | -| Organization owner | `organization-admin` | superuser | -| Billing admin | `billing-admin` | none | -| Admin | `deployment-admin` | superuser | -| Editor | `deployment-editor` | editor | -| Viewer | `deployment-viewer` | viewer | - -::::{note} -This table applies to deployments running on version 7.13 onwards. For earlier versions, only the superuser role mapping applies. -:::: 
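Review bot: deleting `ec-user-privileges.md` removes the definition sites of `[ec_organization_level_roles]` and `[ec_instance_access_roles]`, which the new `custom-roles.md` in this PR links to on `cloud-organization/user-roles.md`, a page the diff does not touch; confirm those ids are defined there. The same applies to the two pieces of authorization semantics that exist only in this removed file: the `## Role scoping [ec-role-scoping]` rules (only Admins on all deployments can create deployments; Admins scoped to specific deployments see neither other deployments nor their role assignments) and the Cloud-to-Stack mapping table (`organization-admin` and `deployment-admin` to superuser, `deployment-editor` to editor, `deployment-viewer` to viewer, `billing-admin` to none, with the 7.13 caveat). These are the authoritative statements of what each Cloud role grants inside a deployment, so the replacement page should carry them verbatim.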
diff --git a/raw-migrated-files/docs-content/serverless/custom-roles.md b/raw-migrated-files/docs-content/serverless/custom-roles.md deleted file mode 100644 index 904060f944..0000000000 --- a/raw-migrated-files/docs-content/serverless/custom-roles.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# Custom roles [custom-roles] - -This content applies to: [![Elasticsearch](../../../images/serverless-es-badge.svg "")](../../../solutions/search.md) [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) - -The built-in [organization-level roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-organization-level-roles) and [instance access roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-instance-access-roles) are great for getting started with {{serverless-full}}, and for system administrators who do not need more restrictive access. - -As an administrator, however, can create roles for users with the access they need within specific projects. For example, you might create a marketing_user role, which you then assign to all users in your marketing department. This role would grant access to all of the necessary data and features for this team to be successful, without granting them access they don’t require. - -All custom roles grant the same access as the `Viewer` instance access role with regards to {{ecloud}} privileges. To grant more {{ecloud}} privileges, assign more roles. Users receive a union of all their roles' privileges. - -You can manage custom roles in **{{project-settings}} → {{manage-app}} →{{custom-roles-app}}**. To create a new custom role, click the **Create role** button. To clone, delete, or edit a role, open the actions menu: - -:::{image} ../../../images/serverless-custom-roles-ui.png -:alt: Custom Roles app -:class: screenshot -::: - -Roles are a collection of privileges that enable users to access project features and data. For example, when you create a custom role, you can assign {{es}} cluster and index privileges and {{kib}} privileges. 
- -::::{note} -You cannot assign [run as privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#_run_as_privilege) in {{serverless-full}} custom roles. - -:::: - - - -## {{es}} cluster privileges [custom-roles-es-cluster-privileges] - -Cluster privileges grant access to monitoring and management features in {{es}}. They also enable some {{stack-manage-app}} capabilities in your project. - -:::{image} ../../../images/serverless-custom-roles-cluster-privileges.png -:alt: Create a custom role and define {{es}} cluster privileges -:class: screenshot -::: - -Refer to [cluster privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-cluster) for a complete description of available options. - - -## {{es}} index privileges [custom-roles-es-index-privileges] - -Each role can grant access to multiple data indices, and each index can have a different set of privileges. Typically, you will grant the `read` and `view_index_metadata` privileges to each index that you expect your users to work with. For example, grant access to indices that match an `acme-marketing-*` pattern: - -:::{image} ../../../images/serverless-custom-roles-index-privileges.png -:alt: Create a custom role and define {{es}} index privileges -:class: screenshot -::: - -Refer to [index privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-indices) for a complete description of available options. - -Document-level and field-level security affords you even more granularity when it comes to granting access to your data. With document-level security (DLS), you can write an {{es}} query to describe which documents this role grants access to. With field-level security (FLS), you can instruct {{es}} to grant or deny access to specific fields within each document. 
- - -## {{kib}} privileges [custom-roles-kib-privileges] - -When you create a custom role, click **Add Kibana privilege** to grant access to specific features. The features that are available vary depending on the project type. For example, in {{es-serverless}}: - -:::{image} ../../../images/serverless-custom-roles-kibana-privileges.png -:alt: Create a custom role and define {{kib}} privileges -:class: screenshot -::: - -Open the **Spaces** selection control to specify whether to grant the role access to all spaces or one or more individual spaces. When using the **Customize by feature*** option, you can choose either ***All***, ***Read** or **None** for access to each feature. - -All -: Grants full read-write access. - -Read -: Grants read-only access. - -None -: Does not grant any access. - -Some features have finer access control and you can optionally enable sub-feature privileges. - -::::{admonition} New features -:class: note - -As new features are added to {{serverless-full}}, roles that use the custom option do not automatically get access to the new features. You must manually update the roles. - -:::: - - -After your roles are set up, the next step to securing access is to assign roles to your users. Click the **Assign roles** link to go to the **Members** tab of the **Organization** page. Learn more in [Assign user roles and privileges](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles). diff --git a/raw-migrated-files/docs-content/serverless/general-manage-organization.md b/raw-migrated-files/docs-content/serverless/general-manage-organization.md deleted file mode 100644 index 31bcfc0ac1..0000000000 --- a/raw-migrated-files/docs-content/serverless/general-manage-organization.md +++ /dev/null 
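Review bot: the removed `raw-migrated-files/docs-content/serverless/custom-roles.md` linked the organization and instance roles via `#general-assign-user-roles-organization-level-roles` and `#general-assign-user-roles-instance-access-roles`, which the replacement page changes to `#ec_organization_level_roles` and `#ec_instance_access_roles`; both id families are defined only in files this PR deletes, so whichever set the new page keeps must be present in `cloud-organization/user-roles.md`. The `serverless-custom-roles-ui.png` screenshot under the manage-custom-roles paragraph is dropped in the replacement without a corresponding image change, so note whether that is intended. The wording fixes carried into the new file (`**Customize by feature***` to `**Customize by feature**`, and "As an administrator, however, can create roles" to "As an administrator, you can also create roles") are correct.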
@@ -1,111 +0,0 @@ -# Manage users and roles [general-manage-organization] - -In this article, learn how to: - -* [Invite your team](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-manage-access-to-organization): Invite users in your organization to access serverless projects and specify their roles. -* [Assign user roles and privileges](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles): Assign predefined roles to users in your organization. -* [Join an organization from an existing Elastic Cloud account](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-join-organization-from-existing-cloud-account): Join a new organization and bring over your projects. -* [Leave an organization](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-leave-an-organization): Leave an organization. - - -## Invite your team [general-manage-access-to-organization] - -To allow other users to interact with your projects, you must invite them to join your organization and grant them access to your organization resources and instances. - -Alternatively, [configure {{ecloud}} SAML SSO](../../../deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) to enable your organization members to join the {{ecloud}} organization automatically. [preview] - -1. Go to the user icon on the header bar and select **Organization**. -2. On the **Members** page, click **Invite members**. -3. Enter the email addresses of the users you want to invite in the textbox. - - To add multiple members, enter the member email addresses, separated by a space. - - Grant access to all projects of the same type with a unique role, or select individual roles for specific projects. For more details about roles, refer to [Assign user roles and privileges](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles). - -4. Click **Send invites**. 
- - Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation before it expires. If the invite has expired, an admin can resend the invitation. - - -On the **Members** tab of the **Organization** page, view the list of current members, including status and role. - -In the **Actions** column, click the three dots to edit a member’s role or revoke the invite. - - -## Assign user roles and privileges [general-assign-user-roles] - -Within an organization, users can have one or more roles and each role grants specific privileges. - -You must assign user roles when you [invite users to join your organization](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-manage-access-to-organization). To subsequently edit the roles assigned to a user: - -1. Go to the user icon on the header bar and select **Organization**. -2. Find the user on the **Members** tab of the **Organization** page. Click the member name to view and edit its roles. - -There are two types of roles you can assign to users: - -* **Oranization-level roles:** These roles apply to the entire organization and are not specific to any serverless project or hosted deployment. -* **Instance access roles:** These roles are specific to each serverless project or hosted deployment. - - -### Organization-level roles [general-assign-user-roles-organization-level-roles] - -* **Organization owner**. Can manage all roles under the organization and has full access to all serverless projects, organization-level details, billing details, and subscription levels. This role is assigned by default to the person who created the organization. -* **Billing admin**. Has access to all invoices and payment methods. Can make subscription changes. - - -### Instance access roles [general-assign-user-roles-instance-access-roles] - -Each serverless project type has a set of predefined roles that you can assign to your organization members. 
To assign the predefined roles: - -* globally, for all projects of the same type ({{es-serverless}}, {{observability}}, or {{elastic-sec}}). In this case, the role will also apply to new projects created later. -* individually, for specific projects only. To do that, you have to set the **Role for all** field of that specific project type to **None**. - -For example, assign a user the developer role for a specific {{es-serverless}} project: - -:::{image} ../../../images/serverless-individual-role.png -:alt: Individual role -:class: screenshot -::: - -You can optionally [create custom roles in a project](../../../deploy-manage/users-roles/cloud-organization/user-roles.md). To assign a custom role to users, go to "Instance access roles" and select it from the list under the specific project it was created in. - -$$$general-assign-user-roles-table$$$ - -| Name | Description | Available | -| --- | --- | --- | -| Admin | Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. | [![Elasticsearch](../../../images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](../../../images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Developer | Creates API keys, indices, data streams, adds connectors, and builds visualizations. | [![Elasticsearch](../../../images/serverless-es-badge.svg "")](../../../solutions/search.md) | -| Viewer | Has read-only access to project details, data, and features. 
| [![Elasticsearch](../../../images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](../../../images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Editor | Configures all Observability or Security projects. Has read-only access to data indices. Has full access to all project features. | [![Observability](../../../images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Tier 1 analyst | Ideal for initial alert triage. General read access, can create dashboards and visualizations. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Tier 2 analyst | Ideal for alert triage and beginning the investigation process. Can create cases. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Tier 3 analyst | Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Threat intelligence analyst | Access to alerts, investigation tools, and intelligence pages. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Rule author | Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| SOC manager | Access to alerts, cases, investigation tools, endpoint policy management, and response actions. 
| [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Endpoint operations analyst | Access to endpoint response actions. Can manage endpoint policies, {{fleet}}, and integrations. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Platform engineer | Access to {{fleet}}, integrations, endpoints, and detection content. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Detections admin | All available detection engine permissions to include creating rule actions, such as notifications to third-party systems. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | -| Endpoint policy manager | Access to endpoint policy management and related artifacts. Can manage {{fleet}} and integrations. | [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) | - - -## Leave an organization [general-leave-an-organization] -% This section has been already added by @eedugon to the cloud-account section) - -On the **Organization** page, click **Leave organization**. - -If you’re the only user in the organization, you are able to leave only when you have deleted all projects and don’t have any pending bills. - - -## Join an organization from an existing Elastic Cloud account [general-join-organization-from-existing-cloud-account] -% This section has been already added by @eedugon to the cloud-account section) - -If you already belong to an organization, and you want to join a new one you will need to leave your existing organization. - -If you want to join a new organization, follow these steps: - -1. Make sure you do not have active projects or deployments before you leave your current organization. -2. 
Delete your projects and clear any bills. -3. Leave your current organization. -4. Ask the administrator to invite you to the organization you want to join. -5. Accept the invitation that you will get by email. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 32ed11807f..4dc414acb3 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -134,7 +134,6 @@ toc: - file: cloud/cloud/ec-activity-page.md - file: cloud/cloud/ec-add-user-settings.md - file: cloud/cloud/ec-api-deployment-other.md - - file: cloud/cloud/ec-api-organizations.md - file: cloud/cloud/ec-autoscaling.md - file: cloud/cloud/ec-billing-stop.md - file: cloud/cloud/ec-cloud-ingest-data.md @@ -158,7 +157,6 @@ toc: - file: cloud/cloud/ec-getting-started-trial.md - file: cloud/cloud/ec-getting-started.md - file: cloud/cloud/ec-ingest-guides.md - - file: cloud/cloud/ec-invite-users.md - file: cloud/cloud/ec-maintenance-mode-routing.md - file: cloud/cloud/ec-manage-apm-settings.md - file: cloud/cloud/ec-manage-appsearch-settings.md @@ -193,7 +191,6 @@ toc: - file: cloud/cloud/ec-traffic-filtering-vnet.md - file: cloud/cloud/ec-traffic-filtering-vpc.md - file: cloud/cloud/ec-upgrade-deployment.md - - file: cloud/cloud/ec-user-privileges.md - file: cloud/cloud/ec-working-with-elasticsearch.md - file: docs-content/serverless/index.md children: @@ -205,7 +202,6 @@ toc: - file: docs-content/serverless/collect-data-with-aws-firehose.md - file: docs-content/serverless/connect-to-byo-llm.md - file: docs-content/serverless/cspm-required-permissions.md - - file: docs-content/serverless/custom-roles.md - file: docs-content/serverless/detections-logsdb-index-mode-impact.md - file: docs-content/serverless/elasticsearch-clients.md - file: docs-content/serverless/elasticsearch-dev-tools.md 
@@ -216,7 +212,6 @@ toc: - file: docs-content/serverless/elasticsearch-ingest-data-through-api.md - file: docs-content/serverless/elasticsearch-manage-project.md - file: docs-content/serverless/general-billing-stop-project.md - - file: docs-content/serverless/general-manage-organization.md - file: docs-content/serverless/general-ml-nlp-auto-scale.md - file: docs-content/serverless/general-serverless-status.md - file: docs-content/serverless/general-sign-up-trial.md diff --git a/troubleshoot/observability/troubleshoot-logs.md b/troubleshoot/observability/troubleshoot-logs.md index 24b1767afc..a538d37778 100644 --- a/troubleshoot/observability/troubleshoot-logs.md +++ b/troubleshoot/observability/troubleshoot-logs.md @@ -34,7 +34,7 @@ You need permission to manage API keys You need to either: -* Ask an administrator to update your user role to at least **Developer** by going to the user icon on the header bar and opening **Organization** → **Members**. Read more about user roles in [Assign user roles and privileges](../../raw-migrated-files/docs-content/serverless/general-manage-organization.md#general-assign-user-roles). After your use role is updated, restart the onboarding flow. +* Ask an administrator to update your user role to at least **Developer** by going to the user icon on the header bar and opening **Organization** → **Members**. Read more about user roles in [](/deploy-manage/users-roles/cloud-organization/user-roles.md). After your use role is updated, restart the onboarding flow. * Get an API key from an administrator and manually add the API to the {{agent}} configuration. See [Configure the {{agent}}](../../raw-migrated-files/docs-content/serverless/observability-stream-log-files.md#observability-stream-log-files-step-3-configure-the-agent) for more on manually updating the configuration and adding the API key. ::::
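Review bot: in the users-roles.md hunk, the removed predefined roles table (Admin through Endpoint policy manager) and its `$$$general-assign-user-roles-table$$$` anchor have no destination visible in this diff, unlike the `## Leave an organization` and `## Join an organization from an existing Elastic Cloud account` sections, whose `%` comments say @eedugon already moved them to the cloud-account section. Before dropping the table, confirm it now lives in `users-roles/cloud-organization/user-roles.md` (or wherever the roles reference landed), and search for inbound links to the three removed anchors (`general-assign-user-roles-table`, `general-leave-an-organization`, `general-join-organization-from-existing-cloud-account`) so they are retargeted rather than left dangling.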
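Review bot: in the raw-migrated-files/toc.yml hunk at `@@ -134,7 +133,6 @@`, `cloud/cloud/ec-api-organizations.md` is removed from the toc but no deletion of that file and no redirect appear in the patch; the same applies to the `ec-invite-users.md` and `ec-user-privileges.md` entries removed in the two hunks below it. Either delete the files in the same change or add redirects to their migrated equivalents, otherwise the pages stay in the source tree as orphans that are no longer reachable from navigation but may still be linked from elsewhere.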
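Review bot: in the `@@ -205,7 +202,6 @@` hunk, `docs-content/serverless/custom-roles.md` is dropped from the raw-migrated toc, but no file deletion or redirect for it appears alongside this hunk. Confirm the custom roles content has been migrated to its new location under `users-roles/` before removing the entry, and check for remaining links to `serverless/custom-roles.md` that need updating.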
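Review bot: in the `@@ -216,7 +212,6 @@` hunk, removing `docs-content/serverless/general-manage-organization.md` from the toc orphans the `#general-assign-user-roles` anchor that troubleshoot-logs.md used to point at; that one link is fixed in this patch, but any other page linking to the same file or anchor is not. Search the repo for references to `general-manage-organization.md` and add a redirect from the old page to `/deploy-manage/users-roles/cloud-organization/user-roles.md` so existing external links to the mapped page keep resolving.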
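Review bot: in the troubleshoot-logs.md hunk, the rewritten bullet still reads "After your use role is updated"; since the line is being touched anyway, fix it to "After your user role is updated". The new link uses the empty-text form `[](/deploy-manage/users-roles/cloud-organization/user-roles.md)`, which relies on the build filling in the target page's title, so make sure that page has a title the resolver can use; the second bullet still links into `../../raw-migrated-files/docs-content/serverless/observability-stream-log-files.md`, so note whether that page is being migrated separately or will need the same treatment.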