elastic · shainaraskas · Feb 5, 2025 · Feb 5, 2025 · Feb 5, 2025 · Feb 14, 2025
@@ -607,6 +607,14 @@ toc:
           - file: security/fips-140-2.md
   - file: users-roles.md
     children:
+      - file: users-roles/cloud-organization.md
+        children:
+          - file: users-roles/cloud-organization/manage-users.md
+          - file: users-roles/cloud-organization/user-roles.md
+          - file: users-roles/cloud-organization/configure-saml-authentication.md
+            children:
+              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md
+              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md
       - file: users-roles/cloud-enterprise-orchestrator.md
         children:
           - file: users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md
@@ -617,14 +625,7 @@ toc:
               - file: users-roles/cloud-enterprise-orchestrator/ldap.md
               - file: users-roles/cloud-enterprise-orchestrator/saml.md
           - file: users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md
-      - file: users-roles/cloud-organization.md
-        children:
-          - file: users-roles/cloud-organization/manage-users.md
-          - file: users-roles/cloud-organization/user-roles.md
-          - file: users-roles/cloud-organization/configure-saml-authentication.md
-            children:
-              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-okta.md
-              - file: users-roles/cloud-organization/register-elastic-cloud-saml-in-microsoft-entra-id.md
+      - file: users-roles/custom-roles.md
       - file: users-roles/cluster-or-deployment-auth.md
         children:
           - file: users-roles/cluster-or-deployment-auth/quickstart.md
@@ -649,6 +650,7 @@ toc:
                   - file: users-roles/cluster-or-deployment-auth/pki.md
                   - file: users-roles/cluster-or-deployment-auth/custom.md
               - file: users-roles/cluster-or-deployment-auth/built-in-users.md
+              - file: users-roles/cluster-or-deployment-auth/kibana-authentication.md
               - file: users-roles/cluster-or-deployment-auth/user-profiles.md
               - file: users-roles/cluster-or-deployment-auth/access-agreement.md
               - file: users-roles/cluster-or-deployment-auth/anonymous-access.md

diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md
@@ -1,20 +1,125 @@
 ---
-navigation_title: "Access"
+navigation_title: "Users and roles"
 mapped_pages:
   - https://www.elastic.co/guide/en/serverless/current/project-settings-access.html
+applies:
+  serverless: all
+  hosted: all
+  ece: all
+  eck: all
+  stack: all
 ---
 
+# Manage users and roles
 
+To prevent unauthorized access to your Elastic resources, you need a way to identify users and validate that a user is who they claim to be (*authentication*), and control what data users can access and what tasks they can perform (*authorization*).
 
-# Manage users and roles [project-settings-access]
+The methods that you use to authenticate users and control access depends on the way Elastic is deployed. 
 
+::::{note}
+Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following:
+
+* Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md). 
+* Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-endpoints.md), as well as [encrypting your data at rest](/deploy-manage/security/encrypt-deployment.md).
+* Maintain an [audit trail](/deploy-manage/monitor/logging-configuration/security-event-audit-logging.md) for security-related events.
+* Control access to dashboards and other saved objects in your UI using [Spaces](/deploy-manage/manage-spaces.md). 
+* Connect your cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable cross-cluster replication and search.
+* Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic.
+::::
 
-Go to **Project settings**, then ** Management** to manage your indices, data views, saved objects, settings, and more. You can also open Management by using the [global search field](../explore-analyze/find-and-organize/find-apps-and-objects.md).
+## Cloud organization level
 
-Access to individual features is governed by Elastic user roles. Consult your administrator if you do not have the appropriate access. To learn more about roles, refer to [Assign user roles and privileges](users-roles/cloud-organization/manage-users.md#general-assign-user-roles).
+:::{applies}
+:hosted: all
+:serverless: all
+:::
 
-| Feature | Description | Available in |
-| --- | --- | --- |
-| [Organization members](api-keys/serverless-project-api-keys.md) | Invite and manage your team’s access to your organization. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Observability](../images/serverless-obs-badge.svg "")](../solutions/observability.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) |
-| [Project API keys](api-keys/serverless-project-api-keys.md) | Create and manage keys that can interact with your project’s data. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Observability](../images/serverless-obs-badge.svg "")](../solutions/observability.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) |
-| [Custom roles](users-roles/cloud-organization/user-roles.md) | Create and manage custom roles for your users. | [![Elasticsearch](../images/serverless-es-badge.svg "")](../solutions/search.md)[![Security](../images/serverless-sec-badge.svg "")](../solutions/security/elastic-security-serverless.md) |
+If you’re using {{ecloud}}, then you can perform the following tasks to control access to your Cloud organization, your Cloud Hosted deployments, and your Cloud Serverless projects:
+
+* [Invite users to join your organization](/deploy-manage/users-roles/cloud-organization/manage-users.md)
+* Assign [user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md): 
+  * Manage organization-level roles and high-level access to deployments and projects. 
+  * Assign project-level roles and [create custom roles](/deploy-manage/users-roles/custom-roles.md). ({{serverless-short}} only)
+* Configure [SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) for your organization
+
+::::{tip}
+For {{ech}} deployments, you can configure SSO at the organization level, the deployment level, or both. Refer to [Cloud organization users](/deploy-manage/users-roles/cloud-organization.md#organization-deployment-sso) for more information.
+::::
+
+{{ech}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md). Cluster-level auth features are not available for {{serverless-full}}.
+
+## Orchestrator level
+
+:::{applies}
+:ece: all
+:::
+
+Control access to your {{ece}} [orchestrator](/deploy-manage/deploy/cloud-enterprise/deploy-an-orchestrator.md) and deployments. 
+
+* [Manage system passwords](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md)
+* [Manage orchestrator users and roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md):
+  * [Using native users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/native-user-authentication.md)
+  * By integrating with external authentication providers:
+    * [Active Directory](/deploy-manage/users-roles/cloud-enterprise-orchestrator/active-directory.md)
+    * [LDAP](/deploy-manage/users-roles/cloud-enterprise-orchestrator/ldap.md)
+    * [SAML](/deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md)
+* [Configure single sign-on to deployments](/deploy-manage/users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md) for orchestrator users
+
+  ::::{tip}
+  For {{ece}} deployments, you can configure SSO at the orchestrator level, the deployment level, or both.
+  ::::
+
+{{ece}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
+
+## Project level
+
+:::{applies}
+:serverless: all
+:::
+
+As an extension of the [predefined instance access roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_instance_access_roles) offered for {{serverless-short}} projects, you can create custom roles at the project level to provide more granular control, and provide users with only the access they need within specific projects.
+
+[Learn more about custom roles for {{serverless-full}} projects](/deploy-manage/users-roles/custom-roles.md).
+
+## Cluster or deployment level
+
+:::{applies}
+:ece: all
+:hosted: all
+:eck: all
+:stack: all
+:::
+
+Set up authentication and authorization at the cluster or deployment level, and learn about the underlying security technologies that Elasticsearch uses to authenticate and authorize requests internally and across services.
+
+### User authentication
+
+Set up methods to identify users to the Elasticsearch cluster.
+
+Key tasks for managing user authentication include:
+
+* [Managing default users](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md)
+* [Managing users natively](/deploy-manage/users-roles/cluster-or-deployment-auth/native.md)
+* [Integrating with external authentication providers](/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md)
+
+You can also learn the basics of Elasticsearch authentication, learn about accounts used to communicate within an Elasticsearch cluster and across services, and perform advanced tasks.
+
+[View all user authentication docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication.md)
+
+### User authorization
+
+After a user is authenticated, use role-based access control to determine whether the user behind an incoming request is allowed to execute the request.
+
+Key tasks for managing user authorization include: 
+
+* Assigning [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or [defining your own](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md)
+* [Mapping users and groups to roles](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md)
+* [Setting up field- and document-level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md)
+
+You can also learn the basics of Elasticsearch authorization, and perform advanced tasks.
+
+::::{tip}
+User roles are also used to control access to [spaces](/deploy-manage/manage-spaces.md).
+:::: 
+
+[View all user authorization docs](/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md)
@@ -0,0 +1,20 @@
+ldap
+:   Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. See [LDAP user authentication](ldap.md).
+
+active_directory
+:   Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. See [Active Directory user authentication](active-directory.md).
+
+pki
+:   Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. See [PKI user authentication](pki.md).
+
+saml
+:   Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. See [SAML authentication](saml.md).
+
+kerberos
+:   Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. See [Kerberos authentication](kerberos.md).
+
+oidc
+:   Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. See [Configuring single sign-on to the {{stack}} using OpenID Connect](openid-connect.md).
+
+jwt
+:   Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. See [JWT authentication](jwt.md).
@@ -0,0 +1,5 @@
+native
+:   Users are stored in a dedicated {{es}} index. This realm supports an authentication token in the form of username and password, and is available by default when no realms are explicitly configured. Users are managed through {{kib}}, or using [user management APIs](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-security). See [Native user authentication](native.md).
+
+file
+:   Users are defined in files stored on each node in the {{es}} cluster. This realm supports an authentication token in the form of username and password and is always available. See [File-based user authentication](file-based.md).
diff --git a/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md b/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md
@@ -0,0 +1,14 @@
+For {{ech}} deployments, you can configure SSO at the [organization level](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md), the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md), or both. 
+
+The option that you choose depends on your requirements:
+
+| Consideration | Organization-level | Deployment-level |
+| --- | --- | --- |
+| **Management experience** | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually |
+| **Authentication protocols** | SAML only | Multiple protocols, including LDAP, OIDC, and SAML |
+| **Role mapping** | [Organization-level roles and instance access roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), Serverless project [custom roles](https://docs.elastic.co/serverless/custom-roles.md) | [Built-in](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) and [custom](../../../deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) stack-level roles |
+| **User experience** | Users interact with Cloud | Users interact with the deployment directly |
+
+If you want to avoid exposing users to the {{ecloud}} Console, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly.
+
+In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment.
diff --git a/deploy-manage/users-roles/cloud-enterprise-orchestrator.md b/deploy-manage/users-roles/cloud-enterprise-orchestrator.md
@@ -1,5 +1,24 @@
+---
+navigation_title: "ECE orchestrator"
+applies:
+  ece: all
+---
+
 # Elastic Cloud Enterprise orchestrator users
 
-% What needs to be done: Write from scratch
+Control access to your {{ece}} [orchestrator](/deploy-manage/deploy/cloud-enterprise/deploy-an-orchestrator.md) and deployments. 
+
+* [Manage system passwords](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-system-passwords.md)
+* [Manage orchestrator users and roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md):
+  * [Using native users](/deploy-manage/users-roles/cloud-enterprise-orchestrator/native-user-authentication.md)
+  * By integrating with external authentication providers:
+    * [Active Directory](/deploy-manage/users-roles/cloud-enterprise-orchestrator/active-directory.md)
+    * [LDAP](/deploy-manage/users-roles/cloud-enterprise-orchestrator/ldap.md)
+    * [SAML](/deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md)
+* [Configure single sign-on to deployments](/deploy-manage/users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md) for orchestrator users
+
+  ::::{tip}
+  For {{ece}} deployments, you can configure SSO at the orchestrator level, the deployment level, or both.
+  ::::
 
-% GitHub issue: https://github.com/elastic/docs-projects/issues/347
+{{ece}} deployments can also use [cluster-level authentication and authorization](/deploy-manage/users-roles/cluster-or-deployment-auth.md).