add restrictions

Author: Charlie-Boyer

docs/hub/enterprise-hub-advanced-sso.md

@@ -19,3 +19,16 @@ Beyond gating access to specific organizational content, Advanced SSO can be con
 
 This feature is particularly beneficial for organizations requiring a higher degree of control, security, and automation in managing their users on Hugging Face.
 
+## Limitations on Managed User Accounts
+
+<Tip warning={true}>
+**Important Considerations for Managed Accounts:**
+</Tip>
+
+To ensure organizational control and data governance, user accounts provisioned and managed via Advanced SSO ("managed user accounts") have specific limitations:
+
+*   **No Public Content Creation**: Managed user accounts cannot create public content on the Hugging Face platform. This includes, but is not limited to, public models, datasets, or Spaces. All content created by these accounts is restricted to within your organization or private visibility.
+*   **No External Collaboration**: Managed user accounts are restricted from collaborating outside of your Hugging Face organization. This means they cannot, for example, join other organizations, contribute to repositories outside their own organization, or engage in public discussions/comments on content not owned by their organization.
+
+These restrictions are in place to maintain the integrity and security boundaries defined by your enterprise. If members of your organization require the ability to create public content or collaborate more broadly on the Hugging Face platform, they will need to do so using a separate, personal Hugging Face account that is not managed by your organization's Advanced SSO.
+