pr review comments

Author: phil198

modules/ROOT/pages/authentication-authorization/manage-users.adoc

@@ -309,7 +309,6 @@ SET AUTH [PROVIDER] 'provider' "{"
 a|
 Modifies the settings for an existing user.
 At least one `SET` or `REMOVE` clause is required.
-`SET` and `REMOVE` clauses cannot be combined in the same command.
 
 For more information, see xref:authentication-authorization/manage-users.adoc#access-control-alter-users[Modifying users].
 
@@ -641,16 +640,16 @@ With `ENCRYPTED`, the password string is expected to be in the format of `<encry
 *** `0` is the first version and refers to the `SHA-256` cryptographic hash function with iterations `1`.
 *** `1` is the second version and refers to the `SHA-256` cryptographic hash function with iterations `1024`.
 * If the optional `SET PASSWORD CHANGE [NOT] REQUIRED` is omitted, the default is `CHANGE REQUIRED`.
-The `SET PASSWORD` part is only optional if it directly follows the `SET PASSWORD` clause.
+* The `SET PASSWORD` prefix of the `CHANGE [NOT] REQUIRED` clause is only optional if it directly follows the `SET PASSWORD 'password'` clause and is not part of a `SET AUTH` clause.
 * The default for `SET STATUS` is `ACTIVE`.
 * `SET HOME DATABASE` can be used to configure a home database for a user.
 A home database will be resolved if it is either pointing to a database or a database alias.
 If no home database is set, the DBMS default database is used as the home database for the user.
-* The `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET STATUS`, and `SET HOME DATABASE` clauses can be applied in any order.
 [role=label--new-5.24]
 * One or more `SET AUTH` clauses can be used to set xref:authentication-authorization/auth-providers.adoc[Auth Providers], which define authentication / authorization providers for the user. This might be used to configure external auth providers like LDAP or OIDC, but can also be used as an alternative way to set the native (password-based) auth settings like `SET PASSWORD` and `SET PASSWORD CHANGE REQUIRED`.
 Examples can be found below for `native`, xref:authentication-authorization/sso-integration.adoc#auth-sso-auth-providers[here] for OIDC and xref:authentication-authorization/ldap-integration.adoc#auth-ldap-auth-providers[here] for LDAP.
 * It is mandatory to specify at least either a `SET PASSWORD` or a `SET AUTH` clause because users must have at least one Auth Provider.
+* The `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET STATUS`, `SET AUTH`, and `SET HOME DATABASE` clauses can be applied in any order.
 
 [NOTE]
 ====
@@ -713,7 +712,7 @@ SET AUTH 'native' {
 
 [NOTE, role=label--enterprise-edition]
 ====
-The `SET STATUS {ACTIVE | SUSPENDED}`, `SET HOME DATABASE` and `SET AUTH` parts of the commands are only available in Neo4j Enterprise Edition.
+The `SET STATUS {ACTIVE | SUSPENDED}`, `SET HOME DATABASE` parts of the commands are only available in Neo4j Enterprise Edition. The `{SET | REMOVE} AUTH` clause for external providers is only available in Neo4j Enterprise Edition. `{SET | REMOVE} AUTH 'native'` can be used in Neo4j Community Edition.
 ====
 
 The `CREATE USER` command is optionally idempotent, with the default behavior to throw an exception if the user already exists.
@@ -838,9 +837,6 @@ SET AUTH [PROVIDER] 'provider' "{"
 ----
 
 * At least one `SET` or `REMOVE` clause is required for the command.
-* `SET` and `REMOVE` clauses cannot be combined in the same command.
-* The `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET STATUS`, and `SET HOME DATABASE` clauses can be applied in any order.
-The `SET PASSWORD` clause must come first, if used.
 * For `SET PASSWORD`:
 ** The `password` can either be a string value or a string parameter.
 ** All passwords are encrypted (hashed) when stored in the Neo4j `system` database.
@@ -854,8 +850,7 @@ With `ENCRYPTED`, the password string is expected to be in the format of `<encry
 *** `0` is the first version and refers to the `SHA-256` cryptographic hash function with iterations `1`.
 *** `1` is the second version and refers to the `SHA-256` cryptographic hash function with iterations `1024`.
 * If the optional `SET PASSWORD CHANGE [NOT] REQUIRED` is omitted, the default is `CHANGE REQUIRED`.
-The `SET PASSWORD` part is only optional if it directly follows the `SET PASSWORD` clause.
-* For `SET PASSWORD CHANGE [NOT] REQUIRED`, the `SET PASSWORD` is only optional if it directly follows the `SET PASSWORD` clause.
+* The `SET PASSWORD` prefix of the `CHANGE [NOT] REQUIRED` clause is only optional if it directly follows the `SET PASSWORD 'password'` clause and is not part of a `SET AUTH` clause.
 * `SET HOME DATABASE` can be used to configure a home database for a user.
 A home database will be resolved if it is either pointing to a database or a database alias.
 If no home database is set, the DBMS default database is used as the home database for the user.
@@ -870,6 +865,7 @@ This results in the DBMS default database being used as the home database for th
 [role=label--new-5.24]
 * `REMOVE AUTH` is used to remove one or many xref:authentication-authorization/auth-providers.adoc[Auth Provider(s)] from a user. It cannot be used in a way that would mean a user has no Auth Providers.
 * `REMOVE ALL AUTH` is used to remove all existing xref:authentication-authorization/auth-providers.adoc[Auth Providers] from a user. It must be used in conjunction with at least one `SET AUTH` clause in order to meet the requirement that a user always has at least one auth provider.
+* The `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET STATUS`, `SET AUTH`, and `SET HOME DATABASE` clauses can be applied in any order.
 
 
 .Modify the user `bob` with a new password and active status, and remove the requirement to change his password:
@@ -934,7 +930,7 @@ For example, leaving out the `CHANGE [NOT] REQUIRED` part of the query will leav
 
 [NOTE, role=label--enterprise-edition]
 ====
-The `SET STATUS {ACTIVE | SUSPENDED}`, `SET HOME DATABASE`, `REMOVE HOME DATABASE`, `SET AUTH` and `REMOVE AUTH` parts of the command are only available in Neo4j Enterprise Edition.
+The `SET STATUS {ACTIVE | SUSPENDED}`, `SET HOME DATABASE`, `REMOVE HOME DATABASE` parts of the command are only available in Neo4j Enterprise Edition.  The `{SET | REMOVE} AUTH` clause for external providers is only available in Neo4j Enterprise Edition. `{SET | REMOVE} AUTH 'native'` can be used in Neo4j Community Edition.
 ====
 
 The changes to the user will appear on the list provided by `SHOW USERS`:

modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc

@@ -329,7 +329,7 @@ dbms.security.oidc.azure.claims.groups=roles
 [role=label--new-5.24]
 . (Optional). If you want to mandate that users exist in the database in order to authenticate and authorize, you can use xref:authentication-authorization/auth-providers.adoc[Auth Providers] to achieve this.
 Set the `dbms.security.require_local_user` configuration setting to `true` in the _neo4j.conf_ file to enable this mode.
-For example to create a user `jake` who can authenticate and authorize using Entra, you can use the following Cypher query:
+For example to create a user `jake` who can authenticate and authorize using Azure, you can use the following Cypher query:
 [source, cypher, role=noplay]
 ----
 CREATE USER jake
@@ -418,7 +418,7 @@ GRANT ROLE reader TO jake
 
 The user will implicitly receive `native` authorization because `native` is in the list of authorization providers and you have explicitly granted the user a role.
 
-Once you have set up your users in this way, you can now disable native authentication for the database completely:
+Once you have set up your users in this way, you can disable native authentication for the database completely (this will prevent all users, including the admin, from logging in with a username and password):
 
 [source, properties]
 ----