Merge pull request #231 from nginx/internal/user-account-docs-feedback

docs: integrate feedback

Author: agong07

content/nginxaas-google/getting-started/manage-users-accounts.md

@@ -14,21 +14,20 @@ This document explains how to manage users and accounts in F5 NGINXaaS for Googl
 
 Before you start, ensure you understand the following concepts:
 
-- **NGINXaaS Account**: Represents a Google Cloud procurement with an active Marketplace NGINXaaS subscription, linked to a billing account. To create an account, see the signup documentation in [prerequisites]({{< ref "/nginxaas-google/getting-started/prerequisites.md" >}}).
-- **User**: A user is anyone who has access to an NGINXaaS Account through their Google Identity. The same Google Identity can be added to multiple NGINXaaS Accounts, but it is treated as a different user in each account.
-- **Authorized Domains**: The list of Google Identity domains (for example, "example.com") allowed to access an NGINXaaS Account using Google authentication.
-   - By default, an NGINXaaS Account has an empty authorized domains field, which means that anyone can log in to the account, if added as a user.
-   - Configuring this field allows you to control which organizations (based on their email domains) are allowed to log in to the NGINXaaS Account. This restricts access to only users from trusted companies or groups, and prevents unauthorized domains from accessing resources in the account.
-   - When updating authorized domains, you cannot make an update if it would prevent any existing user from logging in. This ensures that no current users are accidentally locked out of the account.
+- **NGINXaaS Account**: An NGINXaaS Account is created when you subscribe to *F5 NGINXaaS for Google Cloud* via the Google Cloud Marketplace, as described in [prerequisites]({{< ref "/nginxaas-google/getting-started/prerequisites.md" >}}). You may create multiple NGINXaaS Accounts by signing up with different billing accounts.
+- **User**: NGINXaaS Users are granted access to all resources in the NGINXaaS Account. User authentication is performed securely via Google Cloud, requiring a matching identity. Individuals can be added as users to multiple NGINXaaS Accounts, and can switch between them using the steps documented below.
+- **Authorized Domains**: The list of domains allowed to authenticate into the NGINXaaS Account using Google authentication.
+   - This can be used to restrict access to Google identities within your Google Cloud Organization or Google Workspace, or other known, trusted Workspaces. For example, your Google Cloud Organization may have users created under the `example.com` domain. By setting the Authorized Domains in your NGINXaaS Account to only allow `example.com`, users attempting to log in with the same email associated with `alternative.net` Google Workspace would not be authenticated.
+   - By default, an NGINXaaS Account has an empty authorized domains list, which accepts matching users from any Google Workspace.
 
 ## Add or edit a user
 
-An existing NGINXaaS Account user can additional users following these steps:
+An existing NGINXaaS Account user can add additional users following these steps:
 
 1. Access the [NGINXaaS Console](https://console.nginxaas.net/).
 1. Log in to the console with your Google credentials.
 1. Navigate to **Users** page on the left menu, then select **Add User**.
-1. Enter the **Name** and **Email** for the user to be added.
+1. Enter the **Name** and **Email** for the user to be added. The email must match the individual's Google User to be able to authenticate successfully.
 1. Select **Create User** to save the changes.
 
 The new user will appear in the list of users on the **Users** page. Their **Google Identity Domain** will remain empty until they log in for the first time.
@@ -37,8 +36,7 @@ The new user will appear in the list of users on the **Users** page. Their **Goo
 
 1. Select **Users** under the **Settings** section on the left menu.
 1. Select the ellipsis (three dots) menu for the user you want to update.
-1. Select **Edit**.
-1. Update the user details; currently only the username can be changed.
+1. Select **Edit** and update the user details.
 1. Select **Update** to confirm the changes.
 
 ## Modify account settings
@@ -54,6 +52,8 @@ As an authenticated user, you may modify the authorized domains and name of an N
 1. To remove an existing authorized domain, select the Recycle Bin button next to it.
 1. Select **Update** to save changes.
 
+{{< call-out "note" >}}You cannot remove an authorized domain from the list if it matches an existing user's Google Identity Domain. To remove access from that domain you must first delete every NGINXaaS user that is associated with the domain.{{< /call-out >}}
+
 ### Modify the name of an accoun
 
 1. Select **Account Details** under the **Settings** section on the left menu.

content/nginxaas-google/glossary.md

@@ -18,8 +18,8 @@ This document provides definitions for terms and acronyms commonly used in F5 NG
 | Network attachment       | A Google Cloud resource that enables a VM instance to connect to a VPC network. [More information](https://cloud.google.com/vpc/docs/about-network-attachments).   |
 | VPC network              | A Virtual Private Cloud (VPC) network is a virtual version of a physical network, implemented within Google Cloud. It provides networking functionality for your Google Cloud resources. [More information](https://cloud.google.com/vpc/docs/vpc). |
 | NGINXaas Account        | Represents a Google Cloud procurement with an active Marketplace NGINXaaS subscription, linked to a billing account. To create an account, see the signup documentation in [prerequisites]({{< ref "/nginxaas-google/getting-started/prerequisites.md" >}}). |
-| User | A user is anyone who has access to an NGINXaaS Account through their Google Identity. The same Google Identity can be added to multiple NGINXaaS Accounts, but it is treated as a different user in each account. |
-| Authorized Domains | The list of Google Identity domains (for example, "example.com") allowed to access an NGINXaaS Account using Google authentication. <br> - By default, an NGINXaaS Account has an empty authorized domains field, which means that anyone can log in to the account, if added as a user. <br> - Configuring this field allows you to control which organizations (based on their email domains) are allowed to log in to the NGINXaaS Account. This restricts access to only users from trusted companies or groups, and prevents unauthorized domains from accessing resources in the account. <br> - When updating authorized domains, you cannot make an update if it would prevent any existing user from logging in. This ensures that no current users are accidentally locked out of the account. |
+| NGINXaaS User | NGINXaaS Users are granted access to all resources in the NGINXaaS Account. User authentication is performed securely via Google Cloud, requiring a matching identity. Individuals can be added as users to multiple NGINXaaS Accounts, and can switch between them using the steps documented below. |
+| Authorized Domains |  The list of domains allowed to authenticate into the NGINXaaS Account using Google authentication. <br>- This can be used to restrict access to Google identities within your Google Cloud Organization or Google Workspace, or other known, trusted Workspaces. For example, your Google Cloud Organization may have users created under the `example.com` domain. By setting the Authorized Domains in your NGINXaaS Account to only allow `example.com`, users attempting to log in with the same email associated with `alternative.net` Google Workspace would not be authenticated. |
 
 
 {{</table>}}