Update and clarify NGINX One RBAC docs

tstraley · tstraley · commit f9e3620c866d · 2025-03-11T18:07:04.000-06:00
diff --git a/content/nginx-one/rbac/rbac-api.md b/content/nginx-one/rbac/rbac-api.md
@@ -7,15 +7,15 @@ product: NGINX One
 docs: DOCS-000
 ---
 
-Beyond [Default roles]({{< relref "/nginx-one/rbac/roles.md" >}}), you may need to set up custom roles. For convenience, we include a list of API groups that you could use to specify permissions for custom roles.
+Beyond the [Default roles]({{< relref "/nginx-one/rbac/roles.md" >}}) for NGINX One Console access, there may be cases where creating [custom roles](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles#custom-roles) with more precisely defined access is desired. For this use-case, we include a list of API groups that can be used to specify permissions for custom roles with more granular access controls to NGINX One Console APIs.
 
-These are not NGINX One APIs.
+Custom roles can be assigned to users or service accounts, and associated with specific namespaces, facilitating the principle of least privilege across your tenant.
 
 ## F5 API groups for NGINX One
 
-The following table lists the **[F5 XC roles](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that you can use. These are narrowly scoped API Groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs.
+The following table lists the available API groups that you can use to construct a Role. These are narrowly scoped API groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs.
 
-{{< note >}}If you create custom roles using the more granular API Groups, users may not have access until you add the corresponding API Groups to their roles.{{< /note >}}
+{{< note >}}If you create custom roles using these API groups, users may not have access to all capabilities of the browser web portal.{{< /note >}}
 
 | API Group Name                          | Level of Access | Description                                                                                                                   |
 |-----------------------------------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------|
@@ -27,7 +27,7 @@ The following table lists the **[F5 XC roles](https://docs.cloud.f5.com/docs-v2/
 | f5xc-nginx-one-custom-all-instances-manage          | Write           | View and delete all Instances.                                                                                                |
 | f5xc-nginx-one-custom-instance-manage               | Write           | View and edit Instance details.                                                                        |
 | f5xc-nginx-one-custom-instance-read                 | Read            | View Instance and configuration details.                                                                        |
-| f5xc-nginx-one-custom-certificate-manage            | Write           | View TSL/SSL certificate details. Create, update, and delete any managed certificates.                                    |
+| f5xc-nginx-one-custom-certificate-manage            | Write           | View TLS/SSL certificate details. Create, update, and delete any managed certificates.                                    |
 | f5xc-nginx-one-custom-certificate-read              | Read            | View TLS/SSL certificates.                                                                                    |
 | f5xc-nginx-one-custom-all-certificates-manage       | Write           | View all TLS/SSL certificates. Delete managed certificates.                                               |
 | f5xc-nginx-one-custom-data-plane-key-manage         | Write           | View, create, update, and delete any Data Plane Keys. Note: The actual Data Plane Key is shown _only_ when created. |
diff --git a/content/nginx-one/rbac/roles.md b/content/nginx-one/rbac/roles.md
@@ -13,13 +13,13 @@ We provide three default **[roles](https://docs.cloud.f5.com/docs-v2/administrat
 
 ### Admin
 
-The Admin role, identified as <code>f5xc-nginx-one-admin</code>, provides full read and write access to all endpoints and features within the NGINX One Console.
+The Admin role, identified as `f5xc-nginx-one-admin`, provides full read and write access to all endpoints and features within the NGINX One Console and related services.
 
 ### User
 
-Our standard User role, listed as <code>f5xc-nginx-one-user</code> in the role list, provides read and write access to all endpoints and features, save for those considered to be administrator level. An example of an administrator level feature would be **[Instance Settings](https://docs.nginx.com/nginx-one/how-to/nginx-configs/clean-up-unavailable-instances/)** where unavailable instance clean up logic is set.
+Our standard User role, listed as `f5xc-nginx-one-user` in the role list, provides read and write access to all endpoints and features, save for those considered to be administrator level. An example of an administrator level feature would be **[Instance Settings](https://docs.nginx.com/nginx-one/how-to/nginx-configs/clean-up-unavailable-instances/)** where unavailable instance clean up logic is set.
 
 ### Monitor
 
-Our read only or Monitor role, <code>f5xc-nginx-one-monitor</code>, grants read only access to all non-administrator features and endpoints within the NGINX One Console.
+Our read only or Monitor role, `f5xc-nginx-one-monitor`, grants read only access to all non-administrator features and endpoints within the NGINX One Console.
 
