fix(iam): members - MTA-5495 (#4395)

Author: ldecarvalho-doc

macros/iam/login-member.mdx

@@ -0,0 +1,37 @@
+---
+macro: login-member
+---
+
+If you were added to a Scaleway Organization as an [IAM member](/iam/concepts#members), the login process is different.
+
+<Message type="important">
+  Login via [Single Sign-On (SSO)](/account/concepts/#single-sign-on-sso) is currently not available for members.
+</Message>
+
+1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
+2. Click the **Log in as an IAM Member**.
+3. Enter the Organization ID and click **Continue**.
+    <Message type="important">
+      When you are added to an Organization as a member, a Scaleway account is automatically created for you. An Organization administrator must provide a username, email and Organization ID for you to log in.
+    </Message>
+4. Enter the username given to you by your Organization's Owner or administrator.
+5. Select an authentication method between **Send code** and **Enter password**.
+    <Tabs id="create-account">
+      <TabsTab label="Email code">
+      1. Click **Send code** to receive a login code in your email.
+      2. Enter the code you received in your email.
+          <Message type="tip">
+            If you did not receive the email you can follow these steps, in order:
+              - Make sure you check your spam folder
+              - Click **Resend email**
+              - Contact an Organization administrator to make sure your information was correctly registered
+              - If none of the actions above work, ask an administrator to [contact the support](/account/how-to/open-a-support-ticket/#writing-an-effective-subject-and-description)
+          </Message>
+      3. Click **Continue**.
+      </TabsTab>
+      <TabsTab label="Password">
+      1. Click **Enter password**.
+      2. Type your password in the box.
+      3. Click **Continue**.
+      </TabsTab>
+    </Tabs>

menu/navigation.json

@@ -52,10 +52,6 @@
                     "label": "Configure support plans",
                     "slug": "configure-support-plans"
                   },
-                  {
-                    "label": "Enforce multifactor authentication",
-                    "slug": "enforce-mfa"
-                  },
                   {
                     "label": "Use multifactor authentication",
                     "slug": "use-2fa"
@@ -279,6 +275,10 @@
                     "label": "Generate an SSH key",
                     "slug": "create-ssh-key"
                   },
+                  {
+                    "label": "Enforce multifactor authentication",
+                    "slug": "enforce-mfa"
+                  },
                   {
                     "label": "Add resources to a Project",
                     "slug": "add-resources-project"
@@ -336,24 +336,20 @@
               {
                 "items": [
                   {
-                    "label": "Invite a user to an Organization",
+                    "label": "Invite a Guest to an Organization",
                     "slug": "invite-user-to-orga"
                   },
                   {
                     "label": "Accept an invitation to an Organization",
                     "slug": "accept-invitation-to-orga"
                   },
                   {
-                    "label": "Manage users",
-                    "slug": "manage-users"
-                  },
-                  {
-                    "label": "Create an application",
-                    "slug": "create-application"
+                    "label": "Log in as a Member",
+                    "slug": "log-in-as-a-member"
                   },
                   {
-                    "label": "Manage applications",
-                    "slug": "manage-applications"
+                    "label": "Comply with security requirements as a Member",
+                    "slug": "comply-with-sec-requirements-member"
                   },
                   {
                     "label": "Create API keys",
@@ -363,6 +359,26 @@
                     "label": "Manage API keys",
                     "slug": "manage-api-keys"
                   },
+                  {
+                    "label": "Manage users",
+                    "slug": "manage-users"
+                  },
+                  {
+                    "label": "Manage Members",
+                    "slug": "manage-members"
+                  },
+                  {
+                    "label": "Enforce security requirements for Members",
+                    "slug": "enforce-security-requirements-members"
+                  },
+                  {
+                    "label": "Create an application",
+                    "slug": "create-application"
+                  },
+                  {
+                    "label": "Manage applications",
+                    "slug": "manage-applications"
+                  },
                   {
                     "label": "Create a group",
                     "slug": "create-group"

pages/account/concepts.mdx

@@ -50,6 +50,10 @@ Multifactor authentication (MFA) is any form of verification that requires two f
 
 A password is a string of characters associated to your account's email address that allows you to access the [Scaleway console](https://console.scaleway.com/). It is personal and must not be shared with anyone. Alternatively, you can use a [magic link](#magic-link) to authenticate yourself.
 
+## Single Sign-on (SSO)
+
+Single Sign-On (SSO) allows you to use your Google or Microsoft account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Microsoft account.
+
 ## Support plan
 
 Scaleway provides four different types of [support plans](https://console.scaleway.com/support/plans): Basic, Silver, Gold and Platinum. Your support plan determines the level of service and dedicated assistance you have access to, and the guaranteed response time of your support requests. You can [configure your support plan in the console](/account/how-to/configure-support-plans/).

pages/account/how-to/log-in-to-the-console.mdx

@@ -7,7 +7,7 @@ content:
   paragraph: Steps to log in to the Scaleway console.
 tags: account login password access magic-link magic link SSO
 dates:
-  validation: 2024-12-05 
+  validation: 2024-12-05
   posted: 2024-06-11
 categories:
   - console
@@ -17,7 +17,7 @@ categories:
 
 - A [Scaleway](https://www.scaleway.com/en/) account
 
-## Log in to the console with a Magic Link
+## How to log in with a Magic Link
 
 Instead of using your password, you can use a **Magic Link** to authenticate yourself when you log into the Scaleway console. This provides quick and secure access to your account without the hassle of remembering your password. When you choose to sign in with Magic Link, you receive a unique link sent directly to your email inbox which you can use one time only to authenticate your login. Afterward, it automatically becomes invalid.
 
@@ -36,11 +36,29 @@ A confirmation email is sent to your inbox, confirming that you have authenticat
   The Magic Link becomes invalid as soon as you have used it. If you log out from the console and want to log in again without your password, you will need to request a new magic link by repeating the steps above.
 </Message>
 
-## Log in to the console with SSO
+## How to log in with SSO
 
 Scaleway provides Single Sign-On (SSO) options for a seamless login experience. You can use your Google or Microsoft account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Microsoft account.
 
 1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
-2. Click the **Log in with Google** , **Log in with Microsoft**, or **Log in with GitHub** button, depending on the account you want to use.
+2. Click the **Log in with Google**, **Log in with Microsoft**, or **Log in with GitHub** button, depending on the account you want to use.
 3. You will be redirected to the respective login page of Google, Microsoft or GitHub.
-4. If multifactor authentication (MFA) is activated, enter the authentication code. 
+4. If multifactor authentication (MFA) is activated, enter the authentication code.
+
+## Log in as an IAM member
+
+<Macro id="login-member" />
+
+## How to log in using MFA
+
+If [Multifactor Authentication (MFA)](/account/how-to/use-2fa) is enabled on your account, MFA authentication will be an additional step for all methods of log in described on this page.
+
+If the login information provided in any of the previous methods is valid, you will be redirected the Multifactor Authentication screen.
+
+1. Enter a valid two-factor token or backup key.
+    <Message type="note">
+      This is the the token provided in your MFA app.
+    </Message>
+2. Click **Log in**.
+
+If the code is correct, you are redirected to the Organization dashboard.

pages/account/how-to/use-2fa.mdx

@@ -32,8 +32,10 @@ Download the app of your choice and install it onto your smartphone.
 
 ## How to enable MFA
 
-1. Access the [Security](https://console.scaleway.com/account/security) tab of your **User Account** page.
-  Alternatively, click your Organization name on the top-right corner of the console navigation menu, click **Profile**, then **Security**.
+1. Click your Organization name on the top-right corner of the console navigation menu, click **Profile**, then **Security**.
+    <Message type="important">
+      If you are logged in as an [IAM Member](/iam/concepts/#member), Click **Profile**, then **Credentials** and scroll down to the **Multifactor authentication** section.
+    </Message>
 2. Click **Enable MFA**, in the **Multifactor authentication** section. A pop-up displays.
 3. Enter the code shown on the pop-up into your MFA app, or scan the QR code into your app.
   Your app sets up MFA for your Scaleway account and displays a 6-digit code.
@@ -69,7 +71,7 @@ If you no longer have access to the device in which you set up your MFA, you can
 ## How to disable MFA
 
 <Message type="important">
-  You cannot disable MFA if you are a member of one or more Organizations where MFA is enforced. If you wish to disable MFA, you must first leave these Organizations. If you do not know which of your Organizations enforce MFA, follow the procedure below until step 2. The Organizations will be listed in the **Disable MFA** pop-up.
+  You cannot disable MFA if you are a Member of one or more Organizations where MFA is enforced. If you wish to disable MFA, you must first leave these Organizations. If you do not know which of your Organizations enforce MFA, follow the procedure below until step 2. The Organizations will be listed in the **Disable MFA** pop-up.
 </Message>
 
 1. Access the [Security](https://console.scaleway.com/account/security) tab of your **User Account** page.

pages/iam/concepts.mdx

@@ -40,6 +40,10 @@ The Common Expression Language (CEL) is used to define expressions in [condition
 
 A condition is an additional layer of restrictions for your rule. You can allow access to specific user agents or IP addresses, and allow actions to be performed only at certain dates and times. Conditions are defined through [CEL](#common-expression-language-cel) expressions, and can be set up and configured in the Scaleway console. Refer to the [Understanding policy conditions](/iam/reference-content/understanding-policy-conditions) documentation page to learn how they are set up and how you can define them.
 
+## Grace period
+
+The grace period is the time an [IAM Member](#members) has to comply with the security requirements that are enforced in your Organization before their account is automatically locked. The accounts can be manually unlocked by an Owner or IAM Manager. Upon regaining access, the grace period resets, giving IAM Members another chance to meet security requirements.
+
 ## Group
 
 A group (also known as an IAM group) is a grouping of [users](#user) and/or [applications](#application). Creating groups allows you to attach [policies](#policy) to multiple users and/or applications at the same time.
@@ -62,6 +66,12 @@ Similarly, you may participate as a Guest in someone else's Organization, where
 
 You can also create non-human users in your Organization, called [IAM applications](#application), in order to give applications programmatic access to your Scaleway resources.
 
+## Member
+
+You are a Member when you are added to an Organization by an Owner or user with IAM Manager permissions. Members exist only within the specific Organizations in which they are created. This is one of the methods employed at Scaleway to allow Organizations to have multi-users. Members fufill the same purpose as Guest, while ensuring the security of the Organization.
+
+As a Member you are subject to [complying with the security requirements](/iam/how-to/comply-with-sec-requirements-member) in effect in your Organization.
+
 ## Organization
 
 An Organization is made of one or several [Projects](#project). When you create your Scaleway account, an Organization is automatically created, of which you are the Owner. When you create [IAM rules](#rule), you can set their scope at Organization level.
@@ -79,8 +89,6 @@ The Organization ID identifies the [Organization](#organization) created with yo
 
 You are the [Owner](#owner) of the Organization that is created with your Scaleway account. Owners have full rights and access to all resources and features in their Organization. See also [Guest](#guest).
 
-<Lightbox src="scaleway-iam-owners-guests.webp" alt="" />
-
 ## Permission
 
 A permission is a granular right, which is checked to determine whether to give access to an API endpoint. Permissions are grouped into [permission sets](#permission-set) to facilitate access management within [policies](#policy).
@@ -158,7 +166,7 @@ Keep in mind that:
 A user (also known as an IAM user) is a human user in an Organization. They can be of two types:
 - **Owner**: You are the Owner of the [Organization](#organization) that was created with your account.
 - **Guest**: You are a Guest when invited to another Organization of which you are not the Owner. Similarly, you can invite other users to be Guests in your Organization.
+- **Member**: You are a Member when you are added to an Organization by an Owner or user with IAM Manager permissions. Members exist only within the specific Organizations in which they are created.
 
 Within each Organization, different IAM users can have different rights (defined through [policies](#policy)) to perform actions on resources.
 
-<Lightbox src="scaleway-iam-owners-guests.webp" alt="" />

pages/iam/how-to/accept-invitation-to-orga.mdx

@@ -10,7 +10,7 @@ dates:
   posted: 2022-06-20
 ---
 
-When you [create a Scaleway account](/account/how-to/create-an-account/), an Organization is automatically created, of which you are the [Owner](/iam/concepts/#owner). If you are invited to someone else's Organization, you will simultaneously be the Owner of your own Organization and a guest in the other Organization, where you will have the rights and permissions granted to you via [policies](/iam/concepts/#policy).
+When you [create a Scaleway account](/account/how-to/create-an-account/), an Organization is automatically created, of which you are the [Owner](/iam/concepts/#owner). If you are invited to someone else's Organization, you will simultaneously be the Owner of your own Organization and a Guest in the other Organization, where you will have the rights and permissions granted to you via [policies](/iam/concepts/#policy).
 
 <Lightbox src="scaleway-iam-owners-guests.webp" alt="" />
 
@@ -22,7 +22,9 @@ When you [create a Scaleway account](/account/how-to/create-an-account/), an Org
 When someone invites you to join their Organization, you receive an email to inform you.
 
 <Message type="important">
-  If the Organization you were invited to [enforces MFA](/account/how-to/enforce-mfa/), make sure you have [activated MFA](/account/how-to/use-2fa/) before accepting the invitation.
+  Keep in mind that:
+  - The procedure described on this page applies only to [IAM Guests](/iam/concepts/#guest)
+  - If the Organization you were invited to [enforces MFA](/organizations-and-projects/how-to/enforce-mfa/), make sure you have [activated MFA](/account/how-to/use-2fa/) before accepting the invitation.
 </Message>
 
 ## If you already have a Scaleway account