
Commit 8a68203

Remove usage of grant and privileges for Console roles, clarify wording
1 parent 0f4917b commit 8a68203


11 files changed

+40
-38
lines changed

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
1-
The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role grants permissions to create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders.
1+
The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role allows users to create, rename, move, delete, and manage access to folders where they are assigned the role. Users can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be assigned at the level of the organization or on a specific folder. If assigned at the level of the organization, the role allows users to view all users and service accounts in the organization. If assigned to a specific folder, the role is inherited by descendant folders.
22

3-
A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can grant themselves, another user, or a service account the Folder Admin role.
3+
A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can assign themselves, another user, or a service account the Folder Admin role.
44

55
To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Admin](#cluster-admin) or [Cluster Creator](#cluster-creator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Admin role is required on the cluster directly or by inheritance.
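Review bot: the rewrite of line 1 narrows the subject to "users" ("allows users to create ...", "Users can also edit folder labels"), but line 3 of the same file states that the Folder Admin role can also be assigned to a service account, so a service account holding the role is no longer covered by the description; "users and service accounts", or a neutral "role holders", would keep the two sentences consistent. The new verb list "create, rename, move, delete, and manage access to folders" is otherwise a clear improvement over the old "create, rename, and move, or delete".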
Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
1-
The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role grants permissions to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}).
1+
The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role allows users to rename or move descendant folders, and move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}).
22

33
{{site.data.alerts.callout_info}}
44
A cluster cannot be renamed.
55
{{site.data.alerts.end}}
66

7-
A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin) or [Folder Admin](#folder-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role.
7+
A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin) or [Folder Admin](#folder-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can assign another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to assign themselves the Folder Mover role.
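Review bot: the Cluster Operator link at the end of line 1 is malformed in both the old and the new version: its closing parenthesis sits outside the Liquid conditional (`#cluster-operator{% endif %})`), so the `authorization.md` branch renders a stray `)` after `(#cluster-operator)` while the other branch depends on that trailing `)` to close its link; move the `)` inside the `{% else %}` branch. The two branches also name different roles (Cluster Creator in the first, Cluster Admin in the second) for the same sentence about roles that allow connecting to the cluster; since the line is being touched anyway, make the branches agree.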

src/current/cockroachcloud/authorization.md

Lines changed: 20 additions & 18 deletions
@@ -21,54 +21,56 @@ In CockroachDB {{ site.data.products.cloud }}, an organization corresponds to an
2121

2222
CockroachDB {{ site.data.products.cloud }} has a hierarchical authorization model, where roles can be assigned at different scopes:
2323

24-
1. Organization: A CockroachDB {{ site.data.products.cloud }} organization assigns privileges based on [roles](#organization-user-roles) assigned to a {{ site.data.products.cloud }} Console user account, which allow these accounts to perform administrative tasks relating to the management of clusters, Console user management, SQL user management, and billing.
25-
1. Folder: {{ site.data.products.cloud }} Console [roles](#organization-user-roles) can be assigned to a folder containing a group of clusters. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendent resources.
24+
1. Organization: A CockroachDB {{ site.data.products.cloud }} organization assigns permissions based on [roles](#organization-user-roles) assigned to a {{ site.data.products.cloud }} Console user account, which allow these accounts to perform administrative tasks relating to the management of clusters, Console user management, SQL user management, and billing.
25+
1. Folder: {{ site.data.products.cloud }} Console [roles](#organization-user-roles) can be assigned to a folder containing a group of clusters. Role inheritance is transitive; a role applied with the organization or folder scope is inherited by descendent resources.
2626

2727
{{site.data.alerts.callout_success}}
2828
Organizing clusters using folders is available in [Preview]({% link {{site.current_cloud_version}}/cockroachdb-feature-availability.md %}#feature-availability-phases). To learn more, refer to [Organize {{ site.data.products.db }} Clusters Using Folders]({% link cockroachcloud/folders.md %}).
2929
{{site.data.alerts.end}}
3030

31-
1. Cluster: Each CockroachDB cluster defines its own set of [SQL users]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#create-and-manage-users) and [roles]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#roles) which manage permission to execute SQL statements on the cluster.
31+
1. Cluster: Each CockroachDB cluster defines its own set of [SQL users]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#create-and-manage-users) and SQL user [roles]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#roles) which manage permission to execute SQL statements on the cluster.
3232

3333
The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function.
3434

35-
SQL users are assigned a separate set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and privileges described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %})
35+
{{site.data.alerts.callout_info}}
36+
SQL users are assigned a distinct set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and privileges described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %})
37+
{{site.data.alerts.end}}
3638

3739
## Organization user roles
3840

39-
When a user or service account is first added to an organization, they are granted the default role, **Org Member**, which grants no permission and only indicates membership in the organization. Org or Cluster Admins may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider.
41+
When a user or service account is first added to an organization, they are granted the default Console role, **Organization Member**, which adds no permissions and only indicates membership in the organization. Users with the Organization or Cluster Admin role may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} Console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider.
4042

4143
{% include_cached cockroachcloud/first-org-user-roles.md %}
4244

4345
To learn more, refer to [Manage organization users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users).
4446

4547
{% include_cached cockroachcloud/org-roles/cloud-roles-table.md %}
4648

47-
The following sections describe available CockroachDB {{ site.data.products.cloud }} roles in more detail:
49+
The following sections describe the available CockroachDB {{ site.data.products.cloud }} Console roles in more detail:
4850

4951
### Organization Member
5052

5153
The **Organization Member** role is assigned by default to all organization users when they are invited or provisioned. This role grants no additional permissions.
5254

5355
### Organization Admin
5456

55-
The **Organization Admin** role grants the following permissions:
57+
The **Organization Admin** role allows users to perform the following actions:
5658

5759
- [Invite users to join that organization]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization).
5860
- [Create service accounts]({% link cockroachcloud/managing-access.md %}#create-a-service-account).
59-
- Grant and revoke roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts).
61+
- Grant and revoke {{ site.data.products.cloud }} Console roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts).
6062

6163
Organization Admins automatically receive [email alerts]({% link cockroachcloud/alerts-page.md %}) about planned cluster maintenance and when CockroachDB {{ site.data.products.cloud }} detects that a cluster is overloaded or experiencing issues. In addition, Organization Admins can subscribe other members to the email alerts, and configure how alerts work for the organization.
6264

6365
This role can be assigned only at the organization scope.
6466

6567
### Billing Coordinator
6668

67-
The **Billing Coordinator** role grants permissions to [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview).
69+
The **Billing Coordinator** role allows users to [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview).
6870

6971
### Cluster Operator
7072

71-
The **Cluster Operator** role grants permissions that are dependent on whether it is assigned to a user or a service account.
73+
The **Cluster Operator** role allows actions that are dependent on whether it is assigned to a user or a service account.
7274

7375
- *Users* with this role can perform the following *console operations*:
7476
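Review bot: the callout introduced at lines 35-37 still reads "Console roles and privileges described on this page", which is exactly the wording this commit sets out to remove, and the sentence has no terminal period in either version; suggest "Console roles described on this page" with a period. Line 61 likewise keeps "Grant and revoke ... Console roles" where the rest of the diff switches to "assign"; "Assign and remove" would match. Line 25 spells "descendent" where the Folder Admin text uses "descendant", and "a role applied with the organization or folder scope" reads better as "a role assigned at the organization or folder scope".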

@@ -100,17 +102,17 @@ The **Cluster Operator** role grants permissions that are dependent on whether i
100102
- [View and configure a cluster's Egress Rules]({% link cockroachcloud/egress-perimeter-controls.md %}).
101103
- [Configure the export of metrics to DataDog or Amazon CloudWatch]({% link cockroachcloud/export-metrics.md %}).
102104

103-
This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it grants all of the permissions of that role, except that it does **not** allow users to:
105+
This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it grants all of the permissions of that role but does **not** allow users to:
104106

105107
- Manage cluster-scoped roles on organization users.
106108
- Manage SQL users from the cloud console.
107109
- Create or delete a cluster.
108110

109-
This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
111+
This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, the role is inherited on the folder's clusters, descendent folders, and their descendants.
110112

111113
### Cluster Admin
112114

113-
The **Cluster Admin** role grants all of the [Cluster Operator](#cluster-operator) permissions, as well as the following:
115+
The **Cluster Admin** role allows users to perform all [Cluster Operator](#cluster-operator) actions, as well as the following:
114116

115117
- [Provision SQL users for a cluster using the console]({% link cockroachcloud/managing-access.md %}#create-a-sql-user).
116118
- [Create Service Accounts]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role).
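Review bot: line 105 still says "it grants all of the permissions of that role", the phrasing the commit removes elsewhere; "it allows all of the actions of that role" would be consistent with the rewritten Cluster Admin line ("allows users to perform all Cluster Operator actions"). Line 111 keeps the "descendent folders" misspelling ("descendant").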
@@ -120,19 +122,19 @@ The **Cluster Admin** role grants all of the [Cluster Operator](#cluster-operato
120122
- Access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console).
121123
- Configure a cluster's [maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window).
122124

123-
This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
125+
This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
124126

125127
### Cluster Creator
126128

127-
The **Cluster Creator** role grants permissions to create clusters in an organization. A cluster's creator is automatically granted the [Cluster Admin](#cluster-admin) role for that cluster upon creation.
129+
The **Cluster Creator** role allows users to create clusters in an organization. A cluster's creator is automatically assigned the [Cluster Admin](#cluster-admin) role for that cluster upon creation.
128130

129-
This role can be granted at the scope of the organization or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
131+
This role can be assigned at the scope of the organization or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
130132

131133
### Cluster Developer
132134

133-
The **Cluster Developer** role grants permissions to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster.
135+
The **Cluster Developer** role allows users view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster.
134136

135-
This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
137+
This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
136138

137139
### Folder Admin
138140
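Review bot: line 135 drops the "to" ("allows users view cluster details"); it should read "allows users to view cluster details". Lines 125, 131 and 137 all keep "descendent folders", which should be "descendant" as used in the Folder Admin text.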

src/current/v23.1/security-reference/authorization.md

Lines changed: 2 additions & 2 deletions
@@ -7,9 +7,9 @@ docs_area: reference.security
77

88
Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.).
99

10-
This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations.
10+
This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations.
1111

12-
Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model)
12+
Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model)
1313

1414
## Authorization models
1515
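Review bot: line 10 now contains the sentence "This page describes authorization of SQL users on particular [CockroachDB database clusters](...)" twice in a row; delete the second copy and keep only the intended change, the added "Console" qualifier in the following sentence. Line 12 lacks a terminal period in both the old and the new version.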
