Add table describing cloud console roles #19758

Open
wants to merge 6 commits into
base: main
@@ -1,7 +1,7 @@
You can use the [CockroachDB Cloud API]({% link cockroachcloud/cloud-api.md %}) to [view](#get-information-on-backup-settings) and [modify](#modify-backup-settings-on-a-cluster) managed backup settings.

{{site.data.alerts.callout_info}}
The [service account]({% link cockroachcloud/authorization.md %}#service-accounts) associated with the secret key must have the [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) role.
The [service account]({% link cockroachcloud/authorization.md %}#service-accounts) associated with the secret key must have the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role.
{{site.data.alerts.end}}

### Get information on backup settings
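
Review bot: the link fragment in the callout changes from `#cluster-administrator` to `#cluster-admin`, and none of the hunks shown here touch the heading in `cockroachcloud/authorization.md` that produces that anchor. Confirm the heading is renamed in the same PR, because `{% link %}` only validates the file path and a stale fragment will not fail the build. Consider keeping an explicit anchor for the old fragment as well, since the advisory later in this diff reaches these fragments through absolute `https://www.cockroachlabs.com/docs/...` URLs.
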
@@ -1 +1 @@
Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) role on a pre-existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster.
Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role on a pre-existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster.
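
Review bot: the changed line still links Cluster Creator through a hard-coded `authorization.html#cluster-creator`, while the two links before it on the same line use `{% link cockroachcloud/authorization.md %}`. Since the line is being edited anyway, change it to `[Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator)` so all three role links in this include resolve the same way.
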
@@ -1,3 +1,3 @@
{{site.data.alerts.callout_info}}
Only [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) and [Cluster Administrators]({% link cockroachcloud/authorization.md %}#cluster-administrator) can create SQL users and issue credentials.
Only [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) and [Cluster Admins]({% link cockroachcloud/authorization.md %}#cluster-admin) can create SQL users and issue credentials.
{{site.data.alerts.end}}
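
Review bot: this callout says Organization Admins can create SQL users and issue credentials, but the role table added in this PR gives `Organization Admin` "Manage users and service accounts, grant and revoke roles" under User management and `None` under Database management, and "Manage SQL users" appears only in the `Cluster Admin` row. One of the two is wrong or incomplete. Because this decides who can issue database credentials, make the callout and the table agree before merging.
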
6 changes: 3 additions & 3 deletions src/current/_includes/cockroachcloud/first-org-user-roles.md
@@ -1,10 +1,10 @@
{{site.data.alerts.callout_info}}
The user who creates a new organization is assigned the following [roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) at the organization scope:

- [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator)
- [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin)
- [Billing Coordinator]({% link cockroachcloud/authorization.md %}#billing-coordinator)
- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator)
- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin)
- [Folder Administrator]({% link cockroachcloud/authorization.md %}#folder-admin)

Any of these roles may subsequently be removed by a user with both the Org Administrator role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles.
Any of these roles may subsequently be removed by a user with both the Organization Admin role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles.
{{site.data.alerts.end}}
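
Review bot: the list renames two of the admin roles but leaves `[Folder Administrator]` as the link text on the unchanged fourth item, although its anchor is `#folder-admin` and the rest of the PR calls the role Folder Admin. Rename that label here too. While this paragraph is being touched, the last sentence is worth tightening: requiring the remover to hold both roles does not by itself explain how "at least one user has both of these roles" is guaranteed, so state what happens when the last holder tries to remove their own role.
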
@@ -0,0 +1,23 @@
The following table describes the high level permissions granted to each CockroachDB {{ site.data.products.cloud }} user role. Permissions are additive, so a user with multiple roles that grant different permissions are granted the highest level privileges given by their assigned roles.

| **Role name** | **User management** | **Billing management** | **Cluster management** | **Database management** | **Monitoring & observability** | **Security & access** | **Backup & restore** | **Folder management** | **Other permissions** |
|---|---|---|---|---|---|---|---|---|---|
| `Organization Member` | None | None | None | None | None | None | None | None | None |
| `Organization Admin` | Manage users and service accounts, grant and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) |
| `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None |
| `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts |
| `Cluster Admin` | Manage SQL users, manage service accounts, grant user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is granted with organization scope | Access DB console, configure maintenance windows |
| `Cluster Creator` | None | None | Create cluster (grants `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is granted with organization scope | None | None, unless role is granted with organization scope | None |
| `Cluster Developer` | None | None | None | None | None | None | None | None | Access DB console, view cluster details |
| `Folder Admin` | Assign roles to folders | None | None | None | None | None | None | Create / delete / manage folders | None |
| `Folder Mover` | None | None | Move cluster between folders | None | None | None | None | None | None |

Some roles can be assigned to users at specific levels of scope to provide more granular permission control:

| **Scope level** | **Description** | **Applicable roles** |
|---|---|---|
| `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Admin`, `Cluster Creator`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` |
| `Folder` | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Creator`, `Cluster Admin`, `Folder Admin`, `Folder Mover` |
| `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` |

{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions granted, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %}
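
Review bot: in the permissions table the `Cluster Admin` row grants less than `Cluster Operator` in two columns: Monitoring & observability reads "View metrics / insights" against "View metrics / insights / logs / jobs", and Other permissions omits "send test alerts". If Cluster Admin is meant to cover everything Cluster Operator can do, fill those cells in; if not, say so explicitly, because readers will use this table to pick the least-privileged role. Smaller items in the same hunk: the intro should read "a user with multiple roles ... is granted" and "high-level"; "Manage Databases" and "Manage databases" differ in case; the `Folder Mover` row shows `None` under Folder management although the Folder Mover include in this PR says the role can rename or move descendant folders; and the closing link labelled "Organization user roles" points at `#organization-member`, where first-org-user-roles.md uses `#organization-user-roles`.
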
@@ -1,5 +1,5 @@
A {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} can create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders.
The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role allows users to create, rename, move, delete, and manage access to folders where they are assigned the role. Users can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be assigned at the level of the organization or on a specific folder. If assigned at the level of the organization, the role allows users to view all users and service accounts in the organization. If assigned to a specific folder, the role is inherited by descendant folders.

A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator){% endif %} role can grant themselves, another user, or a service account the Folder Admin role.
A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can assign themselves, another user, or a service account the Folder Admin role.

To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Administrator](#cluster-administrator) or [Cluster Creator](#cluster-creator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Administrator role is required on the cluster directly or by inheritance.
To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Admin](#cluster-admin) or [Cluster Creator](#cluster-creator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Admin role is required on the cluster directly or by inheritance.
@@ -1,7 +1,7 @@
A {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} can rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}).
The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role allows users to rename or move descendant folders, and move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}).

{{site.data.alerts.callout_info}}
A cluster cannot be renamed.
{{site.data.alerts.end}}

A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator) or [Folder Admin](#folder-admin){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role.
A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin) or [Folder Admin](#folder-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can assign another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to assign themselves the Folder Mover role.
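
Review bot: on the first changed line the two Liquid branches do not render the same sentence. The `authorization.md` branch names Cluster Creator and Cluster Operator while the `else` branch names Cluster Admin and Cluster Operator, and the closing `)` of the last link sits after `{% endif %}`, so the `authorization.md` branch renders with a stray `)` and the `else` branch depends on that character to close its link. Move the `)` inside the `else` branch and make both branches name the same pair of roles.
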
4 changes: 2 additions & 2 deletions src/current/advisories/c20230118.md
Expand Up @@ -31,13 +31,13 @@ All users assigned the Developer role in a CockroachDB Cloud organization will n

See [Role Options](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/alter-user#{% if site.current_cloud_version == "v22.1" %}parameters{% else %}role-options{% endif %}) for more information on these roles.

The users assigned the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-administrator) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role.
The users assigned the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role.

## Mitigation

A fix has been automatically applied to all CockroachDB Cloud organizations. With this change, the risk related to this issue, of the possibility of accessing data from any cluster in a cloud organization by users that have been assigned the Developer role, has been removed. This change follows the least privilege principle by ensuring that users with the lower-privilege Developer role only have the underlying SQL permissions applicable to their role level.

It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and grant the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-administrator) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration.
It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and grant the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration.

Admins should also ensure that when users access a cluster’s DB Console directly from the CockroachDB Cloud’s [Tools page](https://www.cockroachlabs.com/docs/cockroachcloud/tools-page#access-the-db-console), they authenticate with specific SQL users that have been assigned only the required SQL privileges within the cluster. See [Authorization (Self-Hosted)](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/authorization.html) and [Authorization in CockroachDB](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization) for more information.
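
Review bot: both changed links move the fragment to `#organization-admin` but keep the link text "org admin role", so the advisory now uses a name that matches neither the old "Org Administrator" nor the new "Organization Admin". If the advisory wording may change, use the new role name in the label; if it is frozen as published, say so in the PR description. The untouched `#org-developer-legacy` fragment on the last changed line should also be checked against the renamed headings.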

4 changes: 2 additions & 2 deletions src/current/cockroachcloud/alerts-page.md
Expand Up @@ -9,14 +9,14 @@ The **Alerts** page allows you to enable email alerts, send test alerts, and vie

{{site.data.alerts.callout_info}}

The **Alerts** page is applicable for CockroachDB {{ site.data.products.advanced }} clusters in your CockroachDB {{ site.data.products.cloud }} organization. For CockroachDB {{ site.data.products.standard }} and {{ site.data.products.basic }} clusters in your organization, all [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) automatically receive email alerts when your cluster reaches 50%, 75%, and 100% of your [resource limits]({% link {{site.current_cloud_version}}/architecture/glossary.md %}#resource-limits).
The **Alerts** page is applicable for CockroachDB {{ site.data.products.advanced }} clusters in your CockroachDB {{ site.data.products.cloud }} organization. For CockroachDB {{ site.data.products.standard }} and {{ site.data.products.basic }} clusters in your organization, all [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) automatically receive email alerts when your cluster reaches 50%, 75%, and 100% of your [resource limits]({% link {{site.current_cloud_version}}/architecture/glossary.md %}#resource-limits).
{{site.data.alerts.end}}

## Automatic alerts

### Cluster Maintenance

[Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) receive email alerts when:
[Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) receive email alerts when:

- A cluster is scheduled for an automatic [patch version upgrade]({% link cockroachcloud/upgrade-policy.md %}#patch-version-upgrades) and again after the upgrade is complete.
- When a cluster is scheduled for [maintenance]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) that could temporarily impact the cluster's performance.