gravitational · stevenGravy · Oct 17, 2025 · Oct 13, 2025 · Oct 14, 2025 · Oct 17, 2025
diff --git a/docs/pages/reference/architecture/architecture.mdx b/docs/pages/reference/architecture/architecture.mdx
@@ -64,7 +64,7 @@ Administrators can **enroll** infrastructure resources with a Teleport cluster
 to provide secure access, RBAC, and auditing. There are three ways to enroll
 infrastructure resources with a Teleport cluster:
 
-- **Teleport Agents** proxy traffic from human users to and from
+- **Teleport Agents** proxy traffic from users to and from
   Teleport-protected infrastructure resources.
 - **Machine ID Bots** receive short-lived credentials from the `tbot` binary so
   service accounts can access infrastructure.
@@ -74,7 +74,7 @@ infrastructure resources with a Teleport cluster:
 
 ### Teleport Agents
 
-Teleport Agents proxy traffic from users to resources in your infrastructure.
+Teleport Agents proxy traffic from users, human or machine, to resources in your infrastructure.
 Agents are instances of the `teleport` binary configured to run certain
 services, e.g., the Teleport SSH Service and Teleport Kubernetes Service, and
 administrators deploy Agents on their own infrastructure.

diff --git a/docs/pages/zero-trust-access/management/admin/users.mdx b/docs/pages/zero-trust-access/management/admin/users.mdx
@@ -30,11 +30,13 @@ A Teleport administrator creates Teleport user accounts and maps them to the rol
 
 Let's look at this table:
 
-| Teleport User | Allowed OS Logins | Description |
+| Teleport User | SSH Logins | Description |
 | - | - | - |
-| `joe` | `joe`, `root` | Teleport user `joe` can log in to member Nodes as user `joe` or `root` on the OS. |
-| `bob` | `bob` | Teleport user `bob` can log in to member Nodes only as OS user `bob`. |
-| `kim` | | If no OS login is specified, it defaults to the same name as the Teleport user, `kim`. |
+| `joe` | `joe`, `root` | Teleport user `joe` can log in as user `joe` or `root` on SSH servers. |
+| `bob` | `bob` | Teleport user `bob` can log in as user `bob` on SSH servers. |
+| `kim` | | Teleport user 'kim' has no designated SSH logins.  |
+
+SSH logins are some of the user traits available in Teleport roles. For all supported traits, see the reference for [`tctl users add`](../../../reference/cli/tctl.mdx#tctl-users-add).
 
 Let's add a new user to Teleport using the `tctl` tool:
 
@@ -65,10 +67,9 @@ NOTE: Make sure <proxy_host>:443 points at a Teleport proxy which users can acce
 The user completes registration by visiting this URL in their web browser,
 picking a password, and configuring multi-factor authentication. If the
 credentials are correct, the Teleport Auth Service generates and signs a new
-certificate, and the client stores this key and will use it for subsequent
-logins.
+user certificate.
 
-The key will automatically expire after 12 hours by default, after which
+The certificate will automatically expire after 12 hours by default, after which
 the user will need to log back in with their credentials. This TTL can be
 configured to a different value.
 
@@ -77,11 +78,11 @@ Once authenticated, the account will become visible via `tctl`:
 ```code
 $ tctl users ls
 
-# User           Allowed Logins
+# User           Roles
 # ----           --------------
-# admin          admin,root
-# kim            kim
-# joe            joe,root
+# admin          editor
+# kim            access
+# joe            access,editor
 ```
 
 ## Editing users