Merge pull request #19985 from newrelic/update-user-management-concepts

docs(update): updates to user management concepts

src/content/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-concepts.mdx

@@ -84,8 +84,8 @@ Users and groups are located within an [authentication domain](/docs/accounts/ac
 
 We have two default user groups:
 
-* <DNT>**User**</DNT>: A user in this group can use and configure our observability and monitoring features but **not** perform account-level tasks like managing billing or managing other users. It has access to the [<DNT>**All product admin**</DNT>](#standard-roles) role, which grants control over all observability platform tools, but doesn't have any [administration settings](/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-concepts#admin-settings), which grant access to the higher level account and user management capabilities.
-* <DNT>**Admin**</DNT>: has the [<DNT>**All product admin**</DNT> role](#standard-roles) and in addition has all available [administration settings](/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-concepts#admin-settings). As a result, this group has access to all features, including the higher-level admin features.
+* <DNT>**User**</DNT>: A user in this group can use and configure our observability and monitoring features but **not** perform account-level tasks like managing billing or managing other users. It has access to the [<DNT>**All product admin**</DNT>](#standard-roles) role, which grants control over all observability platform tools, and the [administrative setting](/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-concepts#admin-settings) <strong>Org Product Admin</strong>. It does not have access to any other administrative settings that grant access to the higher level account and user management capabilities.
+* <DNT>**Admin**</DNT>: has the [<DNT>**All product admin**</DNT> role](#standard-roles) and in addition has all available [administrative settings](/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-concepts#admin-settings). As a result, this group has access to all features, including the higher-level admin features.
 
 To edit the group a user is in, you can go to either the <DNT>**Access management**</DNT> UI and edit a group, or go to the <DNT>**User management**</DNT> UI and edit the user.
 
@@ -97,13 +97,13 @@ Important points about roles:
 
 * Roles are additive: users with multiple roles assigned have the total of all permissions granted by those roles. For example, if you're in a group that gives you the `All product admin` role in an account, and in another group that gives you a `Read only` role for the same account, you have both roles, and are not restricted by the `Read only` role.
 * A user's access is based on the access granted to them by their user type and their permissions ([learn more](/docs/accounts/accounts-billing/new-relic-one-user-management/user-type#user-type-and-roles)).
-* Roles govern observability platform features, while access to organization- and user-related admin settings are governed by [administration settings](/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-concepts#admin-settings).
+* Roles govern observability platform features, while access to organization- and user-related admin settings are governed by [administrative settings](/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-concepts#admin-settings).
 
 To view roles and their permissions, go to the [<DNT>**Access management**</DNT> UI](/docs/accounts/accounts-billing/new-relic-one-user-management/user-management-ui-and-tasks#where) and click <DNT>**Roles**</DNT>.
 
 ### Our standard (default) roles [#standard-roles]
 
-We have several <DNT>**standard roles**</DNT>, which are roles that are available by default and that satisfy some common user management use cases.
+We have several account-scoped <DNT>**standard roles**</DNT>, which are roles that are available by default and that satisfy some common user management use cases.
 
 <Callout variant="important">
   Note that some of our standard roles have permissions that we don't expose and that aren't available for adding to a custom role. The only standard roles that can be replicated with a custom role are <DNT>**Standard user**</DNT> and <DNT>**Read only**</DNT>; all others have some non-exposed permissions.
@@ -137,7 +137,7 @@ Here's a table with our standard roles. To better understand these roles, go to
       </td>
 
       <td>
-        This role includes all New Relic platform permissions <DNT>**except**</DNT> the ability to manage organization-level settings, users, and billing. It's an admin role in the sense that it allows the configuration of our platform features (for example, the ability to configure <InlinePopover type="apm"/> settings), but it doesn't provide organization-level admin permissions (those require [the administration settings](#admin-settings)).
+        This role includes all New Relic platform permissions <DNT>**except**</DNT> the ability to manage organization-level settings, users, and billing. It's an admin role in the sense that it allows the configuration of our platform features (for example, the ability to configure <InlinePopover type="apm"/> settings), but it doesn't provide organization-level admin permissions (those require [the administrative settings](#admin-settings)).
 
         This role is essentially the <DNT>**Standard user**</DNT> role, below, with the added ability to configure observability features.
       </td>
@@ -185,20 +185,20 @@ Here's a table with our standard roles. To better understand these roles, go to
 
 For more about how you'd assign roles to groups and create custom roles, see the [user management tutorial](/docs/accounts/accounts-billing/new-relic-one-user-management/tutorial-add-new-user-groups-roles-new-relic-one-user-model).
 
-### Administration settings [#admin-settings]
+### Administrative settings [#admin-settings]
 
-You can add various <DNT>**Administration settings**</DNT> to a group. Basic users will not be able to use these settings.
+You can add various <DNT>**Administrative settings**</DNT> to a group, which are roles scoped to your organization. Basic users will not be able to use these settings.
 
 Settings include:
 
-* <DNT>**Organization settings**</DNT>: Permissions related to organization settings, including adding accounts, and changing the name of the organization and accounts.
-* <DNT>**Authentication domain settings**</DNT>: Permissions related to adding and managing users, including configuring authentication domains and customizing groups and roles. Options within this include:
+* <DNT>**Organization manager**</DNT>: Permissions related to organization settings, including adding accounts, and changing the name of the organization and accounts. This also includes sensitive observability tasks, such as deleting certain entities.
+* <DNT>**Authentication domain manager**</DNT>: Permissions related to adding and managing users, including configuring authentication domains and customizing groups and roles. Options within this include:
   * <DNT>**Manage**</DNT>: Can manage all aspects of authentication domains, including configuring domains and adding users.
   * <DNT>**Read only**</DNT>: Can view authentication domain and user information.
   * <DNT>**Add users**</DNT>: Can view user information, and add users to the organization, but lacks other auth domain configuration and mgmt abilities.
   * <DNT>**Read users**</DNT>: Can only view user information.
 * <DNT>**Billing**</DNT>: Lets a user view and manage billing and usage, and data retention. For organizations with multiple accounts, billing is aggregated in the <DNT>**reporting account**</DNT> (usually the first account created in an organization).
-
+* <DNT>**Organization Product Admin**</DNT>: Permissions related to organization-scoped observability features. It's an admin role in the sense that it allows the configuration of our platform features. This is the organization-scoped equivalent to <strong>All Product Admin</strong>.
 ### Group admin [#group-admin]
 
 You can add a <DNT>**Group admin**</DNT> role to a group. This role gives the group the ability to add and remove users for one or more groups you select.