diff --git a/docs/pages/product/workspace/access-control.mdx b/docs/pages/product/workspace/access-control.mdx
index 92e96785ae6c5..ef06077aa6e96 100644
--- a/docs/pages/product/workspace/access-control.mdx
+++ b/docs/pages/product/workspace/access-control.mdx
@@ -1,12 +1,7 @@
----
-redirect_from:
- - /cloud/access-control/
----
-
# Access Control
-As an account administrator, you can define roles with specific permissions for
-resources and apply those roles to users within the account.
+As a Cube Cloud account administrator, you can define roles with specific permissions
+for Cube Cloud resources and apply those roles to users within the account.
@@ -15,25 +10,59 @@ Access control is available in Cube Cloud on
-## List all roles
+You can [manage accounts](#managing-accounts) as an account administrator,
+[manage roles](#managing-roles), [assign them](#assigning-roles-to-users) to users,
+and associate [supported actions](#actions) with those roles.
+
+## Managing accounts
+
+Account administrators have ultimate control over the Cube Cloud account, including
+[managing roles](#managing-roles) and assigning them to users.
+
+You can see which users are account administrators on the Members tab of the
+Team & Security page in your Cube Cloud. Account administrators have the
+Admin toggle enabled next to their name.
+
+## Managing roles
+
+In Cube Cloud, users are not assigned permissions directly. Instead, they are assigned
+_roles_ that are associated with _policies_. Each policy define what _actions_ they can
+perform and on what _resources_ they can perform those actions. This approach makes it
+easier to manage permissions at scale.
-To see a list of roles in your account, first go to the Team settings page by
-clicking on your avatar in the top right corner, then clicking on the "Team"
-button.
+Each role can be associated with one or more of the following policies:
-On the Team settings page, click the "Roles" tab to see all the roles in your
-account:
+| Policy | Description |
+| --- | --- |
+| `Global` | Controls account-level functionality, e.g., as Billing. |
+| `Deployment` | Controls deployment-level functionality, e.g., as Playground. |
+| `Report` | Controls access to specific reports in Saved Reports. |
+| `ReportFolder` | Controls access to specific folders in Saved Reports. |
+
+Each policy can apply to _all resources_ or _specific resources_. For example, a policy
+could apply to all deployments or only to a specific deployment.
+
+Also, each policy can have _all actions_ or only _specific actions_ associated with it.
+For example, a policy could allow a user to view, create, or delete one or more
+deployments if it's associated with those specific actions.
+
+See [actions reference](#actions) for a list of available actions.
+
+### Browsing roles
+
+To see a list of roles, go to the Team & Security page in your Cube Cloud
+account, then navigate to the Roles tab:
-## Create a role
+### Creating a role
-To create a new role, click the "Add Role" button. Enter a name and optional
-description for the role, then click "Add Policy" and select either "Deployment"
-or "Global" for this policy's scope.
+To create a new role, click the Add Role button. Enter a name and an optional
+description for the role, then click Add Policy and select either Deployment
+or Global for this policy's scope.
Deployment policies apply to deployment-level functionality, such as the
Playground and Data Model editor. Global policies apply to account-level
@@ -63,3 +92,51 @@ Existing users' roles can be modified from the "Members" tab on the Team page:
alt="Cube Cloud Team Roles tab"
src="https://ucarecdn.com/a72cad30-487b-484a-b557-0f0e157c89b1/"
/>
+
+## Actions
+
+Policies can have the following actions associated with them.
+
+Actions for the `Global` policy:
+
+| Action | Description |
+| --- | --- |
+| `Alerts Access`
`Alerts Create`
`Alerts Edit`
`Alerts Delete` | View, create, edit, and delete [budgets][ref-budgets]. |
+| `Billing Access` | Access the billing data of the Cube Cloud account. |
+| `Deployment Manage` | Create and delete deployments in the Cube Cloud account. |
+
+Actions for the `Deployment` policy:
+
+| Action | Description |
+| --- | --- |
+| `Deployment View`
`Deployment Edit` | Access the deployment, change its settings. |
+| `Playground Access` | Use [Playground][ref-playground]. |
+| `Data Model View` | View the source code in the [data model][ref-data-model] editor, use [Visual Model][ref-visual-model]. |
+| `Data Model Edit (all branches)`
`Data Model Edit (dev branches only)` | Use the [development mode][ref-dev-mode], edit the data model, perform Git operations (e.g., commit, pull, push). |
+| `Queries & Metrics Access` | Use [Query History][ref-query-history] and [Performance Insights][ref-perf-insights]. |
+| `SQL Runner Access` | Use [SQL Runner][ref-sql-runner]. |
+| `Data Assets Access` | Use [Semantic Catalog][ref-semantic-catalog] and [AI Assistant][ref-ai-assistant]. |
+
+Actions for the `Report` policy:
+
+| Action | Description |
+| --- | --- |
+| `Report Read`
`Report Manage` | View and create/delete reports. |
+
+Actions for the `ReportFolder` policy:
+
+| Action | Description |
+| --- | --- |
+| `Report Read`
`Report Manage` | View and create/delete report folders. |
+
+
+[ref-budgets]: /product/workspace/budgets
+[ref-playground]: /product/workspace/playground
+[ref-data-model]: /product/workspace/data-model
+[ref-visual-model]: /product/workspace/visual-model
+[ref-dev-mode]: /product/workspace/dev-mode
+[ref-query-history]: /product/workspace/query-history
+[ref-perf-insights]: /product/workspace/performance
+[ref-sql-runner]: /product/workspace/sql-runner
+[ref-semantic-catalog]: /product/workspace/semantic-catalog
+[ref-ai-assistant]: /product/workspace/ai-assistant
\ No newline at end of file