Commit

fix(user mgmt): clarify aum restriction
zuluecho9 committed Nov 16, 2021
1 parent bf6712d commit 0ca2bb4
Showing 1 changed file with 4 additions and 5 deletions.
Expand Up @@ -86,15 +86,14 @@ To create a new access grant that gives a user group access to a role and an acc
4. Select the **Role** you want to assign. Roles are organization-wide, so regardless of the authentication domain you're in, you have access to our [standard roles](/docs/accounts/accounts-billing/new-relic-one-user-management/new-relic-one-user-model-understand-user-structure/#standard-roles) and any custom roles you've created. For tips on selecting roles, see the tips after these instructions.
5. Select the **Account** you want to add access to from the dropdown. If you don't see an account that you'd expect to see, this may be for a few reasons. One is that you yourself don't have the proper permissions for that account. Another is that that account is not actually in your organization. For more information, see [Factors affecting access](/docs/accounts/accounts-billing/account-structure/factors-affecting-access-features-data/). If you are still having problems, talk to your account representative.
6. If you want to continue adding more grants for that same group, select **Add another** at the bottom before clicking **Add access**.
7. When you're done, if your users are already in the group you've added the grant to, they should have access within a few minutes (although for [EU region New Relic accounts](/docs/using-new-relic/welcome-new-relic/get-started/our-eu-us-region-data-centers), this can take up to twenty minutes or so). If your users are not yet in that group (which would be true if you just created an access grant with a new group), you'll need to go to the [**User management** UI](/docs/accounts/accounts-billing/new-relic-one-user-management/add-manage-users-groups-roles/#where) and add that group to those users.
7. When you're done, if your users are already in the group you've added the grant to, they should have access within a few minutes (although for [EU region New Relic accounts](/docs/using-new-relic/welcome-new-relic/get-started/our-eu-us-region-data-centers), this can take up to twenty minutes or so). If your users are not yet in that group (which would be true if you just created an access grant with a new group), you'll need to go to the [**User management** UI](/docs/accounts/accounts-billing/new-relic-one-user-management/add-manage-users-groups-roles/#where) and add one or more users to that group.

Some tips for using this UI:

* Note that if a user has the organization-scoped **Organization manager** and/or **Authentication domain manager** roles, which is true of users in the default **Admin** group, those users will always have those capabilities because those are organization-scoped abilities. This means that when you go to add those users to another account, you only have to add an account-scoped role, and not an organization-scoped role. In other words, once the users in a group have those organization-scoped roles, they will always have them in that organization unless removed.
* If your users are managed via [automated user management](/docs/accounts/accounts/automated-user-management/automated-user-provisioning-single-sign/),
you can't use the [**User management** UI](/docs/accounts/accounts-billing/new-relic-one-user-management/add-manage-users-groups-roles/#where) to add users to groups because your groups are imported from your identity provider. You will need to create access grants for those groups once they are in New Relic, though, to give those groups access.
* Note that if a user has the organization-scoped **Organization manager** and/or **Authentication domain manager** roles (which is true of users in our default **Admin** group) those users will always have those capabilities because those are organization-scoped abilities. This means that when you go to add those users to another account, you only have to add an account-scoped role, and not an organization-scoped role. In other words, once the users in a group have those organization-scoped roles, they will always have them for that organization unless removed.
* When selecting from amongst our [standard roles](/docs/accounts/accounts-billing/new-relic-one-user-management/new-relic-one-user-model-understand-user-structure/#standard-roles), it's important to understand the difference between **All product admin** and **Standard user**. In short, **All product admin** is more popular a choice because it gives the ability to configure platform features. If you wanted to have your users be able to use platform features but not configure them, you'd choose **Standard user**.
* If your users are managed via [automated user management](/docs/accounts/accounts/automated-user-management/automated-user-provisioning-single-sign/), there are some restrictions that may apply. For example,
you wouldn't be able to use the [**User management** UI](/docs/accounts/accounts-billing/new-relic-one-user-management/add-manage-users-groups-roles/#where) to add users to groups, because groups are managed and imported from your identity provider.
* If a group has basic users in it, their [basic user status overrides any group-related restrictions](/docs/accounts/accounts-billing/new-relic-one-user-management/new-relic-one-user-model#user-type).

## Create custom role [#roles]
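
Review bot: The reworded automated user management bullet ("there are some restrictions that may apply. For example, ...") drops the sentence the earlier version ended with: "You will need to create access grants for those groups once they are in New Relic, though, to give those groups access." Among the lines shown here, that was the only statement that groups imported from the identity provider still need an access grant, so consider keeping it at the end of the new bullet. The new wording is also softer than what it replaces: "you can't use" became "some restrictions that may apply ... you wouldn't be able to", and only one restriction is given; either state the restriction directly or link to where the full set is documented. Step 7 still sends every reader to the **User management** UI to add users to a new group, which this bullet says is not possible under automated user management, so a short qualifier in step 7 would keep the two consistent. Minor: the bullet still breaks mid-sentence after "For example," and the reworded organization-scoped roles bullet needs a comma after the closing parenthesis in "(which is true of users in our default **Admin** group) those users".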

0 comments on commit 0ca2bb4
