docs: Use "real" access list names for scenario in guide

gravitational · Oct 15, 2024 · 25bc150 · 25bc150
1 parent 2a355ce
commit 25bc150
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 32 deletions.
diff --git a/docs/config.json b/docs/config.json
@@ -1455,6 +1455,11 @@
  "destination": "/admin-guides/access-controls/access-lists/guide/",
  "permanent": true
  },
+ {
+ "source": "/access-controls/access-lists/nested-access-lists/",
+ "destination": "/admin-guides/access-controls/access-lists/nested-access-lists/",
+ "permanent": true
+ },
  {
  "source": "/access-controls/access-lists/reference/",
  "destination": "/reference/access-controls/access-lists/",

diff --git a/docs/pages/admin-guides/access-controls/access-lists/nested-access-lists.mdx b/docs/pages/admin-guides/access-controls/access-lists/nested-access-lists.mdx
@@ -27,62 +27,60 @@ parent Access Lists.
 
 ### How Inheritance Works
 
-- **Membership Inheritance**: If Access List B is added as a member of Access List A,
-all users who are members of Access List B inherit Access List A's member grants (roles and traits).
-- **Ownership Inheritance**: If Access List B is added as an owner of Access List A,
-all users who are members of Access List B inherit Access List A's owner grants, and
-can perform owner actions on Access List A, such as modifying it or managing its members.
+Let's break down inheritance in Access Lists. Imagine two Access Lists you might have in an organization:
+'Engineering Team' and 'Production Access'. 'Engineering Team' represents a group of engineers, while
+'Production Access' is a higher-level Access List that grants access to production resources.
 
-Inheritance is recursive – members of a child Access List can themselves be Access Lists
+- **Membership Inheritance**: If 'Engineering Team' is added as a member of 'Production Access',
+all users who are members of 'Engineering Team' inherit member grants (roles and traits) from 'Production Access'.
+- **Ownership Inheritance**: If 'Engineering Team' is added as an owner of 'Production Access',
+all users who are members of 'Engineering Team' inherit owner grants (roles and traits) from 'Production Access', and
+can perform owner actions, such as modifying it or managing its members.
+
+Inheritance is recursive – members of 'Engineering Team' can themselves be Access Lists
 with their own members, and so on. However, circular nesting is not allowed, and nesting is limited
 to a maximum depth of 10 levels.
 
-For more information, see the [Access Lists reference](../../reference/access-controls/access-lists.mdx).
+For more information, see the [Access Lists reference](../../../reference/access-controls/access-lists.mdx).
 
 ## Creating a Nested Access List
 
-Let's walk through an example of creating a nested Access List and establishing inheritance.
+Now, let's walk through creating a nested Access List and establishing inheritance. In this example, we'll
+create a child Access List, 'Engineering Team', which inherits permissions from a parent, 'Production Access'.
 
-### Step 1/4. Create Parent Access List
+### Step 1/3. Create Child Access List
 
 In the Teleport Web UI, go to the "Identity" tab and select "Access Lists" from the sidebar.
-Click on "Create New Access List", and fill in the details for the parent Access List. For example:
+Click on "Create New Access List", and fill in the details:
 
-- **Title**: Parent Access List
+- **Title**: Engineering Team
 - **Deadline for First Review**: Select a future date.
-- **Member Grants**: Add roles or traits that you want members to inherit, such as the `access` role.
+- **Member Grants**: Leave this empty, as the list will inherit the parent's member grants.
 - **Owners**: Add yourself or any appropriate users as owners.
-- **Members**: Leave this empty for now, as we'll add a child Access List as a member later.
+- **Members**: Add users who should be part of this Access List, such as `test-user`.
 
-Click "Create Access List" to save the new Access List.
+Click "Create Access List" to save the Access List.
 
-### Step 2/4. Create Child Access List
+### Step 2/3. Create Parent Access List
 
-From the "Access Lists" page, create another Access List to serve as the child Access List. For example:
+From the "Access Lists" page, click on "Create New Access List" and fill in the details for our parent list:
 
-- **Title**: Child Access List
+- **Title**: Production Access
 - **Deadline for First Review**: Select a future date.
-- **Member Grants**: Leave this empty for now, as the child will inherit the parent's member grants.
+- **Member Grants**: Add the `access` role.
 - **Owners**: Add yourself or any appropriate users as owners.
-- **Members**: Add users who should be part of this Access List, such as `test-user`.
-
-Click "Create Access List" to save the child Access List.
-
-### Step 3/4. Add Child Access List as a Member
+- **Members**: Select our child Access List, 'Engineering Team', from the dropdown.
 
-To establish inheritance, we need to add the child Access List as a member of the parent Access List.
-Navigate to the "Parent Access List" from the "Access Lists" page, and click "Enroll New Members or Access Lists".
-Search for and select the child Access List, optionally set an expiry date for the membership,
-and click "Enroll New Members" to add it as a member.
+Click "Create Access List" to save the Access List.
 
-### Step 4/4. Verifying Inherited Permissions
+### Step 3/3. Verifying Inherited Permissions
 
-To confirm that members of the child Access List have inherited member grants from the parent, log in as a user
+To confirm that members of 'Engineering Team' have inherited member grants from 'Production Access', log in as a user
 who is a member of the child Access List (e.g., `test-user`). Verify that the user now has access to resources
-granted by both the child Access List and the parent Access List. For example, if a Teleport Application Service
-instance with the debugging application enabled is set up, and the `access` role is granted through the parent,
+granted by both 'Engineering Team' and 'Production Access'. For example, if a Teleport Application Service
+instance with the debugging application enabled is set up, and the `access` role is granted through 'Production Access',
 the "dumper" app should be visible to the user.
 
 ## Next Steps
 
-- Review the [Access Lists reference](../../reference/access-controls/access-lists.mdx) for more detailed information on Access Lists' nesting and inheritance.
+- Review the [Access Lists reference](../../../reference/access-controls/access-lists.mdx) for more detailed information on Access Lists' nesting and inheritance.