
docs(rbac): clarify auth_policies:update is sufficient for OIDC policy edits #18805

Open: danbiwer wants to merge 1 commit into master from dan/clarify-auth-policies-update-permission
Conversation

danbiwer (Contributor) commented May 5, 2026

Summary

  • Updates the auth_policies:update row in the org-settings RBAC scope reference to clarify that this permission alone is sufficient to edit an OIDC auth policy, regardless of the token types (personal, team, organization) the policy references.

…olicies

Documents that the auth_policies:update permission alone gates editing
OIDC auth policies, regardless of the token types referenced by the
policy. Pairs with pulumi/pulumi-service#42376.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
danbiwer requested a review from djgrove May 5, 2026 18:36

claude Bot (Contributor) commented May 5, 2026

Docs Review

Thanks for tightening this scope description. The clarification about OIDC auth policy editing is useful, but the new wording introduces a few small issues worth a second look before merging.

Issues

1. content/docs/administration/access-identity/rbac/scopes/org-settings.md:124 — sentence reads as a fragment

"Sufficient on its own to edit OIDC auth policies, regardless of the token types they reference." drops its subject and parses awkwardly next to the preceding sentence. Recasting it as a full sentence makes the scope read consistently with the rest of the table.

| `auth_policies:update` | Modify authentication policies and identity provider settings. This permission alone is sufficient to edit OIDC auth policies, regardless of the token types (`personal`, `team`, or `organization`) they reference.<br><br>**Granted by default roles**: `Admin` |

The PR description already calls out the three token types — pulling them into the doc itself spares readers from having to infer what "token types" means in this context.

2. content/docs/administration/access-identity/rbac/scopes/org-settings.md:124 — "OIDC auth policies" carve-out is unexplained

The scope is named auth_policies:update (generic), but the new sentence narrows the clarification to OIDC specifically. A reader will reasonably wonder whether SAML or other auth policies behave differently. If the OIDC-specific note is responding to a real ambiguity (e.g., past confusion about whether tokens:* scopes were also required), consider a short why — e.g., "…even though the policy may govern personal, team, or organization tokens, no additional tokens:* scope is required." If that's not accurate, dropping "OIDC" and saying "auth policies" generally would match the row's heading.

Nits

  • The replaced sentence ("This allows updating security configurations.") was generic but at least set the broad scope of the permission. The new sentence jumps straight to a specific edge case. The suggested rewrite above keeps both the general framing and the OIDC clarification.

Otherwise

  • Single-line content edit; no link, alias, frontmatter, image, or shortcode concerns.
  • No build/infra/code-example surface area touched.
  • No change needed to surrounding rows.

If you'd like another pass after revising, mention @claude.
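The rule the PR description and the review discuss (one scope gates the edit, and the token types a policy references do not add requirements) is easy to get wrong in an authorizer, so here is an added illustration. This is hypothetical code written for this page, not Pulumi's service or docs code: the `OidcAuthPolicy` type, the `tokens:<type>:update` scope names in the over-broad variant, and the sample policy are all assumptions; only the scope `auth_policies:update` and the three token type names come from the page.

```python
"""Hypothetical RBAC check contrasting the documented rule with an over-broad reading.

Not Pulumi's code. Only `auth_policies:update` and the token type names
(personal, team, organization) are taken from the PR; everything else is assumed.
"""
from dataclasses import dataclass

# Token types an OIDC auth policy may reference, as named in the PR description.
TOKEN_TYPES = frozenset({"personal", "team", "organization"})

# The single scope the docs say gates editing auth policies.
AUTH_POLICIES_UPDATE = "auth_policies:update"


@dataclass(frozen=True)
class OidcAuthPolicy:
    """Assumed shape of a policy: a name plus the token types it governs."""
    name: str
    token_types: frozenset


def validate_policy(policy: OidcAuthPolicy) -> None:
    """Reject policies that reference token types outside the known set."""
    unknown = policy.token_types - TOKEN_TYPES
    if unknown:
        raise ValueError(f"unknown token types: {sorted(unknown)}")


def can_edit_policy(granted_scopes: set, policy: OidcAuthPolicy) -> bool:
    """Documented rule: `auth_policies:update` alone is sufficient.

    The token types referenced by the policy are validated but play no part
    in the decision. Deny by default: no scope, no edit.
    """
    validate_policy(policy)
    return AUTH_POLICIES_UPDATE in granted_scopes


def can_edit_policy_overbroad(granted_scopes: set, policy: OidcAuthPolicy) -> bool:
    """The reading the review warns against (hypothetical, for contrast only).

    It additionally demands an assumed `tokens:<type>:update` scope for every
    token type the policy references, so an Admin holding only
    `auth_policies:update` would be wrongly denied.
    """
    validate_policy(policy)
    required = {AUTH_POLICIES_UPDATE} | {
        f"tokens:{t}:update" for t in sorted(policy.token_types)
    }
    return required <= set(granted_scopes)


def demo() -> dict:
    """Constructed sample: one policy referencing all three token types."""
    policy = OidcAuthPolicy("ci-federation", frozenset(TOKEN_TYPES))
    policy_editor = {AUTH_POLICIES_UPDATE}      # holds only the documented scope
    return {
        "documented_allows": can_edit_policy(policy_editor, policy),
        "overbroad_denies": can_edit_policy_overbroad(policy_editor, policy),
        "no_scope_denied": can_edit_policy(set(), policy),
    }


if __name__ == "__main__":
    print(demo())
```

The two functions differ only in whether the referenced token types feed into the required scope set; the documented behaviour is the first one, and the contrast shows why the review asked for the "no additional tokens:* scope is required" wording to be explicit.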

danbiwer requested a review from CamSoper May 6, 2026 13:14

CamSoper (Contributor) left a comment

LGTM!
