From 05efd8a00d99e9d54c946ab544dea64675737c96 Mon Sep 17 00:00:00 2001 From: Dan Biwer Date: Tue, 5 May 2026 13:34:38 -0500 Subject: [PATCH] docs(rbac): clarify auth_policies:update is sufficient to edit OIDC policies Documents that the auth_policies:update permission alone gates editing OIDC auth policies, regardless of the token types referenced by the policy. Pairs with pulumi/pulumi-service#42376. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../administration/access-identity/rbac/scopes/org-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/administration/access-identity/rbac/scopes/org-settings.md b/content/docs/administration/access-identity/rbac/scopes/org-settings.md index 6bee541b3700..629ae32d87d7 100644 --- a/content/docs/administration/access-identity/rbac/scopes/org-settings.md +++ b/content/docs/administration/access-identity/rbac/scopes/org-settings.md @@ -121,7 +121,7 @@ These scopes control access to the legacy Pulumi Copilot conversation API, curre | `oidc_issuers:regenerate_thumbprints` | Regenerate security thumbprints for an OIDC issuer. This is used to maintain secure authentication.

**Granted by default roles**: `Admin` | | `oidc_issuers:update` | Modify OIDC issuer settings. This allows updating identity provider details and authentication parameters.

**Granted by default roles**: `Admin` | | `auth_policies:read` | View authentication policy configurations. This includes access to OIDC, SAML, and other identity provider settings.

**Granted by default roles**: `Admin` | -| `auth_policies:update` | Modify authentication policies and identity provider settings. This allows updating security configurations.

**Granted by default roles**: `Admin` | +| `auth_policies:update` | Modify authentication policies and identity provider settings. Sufficient on its own to edit OIDC auth policies, regardless of the token types they reference.

**Granted by default roles**: `Admin` | ## Organization
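Review bot: The new `auth_policies:update` description says the scope is "Sufficient on its own to edit OIDC auth policies, regardless of the token types they reference", but it does not say what that means for someone building a custom role. Consider adding a sentence that tells administrators to treat this scope as privileged for that reason, since the wording implies no per-token-type permission is checked on edit. "Token types" is also not defined or linked anywhere in this row, so a reader of the scopes table cannot tell which types are meant; a link to the page that lists them would help. The commit message says this pairs with pulumi/pulumi-service#42376, so if the documented behavior only holds once that change is deployed, the row should say so.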