access control clean up

Signed-off-by: Michal Wasilewski <[email protected]>

Author: mwasilew2

docs/concepts/spaces/access-control.md

@@ -28,7 +28,7 @@ tailored permissions:
 - **Principle of Least Privilege**: Grant exactly the permissions needed, nothing more
 
 !!! example "Custom Role Example"
-Instead of giving someone full **Space Admin** access, create a custom "Infrastructure Developer" role with just:
+    Instead of giving someone full **Space Admin** access, create a custom "Infrastructure Developer" role with just:
 
     - `space:read` - View space contents
     - `stack:read` - Understand configurations
@@ -62,15 +62,14 @@ account-wide settings.
 
 ## Authorization Methods
 
-### User Management (GUI-Based)
+### User Management
 
-The [User Management](../user-management/) interface provides a graphical way to assign roles to users, groups, and API
+The [User Management](../user-management/) interface provides a way to assign roles to users, groups, and API
 keys:
 
-1. Navigate to **Organization Settings** → **User Management**
-2. Select user, group, or API key
-3. Click **Manage Roles**
-4. Assign predefined or custom roles to specific spaces
+1. Navigate to **Organization Settings** → **Identity Management**
+2. Select **Users**, **IdP group mapping**, or **API keys**
+3. Assign predefined or custom roles to specific spaces
 
 See [assigning roles to users](../authorization/assigning-roles-users.md) for detailed instructions.
 
@@ -86,7 +85,7 @@ The legacy space rules are deprecated in favor of RBAC roles:
 - **space_write** → Use RBAC roles with appropriate write actions
 - **space_admin** → Use RBAC roles with management actions
 
-#### Modern RBAC Role Assignment
+#### RBAC Role Assignment
 
 Use the `roles` rule to assign RBAC roles in login policies:
 
@@ -112,31 +111,23 @@ roles["root"]["space-admin-role-id"] {
 ```
 
 !!! note "Getting Role IDs"
-To use custom roles in login policies, copy the role ID from **Organization Settings** → **Access Control Center** → *
-*Roles** → select role → copy ID.
+    To use custom roles in login policies, copy the role ID from **Organization Settings** → **Access Control Center** → **Roles** → select role → copy ID.
 
 !!! warning
-
     - Please note that Login policies are only allowed to be created in the `root` space, therefore only `root` space admins
     and administrative stacks, as well as `legacy` space administrative stacks can create or modify them.
     - A logged-in user's access levels only get updated when they log out and in again, so newly added spaces might not be
     visible to some users. An exception is that the space's creator immediately gets access to it.
 
 ## Inheritance
 
-Inheritance is a toggle that defines whether a space inherits resources from its parent space or not. When set to true,
-any stack in the child space can use resources such as worker pools or contexts from the parent space. If a space
-inherits from a parent and its parent inherits from the grandparent, then the space inherits from the grandparent as
-well.
+Inheritance is a toggle that defines whether a space inherits resources from its parent space or not. When set to true, any stack in the child space can use resources such as worker pools or contexts from the parent space. If a space inherits from a parent and its parent inherits from the grandparent, then the space inherits from the grandparent as well.
 
 Inheritance also modifies how roles propagate between spaces.
 
-In a scenario when inheritance between spaces is turned off, the roles are propagated only down the space tree. On the
-other hand, when inheritance is enabled, then a user with any role in the child space also gets **Read** role in their
-parent.
+In a scenario when inheritance between spaces is turned off, the roles are propagated only down the space tree. On the other hand, when inheritance is enabled, then a user with any role in the child space also gets **Read** role in their parent.
 
-Below is a diagram that demonstrates how this all works in practice. This is a view for a user that was given the
-following roles by Login policies:
+Below is a diagram that demonstrates how this all works in practice. This is a view for a user that was given the following roles by Login policies:
 
 - **Read** in `read access space`
 - **Write** in `write access space`
@@ -148,17 +139,11 @@ Dashed lines indicate a lack of inheritance, while when it's enabled the lines a
 
 Let's analyze the tree starting from the left.
 
-As mentioned, the user was granted **Space Writer** access to the `write access space` space.
-Because inheritance is enabled, they also received **Space Reader** access to the `access propagates up` space and the
-`root` space. The reason for that is to allow users to see resources that their space can now use.
-
-Next, the user was given **Space Admin** access to the `admin access space` space. Regardless of the inheritance being
-off, they also received **Space Admin** access to the `access propagates down` space.
-This makes sense, as we want to allow admins to still manage their spaces subtree even if they want to disable resource
-sharing between some spaces.
-
-Finally, the user was given **Space Reader** access to the `read access space` space. Because inheritance is off, they
-did not receive **Space Reader** access to the `legacy` space.
+As mentioned, the user was granted **Write** access to the `write access space` space.
+Because inheritance is enabled, they also received **Read** access to the `access propagates up` space and the `root` space. The reason for that is to allow users to see resources that their space can now use.
+Next, the user was given **Admin** access to the `admin access space` space. Regardless of the inheritance being off, they also received **Admin** access to the `access propagates down` space.
+This makes sense, as we want to allow admins to still manage their spaces subtree even if they want to disable resource sharing between some spaces.
+Finally, the user was given **Read** access to the `read access space` space. Because inheritance is off, they did not receive **Read** access to the `legacy` space.
 
 ## Related Topics