diff --git a/app/_landing_pages/gateway/security.yaml b/app/_landing_pages/gateway/security.yaml
index 3fecc626fc..9a7700f797 100644
--- a/app/_landing_pages/gateway/security.yaml
+++ b/app/_landing_pages/gateway/security.yaml
@@ -89,7 +89,7 @@ rows:
icon: /assets/icons/team.svg
cta:
- url: "/teams-and-roles/"
+ url: "/konnect-platform/teams-and-roles/"
- blocks:
- type: card
config:
diff --git a/app/_landing_pages/service-catalog.yaml b/app/_landing_pages/service-catalog.yaml
index f4d3971033..8f789576a4 100644
--- a/app/_landing_pages/service-catalog.yaml
+++ b/app/_landing_pages/service-catalog.yaml
@@ -73,4 +73,4 @@ rows:
- q: "What if I notice discrepancies in Service Catalog data?"
a: "Check integration settings, verify connected tools, and ensure data synchronization is working correctly."
- q: "Can I control access to specific Service Catalog data?"
- a: "Yes, access can be managed through [teams](/konnect/org-management/teams-and-roles/manage/) and [roles](/konnect/org-management/teams-and-roles/roles-reference/)."
+ a: "Yes, access can be managed through [teams and roles](/konnect-platform/teams-and-roles/)."
diff --git a/app/advanced-analytics/dashboard.md b/app/advanced-analytics/dashboard.md
index 9ec488663e..ee0a3086d0 100644
--- a/app/advanced-analytics/dashboard.md
+++ b/app/advanced-analytics/dashboard.md
@@ -36,11 +36,11 @@ This feature allows you to enable or disable data collection for your API traffi
- **On:** Both basic and advanced analytics data is collected, allowing in-depth insights and reporting.
- **Off:** Advanced analytics collection stops, but basic API metrics remain available in Gateway Manager.
-**Note:** If analytics is disabled, new data will not appear in [Custom Reports](/konnect/analytics/custom-reports/)
-or [API Requests](/konnect/analytics/api-requests/), but basic usage stats will still be accessible.
+**Note:** If analytics is disabled, new data will not appear in [Custom Reports](/advanced-analytics/reports/)
+or [API Requests](/api/konnect/analytics-requests/v2/), but basic usage stats will still be accessible.
You can assign users to predefined **Analytics teams** in {{site.konnect_short_name}} to control access levels.
This allows specific users to **view** or **manage** Analytics independently.
-Learn more in the [Teams Reference](/konnect/org-management/teams-and-roles/teams-reference/).
\ No newline at end of file
+Learn more in the [Teams Reference](/konnect-platform/teams-and-roles/).
\ No newline at end of file
diff --git a/app/advanced-analytics/reports.md b/app/advanced-analytics/reports.md
index 294eb44b0b..722fa0d745 100644
--- a/app/advanced-analytics/reports.md
+++ b/app/advanced-analytics/reports.md
@@ -36,11 +36,11 @@ This feature allows you to enable or disable data collection for your API traffi
- **On:** Both basic and advanced analytics data is collected, allowing in-depth insights and reporting.
- **Off:** Advanced analytics collection stops, but basic API metrics remain available in Gateway Manager.
-**Note:** If analytics is disabled, new data will not appear in [Custom Reports](/konnect/analytics/custom-reports/)
-or [API Requests](/konnect/analytics/api-requests/), but basic usage stats will still be accessible.
+**Note:** If analytics is disabled, new data will not appear in [Custom Reports](/advanced-analytics/reports/)
+or [API Requests](/api/konnect/analytics-requests/v2/), but basic usage stats will still be accessible.
You can assign users to predefined **Analytics teams** in {{site.konnect_short_name}} to control access levels.
This allows specific users to **view** or **manage** Analytics independently.
-Learn more in the [Teams Reference](/konnect/org-management/teams-and-roles/teams-reference/).
\ No newline at end of file
+Learn more in the [Teams Reference](/konnect-platform/teams-and-roles/).
\ No newline at end of file
diff --git a/app/konnect-geos.md b/app/konnect-geos.md
index b3b87b1011..780bc73803 100644
--- a/app/konnect-geos.md
+++ b/app/konnect-geos.md
@@ -45,7 +45,7 @@ The following objects are geo-specific:
* [Application registration](/dev-portal/app-reg/)
* [Dev portals](/dev-portal/)
* [Service meshes and mesh zones](/mesh-manager/)
-* [Custom teams and roles](/teams-and-roles/)
+* [Custom teams and roles](/konnect-platform/teams-and-roles/)
## Supported geos
diff --git a/app/konnect-platform/konnect-sso.md b/app/konnect-platform/konnect-sso.md
index dfc284e888..e47ce799d3 100644
--- a/app/konnect-platform/konnect-sso.md
+++ b/app/konnect-platform/konnect-sso.md
@@ -34,7 +34,7 @@ faqs:
---
{{site.konnect_short_name}} supports external single sign-on authentication using an Identity Provider (IdP). Using SSO in {{site.konnect_short_name}}, you can enable authentication for the following:
-* **The {{site.konnect_short_name}} platform:** Allow [Org admins](/teams-and-roles/) to log in with SSO. This is an alternative to {{site.konnect_short_name}}'s [built-in authentication](https://cloud.konghq.com/global/organization/settings#authentication-scheme).
+* **The {{site.konnect_short_name}} platform:** Allow [Org admins](/konnect-platform/teams-and-roles/) to log in with SSO. This is an alternative to {{site.konnect_short_name}}'s [built-in authentication](https://cloud.konghq.com/global/organization/settings#authentication-scheme).
* **Dev Portals:** Allow developers to log in to the [Dev Portal](/dev-portal/) with SSO.
SSO for each of these is configured through different settings, so enabling one doesn't automatically enable the other. Both methods support OIDC and SAML-based SSO.
diff --git a/app/konnect-platform/self-managed-migration.md b/app/konnect-platform/self-managed-migration.md
index 04dbf718e9..34aa1465f3 100644
--- a/app/konnect-platform/self-managed-migration.md
+++ b/app/konnect-platform/self-managed-migration.md
@@ -82,8 +82,8 @@ The following are the general steps for setting up IAM in {{site.konnect_short_n
{{site.konnect_short_name}} (if necessary), and use the [Org Switcher](https://cloud.konghq.com/org-switcher?ref=account)
to create or select the organization you are going to migrate your self-managed deployment to.
2. [Set up single sign-on (SSO) access to {{site.konnect_short_name}} using an existing IdP provider](/konnect-platform/konnect-sso/).
-3. [Create teams](/konnect-platform/teams-reference/) in {{site.konnect_short_name}} or use
- [predefined teams](/konnect-platform/teams-reference/#predefined-teams) to create your desired organizational structure.
+3. [Create teams](/konnect-platform/teams-and-roles/) in {{site.konnect_short_name}} or use
+ [predefined teams](/konnect-platform/teams-and-roles/#predefined-teams) to create your desired organizational structure.
4. For any custom teams, assign the appropriate roles
from the predefined list of available roles in {{site.konnect_short_name}}.
5. Use the {{site.konnect_short_name}} IdP Team Mappings feature to
diff --git a/app/konnect-platform/teams-and-roles.md b/app/konnect-platform/teams-and-roles.md
new file mode 100644
index 0000000000..f646e0c3b7
--- /dev/null
+++ b/app/konnect-platform/teams-and-roles.md
@@ -0,0 +1,268 @@
+---
+title: "{{site.konnect_short_name}} teams and roles"
+content_type: reference
+layout: reference
+
+products:
+ - gateway
+
+works_on:
+ - konnect
+
+description: Explains which teams and roles {{site.konnect_short_name}} has and how to manage them.
+
+related_resources:
+ - text: "{{site.konnect_short_name}} Account, Pricing, and Organization Deactivation"
+ url: /konnect-platform/konnect-account/
+faqs:
+ - q: What is required to manage users, teams, and roles in {{site.konnect_short_name}}?
+ a: You must be part of the **Organization Admin team** to manage users, teams, and roles.
+ - q: What is a team in {{site.konnect_short_name}}?
+ a: A team is a group of users with access to the same roles. Teams allow assigning access to {{site.konnect_short_name}} resources based on roles.
+ - q: What is a role in {{site.konnect_short_name}}?
+ a: |
+ A role defines predefined access to a particular resource or instances of a resource type. For example, API product roles can be scoped to a specific API product or all API products, while Control Plane roles can be scoped to a specific Control Plane or all Control Planes.
+ - q: Can predefined teams in {{site.konnect_short_name}} be modified or deleted?
+ a: No, predefined teams have fixed role sets that cannot be modified or deleted.
+---
+
+To help secure and govern your environment, {{site.konnect_short_name}} provides
+the ability to manage authorization with teams and roles. You can use {{site.konnect_short_name}}'s
+predefined teams for a standard set of roles, or create custom teams with
+any roles you choose. Invite users and add them to these teams to manage user
+access.
+
+You must be part of the Organization Admin team to manage users, teams, and
+roles.
+
+{:.info}
+> **Note:** If the Okta integration is [enabled](/konnect-platform/konnect-sso/),
+{{site.konnect_short_name}} users and teams become read-only. An organization
+admin can view all registered users in {{site.konnect_short_name}}, but cannot
+edit their team membership from the {{site.konnect_short_name}} side. To manage
+automatically-created users, adjust user permissions through Okta, or
+[adjust team mapping](/konnect-platform/konnect-sso/).
+
+## Access precedence
+
+Users can be part of any number of teams, and the roles gained from the teams
+are additive. For example, if you add a user to both the Service Developer and
+Portal Viewer teams, the user can create and manage Services
+through API Products _and_ register applications through the Dev Portal.
+
+If two roles provide access to the same [entity](/gateway/entities/), the role with more access
+takes effect. For example, if you have the Service Admin and Service Deployer
+roles on the same Service, the Service Admin role takes precedence.
+
+## Geographic region assignment
+
+Teams and roles can be assigned to a specific [geographic region](/konnect-geos/) in {{site.konnect_short_name}}. Those teams and roles only access {{site.konnect_short_name}} objects, such as Services, that are also located in the same geo they are assigned to.
+
+## Teams
+
+A team is a group of users with access to the same roles. Teams are useful
+for assigning access by functionality, where they can provide granular access to
+any group of {{site.konnect_short_name}} resources based on roles.
+
+You can create and manage teams by navigating to [**Organization**](https://cloud.konghq.com/organization/) > **Teams** in {{site.konnect_short_name}}.
+
+### Predefined teams
+
+All new and existing organizations in {{site.konnect_short_name}} have predefined default teams. The default teams can't be modified or deleted.
+
+{% table %}
+columns:
+ - title: Team
+ key: team
+ - title: Description
+ key: description
+rows:
+ - team: Analytics Admin
+ description: Users can fully manage all [Analytics](/advanced-analytics/) content, which includes creating, editing, and deleting reports, as well as viewing the analytics summary.
+ - team: Analytics Viewer
+ description: Users can view the [Analytics](/advanced-analytics/) summary and report data.
+ - team: Organization Admin
+ description: Users can fully manage all entities and configuration in the organization.
+ - team: Organization Admin (Read Only)
+ description: Users can view all entities and configuration in the organization.
+ - team: Portal Admin
+ description: Users can fully manage all Dev Portal content, which includes {{site.konnect_short_name}} service pages and supporting content, as well as Dev Portal configuration and Service connections.
To manage app registration requests, members must also be assigned to the Admin or Maintainer roles for the corresponding Services.
+ - team: API Product Admin
+ description: Users can create and manage API products, including publishing API product versions to Dev Portal and enabling application registration.
+ - team: API Product Developer
+ description: Users can create and manage versions of API products.
+ - team: Control Plane Admin
+ description: Users can create and manage Control Planes.
+{% endtable %}
+
+## Roles
+
+Roles predefine access to a particular resource, or
+instances of a particular resource type (for example, API product roles can be scoped to a particular API product or all API products while Control Plane roles can be scoped to a particular Control Plane or all Control Planes).
+
+You can manage a user's roles by navigating to [**Organization**](https://cloud.konghq.com/organization/) > **Users** in {{site.konnect_short_name}} and clicking the **Role Assignments** tab for a user.
+
+### Predefined roles
+
+{{site.konnect_short_name}} provides the following predefined roles.
+
+#### API Products
+
+The following describes the predefined roles for API Products:
+
+
+{% konnect_roles_table %}
+schema: api_products
+{% endkonnect_roles_table %}
+
+
+#### Control Planes
+
+The following describes the predefined roles for Control Planes:
+
+
+{% konnect_roles_table %}
+schema: control_planes
+{% endkonnect_roles_table %}
+
+
+#### Audit logs
+
+The following describes the predefined roles for audit logs:
+
+
+{% konnect_roles_table %}
+schema: audit_logs
+{% endkonnect_roles_table %}
+
+
+#### Identity
+
+The following describes the predefined roles for identity:
+
+
+{% konnect_roles_table %}
+schema: identity
+{% endkonnect_roles_table %}
+
+
+#### Mesh control planes
+
+The following describes the predefined roles for Mesh:
+
+
+{% konnect_roles_table %}
+schema: mesh_control_planes
+{% endkonnect_roles_table %}
+
+
+#### Networks
+
+The following describes the predefined roles for networks:
+
+{% table %}
+columns:
+ - title: Role
+ key: role
+ - title: Description
+ key: description
+rows:
+ - role: "`Network Admin`"
+ description: Access to all read and write permissions related to a network.
+ - role: "`Network Creator`"
+ description: Access to creating networks.
+ - role: "`Network Viewer`"
+ description: Access to read-only permissions to networks.
+{% endtable %}
+
+#### Service Catalog
+
+The following describes the predefined roles for Service Catalog:
+
+{% table %}
+columns:
+ - title: Role
+ key: role
+ - title: Description
+ key: description
+rows:
+ - role: "`Discovery Admin`"
+ description: Access to all read and write permissions related to service discoveries.
+ - role: "`Discovery Viewer`"
+ description: Access to read-only permissions related to service discoveries.
+ - role: "`Integration Admin`"
+ description: Can view and edit all integrations (install/authorize).
+ - role: "`Integration Viewer`"
+ description: Access to read-only permissions to integrations.
+ - role: "`Service Admin`"
+ description: Can view and edit a select list of services, map resources to those services, and manage all resources and discovery rules.
+ - role: "`Service Creator`"
+ description: Can create new services, becomes the service admin for any service they create, and can view, edit, and create all resources and discovery rules.
+ - role: "`Service Viewer`"
+ description: Can view a select list of services and all resources and discovery rules.
+{% endtable %}
+
+#### Dev Portal
+
+The following describes the predefined roles for Dev Portal:
+
+{% table %}
+columns:
+ - title: Role
+ key: role
+ - title: Description
+ key: description
+rows:
+ - role: "`Admin`"
+ description: Owner of an existing Dev Portal instance. The owner has full write access related to any developers and applications in the organization.
+ - role: "`Appearance Maintainer`"
+ description: Access the Portal instance and edit its appearance.
+ - role: "`Creator`"
+ description: Create new Portals.
+ - role: "`Maintainer`"
+ description: Edit, view, and delete Dev Portal applications, and view developers.
+ - role: "`Product Publisher`"
+ description: Manage publishing products to a Dev Portal.
+ - role: "`Viewer`"
+ description: Read-only access to Dev Portal developers and applications.
+{% endtable %}
+
+#### Application auth strategies
+
+The following describes the predefined roles for application auth strategies:
+
+{% table %}
+columns:
+ - title: Role
+ key: role
+ - title: Description
+ key: description
+rows:
+ - role: "`Creator`"
+ description: Create new app auth strategies.
+ - role: "`Maintainer`"
+ description: Edit one or all app auth strategies.
+ - role: "`Viewer`"
+ description: Read-only access to one or all app auth strategies.
+{% endtable %}
+
+
+#### DCR
+
+The following describes the predefined roles for dynamic client registration (DCR):
+
+{% table %}
+columns:
+ - title: Role
+ key: role
+ - title: Description
+ key: description
+rows:
+ - role: "`Creator`"
+ description: Create new DCR providers.
+ - role: "`Maintainer`"
+ description: Edit one or all DCR providers.
+ - role: "`Viewer`"
+ description: Read-only access to one or all DCR providers.
+{% endtable %}
+
diff --git a/app/konnect-platform/teams-reference.md b/app/konnect-platform/teams-reference.md
deleted file mode 100644
index 3058e29138..0000000000
--- a/app/konnect-platform/teams-reference.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: "{{site.konnect_short_name}} Platform Teams and Roles"
-
-description: Learn how to cancel and deactivate an account in {{site.konnect_short_name}}
-content_type: reference
-layout: reference
-
-
-products:
- - gateway
-works_on:
- - konnect
-
-related_resources:
- - text: "{{site.konnect_short_name}} Account, Pricing, and Organization Deactivation"
- url: /konnect-platform/konnect-account/
-faqs:
- - q: What is required to manage users, teams, and roles in {{site.konnect_short_name}}?
- a: You must be part of the **Organization Admin team** to manage users, teams, and roles.
- - q: What is a team in {{site.konnect_short_name}}?
- a: A team is a group of users with access to the same roles. Teams allow assigning access to {{site.konnect_short_name}} resources based on roles.
- - q: What is a role in {{site.konnect_short_name}}?
- a: |
- A role defines predefined access to a particular resource or instances of a resource type. For example, API product roles can be scoped to a specific API product or all API products, while Control Plane roles can be scoped to a specific Control Plane or all Control Planes.
- - q: Can predefined teams in {{site.konnect_short_name}} be modified or deleted?
- a: No, predefined teams have fixed role sets that cannot be modified or deleted.
-
----
-
-Many organizations have strict security requirements. For example, organizations
-need the ability to segregate the duties of an administrator to ensure that a
-mistake or malicious act by one administrator doesn’t cause an outage.
-
-To help secure and govern your environment, {{site.konnect_short_name}} provides
-the ability to manage authorization with teams and roles. You can use {{site.konnect_short_name}}'s
-predefined teams for a standard set of roles, or create custom teams with
-any roles you choose. Invite users and add them to these teams to manage user
-access.
-
-## Teams and roles
-
-{{site.konnect_short_name}} defines teams and roles as the following:
-* **Team:** A group of users with access to the same roles. Teams are useful
-for assigning access by functionality, they can provide granular access to
-any group of {{site.konnect_short_name}} resources based on roles.
-* **Role:** Predefined access to a particular resource, or
-instances of a particular resource type (for example, API product roles can be scoped to a particular API product or all API products while Control Plane roles can be scoped to a particular Control Plane or all Control Planes).
-
-You can find a list of all teams in your organization through **Organization** > **Teams** in {{site.konnect_short_name}}.
-
-You must be part of the Organization Admin team to manage users, teams, and
-roles.
-
-## Predefined teams
-
-All new and existing organizations in {{site.konnect_short_name}} have predefined default teams. The default teams can't be modified or deleted.
-
-| Team | Description |
-|--------------------------------|--------------|
-| Analytics Admin | Users can fully manage all [Analytics](/advanced-analytics/) content, which includes creating, editing, and deleting reports, as well as viewing the analytics summary. |
-| Analytics Viewer | Users can view the [Analytics](/advanced-analytics/) summary and report data.|
-| Organization Admin | Users can fully manage all entities and configuration in the organization. |
-| Organization Admin (Read Only) | Users can view all entities and configuration in the organization. |
-| Portal Admin | Users can fully manage all Dev Portal content, which includes {{site.konnect_short_name}} service pages and supporting content, as well as Dev Portal configuration and Service connections.
To manage app registration requests, members must also be assigned to the Admin or Maintainer roles for the corresponding Services.|
-| API Product Admin | Users can create and manage API products, including publishing API product versions to Dev Portal and enabling application registration.|
-| API Product Developer | Users can create and manage versions of API products. |
-| Control Plane Admin | Users can create and manage Control Planes. |
-
-
-### Access precedence
-
-Users can be part of any number of teams, and the roles gained from the teams
-are additive. For example, if you add a user to both the Service Developer and
-Portal Viewer teams, the user can create and manage Services
-through API Products _and_ register applications through the Dev Portal.
-
-If two roles provide access to the same entity, the role with more access
-takes effect. For example, if you have the Service Admin and Service Deployer
-roles on the same Service, the Service Admin role takes precedence.
-
-### Geographic region assignment
-
-Teams and roles can be assigned to a specific [geographic regions](/konnect-geos/) in {{site.konnect_short_name}}. Those teams and roles can only access {{site.konnect_short_name}} objects, such as Services, that are also located in the same geo they are assigned to.
diff --git a/app/teams-and-roles.md b/app/teams-and-roles.md
deleted file mode 100644
index 1811dde3d5..0000000000
--- a/app/teams-and-roles.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Teams and roles
-content_type: reference
-layout: reference
-
-products:
- - gateway
-
-works_on:
- - konnect
-
-description: placeholder
-
-related_resources:
- - text: "Secure {{site.base_gateway}}"
- url: /gateway/security/
----
-
-@todo
-
-Pull content from:
-* https://docs.konghq.com/konnect/org-management/teams-and-roles/
-* https://docs.konghq.com/konnect/org-management/teams-and-roles/manage/
-* https://docs.konghq.com/konnect/org-management/teams-and-roles/teams-reference/
-* https://docs.konghq.com/konnect/org-management/teams-and-roles/roles-reference/
-
-
-## API Products
-
-
-{% konnect_roles_table %}
-schema: api_products
-{% endkonnect_roles_table %}
-
-
-## Control Planes
-
-
-{% konnect_roles_table %}
-schema: control_planes
-{% endkonnect_roles_table %}
-
-
-## Audit Logs
-
-
-{% konnect_roles_table %}
-schema: audit_logs
-{% endkonnect_roles_table %}
-
-
-## Identity
-
-
-{% konnect_roles_table %}
-schema: identity
-{% endkonnect_roles_table %}
-
-
-## Mesh control planes
-
-
-{% konnect_roles_table %}
-schema: mesh_control_planes
-{% endkonnect_roles_table %}
-
\ No newline at end of file
diff --git a/tools/track-docs-changes/config/sources.yml b/tools/track-docs-changes/config/sources.yml
index c6f0ea52a5..8d0ab64eef 100644
--- a/tools/track-docs-changes/config/sources.yml
+++ b/tools/track-docs-changes/config/sources.yml
@@ -1074,9 +1074,11 @@ app/gateway-manager/control-plane-groups.md:
app/konnect-platform/konnect-account.md:
- app/konnect/org-management/deactivation.md
-app/konnect-platform/teams-reference.md:
+app/konnect-platform/teams-and-roles.md:
- app/konnect/org-management/teams-and-roles/teams-reference.md
-
+ - app/konnect/org-management/teams-and-roles/index.md
+ - app/konnect/org-management/teams-and-roles/roles-reference.md
+ - app/konnect/org-management/teams-and-roles/manage.md
app/service-catalog-integrations.yaml:
- app/konnect/service-catalog/integrations/index.md