Clarify UpdateNamespace actions and permissions (#4167)

* Clarify UpdateNamespace actions and permissions

* Add High Availability to Namespace Admin required list

Confirmed via temporalio/saas-policy actiongroups/config.go that
AddNamespaceRegion, DeleteNamespaceRegion, and FailoverNamespaceRegion
are in namespaceControlPlaneAdminActions.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix Admin-only permissions for namespace operations

Operations requiring Namespace Admin (not Write):
- CreateExportSink, DeleteExportSink, UpdateExportSink, ValidateExportSink
- DeleteNamespace, UpdateNamespace
- RenameCustomSearchAttribute, UpdateSearchAttributes (new)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Brian MacDonald <brian.macdonald@temporal.io>

Author: 3 people

docs/cloud/get-started/users.mdx

@@ -200,12 +200,6 @@ For details, see the [tcld user delete](/cloud/tcld/user/#delete) command.
 Temporal account-level roles and Namespace-level permissions provide access to specific Temporal Workflow and Temporal Cloud operational APIs.
 The following table provides the API details associated with each account-level role and Namespace-level permission.
 
-:::note
-
-Account Owners and Global Admins have Namespace Admin permissions on all Namespaces.
-
-:::
-
 #### Account-level role details
 
 This table provides API-level details for the permissions granted to a user through account-level roles. These permissions are configured per user.
@@ -281,13 +275,19 @@ This table provides API-level details for the permissions granted to a user thro
 This table provides API-level details for the permissions granted to a user through Namespace-level permissions.
 These permissions are configured per Namespace per user.
 
+:::note
+
+Account Owners and Global Admins inherit Namespace Admin permissions on all Namespaces.
+
+:::
+
 | Permission                         | Read | Write | Namespace Admin |
 | ---------------------------------- | ---- | ----- | --------------- |
 | CountWorkflowExecutions            | ✔    | ✔     | ✔               |
-| CreateExportSink                   |      | ✔     | ✔               |
+| CreateExportSink                   |      |       | ✔               |
 | CreateSchedule                     |      | ✔     | ✔               |
-| DeleteExportSink                   |      | ✔     | ✔               |
-| DeleteNamespace                    |      | ✔     | ✔               |
+| DeleteExportSink                   |      |       | ✔               |
+| DeleteNamespace                    |      |       | ✔               |
 | DeleteSchedule                     |      | ✔     | ✔               |
 | DescribeBatchOperation             | ✔    | ✔     | ✔               |
 | DescribeNamespace                  | ✔    | ✔     | ✔               |
@@ -323,7 +323,7 @@ These permissions are configured per Namespace per user.
 | QueryWorkflow                      | ✔    | ✔     | ✔               |
 | RecordActivityTaskHeartbeat        |      | ✔     | ✔               |
 | RecordActivityTaskHeartbeatById    |      | ✔     | ✔               |
-| RenameCustomSearchAttribute        |      | ✔     | ✔               |
+| RenameCustomSearchAttribute        |      |       | ✔               |
 | RequestCancelWorkflowExecution     |      | ✔     | ✔               |
 | ResetStickyTaskQueue               |      | ✔     | ✔               |
 | ResetWorkflowExecution             |      | ✔     | ✔               |
@@ -343,14 +343,28 @@ These permissions are configured per Namespace per user.
 | StartWorkflowExecution             |      | ✔     | ✔               |
 | StopBatchOperation                 |      | ✔     | ✔               |
 | TerminateWorkflowExecution         |      | ✔     | ✔               |
-| UpdateExportSink                   |      | ✔     | ✔               |
-| UpdateNamespace                    |      | ✔     | ✔               |
+| UpdateExportSink                   |      |       | ✔               |
+| UpdateNamespace                    |      |       | ✔               |
 | UpdateSchedule                     |      | ✔     | ✔               |
+| UpdateSearchAttributes             |      |       | ✔               |
 | UpdateUserNamespacePermissions     |      |       | ✔               |
-| ValidateExportSink                 |      | ✔     | ✔               |
+| ValidateExportSink                 |      |       | ✔               |
 | ValidateGlobalizeNamespace         |      |       | ✔               |
 
-Account Owners and Global Admins will have Namespace Admin permissions on Namespaces.
+:::note UpdateNamespace settings
+
+`UpdateNamespace` requires Namespace Admin permission and covers these settings:
+- [Retention period](/temporal-service/temporal-server#retention-period)
+- [API key auth](/cloud/api-keys#namespace-authentication)
+- [mTLS certificates](/cloud/certificates)
+- [Certificate filters](/cloud/certificates#manage-certificate-filters)
+- [Codec server](/production-deployment/data-encryption)
+- [Connectivity rules](/cloud/connectivity)
+- [Custom Search Attributes](/search-attribute#custom-search-attribute)
+- [Provisioned capacity (TRUs)](/cloud/capacity-modes#provisioned-capacity)
+- [High Availability](/cloud/high-availability)
+
+:::
 
 ## How to troubleshoot account access issues {#troubleshoot-access}