From a337066d46cf9d20740778c390811097792c657f Mon Sep 17 00:00:00 2001 From: Stacey Salamon Date: Wed, 22 Jan 2025 17:29:30 +0100 Subject: [PATCH] update: org admin permissions limitations --- docs/platform/concepts/permissions.md | 8 ++++---- docs/platform/howto/make-super-admin.md | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/platform/concepts/permissions.md b/docs/platform/concepts/permissions.md index 5d08251b0..c3c7179a2 100644 --- a/docs/platform/concepts/permissions.md +++ b/docs/platform/concepts/permissions.md @@ -26,10 +26,10 @@ and services within it. ### Organization roles -| Console name | API name | Allowed actions | -| ------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Organization member | None | This is the default role for all organization users. **You cannot grant this role to users.**

All non-managed organization users can:
[Managed users](/docs/platform/concepts/managed-users) have more restrictions. | -| Admin | `role:organization:admin` | | +| Console name | API name | Allowed actions | +| ------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Organization member | None | This is the default role for all organization users. **You cannot grant this role to users.**

All non-managed organization users can:
[Managed users](/docs/platform/concepts/managed-users) have more restrictions. | +| Admin | `role:organization:admin` | Cannot delete an organization or manage its super admin. | ### Organization permissions diff --git a/docs/platform/howto/make-super-admin.md b/docs/platform/howto/make-super-admin.md index 9431f4e1f..5bf36c8b8 100644 --- a/docs/platform/howto/make-super-admin.md +++ b/docs/platform/howto/make-super-admin.md @@ -10,6 +10,9 @@ The super admin role is a special role that has unrestricted access to an organi This role should be limited to as few users as possible for organization setup and emergency use. For daily administrative tasks, assign users the [organization admin role](/docs/platform/concepts/permissions) instead. Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa) for super admin. ::: +Only super admin can grant or revoke super admin privileges for other users. Super admin +are also the only users that can delete an organization. + To make a user a super admin: 1. In the organization, click **Admin**.
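Review bot: In the docs/platform/concepts/permissions.md hunk, the new Admin row places a restriction ("Cannot delete an organization or manage its super admin.") in a column headed "Allowed actions", so as shown in this diff the cell says what the role cannot do without saying what it can. Suggest leading the cell with the actions the admin role does allow and then stating the exception. "Manage its super admin" is also less precise than the wording added to make-super-admin.md ("grant or revoke super admin privileges"); using the same phrase in both files and linking this cell to /docs/platform/howto/make-super-admin would keep the two pages consistent. Separately, the header, separator and Organization member rows are changed only to re-pad the columns; keeping the original widths would limit the diff to the Admin line.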
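Review bot: In the docs/platform/howto/make-super-admin.md hunk, the two added sentences mix singular and plural: "Only super admin can grant" and "Super admin are also the only users". Suggest "Only super admins can grant or revoke super admin privileges for other users. Super admins are also the only users who can delete an organization." The paragraph sits between the closing ":::" of the admonition and "To make a user a super admin:", while the admonition already explains why the role should be limited and points to the organization admin role; consider moving these sentences next to that explanation so the restriction and the recommendation read together.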