diff --git a/docs/img/access-controls/access-lists/create-new-access-list.png b/docs/img/access-controls/access-lists/create-new-access-list.png index f749d24690a20..91f8e12b9dbfe 100644 Binary files a/docs/img/access-controls/access-lists/create-new-access-list.png and b/docs/img/access-controls/access-lists/create-new-access-list.png differ diff --git a/docs/img/access-controls/device-trust/hosted-jamf.png b/docs/img/access-controls/device-trust/hosted-jamf.png index a7e0ed329e0c5..cc92fbb8d7ad7 100644 Binary files a/docs/img/access-controls/device-trust/hosted-jamf.png and b/docs/img/access-controls/device-trust/hosted-jamf.png differ diff --git a/docs/img/access-controls/device-trust/select-jamf.png b/docs/img/access-controls/device-trust/select-jamf.png index d517f5b32fe5d..eada2a22eabc4 100644 Binary files a/docs/img/access-controls/device-trust/select-jamf.png and b/docs/img/access-controls/device-trust/select-jamf.png differ diff --git a/docs/img/access-controls/dual-authz/approve-new-request.png b/docs/img/access-controls/dual-authz/approve-new-request.png new file mode 100644 index 0000000000000..989a8b9f2287e Binary files /dev/null and b/docs/img/access-controls/dual-authz/approve-new-request.png differ diff --git a/docs/img/access-controls/dual-authz/new-role-request-pending.png b/docs/img/access-controls/dual-authz/new-role-request-pending.png new file mode 100644 index 0000000000000..9f969a8d31c6a Binary files /dev/null and b/docs/img/access-controls/dual-authz/new-role-request-pending.png differ diff --git a/docs/img/access-controls/dual-authz/pending-access-request.png b/docs/img/access-controls/dual-authz/pending-access-request.png new file mode 100644 index 0000000000000..7b199f5fa03e8 Binary files /dev/null and b/docs/img/access-controls/dual-authz/pending-access-request.png differ 
diff --git a/docs/img/access-controls/dual-authz/request-success.png b/docs/img/access-controls/dual-authz/request-success.png new file mode 100644 index 0000000000000..4d15b692ef539 Binary files /dev/null and b/docs/img/access-controls/dual-authz/request-success.png differ diff --git a/docs/img/access-controls/dual-authz/role-new-request.png b/docs/img/access-controls/dual-authz/role-new-request.png new file mode 100644 index 0000000000000..e9248e8705d2e Binary files /dev/null and b/docs/img/access-controls/dual-authz/role-new-request.png differ diff --git a/docs/img/access-controls/dual-authz/teleport-4-bob-request.png b/docs/img/access-controls/dual-authz/teleport-4-bob-request.png deleted file mode 100644 index 1ce448265440c..0000000000000 Binary files a/docs/img/access-controls/dual-authz/teleport-4-bob-request.png and /dev/null differ diff --git a/docs/img/access-controls/dual-authz/teleport-6-ivan-approve.png b/docs/img/access-controls/dual-authz/teleport-6-ivan-approve.png deleted file mode 100644 index 55c509aee0302..0000000000000 Binary files a/docs/img/access-controls/dual-authz/teleport-6-ivan-approve.png and /dev/null differ diff --git a/docs/img/access-controls/dual-authz/teleport-7-bob-assume.png b/docs/img/access-controls/dual-authz/teleport-7-bob-assume.png deleted file mode 100644 index ae2d2d4284049..0000000000000 Binary files a/docs/img/access-controls/dual-authz/teleport-7-bob-assume.png and /dev/null differ diff --git a/docs/img/access-graph/main-view.png b/docs/img/access-graph/main-view.png index e7377c0be1dce..f4dee3aa03c6c 100644 Binary files a/docs/img/access-graph/main-view.png and b/docs/img/access-graph/main-view.png differ diff --git a/docs/img/access-monitoring/privileged_access_report.png b/docs/img/access-monitoring/privileged_access_report.png index 5ffa35a52a0be..73fc05ff8e257 100644 Binary files a/docs/img/access-monitoring/privileged_access_report.png and b/docs/img/access-monitoring/privileged_access_report.png differ 
diff --git a/docs/img/access-requests/approved-request.png b/docs/img/access-requests/approved-request.png deleted file mode 100644 index e9eac0222959f..0000000000000 Binary files a/docs/img/access-requests/approved-request.png and /dev/null differ diff --git a/docs/img/access-requests/new-role-request.png b/docs/img/access-requests/new-role-request.png index 645805031c6aa..e535c3b235eb1 100644 Binary files a/docs/img/access-requests/new-role-request.png and b/docs/img/access-requests/new-role-request.png differ diff --git a/docs/img/access-requests/role-assumed.png b/docs/img/access-requests/role-assumed.png deleted file mode 100644 index fb54321c00a9b..0000000000000 Binary files a/docs/img/access-requests/role-assumed.png and /dev/null differ diff --git a/docs/img/access-requests/submit-request.png b/docs/img/access-requests/submit-request.png index 7af7825d9709d..1e3873e16bf94 100644 Binary files a/docs/img/access-requests/submit-request.png and b/docs/img/access-requests/submit-request.png differ diff --git a/docs/img/add-resources.png b/docs/img/add-resources.png index 9b85c67ef6864..ed17f6eef9f3d 100644 Binary files a/docs/img/add-resources.png and b/docs/img/add-resources.png differ diff --git a/docs/img/architecture/agent-architecture.png b/docs/img/architecture/agent-architecture.png index a776d52a45944..10f680da0f791 100644 Binary files a/docs/img/architecture/agent-architecture.png and b/docs/img/architecture/agent-architecture.png differ diff --git a/docs/img/architecture/k8s-tunnel.png b/docs/img/architecture/k8s-tunnel.png index 9020a95efa27f..3f1561886d723 100644 Binary files a/docs/img/architecture/k8s-tunnel.png and b/docs/img/architecture/k8s-tunnel.png differ diff --git a/docs/img/architecture/proxy-peering@1.2x.png b/docs/img/architecture/proxy-peering@1.2x.png new file mode 100644 index 0000000000000..bb643b2183370 Binary files /dev/null and b/docs/img/architecture/proxy-peering@1.2x.png differ 
diff --git a/docs/img/architecture/proxy-peering@1.2x.svg b/docs/img/architecture/proxy-peering@1.2x.svg deleted file mode 100644 index 38426d728386f..0000000000000 --- a/docs/img/architecture/proxy-peering@1.2x.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/architecture/proxy-tunnel@1.2x.png b/docs/img/architecture/proxy-tunnel@1.2x.png index c59061e0b2637..5f56105b89543 100644 Binary files a/docs/img/architecture/proxy-tunnel@1.2x.png and b/docs/img/architecture/proxy-tunnel@1.2x.png differ diff --git a/docs/img/architecture/ssh-direct-mode@1.2x.png b/docs/img/architecture/ssh-direct-mode@1.2x.png new file mode 100644 index 0000000000000..05b33f3caeeb1 Binary files /dev/null and b/docs/img/architecture/ssh-direct-mode@1.2x.png differ diff --git a/docs/img/architecture/ssh-direct-mode@1.2x.svg b/docs/img/architecture/ssh-direct-mode@1.2x.svg deleted file mode 100644 index 0220ed61a488e..0000000000000 --- a/docs/img/architecture/ssh-direct-mode@1.2x.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/architecture/ssh-tunnel-mode@1.2x.png b/docs/img/architecture/ssh-tunnel-mode@1.2x.png new file mode 100644 index 0000000000000..d2247a64c62f1 Binary files /dev/null and b/docs/img/architecture/ssh-tunnel-mode@1.2x.png differ diff --git a/docs/img/architecture/tls-routing-alb.png b/docs/img/architecture/tls-routing-alb.png new file mode 100644 index 0000000000000..b87cfa0679701 Binary files /dev/null and b/docs/img/architecture/tls-routing-alb.png differ diff --git a/docs/img/architecture/tls-routing-alb.svg b/docs/img/architecture/tls-routing-alb.svg deleted file mode 100644 index 517452897f881..0000000000000 --- a/docs/img/architecture/tls-routing-alb.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file 
diff --git a/docs/img/architecture/tls-routing-connection-upgrade.png b/docs/img/architecture/tls-routing-connection-upgrade.png new file mode 100644 index 0000000000000..35e76b526c1a3 Binary files /dev/null and b/docs/img/architecture/tls-routing-connection-upgrade.png differ diff --git a/docs/img/architecture/tls-routing-connection-upgrade.svg b/docs/img/architecture/tls-routing-connection-upgrade.svg deleted file mode 100644 index efef146cab9a5..0000000000000 --- a/docs/img/architecture/tls-routing-connection-upgrade.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/desktop-access/passwordless-desktop.png b/docs/img/desktop-access/passwordless-desktop.png index 69add4bd0c576..62e8f8a95a087 100644 Binary files a/docs/img/desktop-access/passwordless-desktop.png and b/docs/img/desktop-access/passwordless-desktop.png differ diff --git a/docs/img/desktop-access/select-desktop.png b/docs/img/desktop-access/select-desktop.png deleted file mode 100644 index f299a4ffff871..0000000000000 Binary files a/docs/img/desktop-access/select-desktop.png and /dev/null differ diff --git a/docs/img/desktop-access/session-recording@2x.png b/docs/img/desktop-access/session-recording@2x.png index c7830c584e963..249ea812e07ab 100644 Binary files a/docs/img/desktop-access/session-recording@2x.png and b/docs/img/desktop-access/session-recording@2x.png differ diff --git a/docs/img/doc-submodules.png b/docs/img/doc-submodules.png index 602284018f094..8250180e268d8 100644 Binary files a/docs/img/doc-submodules.png and b/docs/img/doc-submodules.png differ diff --git a/docs/img/enterprise/license-expired.png b/docs/img/enterprise/license-expired.png index 30ea15f3d97e5..298a1888f62b8 100644 Binary files a/docs/img/enterprise/license-expired.png and b/docs/img/enterprise/license-expired.png differ 
diff --git a/docs/img/enterprise/license-warning.png b/docs/img/enterprise/license-warning.png index a27e7d8b06ce7..6f1b4f5a24cdb 100644 Binary files a/docs/img/enterprise/license-warning.png and b/docs/img/enterprise/license-warning.png differ diff --git a/docs/img/enterprise/license.png b/docs/img/enterprise/license.png index 656d06ecde634..d5a544bc97cef 100644 Binary files a/docs/img/enterprise/license.png and b/docs/img/enterprise/license.png differ diff --git a/docs/img/externalauditstorage/integration.png b/docs/img/externalauditstorage/integration.png index 4f57e19677cb4..1ff0256faa36b 100644 Binary files a/docs/img/externalauditstorage/integration.png and b/docs/img/externalauditstorage/integration.png differ diff --git a/docs/img/ha-diagram.png b/docs/img/ha-diagram.png index 48d3857ce7c70..f8cd6b45edf78 100644 Binary files a/docs/img/ha-diagram.png and b/docs/img/ha-diagram.png differ diff --git a/docs/img/k8s/architecture-diagram.png b/docs/img/k8s/architecture-diagram.png index bd36aa54a3d18..df348fcacd6b2 100644 Binary files a/docs/img/k8s/architecture-diagram.png and b/docs/img/k8s/architecture-diagram.png differ diff --git a/docs/img/k8s/auth.png b/docs/img/k8s/auth.png new file mode 100644 index 0000000000000..9b657ff14ae5a Binary files /dev/null and b/docs/img/k8s/auth.png differ diff --git a/docs/img/k8s/auth.svg b/docs/img/k8s/auth.svg deleted file mode 100644 index 4ec8e52d7372e..0000000000000 --- a/docs/img/k8s/auth.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/k8s/mini-diagrams/k8s-to-teleport-mono.png b/docs/img/k8s/mini-diagrams/k8s-to-teleport-mono.png new file mode 100644 index 0000000000000..3f226d9dba2fd Binary files /dev/null and b/docs/img/k8s/mini-diagrams/k8s-to-teleport-mono.png differ diff --git a/docs/img/k8s/mini-diagrams/k8s-to-teleport-mono.svg b/docs/img/k8s/mini-diagrams/k8s-to-teleport-mono.svg deleted file mode 100644 index b1d805c5870ac..0000000000000 
--- a/docs/img/k8s/mini-diagrams/k8s-to-teleport-mono.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/k8s/mini-diagrams/teleport-in-k8s-mono.png b/docs/img/k8s/mini-diagrams/teleport-in-k8s-mono.png new file mode 100644 index 0000000000000..e9f8562e2dea0 Binary files /dev/null and b/docs/img/k8s/mini-diagrams/teleport-in-k8s-mono.png differ diff --git a/docs/img/k8s/mini-diagrams/teleport-in-k8s-mono.svg b/docs/img/k8s/mini-diagrams/teleport-in-k8s-mono.svg deleted file mode 100644 index 4eb63105a1972..0000000000000 --- a/docs/img/k8s/mini-diagrams/teleport-in-k8s-mono.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/linux-server-diagram.png b/docs/img/linux-server-diagram.png index b372b7a476d25..0375c0fe62c7d 100644 Binary files a/docs/img/linux-server-diagram.png and b/docs/img/linux-server-diagram.png differ diff --git a/docs/img/login-success.png b/docs/img/login-success.png deleted file mode 100644 index bbe595dcaa294..0000000000000 Binary files a/docs/img/login-success.png and /dev/null differ diff --git a/docs/img/management/access-list-web-ui.png b/docs/img/management/access-list-web-ui.png index 2e1b1b0cd2e99..360d167251056 100644 Binary files a/docs/img/management/access-list-web-ui.png and b/docs/img/management/access-list-web-ui.png differ diff --git a/docs/img/management/check-users-web-ui.png b/docs/img/management/check-users-web-ui.png deleted file mode 100644 index 1f291b650a84f..0000000000000 Binary files a/docs/img/management/check-users-web-ui.png and /dev/null differ diff --git a/docs/img/management/datadog-diagram.png b/docs/img/management/datadog-diagram.png index 3b4f12f03aee3..71cfb3a6f42d2 100644 Binary files a/docs/img/management/datadog-diagram.png and b/docs/img/management/datadog-diagram.png differ 
diff --git a/docs/img/management/fluentd-diagram.png b/docs/img/management/fluentd-diagram.png index b08432c155f4f..cf525cc5d34dd 100644 Binary files a/docs/img/management/fluentd-diagram.png and b/docs/img/management/fluentd-diagram.png differ diff --git a/docs/img/management/panther-ingest.png b/docs/img/management/panther-ingest.png index 0ce0c5ac16d5e..ee8bdd26e2ab3 100644 Binary files a/docs/img/management/panther-ingest.png and b/docs/img/management/panther-ingest.png differ diff --git a/docs/img/openssh-proxy.svg b/docs/img/openssh-proxy.svg deleted file mode 100644 index 951de992945eb..0000000000000 --- a/docs/img/openssh-proxy.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/quickstart/welcome.png b/docs/img/quickstart/welcome.png index ccc008d4c6580..c509e0deb6b82 100644 Binary files a/docs/img/quickstart/welcome.png and b/docs/img/quickstart/welcome.png differ diff --git a/docs/img/request-access.png b/docs/img/request-access.png index 6938e77595cf0..aa577df57c2b5 100644 Binary files a/docs/img/request-access.png and b/docs/img/request-access.png differ diff --git a/docs/img/review-request.png b/docs/img/review-request.png index 3210b6344e994..989a8b9f2287e 100644 Binary files a/docs/img/review-request.png and b/docs/img/review-request.png differ diff --git a/docs/img/server-access/architecture.png b/docs/img/server-access/architecture.png index adad4d267343b..9b45b9a02f2b7 100644 Binary files a/docs/img/server-access/architecture.png and b/docs/img/server-access/architecture.png differ diff --git a/docs/img/server-access/getting-started-diagram.png b/docs/img/server-access/getting-started-diagram.png new file mode 100644 index 0000000000000..e5c3e8f23534d Binary files /dev/null and b/docs/img/server-access/getting-started-diagram.png differ diff --git a/docs/img/server-access/getting-started-diagram.svg b/docs/img/server-access/getting-started-diagram.svg deleted file mode 100644 index f7d1ce82dbc07..0000000000000 
--- a/docs/img/server-access/getting-started-diagram.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/server-access/openssh-proxy.png b/docs/img/server-access/openssh-proxy.png new file mode 100644 index 0000000000000..7513260741b33 Binary files /dev/null and b/docs/img/server-access/openssh-proxy.png differ diff --git a/docs/img/server-access/openssh-proxy.svg b/docs/img/server-access/openssh-proxy.svg deleted file mode 100644 index 6f0ab4076b37f..0000000000000 --- a/docs/img/server-access/openssh-proxy.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/server-access/teleport_ui.png b/docs/img/server-access/teleport_ui.png index cfae280711706..80af3d98c5c17 100644 Binary files a/docs/img/server-access/teleport_ui.png and b/docs/img/server-access/teleport_ui.png differ diff --git a/docs/img/spacelift.png b/docs/img/spacelift.png index a596db6502566..d78e17ba3ea96 100644 Binary files a/docs/img/spacelift.png and b/docs/img/spacelift.png differ diff --git a/docs/img/team-diagram.png b/docs/img/team-diagram.png index 6e4f62e66caad..b62255ad30120 100644 Binary files a/docs/img/team-diagram.png and b/docs/img/team-diagram.png differ diff --git a/docs/img/teleport-k8s-pod.png b/docs/img/teleport-k8s-pod.png new file mode 100644 index 0000000000000..ab9991fe9c8b1 Binary files /dev/null and b/docs/img/teleport-k8s-pod.png differ diff --git a/docs/img/teleport-kubernetes-outside.png b/docs/img/teleport-kubernetes-outside.png new file mode 100644 index 0000000000000..826a28263f292 Binary files /dev/null and b/docs/img/teleport-kubernetes-outside.png differ diff --git a/docs/img/teleport-kubernetes-outside.svg b/docs/img/teleport-kubernetes-outside.svg deleted file mode 100644 index 4d4d30747c668..0000000000000 --- a/docs/img/teleport-kubernetes-outside.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file 
diff --git a/docs/img/trusted-clusters/simplified-trusted-cluster-role-mapping.png b/docs/img/trusted-clusters/simplified-trusted-cluster-role-mapping.png index 76e4d8e15ea20..b5e8794b658bc 100644 Binary files a/docs/img/trusted-clusters/simplified-trusted-cluster-role-mapping.png and b/docs/img/trusted-clusters/simplified-trusted-cluster-role-mapping.png differ diff --git a/docs/img/trusted-clusters/simplified-trusted-cluster.png b/docs/img/trusted-clusters/simplified-trusted-cluster.png index d1721e9241095..931901392d267 100644 Binary files a/docs/img/trusted-clusters/simplified-trusted-cluster.png and b/docs/img/trusted-clusters/simplified-trusted-cluster.png differ diff --git a/docs/img/trusted-clusters/trusted-cluster-service-interaction.png b/docs/img/trusted-clusters/trusted-cluster-service-interaction.png index 3b9df301d66a6..5b6ea7bcb34ca 100644 Binary files a/docs/img/trusted-clusters/trusted-cluster-service-interaction.png and b/docs/img/trusted-clusters/trusted-cluster-service-interaction.png differ diff --git a/docs/img/trusted-clusters/trusted-clusters@1.5x.png b/docs/img/trusted-clusters/trusted-clusters@1.5x.png new file mode 100644 index 0000000000000..97958e1cf41d8 Binary files /dev/null and b/docs/img/trusted-clusters/trusted-clusters@1.5x.png differ diff --git a/docs/img/trusted-clusters/trusted-clusters@1.5x.svg b/docs/img/trusted-clusters/trusted-clusters@1.5x.svg deleted file mode 100644 index 526fb303ea510..0000000000000 --- a/docs/img/trusted-clusters/trusted-clusters@1.5x.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/img/use-teleport/kubernetes-login.png b/docs/img/use-teleport/kubernetes-login.png index d1b9c36cd3084..2f03c83bc4d1d 100644 Binary files a/docs/img/use-teleport/kubernetes-login.png and b/docs/img/use-teleport/kubernetes-login.png differ 
diff --git a/docs/img/webui_billing_cycle.png b/docs/img/webui_billing_cycle.png deleted file mode 100644 index e8ea8b8cc5a88..0000000000000 Binary files a/docs/img/webui_billing_cycle.png and /dev/null differ diff --git a/docs/img/windows-desktop-admins.yaml b/docs/img/windows-desktop-admins.yaml new file mode 100644 index 0000000000000..3c12c5f2cbd69 --- /dev/null +++ b/docs/img/windows-desktop-admins.yaml @@ -0,0 +1,10 @@ +kind: role +version: v6 +metadata: + name: windows-desktop-admins +spec: + allow: + windows_desktop_labels: + "*": "*" + windows_desktop_logins: ["Administrator", “bob”, “marie.mcallister@goteleport.com”] + diff --git a/docs/img/workload-identity/intro-diagram.png b/docs/img/workload-identity/intro-diagram.png index 04635cfbc355d..67e533499db05 100644 Binary files a/docs/img/workload-identity/intro-diagram.png and b/docs/img/workload-identity/intro-diagram.png differ diff --git a/docs/pages/admin-guides/access-controls/access-lists/guide.mdx b/docs/pages/admin-guides/access-controls/access-lists/guide.mdx index 081a5ff5d1ec7..72ebd74d7efb2 100644 --- a/docs/pages/admin-guides/access-controls/access-lists/guide.mdx +++ b/docs/pages/admin-guides/access-controls/access-lists/guide.mdx @@ -48,8 +48,7 @@ Try logging into the cluster with the test user to verify that no resources show ## Step 3/4. Create an Access List Next, we'll create a simple access list that will grant the `access` role to its members. -Login as the administrative user mentioned in the prerequisites. Navigate to the management pane and -click on access lists. Click on "Create an Access List." +Login as the administrative user mentioned in the prerequisites. Click on "Add New" in the left pane, and then "Create an Access List." ![Navigate to create new Access List](../../../../img/access-controls/access-lists/create-new-access-list.png) 
diff --git a/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx index 33317081f6135..e1782f1ea8492 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx @@ -143,14 +143,10 @@ page and click **ASSUME ROLES** to gain access to additional roles. Note: role-based access requests are additive. The user will have access to their standard role set in addition to the roles granted by the request. -![Approved Request](../../../../img/access-requests/approved-request.png) - A banner will appear at the top of the page while the approved access request is active. When elevated access is no longer necessary, click **Switch Back** to revert to the original set of roles. -![Assumed Roles](../../../../img/access-requests/role-assumed.png) - ## Next Steps ### Automatically request access for SSH diff --git a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx index 579c6f62bad81..9968c1b657e29 100644 --- a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx +++ b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx @@ -11,7 +11,7 @@ Here are the most common scenarios: - Satisfy FedRAMP AC-3 Dual authorization control that requires approval of two authorized individuals. In this guide, we will set up Teleport's Just-in-Time Access Requests to require -the approval of two team members for a privileged role `dbadmin`. +the approval of two team members for a privileged role `elevated-access`. The steps below describe how to use Teleport with Mattermost. You can also [integrate with many other providers](../access-requests/access-requests.mdx). 
@@ -117,10 +117,10 @@ authorization for a user to assume a role. ### Require dual authorization for a role Alice and Ivan are reviewers. They can approve requests for assuming role -`dbadmin`. Bob is a DevOps engineer and can assume the `dbadmin` role if two members +`elevated-access`. Bob is a DevOps engineer and can assume the `elevated-access` role if two members of the `reviewer` role approve the request. -Create the following `dbadmin`, `dbreviewer` and `devops` roles: +Create the following `elevated-access`, `dbreviewer` and `devops` roles: ```yaml kind: role @@ -130,7 +130,7 @@ metadata: spec: allow: review_requests: - roles: ['dbadmin'] + roles: ['elevated-access'] --- kind: role version: v5 @@ -139,7 +139,7 @@ metadata: spec: allow: request: - roles: ['dbadmin'] + roles: ['elevated-access'] thresholds: - approve: 2 deny: 1 @@ -147,7 +147,7 @@ spec: kind: role version: v5 metadata: - name: dbadmin + name: elevated-access spec: allow: logins: ['root'] 
@@ -166,52 +166,47 @@ $ tctl users add ivan@example.com --roles=dbreviewer ### Create an Access Request -Bob does not have a role `dbadmin` assigned to him, but can create an Access Request for it. - -Bob can create an Access Request for the `dbadmin` role in the Web UI or CLI: +Bob does not have a role `elevated-access` assigned to him, but can create an Access Request for this role in the Web UI or CLI: - ![Mattermost-Request](../../../../img/access-controls/dual-authz/teleport-4-bob-request.png) + ![Role-Request](../../../../img/access-controls/dual-authz/role-new-request.png) + ![Request-Success](../../../../img/access-controls/dual-authz/request-success.png) ```code # Bob has to set valid emails of Alice and Ivan matching in Mattermost. - $ tsh request create --roles=dbadmin --reviewers=alice@example.com,ivan@example.com + $ tsh request create --roles=elevated-access --reviewers=alice@example.com,ivan@example.com ``` -Chatbot will notify both Alice and Ivan: +The Web UI will notify the admin: -![Mattermost-Request](../../../../img/access-controls/dual-authz/mattermost-5-request.png) +![Mattermost-Request](../../../../img/access-controls/dual-authz/pending-access-request.png) -Alice and Ivan can review and approve request using Web UI or CLI: +The request can then be reviewed and approved through the Web UI or CLI: - ![Teleport-Approve](../../../../img/access-controls/dual-authz/teleport-6-ivan-approve.png) + ![Teleport-Approve](../../../../img/access-controls/dual-authz/approve-new-request.png) ```code $ tsh request list - # ID User Roles Created (UTC) Status - # ------------------------------------ --------------- ------- ------------------- ------- - # 9c721e54-b049-4ef8-a7f6-c777aa066764 bob@example.com dbadmin 03 Apr 21 03:58 UTC PENDING + # ID User Roles Created (UTC) Status + # ------------------------------------ ---------- --------------- ------------------- ------ + # 0193496f-268c-727e-b696-600a868429ff test (Bob) elevated-access 21 Nov 24 18:50 UTC 
PENDING - $ tsh request review --approve --reason="hello" 9c721e54-b049-4ef8-a7f6-c777aa066764 + $ tsh request review --approve --reason="Need to gain elevated-access for investigation" 0193496f-268c-727e-b696-600a868429ff # Successfully submitted review. Request state: APPROVED ``` -If Bob has created a request using CLI, he will assume it once it has been approved. -Bob can also assume granted Access Request roles using Web UI: - -![Teleport Assume](../../../../img/access-controls/dual-authz/teleport-7-bob-assume.png) - +If the user has created a request using CLI, the role will be assumed once it has been approved, or they can assume the role using the Web UI. ## Troubleshooting diff --git a/docs/pages/admin-guides/access-controls/sso/github-sso.mdx b/docs/pages/admin-guides/access-controls/sso/github-sso.mdx index 9e34f0bbb94c5..d8c78b6eed021 100644 --- a/docs/pages/admin-guides/access-controls/sso/github-sso.mdx +++ b/docs/pages/admin-guides/access-controls/sso/github-sso.mdx @@ -334,9 +334,7 @@ GitHub OAuth app: Teleport will request only the `read:org` OAuth scope. Read more about OAuth scopes in GitHub's documentation: [GitHub OAuth scopes](https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/) -After logging in successfully, you will see the following: - -![Login success view](../../../../img/login-success.png) +After logging in, you will receive a "Login Successful" window, which you can then close. You will receive the details of your user session within the CLI: diff --git a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx index a10cfa345a8e1..7b75dc050c066 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx 
@@ -364,10 +364,7 @@ created and granted the correct roles. -If you have UI access, connect to your Teleport cluster Web UI, open the -management panel, and select the "Users" tab. - -![Screenshot of the web UI listing alice and bob users](../../../../img/management/check-users-web-ui.png) +If you have UI access, connect to your Teleport cluster Web UI, select the "Users" tab. Two new users `alice` and `bob` should be present. diff --git a/docs/pages/enroll-resources/kubernetes-access/controls.mdx b/docs/pages/enroll-resources/kubernetes-access/controls.mdx index 5332e036201e2..44e9965404176 100644 --- a/docs/pages/enroll-resources/kubernetes-access/controls.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/controls.mdx @@ -201,7 +201,7 @@ headers](https://kubernetes.io/docs/reference/access-authn-authz/authentication/ to send requests to the API server with one Kubernetes user and zero or more Kubernetes groups. -![Impersonation](../../../img/k8s/auth.svg) +![Impersonation](../../../img/k8s/auth.png) The `kubernetes_users` and `kubernetes_groups` fields indicate which users and groups to allow a user to assume when they send requests to a Kubernetes API diff --git a/docs/pages/enroll-resources/server-access/getting-started.mdx b/docs/pages/enroll-resources/server-access/getting-started.mdx index 540348fc92bf8..9d6f9ffbc052b 100644 --- a/docs/pages/enroll-resources/server-access/getting-started.mdx +++ b/docs/pages/enroll-resources/server-access/getting-started.mdx @@ -31,7 +31,7 @@ that a user intends to access. bordered caption="Teleport Bastion" > - ![Teleport Bastion](../../../img/server-access/getting-started-diagram.svg) + ![Teleport Bastion](../../../img/server-access/getting-started-diagram.png) ## Prerequisites diff --git a/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx b/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx index 2e15c36552bf4..e69b9eb2616a3 100644 
--- a/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx +++ b/docs/pages/enroll-resources/server-access/guides/recording-proxy-mode.mdx @@ -12,7 +12,7 @@ when gradually transitioning large server fleets to Teleport. bordered caption="Teleport OpenSSH Recording Proxy" > - ![Teleport OpenSSH Recording Proxy](../../../../img/server-access/openssh-proxy.svg) + ![Teleport OpenSSH Recording Proxy](../../../../img/server-access/openssh-proxy.png) diff --git a/docs/pages/includes/plugins/create-request.mdx b/docs/pages/includes/plugins/create-request.mdx index 8c12face2823f..77bf2afa9cf9d 100644 --- a/docs/pages/includes/plugins/create-request.mdx +++ b/docs/pages/includes/plugins/create-request.mdx @@ -18,8 +18,7 @@ - Users can request access using the Web UI by visiting the "Access Requests" - tab and clicking "New Request": + Users can request access using the Web UI by visiting "Identity", clicking "Access Requests" and then "New Request": ![Creating an Access Request using the Web UI](../../../img/request-access.png) diff --git a/docs/pages/reference/architecture/agents.mdx b/docs/pages/reference/architecture/agents.mdx index 3d6f11fa5f3bf..1603abeef56db 100644 --- a/docs/pages/reference/architecture/agents.mdx +++ b/docs/pages/reference/architecture/agents.mdx @@ -133,7 +133,7 @@ In direct mode, SSH Service instances act like OpenSSH servers that only accept client SSH certificates. Users can connect to SSH servers through the Teleport Proxy Service as a jump-host or directly: -![Standard Mode](../../../img/architecture/ssh-direct-mode@1.2x.svg) +![Standard Mode](../../../img/architecture/ssh-direct-mode@1.2x.png) Direct mode is designed for legacy use cases and only supports self-hosted Teleport clusters. We recommend joining agents through the Teleport Proxy diff --git a/docs/pages/reference/architecture/proxy-peering.mdx b/docs/pages/reference/architecture/proxy-peering.mdx index 3fa5a2d2fb60b..4a081e6edef89 100644 
--- a/docs/pages/reference/architecture/proxy-peering.mdx +++ b/docs/pages/reference/architecture/proxy-peering.mdx @@ -44,7 +44,7 @@ By default, in Proxy Peering mode, agents are configured to connect to a single Teleport Proxy instance. For high availability a cluster administrator may configure agents to connect to 2 or more Teleport Proxy instances. -![Teleport Proxy Peering](../../../img/architecture/proxy-peering@1.2x.svg) +![Teleport Proxy Peering](../../../img/architecture/proxy-peering@1.2x.png) ## Next Steps - See the [migration guide](../../admin-guides/management/operations/proxy-peering.mdx) to learn how to upgrade an existing cluster to use diff --git a/docs/pages/reference/architecture/tls-routing.mdx b/docs/pages/reference/architecture/tls-routing.mdx index 3f72a91f45a91..d05baeef68615 100644 --- a/docs/pages/reference/architecture/tls-routing.mdx +++ b/docs/pages/reference/architecture/tls-routing.mdx @@ -145,7 +145,7 @@ Starting from version `13.0`, TLS routing can now be enabled allowing the Teleport Proxy Service to serve a single port behind a layer 7 load balancer or reverse proxy. -![Layer 7 load balancer setup](../../../img/architecture/tls-routing-alb.svg) +![Layer 7 load balancer setup](../../../img/architecture/tls-routing-alb.png) It is expected that the layer 7 load balancer or reverse proxy will terminate TLS with a public certificate, such as using ACM for AWS ALB. This means that @@ -162,7 +162,7 @@ uses the same connection upgrade principle as WebSockets. Starting from version 15.1, Teleport clients will send native WebSocket upgrades to extend its compatibility with more load balancers and reverse proxies. -![Connection upgrade](../../../img/architecture/tls-routing-connection-upgrade.svg) +![Connection upgrade](../../../img/architecture/tls-routing-connection-upgrade.png) Non-Teleport clients should require local proxies that can perform the special connection upgrades. 
diff --git a/docs/pages/usage-billing.mdx b/docs/pages/usage-billing.mdx index 266ca04fd9d11..4e2223087d0fc 100644 --- a/docs/pages/usage-billing.mdx +++ b/docs/pages/usage-billing.mdx @@ -72,22 +72,6 @@ calculate two types of billing metrics: - Monthly Active Users - Teleport Protected Resources -### Usage metrics in the Web UI - - - -This will be displayed only for those on usage-based plans. Users will need permission to read the billing resource. - - - - 1. Go to https://teleport.sh/ and enter your tenant name. - 1. Sign in using your administrator credentials. - 1. Click on "Access Management" at the top. - 1. Click on "Summary" under "Usage and Billing" at the left-hand side. - 1. Usage data for the current billing cycle will be displayed. Example: - - ![Billing Cycle](../img/webui_billing_cycle.png) - ### Monthly Active Users Monthly Active Users (MAU) is the aggregate number of unique active users
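
Review bot: In the new file docs/img/windows-desktop-admins.yaml, the `windows_desktop_logins` line wraps `bob` and `marie.mcallister@goteleport.com` in typographic quotes (“ ”) instead of ASCII double quotes, so YAML reads them as plain scalars and the quote characters become part of the login names. Replace them with `"bob"` and `"marie.mcallister@goteleport.com"`. The file is also a role manifest placed under docs/img, and none of the page hunks shown here reference it; if it is not an accidental commit, it belongs next to the page that includes it. Since the role allows the `Administrator` login on every desktop (`"*": "*"`), it is worth confirming that this is the scope the example is meant to show.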
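
Review bot: In docs/pages/admin-guides/access-controls/guides/dual-authz.mdx, hunk @@ -166,52 +166,47, the rewritten walkthrough no longer shows two approvals. "The Web UI will notify the admin:" and "The request can then be reviewed and approved" replace the sentences that named Alice and Ivan, and the CLI sample still reaches `Request state: APPROVED` after a single `tsh request review --approve`, while the `devops` role earlier in the file sets `approve: 2`. Suggest keeping both reviewers in the prose and showing each review as its own step. Smaller points in the same hunk: the sample output lists the user as `test (Bob)` although the guide creates `bob@example.com`, the alt text for pending-access-request.png still reads `Mattermost-Request`, and the reference to mattermost-5-request.png is dropped without the image being deleted in this patch.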
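
Review bot: docs/img/review-request.png is updated to blob 989a8b9f2287e, which is the same blob this patch adds as docs/img/access-controls/dual-authz/approve-new-request.png, so one screenshot is committed under two paths. Suggest having dual-authz.mdx reference `../../../../img/review-request.png` (or pointing the other page at the new file) and dropping the second copy, so the two do not drift apart at the next UI refresh.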
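
Review bot: In docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx, hunk @@ -364,10 +364,7, the added sentence `connect to your Teleport cluster Web UI, select the "Users" tab.` is a comma splice left over from removing "open the management panel". Suggest `connect to your Teleport cluster Web UI and select the "Users" tab.`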
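
Review bot: In docs/pages/usage-billing.mdx, hunk @@ -72,22 +72,6, the whole "Usage metrics in the Web UI" section is deleted along with webui_billing_cycle.png, including the note that viewing usage requires permission to read the billing resource. The other pages in this patch update their navigation steps to the new UI layout; if only the menu path changed here, update the steps and screenshot the same way instead of removing them. If the view itself no longer exists, say so in the commit description so the removal is not mistaken for cleanup.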