security: update OATs UI flow (#22197)

## Description
- small update for new OATs scopes, impacts existing UI flow

## Related issues or tickets
- [ENGDOCS-2476](https://docker.atlassian.net/browse/ENGDOCS-2476)

## Reviews
- [ ] Editorial review

[ENGDOCS-2476]:
https://docker.atlassian.net/browse/ENGDOCS-2476?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

---------

Co-authored-by: Craig Osterhout <103533812+craig-osterhout@users.noreply.github.com>

content/manuals/security/for-admins/access-tokens.md

@@ -15,14 +15,11 @@ params:
 
 > [!WARNING]
 >
-> Organization access tokens (OATs) are not intended to be used with Docker 
-> Desktop, and are incompatible.
+> Organization access tokens (OATs) are not intended to be used with Docker
+> Desktop or Docker Scout, and are incompatible.
 >
-> OATs are also currently incompatible with the following services:
->
-> - Docker Scout
->
-> If you use Docker Desktop or one of these services, you must use personal access tokens instead.
+> If you use Docker Desktop or Docker Scout, you must use personal
+> access tokens instead.
 
 An organization access token (OAT) is like a [personal access token
 (PAT)](/security/for-developers/access-tokens/), but an OAT is associated with
@@ -37,12 +34,14 @@ OATs provide the following advantages:
   if you find any suspicious activity.
 - You can limit what each OAT has access to, which limits the impact if an OAT
   is compromised.
-- All company or organization owners can manage OATs. If one owner leaves the 
+- All company or organization owners can manage OATs. If one owner leaves the
   organization, the remaining owners can still manage the OATs.
 - OATs have their own Docker Hub usage limits that don't count towards your
   personal account's limits.
 
-If you have existing [service accounts](/docker-hub/service-accounts/), Docker recommends that you replace the service accounts with OATs. OATs offer the following advantages over service accounts:
+If you have existing [service accounts](/docker-hub/service-accounts/),
+Docker recommends that you replace the service accounts with OATs. OATs offer
+the following advantages over service accounts:
 
 - Access permissions are easier to manage with OATs. You can assign access
   permissions to OATs, while service accounts require using teams for access
@@ -60,13 +59,14 @@ If you have existing [service accounts](/docker-hub/service-accounts/), Docker r
 
 > [!IMPORTANT]
 >
-> Treat access tokens like a password and keep them secret. Store your tokens 
+> Treat access tokens like a password and keep them secret. Store your tokens
 > securely in a credential manager for example.
 
-Company or organization owners can create up to 10 organization access tokens 
-(OATs) for organizations with a Team subscription and up to 100 OATs for 
-organizations with a Business subscription. Expired tokens count towards the 
-total amount of tokens.
+Company or organization owners can create up to:
+- 10 OATs for organizations with a Team subscription
+- 100 OATs for organizations with a Business subscription
+
+Expired tokens count towards the total amount of tokens.
 
 To create an OAT:
 
@@ -78,23 +78,31 @@ To create an OAT:
 
 4. Select **Generate access token**.
 
-5. Add a label and optional description for your token. Use something that indicates the use case or purpose of the token.
+5. Add a label and optional description for your token. Use something that
+indicates the use case or purpose of the token.
 
 6. Select the expiration date for the token.
 
-7. Select the repository access for the token.
+7. Expand the **Repository** drop-down to set access permission
+scopes for your token. To set Repository access scopes:
+    1. Optional. Select **Read public repositories**.
+    2. Select **Add repository** and choose a repository from the drop-down.
+    3. Set the scopes for your repository — **Image Push** or
+    **Image Pull**.
+    4. Add more repositories as needed. You can add up to 50 repositories.
 
-   The access permissions are scopes that set restrictions in your repositories.
-   For example, for Read & Write permissions, an automation pipeline can build
-   an image and then push it to a repository. However, it can't delete the
-   repository. You can select one of the following options:
+8. Optional. Expand the **Organization** drop-down and select the
+**Allow management access to this organization's resources** checkbox. This
+setting enables organization management scopes for your token. The following
+organization management scopes are available:
+    - **Member Edit**: Edit members of the organization
+    - **Member Read**: Read members of the organization
+    - **Invite Edit**: Invite members to the organization
+    - **Invite Read**: Read invites to the organization
+    - **Group Edit**: Edit groups of the organization
+    - **Group Read**: Read groups of the organization
 
-   - **Public repositories (read only)**
-   - **All repositories**: You can select read access, or read and write access.
-   - **Select repositories**: You can select up to 50 repositories, and then
-     select read access, or read and write access for each repository.
-
-8. Select **Generate token** and then copy the token that appears on the screen
+9. Select **Generate token**. Copy the token that appears on the screen
    and save it. You won't be able to retrieve the token once you exit the
    screen.
 
@@ -123,7 +131,7 @@ deactivate, or delete a token as needed.
 
 3. Under **Security and access**, select **Access tokens**.
 
-4. Select the actions menu on the far right of a token row, then select
+4. Select the actions menu in the token row, then select
    **Deactivate**, **Edit**, or **Delete** to modify the token. For **Inactive**
    tokens, you can only select **Delete**.