security: update OATs UI flow (#22197)

## Description - small update for new OATs scopes, impacts existing UI flow ## Related issues or tickets - [ENGDOCS-2476](https://docker.atlassian.net/browse/ENGDOCS-2476) ## Reviews - [ ] Editorial review [ENGDOCS-2476]: https://docker.atlassian.net/browse/ENGDOCS-2476?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ --------- Co-authored-by: Craig Osterhout <103533812+craig-osterhout@users.noreply.github.com>
2025-03-11 13:33:24 -04:00 · 2025-03-11 13:33:24 -04:00 · 8aa7128a74
parent 7bfeddc570
commit 8aa7128a74
1 changed files with 35 additions and 27 deletions
--- a/content/manuals/security/for-admins/access-tokens.md
+++ b/content/manuals/security/for-admins/access-tokens.md
@ -16,13 +16,10 @@ params:
 > [!WARNING]
 >
 > Organization access tokens (OATs) are not intended to be used with Docker
-> Desktop, and are incompatible.
+> Desktop or Docker Scout, and are incompatible.
 >
-> OATs are also currently incompatible with the following services:
+> If you use Docker Desktop or Docker Scout, you must use personal
->
+> access tokens instead.
 > - Docker Scout
 >
 > If you use Docker Desktop or one of these services, you must use personal access tokens instead.
 An organization access token (OAT) is like a [personal access token
 (PAT)](/security/for-developers/access-tokens/), but an OAT is associated with
@ -42,7 +39,9 @@ OATs provide the following advantages:
 - OATs have their own Docker Hub usage limits that don't count towards your
  personal account's limits.
-If you have existing [service accounts](/docker-hub/service-accounts/), Docker recommends that you replace the service accounts with OATs. OATs offer the following advantages over service accounts:
+If you have existing [service accounts](/docker-hub/service-accounts/),
 Docker recommends that you replace the service accounts with OATs. OATs offer
 the following advantages over service accounts:
 - Access permissions are easier to manage with OATs. You can assign access
  permissions to OATs, while service accounts require using teams for access
@ -63,10 +62,11 @@ If you have existing [service accounts](/docker-hub/service-accounts/), Docker r
 > Treat access tokens like a password and keep them secret. Store your tokens
 > securely in a credential manager for example.
-Company or organization owners can create up to 10 organization access tokens 
+Company or organization owners can create up to:
-(OATs) for organizations with a Team subscription and up to 100 OATs for 
+- 10 OATs for organizations with a Team subscription
-organizations with a Business subscription. Expired tokens count towards the 
+- 100 OATs for organizations with a Business subscription
-total amount of tokens.
+
 Expired tokens count towards the total amount of tokens.
 To create an OAT:
@ -78,23 +78,31 @@ To create an OAT:
 4. Select **Generate access token**.
-5. Add a label and optional description for your token. Use something that indicates the use case or purpose of the token.
+5. Add a label and optional description for your token. Use something that
 indicates the use case or purpose of the token.
 6. Select the expiration date for the token.
-7. Select the repository access for the token.
+7. Expand the **Repository** drop-down to set access permission
 scopes for your token. To set Repository access scopes:
    1. Optional. Select **Read public repositories**.
    2. Select **Add repository** and choose a repository from the drop-down.
    3. Set the scopes for your repository &mdash; **Image Push** or
    **Image Pull**.
    4. Add more repositories as needed. You can add up to 50 repositories.
-   The access permissions are scopes that set restrictions in your repositories.
+8. Optional. Expand the **Organization** drop-down and select the
-   For example, for Read & Write permissions, an automation pipeline can build
+**Allow management access to this organization's resources** checkbox. This
-   an image and then push it to a repository. However, it can't delete the
+setting enables organization management scopes for your token. The following
-   repository. You can select one of the following options:
+organization management scopes are available:
    - **Member Edit**: Edit members of the organization
    - **Member Read**: Read members of the organization
    - **Invite Edit**: Invite members to the organization
    - **Invite Read**: Read invites to the organization
    - **Group Edit**: Edit groups of the organization
    - **Group Read**: Read groups of the organization
-   - **Public repositories (read only)**
+9. Select **Generate token**. Copy the token that appears on the screen
   - **All repositories**: You can select read access, or read and write access.
   - **Select repositories**: You can select up to 50 repositories, and then
     select read access, or read and write access for each repository.
 8. Select **Generate token** and then copy the token that appears on the screen
   and save it. You won't be able to retrieve the token once you exit the
   screen.
@ -123,7 +131,7 @@ deactivate, or delete a token as needed.
 3. Under **Security and access**, select **Access tokens**.
-4. Select the actions menu on the far right of a token row, then select
+4. Select the actions menu in the token row, then select
   **Deactivate**, **Edit**, or **Delete** to modify the token. For **Inactive**
   tokens, you can only select **Delete**.