From a6e57009e3846181cc7be609107af81d3b460f1f Mon Sep 17 00:00:00 2001
From: Mike Escalante <mcescalante@gmail.com>
Date: Wed, 13 Nov 2024 16:50:40 -0800
Subject: [PATCH] [IAM] Update dash SCIM docs with new API token role (#18161)

- Add new SCIM Provisioning API token role to SCIM setup docs
- Add note recommending Account Owned Tokens for SCIM
- Improve wording in API token creation fundamentals and add links

Co-authored-by: Mike Escalante <mcescalante@cloudflare.com>
---
 .../account/account-security/scim-setup.mdx    | 18 ++++++++++--------
 .../partials/fundamentals/create-token.mdx     |  2 +-
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx
index 9c04ddbc9810b5..a84ffe8ef5f1f4 100644
--- a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx
+++ b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx
@@ -23,7 +23,7 @@ Currently, we only provide SCIM support for Enterprise customers, and for Micros
 
 :::note
 
-Accounts provisioned with SCIM need to verify their email addresses. 
+Accounts provisioned with SCIM need to verify their email addresses.
 :::
 
 ---
@@ -32,14 +32,16 @@ Accounts provisioned with SCIM need to verify their email addresses.
 
 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
 
-   | Type    | Item             | Permission |
-   | ------- | ---------------- | ---------- |
-   | Account | Account Settings | Read       |
-   | Account | Account Settings | Edit       |
-   | User    | Memberships      | Read       |
-   | User    | Memberships      | Edit       |
+   | Type    | Item              | Permission |
+   | ------- | ----------------- | ---------- |
+   | Account | SCIM Provisioning | Edit       |
 
-2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu.
+   :::note
+
+   Cloudflare recommends using Account Owned API tokens, but User API tokens are also supported.
+   :::
+
+2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable.
 
 3. Select **Continue to summary**.
 
diff --git a/src/content/partials/fundamentals/create-token.mdx b/src/content/partials/fundamentals/create-token.mdx
index 734f92d72ed093..416509ae49a4ec 100644
--- a/src/content/partials/fundamentals/create-token.mdx
+++ b/src/content/partials/fundamentals/create-token.mdx
@@ -13,7 +13,7 @@ Before you begin, [find your zone and account IDs](/fundamentals/setup/find-acco
 
 :::
 
-1. Determine if you want a user token or an account owned token. If you are developing a new service that you want multiple superadministrators to use and the endpoints that you are calling are compatible with account owned tokens, the option exists to use account tokens that are not connected to a specific user.
+1. Determine if you want a user token or an [Account Owned Token](/fundamentals/api/get-started/account-owned-tokens/). Use Account Owned Tokens if you prefer service tokens that are not associated with users and your [desired API endpoints are compatible](/fundamentals/api/get-started/account-owned-tokens/#compatibility-matrix).
 
 2. From the [Cloudflare dashboard](https://dash.cloudflare.com/profile/api-tokens/), go to **My Profile** > **API Tokens** for user tokens. For Account Tokens, go to **Manage Account** > **API Tokens**.