added additional documentation

Author: Donna-Marie Smith

content/en/docs/2025.9/FAQs/configure-oidc-authentication/microsoft-entra.md

@@ -25,9 +25,9 @@ In order to configure a Microsoft Entra Provider a Microsoft Azure account with
     1. Click `+ Add a platform`.
     1. Select Single-page application and set:
         * `Redirect URIs` to `https://<Gateway-Server>/gateway/redirect`.
-        * `Front-channel logout URL` to `https://localhost:44321/signout-calback-oidc`.
+        * `Front-channel logout URL` to `https://localhost:44321/signout-callback-oidc`.
         * `Implicit grant and hybrid flows` to `ID tokens`.
-    1. Click `Save`.
+    1. Click `Configure`.
 1. Configure application permissions for a web API from Microsoft Graph using API Permissions:
     1. Select the application registration created in Step 1.
     1. Select `API permissions` from the menu on the left.
@@ -61,7 +61,7 @@ In order to configure a Microsoft Entra Provider a Microsoft Azure account with
         The Application ID URI must contain a unique identifier; this is prepopulated by default.
 
         * Click `+ Add a scope`.
-        * Set the `Scope name` to `Flows.Read`.
+        * Enter the `Scope name` as `Flows.Read`.
         * Set `Who can consent?` to `Admins and users`.
         * Enter an `Admin consent display name`, e.g. `Read Flows`.
         * Enter an `Admin consent description`, e.g. `Allows {{% ctx %}} client to read flows`.

content/en/docs/2025.9/Guides/user-guides/user-interfaces/gateway/Admin/Authentication.md

@@ -26,9 +26,9 @@ Groups set up in Microsoft Entra, provide for {{% ctx %}} Role assignment and {{
 The fields available in the OIDC form are:
 
 * `Provider Type` – the OIDC provider type. Currently, only Microsoft is the OIDC provider supported.
-* `Identifier` – Free-format, friendly unique name for this provider
-* `Display Name` – the text displayed in the {{% ctx %}} Gateway sign-in button
-* `Authority` – the URL for authentication to which to send authentication requests
+* `Identifier` – free-format, friendly unique name for this provider.
+* `Display Name` – the text displayed in the {{% ctx %}} Gateway sign-in button.
+* `Authority` – the URL for authentication to which to send authentication requests.
 * `Tenant Identifier` – the Microsoft Entra Tenant ID for the organisation managing authentication.
 * `Client Identifier` – the unique identifier to identify the {{% ctx %}} Gateway application to the authentication provider.
 * `Client Secret` – the client secret that validate the Client Identifier to the authentication provider.
@@ -50,7 +50,7 @@ The fields available in the LDAP form are:
 * `Use SSL` – a checkbox to select the LDAPS protocol rather than LDAP.
 * `Username` – the name of a user with read permissions in Active Directory. A Service Account is used.
 * `Password` – the password associated with the username entered in the Username field.
-* `Base DNs` – the Active Directory objects that can be accessed by {{% ctx %}} Gateway. The identity of the objects is expressed using their Distinguished Names. More than one Distinguished Name can be set to refer to multiple objects within Active Directory. If no Distinguished Names are set, the whole of the Active Directory is accessible.
+* `Base DNs` – the Active Directory objects that can be accessed by {{% ctx %}} Gateway. The identity of the objects is expressed using their Distinguished Names. More than one Distinguished Name can be set to refer to multiple objects within Active Directory. If no Distinguished Names are set, the whole of Active Directory is accessible.
 
 ## Actions
 

content/en/docs/2025.9/Guides/user-guides/user-interfaces/gateway/Admin/Authorisation.md

@@ -13,15 +13,34 @@ The Authorisation page is used to assign roles within {{% ctx %}} Gateway based
 
 ## Anatomy
 
-{{< figure src="/images/Authentication - OIDC.png" title="Open ID Connect Provider Configuration" >}}
+{{< figure src="/images/Authorisation.png" title="Authorisation" >}}
 
-TODO
+The Authorisation grid allows roles to be assigned to groups:
+
+* `Name` shows:
+  * For [LDAP Authentication][], the Active Directory domain, organisational units, containers and Security Groups in a hierarchical tree; these groups are limited to those defined by the Base DNs configured.
+  * For [OIDC Authentication][], the Provider's display name and groups in a hierarchical tree.
+
+* `Type` identifies the type of object for that row.
+* `Admin` and `Studio` are roles that can be assigned and contain checkboxes to indicated which object has access to which role.
+
+  * Admin – provides access to administrative functions within {{% ctx %}} Gateway, including the ability to set user roles and permissions, import and export flows, creation and management of packages, etc.
+  * Studio – provides access to set the permissions to view and/or edit any flow in the Flow Editor.
+
+    * View permissions allow users to view and execute flows in the Flow Editor.
+    * Edit permissions allow users to view, execute, create, edit, delete and commit flows.
+
+  Both the `Admin` and `Studio` roles may be assigned to a single group or groups of groups, to provide access to both the administrative functions in {{% ctx %}} Gateway and flows in the Flow Editor.
+
+  Note: The `LiveView` and `Reporting` roles do not apply to {{% ctx %}}.
 
 ## Actions
 
 ### Assign {{% ctx %}} Roles to Security Groups
 
-TODO
+If an individual Group object is checked (tick on a block background), then its parent objects will also be implicitly set (tick on a muted blue background). If a parent object is checked (tick on a saturated blue background), all its child objects will be implicitly set (tick on a muted grey background). Objects may be individually unset by clicking the checked checkbox.
+
+When all the role assignments have been completed, click the Save Changes button to commit the current role assignments.
 
 See the [Assign {{% ctx %}} Roles to Security Groups][Assign {{% ctx %}} Roles to Security Groups tutorial] tutorial for a step-by-step guide.