diff --git a/_data/sidebars/doc_sidebar.yml b/_data/sidebars/doc_sidebar.yml
index f4c90beab..fe3bb2843 100755
--- a/_data/sidebars/doc_sidebar.yml
+++ b/_data/sidebars/doc_sidebar.yml
@@ -15,10 +15,6 @@ entries:
       url: /wavefront_introduction.html
       output: web
 
-    - title: "Subscription Types"
-      url: /subscriptions-differences.html
-      output: web
-       
     - title: Product FAQ
       output: web
       url: /tobs_faq.html
@@ -27,18 +23,44 @@ entries:
     output: web
     folderitems:
 
-    - title: Start a Free Trial
-      url:  /start_trial.html
+    - title: Subscription Types
+      url: /subscriptions-differences.html
       output: web
 
-    - title: Upgrade from Trial to Paid
-      url: /upgrade_and_purchase.html
-      output: web
+      subfolders:
 
-    - title: Purchase Additional Capacity
-      url: /purchase_additional_capacity.html
+      - title: Differences Explained
+        output: web
+        subfolderitems:
+        
+          - title: "UI Differences"
+            url: /csp-ui-differences.html
+            output: web
+            
+          - title: "Functionality Differences"
+            url: /csp-differences-by-area.html
+            output: web
+
+      - title: Free Trial and Purchases
+        output: web
+        subfolderitems:
+      
+        - title: Start a Free Trial
+          url:  /start_trial.html
+          output: web
+
+        - title: Upgrade from Trial to Paid
+          url: /upgrade_and_purchase.html
+          output: web
+
+        - title: Purchase Additional Capacity
+          url: /purchase_additional_capacity.html
+          output: web
+      
+    - title: "Onboarding Original to VMware Cloud Services"
+      url: /csp_migration.html
       output: web
-  
+   
   - title: Quickstart & Tutorials
     output: web
     folderitems:
@@ -475,6 +497,10 @@ entries:
     - title: Integrations Overview
       url: /integrations.html
       output: web
+    
+    - title: How Integration Authentication Works
+      url: /integrations_onboarded_subscriptions.html
+      output: web
 
     - title: Complete List of Integrations
       url: /label_integrations%20list.html
@@ -926,6 +952,14 @@ entries:
           - title: Manage Server to Server Apps
             url: /csp_server_to_server_apps.html
             output: web
+
+          - title: Manage Service Accounts
+            url: /csp_service_accounts.html
+            output: web
+
+          - title: Manage Tokens
+            url: /csp_api_tokens.html
+            output: web
             
         - title: Manage Access to Objects
           output: web
diff --git a/images/csp-admin-tasks.png b/images/csp-admin-tasks.png
new file mode 100644
index 000000000..9da838f7f
Binary files /dev/null and b/images/csp-admin-tasks.png differ
diff --git a/images/csp-api-token-apps.png b/images/csp-api-token-apps.png
new file mode 100644
index 000000000..3cdf759fa
Binary files /dev/null and b/images/csp-api-token-apps.png differ
diff --git a/images/csp-api-token-user.png b/images/csp-api-token-user.png
new file mode 100644
index 000000000..47e7278b1
Binary files /dev/null and b/images/csp-api-token-user.png differ
diff --git a/images/csp-onboarding-flow.png b/images/csp-onboarding-flow.png
new file mode 100644
index 000000000..f59ebc43e
Binary files /dev/null and b/images/csp-onboarding-flow.png differ
diff --git a/images/csp-replace-api-token.png b/images/csp-replace-api-token.png
new file mode 100644
index 000000000..9529ab6cc
Binary files /dev/null and b/images/csp-replace-api-token.png differ
diff --git a/images/csp-replace-service-account.png b/images/csp-replace-service-account.png
new file mode 100644
index 000000000..b82b39c4d
Binary files /dev/null and b/images/csp-replace-service-account.png differ
diff --git a/images/csp-user-accounts-migration.png b/images/csp-user-accounts-migration.png
new file mode 100644
index 000000000..da7cf2e64
Binary files /dev/null and b/images/csp-user-accounts-migration.png differ
diff --git a/images/csp_API_tokens.png b/images/csp_API_tokens.png
new file mode 100644
index 000000000..e9601f695
Binary files /dev/null and b/images/csp_API_tokens.png differ
diff --git a/images/csp_metrics_s_edit_rule.png b/images/csp_metrics_s_edit_rule.png
new file mode 100644
index 000000000..d8b43d5f6
Binary files /dev/null and b/images/csp_metrics_s_edit_rule.png differ
diff --git a/images/csp_sa_add_permission_global.png b/images/csp_sa_add_permission_global.png
new file mode 100644
index 000000000..734f65b10
Binary files /dev/null and b/images/csp_sa_add_permission_global.png differ
diff --git a/images/new-vs-original-accounts.png b/images/new-vs-original-accounts.png
new file mode 100644
index 000000000..9306c2167
Binary files /dev/null and b/images/new-vs-original-accounts.png differ
diff --git a/images/new-vs-original-menu.png b/images/new-vs-original-menu.png
index aa1c89abc..f6fe7fece 100644
Binary files a/images/new-vs-original-menu.png and b/images/new-vs-original-menu.png differ
diff --git a/images/user-management-comparison.png b/images/user-management-comparison.png
new file mode 100644
index 000000000..38fc7090c
Binary files /dev/null and b/images/user-management-comparison.png differ
diff --git a/pages/doc/2020_10.x_release_notes.md b/pages/doc/2020_10.x_release_notes.md
index ee14b1ff5..1549cff8e 100644
--- a/pages/doc/2020_10.x_release_notes.md
+++ b/pages/doc/2020_10.x_release_notes.md
@@ -32,7 +32,7 @@ If you are currently using an IAM Policy with Limited Access, review our changes
 
 Changes support more efficient and new APIs we are using. For example, in the next release (2010.14.x) we will start querying Cloudwatch using `cloudwatch:GetMetricData` API calls (instead of the older `cloudwatch:GetMetricStatistics` API calls). As a result, we can fetch multiple metrics in one API call and significantly reduce the number of API calls for retrieving metrics from AWS.
 
-
+ 
 ## Operators gt, lt, ge, le, eq, ne
 
 The new operators allow you to easily [filter on the query line](query_language_recipes.html#compare-with-operators-lt-gt-le-ge-eq-ne). You can use multiple operators, for example, to find values that are between specified values, as in this example:
diff --git a/pages/doc/accounts-service.md b/pages/doc/accounts-service.md
index b32d113cf..47980ac0f 100644
--- a/pages/doc/accounts-service.md
+++ b/pages/doc/accounts-service.md
@@ -7,7 +7,7 @@ permalink: service-accounts.html
 summary: Create and manage service accounts.
 ---
 
-{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for **original** subscribers. For VMware Cloud services subscriptions, see [Manage Server to Server Apps](csp_server_to_server_apps.html)."%}
+{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for **original** subscribers. For VMware Cloud services subscriptions, see [Manage Server to Server Apps](csp_server_to_server_apps.html) and [Manage Service Accounts](csp_service_accounts.html)."%}
 
 VMware Aria Operations for Applications (formerly known as Tanzu Observability by Wavefront) supports service accounts that can be used to automate management of objects such as dashboards, alerts, etc. A service account can't perform the **UI operations** that all user accounts can [perform by default](user-accounts.html#what-can-a-new-user-do). There's no limit on the number of service accounts that you can create in your organization. 
 
@@ -19,11 +19,11 @@ Each service account that you create is automatically added to the **Service Acc
 
 Service accounts are used for automating management tasks.
 
-* A service account uses a **token** to authenticate.
+* A service account uses an **API token** to authenticate.
 * Each account is automatically added to the **Service Accounts** group. If a role is assigned to that group, the service account gets the permissions from that role.
 * Service accounts can be added to any group to get that group's role (and permissions).
 
-As a user with the **Accounts** permission, you [generate (and revoke, if needed)](api_tokens.html#generate-and-manage-the-api-tokens-for-a-service-account) authentication tokens for the service account. It’s also possible to deactivate a service account completely. 
+As a user with the **Accounts** permission, you [generate (and revoke, if needed)](api_tokens.html#generate-and-manage-the-api-tokens-for-a-service-account) API tokens for the service account. It’s also possible to deactivate a service account completely. 
 
 ## How Service Accounts Work
 
diff --git a/pages/doc/api_tokens.md b/pages/doc/api_tokens.md
index 19de6d9bc..09fb63429 100644
--- a/pages/doc/api_tokens.md
+++ b/pages/doc/api_tokens.md
@@ -7,7 +7,7 @@ permalink: api_tokens.html
 summary: Learn how you can generate and manage API tokens in VMware Aria Operations for Applications (previously known as Tanzu Observability by Wavefront).
 ---
 
-{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for **original** subscribers. VMware Cloud services subscriptions use VMware Cloud services API tokens. For details, see [Subscription Types](subscriptions-differences.html)."%}
+{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for **original** subscriptions. For VMware Cloud services subscriptions, see [Manage Tokens](csp_api_tokens.html)."%}
 
 Before you can invoke the [REST API](wavefront_api.html) using `curl` or from an API client, you must have an API token. An API token is a string of hexadecimal characters and dashes. For example:
 
diff --git a/pages/doc/csp_access.md b/pages/doc/csp_access.md
index 302c59821..0964f9629 100644
--- a/pages/doc/csp_access.md
+++ b/pages/doc/csp_access.md
@@ -11,19 +11,14 @@ summary: Control access to individual dashboards and alerts.
 
 VMware Cloud services supports the roles and groups authorization paradigm for managing global permissions in VMware Aria Operations for Applications. For example, a user with the **Dashboards** service role can manage *all* dashboards in Operations for Applications. This paradigm is sufficient for many of our customers.
 
-Users with the [**Super Admin** service role](csp_users_roles.html#operations-for-applications-service-roles-built-in) who need finer-grained control can manage access on a per-object basis. We currently support access control for dashboards and alerts.
+Users with the **Admin** and **Super Admin** service roles who need finer-grained control can manage access on a per-object basis. We currently support access control for dashboards and alerts.
 
 {% include note.html content="Permission and access control are additive. To make changes to a dashboard, you must have a role with the **Dashboards** permission and **View and Modify** access for that dashboard." %}
 
-{% include tip.html content="In addition to access control, Operations for Applications also support [metrics security policy rules](csp_metrics_security.html) which allow fine-grained control over which users can see which metrics." %}
+{% include tip.html content="In addition to access control, Operations for Applications also supports [metrics security policy rules](csp_metrics_security.html) which allow fine-grained control over which users can see which metrics." %}
 
-This video shows how to limit access for a dashboard, how to give access (share) that dashboard, and how to set the security setting. You can manage access for alerts the same way. 
 
-Note that this video was created in 2020 and some of the information in it might have changed. It also uses the 2020 version of the UI.
-
-<p><iframe id="kmsembed-1_lckq6foe" width="700" height="400" src="https://vmwaretv.vmware.com/embed/secure/iframe/entryId/1_lckq6foe/uiConfId/49694343/st/0" class="kmsembed" allowfullscreen webkitallowfullscreen mozAllowFullScreen allow="autoplay *; fullscreen *; encrypted-media *" referrerPolicy="no-referrer-when-downgrade" frameborder="0" title="Object-Based Access Control"></iframe></p>
-
-{% include note.html content="After the access setting is set to **Object Creator** in an environment, only the creator of a new object and the users with **Super Admin** service role can view and modify new objects initially. Those users can give access to the object with other groups or users." %}
+{% include note.html content="After the access setting is set to **Object Creator** in an environment, only the creator of a new object and users the **Super Admin** service role can view and modify new objects initially. Those users can give access to the object with other groups or users." %}
 
 
 ## How Access Control Works
@@ -37,10 +32,10 @@ Operations for Applications supports granting and revoking access to dashboards
   - Restrict or grant access for individual alerts from the Alerts browser.
   - Click the **Share** icon on individual alerts to change who has access.
 
-In high-security environments, users with the **Super Admin** service role can change the security setting to **Object Creator**. After that change:
-* Each *new* object (dashboard or alert) is visible only to the creator of the object and to the users with the **Super Admin** service role with enabled Super Admin mode.
+In high-security environments, users with the **Admin** and **Super Admin** service roles can change the security setting to **Object Creator**. After that change:
+* Each *new* object (dashboard or alert) is visible only to the creator of the object and to the users with the **Admin** service role.
 * The object creator and the users with the **Super Admin** service role can then share new dashboards with groups or users.
-* If a user with the **Super Admin** service role changes the security setting back to allow **Everyone** access, then the objects that were created while the strict security setting was set, continue to be governed by access control.
+* If a user with the **Admin** or **Super Admin** service role changes the security setting back to allow **Everyone** access, then the objects that were created while the strict security setting was set, continue to be governed by access control.
 
 ## Change Access for One or More Dashboards or Alerts
 
@@ -79,17 +74,18 @@ Initially, all users can *view* all dashboards and alerts. In addition, global p
 * Users with **Dashboards** permission can modify all dashboards.
 * Users with **Alerts** permission can modify all alerts.
 
-As a user with the **Super Admin** service role, you can restrict access for new dashboards and alerts:
+As a user with the **Admin** or **Super Admin** service role, you can restrict access to new dashboards and alerts:
 
-1. Log in to your service instance and [enable Super Admin mode](csp_users_account_managing.html#enable-or-disable-super-admin-mode).
+1. Log in to your service instance.
+1. If you are a **Super Admin** user, [enable Super Admin mode](csp_users_account_managing.html#enable-or-disable-super-admin-mode).
 1. From the gear icon <i class="fa fa-cog"/> on the toolbar, select **Organization Settings**.
 2. Click the **Security** tab and select **Object Creator**.
 
-After the change, access to new dashboards and new alerts is initially limited to the dashboard creator and the users with the **Super Admin** service role. Those users can share the objects with groups or individual users by giving **View** access or **View & Modify** access.
+After the change, access to new dashboards and new alerts is initially limited to the dashboard creator and the users with the **Admin** or **Super Admin** service roles. Those users can share the objects with groups or individual users by giving **View** access or **View & Modify** access.
 
-{% include note.html content="A change to the security setting applies only to dashboards and alerts created after the change. If you change the setting to **Object Creator**, only new dashboards and alerts have restricted access. If you later change the setting to **Everyone**, all dashboards and alerts that were created while the setting was **Object Creator** keep the restricted access." %}
+{% include note.html content="A change to the security setting applies only to dashboards and alerts created **after** the change. If you change the setting to **Object Creator**, only new dashboards and alerts have restricted access. If you later change the setting to **Everyone**, all dashboards and alerts that were created while the setting was **Object Creator** keep the restricted access." %}
 
-By default, service accounts (which correspond to server to server apps in VMware Cloud services) don't have browse permissions. However, you can also grant access for new dashboards and alerts to service accounts:
+By default, service accounts (which includes the [server to server apps](csp_server_to_server_apps.html) in VMware Cloud services as well as the [service accounts](csp_service_accounts.html) in Operations for Applications) don't have browse permissions. However, you can also grant access for new dashboards and alerts to service accounts:
 
 1. From the gear icon <i class="fa fa-cog"/> on the toolbar, select **Organization Settings**.
 2. Click the **Security** tab, select **Grant Modify Access To:  Everyone** and **Service Accounts**.
@@ -101,7 +97,7 @@ If you can no longer access a dashboard or alert, it was either deleted (moved t
 * If a dashboard was deleted and moved to trash less than 30 days ago, a user with the **Dashboards** permission can [restore the deleted dashboard](ui_dashboards.html#delete-and-recover-a-deleted-dashboard).
 * If an alert was deleted and moved to trash less than 30 days ago, a user with the **Alerts** permission can [restore the deleted alert](alerts_manage.html#restore-a-deleted-alert).
 * If a dashboard was deleted and moved to trash more than 30 days ago, or was permanently deleted, and no one, including users with the **Super Admin** service role, can find the dashboard. A user with the **Super Admin** can attempt to [restore the dashboard by using the API](#recover-a-permanently-deleted-dashboard).
-* If the access settings to a dashboard or alert have changed, you can ask a user with the **Super Admin** service role to [restore the access for you](#changing-access-for-individual-dashboards-or-alerts).
+* If the access settings to a dashboard or alert have changed, you can ask a user with the **Admin** or **Super Admin** service role to [restore the access for you](#changing-access-for-individual-dashboards-or-alerts).
 * If all users and groups can no longer access a specific dashboard or alert, a user with the **Super Admin** service role may need to check if it is in an orphaned state. A user with the **Super Admin** service role can [make orphan dashboards and alerts visible](#make-orphan-dashboards-or-alerts-visible).
 
 Only a user with the **Super Admin** service role can restore dashboard permissions and attempt to restore a permanently deleted dashboard.
@@ -125,10 +121,10 @@ A permanently deleted dashboard does not show in the trash and becomes inaccessi
 2. From the gear icon <i class="fa fa-cog"/> on the toolbar, select **API Documentation**.
 3. Expand the **Dashboard** category and click the `GET api/v2/dashboard/{id}/history/{version}` request.
 4. Enter the dashboard name as the `"id"` parameter.
-   For example, if the dashboard URL is `https://<your_instance>.wavefront.com/dashboards/MY-DASHBOARD`, then the `"id"` that you should enter is *MY-DASHBOARD*.
+   For example, if the dashboard URL is `https://<your_instance>.wavefront.com/dashboards/MY-DASHBOARD`, then the `"id"` that you should enter is `MY-DASHBOARD`.
 5. Enter the last known version of the dashboard as an integer.
 
-   If you don't know the version, you can enter *1*. This way, you also determine whether the dashboard `"id"` input has ever existed.
+   If you don't know the version, you can enter `1`. This way, you also determine whether the dashboard `"id"` input has ever existed.
 
 6. Click **Execute**.
 
@@ -148,17 +144,17 @@ A permanently deleted dashboard does not show in the trash and becomes inaccessi
 
 
    ```
-{
-  "modifyAclAccess":true,
-  "hidden":false,
-  "parameters":{},
-    "name":"MY DASHBOARD",
-    "id":"MY-DASHBOARD",
-    ...
-
-    "favorite":false,
-    "numCharts":2
-}
+   {
+   "modifyAclAccess":true,
+   "hidden":false,
+   "parameters":{},
+      "name":"MY DASHBOARD",
+      "id":"MY-DASHBOARD",
+      ...
+
+      "favorite":false,
+      "numCharts":2
+   }
 
    ```
 8. Click the `POST api/v2/dashboard/` request.
@@ -170,4 +166,4 @@ A permanently deleted dashboard does not show in the trash and becomes inaccessi
 
 10. Validate that the dashboard is now live again.
 
-    For example, navigate to `https://<your_instance>.wavefront.com/dashboards/MY-DASHBOARD/history` and you should now be able to review the dashboard history by using the GUI.
+    For example, navigate to `https://<your_instance>.wavefront.com/dashboards/MY-DASHBOARD/history` and you should now be able to review the dashboard history by using the Operations for Applications UI.
diff --git a/pages/doc/csp_accounts-service.md b/pages/doc/csp_accounts-service.md
new file mode 100644
index 000000000..48ba033dc
--- /dev/null
+++ b/pages/doc/csp_accounts-service.md
@@ -0,0 +1,128 @@
+---
+title: Manage Service Accounts in Operations for Applications on VMware Cloud Services
+keywords: administration
+tags: [administration]
+sidebar: doc_sidebar
+permalink: csp_service_accounts.html
+summary: Learn how you can create and manage service accounts.
+---
+
+{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for VMware Cloud services subscriptions. For **original** subscriptions, see [Manage Service Accounts](service-accounts.html)."%}
+
+{% include important.html content="Service accounts are enabled only for a **limited number** of VMware Cloud services subscriptions, because The usage of service accounts in Operations for Applications on VMware Cloud services is **restricted** to support only a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens) that still authenticate with Operations for Applications API tokens. We are in the process of updating all of our integrations to authenticate with VMware Cloud services access tokens. Service accounts and Operations for Applications API tokens will be deprecated in the future. To enable service accounts for your service instance, [contact](wavefront_support_feedback.html) our Technical Support team. "%}
+
+If your service was recently onboarded to VMware Cloud services, you might have some legacy service accounts for backward compatibility. It's recommended that you incrementally switch to using [server to server OAuth apps](csp_server_to_server_apps.html) which authenticate with more secure VMware Cloud services access tokens. See [How to Replace a Service Account with a Server to Server App?](csp_migration.html#how-to-replace-a-service-account-with-a-server-to-server-app).
+
+## What Are Service Accounts?
+
+* A service account uses an **Operations for Applications API token** to authenticate.
+* By default, service accounts don't have any permissions, even view permissions. Users with the **Admin** service role must explicitly grant each service account only the permission required for the task that’s being automated (least required privilege). There's no limit on the number of service accounts that you can create in your service instance. 
+
+As a user with the **Admin** service role, you [generate (and revoke, if needed)](csp_api_tokens.html#managing-the-operations-for-applications-api-tokens-for-a-service-account) the API tokens for the service account. It’s also possible to [deactivate](csp_service_accounts.html#deactivate-or-activate-a-service-account) a service account completely. 
+
+{% include note.html content="Operations for Applications includes the **Service Accounts** internal system group, where all service accounts together with the [server to server apps](csp_server_to_server_apps.html) that have access to the service are added automatically. This group doesn't have any roles and permissions. This group can be used when managing [access to dashboards and alerts](csp_access.html), [metrics security policy rules](csp_metrics_security.html), and [ingestion policies](ingestion_policies.html)."%}
+
+## How Service Accounts Work
+
+If you plan to set up an integration that uses a proxy authentication with an Operations for Applications API token, you must create a service account with the **Proxies** permission and generate an API token for it.
+
+1. Create a service account from the UI. The service account name must be unique.
+2. Assign the service account with the **Proxies** permission.
+3. Set up the proxy in your integration to pass the API token of the service account.
+
+   The proxy authenticates seamlessly to the API without embedding secret keys or user credentials in your instance, image, or application code.
+
+You can disable a service account if you temporarily don't need it, or you can delete the service account permanently.
+
+
+## Create a Service Account
+
+Service accounts are created in Operations for Applications.
+
+1. Log in to your service instance as a user with the **Admin** service role.
+1. From the gear icon <i class="fa fa-cog"/> on the toolbar, select **Accounts**.
+2. Click the **Service Accounts** tab and click **Create New Account**.
+3. On the **New Service Account** page, specify the account details and click **Create**.
+
+<table style="width: 100%;">
+<tbody>
+<thead>
+<tr><th width="15%">Field</th><th width="85%">Description</th></tr>
+</thead>
+<tr>
+<td>
+Account ID</td>
+<td>ID of the account. We prefix this ID with <strong>sa::</strong>. <p>A service account name must be unique. Operations for Applications converts a service account ID to lower case to avoid confusion that can result from almost identical account names (e.g. Service-1 and service-1). Users can type upper case or lower case. </p> </td>
+</tr>
+<tr>
+<td>
+Tokens</td>
+<td>List of API tokens that the service account can use to authenticate to the Operations for Applications service instance.
+<ul><li>Click the <strong>Edit</strong> icon to change the token name. </li>
+<li>Click <strong>Revoke</strong> to revoke a token. Any service account that uses the token can no longer authenticate to the service instance. </li>
+<li>Click <strong>Generate</strong> to generate additional tokens. Having multiple active tokens makes it possible to revoke some tokens. For example, if the service connects to several proxies, you can generate a token to connect to each proxy. You can revoke the token for one proxy but leave the others. You can have up to 20 API tokens per service account at any given time.</li>
+<li>Click the <strong>Copy to Clipboard</strong> icon to copy the token for pasting.</li>
+</ul></td>
+</tr>
+<tr>
+<td>Permissions</td>
+<td>Individual permissions assigned to this service account. Assign the service account with the <strong>Proxies</strong> permission, so that you can use it for the proxy setup of an integration that authenticates with an Operations for Applications API token.</td>
+</tr>
+</tbody>
+</table>
+
+## Deactivate or Activate a Service Account
+
+You can temporarily (or permanently) deactivate a service account. When an account is deactivated, none of the corresponding tokens work.
+
+You can activate or deactivate a service account from the **Service Accounts** page or from the **Edit Service Account** page.
+
+<table style="width: 100%;">
+<tbody>
+<tr>
+<td width="50%">
+To activate or deactivate an account from the <strong>Service Accounts</strong> page:
+<ul><li>Click the ellipsis icon in front of the service account. </li>
+<li>Select <strong>Activate</strong> or <strong>Deactivate</strong>.</li>
+</ul></td>
+<td width="50%"><img src="/images/sa_deactivate_multi.png" alt="deactivate or activate a service account"/></td>
+</tr>
+<tr>
+<td width="50%">
+To activate or deactivate an account from the <strong>Edit Service Account</strong> page:
+<ul><li>Click the service account name to open the <strong>Edit Service Account</strong> page. </li>
+<li>Use the toggle to activate or deactivate the account.</li>
+</ul></td>
+<td width="50%"><img src="/images/sa_deactivate.png" alt="deactivate or activate a service account"/></td>
+</tr>
+</tbody>
+</table>
+
+## Grant or Revoke Permissions
+
+You can grant permissions to a service account when you create the account or add permissions later from the **Service Accounts** page or from the **Edit Service Account** page.
+
+The following example shows two ways of explicitly granting or revoking permissions for service accounts.
+
+<table style="width: 100%;">
+<tbody>
+<tr>
+<td width="50%">
+To grant or revoke permissions from the <strong>Service Accounts</strong> page:
+<ol><li>Select one or more service accounts. </li>
+<li>Click <strong>+Permissions</strong> or <strong>-Permissions</strong> and select the permission to add or remove.</li>
+</ol></td>
+<td width="50%"><img src="/images/csp_sa_add_permission_global.png" alt="add or remove service account permissions"/></td>
+</tr>
+<tr>
+<td width="50%">
+To grant or revoke permissions from the <strong>Edit Service Account</strong> page:
+<ol><li>Click the service account name to open the <strong>Edit Service Account</strong> page. </li>
+<li>Select the permissions that you want to grant or revoke.</li>
+</ol></td>
+<td width="50%"><img src="/images/sa_add_permission_single.png" alt="add or remove service account permissions"/></td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/pages/doc/csp_api_tokens.md b/pages/doc/csp_api_tokens.md
new file mode 100644
index 000000000..893fdeb26
--- /dev/null
+++ b/pages/doc/csp_api_tokens.md
@@ -0,0 +1,107 @@
+---
+title: Manage Tokens for Operations for Applications on VMware Cloud Services
+keywords: getting started
+tags: [getting started]
+sidebar: doc_sidebar
+permalink: csp_api_tokens.html
+summary: Learn how you can generate and manage API tokens and access tokens.
+---
+
+{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for VMware Cloud services subscriptions. For **original** subscriptions, see [Manage API Tokens](api_tokens.html)."%}
+
+Invoking the [Operations for Applications REST API](wavefront_api.html), using `curl` or an API client, requires a **VMware Cloud services access token**. In a few cases, when setting up a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-supported-with-service-accounts), authentication with an **Operations for Applications API token** is also supported.
+
+To obtain a VMware Cloud services access token, you must make an API call to the VMware Cloud services REST API and exchange it from:
+* A VMware Cloud services API token associated with your user account.
+* The credentials of a server to server OAuth app associated with the VMware Cloud organization running the service.
+
+To obtain an Operations for Applications API token, you can also create a service account and generate an API token associated with it.
+
+{% include note.html content="If your original Operations for Applications subscription was recently [onboarded to VMware Cloud services](csp_migration.html), for backward compatibility, you might have some legacy Operations for Applications API tokens that are associated with user accounts and service accounts. It’s recommended that you incrementally replace them with VMware Cloud services API tokens and sever to server OAuth apps."%}
+
+## Manage the VMware Cloud Services API Tokens for Your User Account
+
+If you want to make REST API calls on your own behalf, you must generate a VMware Cloud services API token associated with your user account and exchange it for an access token. See [Make API Calls by Using a User Account](using_wavefront_api.html#make-api-calls-by-using-a-user-account).
+
+You can generate VMware Cloud services API tokens only for your user account. You must assign each API token with the minimum required subset of the roles that you own. The access tokens associated with an API token inherit its roles. These roles include:
+* At least one organization role.
+* At least one Operations for Applications service role.
+* Optionally, one or more custom roles.
+
+You must also set each API token with a time to live (TTL), which is the time that the API token will be valid unless revoked earlier. Before an API token expires, you must generate a new API token and update your scripts and API calls.
+
+{% include important.html content="The access token exchanged from a VMware Cloud services API token has a TTL of 30 minutes. Make sure that your scripts periodically renew the access tokens before they expire."%}
+
+For details on how to generate, regenerate, revoke, and secure your API tokens, see [How do I generate API tokens](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html) in the VMware Cloud services documentation.
+
+{% include warning.html content="Do not share your API token with anyone. Accounts that have the token can authenticate without a username/password."%}
+
+## Manage the VMware Cloud Services API Tokens in Your VMware Cloud Organization
+
+If your domain is federated and the Identity Governance and Administration (IGA) is activated, the users with the VMware Cloud **Organization Owner** role have access to advanced features, including managing the API tokens within the VMware Cloud organization. For details, see [What is Identity Governance and Administration and how does it work with VMware Cloud Services](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E6661280-A88A-4E26-9008-4C1620641FA1.html) in the VMware Cloud services documentation.
+
+The users with the VMware Cloud **Organization Owner** role can:
+* View the details of all API tokens created in the organization.
+* Deactivate API tokens.
+* Set constraints for idle and maximum TTL for all newly created API tokens.
+
+For details and instructions, see [How do I manage API tokens in my Organization](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-3A9C29E0-460B-4586-B51A-084443A960D0.html) in the VMware Cloud services documentation.
+
+## Manage the Server to Server OAuth Apps in Your VMware Cloud Organization
+
+If you want to make REST API calls on behalf of your VMware Cloud organization, you must create a server to server OAuth app and exchange its credentials (ID and secret) for an access token. See [Make API Calls by Using a Server to Server App](using_wavefront_api.html#make-api-calls-by-using-a-server-to-server-app).
+
+To create and manage server to server OAuth apps in your VMware Cloud organization, you must hold the **Organization Owner**, **Organization Administrator**, or **Organization Member** with **Developer** roles.
+
+You must assign each server to server app only with the minimum required roles for its tasks and add it to your VMware Cloud organization. The access tokens associated with a server to server app inherit its roles within the organizations it belongs. These roles include:
+* At least one organization role.
+* At least one Operations for Applications service role.
+* Optionally, one or more custom roles.
+
+You must also set each server to server app with a time to live (TTL), which is the time that the access tokens associated with the app will be valid. The credentials of a sever to server app never expire, so that your script can periodically exchange them for new access tokens. Only if you regenerate the app secret, you must update your scripts and API calls.
+
+For details on how to create, view, and modify the details of the OAuth 2.0 apps in your organization, see [How to manage OAuth 2.0 apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-229F9BCE-0C1F-4948-8792-23F51B5482BE.html) in the VMware Cloud services documentation.
+
+## Manage the Operations for Applications API Tokens for a Service Account
+
+If you want to set up one of the [integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens) that still authenticate with an **Operations for Applications API token**, you must create a [service account](csp_service_accounts.html) and generate an API token associated with it.
+
+{% include important.html content="Service accounts are enabled only for a **limited number** of VMware Cloud services subscriptions, because The usage of service accounts in Operations for Applications on VMware Cloud services is **restricted** to support only a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens) that still authenticate with Operations for Applications API tokens. We are in the process of updating all of our integrations to authenticate with VMware Cloud services access tokens. Service accounts and Operations for Applications API tokens will be deprecated in the future. To enable service accounts for your service instance, [contact](wavefront_support_feedback.html) our Technical Support team. "%}
+
+As a user with the **Admin** service role, you can generate and manage the API tokens for [service accounts](csp_service_accounts.html) upon creation or at a later stage. 
+
+To generate and manage the API tokens for an existing **service account**:
+
+1. Log in to your service instance as an **Admin** user.
+2. Click the gear icon <i class="fa fa-cog"/> on the toolbar and select **Accounts**.
+3. On the **Service Accounts** tab, click the ellipsis icon next to the service account, and select **Edit**.
+   1. To generate a new token, in the **Tokens** section, click **Generate**.
+
+      You can have up to 20 tokens per service account at any given time. If you want to generate a new token but already have 20 tokens, you must revoke one of the existing tokens.
+   2. To revoke a token, click the **Revoke** button for the token.
+
+      Revoking a token cannot be undone.
+   3. To rename an API token, click the **Edit** icon for the token, enter the name, and press Enter.
+6. Select the appropriate permissions for the service account and click **Update**.
+
+## Manage the Operations for Applications API Tokens in Your Service Instance
+
+As a user with the **Admin** service role, you can view and revoke the API tokens of any service account in your service instance.
+
+{% include note.html content="If your original Operations for Applications subscription was onboarded to VMware Cloud services, for backward compatibility, you might have some legacy Operations for Applications API tokens that are associated with user accounts. It’s recommended that you incrementally [replace them with VMware Cloud services API tokens](csp_migration.html#how-to-replace-an-operations-for-applications-api-token-with-a-vmware-cloud-services-access-token)."%}
+
+1. Log in to your service instance as an **Admin** user.
+2. Click the gear icon <i class="fa fa-cog"/> on the toolbar and select **Accounts**.
+3. Click the **API Tokens** tab.
+
+  You see the API tokens for all service accounts in a paginated table format.
+
+![The API Tokens page shows the tokens table, the search field above the table, and the preconfigured filters and the saved searches in the left panel](/images/csp_API_tokens.png)
+
+{% include important.html content="Revoking a token cannot be undone. Any script that uses a revoked token returns an authorization error." %}
+
+On the API Tokens page, you can:
+- Sort the API tokens table by column.
+- Search and, optionally, save and share your search.
+- Filter the API tokens by usage, particular accounts, or your saved search.
+- Revoke an API token from the vertical ellipsis icon for the token.
\ No newline at end of file
diff --git a/pages/doc/csp_area_differences.md b/pages/doc/csp_area_differences.md
new file mode 100644
index 000000000..8ed1530ba
--- /dev/null
+++ b/pages/doc/csp_area_differences.md
@@ -0,0 +1,482 @@
+---
+title: Differences Between Original and VMware Cloud Services Subscriptions
+keywords: 
+tags: [introduction]
+sidebar: doc_sidebar
+permalink: csp-differences-by-area.html
+summary: Learn about the functionality differences between VMware Aria Operations for Applications original subscriptions and VMware Cloud services subscriptions.
+---
+
+Operations for Applications subscriptions are two types: original subscriptions and VMware Cloud Services subscriptions.
+
+## Examples of the Functionality Differences 
+
+### Users, Roles, and Group Management
+
+Most of the user and account management tasks done in the Operations for Applications UI for original subscriptions, are done in the VMware Cloud services for VMware Cloud services subscriptions. For example, the following tasks related to managing users, roles, and groups can be done from the VMware Cloud Services Console.
+
+  * Invite new users
+  * Assign permissions
+  * Create and edit roles
+  * Create and edit groups
+  * Assign roles to users and groups
+
+  ![A graphic showing the differences in the user and account management tasks for original and onboarded subscriptions. The information displayed is already described in the above bullet list.](images/user-management-comparison.png)
+
+
+### Admin Tasks
+
+Some administrative tasks, done by **Super Admins** and users with the **Accounts** permission in original subscriptions, are done by VMware Cloud **Organization Owners** and VMware Cloud **Organization Administrators** in VMware Cloud services subscriptions. Others can be done by Operations for Applications **Admins** in the Operations for Applications UI.
+
+With the 2023-38 release, we introduce the **Admin** permission and service role, which partially correspond to the **Accounts** permission for original subscriptions. Users with the **Admin** service role can manage service accounts and Operations for Applications API tokens. They can also restrict access to new dashboards and alerts and set the organization settings. For example, they can restrict the access to the object creator only and set default settings, such as display settings, PromQL support, default way of building queries, and define Logs settings. 
+
+{% include note.html content="Service accounts are enabled only for a limited number of VMware Cloud services subscriptions, because in most cases they should use [server to server OAuth apps](csp_server_to_server_apps.html). To enable service accounts for your service instance, [contact](wavefront_support_feedback.html) our Technical Support team." %}
+
+![A graphic showing the differences in the admin tasks for original and onboarded subscriptions. The information displayed is described in the table below.](images/csp-admin-tasks.png)
+
+<table style="width: 100%;">
+<tbody>
+<thead>
+<tr><th width="22%">Task</th><th width="39%">Original Subscription</th><th width="39%">VMware Cloud Services Subscription</th></tr>
+</thead>
+<tr>
+<td>Upgrade from trial
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Operations for Applications <strong>Super Admin</strong></li>
+<li><strong>Where:</strong> From the Operations for Applications UI</li>
+</ul>
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Users with the Operations for Applications  <strong>Super Admin</strong> service role</li>
+<li><strong>Where:</strong> From the Operations for Applications UI</li>
+</ul>
+</td>
+</tr>
+<tr>
+<td>Purchase more PPS
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Operations for Applications  <strong>Super Admin</strong></li>
+<li><strong>Where:</strong> From the Operations for Applications UI</li>
+</ul>
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Users with the Operations for Applications <strong>Super Admin</strong> service role</li>
+<li><strong>Where:</strong> From the Operations for Applications UI</li>
+</ul>
+</td>
+</tr>
+<tr>
+<td>Invite new Super Admins
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Operations for Applications  <strong>Super Admin</strong></li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong></li>
+<li><strong>Where:</strong> In the VMware Cloud Services Console</li>
+</ul>
+</td>
+</tr>
+<tr>
+<td>Create and manage service accounts and their Operations for Applications API tokens
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Operations for Applications users with the <strong>Accounts</strong> permission</li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Users with the Operations for Applications <strong>Admin</strong> service role</li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+</tr>
+<tr>
+<td>Restore orphan dashboards and alerts
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Operations for Applications <strong>Super Admin</strong></li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Users with the Operations for Applications <strong>Super Admin</strong> service role</li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+</tr>
+<tr>
+<td>Restrict access to new dashboards and alerts
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Operations for Applications users with the <strong>Accounts</strong> permission</li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Users with the Operations for Applications <strong>Admin</strong> service role</li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+</tr>
+<tr>
+<td>Set the service organization settings
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Operations for Applications users with the <strong>Accounts</strong> permission</li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+<td>
+<ul>
+<li><strong>Who:</strong> Users with the Operations for Applications <strong>Admin</strong> service role</li>
+<li><strong>Where:</strong> In the Operations for Applications UI</li>
+</ul>
+</td>
+</tr>
+</tbody>
+</table>
+
+### REST API Access
+
+For original subscriptions, using the Operations for Applications REST API requires an API token associated with a user account or a service account. To generate API tokens for your user account you need the **API Tokens** permission. To generate API tokens for service accounts and to manage the API tokens in your Operations for Applications organization, you need the **Accounts** permission.
+
+When your service is onboarded to VMware Cloud services and you want to access the Operations for Applications REST API, you need a VMware Cloud services **access token**. In a few cases, when setting up a Wavefront proxy for a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-supported-with-service-accounts), authentication with an Operations for Applications API token is also supported. However, using a VMware Cloud services **access token** is the recommended way. To obtain such a token, you can:
+
+* Generate a VMware Cloud services API token associated with your user account and exchange it for an access token.
+
+  ![A graphic showing information how to generate API token for the user account for onboarded and original subscriptions.](images/csp-api-token-user.png)
+
+* Create a server to server app (which is the equivalent of a service account), obtain its OAuth credentials (app ID and app secret), and exchange them for an access token.
+
+   ![A graphic showing information how to generate API token for a service account or server to server app  for onboarded and original subscriptions.](images/csp-api-token-apps.png)
+
+## In-Depth Explanation of the Functionality Differences
+
+<table style="width: 100%;">
+<tbody>
+<thead>
+<tr><th width="22%">Functionality</th><th width="39%">Original Subscription</th><th width="39%">VMware Cloud Services Subscription</th></tr>
+</thead>
+<tr>
+<td>User Login
+</td>
+<td>Users log in to their Operations for Applications service instance by using the URL of the service cluster, <code>https://&lt;your_instance&gt;.wavefront.com</code>, and their Operations for Applications accounts. If their corporate domain is configured for SAML SSO with Operations for Applications, users log in with their corporate accounts.
+</td>
+<td>Users log in to their Operations for Applications service instance through the VMware Cloud Services Console with their VMware Cloud services accounts. If their corporate domain is federated with VMware Cloud services, users log in with their corporate accounts. For details, see <a href="csp_sign_up_or_log_in.html#log-in-from-the-vmware-cloud-services-console">Log In from the VMware Cloud Services Console</a>.
+</td>
+</tr>
+<tr>
+<td>User Accounts Management
+</td>
+<td>
+<strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: You can invite new users with or without assigning roles and permissions. For details, see <a href="user-accounts.html">Manage User Accounts</a>.</p>
+</td>
+<td>
+<strong>Who</strong>: Users with the VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong> role.
+<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
+<p><strong>How</strong>: To add a user to your Operations for Applications service instance, you must assign that user:
+<ol><li>An organization role for the VMware Cloud organization running the service instance. At a minimum, you must assign the VMware Cloud <strong>Organization Member</strong> role.</li>
+<li>An Operations for Applications service role for your service instance. At a minimum, you must assign the <strong>Viewer</strong> service role.</li>
+<li>Optionally, a custom role with one or more Operations for Applications permissions. A custom role applies to all service instances for which the user has an Operations for Applications service role.</li></ol>
+For details, see <a href="csp_user_management.html">Manage User Accounts</a>.</p>
+</td>
+</tr>
+<tr>
+<td>Service Accounts and Server to Server OAuth Apps Management
+</td>
+<td><strong>Note:</strong> Only service accounts are supported.
+<p><strong>Who</strong>: Users with the <strong>Accounts</strong> permission.</p>
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Service accounts authenticate with API tokens. Service accounts can be assigned with roles and permissions, as well as can be added to groups. For details, see <a href="service-accounts.html">Manage Service Accounts</a>.</p>
+</td>
+<td><strong>Note:</strong> Server to server OAuth apps are recommended and fully supported. Service accounts are with limited support and will be deprecated in the future.
+<p><strong>Who</strong>:
+<ul>
+<li>For server to server OAuth apps, users with the VMware Cloud <strong>Organization Owner</strong>, <strong>Organization Administrator</strong>, or <strong>Organization Member</strong> with the <strong>Developer</strong> role assigned. </li>
+<li>For service accounts, users with the <strong>Admin</strong> Operations for Applications service role.</li>
+</ul></p>
+<p><strong>Where</strong>:
+<ul>
+<li>For server to server OAuth apps, in the VMware Cloud Services Console.</li>
+<li>For service accounts, in the Operations for Applications user interface.</li>
+</ul></p>
+<p><strong>How</strong>:
+<ul>
+<li>Server to server OAuth apps authenticate with VMware Cloud services access tokens that can be exchanged from their OAuth credentials. Server to server OAuth app can be assigned with organization roles, service roles, and custom roles, and can belong to one or more VMware Cloud organizations. For details, see <a href="csp_server_to_server_apps.html">Manage Server to Server Apps</a>.</li>
+<li>Service accounts authenticate with Operations for Applications API tokens. Service accounts can be assigned with permissions only, and cannot be added to groups. For details, see <a href="csp_service_accounts.html">Manage Service Accounts</a>.</li>
+</ul></p>
+</td>
+</tr>
+<tr>
+<td id="permissions">Permissions Management
+</td>
+<td><strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Permissions can be assigned to roles as well as to individual user accounts and service accounts.</p>
+<p>See:
+<ul>
+<li><a href="users_roles.html#create-a-role">Create a Role</a></li>
+<li><a href="users_roles.html#grant-or-revoke-account-permissions-explicitly">Grant or Revoke Account Permissions Explicitly</a></li>
+</ul></p>
+<p><strong>Note</strong>: The permissions list includes the <strong>Accounts</strong>, <strong>SAML IdP Admin</strong>, and <strong>API token</strong> permissions, because they are required for all of the authorization and authentication tasks which are done in the Operations for Applications.</p>
+<p>In addition, the <strong>Accounts</strong> permission grants privileges for managing the Operations for Applications organization settings.</p>
+<p>See the <a href="permissions_overview.html">Permissions Reference</a>. </p>
+</td>
+<td><strong>Who</strong>:
+<ul>
+<li>For assigning permissions to roles, users with the VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong> role.</li>
+<li>For assigning permissions to service accounts, users with the <strong>Admin</strong> Operations for Applications service role.</li>
+</ul>
+<p><strong>Where</strong>:
+<ul>
+<li>For assigning permissions to roles, in the VMware Cloud Services Console.</li>
+<li>For assigning permissions to service accounts, in the Operations for Applications user interface.</li>
+</ul></p>
+<p><strong>How</strong>: Permissions can be assigned only to roles in the VMware Cloud services organization and service accounts - in the Operations for Applications environment.</p>
+<p>See:
+<ul>
+<li><a href="csp_users_roles.html#create-edit-or-delete-a-custom-role">Create, Edit, or Delete a Custom Role</a></li>
+<li><a href="csp_service_accounts.html#grant-or-revoke-permissions">Grant or Revoke Permissions from a Service Account</a></li>
+</ul>
+</p>
+<p><strong>Note</strong>: The <strong>Accounts</strong>, <strong>SAML IdP Admin</strong>, and <strong>API token</strong> permissions don't exist, because most of the authorization and authentication tasks requiring these permissions are done in the VMware Cloud Services Console.</p>
+<p>The <strong>Admin</strong> Operations for Applications permission grants privileges for managing service accounts, Operations for Applications API tokens, and the Operations for Applications organization settings.</p>
+<p>See the <a href="csp_permissions_overview.html">Operations for Applications Permissions in VMware Cloud Services</a>.</p>
+</td>
+</tr>
+<tr>
+<td>Roles Management
+</td>
+<td><strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Roles can be assigned with permissions. Roles can be assigned to user accounts, service accounts, and groups. For details, see <a href="users_roles.html#manage-roles-and-permissions">Manage Roles and Permissions</a>.</p>
+</td>
+<td>
+<strong>Who</strong>: Users with the VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong> role.
+<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
+<p><strong>How</strong>: Roles can be assigned with permissions. Roles can be assigned to users, groups, API tokens, and server to server apps. There are:
+<ul>
+<li>Built-in Operations for Applications service roles, which are not editable. Each Operations for Applications permission is represented with a service role. In addition, the <strong>Super Admin</strong> and <strong>Viewer</strong> service roles grant full-administrative and view-only access, respectively.</li>
+<li>Custom roles can be created and assigned with permissions for one or more services.</li>
+</ul>
+For details, see <a href="csp_users_roles.html#manage-roles">Manage Roles</a>.</p>
+</td>
+</tr>
+<tr>
+<td>Groups Management
+</td>
+<td><strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: A group of user and service accounts can be assigned with one or more roles. For details, see <a href="users_roles.html#create-a-group">Create a Group</a>.</p>
+</td>
+<td>
+<strong>Who</strong>: Users with the VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong> role.
+<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
+<p><strong>How</strong>: A group of users can be assigned with organization and service roles. A group can be shared with other VMware Cloud organizations. In a federated environment, you can add enterprise groups from your corporate domain. For details, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-0BD8A07B-C3C0-4220-8CD0-18FA070D3DAD.html">How do I work with groups</a> in the VMware Cloud services documentation.</p>
+</td>
+</tr>
+<tr>
+<td>Self-Service SAML SSO</td>
+<td>
+<strong>Who</strong>: Users with the <strong>SAML IdP Admin</strong> permission.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Operations for Applications includes predefined authentication integrations. For details, see <a href="auth_self_service_sso.html">Single-Tenant Authentication and Self-Service SAML SSO</a>.</p>
+</td>
+<td>
+<strong>Who</strong>: A user with the VMware Cloud <strong>Organization Owner</strong> role together with an <strong>Enterprise Administrator</strong>.
+<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
+<p><strong>How</strong>: The VMware Cloud <strong>Organization Owner</strong> user kicks off the self-service federation workflow on behalf of the VMware Cloud organization and invites the <strong>Enterprise Administrator</strong> to complete the setup. For details, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/setting-up-enterprise-federation-cloud-services/GUID-76FAECB3-CFAA-461E-B9C9-2A49C39CD17F.html">Setting Up Enterprise Federation with VMware Cloud Services Console</a> in the VMware Cloud services documentation.</p>
+</td>
+</tr>
+<tr>
+<td>Generating API Tokens
+</td>
+<td><strong>Note</strong>: Only Operations for Applications API tokens are supported.
+<p><strong>Who</strong>:
+<ul><li>For API tokens associated with a user account, the corresponding user who must have the <strong>API Tokens</strong> permission.</li>
+<li>For API tokens associated with service accounts, the users with the <strong>Accounts</strong> permission.</li>
+</ul></p>
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>:<ul>
+<li>A user with the <strong>API Tokens</strong> permission can generate Operations for Applications API tokens for their own user account. The API tokens inherit all permissions that its associated user account owns.</li>
+<li>Users with the <strong>Accounts</strong> permission can generate Operations for Applications API tokens for service accounts. The API tokens inherit the permissions of their associated service account.</li></ul>
+For details, see <a href="api_tokens.html">Manage API Tokens</a>.</p>
+</td>
+<td><strong>Note</strong>: It is recommended to use VMware Cloud services API tokens and server to server OAuth app credentials for obtaining VMware Cloud services access tokens. Operations for Applications API tokens are with limited support and will be deprecated in a future release. 
+<p><strong>Who</strong>:
+<ul><li>For VMware Cloud services API tokens associated with a user account, the corresponding user.</li>
+<li>For Operations for Applications API tokens associated with service accounts, the users with the <strong>Admin</strong> Operations for Applications service role.</li>
+</ul></p>
+<p><strong>Where</strong>:
+<ul><li>For VMware Cloud services API tokens associated with a user account, in the VMware Cloud Services Console.</li>
+<li>For Operations for Applications API tokens associated with service accounts, in the Operations for Applications user interface.</li>
+</ul>
+</p>
+<p><strong>How</strong>:
+<ul><li>Each user can generate VMware Cloud services API tokens for their user account. An API token can be assigned with roles from the list of roles that the user owns - organization roles, service roles, and custom roles. For details and instructions, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html">How do I generate API tokens</a> in the VMware Cloud services documentation.</li>
+<li>Users with the <strong>Admin</strong> service role can generate Operations for Applications API tokens for service accounts. The API tokens inherit the permissions of their associated service account. For details, see <a href="csp_service_accounts.html">Manage Service Accounts</a>.
+</li>
+</ul>
+</p>
+</td>
+</tr>
+<tr>
+<td>API Tokens Management</td>
+<td>
+<strong>Who</strong>:
+<ul><li>For API tokens associated with a user account, the corresponding user.</li>
+<li>For all API tokens in the Operations for Applications service instance, the users with the <strong>Accounts</strong> permission.</li></ul>
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>:<ul><li>All users can view and revoke their own tokens. For details, see <a href="api_tokens.html#generate-and-manage-the-api-tokens-for-your-user-account">Generate and Manage the API Tokens for Your User Account</a>.</li>
+<li>Users with the <strong>Accounts</strong> permission can view and revoke any API token in the service instance. For details, see <a href="api_tokens.html#view-and-manage-the-api-tokens-in-your-organization">View and Manage the API Tokens in Your Organization</a>.</li></ul></p>
+</td>
+<td>
+<strong>Who</strong>:
+<ul><li>For VMware Cloud services API tokens associated with a user account, the corresponding user.</li>
+<li>For all VMware Cloud services API tokens in the VMware Cloud organization, the users with the VMware Cloud <strong>Organization Owner</strong> role if the organization is activated for Identity Governance and Administration (IGA).</li>
+<li>For all Operations for Applications API tokens (limited support), the users with the <strong>Admin</strong> Operations for Applications service role.</li></ul>
+<p><strong>Where</strong>:
+<ul><li>For VMware Cloud services API tokens, in the Cloud Services Console.</li>
+<li>For Operations for Applications API tokens (limited support), in the Operations for Applications user interface.</li></ul>
+</p>
+<p><strong>How</strong>:
+<ul>
+<li>All users can view and revoke their own VMware Cloud services API tokens. For details, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-1BA71988-387C-42E1-8C98-EE2C1370826B.html">How do I manage my API tokens</a> in the VMware Cloud services documentation.</li>
+<li>Users with the VMware Cloud <strong>Organization Owner</strong> role can monitor the API tokens created in the organization and can set constraints for idle and maximum Time to live (TTL) for all newly created tokens. For details and instructions, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-3A9C29E0-460B-4586-B51A-084443A960D0.html">How do I manage API tokens in my Organization</a> in the VMware Cloud services documentation.</li>
+<li>Users with the <strong>Admin</strong> service role can view and revoke any Operations for Applications API token in the service instance. For details, see <a href="csp_api_tokens.html#managing-the-operations-for-applications-api-tokens-in-your-service-instance">Managing the Operations for Applications API Tokens in Your Service Instance</a>.</li>
+</ul></p>
+</td>
+</tr>
+<tr>
+<td>Operations for Applications REST API Access</td>
+<td>
+<strong>Who</strong>: Everyone who has an Operations for Applications API token associated with a user account or a service account.
+<p><strong>Where</strong>: An API client.</p>
+<p><strong>How</strong>: Interacting with the Operations for Application REST API requires an Operations for Application API token.
+<ul><li>To interact with the REST API by using your user account, you must use your API token. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-user-account-1">Make API Calls by Using a User Account</a>.</li>
+<li>To interact with the REST API by using a service account, you must use an API token associated with that service account. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-service-account">Make API Calls by Using a Service Account</a>.</li></ul></p>
+</td>
+<td>
+<strong>Who</strong>: Everyone who has a VMware Cloud services API token or the credentials of a server to server OAuth app.
+<p><strong>Where</strong>: An API client.</p>
+<p><strong>How</strong>: Interacting with the Operations for Application REST API requires a VMware Cloud services access token.
+<ul><li>To interact with the REST API on behalf of your user account, you must exchange your VMware Cloud services API token for an access token. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-user-account">Make API Calls by Using a User Account</a>.</li>
+<li>To interact with the REST API on behalf of your VMware Cloud organization, you must exchange the OAuth credentials of a server to server app for an access token. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-server-to-server-app">Make API Calls by Using a Server to Server App</a>.</li>
+</ul>
+</p>
+</td>
+</tr>
+<tr>
+<td>Operations for Applications Organization Settings</td>
+<td>
+<strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: As a user with the <strong>Accounts</strong> permission, you can configure:
+<ul>
+<li>Default display settings, such as getting started progress and default dashboard display.</li>
+<li>Default query language preferences and optionally, allow users to write queries in PromQL. For details, see <a href="wavefront_prometheus.html#set-promql-organization-settings-administrator-only">Set PromQL Organization Settings (Administrator Only)</a>.</li>
+<li>Default groups for new user accounts. New users are assigned to the Everyone system group and to all additional default groups that you specify. For details, see <a href="user-accounts.html#set-the-default-user-group-for-new-users">Set the Default User Group for New Users</a>.</li>
+<li>Default groups for new service accounts. New service accounts are assigned to the Service Accounts system group and to all additional default groups that you specify. For details, see <a href="service-accounts.html#set-the-default-service-accounts-group-for-new-service-accounts">Set the Default Service Accounts Group for New Service Accounts</a>.</li>
+<li>Default permissions for new user accounts. These permissions don't apply to service accounts. For details, see <a href="user-accounts.html#set-default-permissions-for-new-users">Set Default Permissions for New Users</a>.</li>
+<li>Logs settings, if Logs is enabled for your cluster. For details, see <a href="logging_logs_settings.html">Customize Logs Settings</a>.</li>
+<li>Access to newly created dashboards and alerts. For details, see <a href="access.html">Managing Access to Dashboards and Alerts</a>.</li>
+</ul></p>
+</td>
+<td>
+<strong>Who</strong>: Users with the <strong>Admin</strong> Operations for Applications service role.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: As a user with the <strong>Admin</strong> service role, you can configure:
+<ul>
+<li>Default display settings for new accounts, such as getting started progress and default dashboard display.</li>
+<li>Default query language preferences and optionally, allow users to write queries in PromQL. For details, see <a href="wavefront_prometheus.html#set-promql-organization-settings-administrator-only">Set PromQL Organization Settings (Administrator Only)</a>.</li>
+<li>Logs settings, if Logs is enabled for your cluster. For details, see <a href="logging_logs_settings.html">Customize Logs Settings</a>.</li>
+<li>Access to newly created dashboards and alerts. For details, see <a href="csp_access.html">Managing Access to Dashboards and Alerts</a></li>
+</ul></p>
+</td>
+</tr>
+<tr>
+<td>Wavefront Proxy Installation
+</td>
+<td><strong>Note</strong>: The Wavefront proxy authenticates with an Operations for Applications API token.
+<p><strong>Who</strong>: Users with the <strong>Proxies</strong> permission.</p>
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: As a user with the <strong>Proxies</strong> permission, you must configure the proxy to authenticate to Operations for Applications with an Operations for Applications API token that have the <strong>Proxies</strong> permission. For details, see <a href="proxies_installing.html#install-a-proxy-from-the-ui">Install a Proxy from the UI</a>.</p>
+</td>
+<td><strong>Note</strong>: The Wavefront proxy authenticates with a VMware Cloud services access token obtained from server to server OAuth app credentials or from a VMware Cloud services API token. Proxy authentication with an Operations for Applications API token is still possible and supported only for a <a href="integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens">limited list of integrations</a>.
+<p><strong>Who</strong>:
+<ul>
+<li>For proxy installation, users with the <strong>Proxies</strong> Operations for Applications service role.</li>
+<li>For creating server to server OAuth apps, users with the VMware Cloud <strong>Organization Owner</strong>, <strong>Organization Administrator</strong>, or <strong>Organization Member</strong> with <strong>Developer</strong> roles.</li>
+<li>For generating an Operations for Applications API token of a service account, users with the <strong>Admin</strong> Operations for Applications service role.</li>
+</ul></p>
+<p><strong>Where</strong>:
+<ul>
+<li>For generating a VMware Cloud services API token or creating a server to server OAuth app, in the VMware Cloud Services Console.</li>
+<li>For proxy installation and generating an Operations for Applications API token for a service account, in the Operations for Applications user interface.</li>
+</ul></p>
+<p><strong>How</strong>: As a user with the <strong>Proxies</strong> service role, you configure the proxy to authenticate to Operations for Applications. The proxy obtains a VMware Cloud services access token with the <strong>Proxies</strong> service role or use an Operations for Applications API token of a service account with the <strong>Proxies</strong> permission. To obtain a VMware Cloud services access token:
+<ul><li>The proxy can use the credentials of a server to server <strong>OAuth app</strong> - ID and secret, together with the VMware Cloud organization long ID.</li>
+<li>The proxy can use the VMware Cloud services <strong>API token</strong> of an active user account.</li></ul>
+In both ways, the access token is directly issued to the proxy. For details, see <a href="proxies_installing.html#proxy-authentication-types">Proxy Authentication Types</a>.</p>
+</td>
+</tr>
+<tr>
+<td>Integrations Installation
+</td>
+<td><strong>Note</strong>: All <a href="label_integrations%20list.html">integrations</a> that use a Wavefront proxy authenticate with an Operations for Applications API token.
+<p><strong>Who</strong>: Users or service accounts with the <strong>Proxies</strong> permission who have an active Operations for Applications API token.</p>
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Follow the instructions on the <strong>Setup</strong> tab of the integration that you want to install.</p>
+</td>
+<td><strong>Note</strong>: <a href="integrations_onboarded_subscriptions.html#integrations-that-use-vmware-cloud-services-access-tokens">Most of the integrations</a> that use a Wavefront proxy authenticate with a VMware Cloud services access token. A <a href="integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens">limited list of integrations</a> still use proxy authentication with an Operations for Applications API token.
+<p><strong>Who</strong>: Users with the <strong>Proxies</strong> Operations for Applications service role who must have one of the following:
+<ul>
+<li>A valid VMware Cloud services API token with the <strong>Proxies</strong> service role assigned.</li>
+<li>The credentials of a server to server OAuth app with the <strong>Proxies</strong> service role assigned.</li>
+<li>An Operations for Applications API token associated with a service account that has the <strong>Proxies</strong> permission.</li>
+</ul></p>
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Follow the instructions on the <strong>Setup</strong> tab of the integration that you want to install. </p>
+</td>
+</tr>
+<tr>
+<td>Metrics Security Policy Management
+</td>
+<td><strong>Who</strong>: Users with the <strong>Metrics</strong> permission.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Privileged users can block or allow access to metrics for:
+<ul><li>Accounts (<a href="user-accounts.html">user accounts</a> and <a href="service-accounts.html">service accounts</a>)</li>
+<li><a href="users_roles.html#create-a-group">Groups</a></li>
+<li><a href="users_roles.html#create-a-role">Roles</a></li></ul>
+For details, see <a href="metrics_security.html">Metrics Security Policy Rules</a>.</p>
+</td>
+<td><strong>Who</strong>: Users with the <strong>Metrics</strong> Operations for Applications service role.
+<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
+<p><strong>How</strong>: Privileged users can block or allow access to metrics for:
+<ul><li>Accounts (<a href="csp_user_management.html">user accounts</a>, <a href="csp_server_to_server_apps.html">server to server apps</a>, and <a href="csp_service_accounts.html">service accounts</a>)</li>
+<li><a href="csp_users_roles.html#manage-user-groups">Groups</a></li></ul>
+For details, see <a href="csp_metrics_security.html">Metrics Security Policy Rules</a>.</p>
+</td>
+</tr>
+</tbody>
+</table>
\ No newline at end of file
diff --git a/pages/doc/csp_authorization.md b/pages/doc/csp_authorization.md
index 700d7db0e..14455dcf8 100644
--- a/pages/doc/csp_authorization.md
+++ b/pages/doc/csp_authorization.md
@@ -9,7 +9,7 @@ summary: Learn about authorization of groups, users, and server to server apps t
 
 {% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for VMware Cloud services subscriptions. For **original** subscriptions, see [Authorization Model](authorization.html)."%}
 
-VMware Cloud services supports role-based access control for the services on its platform, including Operations for Applications. In addition, Operations for Applications supports object-based access control for individual dashboards and alerts as well as metrics security policy.
+VMware Cloud services supports role-based access control for the services on its platform, including Operations for Applications. Operations for Applications supports object-based access control for individual dashboards and alerts as well as metrics security policy.
 
 ## Role-Based Access Control with Global Permissions
 
@@ -18,18 +18,18 @@ VMware Cloud services supports role-based access control for the services on its
 Users with the VMware Cloud **Organization Owner** or **Organization Administrator** role manage authorization with [roles and groups](csp_users_roles.html). They can:
 * Create **groups** and add users to each group.
 * Create **custom roles** and assign one or more permissions to each role.
-* Assign one or more **service roles** and **custom roles** to groups, individual users, and server-to-server apps.
+* Assign one or more **service roles** and **custom roles** to groups, users, and server-to-server apps.
 
 ## Access Control for Dashboards and Charts
 
-Our fine-grained **[access control](csp_access.html)** allows users with the **Super Admin** service role to protect sensitive information, for example, to restrict access to certain dashboards to the Finance team.
+Our fine-grained **[access control](csp_access.html)** allows users with the **Admin** and **Super Admin** service roles to protect sensitive information, for example, to restrict access to certain dashboards to the Finance team.
 
-* **Access control on individual objects** -- While permissions are global and apply, for example, to all dashboards, access control allows you to restrict who can view or view and modify individual objects (initially dashboards and alerts).
-* **Security setting for new objects** -- In high security environments, users with the **Super Admin** service role can set a security setting so that all new dashboards and new alerts are accessible only to the creator and to the users with the **Super Admin** service role.
+* **Access control on individual objects** -- While permissions are global and apply, for example, to all dashboards, access control allows you to restrict who can view or view and modify individual objects (dashboards and alerts).
+* **Security setting for new objects** -- In high security environments, users with the **Admin** and **Super Admin** service roles can set a security setting so that all new dashboards and new alerts are accessible only to the creator and to the users with the **Super Admin** service role.
 
 ## Metrics Security Policy Rules
 
-Users with the **Super Admin** or **Metrics** service role can view, create, and manage  [metrics security policy rules](csp_metrics_security.html).
+Users with the **Super Admin** and **Metrics** service roles can view, create, and manage  [metrics security policy rules](csp_metrics_security.html).
 
 Data protected by a metrics security policy rule can become completely invisible to users.
 * **Not visible in charts**. The chart either includes a warning that some metrics are protected, or, if all metrics are protected, the chart shows only the message.
diff --git a/pages/doc/csp_getting_started.md b/pages/doc/csp_getting_started.md
index a7bf41290..6cd06515b 100644
--- a/pages/doc/csp_getting_started.md
+++ b/pages/doc/csp_getting_started.md
@@ -5,9 +5,9 @@ sidebar: doc_sidebar
 permalink: csp_getting_started.html
 summary: Learn the basics for administering your service on the VMware Cloud services platform.
 ---
-Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. 
+Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. From this date, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to VMware Cloud services and **original** subscriptions.
 
-{% include note.html content="After July 3, 2023, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to VMware Cloud services and **original** subscriptions. Original subscriptions are the existing ones and they remain as is until they migrate to VMware Cloud services. We are in the process of incrementally migrating original subscriptions to VMware Cloud services. For information about original and VMware Cloud services subscriptions and the differences between them, see [Subscription Types](subscriptions-differences.html). "%}
+Original subscriptions are the existing ones and they remain as is until onboarded to VMware Cloud services. We are in the process of incrementally [onboarding](csp_migration.html) all original subscriptions to VMware Cloud services. For information about original and VMware Cloud services subscriptions and the differences between them, see [Differences Between Original and VMware Cloud Services Subscriptions](csp-differences-by-area.html).
 
 {% include note.html content="Starting September 20, 2023, all [**new trial**](start_trial.html) instances of Operations for Applications are **onboarded** to VMware Cloud services."%}
 
@@ -89,8 +89,8 @@ While the service roles are built-in and not editable, as a VMware Cloud **Organ
 
 If you want to use an application for automating management tasks in your service, for example, in Operations for Applications, your application requires direct access to your service, without user authorization.
 
-For that purpose, VMware Cloud services supports server to server apps, which are based on OAuth 2.0 *client credentials* grant type. You can configure your application to pass the OAuth 2.0 client credentials (id and secret) to the VMware Cloud services REST API and exchange the credentials for a VMware Cloud services access token. Your application can use the VMware Cloud services access token to interact with the Operations for Applications REST API.
+For that purpose, VMware Cloud services supports server to server apps, which are based on OAuth 2.0 client credentials grant type. You can configure your application to pass the OAuth 2.0 client credentials (id and secret) to the VMware Cloud services REST API and exchange the credentials for a VMware Cloud services access token. Your application can use the VMware Cloud services access token to interact with the Operations for Applications REST API.
 
 See [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html) in the VMware Cloud services documentation.
 
-{% include important.html content="In Operations for Applications, server to server apps correspond to **service accounts**. For example, when you configure [the access control security settings](csp_access.html#change-the-access-control-security-setting), [ingestion polices](ingestion_policies.html#step-1-specify-the-scope-and-pps-limit), or [metrics security rules](csp_metrics_security.html), the server to server apps that are assigned with Operations for Applications service roles or custom roles with Operations for Applications permissions are represented as service accounts."%}
+{% include important.html content="For each server to server app with access to an Operations for Applications service instance, we create a corresponding **internal service account** in that service instance and add it the **Service Accounts** internal system group. So that, when you configure [the access control security settings](csp_access.html#change-the-access-control-security-setting), [ingestion polices](ingestion_policies.html#step-1-specify-the-scope-and-pps-limit), or [metrics security rules](csp_metrics_security.html), the server to server apps that are assigned with Operations for Applications service roles are represented as service accounts together with the [service accounts](csp_service_accounts.html) created in Operations for Applications."%}
diff --git a/pages/doc/csp_metrics_security.md b/pages/doc/csp_metrics_security.md
index 54b11bb83..0a4752310 100644
--- a/pages/doc/csp_metrics_security.md
+++ b/pages/doc/csp_metrics_security.md
@@ -22,7 +22,7 @@ In a large enterprise, certain data is confidential. VMware Aria Operations for
 
 ## Video: Metrics Security Policy
 
-Watch this <a href="ttps://vmwaretv.vmware.com/media/t/1_3ea13tor" target="_blank">video<img src="/images/video_camera.png" alt="video camera icon"/></a> for an overview. Note that this video was created in 2020 and some of the information in it might have changed. It also uses the 2020 version of the UI.
+Watch this <a href="ttps://vmwaretv.vmware.com/media/t/1_3ea13tor" target="_blank">video<img src="/images/video_camera.png" alt="video camera icon"/></a> for an overview. Note that this video was created in 2020 and some of the information in it might have changed. It also uses the 2020 version of the UI, which is applicable to original subscriptions and there are some [differences between original and VMware Cloud services subscriptions](csp-ui-differences.html#metrics-security-policy-rule-creation-page). 
 
 <p>
 <iframe id="kmsembed-1_3ea13tor" width="700" height="400" src="https://vmwaretv.vmware.com/embed/secure/iframe/entryId/1_3ea13tor/uiConfId/49694343/st/0" class="kmsembed" allowfullscreen webkitallowfullscreen mozAllowFullScreen allow="autoplay *; fullscreen *; encrypted-media *" frameborder="0" referrerPolicy="no-referrer-when-downgrade"></iframe></td>
@@ -36,9 +36,7 @@ Metrics security policy rules allows fine-grained support for limiting access to
 
 With a metrics security policy, you can block or allow access:
 * To metrics, optionally filtered by source or point tag
-* Based on individual accounts ([user accounts](csp_user_management.html) and [service accounts](csp_server_to_server_apps.html)) or [groups](csp_users_roles.html#manage-user-groups).
-
-{% include note.html content="Service accounts in Operations for Applications correspond to server to server apps in VMware Cloud services." %}
+* Based on individual accounts - [user accounts](csp_user_management.html) and service accounts (which includes the [server to server apps](csp_server_to_server_apps.html) in VMware Cloud services as well as the [service accounts](csp_service_accounts.html)), or [groups](csp_users_roles.html#manage-user-groups).
 
 When an account attempts to access metrics, the backend looks at the rules in priority order. Higher priority rules overwrite lower priority rules.
 
@@ -181,7 +179,7 @@ Before you create rules, plan your strategy.
 * **Metrics Dimensions** allow you to determine what to block or allow.
   - Specify one or more metric prefixes. You can specify an exact match (e.g. `requests` or `request.`) or a wildcard match (e.g. `*.cpu.loadavg.*`, `cpu.*`).
   - Specify a combination of metric sources or point tags to narrow down the metrics. For example, you can block visibility into production environments for some developers, or you can block some development environments metrics for contractors.
-* **Access** allows you to allow or block access for a combination of accounts (user accounts and service accounts) or groups.
+* **Access** allows you to allow or block access for a combination of accounts (user accounts, server to server apps, and service accounts) or groups.
 
 See the Examples further below.
 
@@ -207,7 +205,7 @@ You create a metrics security policy rule following these steps. See the annotat
 
 Here's an annotated screenshot that shows the main actions:
 
-![Annotated Edit Rule screenshot. Highlights Press Enter in Prefix / Source and Point Tag section](images/metrics_s_edit_rule.png)
+![Annotated Edit Rule screenshot. Highlights Press Enter in Prefix / Source and Point Tag section](images/csp_metrics_s_edit_rule.png)
 
 
 
diff --git a/pages/doc/csp_migration.md b/pages/doc/csp_migration.md
new file mode 100644
index 000000000..91833f1d4
--- /dev/null
+++ b/pages/doc/csp_migration.md
@@ -0,0 +1,417 @@
+---
+title: Onboarding Original Subscriptions to VMware Cloud Services
+keywords: administration
+tags: [administration]
+sidebar: doc_sidebar
+permalink: csp_migration.html
+summary: Learn about how we migrate the authorization and authentication from Operations for Applications to VMware Cloud services.
+---
+
+Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. We are in the process of incrementally onboarding all original subscriptions to VMware Cloud services.
+
+## What Should I Do Before the Onboarding?
+
+Currently, all original Operations for Applications subscriptions are integrated with VMware Cloud services for billing and subscription management. Therefore, you must already have a [VMware Cloud organization](csp_getting_started.html#whats-a-vmware-cloud-organization) with at least one user with the [VMware Cloud **Organization Owner** role](csp_getting_started.html#whats-a-vmware-cloud-organization-role).
+
+Before the onboarding:
+* Get familiar with the VMware Cloud service platform. See [Getting Started with Operations for Applications on VMware Cloud Services](csp_getting_started.html).
+* Verify that your VMware Cloud **Organization Owner** user can log in to the [VMware Cloud Services Console](https://console.cloud.vmware.com).
+
+    - If you are the VMware Cloud **Organization Owner** user and cannot log in, try using the **Forgot Password** option.
+    - If your VMware Cloud **Organization Owner** user is unreachable or you don't know the name of your VMware Cloud **Organization Owner** user, contact our Technical Support team for assistance.
+* If you have a [SAML SSO integration](auth_self_service_sso.html), as a VMware Cloud **Organization Owner** user, you must federate your currently integrated enterprise domain with your VMware Cloud organization. For details, see the [Setting Up Enterprise Federation with VMware Cloud Services Guide](https://docs.vmware.com/en/VMware-Cloud-services/services/setting-up-enterprise-federation-cloud-services/GUID-76FAECB3-CFAA-461E-B9C9-2A49C39CD17F.html) in the VMware Cloud services documentation.
+
+    {% include warning.html content="If you do not federate your currently integrated enterprise domain, after onboarding to VMware Cloud services all users will lose access to the service."%}
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## What's the Onboarding Process?
+
+The onboarding is done by our team. If you are currently using a SAML SSO integration, you must only federate your enterprise domain before the process starts. The following flowchart shows the overall process.
+
+![Onboarding flowchart. Each stage of the process is described below.](images/csp-onboarding-flow.png)
+
+Here's the process:
+1. You receive a notification in your service UI with the date scheduled for your service onboarding to VMware Cloud services.
+1. If you are using a SAML SSO integration, your VMware Cloud **Organization Owner** user federates your currently integrated enterprise domain with your VMware Cloud organization. That must happen before the scheduled onboarding date.
+1. On the scheduled date, we onboard your service instance to VMware Cloud services, that is, we migrate your users, roles, and groups to your VMware Cloud organization. During the process, there's a banner notification in your service UI.
+
+    {% include important.html content="During the onboarding, you should not to do any changes related to users, roles, groups, and permissions. Such changes might be lost."%}
+1. When the onboarding completes, you can see a banner notification in your service UI and, shortly after that, all active users are logged out.
+1. Each user receives an email with an invitation link to sign up to VMware Cloud services.
+
+    The invitation links are valid for seven days.
+1. Each user redeems the invitation link and [signs up](csp_sign_up_or_log_in.html#sign-up-with-an-email-invitation) to the VMware Cloud Services Console.
+
+    - The users of a non-federated domain must create a password for their VMware Cloud services account.
+    
+    - The users of a federated domain must log in with their existing corporate passwords.
+
+{% include tip.html content="From now on, **all** users [log in](csp_sign_up_or_log_in.html#log-in-from-the-vmware-cloud-services-console) to the service instance from the [VMware Cloud Services Console](https://console.cloud.vmware.com)."%}
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## How Are the Users Migrated to VMware Cloud Services?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, we add all your current users to your VMware Cloud organization running the service.
+
+![An image displaying how users are migrated when your Operations for Applications service is onboarded to VMware Cloud services. The information from the image is explained in the bullet list below.](images/csp-user-accounts-migration.png)
+
+* If a user is a **Super Admin** in Operations for Applications, we assign that user with the **Super Admin** Operations for Applications service role in VMware Cloud services.
+* If a user is assigned with individual permissions in Operations for Applications, we assign that user with the corresponding [Operations for Applications service roles](csp_users_roles.html#operations-for-applications-service-roles-built-in) in VMware Cloud services. For example, if a user has the **Alerts** permission in Operations for Applications, we assign that user with the **Alerts** Operations for Applications service role in VMware Cloud services. There are the following exceptions:
+
+    - The **Accounts** permission is replaced by the [VMware Cloud **Organization Administrator** role](csp_getting_started.html#whats-a-vmware-cloud-organization-role) plus the **Admin** Operations for Applications service role.
+    - The **API Tokens** permission is not replaced by any role, because this privilege is not needed in VMware Cloud services. Each VMware Cloud services user can manage their own VMware Cloud services API tokens.
+    - The **SAML IdP Admin** permission is not replaced by any role, because this privilege is not needed in VMware Cloud services. The VMware Cloud **Organization Owner** initiates enterprise federation for your corporate domain and assigns an **Enterprise Administrator**.
+
+    For details, see the [permissions differences](csp-differences-by-area.html#permissions).
+* If a user does not have any permissions and roles in Operations for Applications, we assign that user with the **Viewer** Operations for Applications service role in VMware Cloud services.
+* If a user is assigned with roles in Operations for Applications, we assign that user with the corresponding custom roles in VMware Cloud services. See [How Are the Roles Migrated to VMware Cloud Services?](csp_migration.html#how-are-the-roles-migrated-to-vmware-cloud-services).
+* If a user belongs to a group in Operations for Applications, we add that user to the corresponding group in VMware Cloud services. See [How Are the Groups Migrated to VMware Cloud Services?](csp_migration.html#how-are-the-groups-migrated-to-vmware-cloud-services).
+
+{% include tip.html content="From now on, users with the VMware Cloud **Organization Owner** and **Organization Administrator** roles can [manage the Operations for Applications users](csp_user_management.html) in the VMware Cloud Services Console."%}
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## How Are the Groups Migrated to VMware Cloud Services?
+
+Originally, your Operation for Applications service includes the **Everyone** and **Service Accounts** system groups as well as any other custom groups that you have created.
+
+### How Are the Custom Groups Migrated?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, for each group that you have created in Operations for Applications, we create a corresponding group in your VMware Cloud organization running the service.
+
+* The corresponding VMware Cloud groups are with the same names and descriptions as the original Operations for Applications custom groups.
+* All users from a custom group in Operations for Applications are added to the corresponding VMware Cloud group.
+* The service accounts from the custom groups in Operations for Applications **are not** added to any VMware Cloud group.
+
+    {% include important.html content="Currently, VMware Cloud services supports grouping only for user accounts."%}
+* If a custom group in Operations for Applications is assigned with roles, the corresponding VMware Cloud group is assigned with the corresponding VMware Cloud custom roles. See [How Are the Roles Migrated to VMware Cloud Services?](csp_migration.html#how-are-the-roles-migrated-to-vmware-cloud-services).
+
+{% include tip.html content="From now on, users with the VMware Cloud **Organization Owner** and **Organization Administrator** roles can [manage the user groups](csp_users_roles.html#manage-user-groups) in the VMware Cloud Services Console."%}
+
+### How Is the Everyone System Group Migrated?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, for the **Everyone** system group in Operations for Applications, we create the corresponding **All Operations for Applications Users** group in your VMware Cloud organization running the service as follows:
+
+* All current users are added to the **All Operations for Applications Users** VMware Cloud group.
+
+    {% include important.html content="New users will **no longer** be added automatically to this group."%}
+* The **All Operations for Applications Users** VMware Cloud group is assigned with the **All Operations for Applications Users** VMware Cloud custom role, which corresponds to the **Everyone** role in Operations for Applications. See [How Are the Roles Migrated to VMware Cloud Services?](csp_migration.html#how-are-the-roles-migrated-to-vmware-cloud-services).
+* If the **Everyone** system group in Operations for Applications is assigned with custom roles, the **All Operations for Applications Users** VMware Cloud group is assigned with the corresponding VMware Cloud custom roles. See [How Are the Roles Migrated to VMware Cloud Services?](csp_migration.html#how-are-the-roles-migrated-to-vmware-cloud-services).
+* In Operations for Applications, we continue to maintain the **Everyone** system group only as a local **internal** group that is automatically populated with all new users. This group has no roles and permissions.
+
+{% include tip.html content="From now on, it is up to you to add new users to the **All Operations for Applications Users** VMware Cloud group. The **Everyone** internal system group can be used only when managing [access to dashboards and alerts](csp_access.html), [metrics security policy rules](csp_metrics_security.html), and [ingestion policies](ingestion_policies.html)."%}
+
+### What Happens with the Service Accounts System Group?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, we **do not** migrate the **Service Accounts** system group.
+
+{% include important.html content="Currently, VMware Cloud services supports grouping only for user accounts."%}
+
+* The permissions from the roles assigned to the **Service Accounts** system group in Operations for Applications are now directly assigned to the service accounts. See [What Happens with the Service Accounts?](csp_migration.html#what-happens-with-the-service-accounts).
+* In Operations for Applications, we continue to maintain the **Service Accounts** system group only as a local **internal** group that is automatically populated with all [service accounts](csp_service_accounts.html) and [server to server OAuth apps](csp_server_to_server_apps.html) that have access to the service instance. This group has no roles and permissions.
+
+{% include tip.html content="From now on, the **Service Accounts** internal system group can be used only when managing [access to dashboards and alerts](csp_access.html), [metrics security policy rules](csp_metrics_security.html), and [ingestion policies](ingestion_policies.html)."%}
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## How Are the Roles Migrated to VMware Cloud Services?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, for each role in Operations for Applications, we create a corresponding [custom role](csp_users_roles.html#create-edit-or-delete-a-custom-role) in your VMware Cloud organization running the service as follows:
+
+* For each role that you have created in Operations for Applications, we create a corresponding VMware Cloud custom role with the same name and description.
+* For the **Everyone** role that is assigned to the **Everyone** system group in Operations for Applications, we create the **All Operations for Applications Users** VMware Cloud custom role. See [How Is the Everyone System Group Migrated?](csp_migration.html#how-is-the-everyone-system-group-migrated).
+* For the **Service Accounts** role that is assigned to the **Service Accounts** system group in Operations for Applications, we **do not** create any VMware Cloud custom role, because this group is not migrated. See [What Happens with Service Accounts System Group?](csp_migration.html#what-happens-with-service-accounts-system-group).
+* The corresponding VMware Cloud custom roles are assigned with the same [permissions](csp_permissions_overview.html) as the original roles in Operations for Applications. There are the following exceptions:
+
+    - The **Accounts** permission in Operations for Applications is replaced by the **Admin** Operations for Applications permission in VMware Cloud services. In addition, the users with that permission are assigned with the [VMware Cloud **Organization Administrator** role](csp_getting_started.html#whats-a-vmware-cloud-organization-role).
+    - The **API Tokens** permission in Operations for Applications **is not** replaced by any permission in VMware Cloud services. This permission does not exist in VMware Cloud services, because each user can manage their own VMware Cloud services API tokens.
+    - The **SAML IdP Admin** permission in Operations for Applications **is not** replaced with by permission in VMware Cloud services. This permission does not exist in VMware Cloud services, because the VMware Cloud **Organization Owner** initiates enterprise federation for your corporate domain and assigns an **Enterprise Administrator**.
+
+    For details, see the [permissions differences](csp-differences-by-area.html#permissions).
+
+{% include tip.html content="From now on, users with the VMware Cloud **Organization Owner** and **Organization Administrator** roles can [manage the custom roles](csp_users_roles.html#create-edit-or-delete-a-custom-role) in the VMware Cloud Services Console."%}
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## What Happens with the Service Accounts?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, the service accounts **are not** migrated to VMware Cloud services, because VMware Cloud services supports [server to server OAuth apps](csp_server_to_server_apps.html), which are equivalent to the services accounts in Operations for Applications.
+
+{% include important.html content="The usage of service accounts in Operations for Applications on VMware Cloud services is **restricted** to support only a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens) that still authenticate with Operations for Applications API tokens. We are in the process of updating all of our integrations to authenticate with VMware Cloud services access tokens. Service accounts and Operations for Applications API tokens will be deprecated in the future."%}
+
+For backward compatibility, all of your service accounts are **preserved** in Operations for Applications as follows:
+
+* The service accounts no longer belong to groups, because the groups management is migrated to VMware Cloud services.
+* The service accounts no longer have roles, because the roles management is migrated to VMware Cloud services.
+* The service accounts are assigned with their existing permissions, including the permissions that they have inherited from roles and group roles. Exceptions are the **API Tokens** and **SAML IdP Admin** permissions, which no longer exist.
+
+    {% include note.html content="The **Accounts** permission in Operations for Applications corresponds to the [**Admin** Operations for Applications permission](csp_permissions_overview.html) in VMware Cloud services."%}
+* All service accounts still belong to the **Service Accounts** system group, which is now only an **internal** Operations for Applications group that is automatically populated with all [service accounts](csp_service_accounts.html) and [server to server OAuth apps](csp_server_to_server_apps.html) that have access to the service instance. This group has no roles and permissions.
+
+You should incrementally [replace](#how-to-replace-a-service-account-with-a-server-to-server-app) your service accounts in Operations for Applications with server to server OAuth apps in VMware Cloud services.
+
+{% include tip.html content="From now on, users with the VMware Cloud **Organization Owner**, **Organization Administrator**, or **Organization Member** with **Developer** roles can [manage server to server apps](csp_server_to_server_apps.html) in the VMware Cloud Services Console. Users with the **Admin** service role can [manage the service accounts](csp_service_accounts.html) in Operations for Applications. The **Service Accounts** internal system group can be used only when managing [access to dashboards and alerts](csp_access.html), [metrics security policy rules](csp_metrics_security.html), and [ingestion policies](ingestion_policies.html)."%}
+
+### How to Replace a Service Account with a Server to Server App?
+
+Service accounts authenticate with Operations for Applications API tokens, while server to server OAuth apps authenticate with the more secure VMware Cloud services access tokens. Service accounts are supported for a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens) but will be deprecated in the future.
+
+<table style="width: 100%;">
+<tbody>
+<tr>
+<td width="50%">
+<p>&nbsp;</p>
+<p>&nbsp;</p>
+<p>&nbsp;</p>
+<p>&nbsp;</p>
+<p>&nbsp;</p>
+<p>&nbsp;</p>
+After onboarding to VMware Cloud services, you should incrementally replace your service accounts in Operations for Applications with server to server OAuth apps in VMware Cloud services.
+
+<br /><br /> The flowchart on the right shows the overall process for creating a server to server OAuth app and replacing a service account with it.
+</td>
+<td width="50%">
+<img src="/images/csp-replace-service-account.png" alt="Flowchart showing how to replace a service account with a server to server app. The process is described in the list below"/>
+</td>
+</tr>
+</tbody>
+</table>
+
+1. Log in to the VMware Cloud Services Console as an **Organization Owner**, **Organization Administrator**, or **Organization Member** with the **Developer** role assigned.
+1. Create a server to server OAuth app. See [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html) in the VMware Cloud services documentation.
+
+    - For the server to server app name and description, you can enter the name and the description of the service account that you want to replace.
+    - For the time to live (TTL) of the access tokens that will be issued to that server to server app, you can configure a value from 1 to 300 minutes. This value defines the period in which the access token should be renewed.
+    - For the scopes of the server to server app, you must configure the roles that correspond to the permissions of the service account that you want to replace:
+
+        <table style="width: 100%;">
+        <tbody>
+        <tr>
+        <td width="30%"><strong>Scope</strong>
+        </td>
+        <td width="70%"><strong>Description</strong>
+        </td>
+        </tr>
+        <tr>
+        <td>
+        <strong>Organization Role</strong>
+        </td>
+        <td><strong>Organization Member</strong> is sufficient in most of the cases.
+        </td>
+        </tr>
+        <tr>
+        <td>
+        <strong>Custom Roles</strong>
+        </td>
+        <td>Optional. Use only if you previously created a <a href="csp_users_roles.html#create-edit-or-delete-a-custom-role">custom role</a> with the necessary <a href="csp_permissions_overview.html">Operations for Applications permissions</a>.
+        </td>
+        </tr>
+        <tr>
+        <td><strong>Service Roles</strong>
+        </td>
+        <td>Required for service access. Assign the <a href="csp_users_roles.html#operations-for-applications-service-roles-built-in">Operations for Applications service roles</a> that correspond to the permissions of the service account that you want to replace.
+        <p>If you already assigned a custom role, you must assign at least the <strong>Viewer</strong> Operations for Applications service role.</p>
+        </td>
+        </tr>
+        </tbody>
+        </table>
+1. Make sure that you save the app credentials (ID and secret) of your newly created server to server app to a secure location.
+
+    {% include important.html content="This is the only time you can see and save the app secret. If you miss to copy it or lose it, you must regenerate the app secret."%}
+1. Add the server to server app to your VMware Cloud organization.
+1. Reconfigure your scripts, API calls, or proxies to exchange the app credentials for an access token, instead of using the API tokens associated with the service account.
+
+    {% include important.html content="Depending on the TTL that you configured for the app access tokens, make sure that your script renews the access token periodically before it expires. The Wavefront proxy does this automatically. "%}
+1. Log in to your service instance as a user with the **Admin** service role and [deactivate or delete](csp_service_accounts.html#deactivate-or-activate-a-service-account) the service account that you replaced.
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## What Happens with the Operations for Applications API Tokens?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, the Operations for Applications API tokens **are not** migrated to VMware Cloud services, because Operations for Applications on VMware Cloud services supports authentication with:
+
+* VMware Cloud services API tokens associated with user accounts.
+* Server to server OAuth apps credentials, that is, app ID and app secret. The server to server OAuth app must belong to the organization that is running the Operations for Applications service.
+
+You must exchange a VMware Cloud services API token or the credentials (ID and secret) of server to server OAuth app for a VMware Cloud services **access token**.
+
+For backward compatibility, all of your API tokens are **preserved** in Operations for Applications as follows:
+
+* The Operations for Applications API tokens associated with user accounts are **no longer**  editable. The users can still use, view, and revoke their Operations for Applications API tokens until they expire, but they **cannot** generate new ones.
+* The Operations for Applications API tokens associated with service accounts are editable, because we still support them for a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens).
+
+You should incrementally [replace](#how-to-replace-an-operations-for-applications-api-token-with-a-vmware-cloud-services-access-token) your Operations for Applications API tokens with VMware Cloud services API tokens and server to server OAuth apps.
+
+{% include tip.html content="From now on, all users must generate VMware Cloud services API tokens for their accounts and exchange them for access tokens. Users with the VMware Cloud **Organization Owner**, **Organization Administrator**, or **Organization Member** with **Developer** roles can create server to server OAuth apps and exchange the app credentials for access tokens."%}
+
+### How to View and Manage the Operations for Applications API Tokens?
+
+Users with the **Admin** Operations for Applications service role can [manage](csp_api_tokens.html#managing-the-operations-for-applications-api-tokens-in-your-service-instance) the Operations for Applications API tokens in the service instance.
+
+Each user can view and revoke their own Operations for Applications API tokens:
+
+1. Log in to your service instance.
+1. From the gear icon <i class="fa fa-cog"/> on the toolbar, select your username.
+1. Click the **API Access** tab and view all your Operations for Applications API tokens.
+1. To revoke a token, click the **Revoke** button for the token.
+
+    If you run a script that uses a revoked token, the script returns an authorization error.
+
+### How to Replace an Operations for Applications API Token with a VMware Cloud Services Access Token?
+
+It's recommended to use Operations for Applications API tokens only for a [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens). We will update these integrations to authenticate with VMware Cloud services access tokens in a future release.
+
+<table style="width: 100%;">
+<tbody>
+<tr>
+<td markdown="span">
+<br /><br /><br /><br />
+
+You should incrementally replace your Operations for Applications API tokens with the more secure VMware Cloud services access tokens.
+<br /><br />
+To replace an Operations for Applications API token associated with a service account, you must replace the service account with a server to server OAuth app. See [How to Replace a Service Account with a Server to Server App?](csp_migration.html#how-to-replace-a-service-account-with-a-server-to-server-app).
+<br /><br />
+The flowchart on the right shows the overall process for replacing an Operations for Applications API token with a VMware Cloud services API token.
+</td>
+<td>
+<img src="/images/csp-replace-api-token.png" alt="Flowchart showing how to replace an Operations for Applications API token with a VMware Cloud services API token. The process is described in the list below"/>
+</td>
+</tr>
+</tbody>
+</table>
+
+
+To replace an Operations for Applications API token associated with your user account:
+
+1. Log in to the VMware Cloud Services Console.
+1. Generate an API token. See [How do I generate API tokens](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html) in the VMware Cloud services documentation.
+
+    - For the name of the VMware Cloud services API token, you can enter the name of the Operations for Applications API token that you want to replace.
+    - For the time to live (TTL) of the VMware Cloud services API token, you can configure a value from several minutes to several months, or never expire. This value defines the period in which the API token should be renewed.
+    
+        The TTL of the access tokens that will be issued to that API token is 30 minutes and is not configurable.
+    - For the scopes of the API token, you must configure the minimum portion of your roles:
+
+        {% include note.html content="Till now, the Operations for Applications API tokens inherited all your permissions and roles. Now, you can set the VMware Cloud services API token with a subset of the roles that you own."%}
+
+        <table style="width: 100%;">
+        <tbody>
+        <tr>
+        <td width="30%"><strong>Scope</strong>
+        </td>
+        <td width="70%"><strong>Description</strong>
+        </td>
+        </tr>
+        <tr>
+        <td>
+        <strong>Organization Role</strong>
+        </td>
+        <td><strong>Organization Member</strong> is sufficient in most of the cases.
+        </td>
+        </tr>
+        <tr>
+        <td>
+        <strong>Custom Roles</strong>
+        </td>
+        <td>Optional. Use only if you have assigned a <a href="csp_users_roles.html#create-edit-or-delete-a-custom-role">custom role</a>.
+        </td>
+        </tr>
+        <tr>
+        <td><strong>Service Roles</strong>
+        </td>
+        <td>Required for service access.
+        <p>If you already assigned a custom role, you must assign at least the <strong>Viewer</strong> Operations for Applications service role.</p>
+        </td>
+        </tr>
+        </tbody>
+        </table>
+1. Reconfigure your scripts, API calls, or proxies to exchange the newly generated VMware Cloud services API token for an access token, instead of using the Operations for Applications API token.
+
+    {% include important.html content="The TTL of the access tokens associated with user accounts is 30 minutes. Make sure that your script renews the access token periodically before it expires. The Wavefront proxy does this automatically. "%}
+1. [Revoke](csp_migration.html#how-to-view-and-manage-the-operations-for-applications-tokens) the Operations for Applications API token that you replaced.
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## What Happens with the Wavefront Proxies?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, all of the existing Wavefront proxies are **preserved** with their existing Operations for Applications API tokens.
+
+You should incrementally [replace](csp_migration.html#how-to-replace-the-operations-for-application-api-token-of-a-wavefront-proxy) the tokens of your proxies to authenticate with the more secure VMware Cloud services access tokens.
+
+{% include tip.html content="From now on, the users with the **Proxies** service role can create and manage the proxies in your Operations for Applications service. New proxies must authenticate with VMware Cloud services access tokens unless used for the [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens) that still authenticate with Operations for Applications API tokens."%}
+
+### How to Replace the Operations for Application API Token of a Wavefront Proxy?
+
+{% include important.html content="Make sure the version of your Wavefront proxy is 13.0 or later."%}
+
+1. Log in to the VMware Cloud Services Console.
+1. Obtain OAuth app credentials (recommended) or a VMware Cloud services API token:
+
+    - Create a server to server app with the **Proxies** service role, save its OAuth credentials (app ID and app secret), and add it to your VMware Cloud organization. See [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html) in the VMware Cloud services documentation.
+    
+        Also, obtain the long ID of the VMware Cloud organization. See [View the Organization ID](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-CF9E9318-B811-48CF-8499-9419997DC1F8.html#view-the-organization-id-1) in the VMware Cloud services documentation.
+    - Generate a VMware Cloud services API token with the **Proxies** service role. See [How do I generate API tokens](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html) in the VMware Cloud services documentation.
+1. Go to the [proxy configurations location](proxies_configuring.html#proxy-file-paths) and edit the `wavefront.conf` file with the OAuth app credentials or your VMware Cloud services API token:
+
+    - Replace the `token` parameter with the `cspAppId`, `cspAppSecret`, and `cspOrgId` parameters:
+
+        ```
+        cspAppId=<OAuth_app_id>
+        cspAppSecret=<OAuth_app_secret>
+        cspOrgId=<Org_long_ID>
+        ```
+    - Replace the `token` parameter with the `cspAPIToken` parameter:
+
+        ```
+        cspAPIToken=<VMware_Cloud_services_API_token>
+        ```
+        
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
+
+## What Happens with the Integrations?
+
+During the process of onboarding your Operations for Applications service to VMware Cloud services, all of the existing integrations are **preserved** and continue to operate using proxy authentication with Operations for Applications API tokens.
+
+You should incrementally [replace](csp_migration.html#how-to-replace-the-operations-for-application-api-token-of-a-wavefront-proxy) the proxy tokens of your [integrations](integrations_onboarded_subscriptions.html#integrations-that-use-vmware-cloud-services-access-tokens) that are updated to use proxy authentication with the more secure VMware Cloud services access token.
+
+{% include tip.html content="From now on, the users with the **Proxies** and **Integrations** service roles can set up integrations in your Operations for Applications service. New integrations must use proxy authentication with VMware Cloud services access tokens except for the [limited list of integrations](integrations_onboarded_subscriptions.html#integrations-that-use-operations-for-applications-api-tokens) that still authenticate with Operations for Applications API tokens."%}
+
+<table style="width: 100%;">
+<tbody>
+<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_migration.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
+</tbody>
+</table>
\ No newline at end of file
diff --git a/pages/doc/csp_permissions_overview.md b/pages/doc/csp_permissions_overview.md
index e61f43539..0669aec3f 100644
--- a/pages/doc/csp_permissions_overview.md
+++ b/pages/doc/csp_permissions_overview.md
@@ -38,6 +38,10 @@ VMware Cloud services allows users with the VMware Cloud **Organization Owner**
       <th width="30%">Permission</th>
       <th width="70%">Allows to</th>
     </tr>
+    <tr>
+      <th>Admin</th>
+      <td>Manage the Operations for Applications organization settings: set the default display options, PromQL support, and the default way of building queries for all users of the service instance. Can define logs settings, if the logs feature is enabled. Can restrict access to new dashboards and alerts. Can manage service accounts, if enabled for the service instance.</td>
+    </tr>
     <tr>
       <th>Alerts</th>
       <td>Create, edit, and delete <a href="alerts.html">alerts</a>, <a href="webhooks_alert_notification.html">alert targets</a>, and <a href="maintenance_windows_managing.html">maintenance windows</a>. Also, can manage alert tags and view alert history.</td>
diff --git a/pages/doc/csp_server_to_server_apps.md b/pages/doc/csp_server_to_server_apps.md
index ff759d7d0..906f658c0 100644
--- a/pages/doc/csp_server_to_server_apps.md
+++ b/pages/doc/csp_server_to_server_apps.md
@@ -1,5 +1,5 @@
 ---
-title: Manage Server to Server Apps (Service Accounts)
+title: Manage VMware Cloud Services Server to Server Apps
 keywords: administration
 tags: [administration]
 sidebar: doc_sidebar
@@ -11,24 +11,27 @@ summary: Create server to server apps and grant them access to VMware Aria Opera
 
 VMware Cloud services supports server to server apps that you can use to automate management of Operations for Applications objects, such as dashboards, alerts, etc. A server to server app can't perform the **UI operations** that all user accounts can [perform by default](csp_permissions_overview.html#default-tasks).
 
-{% include note.html content="A server to server app must hold roles with certain [permissions](csp_permissions_overview.html#operations-for-applications-permissions) to perform tasks. To run queries, a server to server app must hold the [**Metrics** service role](csp_users_roles.html#operations-for-applications-service-roles-built-in) or a [custom role](csp_users_roles.html#create-edit-or-delete-a-custom-role) with the **Metrics** permission. To manage dashboards and alerts, the server to server app might need both roles with permissions and [access](csp_access.html)." %}
+You can also use a server to server app for a [Wavefront proxy authentication](proxies_installing.html#proxy-authentication-types). For example, see our [Windows Host Integration Tutorial](windows_host_tutorial.html), which includes installing a Wavefront proxy with server to server OAuth app credentials.
+
+{% include note.html content="A server to server app must hold roles with certain [permissions](csp_permissions_overview.html#operations-for-applications-permissions) to perform tasks. For example, to run queries, a server to server app must hold the [**Metrics** service role](csp_users_roles.html#operations-for-applications-service-roles-built-in) or a [custom role](csp_users_roles.html#create-edit-or-delete-a-custom-role) with the **Metrics** permission. To manage dashboards and alerts, the server to server app might need both roles with permissions and [access](csp_access.html)." %}
 
 ## What Are Server to Server Apps?
 
 Server to server apps are used for automating management tasks. 
 
-* A server to server app uses **OAuth 2.0 client credentials** to authenticate. Access tokens are issued directly to the application.
+* A server to server app uses **OAuth 2.0 client credentials** to get a VMware Cloud services **access token** and authenticate.
 * A server to server app can be assigned with organization roles, service roles, and custom roles.
 
   {% include note.html content="You must explicitly grant each server to server app only the role with the permission required for the task that’s being automated (least required privilege). Doing so, you ensure that permissions for server to server app are always very limited." %}
 * A server to server app can be used in multiple organizations. The owner of a server to server app is the organization in which it was created.
-* A server to server app in VMware Cloud services corresponds to a service account in Operations for Applications.
+
+{% include important.html content="For each server to server app with access to an Operations for Applications service instance, we create a corresponding **internal service account** in that service instance and add it the **Service Accounts** internal system group. So that, when you configure [the access control security settings](csp_access.html#change-the-access-control-security-setting), [ingestion polices](ingestion_policies.html#step-1-specify-the-scope-and-pps-limit), or [metrics security rules](csp_metrics_security.html), the server to server apps that are assigned with Operations for Applications service roles are represented as service accounts together with the [service accounts](csp_service_accounts.html) created in Operations for Applications."%}
 
 ## How Server to Server Apps Work
 
-{% include note.html content="To manage server to server apps, you must hold either the VMware Cloud **Organization Owner** role or the VMware Cloud **Developer** additional role. See [What organization roles are available in VMware Cloud Services](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-C11D3AAC-267C-4F16-A0E3-3EDF286EBE53.html) in the VMware Cloud services documentation." %}
+{% include note.html content="To manage server to server apps, you must hold either the VMware Cloud **Organization Owner** role or any other organization role paired with the **Developer** additional role. See [What organization roles are available in VMware Cloud Services](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-C11D3AAC-267C-4F16-A0E3-3EDF286EBE53.html) in the VMware Cloud services documentation." %}
 
-If you build an application or tool that manages proxies or ingests data, then that tool must authenticate to the Operations for Applications REST API with an access token. Here's how it works:
+If you build an application or tool that manages proxies or ingests data, then that tool must authenticate to the Operations for Applications REST API with a VMware Cloud services access token. Here's how it works:
 
 1. Create a server to server app in VMware Cloud services. See [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html) in the VMware Cloud services documentation.
 1. Assign the server to server app with one or more [Operations for Applications service roles](csp_users_roles.html#operations-for-applications-service-roles-built-in) for the service instance.
@@ -51,3 +54,4 @@ If you build an application or tool that manages proxies or ingests data, then t
 
 After you create a server to server app, you can change its roles, share it with other VMware Cloud organizations, and delete it when no longer need it.
 
+{% include important.html content="If you regenerate the app secret, the access token expires and cannot be reissued. You must update your scripts with the new app secret." %}
\ No newline at end of file
diff --git a/pages/doc/csp_sign_up_or_log_in.md b/pages/doc/csp_sign_up_or_log_in.md
index 546e94e2d..e2e24af67 100644
--- a/pages/doc/csp_sign_up_or_log_in.md
+++ b/pages/doc/csp_sign_up_or_log_in.md
@@ -7,8 +7,7 @@ summary: Learn how you can sign up and log in to your service instance if it's o
 ---
 Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform.
 
-{% include note.html content="After July 3, 2023, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to VMware Cloud services and **original** subscriptions. Original subscriptions are the existing ones and they remain as is until they migrate to VMware Cloud services. We are in the process of incrementally migrating original subscriptions to VMware Cloud services. For information about original and VMware Cloud services subscriptions and the differences between them, see [Subscription Types](subscriptions-differences.html). "%}
-
+{% include note.html content="After July 3, 2023, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to VMware Cloud services and **original** subscriptions. Original subscriptions are the existing ones and they remain as is until onboarded to VMware Cloud services. We are in the process of incrementally [onboarding](csp_migration.html) original subscriptions to VMware Cloud services. For information about original and VMware Cloud services subscriptions and the differences between them, see [Subscription Types](subscriptions-differences.html). "%}
 
 When your Operations for Applications instance is onboarded to VMware Cloud services, you use a single [VMware Cloud services account](csp_getting_started.html#whats-a-vmware-cloud-services-account) to access your entire VMware Cloud services portfolio across hybrid and native public clouds, including Operations for Applications.
 
@@ -17,9 +16,13 @@ Here’s how the signup works:
 - A VMware Cloud **Organization Owner** or **Organization Administrator** adds you individually. See [How do I add users to my organization](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-47AA313E-9DAC-447C-B6C8-DF71ED45B0D5.html) in the VMware Cloud services documentation.
 - A VMware Cloud **Organization Owner** and **Enterprise Administrator** federate your corporate domain with VMware Cloud services. See [What is enterprise federation and how does it work](https://docs.vmware.com/en/VMware-Cloud-services/services/setting-up-enterprise-federation-cloud-services/GUID-76FAECB3-CFAA-461E-B9C9-2A49C39CD17F.html) in the VMware Cloud services documentation.
 2. A VMware Cloud **Organization Owner** or **Organization Administrator** grants you access to the organization's resources with an [organization role](csp_getting_started.html#whats-a-vmware-cloud-organization-role).
-3. A VMware Cloud **Organization Owner** or **Organization Administrator** grants you access to the Operations for Applications service instance with an [Operations for Applications service or custom role](csp_users_roles.html). In a multi-tenancy environment, you can have a different service and custom roles for the different Operations for Applications service instances (tenants).
-4. After you’ve been added to an organization, you receive an email notification with information about the VMware Cloud organization to which you were added, your organization role, and your service or custom role. You can now [sign up](#sign-up-with-an-email-invitation) for the Operations for Applications service instance.
-5. From now on, you can log in to your service instance from the [VMware Cloud Services Console](#log-in-from-the-vmware-cloud-services-console).
+3. A VMware Cloud **Organization Owner** or **Organization Administrator** grants you access to the Operations for Applications service instance with an [Operations for Applications service role](csp_users_roles.html). In addition, they can grant you a custom role with Operations for Application permissions.
+
+    In a multi-tenancy environment, you can have different service and custom roles for the different Operations for Applications service instances (tenants).
+4. After you’ve been added to an organization, you receive an email notification with information about the VMware Cloud organization to which you were added, your organization role, and any other roles. You can now [sign up](#sign-up-with-an-email-invitation) in the VMware Cloud Services Console.
+
+    {% include note.html content="The invitation link is valid for seven days."%}
+5. From now on, you can [log in](#log-in-from-the-vmware-cloud-services-console) to your service instance from the VMware Cloud Services Console.
 
 ## Sign Up with an Email Invitation
 
diff --git a/pages/doc/csp_subscription_types.md b/pages/doc/csp_subscription_types.md
index 87e1d73f1..600123cca 100644
--- a/pages/doc/csp_subscription_types.md
+++ b/pages/doc/csp_subscription_types.md
@@ -1,21 +1,21 @@
 ---
-title: Subscription Types
+title: VMware Cloud Services vs Original Subscriptions
 keywords: 
 tags: [introduction]
 sidebar: doc_sidebar
 permalink: subscriptions-differences.html
-summary: Learn about the VMware Aria Operations for Applications subscription types and how they differ.
+summary: Learn about the VMware Aria Operations for Applications subscription types and the advantages of VMware Cloud services subscriptions over original subscriptions.
 ---
 
-Operations for Applications subscriptions are two types: VMware Cloud services subscriptions and original subscriptions.
+Operations for Applications subscriptions are two types: original subscriptions and VMware Cloud services subscriptions.
 
 ## Why the Two Subscription Types Differ?
 
-Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. After this date, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to the [VMware Cloud services platform](https://console.cloud.vmware.com/) and **original** subscriptions. Original subscriptions are the existing ones and they remain as is until they migrate to VMware Cloud services.
+Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. After this date, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to the [VMware Cloud services platform](https://console.cloud.vmware.com/) and **original** subscriptions. Original subscriptions are the existing ones and they remain as is until onboarded to VMware Cloud services.
 
 Starting September 20, 2023, all [**new trial**](start_trial.html) instances of Operations for Applications are **onboarded** to VMware Cloud services.
 
-{% include note.html content="We will support both **original** and **onboarded** subscriptions until all **original** subscriptions are migrated to VMware Cloud services." %}
+{% include note.html content="We will support both **original** and **onboarded** subscriptions until all original subscriptions are onboarded to VMware Cloud services." %}
 
 VMware Cloud services provides single sign-on (SSO) and identity access management (IAM) to your entire VMware Cloud services portfolio across hybrid and native public clouds, including Operations for Applications. Therefore, there are differences in the experience for VMware Cloud services subscribers and original subscribers. 
 
@@ -42,280 +42,4 @@ VMware Cloud services provides single sign-on (SSO) and identity access manageme
 * **Improved Multi-Tenancy**: Support of switching between tenants on different clusters. This unlocks better experience in multi-tenant environments.
 * **Centralized Billing and Subscriptions**: The VMware Cloud Services Console displays billing and subscriptions details, and allows payment methods management. This brings the billing and subscriptions experience at a completely new level as we had no such ability before.
 
-## General UI Differences
 
-* The menu bar differs, because the VMware Cloud services toolbar is added to the top.
-
-  ![An image showing the differences in the menu bar, which are listed below.](images/new-vs-original-toolbar.png)
-
-  From the VMware Cloud services toolbar, you can:
-    1. Switch between tenants (service instances) in a multi-tenant Operations for Applications environment.
-    1. See notifications from VMware Cloud services.
-    1. Manage your VMware Cloud services account and switch to other organizations.
-    1. Go to the VMware Cloud Services Console and switch to other service subscriptions.
-
-* When viewing their own user account settings in the Operations for Applications UI, VMware Cloud services subscribers do not have the **Groups, Roles & Permissions** and the **API Access** tabs (1) and can no longer change their password from the Operations for Applications UI (2), because this is done from the VMware Cloud Services Console.
-
-  ![An image showing that the tabs mentioned above and the change password link are removed from the UI for new subscribers.](images/new-vs-original.png)
-
-* The gear icon menu also differs, because many of the tasks for VMware Cloud services subscribers are done by using the VMware Cloud Services Console. 
-
-  For example, for Super Admin users with Super Admin mode enabled, the gear icon menu looks like this:
- 
-  ![An image showing the differences in the gear icon menu, which are listed below.](images/new-vs-original-menu.png)
-
-   1. The tenant name is missing, because it is shown in the VMware Cloud Services Console when you launch the service instance. In a multi-tenant environment, the current tenant is shown on the top-left of the menu bar and you can click it to switch between tenants.
-   1. The **Self Service SAML** menu item is missing, because the enterprise federation setup is done from the VMware Cloud Services Console.
-   1. The **Accounts** option is also no longer needed, because account management is done in the VMware Cloud Services Console.
-   1. The **Super Admin** menu item is replaced with **Orphaned Objects**, because Super Admin users can no longer invite new Super Admin users, but they can still see and recover orphaned objects, such as orphan dashboards and alerts. See the following bullet point.
-   1. The **Sign Out** menu item is missing, because signing out is done from the User/Organization drop-down menu on the top-right of the menu bar.
-
-* The **Super Admin** page is replaced with **Orphaned Objects**, because Super Admin users no longer can invite new Super Admin users, but they can still see and recover orphaned objects, such as orphan dashboards and alerts.
-
-    ![An image showing the differences in the add new proxy page.](images/new-vs-original-super-admin.png)
-
-* When adding a Wavefront proxy, VMware Cloud services subscribers have two options for the proxy authorization to Operations for Applications. They can configure the proxy with a VMware Cloud services API token or with server to server OAuth app credentials.
-
-    ![An image showing the differences in the add new proxy page.](images/new-vs-original-proxy.png)
-
-* The options for adding default groups for new user and service accounts as well as for setting the default permissions for new user accounts are removed, because VMware Cloud services subscribers manage users and roles through the VMware Cloud Services Console. Users with the **Super Admin** service role can still set the default display settings and language preferences for new users on the **Organization Settings** page.
-
-  ![An image showing that the options mentioned above are removed from the UI for new subscribers.](images/new-vs-original-new-accounts-defaults.png)
-
-* The option for creating a metrics security policy rule based on roles is removed, because VMware Cloud services subscribers can block or allow access to certain metrics only based on accounts (user accounts and service accounts) and groups.
-
-  ![An image showing that the Roles option is removed from the UI for new subscribers.](images/new-vs-original-metricspolicy.png)
-
-
-## Differences by Area
-
-<table style="width: 100%;">
-<tbody>
-<thead>
-<tr><th width="22%">Area</th><th width="39%">Original Subscription</th><th width="39%">VMware Cloud Services Subscription</th></tr>
-</thead>
-<tr>
-<td>User Login
-</td>
-<td>Users log in to their Operations for Applications service instance by using the URL of the service cluster, <code>https://&lt;your_instance&gt;.wavefront.com</code>. and their Operations for Applications accounts. If their corporate domain is configured for SAML SSO with Operations for Applications, users log in with their corporate accounts.
-</td>
-<td>Users log in to their Operations for Applications service instance through the VMware Cloud Services Console with their VMware Cloud services accounts. If their corporate domain is federated with VMware Cloud services, users log in with their corporate accounts. For details, see <a href="csp_sign_up_or_log_in.html#log-in-from-the-vmware-cloud-services-console">Log In from the VMware Cloud Services Console</a>.
-</td>
-</tr>
-<tr>
-<td>Permissions
-</td>
-<td>The <strong>Accounts</strong>, <strong>SAML IdP Admin</strong>, and <strong>API token</strong> permissions exist, because all of the authorization and authentication tasks requiring these permissions are done in the Operations for Applications UI. See the <a href="permissions_overview.html">Permissions Reference</a>.
-</td>
-<td>The <strong>Accounts</strong>, <strong>SAML IdP Admin</strong>, and <strong>API token</strong> permissions don't exist, because all of the authorization and authentication tasks requiring these permissions are done in the VMware Cloud Services Console. See the <a href="csp_users_roles.html">Operations for Applications Permissions in VMware Cloud Services</a>.
-</td>
-</tr>
-<tr>
-<td>Roles and Permissions Management
-</td>
-<td><strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: Permissions can be assigned to roles as well as to individual users and service accounts. Roles can be assigned to user accounts, service accounts, and groups. For details, see:</p>
-<ul>
-<li><a href="users_roles.html#create-a-role">Create a Role</a></li>
-<li><a href="users_roles.html#grant-or-revoke-account-permissions-explicitly">Grant or Revoke Account Permissions</a></li>
-</ul>
-</td>
-<td>
-<strong>Who</strong>: Users with the VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong> role.
-<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
-<p><strong>How</strong>: Permissions can be assigned only to roles. Roles can be assigned to users, groups, API tokens, and server to server apps. There are built-in Operations for Applications service roles, which are not editable. Custom roles can be created and assigned with permissions for one or more services. For details, see <a href="csp_users_roles.html#manage-roles">Manage Roles</a>.</p>
-</td>
-</tr>
-<tr>
-<td>User Accounts Management
-</td>
-<td>
-<strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: You can invite new users with or without assigning roles and permissions. For details, see <a href="user-accounts.html">Manage User Accounts</a>.</p>
-</td>
-<td>
-<strong>Who</strong>: Users with the VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong> role.
-<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
-<p><strong>How</strong>: To add a user to your Operations for Applications service instance, you must assign that user:
-<ol><li>An organization role for the VMware Cloud organization running the service instance.</li>
-<li>An Operations for Applications service role for your service instance. At a minimum, you must assign the <strong>Viewer</strong> service role.</li>
-<li>Optionally, a custom role with an Operations for Applications permission. A custom role applies to all service instances for which the user has an Operations for Applications service role.</li></ol>
-For details, see <a href="csp_user_management.html">Manage User Accounts</a>.</p>
-</td>
-</tr>
-<tr>
-<td>Self-Service SAML SSO</td>
-<td>
-<strong>Who</strong>: Users with the <strong>SAML IdP Admin</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: Operations for Applications includes predefined authentication integrations. For details, see <a href="auth_self_service_sso.html">Single-Tenant Authentication and Self-Service SAML SSO</a>.</p>
-</td>
-<td>
-<strong>Who</strong>: A user with the VMware Cloud <strong>Organization Owner</strong> role together with an <strong>Enterprise Administrator</strong>.
-<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
-<p><strong>How</strong>: The VMware Cloud <strong>Organization Owner</strong> user kicks off the self-service federation workflow on behalf of the VMware Cloud organization and invites the <strong>Enterprise Administrator</strong> to complete the setup. For details, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/setting-up-enterprise-federation-cloud-services/GUID-76FAECB3-CFAA-461E-B9C9-2A49C39CD17F.html">Setting Up Enterprise Federation with VMware Cloud Services Console</a> in the VMware Cloud services documentation.</p>
-</td>
-</tr>
-<tr>
-<td>Service Accounts and Server to Server Apps Management
-</td>
-<td>
-<strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: Service accounts authenticate with API tokens. Service accounts can be assigned with roles and permissions, as well as can be added to groups. For details, see <a href="service-accounts.html">Manage Service Accounts</a>.</p>
-</td>
-<td>
-<strong>Who</strong>: Users with the VMware Cloud <strong>Organization Owner</strong> role or the <strong>Developer</strong> additional role.
-<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
-<p><strong>How</strong>: Server to server OAuth apps in VMware Cloud services correspond to service accounts in Operations for Applications. A server to server app authenticates with OAuth credentials (ID and secret) and an access token is directly issued to the app. To add a service account to your Operations for Applications service instance, you must create a server to server OAuth app and assign that app:
-<ol><li>An organization role for the VMware Cloud organization running the service.</li>
-<li>An Operations for Applications service role for your service instance.</li>
-<li>Optionally, a custom role with an Operations for Applications permission. A custom role applies to all service instances for which the server to server app has an Operations for Applications service role.</li></ol>
-For details, see <a href="csp_server_to_server_apps.html">Manage Server to Server Apps</a>.</p>
-</td>
-</tr>
-<tr>
-<td>Groups Management
-</td>
-<td><strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: A group of user and service accounts can be assigned with one or more roles. For details, see <a href="users_roles.html#create-a-group">Create a Group</a>.</p>
-</td>
-<td>
-<strong>Who</strong>: Users with the VMware Cloud <strong>Organization Owner</strong> or <strong>Organization Administrator</strong> role.
-<p><strong>Where</strong>: In the VMware Cloud Services Console.</p>
-<p><strong>How</strong>: A group of users can be assigned with organization and service roles. A group can be shared with other VMware Cloud organizations. In a federated environment, you can add enterprise groups from your corporate domain. For details, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-0BD8A07B-C3C0-4220-8CD0-18FA070D3DAD.html">How do I work with groups</a> in the VMware Cloud services documentation.</p>
-</td>
-</tr>
-<tr>
-<td>Generating API Tokens
-</td>
-<td>
-<strong>Who</strong>: Depends on whether the API token is associated with a user account or a service account.
-<ul><li>For API tokens associated with a user account, the corresponding user who must have the <strong>API Tokens</strong> permission.</li>
-<li>For API tokens associated with service accounts, the users with the <strong>Accounts</strong> permission.</li></ul>
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>:<ul>
-<li>A user with the <strong>API Tokens</strong> permission can generate Operations for Applications API tokens for their own user account.</li>
-<li>Users with the <strong>Accounts</strong> permission can generate Operations for Applications API tokens for service accounts.</li></ul>
-Each API token inherits the permissions of its associated user or service account. For details, see <a href="api_tokens.html">Manage API Tokens</a>.</p>
-</td>
-<td>
-<strong>Who</strong>: All users.
-<p><strong>Where</strong>: In the Cloud Services Console user interface.</p>
-<p><strong>How</strong>: Each user can generate VMware Cloud services API tokens for their user account. An API token can be assigned with roles from the list of roles that the user owns - organization roles, service roles, and custom roles.</p>
-<p>For access to Operations for Applications, the VMware Cloud services API token must be assigned with an Operations for Applications service role and, optionally, a custom role with an Operations for Applications permission.</p>
-<p>For details and instructions, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html">How do I generate API tokens</a> in the VMware Cloud services documentation.</p>
-</td>
-</tr>
-<tr>
-<td>API Tokens Management</td>
-<td>
-<strong>Who</strong>:
-<ul><li>For API tokens associated with a user account, the corresponding user.</li>
-<li>For all API tokens in the Operations for Applications environment, the users with the <strong>Accounts</strong> permission.</li></ul>
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>:<ul><li>All users can view and revoke their own tokens. For details, see <a href="api_tokens.html#generate-and-manage-the-api-tokens-for-your-user-account">Generate and Manage the API Tokens for Your User Account</a>.</li>
-<li>Users with the <strong>Accounts</strong> permission can view and revoke any API token in the environment. For details, see <a href="api_tokens.html#view-and-manage-the-api-tokens-in-your-organization">View and Manage the API Tokens in Your Organization</a>.</li></ul></p>
-</td>
-<td>
-<strong>Who</strong>:
-<ul><li>For API tokens associated with a user account, the corresponding user.</li>
-<li>For all API tokens in the VMware Cloud organization if activated for Identity Governance and Administration (IGA), the users with the VMware Cloud <strong>Organization Owner</strong> role.</li></ul>
-<p><strong>Where</strong>: In the Cloud Services Console user interface.</p>
-<p><strong>How</strong>:<ul><li>All users can view and revoke their own tokens. For details, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-1BA71988-387C-42E1-8C98-EE2C1370826B.html">How do I manage my API tokens</a> in the VMware Cloud services documentation.</li>
-<li>Users with the VMware Cloud <strong>Organization Owner</strong> role can monitor the API tokens created in the organization and can set constraints for idle and maximum Time to live (TTL) for all newly created tokens. For details and instructions, see <a href="https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-3A9C29E0-460B-4586-B51A-084443A960D0.html">How do I manage API tokens in my Organization</a> in the VMware Cloud services documentation.</li></ul></p>
-</td>
-</tr>
-<tr>
-<td>Operations for Applications REST API Access</td>
-<td>
-<strong>Who</strong>: User and service accounts with an Operations for Applications API token.
-<p><strong>Where</strong>: An API client.</p>
-<p><strong>How</strong>: Interacting with the Operations for Application REST API requires an Operations for Application API token.
-<ul><li>To interact with the REST API by using your user account, you must use your API token. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-user-account-1">Make API Calls by Using a User Account</a>.</li>
-<li>To interact with the REST API by using a service account, you must use an API token associated with that service account. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-service-account">Make API Calls by Using a Service Account</a>.</li></ul></p>
-</td>
-<td>
-<strong>Who</strong>: Users with a VMware Cloud services API token and server to server apps with OAuth credentials (ID and secret).
-<p><strong>Where</strong>: An API client.</p>
-<p><strong>How</strong>: Interacting with the Operations for Application REST API requires a VMware Cloud services access token.
-<ul><li>To interact with the REST API by using your user account, you must exchange your API token for an access token. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-user-account">Make API Calls by Using a User Account</a>.</li>
-<li>To interact with the REST API by using a server to server app, you must exchange the app ID and secret for an access token. For details, see <a href="using_wavefront_api.html#make-api-calls-by-using-a-server-to-server-app">Make API Calls by Using a Server to Server App</a>.</li></ul>
-</p>
-</td>
-</tr>
-<tr>
-<td>Operations for Applications Organization Settings</td>
-<td>
-<strong>Who</strong>: Users with the <strong>Accounts</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: As a user with the <strong>Accounts</strong> permission, you can configure:
-<ul>
-<li>Default display settings, such as getting started progress and default dashboard display.</li>
-<li>Default query language preferences and optionally, allow users to write queries in PromQL. For details, see <a href="wavefront_prometheus.html#set-promql-organization-settings-administrator-only">Set PromQL Organization Settings (Administrator Only)</a>.</li>
-<li>Default groups for new user accounts. New users are assigned to the Everyone system group and to all additional default groups that you specify. For details, see <a href="user-accounts.html#set-the-default-user-group-for-new-users">Set the Default User Group for New Users</a>.</li>
-<li>Default groups for new service accounts. New service accounts are assigned to the Service Accounts system group and to all additional default groups that you specify. For details, see <a href="service-accounts.html#set-the-default-service-accounts-group-for-new-service-accounts">Set the Default Service Accounts Group for New Service Accounts</a>.</li>
-<li>Default permissions for new user accounts. These permissions don't apply to service accounts. For details, see <a href="user-accounts.html#set-default-permissions-for-new-users">Set Default Permissions for New Users</a>.</li>
-<li>Logs settings, if Logs (Beta) is enabled for your cluster. For details, see <a href="logging_logs_settings.html">Customize Logs Settings</a>.</li>
-<li>Access to newly created dashboards and alerts. For details, see <a href="access.html">Managing Access to Dashboards and Alerts</a>.</li>
-</ul></p>
-</td>
-<td>
-<strong>Who</strong>: Users with the <strong>Super Admin</strong> Operations for Applications service role and Super Admin mode enabled.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: As a user with the <strong>Super Admin</strong> service role, you can configure:
-<ul>
-<li>Default display settings for new accounts, such as getting started progress and default dashboard display.</li>
-<li>Default query language preferences and optionally, allow users to write queries in PromQL. For details, see <a href="wavefront_prometheus.html#set-promql-organization-settings-administrator-only">Set PromQL Organization Settings (Administrator Only)</a>.</li>
-<li>Logs settings, if Logs is enabled for your cluster. For details, see <a href="logging_logs_settings.html">Customize Logs Settings</a>.</li>
-<li>Access to newly created dashboards and alerts. For details, see <a href="csp_access.html">Managing Access to Dashboards and Alerts</a></li>
-</ul></p>
-</td>
-</tr>
-<tr>
-<td>Wavefront Proxy Authentication
-</td>
-<td><strong>Who</strong>: Users with the <strong>Proxies</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: As a user with the <strong>Proxies</strong> permission, you must configure the proxy to authenticate to Operations for Applications with an Operations for Applications API token that have the <strong>Proxies</strong> permission. For details, see <a href="proxies_installing.html#install-a-proxy-from-the-ui">Install a Proxy from the UI</a>.</p>
-</td>
-<td><strong>Who</strong>:<ul><li>For proxy installation, users with the <strong>Proxies</strong> Operations for Applications service role or a custom role with the <strong>Proxies</strong> permission.</li><li>For creating server to server OAuth apps, users with the VMware Cloud <strong>Organization Owner</strong> role or <strong>Developer</strong> additional role.</li></ul>
-<p><strong>Where</strong>:<ul><li>For proxy installation, in the Operations for Applications user interface.</li><li>For generating an API token or creating a server to server OAuth app, in the VMware Cloud Services Console.</li></ul></p>
-<p><strong>How</strong>: As a user with the <strong>Proxies</strong> permission, you must configure the proxy to authenticate to Operations for Applications. The proxy must retrieve a VMware Cloud services access token with the <strong>Proxies</strong> service role. There are two supported authentication types:
-<ul><li>The proxy can use the credentials of a server to server <strong>OAuth app</strong> - ID and secret, together with the VMware Cloud organization ID.</li>
-<li>The proxy can use the <strong>API token</strong> of an active user account.</li></ul>
-In both ways, the access token is directly issued to the proxy. For details, see <a href="proxies_installing.html#proxy-authentication-types">Proxy Authentication Types</a>.</p>
-</td>
-</tr>
-<tr>
-<td>Metrics Security Policy Rules
-</td>
-<td><strong>Who</strong>: Users with the <strong>Metrics</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: Privileged users can block or allow access to metrics for:
-<ul><li>Accounts (<a href="user-accounts.html">user accounts</a> and <a href="service-accounts.html">service accounts</a>)</li>
-<li><a href="users_roles.html#create-a-group">Groups</a></li>
-<li><a href="users_roles.html#create-a-role">Roles</a></li></ul>
-For details, see <a href="metrics_security.html">Metrics Security Policy Rules</a>.</p>
-</td>
-<td><strong>Who</strong>: Users with the <strong>Metrics</strong> Operations for Applications service role or a custom role with the <strong>Metrics</strong> permission.
-<p><strong>Where</strong>: In the Operations for Applications user interface.</p>
-<p><strong>How</strong>: Privileged users can block or allow access to metrics for:
-<ul><li>Accounts (<a href="csp_user_management.html">user accounts</a> and <a href="csp_server_to_server_apps.html">service accounts</a>)</li>
-<li><a href="csp_users_roles.html#manage-user-groups">Groups</a></li></ul>
-For details, see <a href="csp_metrics_security.html">Metrics Security Policy Rules</a>.</p>
-</td>
-</tr>
-<tr>
-<td>Integrations
-</td>
-<td>All integrations are still supported. See the <a href="label_integrations%20list.html">List of Integrations</a>.
-</td>
-<td>You still can see, but cannot configure some of our integrations. For the list of integrations that we support when your Operations for Applications service is onboarded to VMware Cloud services, see <a href="integrations_onboarded_subscriptions.html">Integrations Supported for Onboarded Subscriptions</a>.
-</td>
-</tr>
-</tbody>
-</table>
\ No newline at end of file
diff --git a/pages/doc/supported_integrations.md b/pages/doc/csp_supported_integrations.md
similarity index 65%
rename from pages/doc/supported_integrations.md
rename to pages/doc/csp_supported_integrations.md
index 46bcb1ad3..428b49085 100644
--- a/pages/doc/supported_integrations.md
+++ b/pages/doc/csp_supported_integrations.md
@@ -1,79 +1,61 @@
 ---
-title: Integrations Supported for Onboarded Subscriptions
+title: How Integration Authentication Works
 keywords: integrations
 tags: 
 sidebar: doc_sidebar
 permalink: integrations_onboarded_subscriptions.html
-summary: Learn about the list of integrations supported for Operations for Applications subscriptions onboarded to VMware Cloud services.
+summary: Learn how integration authentication happens, which integrations work with VMware Cloud services access tokens and which integrations still work with Operations for Applications API tokens.
 ---
 
 ## Subscription Types
 
 Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. After this date, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to the VMware Cloud services platform and **original** subscriptions. Original subscriptions are the existing ones and they remain as is until they migrate to VMware Cloud services.
 
-## Unaffected Integrations  
+For best performance, when you set up most of our integrations, it is recommended to use the Wavefront proxy. The Wavefront proxy ingests metrics and forwards them to Operations for Applications in a secure, fast, and reliable manner. 
 
-The following integrations are working as expected no matter whether your Operations for Applications service is onboarded to VMware Cloud services platform or not.
+### VMware Cloud Services Subscriptions
 
-### Cloud Integrations
+When your Operations for Applications service **is onboarded** to the VMware Cloud services platform you have the following choices for the [Wavefront proxy](proxies_installing.html) authentication:
 
-* [Google Cloud Platform](gcp.html)
-* [Amazon Web Services](aws.html)
-* [Microsoft Azure](azure.html)
-* [AppDynamics](appdynamics.html)
-* [Dynatrace](dynatrace.html)
-* [New Relic](newrelic.html)
-* [VMware Aria Operations (SaaS)](integrations_vrops.html)
-* [Snowflake](snowflake.html)
+**VMware Cloud Services Access Token**
 
-### Notification Integrations
+The Wavefront proxy requires a VMware Cloud services access token with the **Proxies** service role. There are two options for the proxy to retrieve an access token. You can configure the Wavefront proxy to use:
 
-* [BigPanda](bigpanda.html)
-* [Microsoft Teams](msteams.html)
-* [PagerDuty](pagerduty.html)
-* [Slack](slack.html)
-* [Jira](jira.html)
-* [OpsGenie](opsgenie.html)
-* [ServiceNow](servicenow.html)
-* [Splunk On-Call](victorops.html)
+* OAuth App authentication (recommended):
 
+  You must use the credentials (client ID and client secret) of an existing server to server OAuth app which has the **Proxies** service role assigned and is added to the VMware Cloud organization running the service. You must also provide the long ID of the VMware Cloud organization running the service.
 
-### collectd Integrations
+  If you don’t have a server to server app already, you can create one in the VMware Cloud Services Console. For details, see [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html) in the VMware Cloud services documentation. You can also try out the [Windows host integration tutorial](windows_host_tutorial.html).
 
-* [Apache collectd Integration](integrations_collectd_apache.html)
-* [Cassandra collectd Integration](integrations_collectd_cassandra.html)
-* [Memcached collectd Integration](integrations_collectd_memcached.html)
-* [MySQL collectd Integration](integrations_collectd_mysql.html)
-* [NGiNX collectd Integration](integrations_collectd_nginx.html)
-* [Redis collectd Integration](integrations_collectd_redis.html)
-* [Zookeeper collectd Integration](integrations_collectd_zookeeper.html)
+  When the access token expires, depending on the token TTL configuration of the server to server app, the Wavefront proxy automatically retrieves a new access token.
 
-### Other Integrations
+* API Token authentication:
 
-* [Webhooks](webhooks.html)
-* [Graphite](graphite.html)
-* [Operations for Applications Usage Integration](wavefront_monitoring.html)
+  The API token must be generated in the VMware Cloud Services Console by an active user account. It also must have the **Proxies** service role assigned. For more information, see [How do I generate API tokens](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html).
 
+  You might need to regenerate and reconfigure the API token periodically depending on the TTL configuration.
 
-## Integrations Supported for Onboarded Subscriptions
+**Operations for Applications API token**
 
-For best performance, when you configure most of our integrations it is recommended to use the Wavefront proxy. The Wavefront proxy ingests metrics and forwards them to Operations for Applications in a secure, fast, and reliable manner. When your Operations for Applications service **is onboarded** to the VMware Cloud services platform you have two choices for the proxy authentication:
+For a limited number of integrations, you must still use an Operations for Applications API token, associated with a [service account](csp_service_accounts.html) that has the **Proxies** permission. As a user with the **Admin** service role, you can create a service account with the **Proxies** permission and generate an API token for it. Then, you can install the Wavefront proxy and set up your integration to pass the API token of the service account. 
 
-   * Use OAuth App authentication (recommended):
+{% include note.html content=" Service accounts are enabled only for a **limited number** of VMware Cloud services subscriptions, because in most cases they should use [server to server OAuth apps](csp_server_to_server_apps.html). Тo enable service accounts for your service instance, [contact](wavefront_support_feedback.html) our Technical Support team. It is recommended that you gradually switch to using server to server OAuth apps which authenticate with more secure VMware Cloud services access tokens." %}
 
-     You must use the credentials (client ID and client secret) of an existing server to server app which has the **Proxies** service role assigned and is added to the VMware Cloud organization running the service. You must also provide the ID of the VMware Cloud organization running the service.
+To understand how you can manage the API tokens for service accounts, see [Managing the Operations for Applications API Tokens for a Service Account](csp_api_tokens.html#managing-the-operations-for-applications-api-tokens-for-a-service-account).
 
-      If you don’t have a server to server app already, you can create one in the VMware Cloud Services Console. For details, see [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html) in the VMware Cloud services documentation.
 
+### Original Subscriptions
 
-   * Use API Token authentication:
+When your Operations for Applications service instance **is not onboarded** to VMware Cloud services, the proxy requires an Operations for Applications **API token**.
 
-     The API token must be generated in the VMware Cloud Services Console by an active user account. It also must have the **Proxies** service role assigned. For more information, see [How do I generate API tokens](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html).
+Before you add a proxy, you must have an API token associated with your user account or a service account with the **Proxies** permission. See [Manage API Tokens](api_tokens.html) for details.
 
 
-We're in the process of incrementally updating our integrations so that you can use them when your Operations for Applications service **is** onboarded to VMware Cloud services. 
+## Integrations That Use VMware Cloud Services Access Tokens
 
-Here's the list of the integrations that are updated as of today (with the 2023-31.x release). This list grows with each release. If you urgently need an integration to become available and configurable for your onboarded service, please contact us at: `tanzu_saas_ops@vmware.com`.
+We're in the process of incrementally updating our integrations so that you can authenticate with a VMware Cloud services API token or OAuth server to server app  credentials. 
+
+When your Operations for Applications service **is onboarded** to the VMware Cloud services platform, the list of the integrations that are updated as of today is in the table below. This list grows with each release. If you urgently need an integration to become available and configurable with a VMware Cloud services access token, please contact [technical support](wavefront_support_feedback.html).
 
 <table style="width: 100%;">
 <thead>
@@ -426,5 +408,88 @@ Here's the list of the integrations that are updated as of today (with the 2023-
 <tr>
 <td markdown="span">Zabbix </td>
 <td markdown="span">[Zabbix  Integration](zabbix.html)</td>
-</tr></tbody>
-</table>
\ No newline at end of file
+</tr>
+<tr>
+<td markdown="span">Zipkin </td>
+<td markdown="span">[Zipkin  Integration](zipkin.html)</td>
+</tr>
+<tr>
+<td markdown="span">Velero </td>
+<td markdown="span">[Velero  Integration](velero.html)</td>
+</tr>
+</tbody>
+</table>
+
+
+## Integrations That Use Operations for Applications API Tokens
+
+Here's the list of the integrations that still use API tokens. Currently, if your service **is onboarded** to VMware Cloud services, direct ingestion by using the Wavefront Output Plugin for Telegraf is supported only when you use a service account<!--(targeting mid-October)-->.
+
+* [AWS Lambda Functions](aws-lambda-functions.html) <!--(targeted for update mid September)-->
+* [Spring Boot](springboot.html) <!--(target mid-end of September)-->
+* [Nagios](nagios.html) <!--(targeting mid-September for customer availability)-->
+* [VMware Tanzu Mission Control Advanced](tmc.html) <!--(TBD)-->
+* [VMware GemFire](gemfire.html) <!--(TBD https://jira.eng.vmware.com/browse/INT-1897)-->
+* [Micrometer](micrometer.html) <!--(Target mid-September)-->
+* [Catchpoint](catchpoint.html) <!--(Target mid-September)-->
+* [VMware Tanzu Kubernetes Grid Integration](tkgi.html) <!--(TBD)-->
+* [Terraform Provider](wavefront-terraform-provider.html) <!--(TBD)-->
+* [Ansible Role](ansible.html) <!--(archive/delete?)-->
+* [VMware Aria Operations for Logs](log-insight-cloud.html) <!--(TBD)-->
+* [VMware Spring Cloud Data Flow for Kubernetes](scdf.html) <!--(TBD)-->
+* [VMware tc Server](vmware-tcserver.html)  <!--(archive/delete?)-->
+* [Microsoft Azure Deployment Manager](adm.html) <!--(archive/delete?)-->
+* [Uptime](uptime.html) <!--(TBD)-->
+* [Datadog](datadog.html) <!--(archive/delete?)-->
+* [Grafana](grafana.html) <!--(TBD)-->
+* [Chef Server](wavefront-chef.html) <!--(TBD)-->
+* [AVI Networks (NSX ALB)](avi_nsx_alb.html) <!--(archive/delete?)-->
+* [VMware Blockchain](vmware_blockchain.html) <!--(archive/delete?)-->
+* [C Sharp](csharp.html) <!--(TBD)-->
+
+## List of Unaffected Integrations
+
+The following integrations do not depend on the subscription type and work as expected, no matter whether your Operations for Applications service is onboarded to VMware Cloud services platform or not.
+
+### Cloud Integrations
+
+* [Google Cloud Platform](gcp.html)
+* [Amazon Web Services](aws.html)
+* [Microsoft Azure](azure.html)
+* [AppDynamics](appdynamics.html)
+* [Dynatrace](dynatrace.html)
+* [New Relic](newrelic.html)
+* [VMware Aria Operations (SaaS)](integrations_vrops.html)
+  
+  Note that currently this integration works with a VMware Cloud services API token only.
+
+* [Snowflake](snowflake.html)
+
+### Notification Integrations
+
+* [BigPanda](bigpanda.html)
+* [Microsoft Teams](msteams.html)
+* [PagerDuty](pagerduty.html)
+* [Slack](slack.html)
+* [Jira](jira.html)
+* [OpsGenie](opsgenie.html)
+* [ServiceNow](servicenow.html)
+* [Splunk On-Call](victorops.html)
+
+
+### collectd Integrations
+
+* [Apache collectd Integration](integrations_collectd_apache.html)
+* [Cassandra collectd Integration](integrations_collectd_cassandra.html)
+* [Memcached collectd Integration](integrations_collectd_memcached.html)
+* [MySQL collectd Integration](integrations_collectd_mysql.html)
+* [NGiNX collectd Integration](integrations_collectd_nginx.html)
+* [Redis collectd Integration](integrations_collectd_redis.html)
+* [Zookeeper collectd Integration](integrations_collectd_zookeeper.html)
+
+### Other Integrations
+
+* [Webhooks](webhooks.html)
+* [Graphite](graphite.html)
+* [Operations for Applications Usage Integration](wavefront_monitoring.html)
+
diff --git a/pages/doc/csp_ui_differences.md b/pages/doc/csp_ui_differences.md
new file mode 100644
index 000000000..d81e26993
--- /dev/null
+++ b/pages/doc/csp_ui_differences.md
@@ -0,0 +1,81 @@
+---
+title: UI Differences Between Original and VMware Cloud Services Subscriptions
+keywords: 
+tags: [introduction]
+sidebar: doc_sidebar
+permalink: csp-ui-differences.html
+summary: Learn about the differences in the UI of VMware Aria Operations for Applications original subscriptions and VMware Cloud services subscriptions.
+---
+
+Operations for Applications subscriptions are two types: original subscriptions and VMware Cloud services subscriptions.
+
+## Menu Bar
+
+The menu bar differs, because the VMware Cloud services toolbar is added to the top.
+
+  ![An image showing the differences in the menu bar, which are listed below.](images/new-vs-original-toolbar.png)
+
+  From the VMware Cloud services toolbar, you can:
+
+  1. Switch between tenants (service instances) in a multi-tenant Operations for Applications environment.
+  1. See notifications from VMware Cloud services.
+  1. Manage your VMware Cloud services account and switch to other organizations.
+  1. Go to the VMware Cloud Services Console and switch to other service subscriptions.
+
+## Own User Account Settings
+
+When viewing their own user account settings in the Operations for Applications UI, VMware Cloud services subscribers do not have the **Groups, Roles & Permissions** and the **API Access** tabs (1) and can no longer change their password from the Operations for Applications UI (2), because this is done from the VMware Cloud Services Console.
+
+  ![An image showing that the tabs mentioned above and the change password link are removed from the UI for new subscribers.](images/new-vs-original.png)
+
+
+## Gear Icon Menu
+
+The gear icon menu also differs, because many of the tasks for VMware Cloud services subscribers are done by using the VMware Cloud Services Console. 
+
+  For example, for **Super Admin** users with **Super Admin** mode enabled, the gear icon menu looks like this:
+ 
+  ![An image showing the differences in the gear icon menu, which are listed below.](images/new-vs-original-menu.png)
+
+   1. The tenant name is missing, because it is shown in the VMware Cloud Services Console when you launch the service instance. In a multi-tenant environment, the current tenant is shown on the top-left of the menu bar and you can click it to switch between tenants.
+   1. The **Self Service SAML** menu item is missing, because the enterprise federation setup is done from the VMware Cloud Services Console.
+   1. The **Accounts** menu item is available only for a **limited number** of VMware Cloud services subscriptions. See the section below.
+   1. The **Super Admin** menu item is replaced with **Orphaned Objects**, because Super Admin users can no longer invite new Super Admin users, but they can still see and recover orphaned objects, such as orphan dashboards and alerts. See the following bullet point.
+   1. The **Sign Out** menu item is missing, because signing out is done from the User/Organization drop-down menu on the top-right of the menu bar.
+
+
+## Accounts Page
+
+Most of the identity and access management tasks for VMware Cloud services subscribers are done by using the VMware Cloud Services Console. Therefore, if you are a user with the **Admin** service role assigned (this role partially covers the **Accounts** permission for original subscriptions), when you click the gear icon on the toolbar and select **Accounts**, you will see only the **Service Accounts** and the **API Tokens** tabs.
+
+{% include note.html content=" This page is available only for a **limited number** of VMware Cloud services subscriptions, because in most cases you should use [server to server OAuth apps](csp_server_to_server_apps.html) and [VMware Cloud services API tokens](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-3A9C29E0-460B-4586-B51A-084443A960D0.html)." %}
+
+  ![An image showing the differences in the Accounts menu and the Service Accounts tab.](images/new-vs-original-accounts.png)
+
+  1. The **User Accounts**, **Groups**, and **Roles** tabs are missing, because the management of users, groups, and roles is done from the VMware Cloud Services Console. By using the **Accounts** menu item, the VMware Cloud services subscribers can manage only service accounts and the Operations for Applications API tokens associated with them.
+  1. VMware Cloud services subscribers cannot assign roles to service accounts and also can’t add them to groups. For VMware Cloud services subscriptions, service accounts are local entities in Operations for Applications, while roles and groups management is centralized in VMware Cloud services. VMware Cloud services subscribers can grant only permissions to service accounts.
+  1. Filtering the service accounts can be done only by permissions, because they don’t have roles and don’t belong to groups.
+
+## Super Admin Page
+
+The **Super Admin** page is replaced with **Orphaned Objects**, because Super Admin users no longer can invite new Super Admin users, but they can still see and recover orphaned objects, such as orphan dashboards and alerts.
+
+  ![An image showing the differences in the add new proxy page.](images/new-vs-original-super-admin.png)
+
+## Add New Wavefront Proxy Page
+
+When adding a Wavefront proxy, VMware Cloud services subscribers have two options for the proxy authorization to Operations for Applications. They can configure the proxy with server to server OAuth app credentials or with a VMware Cloud services API token.
+
+  ![An image showing the differences in the add new proxy page.](images/new-vs-original-proxy.png)
+
+## Organization Settings Page
+
+The options for adding default groups for new user and service accounts as well as for setting the default permissions for new user accounts are removed, because VMware Cloud services subscribers manage users and roles through the VMware Cloud Services Console. Users with the **Super Admin** or **Admin** service role can still set the default display settings and language preferences for new users on the **Organization Settings** page.
+
+  ![An image showing that the options mentioned above are removed from the UI for new subscribers.](images/new-vs-original-new-accounts-defaults.png)
+
+## Metrics Security Policy Rule Creation Page
+
+The option for creating a metrics security policy rule based on roles is removed, because VMware Cloud services subscribers can block or allow access to certain metrics only based on accounts (user accounts and service accounts) and groups.
+
+  ![An image showing that the Roles option is removed from the UI for new subscribers.](images/new-vs-original-metricspolicy.png)
diff --git a/pages/doc/csp_user_management.md b/pages/doc/csp_user_management.md
index 55583ff27..efc03d555 100644
--- a/pages/doc/csp_user_management.md
+++ b/pages/doc/csp_user_management.md
@@ -8,7 +8,7 @@ summary: Add and manage users of VMware Aria Operations for Applications on VMwa
 
 {% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. The content in this chapter is valid for VMware Cloud services subscriptions. For **original** subscriptions, see [Manage User Accounts](user-accounts.html)."%}
 
-VMware Cloud services provides identity access management for the users of your services, including Operations for Applications. 
+VMware Cloud services provides identity access management for the users of your services, including Operations for Applications. For example, see our tutorial [Invite New Users from the VMware Cloud Services Console](csp_new_users_tutorial.html).
 
 {% include note.html content="To manage user access to the services in your VMware Cloud organization, you must hold the VMware Cloud **Organization Owner** or **Organization Administrator** role. See [What organization roles are available in VMware Cloud Services](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-C11D3AAC-267C-4F16-A0E3-3EDF286EBE53.html) in the VMware Cloud services documentation."%}
 
@@ -18,17 +18,19 @@ To add a user to your Operations for Applications service instance, you must ass
 
 1. An [organization role](csp_getting_started.html#whats-a-vmware-cloud-organization-role) for the VMware Cloud organization running the service instance.
 
+    {% include note.html content="I you are a VMware Cloud **Organization Administrator**, you can assign only the VMware Cloud **Organization Member** role. Only a VMware Cloud **Organization Owner** can add VMware Cloud **Organization Owners** and VMware Cloud **Organization Administrators**."%}
+
 1. An [Operations for Applications service role](csp_users_roles.html#operations-for-applications-service-roles-built-in) for the service instance.
   
     You can assign a combination of service roles. For example, if the user that you want to invite will set up integrations, make sure that you assign that user both the **Integrations** and the **Proxies** service roles.
 
-    If you plan to assign that user a custom role, you must assign that user at least the **Viewer** Operations for Applications service role.
+    If you plan to assign that user a custom role, you must assign that user at least the **Viewer** Operations for Applications service role, so that the user can access the service instance.
 
     {% include important.html content="Make sure that you assign the [**Super Admin** service role](csp_users_roles.html#operations-for-applications-service-roles-built-in) to at least one user of your Operations for Applications service instance. There are some Super Admin tasks that no one else can perform. "%}
 
 1. Optionally, a [custom role](csp_users_roles.html#create-edit-or-delete-a-custom-role) with an [Operations for Applications permission](csp_permissions_overview.html#operations-for-applications-permissions).
 
-    {% include important.html content="In a multi-tenant Operations for Applications environment, custom roles apply to **all** service instances (tenants) to which the user has access, that is, for which the user has at least one service role."%}
+    {% include important.html content="In a multi-tenant Operations for Applications environment, custom roles apply to **all** service instances (tenants) to which the user has access, that is, for which the user has at least one Operations for Applications service role."%}
 
 You can assign users with these roles in the following ways:
 
@@ -58,7 +60,7 @@ For details, see [How do I change user roles](https://docs.vmware.com/en/VMware-
 
 ## Remove a User
 
-- To remove a user from your service instance, you must remove their [Operations for Applications service roles](csp_users_roles.html#operations-for-applications-service-roles-built-in) and the [custom roles](csp_users_roles.html#create-edit-or-delete-a-custom-role) with [Operations for Applications permissions](csp_permissions_overview.html#operations-for-applications-permissions).
+- To remove a user from your service instance, you must remove their [Operations for Applications service roles](csp_users_roles.html#operations-for-applications-service-roles-built-in).
     - If the roles are individually assigned to the user, edit the user's roles. See [How do I change user roles](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-A70DBFDC-86FD-4C84-8753-0E55C8C98F8E.html) in the VMware Cloud services documentation.
     - If the roles are inherited from a group, edit the group and remove that user from the list of members. See [How do I work with groups](hhttps://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-0BD8A07B-C3C0-4220-8CD0-18FA070D3DAD.html) in the VMware Cloud services documentation.
 
diff --git a/pages/doc/csp_users_account_managing.md b/pages/doc/csp_users_account_managing.md
index 11a9e7583..c142b7db9 100644
--- a/pages/doc/csp_users_account_managing.md
+++ b/pages/doc/csp_users_account_managing.md
@@ -82,8 +82,7 @@ If you hold the [**Super Admin** service role](csp_users_roles.html#operations-f
 
 Operations for Applications allows users to interact with the service instance using the [REST API](wavefront_api.html).
 
-Before you can invoke the Operations for Applications API using `curl` or from an API client, you must have a VMware Cloud services access token with the relevant organization and service access. To retrieve an access token, you must first generate an API token. See [Make API Calls by Using a User Account](using_wavefront_api.html#make-api-calls-by-using-a-user-account).
+Before you can invoke the Operations for Applications API using `curl` or from an API client, you must have a VMware Cloud services access token with the relevant organization and service access. To obtain an access token, you must first generate a VMware Cloud services API token with relevant roles, and then exchange that API token for an access token.
 
-{% include note.html content="You generate VMware Cloud services API tokens only for your user account. You can grant a token all or a portion of your organization, service, and custom roles."%}
+You [manage your VMware Cloud services API tokens](csp_api_tokens.html#managing-the-vmware-cloud-services-api-tokens-for-your-user-account) in the VMware Cloud Services Console.
 
-To generate and manage API tokens for your account, see [How do I generate API tokens](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E2A3B1C1-E9AD-4B00-A6B6-88D31FCDDF7C.html) in the VMware Cloud services documentation.
diff --git a/pages/doc/csp_users_roles.md b/pages/doc/csp_users_roles.md
index ceb13b6c9..3172ba76f 100644
--- a/pages/doc/csp_users_roles.md
+++ b/pages/doc/csp_users_roles.md
@@ -39,12 +39,29 @@ The VMware Cloud Services Console **Roles** page lists all service roles and cus
 ### Operations for Applications Service Roles (Built-in)
 
 The VMware Cloud Services Console **Roles** page includes the following built-in Operations for Applications service roles:
-- A corresponding service role for each [permission](csp_permissions_overview.html#operations-for-applications-permissions) - **Alerts**, **Applications**, **Batch Query Priority**, **Charts Embedding**, **Dashboards**, **Derived Metrics**, **Direct Data Ingestion**, **Events**, **External Links**, **Ingestion Policies**, **Integrations**, **Logs**, **Metrics**, **Proxies**, and **Sources**.
-- Two special service roles - one that grants full administrative access to the service, and another one that grants read-only access to the service:
+- A corresponding Operations for Applications service role for each [Operations for Applications permission](csp_permissions_overview.html#operations-for-applications-permissions), that is, each of the following service roles has only one permission assigned:
+
+  * **Admin**
+  * **Alerts**
+  * **Applications**
+  * **Batch Query Priority**
+  * **Charts Embedding**
+  * **Dashboards**
+  * **Derived Metrics**
+  * **Direct Data Ingestion**
+  * **Events**
+  * **External Links**
+  * **Ingestion Policies**
+  * **Integrations**
+  * **Logs**
+  * **Metrics**
+  * **Proxies**
+  * **Sources**
+- Two special Operations for Applications service roles - one that grants full administrative access to the service, and another one that grants read-only access to the service:
 
   <table>
   <tr>
-    <th width="30%">Special Service Role</th>
+    <th width="30%">Service Role</th>
     <th width="70%">Description</th>
   </tr>
   <tr>
@@ -52,9 +69,7 @@ The VMware Cloud Services Console **Roles** page includes the following built-in
     <td>When users with that service role <a href="csp_users_account_managing.html#enable-or-disable-super-admin-mode">enable Super Admin mode</a>, they:<ul>
     <li>Have all Operations for Applications permissions.</li>
     <li>Have access to all dashboards and alerts.</li>
-    <li>Can set the default preferences for all users of the service instance.</li>
-    <li>Can restrict access for new dashboards and alerts.</li>
-    <li>Can <a href="access.html#make-orphan-dashboards-or-alerts-visible">restore orphan dashboards and alerts</a>.</li>
+    <li>Can <a href="csp_access.html#make-orphan-dashboards-or-alerts-visible">restore orphan dashboards and alerts</a>.</li>
     </ul>
     <p><strong>Tip:</strong> Combine the <strong>Super Admin</strong> service role with the roles that you want the user to have when Super Admin mode is disabled. </p></td>
   </tr>
@@ -63,7 +78,8 @@ The VMware Cloud Services Console **Roles** page includes the following built-in
     <td>Users with that service role:<ul>
     <li>Don't have any Operations for Applications permissions.</li>
     <li>Can perform only the <a href="csp_permissions_overview.html#default-tasks">default tasks</a>.</li>
-    </ul></td>
+    </ul>
+    <p><strong>Tip:</strong> Assign the <strong>Viewer</strong> service role individually or in combination with custom roles.</p></td>
   </tr>
   </table>
 
@@ -101,6 +117,8 @@ For efficient user management, you can create groups of users and assign roles t
 
 See [How do I work with groups](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-0BD8A07B-C3C0-4220-8CD0-18FA070D3DAD.html) in the VMware Cloud services documentation.
 
+{% include note.html content="Operations for Applications includes an internal **Everyone** system group, where any new user account is added automatically. This group doesn't have any roles and permissions. This group can be used when managing [access to dashboards and alerts](csp_access.html), [metrics security policy rules](csp_metrics_security.html), and [ingestion policies](ingestion_policies.html)."%}
+
 ## Grant or Revoke a User's Role Explicitly
 
 To change the roles that are individually assigned to a user, see [How do I change user roles](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-A70DBFDC-86FD-4C84-8753-0E55C8C98F8E.html).
\ No newline at end of file
diff --git a/pages/doc/ingestion_policies.md b/pages/doc/ingestion_policies.md
index acf493d53..eaef3864b 100644
--- a/pages/doc/ingestion_policies.md
+++ b/pages/doc/ingestion_policies.md
@@ -54,12 +54,13 @@ In the **Data** panel, specify the scope and, optionally, a PPS limit and click
     </thead>
     <tr>
     <td><strong>Accounts</strong></td>
-    <td>Depends on your <a href="subscriptions-differences.html">subscription type</a>.<ul><li>If your Operations for Applications service is a VMware Cloud services subscription, individual <a href="csp_user_management.html">users</a> and <a href="csp_server_to_server_apps.html">server to server apps</a>. Service accounts in Operations for Applications correspond to server to server apps in VMware Cloud services.</li>
+    <td>Depends on your <a href="subscriptions-differences.html">subscription type</a>.<ul><li>If your Operations for Applications service is onboarded to VMware Cloud services, individual <a href="csp_user_management.html">users</a>, <a href="csp_server_to_server_apps.html">server to server apps</a>, and <a href="csp_service_accounts.html">service accounts</a>.</li>
     <li>If your Operations for Applications service is an original subscription, individual <a href="authorization-faq.html#what-are-user--service-accounts">user and service accounts</a>.</li></ul></td></tr>
     <tr>
     <td><strong>Groups</strong></td>
-    <td>Depends on your <a href="subscriptions-differences.html">subscription type</a>.<ul><li>If your Operations for Applications service is a VMware Cloud services subscription, <a href="csp_users_roles.html#manage-user-groups">groups</a> of VMware Cloud services users.</li>
-    <li>If your Operations for Applications service is an original subscription, <a href="users_roles.html#create-a-group">groups</a> of user and service accounts.</li></ul>
+    <td>Depends on your <a href="subscriptions-differences.html">subscription type</a>.<ul><li>If your Operations for Applications service is onboarded to VMware Cloud services, <a href="csp_users_roles.html#manage-user-groups">groups</a> of VMware Cloud services users.
+    <p>You can also select the <strong>Everyone</strong> internal system group (which includes all users) or the <strong>Service Accounts</strong> internal system group (which includes all <a href="csp_server_to_server_apps.html">server to server apps</a> that have access to your service as well as all <a href="csp_service_accounts.html">service accounts</a> in your service).</p></li>
+    <li>If your Operations for Applications service is an original subscription, <a href="users_roles.html#create-a-group">groups</a> of user and service accounts, including the <strong>Everyone</strong> and <strong>Service Accounts</strong> system groups.</li></ul>
     </td>
     </tr>
     <tr>
diff --git a/pages/doc/proxies_installing.md b/pages/doc/proxies_installing.md
index 268b22f99..c0acd844e 100644
--- a/pages/doc/proxies_installing.md
+++ b/pages/doc/proxies_installing.md
@@ -38,9 +38,9 @@ In most cases, a Wavefront proxy must be running in your environment before metr
 * If your Operations for Applications service instance **is** onboarded to VMware Cloud services, the proxy requires a VMware Cloud services access token with the **Proxies** [service role](csp_users_roles.html#operations-for-applications-service-roles-built-in). There are two options for the proxy to retrieve an access token. You can configure the proxy with:
     *	The credentials (ID and secret) of a VMware Cloud services server to server **OAuth app** and the ID of the VMware Cloud organization running the service.
 
-        Before you add a proxy with an OAuth app, you must retrieve the credentials (ID and secret) of a server to server app that is assigned with the **Proxies** service role and added to the VMware Cloud organization running the service. See [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html?hWord=N4IgpgHiBcIMpgE4DckAIAuB7NBnJqiaAhgA6kgC+QA).
+        Before you add a proxy with an OAuth app, you must retrieve the credentials (ID and secret) of a server to server app that is assigned with the **Proxies** Operations for Applications service role and added to the VMware Cloud organization running the service. See [How to use OAuth 2.0 for server to server apps](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-327AE12A-85DB-474B-89B2-86651DF91C77.html?hWord=N4IgpgHiBcIMpgE4DckAIAuB7NBnJqiaAhgA6kgC+QA) in the VMware Cloud services documentation.
 
-        Also, you must retrieve the VMware Cloud organization ID. See [How do I manage my Cloud Services Organizations](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-CF9E9318-B811-48CF-8499-9419997DC1F8.html).
+        Also, you must retrieve the VMware Cloud organization long ID. See [View the Organization ID](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-CF9E9318-B811-48CF-8499-9419997DC1F8.html#view-the-organization-id-1) in the VMware Cloud services documentation.
 
         {% include note.html content="When the access token expires, depending on the token TTL configuration of the server to server app, the proxy automatically retrieves a new access token."%}
 
diff --git a/pages/doc/upgrade-and-purchase.md b/pages/doc/upgrade-and-purchase.md
index 7520b4d9b..01549ff61 100644
--- a/pages/doc/upgrade-and-purchase.md
+++ b/pages/doc/upgrade-and-purchase.md
@@ -97,4 +97,4 @@ In case of urgency, you can contact the Operations for Applications team by send
    
 After you place your order, you will see a purchase confirmation page. Typically, it takes 24 hours to fulfil an order. Once your subscription becomes active, you'll receive an email notification.
 
-<!--- In case of urgency, you can contact the Operations for Applications team by sending an email to `tanzu_saas_ops@vmware.com` with your service ID and someone from our team will help you. --->
\ No newline at end of file
+<!-- In case of urgency, you can contact the Operations for Applications team by sending an email to `tanzu_saas_ops@vmware.com` with your service ID and someone from our team will help you. -->
diff --git a/pages/doc/wavefront_introduction.md b/pages/doc/wavefront_introduction.md
index 7cec97ec0..31ceb3f1c 100644
--- a/pages/doc/wavefront_introduction.md
+++ b/pages/doc/wavefront_introduction.md
@@ -11,7 +11,7 @@ VMware Aria Operations for Applications (formerly known as Tanzu Observability b
 
 You can [sign up for a free trial](start_trial.html) and try out our service. 
 
-Starting July 3, 2023, Operations for Applications is a service on the [VMware Cloud services platform](https://console.cloud.vmware.com/). After this date, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to the VMware Cloud services platform and **original** subscriptions. Original subscriptions are the  existing ones and they remain as is until they migrate to VMware Cloud services. For information about the subscription types and how they differ, see [Subscription Types](subscriptions-differences.html).
+Starting July 3, 2023, Operations for Applications is a service on the [VMware Cloud services platform](https://console.cloud.vmware.com/). After this date, we support two types of subscriptions: Operations for Applications subscriptions **onboarded** to the VMware Cloud services platform and **original** subscriptions. Original subscriptions are the existing ones and they remain as is until [onboarded](csp_migration.html) to VMware Cloud services. For information about the subscription types and how they differ, see [Subscription Types](subscriptions-differences.html).
 
 After your free trial expires, you can [upgrade and purchase our service](upgrade_and_purchase.html). 
 
diff --git a/pages/doc/wavefront_prometheus.md b/pages/doc/wavefront_prometheus.md
index 6ae14deb0..2ae002251 100644
--- a/pages/doc/wavefront_prometheus.md
+++ b/pages/doc/wavefront_prometheus.md
@@ -8,7 +8,11 @@ summary: Run PromQL queries in the Query Editor
 
 VMware Aria Operations for Applications (previously known as Tanzu Observability by Wavefront) supports both PromQL and Wavefront Query Language (WQL) queries. The Query Editor includes admin-level organization settings for enabling PromQL and a query line GUI that includes a translation option.
 
-* Users with the **Accounts** permission and **Super Admin** users have control over user defaults:
+{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. For information about VMware Cloud services subscriptions and original subscriptions and the differences between them, see [Subscription Types](subscriptions-differences.html).<br/>
+- For VMware Cloud services subscriptions, users with the **Super Admin** service role (in Super Admin mode) and users with the **Admin** service role can enable the PromQL support. <br/>
+- For original Operations for Applications subscriptions, users with the **Accounts** permission can enable the PromQL support."%}
+
+* Users with an administrative role in Operations for Applications have control over user defaults:
   - On the **Organization Settings** page (New User Defaults) they can enable users to write queries in PromQL.
   - If queries in PromQL are enabled, they can also set other options.
 * Users can then type PromQL or WQL queries into the Query Editor.
@@ -22,9 +26,7 @@ VMware Aria Operations for Applications (previously known as Tanzu Observability
 
 ## Set PromQL Organization Settings (Administrator Only)
 
-{% include note.html content="Starting July 3, 2023, VMware Aria Operations for Applications is a service on the VMware Cloud services platform. For information about VMware Cloud services subscriptions and original subscriptions and the differences between them, see [Subscription Types](subscriptions-differences.html).<br/>
-- For VMware Cloud services subscriptions, only users with the **Super Admin**  service role in Super Admin mode can enable the PromQL support.<br/>
-- For original Operations for Applications subscriptions, users with the **Accounts** permission can enable the PromQL support."%}
+As a user with an administrative role, you can control user defaults. 
 
 * If **PromQL Support** is *not enabled*, other users cannot use PromQL or change PromQL user preferences.
 * If **PromQL Support** is *enabled*, administrators can set additional New User Default query settings, and other users can override those settings.
@@ -56,8 +58,6 @@ If an administrator has enabled PromQL support (discussed above), each user can
       If your default language is set to **PromQL**, you can build your queries only in the Query Editor. Chart Builder was designed for Wavefront query language and doesn't support PromQL.
     * Whether to show the translation to WQL when you click inside the Query Editor.
 
-
-
 ## Video: Wavefront Query Language and PromQL
 
 This short <a href="https://vmwaretv.vmware.com/media/t/1_x5xqthax" target="_blank">video<img src="/images/video_camera.png" alt="video camera icon"/></a> shows how you can create a PromQL chart and an alert. Note that this video was created in 2021 and some of the information in it might have changed. It also uses the 2021 version of the UI.
diff --git a/pages/doc/wavefront_release_notes.md b/pages/doc/wavefront_release_notes.md
index 60ba34344..031ed2aa3 100644
--- a/pages/doc/wavefront_release_notes.md
+++ b/pages/doc/wavefront_release_notes.md
@@ -15,6 +15,11 @@ This page lists new and updated features for the VMware Aria Operations for Appl
 
 ## Announcements
 
+### Onboarding Original VMware Aria Operations for Applications to VMware Cloud Services
+
+In October, 2023, we start to incrementally [onboard](csp_migration.html) all original subscriptions to VMware Cloud services. You will receive a notification in your Operations for Applications UI with the date scheduled for your service onboarding to VMware Cloud services. Make sure that you get familiar with the VMware Cloud services platform and prepare for the onboarding. See [What Should I Do Before the Onboarding?](csp_migration.html#what-should-i-do-before-the-onboarding).
+
+
 ### Free Trial of VMware Aria Operations for Applications on VMware Cloud Services
 
 Starting September 20, 2023, all **new trial** instances of Operations for Applications are **onboarded** to VMware Cloud services. You can [start a free trial](start_trial.html) directly from the VMware Cloud Services Console.
@@ -32,7 +37,12 @@ For information about the two subscription types and how they differ, see [Subsc
  
 {% include note.html content="We will support both original and onboarded subscriptions until all original subscriptions are onboarded to VMware Cloud services."%}
 
-## 2023-37.x Release Notes
+## 2023-38.x Release Notes
+
+### Onboarded Subscriptions
+
+**New Admin Permission and Service Role**: With this release, we introduce the **Admin** [permission](csp_permissions_overview.html#operations-for-applications-permissions) and [service role](csp_users_roles.html#operations-for-applications-service-roles-built-in). **Admin** users can manage the Operations for Applications organization settings.
+
 
 ### Original and Onboarded Subscriptions
 
diff --git a/pages/doc/wavefront_support_feedback.md b/pages/doc/wavefront_support_feedback.md
index 47c1b6eff..d581817bf 100644
--- a/pages/doc/wavefront_support_feedback.md
+++ b/pages/doc/wavefront_support_feedback.md
@@ -12,11 +12,11 @@ summary: Get help with and give feedback.
 VMware Aria Operations for Applications (formerly known as Tanzu Observability by Wavefront) support is available as follows:
 
 * Get in touch with Technical Support and create a support ticket. See the [How to Engage Technical Support](https://help.wavefront.com/hc/en-us/articles/360057219171-How-to-Engage-Technical-Support) KB.
-* Get support from within the product:
-  1. Log in to your product instance.
+* Get support from within Operations for Applications:
+  1. Log in to your service instance.
   1. From the gear icon <i class="fa fa-cog"/> on the toolbar, select <strong>Support</strong>.
     <br/>![support menu item](images/get_support.png)
-
+* Get support from within the VMware Cloud Services Console. See [How do I get support](https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-E4DC731F-C039-4FB2-949E-9A61584CD5BF.html).
 
 ## Documentation Feedback