add more features to access control docs

docs.json

@@ -45,10 +45,16 @@
               {
                 "group": "Access Control",
                 "pages": [
+                  "manage/access-control/create-user",
                   "manage/access-control/rules",
                   "manage/access-control/forwarded-headers",
                   "manage/access-control/login-page",
-                  "manage/geoblocking"
+                  "manage/geoblocking",
+                  "manage/access-control/mfa",
+                  "manage/access-control/password-rotation",
+                  "manage/access-control/session-length",
+                  "manage/access-control/change-password",
+                  "manage/access-control/security-keys"
                 ]
               },
               {

manage/access-control/change-password.mdx

@@ -0,0 +1,22 @@
+---
+title: "Change Password"
+description: "Change or reset your Pangolin account password"
+---
+
+### Change Password
+
+If you're already logged in, you can change your password by clicking your profile menu (top right) and selecting Change Password. You will be required to confirm your old password and enter a new password.
+
+<Tip>
+If you want to require password changes at regular intervals for better security, check out the [password rotation documentation](/manage/access-control/password-rotation).
+</Tip>
+
+### Reset Password
+
+If you forgot your password, you can use the reset password function. On the login page, select Forgot your password?. This will ask for your username or email. A reset code will be sent to that email to complete the reset.
+
+If you're self‑hosting Pangolin, you will need an SMTP server configured to send emails. If you don't have one configured, the server will log the reset code to the server logs for you to retrieve and use to reset the password.
+
+### Force Reset Server Admin Password
+
+For self‑hosted Pangolin, if you need to force reset your server admin account password server‑side, you can use the internal CLI. [See more here](/self-host/advanced/container-cli-tool).

manage/access-control/create-user.mdx

@@ -0,0 +1,24 @@
+---
+title: "Create User"
+description: "Add internal or external users to your organization"
+---
+
+Users can be added to organizations. When a user is added to Pangolin, there is a global user object and an organization‑specific user object that links that user to the organization. This allows a user to exist in one or more organizations.
+
+<Tip>
+Because the root user exists and a per‑organization user exists, a user invited to an organization may be able to create a new organization. You can disable this functionality via a flag in the config file in self‑hosted Pangolin. [Check out the config file documentation](/self-host/advanced/config-file#feature-flags).
+</Tip>
+
+When removing a user from an organization, their account still exists. To completely delete their account, visit the server admin panel as the server admin and delete the global user in the users table.
+
+### Internal Users
+
+An internal user is an identity managed by Pangolin only. When adding the user, you will receive an invite link. The user needs to use this link to either accept the invite, or create an account for the first time and accept the invite.
+
+### External Users
+
+An external user is an identity managed by an external identity provider. When creating an external user, you will need to select an existing identity provider added to Pangolin. [Check out the documentation on adding an IDP](/manage/identity-providers/add-an-idp).
+
+An identity provider may have auto‑provisioning enabled. This means new users who log in with the IDP are automatically created and you do not need to manually create the user. [Check out the auto‑provisioning documentation](/manage/identity-providers/auto-provisioning).
+
+Even if auto‑provisioning is enabled, you can still manually create users.

manage/access-control/mfa.mdx

@@ -0,0 +1,30 @@
+---
+title: "Multi-Factor Authentication"
+description: "Enable and manage two-factor authentication and enforcement for your organization"
+---
+
+Pangolin supports two‑factor authentication (2FA) for Pangolin user accounts.
+
+### Enable or Disable 2FA
+
+- Click your profile menu (top right) to enable two‑factor authentication.
+- You will need to confirm your password and code before enabling/disabling 2FA.
+
+### Supported Methods
+
+- **Time‑based one‑time code (TOTP)**: Use an authenticator app (e.g., 1Password, Google Authenticator).
+- **Push via email**: Contact sales to enable.
+- **Push via Duo**: Contact sales to enable.
+
+### Enforcement
+
+<Note>
+Two‑factor enforcement (requiring 2FA at login) is available in Enterprise Edition only.
+</Note>
+
+To enable enforcement, go to Organization Settings and toggle 2FA enforcement in the Security section.
+
+- Enforcement is configured per organization.
+- MFA enforcement only applies to internal Pangolin user accounts. This policy does not apply to accounts linked to an external identity provider.
+- When enforced, users must enable 2FA before accessing the organization or its resources.
+- Users without 2FA will see a prompt directing them to enable it before proceeding.

manage/access-control/password-rotation.mdx

@@ -0,0 +1,19 @@
+---
+title: "Password Rotation"
+description: "Configure password expiration and rotation requirements for your organization"
+---
+
+By default, Pangolin does not require passwords to be rotated on a regular basis. However, password rotation can be required on a per‑organization basis.
+
+### Configuration
+
+<Note>
+Password expiry and rotation is an Enterprise Edition only feature.
+</Note>
+
+To enable password rotation, go to Organization Settings and select a maximum password age in the Security section. After the configured period expires, users will be prompted to change their password when accessing the organization or its resources.
+
+- Password rotation is enforced on a per‑organization basis.
+- Password rotation only applies to internal Pangolin user accounts. This policy does not apply to accounts linked to an external identity provider.
+- Users who need to change their password will see a prompt directing them to update it before proceeding.
+

manage/access-control/security-keys.mdx

@@ -0,0 +1,12 @@
+---
+title: "Security Keys"
+description: "Use security keys for passwordless login to your Pangolin account"
+---
+
+You can log in with security keys, also known as passwordless login. On the login page, there is an option below the login button to Log in with security key.
+
+### Add a Security Key
+
+To add a security key, you must first be logged in. Then click your profile menu (top right) and select Add Security Keys. Follow the steps to add your key.
+
+Once a security key is added to your account, you can select the Continue with security key option the next time you log in.

manage/access-control/session-length.mdx

@@ -0,0 +1,21 @@
+---
+title: "Session Length"
+description: "Configure maximum session length and expiration policies for your organization"
+---
+
+By default, Pangolin keeps extending a session indefinitely if a user is actively using it. If a user is not actively using the session, it will expire after 30 days.
+
+However, you can require users to log in at regular intervals by enforcing maximum session lengths on a per‑organization basis.
+
+### Configuration
+
+<Note>
+Session length enforcement is an Enterprise Edition only feature.
+</Note>
+
+To enable session length enforcement, go to Organization Settings and set a maximum session length in the Security section. After this amount of time, users will be prompted to log back in to acquire a fresh session.
+
+- Session length enforcement is configured per organization.
+- Session length enforcement applies to both internal Pangolin users and users linked to external identity providers.
+- Users whose session has expired will see a prompt directing them to log in again before proceeding.
+