Update from SAP DITA CMS (squashed):

commit 9023a6ec42d97ff920125a5b2334dda3c36cca95
Author: REDACTED
Date:   Wed Jul 3 11:52:33 2024 +0000

    Update from SAP DITA CMS 2024-07-03 11:52:33
    Project: dita-all/wbz1500991557538
    Project map: 1334e860f4d64684a929f6a7afeea339.ditamap
    Output: loio629f7cb06f6947988dcaf8bedbe45873
    Language: en-US
    Builddable map: 542fb1b8806149fc8f6953d896e46f50.ditamap

commit 0e25de0f193d30f80af7cb578a47afbe41df647d
Author: REDACTED
Date:   Wed Jul 3 11:36:55 2024 +0000

    Update from SAP DITA CMS 2024-07-03 11:36:54
    Project: dita-all/wbz1500991557538
    Project map: 1334e860f4d64684a929f6a7afeea339.ditamap
    Output: loio629f7cb06f6947988dcaf8bedbe45873
    Language: en-US
    Builddable map: 542fb1b8806149fc8f6953d896e46f50.ditamap

commit 6e35b413f10c552d0d35d1189c145ecb12da5654
Author: REDACTED
Date:   Wed Jul 3 11:25:30 2024 +0000

    Update from SAP DITA CMS 2024-07-03 11:25:30
    Project: dita-all/pzw1625492527863
    Project map: 6a8ab14499a34c7baa7b9caf10b910c5.ditamap
    Output: loio7a5e71ddeb694dfcb17beb3fc35a49bf
    Language: en-US
    Builddable map: 64b1fe67adb543adbf8b71c4392094ea.ditamap

##################################################
[Remaining squash message was removed before commit...]

docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md

@@ -174,7 +174,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md

@@ -174,7 +174,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md

@@ -134,7 +134,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md

@@ -134,7 +134,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md

@@ -67,7 +67,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md

@@ -67,7 +67,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md

@@ -134,7 +134,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md

@@ -134,7 +134,7 @@ To configure an OpenID Connect trusted application in the administration console
 
 -   Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
 
--   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+-   Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Public Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
 
     > ### Note:  
     > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.

docs/Operation-Guide/configure-user-authorizations-424b64c.md

@@ -225,6 +225,9 @@ Groups of type `Authorization Policy` with names containing the names of the aut
 > ### Restriction:  
 > You need both read and update access rights to be able to update a field in the administration console. If you can't see a field because of a policy restriction, this field remains also disabled for editing even if update rights are granted to you.
 
+> ### Remember:  
+> To edit a custom schema custom attribute via the administration console, `users.MANAGE_USERS` without restriction is needed. If the policy has a restriction on the `users.MANAGE_USERS` base policy, you won't be able to edit the custom schema custom attribute.
+
 > ### Example:  
 > Michael Adams is an administrator at retail company A. He is located at the company's head office in Germany and as chief administrator of the company he has all the authorizations in the administration console for SAP Cloud Identity Services. Dona Moore is also an administrator at company A. She is responsible for the branch office in the USA. As such she needs to have access only to the users in the USA. Michael Adams creates an authorization policy for read-users access and assigns Dona Moore to that policy. He also removes the *Read Users* and *Manage Users* authorizations that Dona has as an administrator. As a result, now, when Dona accesses the *User Management* section of the administration console, she sees only the users that are located in the USA. All the other users are hidden.
 

docs/Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md

@@ -17,7 +17,7 @@ The attributes are also put in the `id_token` if the application is OpenID conne
 For both, the SAML 2.0 and OpenID Connect applications, you can configure attributes with dynamic values to be added into the assertions in the following pattern: `<prefix> ${attribute_technical_name>} <suffix>`
 
 > ### Restriction:  
-> \(For OpenID Connect applications\) The following claims can't be set via the configuration of attributes with default values: `iss`, `sub`, `zone_uuid`, `exp`, `nbf`, `iat`, `auth_time`, `nonce`, `acr`, `amr`, `cnf`, `azp`, `at_hash`, `c_hash`, `sub_jwk`, and `ias_iss`.
+> \(For OpenID Connect applications\) The following claims can't be set via the configuration of attributes with default values: `iss`, `sub`, `zone_uuid`, `exp`, `nbf`, `iat`, `auth_time`, `nonce`, `acr`, `amr`, `azpacr``cnf`, `azp`, `at_hash`, `c_hash`, `sub_jwk`, and `ias_iss`.
 
 Expand the **Supported Attributes** table below to see the attributes that can take dynamic values:
 

docs/Operation-Guide/send-system-notifications-via-emails-aa04a8b.md

@@ -29,7 +29,7 @@ The tenant administrator can configure the system to send emails to administrato
 > ### Note:  
 > With the Jul 5, 2023 upgrade, the first administrator in every new tenant, created after that date, and all newly created administrators are automatically subscribed for system notifications.
 
-To start sending security alert emails, proceed as follows:
+To start sending system notifications via emails, proceed as follows:
 
 > ### Caution:  
 > When you delete administrators, their emails remain part of the system notifications configuration and they'll continue to receive notifications. To stop sending notifications, remove the emails from the list.
@@ -51,12 +51,12 @@ To start sending security alert emails, proceed as follows:
     -   *New email* - enter the email that you want to receive notifications.
     -   *All administrators* all tenant administrators will receive the notifications.
 
-5.  Confirm your choice by choosing the *Add* button in the popup.
+5.  Confirm your choice by choosing the *Add* button in the pop up.
 
-6.  Configure the notifications by selecting the desired checkboxes for each email.
+6.  Configure the notifications by selecting the desired check-boxes for each email.
 
     > ### Note:  
-    > By default all checkboxes are selected.
+    > By default all check-boxes are selected.
 
 7.  Save your configuration.
 

docs/Security/security-information-6e88d82.md

@@ -30,7 +30,7 @@ Before you secure Identity Authentication, protect the cloud application that tr
 
 SAP BTP Security Recommendations collects information which helps you to secure the configuration and operation of SAP BTP services in your landscape.
 
-For more information, see [Security Recommendations](https://help.sap.com/docs/BTP/c8a9bb59fe624f0981efa0eff2497d7d/531f33def8074ccdb6f1f784a34dafcb.html?seclist-index=BTP-IAS).
+For more information, see [Security Recommendations - Identity Authentication](https://help.sap.com/docs/BTP/c8a9bb59fe624f0981efa0eff2497d7d/531f33def8074ccdb6f1f784a34dafcb.html?seclist-index=BTP-IAS) and [Security Recommendations - Identity Provisioning](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-IPS&version=Cloud).