Mention the Web role editor in the docs

docs/pages/admin-guides/access-controls/access-monitoring.mdx

@@ -177,6 +177,8 @@ spec:
       - use
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ## Query Editor
 
 The Query Editor in Teleport Access Monitoring provides users with an interface to interactively query audit logs and generate reports.

docs/pages/admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx

@@ -59,8 +59,8 @@ For the purpose of this guide, we will define an `editor-requester` role, which
 can request the built-in `editor` role, and an `editor-reviewer` role that can
 review requests for the `editor` role.
 
-In the Teleport WebUI navigate to **Management -> Access -> Roles**. Then select
-**Create New Role** and create the desired roles.
+In the Teleport WebUI navigate to **Access -> Roles**. Then select **Create New
+Role** and create the desired roles.
 
 
 ```yaml
@@ -248,6 +248,8 @@ spec:
           deny: 1
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ### Trigger an auto-approval
 
 To trigger an auto-approval, login to Teleport as the current on-call user in Datadog,

docs/pages/admin-guides/access-controls/access-request-plugins/opsgenie.mdx

@@ -56,9 +56,8 @@ API.
 
 ### Create a requester role
 
-To create a user first navigate to Management -> Access -> Roles
-
-Then select 'Create New Role' and create the requester role.
+To create a user, first navigate to **Access -> Roles**. Then select **Create
+New Role** and create the requester role.
 
 ```
 kind: role

docs/pages/admin-guides/access-controls/access-request-plugins/servicenow.mdx

@@ -58,6 +58,8 @@ spec:
         - YOUR_SERVICENOW_ROTA_ID_HERE
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 To retrieve the ServiceNow rotation ID, navigate to the group record
 of the ServiceNow group the rotation belongs to and right click on
 header, then click 'Select copy sys_id' to copy the ID.

docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx

@@ -135,6 +135,8 @@ role 'editor-reviewer' has been created
 role 'editor-requester' has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ### `demo-role-requester`
 
 Create a file called `demo-role-requester.yaml` with the following content:

docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx

@@ -43,6 +43,8 @@ Define this role in the file `contractor-role.yaml` and create it with `tctl`:
 $ tctl create contractor-role.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Use `tctl` to assign this role to a user (`alice` in this example):
 
 ```code

docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx

@@ -87,6 +87,8 @@ Update the role:
 $ tctl create -f device-enforcement.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ## Cluster-wide trusted device enforcement
 
 Cluster-wide configuration enforces trusted device access at the cluster level.

docs/pages/admin-guides/access-controls/getting-started.mdx

@@ -244,6 +244,8 @@ $ tctl create -f /tmp/interns.yaml
 $ tctl get roles --format text
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ## Next steps
 
 - [Mapping SSO and local users traits with role templates](./guides/role-templates.mdx)

docs/pages/admin-guides/access-controls/guides/dual-authz.mdx

@@ -156,6 +156,8 @@ spec:
       'type': 'db'
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 The commands below create the local users Bob, Alice, and Ivan.
 
 ```code

docs/pages/admin-guides/access-controls/guides/impersonation.mdx

@@ -60,6 +60,8 @@ Create the resources:
 $ tctl create -f jenkins.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ## Step 2/3: Create an impersonator role
 
 Next, we will create a role called `impersonator`. Users with this role will be permitted to

docs/pages/admin-guides/access-controls/guides/locking.mdx

@@ -118,6 +118,8 @@ $ tctl create -f locksmith.yaml
 # role 'locksmith' has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="locksmith"!)
 
 </Details>

docs/pages/admin-guides/access-controls/guides/role-templates.mdx

@@ -78,6 +78,8 @@ $ tctl users add alice --roles=alice
 $ tctl users add bob --roles=bob
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Having one role per user is not going to scale well. Because the roles
 are so similar, we can assign variables to each user, and use just one role template
 for both Alice and Bob.

docs/pages/admin-guides/access-controls/idps/saml-grafana.mdx

@@ -45,6 +45,8 @@ $ tctl create sp-manager.yaml
 role 'saml-idp-service-provider-manager' has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="saml_idp_service_provider" !)
 
 ## Step 2/3. Configure Grafana to recognize Teleport's identity provider

docs/pages/admin-guides/access-controls/idps/saml-guide.mdx

@@ -220,6 +220,8 @@ $ tctl create sp-manager.yaml
 role 'saml-idp-service-provider-manager' has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Next, add the role to your user.
 
 (!docs/pages/includes/add-role-to-user.mdx role="sp-manager"!)

docs/pages/admin-guides/access-controls/login-rules/guide.mdx

@@ -45,6 +45,8 @@ $ tctl create loginrule-manager.yaml
 role 'loginrule-manager' has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="loginrule-manager" !)
 
 ## Step 2/5. Draft your Login Rule resource

docs/pages/admin-guides/access-controls/sso/azuread.mdx

@@ -214,6 +214,8 @@ Create the role:
 $ tctl create dev.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/enterprise/samlauthentication.mdx!)
 
 ## Token encryption (Optional)

docs/pages/admin-guides/access-controls/sso/gitlab.mdx

@@ -190,6 +190,8 @@ $ tctl create -f admin.yaml
 $ tctl create -f dev.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ## Enable default OIDC authentication
 
 (!docs/pages/includes/enterprise/oidcauthentication.mdx!)

docs/pages/admin-guides/access-controls/sso/okta.mdx

@@ -307,6 +307,8 @@ $ tctl create dev.yaml
 We don't need to repeat this process for the "editor" role because this is a
 preset role that is available by default in all Teleport clusters.
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ## Testing
 
 The Web UI now contains a new "Okta" button at the login screen. To

docs/pages/admin-guides/access-controls/sso/one-login.mdx

@@ -157,6 +157,8 @@ Create the role:
 $ tctl create -f dev.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ## Troubleshooting
 
 (!docs/pages/includes/sso/loginerrortroubleshooting.mdx!)

docs/pages/admin-guides/api/automatically-register-agents.mdx

@@ -121,6 +121,8 @@ role 'register-apps' has been created
 user "register-apps" has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 ### Enable impersonation of the client application
 
 As with all Teleport users, the Teleport Auth Service authenticates the

docs/pages/admin-guides/api/rbac.mdx

@@ -142,6 +142,8 @@ role.rbac.authorization.k8s.io/pod-reader created
 rolebinding.rbac.authorization.k8s.io/read-pods created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Next, define a cluster role and cluster role binding that allow users in the
 `ops` group to read, create, and execute commands on pods in all namespaces. Add
 the following to a file called `pod-ops.yaml`:

docs/pages/admin-guides/management/admin/trustedclusters.mdx

@@ -231,6 +231,8 @@ your Teleport username:
    $ tctl create visitor.yaml
    ```
 
+   (!docs/pages/includes/create-role-using-web.mdx!)
+
    You now have a `visitor` role on your leaf cluster. The `visitor` role allows 
    users with the `visitor` login to access nodes in the leaf cluster. In the next step, 
    you must add the `visitor` login to your user so you can satisfy the conditions of 

docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx

@@ -361,6 +361,8 @@ In this step, you will define a Teleport role that confers access to the
    $ tctl create aws-ro-access.yaml
    ```
 
+   (!docs/pages/includes/create-role-using-web.mdx!)
+
 1. (!docs/pages/includes/add-role-to-user.mdx role="aws-ro-access"!)
 
 ## Step 3/4. Set up the Teleport Application Service

docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx

@@ -347,6 +347,8 @@ Create the role:
 $ tctl create -f google-cloud-cli-access.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 </TabItem>
 <TabItem options="Dynamic Identities" label="SAML/OIDC Connectors">
 
@@ -392,6 +394,8 @@ Create the role:
 $ tctl create -f google-cloud-cli-access
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 </TabItem>
 <TabItem options="Static Identities" label="All Authentication Methods">
 

docs/pages/enroll-resources/application-access/guides/connecting-apps.mdx

@@ -164,6 +164,8 @@ Teleport, you must configure these yourself:
    $ tctl users add --roles=demo-app-access appuser
    ```
 
+   (!docs/pages/includes/create-role-using-web.mdx!)
+
    When `appuser` attempts to access the application you enrolled earlier
    through the Teleport Web UI, the the Teleport Proxy Service forwards the
    request with a Teleport-signed JSON web token to the Teleport Application

docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx

@@ -134,6 +134,8 @@ Create the new role:
 $ tctl create -f aws-dynamodb-access.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="aws-dynamodb-access"!)
 
 ## Step 3/4. Install the Teleport Database Service

docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx

@@ -155,6 +155,8 @@ Create the new role:
 $ tctl create -f aws-opensearch-access.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="aws-opensearch-access"!)
 
 ## Step 3/4. Install the Teleport Database Service

docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx

@@ -206,6 +206,8 @@ $ tctl create -f redshift-role.yaml
 role 'redshift-serverless-access' has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="redshift-serverless-access"!)
 
 ## Step 5/5. Connect

docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx

@@ -363,6 +363,8 @@ $ tctl create -f azure-database-role.yaml
 role 'azure-database-role.yaml' has been created
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (\!docs/pages/includes/add-role-to-user.mdx role="azure-database-access" \!)
 
 ### Start Teleport Database Service

docs/pages/enroll-resources/database-access/getting-started.mdx

@@ -173,6 +173,8 @@ spec:
 EOF
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Create the Teleport user assigned the `db` role we've just created:
 
 <Tabs>

docs/pages/enroll-resources/desktop-access/directory-sharing.mdx

@@ -170,6 +170,8 @@ Create the role:
 $ tctl create -f role.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="no-sharing"!)
 
 ## Next steps

docs/pages/enroll-resources/desktop-access/getting-started.mdx

@@ -243,6 +243,8 @@ To configure a role for desktop access:
    $ tctl create -f windows-desktop-admins.yaml
    ```
 
+   (!docs/pages/includes/create-role-using-web.mdx!)
+
 1. (\!docs/pages/includes/add-role-to-user.mdx role="windows-desktop-admins" \!)
 
 ## Step 4/4. Connect

docs/pages/enroll-resources/kubernetes-access/getting-started.mdx

@@ -70,13 +70,15 @@ impersonates the `viewers` group when proxying requests from the user.
        - viewers
      deny: {}
    ```
-
+   
 1. Apply your changes:
 
    ```code
    $ tctl create -f kube-access.yaml
    ```
 
+   (!docs/pages/includes/create-role-using-web.mdx!)
+
 1. (!docs/pages/includes/add-role-to-user.mdx role="kube-access"!)
 
 While you have authorized the `kube-access` role to access Kubernetes clusters

docs/pages/enroll-resources/kubernetes-access/manage-access.mdx

@@ -357,6 +357,8 @@ following command:
 $ tctl create kube-access.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="kube-access"!)
 
 ## Step 3/3. Access resources

docs/pages/enroll-resources/kubernetes-access/register-clusters/dynamic-registration.mdx

@@ -202,6 +202,8 @@ Create the role:
 $ tctl create -f kube-manager.yaml
 ```
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 (!docs/pages/includes/add-role-to-user.mdx role="kube-manager"!)
 
 ## Step 3/3. Manage dynamic Kubernetes cluster resources

docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx

@@ -74,6 +74,8 @@ least privilege and reduces damage that exfiltrated credentials can do.
 
 Use `tctl create -f ./role.yaml` to create the role.
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Now, use `tctl bots update` to add the role to the Bot. Replace `example`
 with the name of the Bot you created in the deployment guide and `example-role`
 with the name of the role you just created:

docs/pages/enroll-resources/machine-id/access-guides/applications.mdx

@@ -48,6 +48,8 @@ will need access to.
 
 Use `tctl create -f ./role.yaml` to create the role.
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Now, use `tctl bots update` to add the role to the Bot. Replace `example`
 with the name of the Bot you created in the deployment guide and `example-role`
 with the name of the role you just created:

docs/pages/enroll-resources/machine-id/access-guides/databases.mdx

@@ -66,6 +66,8 @@ Replace:
 
 Use `tctl create -f ./role.yaml` to create the role.
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Now, use `tctl bots update` to add the role to the Bot. Replace `example`
 with the name of the Bot you created in the deployment guide and `example-role`
 with the name of the role you just created:

docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx

@@ -101,6 +101,8 @@ Adjust the `allow` field for your environment:
 
 Use `tctl create -f ./role.yaml` to create the role.
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Now, use `tctl bots update` to add the role to the Bot. Replace `example`
 with the name of the Bot you created in the deployment guide and `example-role`
 with the name of the role you just created:

docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx

@@ -57,6 +57,8 @@ of least privilege and limits the damage that exfiltrated credentials can do.
 
 Use `tctl create -f ./role.yaml` to create the role.
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Now, use `tctl bots update` to add the role to the Bot. Replace `example`
 with the name of the Bot you created in the deployment guide and `example-role`
 with the name of the role you just created:

docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx

@@ -56,6 +56,8 @@ Replace `example-role` with a descriptive name related to your use case.
 
 Use `tctl create -f ./role.yaml` to create the role.
 
+(!docs/pages/includes/create-role-using-web.mdx!)
+
 Now, use `tctl bots update` to add the role to the Bot. Replace `example`
 with the name of the Bot you created in the deployment guide and `example-role`
 with the name of the role you just created: