Cloud: Add clarifying note to IDP and groups

[tmjd]

Product Version(s):
Calico Cloud

Issue:
User thought a user given Admin through IDP groups should have Team Management permissions. This PR clarifies that is not the case.

Link to docs preview:

SME review:

• An SME has approved this change.

DOCS review:

• A member of the docs team has approved this change.

Additional information:

Merge checklist:

• Deploy preview inspected wherever changes were made
• Build completed successfully
• Test have passed

[netlify]

✅ Deploy Preview for calico-docs-preview-next ready!

Name	Link
🔨 Latest commit	41c8f6b
🔍 Latest deploy log	https://app.netlify.com/projects/calico-docs-preview-next/deploys/69af21cbe5dbb100081a3e3f
😎 Deploy Preview	https://deploy-preview-2576--calico-docs-preview-next.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview succeeded!

Name	Link
🔨 Latest commit	41c8f6b
🔍 Latest deploy log	https://app.netlify.com/projects/tigera/deploys/69af21cb5643ec0008ac7094
😎 Deploy Preview	https://deploy-preview-2576--tigera.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 68 (🟢 up 1 from production) Accessibility: 98 (no change from production) Best Practices: 92 (no change from production) SEO: 100 (no change from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[ctauchen]

We should be specific about the permissions that can't be assigned this way. Do you have a complete list?

If I can't assign them with IdP groups, what's the workaround?

[ctauchen]

@tmjd

[tmjd]

The user and role management are the only two permissions that I'm aware of.
The expectation is that any user needing to have Organization Admin needs to be explicitly assigned the Admin role.

[tmjd]

I missed that this include access to the Usage page. So roles assigned through IDP groups will not give access to the Manage Team or Usage pages.

[ctauchen]

@tmjd Let's move this note out of the procedure and into a dedicated Limitations section before Prerequisites. Here's the suggested wording:

## Limitations

The following organization-level permissions cannot be assigned through IdP groups:

- Manage Team
- Usage Metrics

To grant these permissions, assign them directly to individual users in the Calico Cloud web console.

---

Also, please remember to put this through to vNext.