backport of commit cf43d3eeed23a8f098e002ccd094c2dfc4385b55 (#22788)

Co-authored-by: Bianca Moreira <48203644+biazmoreira@users.noreply.github.com>
2023-09-06 10:07:09 -04:00 · 2023-09-06 10:07:09 -04:00 · 4969480dfb
parent ba9806c971
commit 4969480dfb
36 changed files with 247 additions and 48 deletions
--- a/website/content/api-docs/system/audit-hash.mdx
+++ b/website/content/api-docs/system/audit-hash.mdx
@ -14,6 +14,8 @@ for a hashed value when the original value is known.

 ## Calculate hash

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint hashes the given input data with the specified audit device's
 hash function and salt. This endpoint can be used to discover whether a given
 plaintext string (the `input` parameter) appears in the audit log in obfuscated
--- a/website/content/api-docs/system/auth.mdx
+++ b/website/content/api-docs/system/auth.mdx
@ -12,6 +12,8 @@ token which can be used for all future requests.

 ## List auth methods

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists all enabled auth methods.

 | Method | Path        |
@ -81,6 +83,8 @@ $ curl \

 ## Enable auth method

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint enables a new auth method. After enabling, the auth method can
 be accessed and configured via the auth path specified as part of the URL. This
 auth path will be nested under the `auth` prefix.
@ -182,6 +186,8 @@ $ curl \

 ## Read auth method configuration

+@include 'alerts/restricted-admin.mdx'
+
 This endpoints returns the configuration of the auth method at the given path.

 | Method | Path              |
@ -231,6 +237,8 @@ $ curl \

 ## Disable auth method

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint disables the auth method at the given auth path.

 - **`sudo` required** – This endpoint requires `sudo` capability in addition to
@ -256,7 +264,9 @@ $ curl \

 ## Read auth method tuning

-This endpoint reads the given auth path's configuration. _This endpoint requires
+@include 'alerts/restricted-admin.mdx'
+
+- This endpoint reads the given auth path's configuration. This endpoint requires
 `sudo` capability on the final path, but the same functionality can be achieved
 without `sudo` via `sys/mounts/auth/[auth-path]/tune`._

@ -293,6 +303,8 @@ $ curl \

 ## Tune auth method

+@include 'alerts/restricted-admin.mdx'
+
 Tune configuration parameters for a given auth path. _This endpoint
 requires `sudo` capability on the final path, but the same functionality
 can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
--- a/website/content/api-docs/system/capabilities-self.mdx
+++ b/website/content/api-docs/system/capabilities-self.mdx
@ -16,6 +16,8 @@ memberships.

 ## Query self capabilities

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the capabilities of client token on the given paths. The
 client token is the Vault token with which this API call is made. Multiple
 paths are taken in at once and the capabilities of the token for each path is
--- a/website/content/api-docs/system/capabilities.mdx
+++ b/website/content/api-docs/system/capabilities.mdx
@ -15,6 +15,8 @@ through the entity and entity's group memberships.

 ## Query token capabilities

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the list of capabilities of a given token on the given
 paths. Multiple paths are taken in at once and the capabilities of the token
 for each path is returned. For backwards compatibility, if a single path is
--- a/website/content/api-docs/system/config-control-group.mdx
+++ b/website/content/api-docs/system/config-control-group.mdx
@ -13,6 +13,8 @@ settings.

 ## Read control group settings

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the current Control Group configuration.

 | Method | Path                        |
@ -37,6 +39,8 @@ $ curl \

 ## Configure control group settings

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint allows configuring control groups.

 | Method | Path                        |
@ -67,6 +71,8 @@ $ curl \

 ## Delete control group settings

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint removes any control group configuration.

 | Method   | Path                        |
--- a/website/content/api-docs/system/control-group.mdx
+++ b/website/content/api-docs/system/control-group.mdx
@ -7,6 +7,7 @@ description: The '/sys/control-group' endpoint handles the Control Group workflo
 ## Authorize control group request

@include 'alerts/enterprise-and-hcp-plus.mdx'
+@include 'alerts/restricted-admin.mdx'

 This endpoint authorizes a control group request.

@ -48,6 +49,8 @@ $ curl \

 ## Check control group request status

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint checks the status of a control group request.

 | Method | Path                         |
--- a/website/content/api-docs/system/ha-status.mdx
+++ b/website/content/api-docs/system/ha-status.mdx
@ -11,6 +11,8 @@ It lists the active node and the peers that it's heard from since it became acti

 ## HA status

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the HA status of the Vault cluster.

 | Method | Path               |
--- a/website/content/api-docs/system/internal-counters.mdx
+++ b/website/content/api-docs/system/internal-counters.mdx
@ -13,6 +13,8 @@ The `/sys/internal/counters` endpoints are used to return data about the number

 ## Entities

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the total number of Entities.

 | Method | Path                              |
@ -51,6 +53,8 @@ $ curl \

 ## Tokens

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the total number of Tokens.

 | Method | Path                            |
@ -89,6 +93,8 @@ $ curl \

 ## Client count

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns client activity information for a given billing
 period, which is represented by the `start_time` and `end_time` parameters.

@ -720,6 +726,8 @@ $ curl \

 ## Partial month client count

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the client activity in the current month. The response
 will have activity attributions per namespace, per mount within each namespaces,
 and new clients information.
@ -863,6 +871,8 @@ $ curl \

 ## Update the client count configuration

+@include 'alerts/restricted-admin.mdx'
+
 The `/sys/internal/counters/config` endpoint is used to configure logging of active clients.

 | Method | Path                            |
@ -901,6 +911,8 @@ $ curl \

 ## Read the client count configuration

+@include 'alerts/restricted-admin.mdx'
+
 Reading the configuration shows the current settings, as well as a flag as to whether any data can be queried.

 - `enabled` `(string)` - returns `default-enabled` or `default-disabled` if the configuration is `default`.
@ -938,6 +950,8 @@ $ curl \

 ## Activity export

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns an export of the clients that had activity within the
 provided start and end times. The returned set of client information will be
 deduplicated over the time window and will show the earliest activity logged for
--- a/website/content/api-docs/system/internal-specs-openapi.mdx
+++ b/website/content/api-docs/system/internal-specs-openapi.mdx
@ -25,6 +25,8 @@ structure, and other endpoints will be modified incrementally.

 ## Get OpenAPI document

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns a single OpenAPI document describing all paths visible to the requester.

 | Method | Path                          |
--- a/website/content/api-docs/system/internal-ui-feature.mdx
+++ b/website/content/api-docs/system/internal-ui-feature.mdx
@ -16,6 +16,8 @@ guarantee on backwards compatibility for this endpoint.

 ## Get enabled feature flags

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists the enabled feature flags relevant to the UI.

 | Method | Path                             |
--- a/website/content/api-docs/system/internal-ui-mounts.mdx
+++ b/website/content/api-docs/system/internal-ui-mounts.mdx
@ -22,6 +22,8 @@ compatibility for this endpoint.

 ## Get available visible mounts

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists all enabled auth methods.

 | Method | Path                      |
@ -59,6 +61,8 @@ $ curl \

 ## Get single mount details

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists details for a specific mount path. This is an
 authenticated endpoint, and is currently only being used internally.

--- a/website/content/api-docs/system/internal-ui-resultant-acl.mdx
+++ b/website/content/api-docs/system/internal-ui-resultant-acl.mdx
@ -15,6 +15,8 @@ intended usage, there is no guarantee on backwards compatibility for this endpoi

 ## Get resultant-acl

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists the resultant-acl relevant to the UI.

 | Method | Path                             |
--- a/website/content/api-docs/system/leader.mdx
+++ b/website/content/api-docs/system/leader.mdx
@ -13,6 +13,8 @@ current leader of Vault.

 ## Read leader status

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the high availability status and current leader instance
 of Vault.

--- a/website/content/api-docs/system/leases.mdx
+++ b/website/content/api-docs/system/leases.mdx
@ -10,6 +10,8 @@ The `/sys/leases` endpoints are used to view and manage leases in Vault.

 ## Read lease

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint retrieve lease metadata.

 | Method | Path                 |
@ -53,6 +55,8 @@ $ curl \

 ## List leases

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns a list of lease ids.

 **This endpoint requires 'sudo' capability.**
@ -82,6 +86,8 @@ $ curl \

 ## Renew lease

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint renews a lease, requesting to extend the lease. Token leases
 cannot be renewed using this endpoint, use instead the auth/token/renew endpoint.

@ -130,6 +136,8 @@ $ curl \

 ## Revoke lease

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint revokes a lease immediately.

 | Method | Path                 |
@ -166,6 +174,8 @@ $ curl \

 ## Revoke force

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint revokes all secrets or tokens generated under a given prefix
 immediately. Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors
 encountered during revocation. This is _potentially very dangerous_ and should
@ -198,6 +208,8 @@ $ curl \

 ## Revoke prefix

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint revokes all secrets (via a lease ID prefix) or tokens (via the
 tokens' path property) generated under a given prefix immediately. This requires
 `sudo` capability and access to it should be tightly controlled as it can be
@ -228,6 +240,8 @@ $ curl \

 ## Tidy leases

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint cleans up the dangling storage entries for leases: for each lease
 entry in storage, Vault will verify that it has an associated valid non-expired
 token in storage, and if not, the lease will be revoked.
@ -251,6 +265,8 @@ $ curl \

 ## Lease counts

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the total count of a `type` of lease, as well as a count
 per mount point. Note that it currently only supports type "irrevocable".

@ -281,6 +297,8 @@ $ curl \

 ## Leases list

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the total count of a `type` of lease, as well as a list
 of leases per mount point. Note that it currently only supports type
 "irrevocable".
--- a/website/content/api-docs/system/license.mdx
+++ b/website/content/api-docs/system/license.mdx
@ -15,6 +15,8 @@ Vault.

 ## License status

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns information about licensing. See [license autoloading](/vault/docs/enterprise/license/autoloading) for additional background.

 In the response:
--- a/website/content/api-docs/system/managed-keys.mdx
+++ b/website/content/api-docs/system/managed-keys.mdx
@ -11,6 +11,8 @@ See the [Managed Keys](/vault/docs/enterprise/managed-keys) section for further

 ## List managed keys.

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists all the Managed Keys of a certain type within the namespace.

 | Method | Path                      |
@ -43,6 +45,8 @@ $ curl \

 ## Create/Update managed key

+@include 'alerts/restricted-admin.mdx'
+
 An endpoint that will create or update a Managed Key within a given namespace. The :type refers to the backend type
 that the key is to use, such as `pkcs11`. The :name argument is unique name within all managed key types in
 the namespace.
@ -262,6 +266,8 @@ $ curl \

 ## Read managed key

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the managed key configuration at the given path.

 | Method | Path                            |
@ -306,6 +312,8 @@ $ curl \

 ## Test sign with a managed key

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint allows an operator to validate that a managed key configuration works
 by signing and verifying some randomly generated data. If the call returns a successful HTTP
 status code, the configuration can be considered valid.
@ -347,6 +355,8 @@ $ curl \

 ## Delete managed key

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint deletes the managed key at the given path provided it is not
 listed within any mount point's `allowed_managed_keys`.

--- a/website/content/api-docs/system/mfa/index.mdx
+++ b/website/content/api-docs/system/mfa/index.mdx
@ -8,6 +8,8 @@ description: >-

 # `/sys/mfa`

+@include 'alerts/restricted-admin.mdx'
+
 The `/sys/mfa` endpoint focuses on managing Multi-factor Authentication (MFA)
 behaviors in Vault Enterprise MFA.

--- a/website/content/api-docs/system/monitor.mdx
+++ b/website/content/api-docs/system/monitor.mdx
@ -13,6 +13,8 @@ some log lines will be dropped.

 ## Monitor system logs

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint streams logs back to the client from Vault. Note that unlike most API endpoints in Vault, this one
 does not return JSON by default. This will send back data in whatever log format Vault has been configured with. By
 default, this is text.
--- a/website/content/api-docs/system/mounts.mdx
+++ b/website/content/api-docs/system/mounts.mdx
@ -10,6 +10,8 @@ The `/sys/mounts` endpoint is used to manage secrets engines in Vault.

 ## List mounted secrets engines

+@include 'alerts/restricted-admin.mdx'
+
 This endpoints lists all the mounted secrets engines.

 | Method | Path          |
@ -119,6 +121,8 @@ are used by this backend.

 ## Enable secrets engine

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint enables a new secrets engine at the given path.

 | Method | Path                |
@ -215,6 +219,8 @@ $ curl \

 ## Disable secrets engine

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint disables the mount point specified in the URL.

 | Method   | Path                |                    |
@ -249,6 +255,8 @@ in dangling credentials. This is meant for extreme circumstances.

 ## Get the configuration of a secret engine

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the configuration of a specific secret engine.

 | Method | Path                |
@ -310,6 +318,8 @@ $ curl \

 ## Read mount configuration

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint reads the given mount's configuration. Unlike the `mounts`
 endpoint, this will return the current time in seconds for each TTL, which may
 be the system default or a mount-specific value.
@ -338,6 +348,8 @@ $ curl \

 ## Tune mount configuration

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint tunes configuration parameters for a given mount point.

 | Method | Path                     |
--- a/website/content/api-docs/system/plugins-catalog.mdx
+++ b/website/content/api-docs/system/plugins-catalog.mdx
@ -12,6 +12,8 @@ once registered backends can use the plugin by querying the catalog.

 ## LIST plugins

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists the plugins in the catalog by type.

 | Method | Path                   |
@ -83,6 +85,8 @@ $ curl \

 ## LIST plugins

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists the plugins in the catalog by type.

 | Method | Path                            |
@ -118,6 +122,8 @@ $ curl \

 ## Register plugin

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint registers a new plugin, or updates an existing one with the
 supplied name.

@ -175,6 +181,8 @@ $ curl \

 ## Read plugin

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the configuration data for the plugin with the given name.

 - **`sudo` required** – This endpoint requires `sudo` capability in addition to
@ -221,6 +229,8 @@ $ curl \

 ## Remove plugin from catalog

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint removes the plugin with the given name.

 - **`sudo` required** – This endpoint requires `sudo` capability in addition to
--- a/website/content/api-docs/system/plugins-reload-backend.mdx
+++ b/website/content/api-docs/system/plugins-reload-backend.mdx
@ -13,6 +13,8 @@ provided, all mounted paths that use that plugin backend will be reloaded.

 ## Reload plugins

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint reloads mounted plugin backends.

 | Method | Path -                        |
--- a/website/content/api-docs/system/policies-password.mdx
+++ b/website/content/api-docs/system/policies-password.mdx
@ -18,6 +18,8 @@ as well as the syntax of the policies themselves.

 ## Create/Update password policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint adds a new or updates an existing password policy. Once a policy is updated,
 it takes effect immediately to all associated secret engines.

@ -79,6 +81,8 @@ $ vault write sys/policies/password/my-policy policy=@my-policy.hcl

 ## List password policies

+@include 'alerts/restricted-admin.mdx'
+
 This endpoints list the password policies.

 | Method  | Path                               |
@ -116,6 +120,8 @@ $ curl \

 ## Read password policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint retrieves information about the named password policy.

 | Method | Path                           |
@ -145,6 +151,8 @@ $ curl \

 ## Delete password policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint deletes the password policy with the given name. This does not check if any
 secret engines are using it prior to deletion, so you should ensure that any engines that
 are utilizing this password policy are changed to a different policy (or to that engines'
@ -170,6 +178,8 @@ $ curl \

 ## Generate password from password policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint generates a password from the specified existing password policy.

 | Method | Path                                    |
--- a/website/content/api-docs/system/policies.mdx
+++ b/website/content/api-docs/system/policies.mdx
@ -18,6 +18,8 @@ Vault Open Source or basic Vault Enterprise installations.

 ## List ACL policies

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists all configured ACL policies.

 | Method | Path                |
@ -42,6 +44,8 @@ $ curl \

 ## Read ACL policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint retrieves information about the named ACL policy.

 | Method | Path                      |
@ -72,6 +76,8 @@ $ curl \

 ## Create/Update ACL policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint adds a new or updates an existing ACL policy. Once a policy is
 updated, it takes effect immediately to all associated users.

@ -107,6 +113,8 @@ $ curl \

 ## Delete ACL policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint deletes the ACL policy with the given name. This will immediately
 affect all users associated with this policy. (A deleted policy set on a token
 acts as an empty policy.)
@ -131,6 +139,8 @@ $ curl \

 ## List RGP policies

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists all configured RGP policies.

 | Method | Path                |
@ -155,6 +165,8 @@ $ curl \

 ## Read RGP policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint retrieves information about the named RGP policy.

 | Method | Path                      |
@ -186,6 +198,8 @@ $ curl \

 ## Create/Update RGP policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint adds a new or updates an existing RGP policy. Once a policy is
 updated, it takes effect immediately to all associated users.

@ -226,6 +240,8 @@ $ curl \

 ## Delete RGP policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint deletes the RGP policy with the given name. This will immediately
 affect all users associated with this policy. (A deleted policy set on a token
 acts as an empty policy.)
@ -250,6 +266,8 @@ $ curl \

 ## List EGP policies

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists all configured EGP policies. Since EGP policies act on a
 path, this endpoint returns two identifiers:

@ -280,6 +298,8 @@ $ curl \

 ## Read EGP policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint retrieves information about the named EGP policy.

 | Method | Path                      |
@ -312,6 +332,8 @@ $ curl \

 ## Create/Update EGP policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint adds a new or updates an existing EGP policy. Once a policy is
 updated, it takes effect immediately to all associated users.

@ -358,6 +380,8 @@ $ curl \

 ## Delete EGP policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint deletes the EGP policy with the given name from all paths on which it was configured.

 | Method   | Path                      |
--- a/website/content/api-docs/system/policy.mdx
+++ b/website/content/api-docs/system/policy.mdx
@ -10,6 +10,8 @@ The `/sys/policy` endpoint is used to manage ACL policies in Vault.

 ## List policies

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint lists all configured policies.

 | Method | Path          |
@ -34,6 +36,8 @@ $ curl \

 ## Read policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint retrieve the policy body for the named policy.

 | Method | Path                |
@ -64,6 +68,8 @@ $ curl \

 ## Create/Update policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint adds a new or updates an existing policy. Once a policy is
 updated, it takes effect immediately to all associated users.

@ -98,6 +104,8 @@ $ curl \

 ## Delete policy

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint deletes the policy with the given name. This will immediately
 affect all users associated with this policy.

--- a/website/content/api-docs/system/remount.mdx
+++ b/website/content/api-docs/system/remount.mdx
@ -12,11 +12,14 @@ The Remount documentation details the endpoints required to trigger and monitor

 ## Move backend

-The `/sys/remount` endpoint moves an already-mounted backend to a new mount point. This process works for both secret 
+@include 'alerts/restricted-admin.mdx'
+
+The `/sys/remount` endpoint moves an already-mounted backend to a new mount point. Remounting works for both secret
 engines and auth methods.

-The remount operation returns a migration ID to the user. The user may utilize the migration ID to look up 
-the status of the mount migration. More details about the remount operation are described in 
+Vault returns a migration ID when the remount operation completes. You
+can use the migration ID to look up the status of the mount migration.
+More details about the remount operation are described in
 [Mount Migration](/vault/docs/concepts/mount-migration).

 ~> Note: This endpoint requires a policy with both `sudo` and `update` capabilities to `sys/remount`
@ -82,6 +85,8 @@ $ curl \

 ## Monitor migration status

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint is used to monitor the status of a mount migration operation, using the ID returned in the response
 of the `sys/remount` call. The response contains the passed-in ID, the source and target mounts, and a status field
 that displays `in-progress`, `success` or `failure`.
--- a/website/content/api-docs/system/seal-status.mdx
+++ b/website/content/api-docs/system/seal-status.mdx
@ -10,6 +10,8 @@ The `/sys/seal-status` endpoint is used to check the seal status of a Vault.

 ## Seal status

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the seal status of the Vault. This is an unauthenticated
 endpoint.

--- a/website/content/api-docs/system/tools.mdx
+++ b/website/content/api-docs/system/tools.mdx
@ -10,6 +10,8 @@ The `/sys/tools` endpoints are a general set of tools.

 ## Generate random bytes

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns high-quality random bytes of the specified length.

 | Method | Path                                   |
@ -59,6 +61,8 @@ $ curl \

 ## Hash data

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the cryptographic hash of given data using the specified
 algorithm.

--- a/website/content/api-docs/system/user-lockout.mdx
+++ b/website/content/api-docs/system/user-lockout.mdx
@ -8,11 +8,13 @@ description: The `/sys/locked-users` endpoint is used to manage locked users in

 The `/sys/locked-users` endpoint is used to list and unlock locked users in Vault.

-Please visit [user lockout](/vault/docs/concepts/user-lockout) concepts page for more details about the feature. 
+Refer to the [user lockout](/vault/docs/concepts/user-lockout) overview for more details about how Vault handles lockouts.

 ## List locked users

-This endpoint lists the locked users information in Vault. 
+@include 'alerts/restricted-admin.mdx'
+
+The list endpoint returns information on the users currently locked by Vault.

 The response will include all child namespaces of the namespace in which the
 request was made. If some namespace has subsequently been deleted, its path will
@ -31,7 +33,7 @@ This endpoint was added in Vault 1.13.

 - `mount_accessor` `(string, optional)` -  Specifies the identifier of the auth mount entry to which the user
 belongs in the namespace in which the request was made. If no mount accessor is specified,
-the response will include locked users in all child namespaces of the namespace in which the request was made. 
+the response includes locked users in all child namespaces of the namespace in which the request was made.

 ### Sample request

@ -193,8 +195,10 @@ $ curl \

 ## Unlock user

-This endpoint unlocks a locked user with provided mount_accessor and alias_identifier in namespace in which the request was made if locked. 
-This command is idempotent, meaning it succeeds even if user with the given mount_accessor and alias_identifier is not locked. 
+@include 'alerts/restricted-admin.mdx'
+
+The unlock user endpoint frees a locked user with the provided `mount_accessor` and `alias_identifier` in the given namespace.
+The unlock command is idempotent. Calls to the endpoint succeed even if the user matching the provided `mount_accessor` and `alias_identifier` is not currently locked.


 This endpoint was added in Vault 1.13.
@ -207,7 +211,7 @@ This endpoint was added in Vault 1.13.

 - `mount_accessor` `(string, required)` - Specifies the identifier of the auth mount entry to which the user
 belongs
- `alias_identifier` `(string, required)` - It is the name of the alias (user). For example, if the alias 
+- `alias_identifier` `(string, required)` - The name of the alias (user). For example, if the alias
 belongs to userpass backend, the name should be a valid username within userpass auth method. If the alias belongs
 to an approle auth method, the name should be a valid RoleID. If the alias belongs to an ldap auth method, the name
 should be a valid username.
--- a/website/content/api-docs/system/version-history.mdx
+++ b/website/content/api-docs/system/version-history.mdx
@ -13,6 +13,8 @@ The `/sys/version-history` endpoint is used to retrieve the version history of a

 ## Read version history

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the version history of the Vault. The response will contain the following keys:

 - `keys`: a list of installed versions in chronological order based on the time installed
--- a/website/content/api-docs/system/wrapping-lookup.mdx
+++ b/website/content/api-docs/system/wrapping-lookup.mdx
@ -10,6 +10,8 @@ The `/sys/wrapping/lookup` endpoint returns wrapping token properties.

 ## Wrapping lookup

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint looks up wrapping properties for the given token.

 | Method | Path                   |
--- a/website/content/api-docs/system/wrapping-rewrap.mdx
+++ b/website/content/api-docs/system/wrapping-rewrap.mdx
@ -13,6 +13,8 @@ refresh its TTL.

 ## Wrapping rewrap

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint rewraps a response-wrapped token. The new token will use the same
 creation TTL as the original token and contain the same response. The old token
 will be invalidated. This can be used for long-term storage of a secret in a
--- a/website/content/api-docs/system/wrapping-unwrap.mdx
+++ b/website/content/api-docs/system/wrapping-unwrap.mdx
@ -10,6 +10,8 @@ The `/sys/wrapping/unwrap` endpoint unwraps a wrapped response.

 ## Wrapping unwrap

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint returns the original response inside the given wrapping token.
 Unlike simply reading `cubbyhole/response` (which is deprecated), this endpoint
 provides additional validation checks on the token, returns the original value
--- a/website/content/api-docs/system/wrapping-wrap.mdx
+++ b/website/content/api-docs/system/wrapping-wrap.mdx
@ -13,6 +13,8 @@ token.

 ## Wrapping wrap

+@include 'alerts/restricted-admin.mdx'
+
 This endpoint wraps the given user-supplied data inside a response-wrapped
 token.

--- a/website/content/docs/enterprise/namespaces.mdx
+++ b/website/content/docs/enterprise/namespaces.mdx
@ -60,6 +60,19 @@ identities. This behavior can be configured using the [group-policy-application]
 can be set to allow policies to be applied irrespective of namespace hierarchy, allowing sharing
 across any namespace.

+### Administrative namespaces
+
+The Vault API includes system backend endpoints, which are mounted under the sys/ path.
+System endpoints let you interact with the internal features of your Vault instance.
+For security reasons, some of the system backend endpoints are restricted, and can only be called
+from the root namespace or using a token in the root namespace with elevated permissions.
+
+By default, Vault allows non-root calls to the less sensitive system backend endpoints.
+However, there may be instances where a Vault operator needs to provide access to a subset
+of the restricted endpoints, like sys/audit-hash and sys/monitor, without granting access
+to the full set of privileged sys/ paths. An administrative namespace lets Vault operators grant
+access to a subset of privileged endpoints by setting a parameter in their Vault configuration file.
+
 ## Usage

 API operations performed under a namespace can be done by providing the relative
--- a/website/content/partials/alerts/restricted-admin.mdx
+++ b/website/content/partials/alerts/restricted-admin.mdx
@ -0,0 +1,3 @@
+<Note title="Restricted endpoint">
+  The API path can only be called from the root or administrative namespace.
+</Note>
--- a/website/content/partials/alerts/restricted-root.mdx
+++ b/website/content/partials/alerts/restricted-root.mdx
@ -0,0 +1,3 @@
+<Note title="Restricted endpoint">
+  The API path can only be called from the root namespace.
+</Note>