diff --git a/content/operate/_index.md b/content/operate/_index.md index 00e10da784..88ed416974 100644 --- a/content/operate/_index.md +++ b/content/operate/_index.md @@ -45,9 +45,9 @@ hideListLinks: true | | {{}} Redis Cloud | {{}} Redis Software | {{}} Redis Open Source |
Redis for
Kubernetes | |:-----------|:--------------|:-----------|:--------------|:--------------| | Transport Layer Security (TLS) | [TLS]({{}}) | [TLS]({{}}) | [TLS]({{< relref "/operate/oss_and_stack/management/security/encryption" >}}) | [REDB tlsMode]({{}}) | -| Role-based access control (RBAC) | [Role-based access control]({{}}) | [Access control]({{}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{}}) | -| Lightweight Directory Access Protocol (LDAP) | | [LDAP authentication]({{}}) | | [Enable LDAP]({{}}) | +| Role-based access control (RBAC) | [Role-based access control]({{}}) | [Access control]({{}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{}}) | +| Lightweight Directory Access Protocol (LDAP) | | [LDAP authentication]({{}}) | | [Enable LDAP]({{}}) | | Single sign-on (SSO) | [SAML SSO]({{< relref "/operate/rc/security/access-control/saml-sso" >}}) | | | | -| Self-signed certificates | | [Certificates]({{}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{}}) | -| Internode encryption | [Encryption at rest]({{< relref "/operate/rc/security/encryption-at-rest" >}}) | [Internode encryption]({{}}) | | [Enable internode encryption]({{}}) | +| Self-signed certificates | | [Certificates]({{}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{}}) | +| Internode encryption | [Encryption at rest]({{< relref "/operate/rc/security/encryption-at-rest" >}}) | [Internode encryption]({{}}) | | [Enable internode encryption]({{}}) | | Auditing | | [Audit events]({{}}) | [Keyspace notifications]({{< relref "/develop/pubsub/keyspace-notifications" >}}) | | 
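Review bot: in the `Internode encryption` row of the `content/operate/_index.md` hunk, the Redis Cloud cell links `[Encryption at rest]` (`/operate/rc/security/encryption-at-rest`), which is a storage-layer control and not node-to-node transport encryption, so the row now presents two different protections as one feature; either leave the Redis Cloud cell empty on this row or give encryption at rest its own row. The `-`/`+` pairs for RBAC, LDAP and self-signed certificates render identically in this view because the changed relref targets are not visible, so those path changes cannot be checked from the hunk alone.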
diff --git a/content/operate/kubernetes/_index.md b/content/operate/kubernetes/_index.md index d387bafb00..ffb2408e2c 100644 --- a/content/operate/kubernetes/_index.md +++ b/content/operate/kubernetes/_index.md @@ -67,10 +67,10 @@ Set up globally distributed [Active-Active databases]({{< relref "/operate/kuber Manage [secure connections]({{< relref "/operate/kubernetes/security" >}}) and access control for your Redis Enterprise deployment. -- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) -- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) -- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}) +- [Manage REC credentials]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) +- [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) +- [LDAP authentication]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) ## Reference diff --git a/content/operate/kubernetes/active-active/_index.md b/content/operate/kubernetes/active-active/_index.md index d271fd34f0..8507cdd046 100644 --- a/content/operate/kubernetes/active-active/_index.md +++ b/content/operate/kubernetes/active-active/_index.md 
@@ -72,7 +72,7 @@ For examples, see the [YAML examples]({{< relref "/operate/kubernetes/reference/ The operator automates Active-Active certificate updates. When you update the proxy or syncer certificate secret on a participating cluster's REC, the operator detects the change and propagates the new certificate to the other participating clusters. -For details, see [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) and [cert-manager integration]({{< relref "/operate/kubernetes/security/cert-manager" >}}). +For details, see [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) and [cert-manager integration]({{< relref "/operate/kubernetes/security/certificates/cert-manager" >}}). ### Limitations diff --git a/content/operate/kubernetes/active-active/create-aa-crdb-cli.md b/content/operate/kubernetes/active-active/create-aa-crdb-cli.md index bf6c86d8d6..32d1cb1379 100644 --- a/content/operate/kubernetes/active-active/create-aa-crdb-cli.md +++ b/content/operate/kubernetes/active-active/create-aa-crdb-cli.md @@ -69,7 +69,7 @@ You'll need to create DNS aliases to resolve your API hostname ``, - Description: Combined with database name to create the Active-Active database hostname - Format: string - Example value: `-cluster.ijk.example.com` -- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) ` `: +- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) ` `: - Description: Admin username and password for the REC stored in a secret - Format: string - Example value: username: `user@example.com`, password: `something` diff --git a/content/operate/kubernetes/architecture/_index.md b/content/operate/kubernetes/architecture/_index.md index d92a0d1040..7443e0432b 100644 --- a/content/operate/kubernetes/architecture/_index.md 
+++ b/content/operate/kubernetes/architecture/_index.md @@ -84,25 +84,25 @@ See the [RedisEnterpriseDatabase (REDB) API Reference]({{}}) and [internode encryption]({{}}) using the [RedisEnterpriseCluster (REC)](#redisenterprisecluster-rec) spec. +Redis Enterprise for Kubernetes uses [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to manage your cluster credentials, cluster certificates, and client certificates. You can configure [LDAP]({{}}) and [internode encryption]({{}}) using the [RedisEnterpriseCluster (REC)](#redisenterprisecluster-rec) spec. ### REC credentials Redis Enterprise for Kubernetes uses the [RedisEnterpriseCluster (REC)]({{}}) [custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to create a Redis Enterprise cluster. During creation it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the name of the cluster. -See [Manage REC credentials]({{}}) for more details. +See [Manage REC credentials]({{}}) for more details. ### REC certificates By default, Redis Enterprise Software for Kubernetes generates TLS certificates for the cluster during creation. These self-signed certificates are generated on the first node of each Redis Enterprise cluster (REC) and are copied to all other nodes in the cluster. -See [Manage REC certificates]({{}}) for more details. +See [Manage REC certificates]({{}}) for more details. ### Client certificates For each client certificate you want to use, you need to create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) to hold it. You can then reference that secret in your [Redis Enterprise database (REDB)](#redisenterprisedatabase-redb) custom resource. -See [Add client certificates]({{}}) for more details. +See [Add client certificates]({{}}) for more details. ## Storage 
diff --git a/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md b/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md index 28d266c67e..b386151d70 100644 --- a/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md +++ b/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md @@ -27,7 +27,7 @@ API support has been added for the following features: - REAADB alerts - User-defined modules - Redis Software [8.0.6-54]({{< relref "/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54/" >}}) -- User-defined certificates for [internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) +- User-defined certificates for [internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) - SAML 2.0 single sign-on (SSO) authentication - Redis Flex diff --git a/content/operate/kubernetes/security/_index.md b/content/operate/kubernetes/security/_index.md index a04831b1ed..f9c0ef8acc 100644 --- a/content/operate/kubernetes/security/_index.md +++ b/content/operate/kubernetes/security/_index.md 
@@ -5,40 +5,30 @@ categories: - docs - operate - kubernetes -description: Configure security settings for Redis Enterprise clusters and databases on Kubernetes. +description: Configure security settings for Redis Software clusters and databases on Kubernetes. hideListLinks: true linkTitle: Security weight: 50 --- -Configure security settings for your Redis Enterprise deployment on Kubernetes. Redis Enterprise for Kubernetes provides comprehensive security features including TLS encryption, authentication, access control, and certificate management. +Configure security settings for Redis for Kubernetes. Security covers access control, cluster credentials, external identity providers, TLS certificates and encryption, and external secret management. -## Credentials and authentication +## Access control -Manage cluster credentials and authentication settings: +- [Access control]({{< relref "/operate/kubernetes/security/access-control" >}}) — manage Redis Software users, roles, ACLs, and role bindings as Kubernetes custom resources. -- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) - Configure and manage Redis Enterprise cluster credentials -- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management -- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}) - Integrate with LDAP for centralized authentication -- [SSO authentication]({{< relref "/operate/kubernetes/security/sso" >}}) - Enable SAML-based single sign-on for Cluster Manager UI access +## Authentication -## Certificates and encryption +- [Authentication]({{< relref "/operate/kubernetes/security/authentication" >}}) — manage cluster credentials, LDAP, SAML SSO, and configuration secrets. 
-Configure TLS certificates and encryption for secure communications: +## Certificates and encryption -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - Configure cluster certificates for TLS encryption -- [cert-manager integration]({{< relref "/operate/kubernetes/security/cert-manager" >}}) - Automate TLS certificate management with cert-manager -- [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) - Set up client certificate authentication for databases -- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) - Enable encryption between cluster nodes and configure custom certificates +- [Certificates and encryption]({{< relref "/operate/kubernetes/security/certificates" >}}) — provision TLS certificates, integrate cert-manager, add client certificates, and enable internode encryption. ## Secret management -Configure external secret management systems: - -- [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) - Configure HashiCorp Vault as the centralized secret management system for Redis Enterprise for Kubernetes +- [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) — use HashiCorp Vault as the centralized secret store for Redis for Kubernetes. ## Resource management -Configure security-related resource settings: - -- [Allow resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}) - Enable automatic adjustment of system resources for security compliance +- [Allow resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}) — enable automatic adjustment of system resources for security compliance. diff --git a/content/operate/kubernetes/security/access-control/_index.md b/content/operate/kubernetes/security/access-control/_index.md new file mode 100644 index 0000000000..723d548785 --- /dev/null 
+++ b/content/operate/kubernetes/security/access-control/_index.md 
@@ -0,0 +1,148 @@ +--- +Title: Access control +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Manage Redis Software users, roles, ACLs, and role bindings on Kubernetes with custom resources. +hideListLinks: true +linkTitle: Access control +weight: 20 +--- + +Access control lets you manage Redis Software users, roles, ACLs, and role bindings as Kubernetes custom resources. The operator reconciles each resource into the corresponding Redis Software object, so you can use GitOps workflows and Kubernetes Secrets instead of working only through the Redis Software REST API or Cluster Manager UI. + +## How access control works on Redis for Kubernetes + +You declare these `app.redislabs.com/v1alpha1` custom resources: + +| Resource | Scope | Purpose | +| --- | --- | --- | +| `RedisEnterpriseUser` | — | A Redis Software user, with credentials in a Kubernetes Secret. | +| `RedisEnterpriseACL` | — | A Redis ACL rule, mapped to a Redis Software ACL object. | +| `RedisEnterpriseRole` | Database | A management role and/or ACL applied to one or more REDBs selected by `spec.scopes`. | +| `RedisEnterpriseRoleBinding` | Database | Assigns a `RedisEnterpriseRole` to a user. | +| `RedisEnterpriseClusterRole` | Cluster | A management role and/or ACL applied across every REDB in the cluster. | +| `RedisEnterpriseClusterRoleBinding` | Cluster | Assigns a `RedisEnterpriseClusterRole` to a user. | + +When you apply one of these resources, the operator: + +1. Validates the spec. +2. Creates or updates the matching object in Redis Software. +3. Reports the resolved Redis Software UID and other state in the resource's `status`. +4. Emits Kubernetes events on reconciliation problems. + +## Roles and bindings + +The role and binding CRDs follow the same pattern as Kubernetes' own RBAC: a `Role` paired with a `RoleBinding` for the narrower scope, and a `ClusterRole` paired with a `ClusterRoleBinding` for cluster-wide access. 
The narrower scope is the unqualified default — that's why `RedisEnterpriseRole` (no qualifier) is the database-scoped kind, while `RedisEnterpriseClusterRole` carries the explicit `Cluster` prefix. + +### Database scope vs. cluster scope + +| | `RedisEnterpriseRole` | `RedisEnterpriseClusterRole` | +| --- | --- | --- | +| Scope | One or more REDBs | Every REDB in the cluster | +| Selects targets via | `spec.scopes` (REDB name or label selector) — required | No selector; applies cluster-wide | +| `managementRole` values | `DBMember`, `DBViewer`, `None` | `Admin`, `ClusterMember`, `ClusterViewer`, `DBMember`, `DBViewer`, `UserManager`, `None` | +| Binding kind | `RedisEnterpriseRoleBinding` | `RedisEnterpriseClusterRoleBinding` | + +A `RedisEnterpriseClusterRole` applies to REDBs even when they're represented by resources in other namespaces — the access flows through Redis Software, not through explicit REDB references. + +### What a role grants + +Every role carries permissions on two independent planes. Set either, or both: + +- **`spec.managementRole`** — Redis Software API and Cluster Manager UI permissions, chosen from the built-in roles listed in the table above. Same set of roles you'd assign in Cluster Manager today. +- **`spec.acls`** — a list of `RedisEnterpriseACL` references. Each ACL controls Redis data-path access (commands, key patterns, categories). Duplicate references are rejected; for different ACLs on different databases, create separate roles. + +### How a user gets permissions + +`RedisEnterpriseUser.spec` has no role references. Permissions reach a user through a binding: + +1. Create a `RedisEnterpriseACL` if you need data-path access. +2. Create a `RedisEnterpriseRole` or `RedisEnterpriseClusterRole` that sets `managementRole`, references the ACL, or both. +3. Create a `RedisEnterpriseRoleBinding` or `RedisEnterpriseClusterRoleBinding` whose `roleRef` points at the role and whose `subjects` list includes the user. 
+ +The user's effective roles appear in `status.roles`. A user with no binding gets the Redis Software `none` role so it's never roleless, but it has zero permissions until a binding lands. + +### Worked example + +End-to-end: an ACL, a database-scoped role that uses it, a binding that hands the role to a user, and the user itself. All four resources live in the operator namespace. + +```yaml +--- +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseACL +metadata: + name: read-only +spec: + acl: "+@read ~*" +--- +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseRole +metadata: + name: orders-viewer +spec: + managementRole: DBViewer + scopes: + - name: orders + acls: + - name: read-only +--- +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseRoleBinding +metadata: + name: alice-orders-viewer +spec: + roleRef: + name: orders-viewer + subjects: + - name: alice +--- +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseUser +metadata: + name: alice +spec: + email: alice@example.com + username: alice + passwordSecrets: + - name: alice-password +``` + +After applying this and a Secret named `alice-password` with a `password` key, Alice can sign in to Redis Software with `DBViewer` permissions on the `orders` REDB and run read-only Redis commands on every key in that database. + +## What's the same as Redis Software + +The underlying Redis Software behavior is unchanged. For concepts and reference details, see the existing Redis Software docs: + +- [Cluster-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-cluster-roles" >}}) — what `Admin`, `ClusterMember`, `ClusterViewer`, and `UserManager` grant. +- [Database-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-db-roles" >}}) — what `DBMember` and `DBViewer` grant. +- [Combined cluster and database roles]({{< relref "/operate/rs/security/access-control/create-combined-roles" >}}) — when a role grants both planes. 
+- [Redis ACL syntax]({{< relref "/operate/rs/security/access-control/redis-acl-overview" >}}) — rule format for `RedisEnterpriseACL` resources. +- [Login lockout and unlock]({{< relref "/operate/rs/security/access-control/manage-users/login-lockout" >}}) — how locked users are recovered. +- [Password complexity rules]({{< relref "/operate/rs/security/access-control/manage-passwords/password-complexity-rules" >}}) and [password expiration]({{< relref "/operate/rs/security/access-control/manage-passwords/password-expiration" >}}) — applied by Redis Software regardless of how the password is delivered. +- [Default user]({{< relref "/operate/rs/security/access-control/manage-users/default-user" >}}) — the built-in cluster admin account. + +## What's different on Kubernetes + +- **Resources are declarative.** You define users, roles, ACLs, and bindings in YAML and let the operator apply them. The Cluster Manager UI and REST API still work but are no longer the source of truth. +- **Role assignment lives on the binding, not the user.** In Redis Software, you assign roles by editing the user. On Kubernetes, you create a separate `RedisEnterpriseRoleBinding` or `RedisEnterpriseClusterRoleBinding`. See [Roles and bindings](#roles-and-bindings). +- **Passwords live in Kubernetes Secrets.** Each `RedisEnterpriseUser` references one or more Secrets. A `Rotatable` mode supports two Secrets at once for zero-downtime rotation. The operator marks Kubernetes Secrets immutable to prevent in-place edits. + +## Known limitations + +Access control resources are reconciled only in the operator namespace. Password Secrets must live in the same namespace, and database scopes resolve to REDBs in that namespace. + +## In this section + +- [Manage users]({{< relref "/operate/kubernetes/security/access-control/manage-users" >}}) — create `RedisEnterpriseUser` resources, rotate passwords, recover from lockouts. 
+- [Manage roles]({{< relref "/operate/kubernetes/security/access-control/manage-roles" >}}) — create database and cluster roles with the right scope and management permissions. +- [Manage ACLs]({{< relref "/operate/kubernetes/security/access-control/manage-acls" >}}) — create and update `RedisEnterpriseACL` resources used by roles. +- [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}) — assign roles to users with `RedisEnterpriseRoleBinding` and `RedisEnterpriseClusterRoleBinding`. +- [Migrate from REDB rolesPermissions]({{< relref "/operate/kubernetes/security/access-control/migrate-rolespermissions" >}}) — move from the deprecated `RedisEnterpriseDatabase.spec.rolesPermissions` field to the new CRD model. + +## Related topics + +- [Redis for Kubernetes operator API reference]({{< relref "/operate/kubernetes/reference/api" >}}) — field-by-field specification for every CRD in the `app.redislabs.com/v1alpha1` group. +- [Redis databases (REDB)]({{< relref "/operate/kubernetes/re-databases" >}}) — the resources that role scopes resolve against. diff --git a/content/operate/kubernetes/security/access-control/manage-acls.md b/content/operate/kubernetes/security/access-control/manage-acls.md new file mode 100644 index 0000000000..effd9890e1 --- /dev/null +++ b/content/operate/kubernetes/security/access-control/manage-acls.md 
@@ -0,0 +1,119 @@ +--- +Title: Manage ACLs +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Create and update RedisEnterpriseACL resources to control Redis data-path permissions on Kubernetes. +linkTitle: Manage ACLs +weight: 30 +--- + +A `RedisEnterpriseACL` resource holds a Redis ACL rule that controls which commands, keys, and categories a user can access at the Redis data path. The operator reconciles the resource into a Redis Software ACL object that roles can reference. + +ACLs are reusable: one `RedisEnterpriseACL` can be attached to any number of `RedisEnterpriseRole` or `RedisEnterpriseClusterRole` resources. The role decides which databases the ACL applies to; the ACL itself just defines the rule. + +To grant a user the permissions in an ACL, reference the ACL from a role and bind the role to the user. See [Manage roles]({{< relref "/operate/kubernetes/security/access-control/manage-roles" >}}) and [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}). + +## Before you start + +- The `RedisEnterpriseACL` resource must live in the operator namespace. +- The rule string uses Redis ACL syntax — key patterns, command categories, and explicit commands. See [Redis ACL overview]({{< relref "/operate/rs/security/access-control/redis-acl-overview" >}}) for the full syntax. + +## Create an ACL + +`spec.acl` is a single Redis ACL rule string. + +```yaml +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseACL +metadata: + name: read-only +spec: + acl: "+@read ~*" +``` + +Apply the resource and confirm reconciliation: + +```sh +kubectl apply -f read-only-acl.yaml +kubectl get redisenterpriseacl read-only -o yaml +``` + +`status.uid` holds the Redis Software ACL UID once the operator has created the object. 
+ +### Common rule patterns + +| Use case | Rule | +| --- | --- | +| Read-only access to all keys | `+@read ~*` | +| Read and write access to all keys | `+@all ~*` | +| Read-only access to a key prefix | `+@read ~customer:*` | +| A specific command set | `+get +set +del ~app:*` | +| Block dangerous commands | `+@all -@dangerous ~*` | + +For category names (`@read`, `@write`, `@admin`, `@dangerous`, etc.) and the full operator precedence rules, see [Redis ACL overview]({{< relref "/operate/rs/security/access-control/redis-acl-overview" >}}). + +## Update an ACL + +Edit `spec.acl` and re-apply. The operator updates the Redis Software ACL object in place, so the change immediately affects every database that uses the ACL through a role. + +```sh +kubectl edit redisenterpriseacl read-only +``` + +`status.observedGeneration` reaches the resource's `metadata.generation` once the update has been applied. + +Because an update changes effective permissions for every connected user, treat ACL changes the same way you would treat role changes — validate them on a non-production cluster first, and prefer creating a new ACL plus swapping the role reference if you need a safer rollout. + +## Inspect ACL status + +The `status` block is minimal: + +| Field | Meaning | +| --- | --- | +| `uid` | Internal Redis Software ACL UID. Present once reconciliation succeeds. | +| `observedGeneration` | The `metadata.generation` the operator last acted on. 
| + +To find roles that reference this ACL, scan the role resources: + +```sh +kubectl get redisenterpriserole -o yaml | \ + yq '.items[] | select(.spec.acls[]?.name == "read-only") | .metadata.name' +kubectl get redisenterpriseclusterrole -o yaml | \ + yq '.items[] | select(.spec.acls[]?.name == "read-only") | .metadata.name' +``` + +## Delete an ACL + +Delete any roles that reference the ACL first, then delete the ACL itself: + +```sh +kubectl delete redisenterpriseacl read-only +``` + +If a role still references the ACL, Redis Software may reject the deletion. The operator emits an `RSOperationFailed` event with the underlying message. Remove the reference (or delete the role) and retry. + +## Troubleshoot + +Watch reconciliation events with `kubectl describe redisenterpriseacl `. Common events: + +| Event | Meaning | +| --- | --- | +| `RSObjectNotFound` | The Redis Software ACL the resource previously resolved against no longer exists. The operator will recreate it on the next reconcile. | +| `RSOperationFailed` | A Redis Software API call failed. The message typically includes the syntax error or in-use conflict. | + +Other things to check: + +- **`status.uid` is empty** — The operator hasn't reconciled the ACL yet, or Redis Software rejected the rule. Check the events for an `RSOperationFailed` with the syntax message. +- **Rule parses but grants nothing** — A common cause is an explicit `-@all` later in the rule overriding earlier `+` clauses. Redis ACL evaluation is order-sensitive; see the [Redis ACL overview]({{< relref "/operate/rs/security/access-control/redis-acl-overview" >}}). +- **Delete is blocked** — A `RedisEnterpriseRole` or `RedisEnterpriseClusterRole` still references the ACL in `spec.acls`. Remove the reference or delete the role first. + +For full field details, see the [`RedisEnterpriseACL`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_acl_api" >}}) API reference. 
+ +## Related topics + +- [Redis ACL overview]({{< relref "/operate/rs/security/access-control/redis-acl-overview" >}}) — rule syntax, categories, and evaluation order. +- [Manage roles]({{< relref "/operate/kubernetes/security/access-control/manage-roles" >}}) — attach ACLs to `RedisEnterpriseRole` and `RedisEnterpriseClusterRole` resources. +- [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}) — grant the role to a user. diff --git a/content/operate/kubernetes/security/access-control/manage-roles.md b/content/operate/kubernetes/security/access-control/manage-roles.md new file mode 100644 index 0000000000..8df5990573 --- /dev/null +++ b/content/operate/kubernetes/security/access-control/manage-roles.md 
@@ -0,0 +1,201 @@ +--- +Title: Manage roles +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Create RedisEnterpriseRole and RedisEnterpriseClusterRole resources to grant Redis Software permissions on Kubernetes. +linkTitle: Manage roles +weight: 20 +--- + +A role defines a reusable set of Redis Software permissions — Cluster Manager and API access, Redis data-path access, or both — that you grant to users by creating a binding. Redis Software for Kubernetes supports two role kinds, one scoped to one or more databases, the other scoped to the entire cluster: + +- `RedisEnterpriseRole` — applies to one or more REDBs selected by `spec.scopes`. Use when you want to grant access to a specific database or set of databases. +- `RedisEnterpriseClusterRole` — applies cluster-wide, across every REDB. Use for administrative access or for permissions you want everywhere. + +For details on how roles and bindings work together, see [Roles and bindings]({{< relref "/operate/kubernetes/security/access-control/_index#roles-and-bindings" >}}). To assign a role to a user, see [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}). + +## Before you start + +- The role resource must live in the operator namespace. Database scopes resolve to REDBs in that namespace. +- Decide whether you need [management permissions](#choose-a-management-role), [data-path permissions](#attach-acls), or both. +- If the role references one or more `RedisEnterpriseACL` resources, create those first. See [Manage ACLs]({{< relref "/operate/kubernetes/security/access-control/manage-acls" >}}). + +## Choose a management role + +`spec.managementRole` picks a Redis Software built-in role that controls API and Cluster Manager UI permissions. 
The allowed values differ by CRD: + +| CRD | Allowed `managementRole` values | +| --- | --- | +| `RedisEnterpriseRole` | `DBMember`, `DBViewer`, `None` | +| `RedisEnterpriseClusterRole` | `Admin`, `ClusterMember`, `ClusterViewer`, `DBMember`, `DBViewer`, `UserManager`, `None` | + +`None` grants no management permissions and is the default when `managementRole` is omitted. For what each Redis Software role grants, see [Cluster-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-cluster-roles" >}}) and [Database-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-db-roles" >}}). + +## Create a database role + +A `RedisEnterpriseRole` must reference at least one database in `spec.scopes`. Each scope picks REDBs by name or by label selector — not both. + +### Scope a role by REDB name + +```yaml +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseRole +metadata: + name: orders-viewer +spec: + managementRole: DBViewer + scopes: + - kind: RedisEnterpriseDatabase + name: orders + acls: + - kind: RedisEnterpriseACL + name: read-only +``` + +`kind` defaults to `RedisEnterpriseDatabase` and can be omitted. + +To scope a role to several databases by name, list each one as its own scope entry: + +```yaml +spec: + managementRole: DBViewer + scopes: + - name: orders + - name: customers + - name: inventory + acls: + - name: read-only +``` + +Every ACL in `spec.acls` applies to every REDB in `spec.scopes`. If a database needs a different ACL, create a separate role for it. + +### Scope a role by label selector + +Use a selector when you want the role to follow a set of REDBs that share labels, rather than naming each one: + +```yaml +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseRole +metadata: + name: prod-db-viewer +spec: + managementRole: DBViewer + scopes: + - selector: + matchLabels: + environment: production + acls: + - name: read-only +``` + +`selector.matchExpressions` is also supported. 
+ +### Scope rules + +- At least one entry in `spec.scopes` is required. +- Each scope must set `name` or `selector`, not both. +- `scopes[].kind` must be `RedisEnterpriseDatabase` or empty. + +## Create a cluster-scoped role + +A `RedisEnterpriseClusterRole` has no `scopes` field — it applies across every REDB in the Redis Software cluster. + +```yaml +apiVersion: app.redislabs.com/v1alpha1 +kind: RedisEnterpriseClusterRole +metadata: + name: support-readonly +spec: + managementRole: ClusterViewer + acls: + - name: read-only +``` + +Common patterns: + +- **Read-only operator** — `managementRole: ClusterViewer`, no ACL. +- **Cluster admin** — `managementRole: Admin`, no ACL. Use sparingly; consider a [default-user]({{< relref "/operate/rs/security/access-control/manage-users/default-user" >}}) alternative for break-glass access. +- **User-manager-only** — `managementRole: UserManager`, no ACL. Lets a delegated administrator manage users without granting database access. +- **Cluster-wide data access** — `managementRole: None` (or omit) with one or more `acls`. The ACLs apply to every REDB in the cluster. + +## Attach ACLs + +Both role kinds carry a list of `RedisEnterpriseACL` references in `spec.acls`. Each ACL grants Redis data-path permissions (commands, key patterns, categories) to users who hold the role. + +```yaml +spec: + acls: + - kind: RedisEnterpriseACL + name: read-only + - name: customer-data # kind defaults to RedisEnterpriseACL +``` + +Rules: + +- `acls[].kind` must be `RedisEnterpriseACL` or empty. +- Duplicate `name` entries are rejected. +- For a `RedisEnterpriseRole`, every referenced ACL applies to every database the role's scopes select. If you need different ACLs for different databases, create separate roles. +- For a `RedisEnterpriseClusterRole`, ACLs apply to every REDB in the cluster. + +Set `spec.managementRole` alone, `spec.acls` alone, or both. A role with neither set effectively grants nothing. 
+ +## Update a role + +`kubectl apply` (or `kubectl edit`) updates the underlying Redis Software role. The operator reconciles changes to: + +- `managementRole` — replaces the management permission set on the Redis Software role. +- `scopes` — re-resolves which REDBs the role attaches to. REDBs that drop out of the scope have the role's permissions removed. +- `acls` — re-applies the data-path permissions to scoped REDBs (or cluster-wide for cluster roles). + +`status.observedGeneration` reaches the resource's `metadata.generation` once the update has been applied. + +## Inspect role status + +The `status` block is intentionally minimal: + +| Field | Meaning | +| --- | --- | +| `uid` | Internal Redis Software role UID. Present once the role has reconciled successfully. A role must have a `uid` before it can contribute permissions to any database. | +| `observedGeneration` | The `metadata.generation` the operator last acted on. Compare with `metadata.generation` to confirm the latest spec has been processed. | + +To see which users currently hold the role, list bindings that reference it: + +```sh +kubectl get redisenterpriserolebinding -o yaml | \ + yq '.items[] | select(.spec.roleRef.name == "orders-viewer")' +``` + +For cluster roles, replace `redisenterpriserolebinding` with `redisenterpriseclusterrolebinding`. + +## Delete a role + +Delete any bindings that reference the role first, then delete the role: + +```sh +kubectl delete redisenterpriserolebinding --selector app=orders +kubectl delete redisenterpriserole orders-viewer +``` + +If a binding still references the role at the moment of deletion, Redis Software may reject the delete and the operator emits a `RoleDeletionBlocked` event. Resolve the blocking binding and retry. + +## Troubleshoot + +Watch reconciliation events with `kubectl describe redisenterpriserole ` (or `redisenterpriseclusterrole`). Common issues: + +- **`status.uid` is empty** — The role hasn't reconciled. Check the events. 
Common causes: an ACL reference points to a non-existent `RedisEnterpriseACL`, or admission rejected the spec (missing scopes, scope with both `name` and `selector`, wrong `kind`). +- **Scope selector matches nothing** — A label-selector scope is valid even if no REDB currently matches. The role contributes permissions only to REDBs that match at reconcile time. Add the labels or fix the selector. +- **Permissions don't reach the database** — Check `status.uid` on the role, the matching REDB's `status.rolesPermissions`, and confirm a binding assigns the role to the user. +- **`RoleDeletionBlocked`** — A binding still references the role in Redis Software. Delete the binding first. + +For full field details, see the [`RedisEnterpriseRole`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_role_api" >}}) and [`RedisEnterpriseClusterRole`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_role_api" >}}) API reference. + +## Related topics + +- [Roles and bindings]({{< relref "/operate/kubernetes/security/access-control/_index#roles-and-bindings" >}}) — the conceptual model. +- [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}) — assign a role to a user. +- [Manage ACLs]({{< relref "/operate/kubernetes/security/access-control/manage-acls" >}}) — define the data-path permissions a role references. +- [Manage users]({{< relref "/operate/kubernetes/security/access-control/manage-users" >}}) — create the users that bindings target. +- [Migrate from REDB rolesPermissions]({{< relref "/operate/kubernetes/security/access-control/migrate-rolespermissions" >}}) — move from the deprecated `RedisEnterpriseDatabase.spec.rolesPermissions` field to the new CRD model. diff --git a/content/operate/kubernetes/security/access-control/manage-users.md b/content/operate/kubernetes/security/access-control/manage-users.md new file mode 100644 index 0000000000..d6395bb4fd --- /dev/null 
+++ b/content/operate/kubernetes/security/access-control/manage-users.md 
@@ -0,0 +1,198 @@ +--- +Title: Manage users +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Create and update Redis Software users on Kubernetes with the RedisEnterpriseUser custom resource. +linkTitle: Manage users +weight: 10 +--- + +A `RedisEnterpriseUser` resource defines a Redis Software user. The operator creates the user in Redis Software and keeps it in sync with the resource. Passwords live in Kubernetes Secrets that the resource references by name. + +This page covers creating users, changing passwords, and recovering locked accounts. To grant a user permissions, see [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}). + +## Before you start + +- The `RedisEnterpriseUser` resource and every referenced password Secret must live in the operator namespace. +- Passwords must satisfy the cluster's [password complexity rules]({{< relref "/operate/rs/security/access-control/manage-passwords/password-complexity-rules" >}}). +- To assign roles, you need a `RedisEnterpriseRole` or `RedisEnterpriseClusterRole` and a matching binding. See [Manage roles]({{< relref "/operate/kubernetes/security/access-control/manage-roles" >}}). + +## Create a user + +1. Create a Secret with the password under the key `password`: + + ```sh + kubectl create secret generic alice-password \ + --from-literal=password='S0me-Str0ng-Passw0rd!' + ``` + +2. Create the `RedisEnterpriseUser` resource: + + ```yaml + apiVersion: app.redislabs.com/v1alpha1 + kind: RedisEnterpriseUser + metadata: + name: alice + spec: + email: alice@example.com + username: alice + passwordSecrets: + - name: alice-password + ``` + +3. Apply the resource and confirm the operator created the user: + + ```sh + kubectl apply -f alice.yaml + kubectl get redisenterpriseuser alice -o yaml + ``` + + `status.uid` holds the Redis Software user ID once reconciliation succeeds. `status.signinStatus` reports the user's current sign-in state. 
+ +The new user has no permissions until you create a role binding. The operator assigns the Redis Software `none` role so the user is never roleless. + +### Required and optional fields + +| Field | Required | Notes | +| --- | --- | --- | +| `spec.email` | Yes | Must be unique in the cluster. | +| `spec.username` | No | Defaults to a generated value. ASCII only, excluding `&`, `<`, `>`, `"`. The effective value appears in `status.username`. | +| `spec.passwordSecrets` | Yes | At least one Secret. Each Secret must have a `password` key. | +| `spec.passwordMode` | No | `Single` (default) or `Rotatable`. See [Choose a password mode](#choose-a-password-mode). | +| `spec.alerts` | No | Email alert settings. Effective only when [cluster alerts]({{< relref "/operate/rs/clusters/configure/cluster-settings#alert-settings" >}}) are configured. | + +For the full schema, see [`RedisEnterpriseUser`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_user_api" >}}). + +### Use a generated username + +If you omit `spec.username`, the operator assigns one and reports it in `status.username`. Read it with: + +```sh +kubectl get redisenterpriseuser alice -o jsonpath='{.status.username}' +``` + +Use that value when you reference the user from a binding's `subjects` list or when you sign in to Redis Software. + +## Choose a password mode + +`spec.passwordMode` controls how passwords change. + +- **`Single`** (default) — Exactly one entry in `passwordSecrets`. To change the password, update the value in the Secret or point the resource at a different Secret. Suitable for interactive users. +- **`Rotatable`** — One or two entries in `passwordSecrets`. The operator marks each referenced Kubernetes Secret immutable so the password can't be edited in place. Suitable for service accounts that need zero-downtime credential rotation. Vault-backed secrets are treated as immutable but aren't modified by the operator. 
+ +You can't switch modes while the user has two password secrets. Reduce to one secret first. + +## Change a password + +### Single mode + +Edit the Secret value, then re-apply it. The operator detects the new version and updates the user's password. + +```sh +kubectl create secret generic alice-password \ + --from-literal=password='N3w-Str0ng-Passw0rd!' \ + --dry-run=client -o yaml | kubectl apply -f - +``` + +Alternatively, create a new Secret and update `spec.passwordSecrets[0].name` to point at it. + +### Rotatable mode (zero-downtime rotation) + +In Rotatable mode the operator makes referenced Kubernetes Secrets immutable, so you rotate by adding a new Secret alongside the old one. + +1. Create a new Secret with the next password. +2. Add it to `spec.passwordSecrets`. Both passwords now authenticate. +3. Update clients to use the new password. +4. Remove the old Secret from `spec.passwordSecrets`. Only the new password authenticates. +5. Delete the old Secret when nothing else references it. + +`status.passwordSecrets` lists each active Secret with its resolved version. + +## Update the email address + +You can change `spec.email` only while `passwordSecrets` contains exactly one entry. If a Rotatable rotation is in progress, reduce to a single secret first, change the email, then add the second secret back. + +## Configure email alerts + +Email alerts deliver only when the cluster has alert email settings configured. To opt this user in to all configured alerts: + +```yaml +spec: + alerts: + enabled: true + clusterAlerts: + enabled: true + databaseAlerts: + databases: + - name: my-database +``` + +Omit `databaseAlerts.databases` to receive alerts for every database. + +## Inspect user status + +The `status` block reports observed state from Redis Software: + +| Field | Meaning | +| --- | --- | +| `uid` | Internal Redis Software user ID. Appears once the user is reconciled. | +| `username` | Effective username, including any default the operator assigned. 
| +| `roles` / `rolesDisplay` | Roles currently bound to the user. | +| `signinStatus` | `Unknown`, `Active`, `Locked`, or `PasswordExpired`. | +| `passwordIssueDate` | When Redis Software last accepted the user's password. | +| `passwordSecrets` | Each referenced Secret with the resolved version the operator reconciled. | +| `observedGeneration` | The `metadata.generation` the operator last acted on. Compare with `metadata.generation` to confirm reconciliation has caught up. | +| `conditions` | The `RolesBound` condition reports whether every bound role resolves. | + +## Recover a locked user + +`status.signinStatus: Locked` means the user failed too many sign-in attempts. The operator skips password changes while the user is locked, so you must update the resource before unlocking — otherwise the operator can later reconcile the old desired password back onto the user. + +1. Update the password in the `RedisEnterpriseUser` source of truth: change the referenced Secret value (Single mode) or add a new Secret reference (Rotatable mode). +2. Follow the [Redis Software unlock procedure]({{< relref "/operate/rs/security/access-control/manage-users/login-lockout#unlock-locked-user-accounts" >}}) to reset and unlock the account in the cluster. + +`status.signinStatus: PasswordExpired` clears once you set a new password through the resource. + +## Delete a user + +Delete bindings that reference the user before deleting the user itself, then remove the user: + +```sh +kubectl delete redisenterpriserolebinding --selector ... +kubectl delete redisenterpriseuser alice +``` + +The operator removes the user from Redis Software. A finalizer keeps the Kubernetes resource until the Redis Software user and any related Secret finalizers are cleaned up; deletion may take longer or stall if the Redis Software API is unavailable. + +Password Secrets aren't deleted — remove them separately when nothing else references them. 
+ +## Troubleshoot + +Watch reconciliation events with `kubectl describe redisenterpriseuser `. Common events: + +| Event | Meaning | +| --- | --- | +| `PasswordSecretMissing` | A name in `passwordSecrets` doesn't exist in the operator namespace. | +| `PasswordSecretInvalid` | The Secret exists but has no `password` key, or the value is empty. | +| `UserPasswordAdded` / `UserPasswordReplaced` / `UserPasswordDeleted` | Normal reconciliation actions. Useful for confirming a rotation step. | +| `UserLocked` | Password operations are skipped because the user is locked. See [Recover a locked user](#recover-a-locked-user). | +| `MissingRoleUIDs` | The user has Redis Software role UIDs that no longer map back to a Kubernetes role resource. | +| `RSObjectNotFound` | A Redis Software object the user previously resolved against is gone. | +| `RSOperationFailed` | A Redis Software API call failed; check the message for details. | + +Other things to check: + +- **`status.signinStatus: Unknown`** — The operator hasn't reconciled the user yet, or it can't read the referenced Secret. Check `PasswordSecretMissing` and `PasswordSecretInvalid` events. +- **`RolesBound` condition is `False` with reason `RoleNotFound`** — A binding references this user but points at a role that doesn't exist. Create the role or fix the binding. +- **Secret edit rejected** — In Rotatable mode the operator sets `immutable: true` on the Secret. Create a new Secret instead of editing an existing one. +- **Cluster Manager UI shows a different role than expected** — Roles come from `RedisEnterpriseRoleBinding` and `RedisEnterpriseClusterRoleBinding` resources, not from the user spec. Check the bindings, not the user. + +## Related topics + +- [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}) — assign roles to this user. 
+- [Default user]({{< relref "/operate/rs/security/access-control/manage-users/default-user" >}}) — the built-in cluster admin account, managed outside the CRD model. +- [Password complexity rules]({{< relref "/operate/rs/security/access-control/manage-passwords/password-complexity-rules" >}}) and [password expiration]({{< relref "/operate/rs/security/access-control/manage-passwords/password-expiration" >}}). +- [`RedisEnterpriseUser` API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_user_api" >}}). diff --git a/content/operate/kubernetes/security/allow-resource-adjustment.md b/content/operate/kubernetes/security/allow-resource-adjustment.md index b3be0f7800..472c746b76 100644 --- a/content/operate/kubernetes/security/allow-resource-adjustment.md +++ b/content/operate/kubernetes/security/allow-resource-adjustment.md @@ -6,7 +6,7 @@ categories: description: Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits. linkTitle: Auto resource adjustment title: Allow automatic resource adjustment -weight: 98 +weight: 50 --- Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. diff --git a/content/operate/kubernetes/security/authentication/_index.md b/content/operate/kubernetes/security/authentication/_index.md new file mode 100644 index 0000000000..613935757e --- /dev/null +++ b/content/operate/kubernetes/security/authentication/_index.md 
@@ -0,0 +1,45 @@ +--- +Title: Authentication +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Manage Redis Software cluster credentials, LDAP, SSO, and configuration secrets on Kubernetes. +hideListLinks: true +linkTitle: Authentication +weight: 10 +--- + +Authentication covers cluster credentials, external identity providers (LDAP and SAML SSO), and configuration secrets. The operator generates the initial cluster admin credentials, applies LDAP and SSO settings from the `RedisEnterpriseCluster` spec, and reads configuration values from Kubernetes Secrets you can update without a cluster restart. + +## How authentication works on Redis for Kubernetes + +- **Cluster credentials** are auto-generated at install and stored in a Kubernetes Secret named after the REC resource. Retrieve and update them with `kubectl`. +- **LDAP** is configured on the `RedisEnterpriseCluster` spec. The operator applies the configuration through the Redis Software REST API. +- **SAML SSO** is enabled on the REC spec. The operator configures the identity provider connection in Redis Software. +- **Configuration secrets** let you store sensitive configuration items in Kubernetes Secrets that the operator references. Updates to the Secret reconcile automatically. + +## What's the same as Redis Software + +The underlying Redis Software behavior is unchanged. For concepts and reference details, see the existing Redis Software docs: + +- [LDAP authentication overview]({{< relref "/operate/rs/security/access-control/ldap" >}}) — server requirements, supported attributes, and the LDAP model. +- [Enable role-based LDAP]({{< relref "/operate/rs/security/access-control/ldap/enable-role-based-ldap" >}}) — concepts behind role-based LDAP. +- [Map LDAP groups to roles]({{< relref "/operate/rs/security/access-control/ldap/map-ldap-groups-to-roles" >}}) — group-to-role mapping rules. 
+- [SAML single sign-on]({{< relref "/operate/rs/security/access-control/saml-sso" >}}) — identity provider requirements and SAML attribute mappings. +- [Default user]({{< relref "/operate/rs/security/access-control/manage-users/default-user" >}}) — what the bootstrap admin account is for. + +## What's different on Kubernetes + +- **Initial credentials are auto-generated.** You don't choose them at install; you retrieve them from the credentials Secret after the REC is up. +- **Change credentials by updating the Kubernetes Secret**, not by editing the user in the Cluster Manager UI. +- **LDAP and SSO configuration is part of the REC spec.** The operator applies it through the Redis Software REST API, so the configuration is source-controlled. +- **Sensitive values live in Kubernetes Secrets** (or HashiCorp Vault) instead of in Redis Software configuration files. + +## In this section + +- [Manage REC credentials]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) — retrieve and update the cluster admin credentials Secret. +- [Configuration secrets]({{< relref "/operate/kubernetes/security/authentication/configuration-secrets" >}}) — store config items in Kubernetes Secrets and reconcile updates automatically. +- [LDAP authentication]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) — configure LDAP for Cluster Manager and database access. +- [SSO authentication]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) — configure SAML single sign-on for the Cluster Manager UI. diff --git a/content/operate/kubernetes/security/configuration-secrets.md b/content/operate/kubernetes/security/authentication/configuration-secrets.md similarity index 92% rename from content/operate/kubernetes/security/configuration-secrets.md rename to content/operate/kubernetes/security/authentication/configuration-secrets.md index aa432b10bb..6efa72a6e5 100644 --- a/content/operate/kubernetes/security/configuration-secrets.md 
+++ b/content/operate/kubernetes/security/authentication/configuration-secrets.md @@ -3,10 +3,11 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/configuration-secrets/] description: Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management. linkTitle: Configuration secrets title: Store configuration in Kubernetes Secrets -weight: 96 +weight: 20 --- You can store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management. When you update these Secrets, the operator immediately reads the changes and propagates them to the Redis Enterprise Cluster (REC). @@ -70,7 +71,7 @@ You can customize the credential secret name during cluster creation using the ` The `clusterCredentialSecretName` field cannot be changed after cluster creation. {{}} -For detailed instructions, see [Customize the credential secret name]({{< relref "/operate/kubernetes/security/manage-rec-credentials#customize-the-credential-secret-name" >}}). +For detailed instructions, see [Customize the credential secret name]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials#customize-the-credential-secret-name" >}}). ## TLS certificate configuration @@ -84,7 +85,7 @@ You can store TLS certificates in Kubernetes Secrets to secure communication bet kubectl -n create secret generic client-cert-secret --from-file=cert= ``` -2. Add the secret to your REDB using the `clientAuthenticationCertificates` property. See [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) for details. +2. Add the secret to your REDB using the `clientAuthenticationCertificates` property. See [Add client certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) for details. ### Service certificates 
@@ -115,7 +116,7 @@ kubectl create secret generic dp-internode-cert \ --from-literal=name=dp_internode_encryption ``` -Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) for complete configuration details. +Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) for complete configuration details. ## Secrets and PEM files in Redis Enterprise pods @@ -150,7 +151,7 @@ Field names vary by deployment. ## See also -- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) -- [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) +- [Manage REC credentials]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) +- [Add client certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) - [Redis Enterprise Cluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) diff --git a/content/operate/kubernetes/security/ldap.md b/content/operate/kubernetes/security/authentication/ldap.md similarity index 99% rename from content/operate/kubernetes/security/ldap.md rename to content/operate/kubernetes/security/authentication/ldap.md index e839618640..e106befad6 100644 --- a/content/operate/kubernetes/security/ldap.md +++ b/content/operate/kubernetes/security/authentication/ldap.md 
@@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/ldap/] description: Enable LDAP authentication for Redis Enterprise for Kubernetes. linkTitle: Enable LDAP -weight: 95 +weight: 30 --- ## LDAP support for Redis Enterprise Software diff --git a/content/operate/kubernetes/security/manage-rec-credentials.md b/content/operate/kubernetes/security/authentication/manage-rec-credentials.md similarity index 98% rename from content/operate/kubernetes/security/manage-rec-credentials.md rename to content/operate/kubernetes/security/authentication/manage-rec-credentials.md index 6af331b9be..9924ede82b 100644 --- a/content/operate/kubernetes/security/manage-rec-credentials.md +++ b/content/operate/kubernetes/security/authentication/manage-rec-credentials.md @@ -5,8 +5,9 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/manage-rec-credentials/] linkTitle: Manage REC credentials -weight: 93 +weight: 10 --- Redis Enterprise for Kubernetes uses a custom resource called [`RedisEnterpriseCluster`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) to create a Redis Enterprise cluster (REC). During creation, it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the cluster name and is specified by the `clusterCredentialSecretName` field in the REC specification. diff --git a/content/operate/kubernetes/security/sso.md b/content/operate/kubernetes/security/authentication/sso.md similarity index 99% rename from content/operate/kubernetes/security/sso.md rename to content/operate/kubernetes/security/authentication/sso.md index 87f1b94cb7..81538dc629 100644 --- a/content/operate/kubernetes/security/sso.md +++ b/content/operate/kubernetes/security/authentication/sso.md 
@@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/sso/] description: Enable SAML-based SSO authentication for Redis Enterprise for Kubernetes. linkTitle: Enable SSO -weight: 94 +weight: 40 --- diff --git a/content/operate/kubernetes/security/certificates/_index.md b/content/operate/kubernetes/security/certificates/_index.md new file mode 100644 index 0000000000..f698cce5f6 --- /dev/null +++ b/content/operate/kubernetes/security/certificates/_index.md 
@@ -0,0 +1,48 @@ +--- +Title: Certificates and encryption +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Manage TLS certificates, client certificates, and internode encryption for Redis Software on Kubernetes. +hideListLinks: true +linkTitle: Certificates and encryption +weight: 30 +--- + +Certificates and encryption use Kubernetes Secrets and cert-manager integration to provision, distribute, and rotate the TLS certificates that Redis Software relies on. The operator distributes referenced certificates across every cluster node. + +## How certificates work on Redis for Kubernetes + +- **Cluster certificates** live in Kubernetes Secrets that the `RedisEnterpriseCluster` spec references. The operator distributes them to every cluster node. +- **cert-manager** can issue and rotate certificates automatically. +- **Client certificates** live in a Secret that the database references for mutual TLS authentication. +- **Internode encryption** is configured on the REC spec. The operator places the certificates on each node. + +## What's the same as Redis Software + +The underlying certificate roles, requirements, and TLS behavior are unchanged. For concepts and reference details, see the existing Redis Software docs: + +- [Certificate roles and types]({{< relref "/operate/rs/security/certificates" >}}) — which certificate is used for what. +- [Create certificates]({{< relref "/operate/rs/security/certificates/create-certificates" >}}) — certificate requirements (SAN, CN, validity). +- [Update certificates]({{< relref "/operate/rs/security/certificates/updating-certificates" >}}) — rotation considerations on Redis Software. +- [Monitor certificates]({{< relref "/operate/rs/security/certificates/monitor-certificates" >}}) — certificate expiration alerts. +- [Client certificate authentication]({{< relref "/operate/rs/security/certificates/certificate-based-authentication" >}}) — how the cluster validates client certificates. 
+- [TLS protocols]({{< relref "/operate/rs/security/encryption/tls/tls-protocols" >}}) and [ciphers]({{< relref "/operate/rs/security/encryption/tls/ciphers" >}}) — protocol and cipher selection. +- [Enable TLS]({{< relref "/operate/rs/security/encryption/tls/enable-tls" >}}) — TLS for management, replication, and client connections. +- [Internode encryption]({{< relref "/operate/rs/security/encryption/internode-encryption" >}}) — purpose and scope. +- [PEM encryption]({{< relref "/operate/rs/security/encryption/pem-encryption" >}}) — encrypted private keys. + +## What's different on Kubernetes + +- **Certificates live in Kubernetes Secrets**, not in `/etc/opt/redislabs/`. The REC spec references them by name. +- **cert-manager can issue and rotate certificates automatically**, replacing manual rotation steps. +- **The operator distributes certificates across cluster nodes**; you don't copy files between nodes yourself. + +## In this section + +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) — configure cluster TLS certificates. +- [cert-manager integration]({{< relref "/operate/kubernetes/security/certificates/cert-manager" >}}) — automate certificate issuance and rotation with cert-manager. +- [Add client certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) — enable client certificate authentication for databases. +- [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) — enable encryption between cluster nodes. diff --git a/content/operate/kubernetes/security/add-client-certificates.md b/content/operate/kubernetes/security/certificates/add-client-certificates.md similarity index 93% rename from content/operate/kubernetes/security/add-client-certificates.md rename to content/operate/kubernetes/security/certificates/add-client-certificates.md index 3fe87b1828..082095a87b 100644 
--- a/content/operate/kubernetes/security/add-client-certificates.md +++ b/content/operate/kubernetes/security/certificates/add-client-certificates.md @@ -3,10 +3,11 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/add-client-certificates/] description: Add client certificates to your REDB custom resource. linkTitle: Add client certificates title: Add client certificates -weight: 95 +weight: 30 --- For each client certificate you want to use with your database, you need to create a Kubernetes secret to hold it. You can then reference that secret in your Redis Enterprise database (REDB) custom resource spec. diff --git a/content/operate/kubernetes/security/cert-manager.md b/content/operate/kubernetes/security/certificates/cert-manager.md similarity index 98% rename from content/operate/kubernetes/security/cert-manager.md rename to content/operate/kubernetes/security/certificates/cert-manager.md index 562d68e7fc..5cc3503781 100644 --- a/content/operate/kubernetes/security/cert-manager.md +++ b/content/operate/kubernetes/security/certificates/cert-manager.md @@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/cert-manager/] description: Automate TLS certificate management for Redis for Kubernetes using cert-manager. linkTitle: cert-manager -weight: 89 +weight: 20 --- [cert-manager](https://cert-manager.io/) is a Kubernetes add-on that automates the management and issuance of TLS certificates. The Redis operator integrates with cert-manager, so you can use automatically managed certificates for: @@ -173,7 +174,7 @@ spec: port: 636 ``` -For more details on LDAP configuration, see [Enable LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}). +For more details on LDAP configuration, see [Enable LDAP authentication]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}). ## Active-Active databases with automatic certificate sync 
@@ -371,7 +372,7 @@ If you encounter certificate chain validation errors: ## See also - [cert-manager documentation](https://cert-manager.io/docs/) -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) - [RedisEnterpriseCluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) - [RedisEnterpriseDatabase API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}) - [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) diff --git a/content/operate/kubernetes/security/internode-encryption.md b/content/operate/kubernetes/security/certificates/internode-encryption.md similarity index 94% rename from content/operate/kubernetes/security/internode-encryption.md rename to content/operate/kubernetes/security/certificates/internode-encryption.md index ffe28eea28..a72dfb07bc 100644 --- a/content/operate/kubernetes/security/internode-encryption.md +++ b/content/operate/kubernetes/security/certificates/internode-encryption.md @@ -4,9 +4,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/internode-encryption/] description: Enable encryption for communication between REC nodes and configure custom certificates. linkTitle: Internode encryption -weight: 99 +weight: 40 --- Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC). 
@@ -130,6 +131,6 @@ When you remove a certificate secret reference from the REC specification, the o ## More info -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters -- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters +- [Configuration secrets]({{< relref "/operate/kubernetes/security/authentication/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets - [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}) - Detailed information about how internode encryption works diff --git a/content/operate/kubernetes/security/manage-rec-certificates.md b/content/operate/kubernetes/security/certificates/manage-rec-certificates.md similarity index 94% rename from content/operate/kubernetes/security/manage-rec-certificates.md rename to content/operate/kubernetes/security/certificates/manage-rec-certificates.md index c51a2b1508..c6a5fbd2e1 100644 --- a/content/operate/kubernetes/security/manage-rec-certificates.md +++ b/content/operate/kubernetes/security/certificates/manage-rec-certificates.md @@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/manage-rec-certificates/] description: Install your own certificates to replace the self-signed certificates used by a Redis Enterprise cluster on Kubernetes. linkTitle: Manage REC certificates -weight: 94 +weight: 10 --- Redis Software for Kubernetes generates self-signed TLS certificates for each new cluster. You can replace any of those certificates with your own. 
@@ -21,7 +22,7 @@ For the list of certificates and what each one encrypts, see the [certificates t ## Method 1: Manage certificates with the REC custom resource -This is the Kubernetes-native method. The operator detects changes to a referenced secret and rotates the certificate without manual intervention. You can create the secret manually, or have [cert-manager]({{< relref "/operate/kubernetes/security/cert-manager" >}}) issue and renew it automatically. +This is the Kubernetes-native method. The operator detects changes to a referenced secret and rotates the certificate without manual intervention. You can create the secret manually, or have [cert-manager]({{< relref "/operate/kubernetes/security/certificates/cert-manager" >}}) issue and renew it automatically. ### Supported certificates @@ -65,7 +66,7 @@ The operator accepts several key names for the certificate and private key, so y {{}}On Redis Software for Kubernetes versions older than 8.0.18, also include `--from-literal=name=` in the `kubectl create secret` command, where `` is the value from the **Certificate name in Redis Software** column in the [supported certificates](#supported-certificates) table.{{}} -For internode encryption certificates, see [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) for the full setup, which covers enabling internode encryption alongside the certificate configuration. +For internode encryption certificates, see [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) for the full setup, which covers enabling internode encryption alongside the certificate configuration. ### Step 2: Reference the secret in the REC custom resource 
@@ -116,7 +117,7 @@ After the update, verify the rotation as described in [Step 3](#step-3-verify-th The operator automates certificate updates for [Active-Active]({{< relref "/operate/kubernetes/active-active" >}}) databases. When you update the proxy or syncer certificate secret referenced by the REC, the operator detects the change and propagates the new certificate to all participating clusters. -This automation applies whether you manage the secret directly or with [cert-manager]({{< relref "/operate/kubernetes/security/cert-manager#active-active-databases-with-automatic-certificate-sync" >}}). +This automation applies whether you manage the secret directly or with [cert-manager]({{< relref "/operate/kubernetes/security/certificates/cert-manager#active-active-databases-with-automatic-certificate-sync" >}}). ## More info diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md index 70bfbff9f1..08531d61cd 100644 --- a/content/operate/kubernetes/security/vault.md +++ b/content/operate/kubernetes/security/vault.md @@ -7,7 +7,7 @@ categories: - kubernetes description: Configure HashiCorp Vault as the centralized secret management system for Redis Enterprise for Kubernetes. linkTitle: HashiCorp Vault integration -weight: 97 +weight: 40 --- You can configure HashiCorp Vault as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging. 
@@ -22,18 +22,18 @@ When Vault integration is enabled, all secrets referenced in Redis Enterprise cu | **Cluster secrets** | | | | | | [Cluster credentials]({{< relref "/operate/kubernetes/deployment/quick-start" >}}) | [`clusterCredentialSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | Authentication credentials for cluster access | | | [License]({{< relref "/operate/kubernetes/deployment/quick-start#install-the-license" >}}) | [`licenseSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | Redis Enterprise license key | -| | [API certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`apiCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for API server | -| | [Cluster manager certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`cmCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for cluster manager | +| | [API certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`apiCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for API server | +| | [Cluster manager certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`cmCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for cluster manager | | | [Metrics exporter certificate]({{< relref "/operate/kubernetes/re-clusters/connect-prometheus-operator" >}}) | [`metricsExporterCertificateSecretName`]({{< relref 
"/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for metrics exporter | -| | [Proxy certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`proxyCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for proxy | +| | [Proxy certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`proxyCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for proxy | | | [Syncer certificate]({{< relref "/operate/kubernetes/active-active" >}}) | [`syncerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for Active-Active syncer | -| | [LDAP client certificate]({{< relref "/operate/kubernetes/security/ldap" >}}) | [`ldapClientCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for LDAP client authentication | -| | [LDAP bind credentials]({{< relref "/operate/kubernetes/security/ldap" >}}) | [`bindCredentialsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specldap" >}}) | Credentials for authenticating to the LDAP server | -| | [CPINE certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`cpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS certificate for Control Plane Internode Encryption (CPINE) | -| | [DPINE certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`dpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" 
>}}) | TLS certificate for Data Plane Internode Encryption (DPINE) | -| | [SSO service certificate]({{< relref "/operate/kubernetes/security/sso" >}}) | [`ssoServiceCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Service Provider (SP) certificate for SAML SSO | -| | [SSO issuer certificate]({{< relref "/operate/kubernetes/security/sso" >}}) | [`ssoIssuerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Identity Provider (IdP) public certificate for SAML SSO | -| | [SSO IdP metadata]({{< relref "/operate/kubernetes/security/sso" >}}) | [`idpMetadataSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specssosaml" >}}) | SAML Identity Provider metadata XML | +| | [LDAP client certificate]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) | [`ldapClientCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for LDAP client authentication | +| | [LDAP bind credentials]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) | [`bindCredentialsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specldap" >}}) | Credentials for authenticating to the LDAP server | +| | [CPINE certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`cpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS certificate for Control Plane Internode Encryption (CPINE) | +| | [DPINE certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`dpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS 
certificate for Data Plane Internode Encryption (DPINE) | +| | [SSO service certificate]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) | [`ssoServiceCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Service Provider (SP) certificate for SAML SSO | +| | [SSO issuer certificate]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) | [`ssoIssuerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Identity Provider (IdP) public certificate for SAML SSO | +| | [SSO IdP metadata]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) | [`idpMetadataSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specssosaml" >}}) | SAML Identity Provider metadata XML | | | [User-defined module credentials]({{< relref "/operate/kubernetes/re-databases/modules" >}}) | [`credentialsSecret`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specuserdefinedmodulessourcehttps" >}}) | Credentials for downloading user-defined modules from authenticated repositories | | **Database secrets** | | | | | | [Database passwords]({{< relref "/operate/kubernetes/networking/database-connectivity/#credentials-and-secrets-management" >}}) | Various | Passwords for Redis databases | 
@@ -44,7 +44,7 @@ When Vault integration is enabled, all secrets referenced in Redis Enterprise cu | | [Swift backup credentials]({{< relref "/operate/kubernetes/re-databases" >}}) | [`swiftSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}}) | Swift storage credentials for database backups | | | [Azure Blob backup credentials]({{< relref "/operate/kubernetes/re-databases" >}}) | [`absSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}}) | Azure Blob storage credentials for database backups | | | [Google Cloud backup credentials]({{< relref "/operate/kubernetes/re-databases" >}}) | [`gcsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}}) | Google Cloud storage credentials for database backups | -| | [Client authentication certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) | Various | TLS client certificates for authentication | +| | [Client authentication certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) | Various | TLS client certificates for authentication | | **Other secrets** | | | | | | [Remote cluster secrets]({{< relref "/operate/kubernetes/active-active" >}}) | [`secretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_remote_cluster_api#redisenterpriseremoteclusterspec" >}}) | Credentials for Redis Enterprise Remote Cluster (RERC) configurations | | | [Active-Active database secrets]({{< relref "/operate/kubernetes/active-active" >}}) | [`globalConfigurations`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api#redisenterpriseactiveactivedatabasespec" >}}) | All secret names specified in REAADB global configurations |
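Review bot: The weight change in the add-client-certificates.md front matter hunk (95 to 30) is part of a new 10/20/30/40 scheme for the moved certificate pages, and it quietly reorders them: cert-manager (old weight 89) used to sort before manage-rec-certificates (old weight 94), but with manage-rec-certificates at 10 and cert-manager at 20 that order is reversed. If the reordering is intentional, say so in the commit message. The alias `/operate/kubernetes/security/add-client-certificates/` matches the old path exactly, so inbound links to the old URL keep resolving.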
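Review bot: The updated link in the cert-manager.md @@ -173 hunk targets `/operate/kubernetes/security/authentication/ldap`, but this patch contains no rename of `ldap.md` into `authentication/`. Hugo's `relref` fails the build when the target page does not exist, so this line only works if the LDAP page move is in the same change set; otherwise keep the old path until that move lands.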
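Review bot: Same dependency in the internode-encryption.md @@ -130 hunk: the second bullet now points at `/operate/kubernetes/security/authentication/configuration-secrets`, and no rename for `configuration-secrets.md` appears in this patch, so an unresolved `relref` would break the build unless that move ships in the same commit. The `certificates/manage-rec-certificates` bullet in the same hunk is consistent with the rename recorded in this patch.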
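Review bot: In the vault.md front matter hunk, vault.md keeps its path and gets no alias, which is consistent with the unchanged `[HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}})` bullet in the cert-manager.md See also hunk. The new weight 40 matches internode-encryption.md's new weight 40; that is harmless because internode-encryption now lives in the `certificates/` subsection, but check that no other page left at the top level of `security/` already uses 40, or the ordering among those pages falls back to Hugo's default tie-breaking instead of being deliberate.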
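Review bot: The LDAP and SSO rows in the vault.md @@ -22 table hunk now link to `authentication/ldap` and `authentication/sso`, and like the LDAP link in cert-manager.md they depend on page moves that are not in this patch (there is no rename for `ldap.md` or `sso.md`), so confirm those renames are in the same change set before merging. The certificate rows (API, cluster manager, proxy, CPINE, DPINE) correctly follow the `certificates/manage-rec-certificates` rename, and the client-certificate row in the @@ -44 hunk correctly follows the `certificates/add-client-certificates` rename.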