diff --git a/en/identity-server/7.1.0/docs/assets/img/guides/organization/console/granular-console-role-permissions.png b/en/identity-server/7.1.0/docs/assets/img/guides/organization/console/granular-console-role-permissions.png
new file mode 100644
index 0000000000..e10b29d367
Binary files /dev/null and b/en/identity-server/7.1.0/docs/assets/img/guides/organization/console/granular-console-role-permissions.png differ
diff --git a/en/includes/guides/admin-portal/manage-console-access.md b/en/includes/guides/admin-portal/manage-console-access.md
index 42126fc293..c36586438b 100644
--- a/en/includes/guides/admin-portal/manage-console-access.md
+++ b/en/includes/guides/admin-portal/manage-console-access.md
@@ -46,11 +46,86 @@ To customize login for the Console,
3. Click **Update** to save the changes.
-
## Manage Console roles
Roles are a collection of permissions. You can create roles and assign users and groups to them so that they gain limited access to Console features. Follow the sections below to learn about managing Console roles.
+### Console role permissions
+
+When you create a Console role, you grant it access to one or more **Console components** — features such as **Applications**, **Connections**, **Users**, **Groups**, and **Roles**. You assign these permissions at two levels:
+
+
+
+ | Tenant Permissions |
+ The permissions the role has for the root organization. |
+
+
+ | Organization Permissions |
+ The permissions the role has for the child organizations. |
+
+
+
+#### Permission levels
+
+By default, you can assign each Console component one of the following permission levels:
+
+
+
+ | View |
+ Assigns read permissions for the component. |
+
+
+ | Edit |
+ Assigns read, create, update, and delete permissions for the component. |
+
+
+
+!!! note
+
+ Selecting **View** or **Edit** for a given Console component assigns the role several scopes pertaining to it. For example, if you select **Applications** and assign the **View** permission, the role is assigned the following scopes.
+
+ {: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
+
+#### Granular console permissions
+
+By default, Console roles use the combined **View** and **Edit** permission model described above, where **Edit** grants **Create**, **Update**, and **Delete** access together.
+
+You can optionally enable a more granular permission model that lets you assign **Create**, **Update**, and **Delete** permissions independently for each Console component. This is controlled by the `use_granular_console_permissions` setting, which is `false` by default. Enable it only when you need this level of control over Console permissions. To do so, add the following configuration to the `deployment.toml` file and restart the server.
+
+```toml
+[console_settings]
+use_granular_console_permissions = true
+```
+
+Once enabled, you can assign each Console component the following permission levels:
+
+
+
+ | View |
+ Assigns read permissions for the component. |
+
+
+ | Create |
+ Assigns read and create permissions for the component. |
+
+
+ | Update |
+ Assigns read and update permissions for the component. |
+
+
+ | Delete |
+ Assigns read and delete permissions for the component. |
+
+
+
+
+
+!!! note
+ **View** is required whenever **Create**, **Update**, or **Delete** is selected for a component, and it cannot be turned off while any of those write permissions remain active.
+
+!!! note "Compatibility with existing roles"
+ Console roles created earlier with the combined **Edit** permission continue to work when the granular model is enabled. **Edit** grants **Create**, **Update**, and **Delete** together.
+
### Create a role
!!! warning "Important"
@@ -66,37 +141,6 @@ To create a role for the Console,
{: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
-
-
- | Role Name |
- Provide a meaningful name that describes the level of access the role has to the Console e.g. application:read |
-
-
- | Tenant Permissions |
- Select the permissions the role has for the root organization. For each Console component,
-
- - Select View if you wish to assign read permissions for the component.
- - Select Edit if you wish to assign read, create, update and delete permissions for the component.
-
- |
-
-
- | Organization Permissions |
- Select the permissions the role has for the child organizations. For each Console component,
-
- - Select View if you wish to assign read permissions for the component.
- - Select Edit if you wish to assign read, create, update and delete permissions for the component.
-
- |
-
-
-
- !!! note
-
- When choosing tenant and organization permissions, selecting **View** or **Edit** for a given Console component gives the role access to several scopes pertaining to it. For example, if you select `Applications` and assign the `View` permission, the role will be assigned the following scopes.
-
- {: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
-
4. Click **Add** to save the role.
### Assign users/groups to a role