updated feature flags for pricing and tags for IAM flow
cfsdocs committed Jul 22, 2022
1 parent 3c7a877 commit ad4e774
Showing 5 changed files with 136 additions and 59 deletions.
111 changes: 111 additions & 0 deletions about-pricing.md
@@ -0,0 +1,111 @@
---

copyright:
years: 2022
lastupdated: "2022-07-22"

keywords: authentication, authorization, app id cost, identity, app security, cloud directory, app id pricing

subcollection: appid

---

{:codeblock: .codeblock}
{:screen: .screen}
{:download: .download}
{:external: target="_blank" .external}
{:faq: data-hd-content-type='faq'}
{:gif: data-image-type='gif'}
{:important: .important}
{:note: .note}
{:pre: .pre}
{:tip: .tip}
{:preview: .preview}
{:deprecated: .deprecated}
{:beta: .beta}
{:term: .term}
{:shortdesc: .shortdesc}
{:script: data-hd-video='script'}
{:support: data-reuse='support'}
{:table: .aria-labeledby="caption"}
{:troubleshoot: data-hd-content-type='troubleshoot'}
{:help: data-hd-content-type='help'}
{:tsCauses: .tsCauses}
{:tsResolve: .tsResolve}
{:tsSymptoms: .tsSymptoms}
{:java: .ph data-hd-programlang='java'}
{:javascript: .ph data-hd-programlang='javascript'}
{:swift: .ph data-hd-programlang='swift'}
{:curl: .ph data-hd-programlang='curl'}
{:video: .video}
{:step: data-tutorial-type='step'}
{:tutorial: data-hd-content-type='tutorial'}
{:ui: .ph data-hd-interface='ui'}
{:cli: .ph data-hd-interface='cli'}
{:api: .ph data-hd-interface='api'}
{:release-note: data-hd-content-type='release-note'}


# How does {{site.data.keyword.appid_short_notm}} calculate pricing?
{: #pricing}

When you work with {{site.data.keyword.appid_short_notm}}, you are charged based on the number of authentication events, the number of authorized users, and the number of advanced security events.
{: shortdesc}

For the most up-to-date pricing information, you can create a cost estimate by clicking **Add to estimate** in the {{site.data.keyword.appid_short_notm}} section of the [{{site.data.keyword.cloud_notm}} catalog](https://cloud.ibm.com/catalog/services/app-id).
{: tip}

## Pricing plans
{: #pricing-plans}

The service offers two pricing plans.

Lite
: Each month, your first 1000 authentication events and 1000 authorized users per service instance are free, except for any advanced security events. You incur an extra charge for any advanced security events. In this plan, you can issue access and anonymous tokens when a user or an app initiates a sign-in request.

Graduated tier
: In the graduated tier plan, you are charged each month after you reach the limits of the lite plan. The cost is based on the summary of three parts: the number of authentication events, the number of authorized users, and the number of advanced security events.

For example, if these quantities are in the 1 - 10,000 tier, the charge for each authentication event, authorized user, and advanced security event is assessed by multiplying each quantity by the unit price that is set for that tier. Then, the total price is calculated by combining the charges for authentication events, authorized users, and advanced security events.


## What are authorized users?
{: #authorized-users-pricing}

An authorized user is a unique user that signs in with your service whether directly or indirectly, including anonymous users. You are charged for one authorized user each time a new user signs in to your application, including anonymous users. For example, if a user signs in with Facebook and later signs in by using Google, they are considered two separate authorized users. The total number of your authorized users includes future users that you preregistered to your app because you already know who they are going to be. You are charged for each future user at the time of registration. For example, you work at a company and recently hired a team lead. When you preregister them to your application, they become an authorized user and count toward your total. As an authorized user, they can sign in for the first time without needing to interact with you. [Learn more](/docs/appid?topic=appid-preregister).


## What are authentication events?
{: #authentication-events-pricing}

An authentication event happens when you issue a new regular or anonymous access token. Tokens can be issued in response to a sign-in request that is initiated by the user, or by an app on behalf of the user. By default, your users' access tokens are valid for 1 hour and anonymous tokens are valid for 30 days. After the tokens expire, your users must create a new token to access protected resources. You can manage the expiration time of your {{site.data.keyword.appid_short_notm}} tokens on the **Manage Authentication > Authentication Settings** page of the service dashboard.


## What are advanced security features?
{: #security-features-pricing}

You can strengthen the security of your application with advanced security features such as Multi-Factor authentication (MFA), runtime activity tracking, and password policy management. An advanced authentication event happens when you issue tokens for advanced security features.

By default, advanced features are disabled. You incur an extra charge when you enable them. For example, if you obtain 10,000 access tokens, then you turn on password policy management and obtain 10,000 more. You would pay for 20,000 authentication events and 10,000 advanced security events. If you disable all the advanced features, your account reverts to the original-cost policy.

| Feature | Benefit |
|-----|----|
|Multi-factor authentication | With [MFA for Cloud Directory](/docs/appid?topic=appid-cd-mfa#cd-mfa), you can confirm a user’s identity by requiring them to enter a one time passcode that is sent to their email or SMS after they enter their email and password. |
| Runtime authentication activity tracking | By integrating {{site.data.keyword.at_short}} with {{site.data.keyword.appid_short_notm}}, you can track different types of authentication events at run time. For example, a password reset request, authentication failures, or a user logout. For more information, see [Viewing runtime events](/docs/appid?topic=appid-at-events#at-monitor-runtime). |
| Password policy management | As an account owner, you can enforce more secure passwords for Cloud Directory by configuring a set of rules that user passwords must conform to. Examples include, the number of attempted sign-ins before lockout, expiration times, minimum time span between password updates, or the number of times that a password can't be repeated. For a complete list of the options and setup information, see [Advanced password management](/docs/appid?topic=appid-cd-strength#cd-advanced-password). |
{: caption="Table 1. Description of the benefits that are gained with advanced authentication events" caption-side="top"}

These features are available only to those instances that are on the graduated tier pricing plan and that were created after 15 March 2018.
{: note}

## When am I charged?
{: #when-charge}

Your first 1000 authentication events and 1000 authorized users per service instance are free of charge. You are charged monthly for any additional authentication events and authorized users, as well as any advanced security features that are enabled for each service instance.

## How do I stop getting charged for {{site.data.keyword.appid_short_notm}}?
{: #stop-charge}

If you no longer want to be charged for authentication events and authorized users, you need to ensure that no user can authenticate by using {{site.data.keyword.appid_short_notm}}. You must remove the {{site.data.keyword.appid_short_notm}} configuration from your app code or confirm that your users are not able to use the configuration to log in to your app. To stop getting charged for advance security features, you must disable them on the **Manage Authentication > Authentication Settings** page of the service dashboard.
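
Review bot: The **Lite** entry under "Pricing plans" says you "incur an extra charge for any advanced security events", but the note at the end of "What are advanced security features?" says those features are available only to instances on the graduated tier pricing plan, so a reader cannot tell whether a Lite instance can ever generate that charge. Suggest dropping the advanced-security sentences from the Lite entry or stating how they apply. The same section also switches between "advanced security event" and "advanced authentication event" (in the body text and in the Table 1 caption) for what reads as one billing unit; pick one term. In "How do I stop getting charged", "advance security features" should read "advanced security features".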


28 changes: 16 additions & 12 deletions data-security.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2017, 2022
lastupdated: "2022-05-23"
lastupdated: "2022-07-22"

keywords: data encryption in app id, data storage for app id, personal data in app id, data deletion for app id, data in app id, data security in app id

Expand Down Expand Up @@ -74,11 +74,13 @@ If you choose to work with a key that you manage, you must ensure that valid IAM
2. [Generate or import your own root key](/docs/key-protect?topic=key-protect-create-root-keys) to your instance of {{site.data.keyword.keymanagementserviceshort}}. When you use {{site.data.keyword.keymanagementserviceshort}} to create a root key, the service generates cryptographic key material that is rooted in cloud-based HSMs. Be sure that the name of your key does not contain any personal information such as your name or location.
3. Grant service access to {{site.data.keyword.keymanagementserviceshort}}. You must be the account owner or an administrator for the instance of {{site.data.keyword.keymanagementserviceshort}} that you're working with. You must also have at least Viewer access for the {{site.data.keyword.appid_short_notm}} service.
1. Go to **Manage > Access IAM > Authorizations**.
2. Select the {{site.data.keyword.appid_short_notm}} service as your source service.
3. Select an instance of {{site.data.keyword.keymanagementserviceshort}} as your target service.
4. Select the key that you created in the previous steps.
5. Assign the Reader role.
6. Click **Authorize** to confirm the delegated authorization.
2. Create an authorization to allow access to {{site.data.keyword.keymanagementserviceshort}}.
3. Select the source account.
4. Select {{site.data.keyword.appid_short_notm}} as your source service.
5. Select {{site.data.keyword.keymanagementserviceshort}} as your target service.
6. Specify the scope of the access.
7. Assign the Reader role.
8. Click **Authorize**.
4. Create an instance of the {{site.data.keyword.appid_short_notm}} service.
1. Select your {{site.data.keyword.keymanagementserviceshort}} instance.
2. Select the root key that you previously authorized.
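
Review bot: New sub-step 6, "Specify the scope of the access", replaces the removed "Select the key that you created in the previous steps" without saying which scope to choose, while step 4 still tells the reader to "Select the root key that you previously authorized". Because this authorization gives the source service the Reader role on the key service, the step should name the expected scope (the instance or the root key created in step 2) so that the grant is no broader than the key that is actually used. New sub-step 3, "Select the source account", also gives no hint about which account applies.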
Expand Down Expand Up @@ -108,12 +110,14 @@ If you choose to work with a key that you manage, you must ensure that valid IAM
2. [Initialize your instance](/docs/hs-crypto?topic=hs-crypto-initialize-hsm) by loading a master key from smart cards or from your workstation.
3. [Generate or import your own root key](/docs/hs-crypto?topic=hs-crypto-create-root-keys) to your instance of {{site.data.keyword.hscrypto}}. When you use {{site.data.keyword.hscrypto}} to create a root key, the service generates cryptographic key material that is rooted in cloud-based HSMs. Be sure that the name of your key does not contain any personal information such as your name or location.
4. Grant service access to {{site.data.keyword.hscrypto}}. You must be the account owner or an administrator for the instance of {{site.data.keyword.hscrypto}} that you're working with. You must also have at least Viewer access for the {{site.data.keyword.appid_short_notm}} service.
1. Go to **Manage > Access IAM > Authorizations**.
2. Select the {{site.data.keyword.appid_short_notm}} service as your source service.
3. Select an instance of {{site.data.keyword.hscrypto}} as your target service.
4. Select the key that you created in the previous steps.
5. Assign the Reader role.
6. Click **Authorize** to confirm the delegated authorization.
1. Go to **Manage > Access IAM > Authorizations**.
2. Create an authorization to allow access to {{site.data.keyword.keymanagementserviceshort}}.
3. Select the source account.
4. Select {{site.data.keyword.appid_short_notm}} as your source service.
5. Select {{site.data.keyword.hscrypto}} as your target service.
6. Specify the scope of the access.
7. Assign the Reader role.
8. Click **Authorize**.
5. Create an instance of the {{site.data.keyword.appid_short_notm}} service.
1. Select your {{site.data.keyword.hscrypto}} instance.
2. Select the root key that you previously authorized.
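
Review bot: Added sub-step 2 reads "Create an authorization to allow access to {{site.data.keyword.keymanagementserviceshort}}", but this list is the {{site.data.keyword.hscrypto}} procedure and sub-step 5 selects {{site.data.keyword.hscrypto}} as the target service, so the keyword looks copied from the earlier list and should be {{site.data.keyword.hscrypto}}. As in that list, "Specify the scope of the access" replaces the removed "Select the key that you created in the previous steps" without stating the scope that the Reader role should be limited to.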
45 changes: 1 addition & 44 deletions faq.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2017, 2022
lastupdated: "2022-02-07"
lastupdated: "2022-07-22"

keywords: pricing, advanced security, authentication events, authorized users, activity tracking, runtime activity, password policies, keycloak, allow list redirect url, redirect uri

Expand Down Expand Up @@ -74,49 +74,6 @@ Using the Slack channel is not a replacement for opening a support ticket. If yo
{: note}


## How does {{site.data.keyword.appid_short_notm}} calculate pricing?
{: #faq-pricing}
{: faq}

With {{site.data.keyword.appid_short_notm}}, the more your users authenticate, the less you pay per authentication.
{: shortdesc}

For the most up-to-date pricing information, you can create a cost estimate by clicking **Add to estimate** in the {{site.data.keyword.appid_short_notm}} section of the [{{site.data.keyword.cloud_notm}} catalog](https://cloud.ibm.com/catalog/services/app-id).
{: tip}

The graduated tier plan consists of three parts: the number of authentication events, both regular and advanced security, and the number of authorized users. You are charged each month, based on the summary of the three parts. The total price is the cumulative charge for each level of usage, consisting of your quantity multiplied by the unit price at that tier.

Your first 1000 authentication events and first 1000 authorized users per service instance are free each month, except for any advanced security events. Any advanced security events incur an extra charge.

### Authentication events
{: #faq-authentication}

An authentication event occurs when a new access token, whether regular or anonymous, is issued. Tokens can be issued as a response to a sign-in request that is initiated by a user, or on behalf of the user by an app. By default, access tokens are valid for one hour and anonymous tokens are valid for 30 days. After the token expires, you must create a new token to access protected resources. You can update the expiration time of your {{site.data.keyword.appid_short_notm}} tokens on the **Manage Authentication > Authentication Settings** page of the service dashboard.

#### Advanced security features
{: #faq-advanced}

Advanced security features give you the ability to strengthen the security of your application.
{: shortdesc}

By default, advanced security features are disabled. If you turn on MFA, runtime activity tracking, or password policy management you incur an extra charge. For example, if you obtained 10,000 access tokens. Then, you turned on password policy management and obtained 10,000 more. You would pay for 20,000 authentication events and 10,000 advanced security events. If you disable all the advanced features, your account reverts to the original-cost policy.

| Feature | Benefit |
|-----|----|
|Multi-factor authentication | [MFA for Cloud Directory](/docs/appid?topic=appid-cd-mfa#cd-mfa) confirms a user’s identity by requiring a user to enter a one time passcode that is sent to their email or SMS in addition to their entering their email and password. |
| Runtime authentication activity tracking | By integrating {{site.data.keyword.at_short}} with {{site.data.keyword.appid_short_notm}}, you can track different types of authentication events at run time. For example, a password reset request, authentication failures, or a user logout. For more information, see [Viewing runtime events](/docs/appid?topic=appid-at-events#at-monitor-runtime). |
| Password policy management | As an account owner, you can enforce more secure passwords for Cloud Directory by configuring a set of rules that user passwords must conform to. Examples include, the number of attempted sign-ins before lockout, expiration times, minimum time span between password updates, or the number of times that a password can't be repeated. For a complete list of the options and setup information, see [Advanced password management](/docs/appid?topic=appid-cd-strength#cd-advanced-password). |
{: caption="Table 1. Description of the benefits that are gained with advanced authentication events" caption-side="top"}

These features are available only to those instances that are on the graduated tier pricing plan and that were created after 15 March 2018.
{: note}

### Authorized users
{: #faq-authorized}

An authorized user is a unique user that signs in with your service whether directly or indirectly, including anonymous users. You are charged for one authorized user each time a new user signs in to your application, including anonymous users. For example, if a user signs in with Facebook and later signs in by using Google, they are considered two separate authorized users.



## Why do I need to allowlist my redirect URI?
{: #faq-redirect}
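
Review bot: The removed section takes the anchors `#faq-pricing`, `#faq-authentication`, `#faq-advanced` and `#faq-authorized` with it, and nothing in faq.md now points to the new about-pricing.md topic, so existing links to those anchors land nowhere. Suggest keeping a short FAQ entry that links to the pricing topic, or confirming that no inbound links use these IDs. The `keywords` line in the front matter of this file still lists "pricing, advanced security, authentication events, authorized users", which no longer matches the content. The removed short description ("the more your users authenticate, the less you pay per authentication") has no equivalent in the new file; confirm that dropping it is intended.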
4 changes: 2 additions & 2 deletions profiles.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2017, 2022
lastupdated: "2022-07-11"
lastupdated: "2022-07-22"

keywords: profile, custom attributes, predefined attributes, attributes, app users, app interaction, personalized experience, access user info, identity provider information, access token, authentication, user sign in, android, java, node, swift, ios, user, preferences

Expand Down Expand Up @@ -333,7 +333,7 @@ By default, custom attributes are modifiable and can be updated by using an {{si
3. Obtain an IAM token.

1. In the {{site.data.keyword.cloud_notm}} dashboard, click **Manage > Access (IAM)**.
2. Select **{{site.data.keyword.cloud_notm}} API keys**.
2. Select **API keys**.
3. Click **Create an {{site.data.keyword.cloud_notm}} API key**.
4. Give a name and description to your key. Click **Create**. A screen displays your key.
5. Click **Copy** or **Download** your key. When you close the screen, you can no longer access the key.
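
Review bot: Sub-step 2 drops the product keyword and becomes "Select **API keys**", but sub-step 3 directly below still reads "Click **Create an {{site.data.keyword.cloud_notm}} API key**"; check that the button label was not renamed along with the menu entry and update both together if it was. The menu path here is written "Manage > Access (IAM)", while the data-security.md steps in this commit use "Manage > Access IAM > Authorizations"; one spelling should be used across the docs.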
7 changes: 6 additions & 1 deletion toc.yaml
Expand Up @@ -15,7 +15,12 @@ toc:
id: learn
topics:
- getting-started.md
- about.md
- topicgroup:
label: About
topics:
- about.md
- topic: about-pricing.md
navtitle: Pricing
- topicgroup:
label: Key concepts
topics: