Merge pull request #7841 from ahardin-rh/accidental-access

Update the docs to highlight that -z can prevent typos that can cause unintentional access

Author: ahardin-rh

admin_guide/manage_scc.adoc

@@ -476,6 +476,14 @@ can use the `-z` flag and just specify the `<serviceaccount_name>`.
 $ oc adm policy add-scc-to-user <scc_name> -z <serviceaccount_name>
 ----
 
+[IMPORTANT]
+====
+Usage of the `-z` flag as described above is highly recommended, as it helps
+prevent typos and ensures that access is granted only to the specified service
+account. If not in the project, use the `-n` option to indicate the project
+namespace it applies to.
+====
+
 To add an SCC to a group:
 
 ----

admin_guide/service_accounts.adoc

@@ -45,6 +45,22 @@ For example, to add the *view* role to the *robot* service account in the
 $ oc policy add-role-to-user view system:serviceaccount:top-secret:robot
 ----
 
+[IMPORTANT]
+====
+If you want to grant access to a specific service account in a project, you can
+use the `-z` flag. From the project to which the service account belongs, use
+the `-z` flag and specify the `<serviceaccount_name>`. This is highly
+recommended, as it helps prevent typos and ensures that access is granted only
+to the specified service account. For example:
+
+----
+ $ oc policy add-role-to-user <role_name> -z <serviceaccount_name>
+----
+
+If not in the project, use the `-n` option to indicate the project namespace it
+applies to, as shown in the examples below.
+====
+
 Every service account is also a member of two groups:
 
 system:serviceaccounts:: Includes all service accounts in the system.
@@ -64,6 +80,7 @@ To allow all service accounts in the *managers* project to edit resources in the
 ----
 $ oc policy add-role-to-group edit system:serviceaccounts:managers -n top-secret
 ----
+
 // end::sa-user-names-and-groups[]