diff --git a/docs/platform/concepts/permissions.md b/docs/platform/concepts/permissions.md
index 81950a28..e0836eb4 100644
--- a/docs/platform/concepts/permissions.md
+++ b/docs/platform/concepts/permissions.md
@@ -20,20 +20,20 @@ Permissions are not yet fully supported in the Aiven Console. They are intended
use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes.
:::
-## Organization roles
+## Organization roles and permissions
-You can grant the following roles to principals at the organization level. The permissions
-for each role apply to the organization and all units, projects, and services within it.
+You can grant the following roles and permissions to principals at the organization level.
+Roles and permissions at this level apply to the organization and all units, projects,
+and services within it.
+
+### Organization roles
| Console name | API name | Permissions |
| ------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin | `role:organization:admin` |
- Full access to the organization.
- View and change billing information.
- Change the authentication policy.
- Invite, deactivate, and remove organization users.
- Create, edit, and delete groups.
- Create and delete application users and their tokens.
- Add and remove domains.
- Add, enable, disable, and remove identity providers.
|
| Organization member | `role:organization:member` | Non-managed users can: - Edit their profiles.
- Create organizations.
- Leave organizations.
- Add [allowed authentication methods](/docs/platform/howto/set-authentication-policies).
- Generate and revoke personal tokens, if allowed by the [authentication policy](/docs/platform/howto/set-authentication-policies).
- Enable and disable feature previews.
This is the default role assigned to all organization users. |
-## Organization permissions
-
-You can grant the following permissions to principals. The actions listed for each
-permission apply to the organization and all units, projects, and services within it.
+### Organization permissions
| Console name | API name | Allowed actions |
| ------------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -52,10 +52,11 @@ permission apply to the organization and all units, projects, and services withi
| Manage projects | `organization:projects:write` | - Create and delete projects.
- Change the billing group the project is assigned to.
- Move a project to another organization or unit.
- Add and remove project tags.
No access to other project settings or services. |
-## Project roles
+## Project roles and permissions
+You can grant the following permissions to principals. Roles and permissions granted at
+this level apply to the project and all services within it.
-You can grant the following roles for projects to principals. The permissions for each
-role apply to the project and all services within it.
+### Project roles
| Console name | API name | Permissions |
| ------------ | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -64,13 +65,7 @@ role apply to the project and all services within it.
| Operator | `operator` | - View project audit log.
- View project permissions.
- Full access to all services in the project and their configuration.
|
| Read only | `read_only` | - View all services and their configuration.
|
-Project admin do not have access to organization settings such as billing unless
-they are also a [super admin](/docs/platform/howto/make-super-admin).
-
-## Project and service permissions
-
-You can grant the following permissions to principals. The actions listed for each
-permission apply to the project and all services within it.
+### Project permissions
| Console name | API name | Allowed actions |
| ------------------------- | --------------------------- | ------------------------------------------------------------------------------------------------- |