docs: HCP organization "owner" role changes (#1150)

### Description

This PR updates HCP platform documentation. Previously, an organization
supported a single non-transferrable owner. To better support business
continuity, organizations now allow up to 3 users with the `owner` role.
These owners can be added or removed as desired, although one user must
always be an `owner` for the organization.

## Preview links

Author: boruszak

content/hcp-docs/content/docs/changelog.mdx

@@ -6,6 +6,11 @@ description: |-
 ---
 
 # Changelog
+### 2025-11-27
+HCP organizations now support the assignment of the Owner role to multiple users. This enhancement creates a more resilient administrative model, eliminating the business continuity risks and operational bottlenecks associated with single-principal ownership. For more information, refer to the [access management documentation.](/hcp/docs/hcp/iam/access-management)                  
+
+Key Update:
+* Multi-Owner Support: Owners can now delegate the Owner role to additional users, ensuring redundancy if another owner is unavailable.
 
 ### 2025-11-12
 HCP Consul dedicated reached its End-of-Life (EOL) on November 12, 2025, and is no longer available. All active clusters and associated project data were decommissioned in accordance with our EOL policy. For questions about your account and data, or for help migrating to a self-managed Consul deployment, contact our support team.

content/hcp-docs/content/docs/hcp/admin/orgs.mdx

@@ -11,11 +11,11 @@ This page describes how to create and manage an organization in HashiCorp Cloud
 ## Introduction
 
 An _organization_ is a top-level entity in HCP for organizing resources. It contains one or more
-[HCP projects](/hcp/docs/hcp/admin/projects), which separate access to resources such as [HashiCorp Virtual Networks (HVN)](/hcp/docs/hcp/network) according to [user permissions](/hcp/docs/iam/users#user-permissions).
+[HCP projects](/hcp/docs/hcp/admin/projects), which separate access to resources such as [HashiCorp Virtual Networks (HVN)](/hcp/docs/hcp/network) according to [user permissions](/hcp/docs/iam/users#user-permissions). An organization can have up to 100 projects.
 
-Users can be a member of multiple organizations if invited by the admin of other organizations. However, you can only create and own one organization for your HCP account.
+Users can be a member of multiple organizations, and organizations can have a maximum of 3 users with the `owner` role. Users with the `owner` role can add and remove other organization owners over time, but organizations require at least one owner at all times.
 
-An organization can have up to 100 projects.
+You cannot create an organization if you are already the owner of an existing organization.
 
 ## Create an organization
 
@@ -31,17 +31,29 @@ After you create your organization, you can [invite users to your organization](
 
 To locate the organization ID:
 
-1. At the bottom left, click the name of the current organization to open the organization and project selector.
-1. Select an organization to open the organization's dashboard.
-1. From the organization's dashboard, click **Organization settings**.
+1. At the top, click the dropdown to open the organization and project selector. Select **View all organizations**.
+1. Click the name of the organization.
+1. From the **Organization dashboard**, click **Organization settings**.
+1. Click the clipboard icon next to the ID to copy the **Organization ID**.
+
+## Find organization owners
+
+An organization can have one to three users with the `owner` role. Owners can change, but there must always be at least one owner per organization.
+
+To find the organization's current owners, perform the following steps:
+
+1. At the top, click the dropdown to open the organization and project selector. Select **View all organizations**.
+1. Click the name of the organization.
+1. From the **Organization dashboard**, click **Organization settings**.
 1. To copy the **Organization ID**, click the clipboard icon next to the ID.
 
 ## Manage an organization
 
 To change your organization's name:
 
-1. Sign in to [the HCP Portal](https://portal.cloud.hashicorp.com/).
-1. From the organization's dashboard, click **Organization settings**.
+1. At the top, click the dropdown to open the organization and project selector. Select **View all organizations**.
+1. Click the name of the organization.
+1. From the **Organization dashboard**, click **Organization settings**.
 1. At the top-right, click **Manage**, and then click **Rename organization**.
 1. Enter a new organization name. The name must contain between 3 and 40 characters, and it may include ASCII letters, numbers, hyphens, and underscores. The name must be unique. If another organization is already using the name, you will receive a prompt to choose a different one.
 1. Click **Save**.

content/hcp-docs/content/docs/hcp/admin/projects/index.mdx

@@ -6,36 +6,26 @@ description: |-
 
 # Projects
 
-Projects are lightweight containers for resources or use cases that require similar access. An organization contains one or more projects. HCP resources such as [HashiCorp Virtual Networks
-(HVN)](/hcp/docs/hcp/network) and server clusters reside within Projects.
+Projects are lightweight containers for resources or use cases that require similar access. An organization contains one or more projects. HCP resources such as [HashiCorp Virtual Networks (HVN)](/hcp/docs/hcp/network) and server clusters reside within projects.
 
-Use projects to segment access within an organization. For example, projects can separate teams, use cases, or environments, such as development, staging, and production. The billing summary reports usage per project. 
+Use projects to segment access within an organization. For example, projects can separate teams, use cases, or environments, such as development, staging, and production. The billing summary reports usage per project.
 
 Here are important characteristics about HCP projects:
 
 - _Global_ [HCP service quotas](/hcp/docs/hcp/admin/support#service-quotas) remain at the
-  organization level and they are not enforced per project.
+  organization level and they are not enforced per project. Refer the [HCP Support](/hcp/docs/hcp/admin/support) page to learn more about the service quotas.
 
 - An [organization](/hcp/docs/hcp/admin/orgs) can contain 1 or more projects. 
 
-   <Note>
+- HCP resource names, such as a cluster name, are unique to projects.
 
-   Refer the [HCP
-   Support](/hcp/docs/hcp/admin/support) page to learn more about the service
-   quotas.
-
-   </Note>
-
-- HCP resource names (e.g. cluster name) are unique per project and not per
-  organization.
-
-- You cannot deploy an HCP Vault Dedicated cluster if an
-  HVN belongs to a different project.
+- You cannot deploy an HCP Vault Dedicated cluster if an HVN belongs to a different project.
 
 - To delete a project, all resources under the project must be deleted or
-  deactivated first. See the [manage resources](#manage-resources) section.
+  deactivated first. Refer to [manage resources](#manage-resources) for more information.
+
+## Use Cases 
 
-### Use Cases 
 Taking advantage of segregating access within your organization via projects is the best way to enforce least privileged access. Deploying all HCP services or resources within one project, can lead to several unintended consequences. 
 
 - Increased likelihood of over privileging identities within the project
@@ -46,55 +36,42 @@ Taking advantage of segregating access within your organization via projects is
 
 Users with organization contributor, admin, or owner roles can create new
 projects. If an organization contributor creates a new project, the user
-automatically becomes the admin of that project. (Refer to the [User
-Permissions](/hcp/docs/hcp/admin/users#user-permissions) for information about
-the roles you can assign.)
+automatically becomes the admin of that project. Refer to the [User Permissions](/hcp/docs/hcp/admin/users#user-permissions) for information about
+the roles you can assign.
 
 1. Log into [HCP Portal](https://portal.cloud.hashicorp.com/) and choose your
-   organization.
-
-   <Note>
-
-   If you have logged in before, the portal opens the last project you were in.
-   Navigate back to the organization level from the breadcrumbs, or click on the
-   HashiCorp icon at the top-left to choose your organization.
-   
-   </Note>
+   organization. If you have logged in before, the portal opens the last project you were in.
+   Navigate to the Organization to change projects.
 
 1. Select **Projects** in the sidebar.
 
-1. Click **+ Create project**.
+1. Click **Create project**.
 
 1. Enter the **Project name** and **Project description**.
 
 1. Click **Create project** to complete.
 
-
 ## Manage projects
 
-Users with project admin role can edit the existing project name and
-description, or delete the project. (Refer to the [User
-Permissions](/hcp/docs/hcp/admin/users#user-permissions) for information about
-the roles you can assign.)
+Users with project owner and admin roles can edit the existing project name and
+description, or delete the project. Refer to [User Permissions](/hcp/docs/hcp/admin/users#user-permissions) for information about
+the roles you can assign.
 
 1. Log into [HCP Portal](https://portal.cloud.hashicorp.com/) and choose your
    organization.
 
 1. Select **Projects** in the sidebar.
 
-1. Expand the menu next to the project you wish to modify, and select **Edit
-   project** to edit the project name or description, or select **Delete** to
+1. Expand the menu next to the project you wish to modify. 
+   Select **Edit project** to edit the project name or description, or select **Delete** to
    delete the project.
-   ![Projects overview](/img/docs/hcp-core/project-menu.png)
-
-1. Select **View project** will take you to the project setting page where you
-   can find the **project ID**.
 
+1. Select **View project** to find information about the project, such as the project ID.
 
 ## Manage resources
 
 ![HCP Organization Structure](/img/docs/hcp-core/diagram-hcp_organization_project-resources.png)
 
-A resource is any item that the access management system controls access to. Examples of resources are a HCP Vault Dedicated cluster, HCP Packer Bucket, HashiCorp Virtual Network (HVN) or a HCP Vault Secret App.   The **Active Resources** page lists all resources created in the project. To delete a project, all resources must be deleted. If an resource exists, HCP will block users from deleting the project. This page helps you to identify what resources are still in the project.
+A resource is any item that the access management system controls access to. Examples of resources are an HCP Vault Dedicated cluster, an HCP Packer Bucket, or a HashiCorp Virtual Network (HVN). The **Active Resources** page lists all resources created in the project. To delete a project, all resources must be deleted. If a resource exists, HCP blocks users from deleting the project. This page helps you to identify what resources are still in the project.
 
 ![Active Resources](/img/docs/hcp-core/active-resources-page.png)

content/hcp-docs/content/docs/hcp/admin/support.mdx

@@ -40,11 +40,12 @@ The following table describes the quotas and default values.
 | Hashicorp Cloud Platform | [HVN Routes](/hcp/docs/hcp/network/hvn-aws/routes)                                                 | 15                | Global             | Yes              |
 | Hashicorp Cloud Platform | [Transit Gateway Attachments](/hcp/docs/hcp/network/hvn-aws/routes)                                | 10                | Global             | Yes              |
 | Hashicorp Cloud Platform | [HVN Peering Connections](/hcp/docs/hcp/network/hvn-aws/hvn-peering)                               | 10                | Global             | Yes              |
+| Hashicorp Cloud Platform | [Users assigned Owner role](/hcp/docs/hcp/iam/access-management)                                   | 3                 | Global             | No               |
 | HCP Vault Dedicated      | [Vault clusters](/hcp/docs/vault)                                                                  | 6                 | Global             | Yes              |
 | HCP Vault Dedicated      | [Vault performance secondaries](/hcp/docs/vault/perf-replication)                                  | 5                 | Global             | Yes              |
 | HCP Boundary             | [Boundary clusters](/hcp/docs/boundary)                                                            | 1 per **project** | Global             | No               |
 
-Last Update: March 4, 2024
+Last Update: Novemeber 25, 2025
 
 <Warning>
 

content/hcp-docs/content/docs/hcp/create-account.mdx

@@ -12,7 +12,7 @@ This page explains how to create an account in HashiCorp Cloud Platform (HCP) an
 
 To meet data residency requirements, HCP requires separate accounts for the global and European geographies.
 
-To create a global HCP account, sign up on [the HCP portal](https://portal.cloud.hashicorp.com/). To an HCP Europe account, sign up on [the HCP Europe portal](https://portal.cloud.eu.hashicorp.com/).
+To create a global HCP account, sign up on [the HCP portal](https://portal.cloud.hashicorp.com/). To create an HCP Europe account, sign up on [the HCP Europe portal](https://portal.cloud.eu.hashicorp.com/).
 
 For more information, refer to [HCP Europe](/hcp/docs/hcp/europe).
 

content/hcp-docs/content/docs/hcp/iam/access-management.mdx

@@ -8,21 +8,37 @@ description: |-
 
 This topic describes HCP's access management features. You can set roles and permissions at either the _organization level_ , _project level_ or _resource level_ to secure access to HCP resources.
 
-## Roles & Permissions
+## Roles and permissions
 
 @include '/hcp-administration/permission-intro.mdx'
 
-### Organization
+## Add new role assignment
 
-The following tables describe role permissions assigned at the organization level.
+To assign roles at a fine-grained level using the HCP platform, users must have one of the following permissions:
 
-<Tabs>
-<Tab heading="All Services" group="all-services">
+- `owner` role for the HCP organization
+- `admin` role for the HCP organization
+- `Organization IAM policies administrator` role
+
+To assign a new role:
+
+1. At the top, click the dropdown to open the organization and project selector. Select **View all organizations**.
+1. Click the name of the organization.
+1. From the **Organization dashboard**, click **Access Control (IAM)**.
+1. Click **Add new assignment**. If you are not an organization's owner, this option does not appear.
+1. Enter the user's email address.
+
+You can change the user's role assignment and the service associated with that role assignment using the drop-down menus. When you set a role assignment for all services, it sets the user's role in the organization.
+
+## Organization level roles and permissions
+
+The following table describes the roles and permissions available at the organizational level.
 
 | HCP Organization Permissions      |  Owner  |  Admin   | Contributor |  Viewer  | Browser  | No role  |
 | --------------------------------- | :-----: | :------: | :---------: | :------: | :------: | :------: |
 | Add and delete users              | &#9989; | &#9989;  |  &#10060;   | &#10060; | &#10060; | &#10060; |
 | Manage user permissions           | &#9989; | &#9989;  |  &#10060;   | &#10060; | &#10060; | &#10060; |
+| Add or remove owners              | &#9989; | &#10060; |  &#10060;   | &#10060; | &#10060; | &#10060; |
 | View users                        | &#9989; | &#9989;  |   &#9989;   | &#9989;  | &#9989;  | &#9989;  |
 | View groups                       | &#9989; | &#9989;  |   &#9989;   | &#9989;  | &#9989;  | &#9989;  |
 | Manage service principals         | &#9989; | &#9989;  |  &#10060;   | &#10060; | &#10060; | &#10060; |
@@ -35,7 +51,9 @@ The following tables describe role permissions assigned at the organization leve
 | Manage SSO configuration          | &#9989; | &#9989;  |  &#10060;   | &#10060; | &#10060; | &#10060; |
 | Manage billing resources          | &#9989; | &#9989;  |  &#10060;   | &#10060; | &#10060; | &#10060; |
 
-</Tab>
+The following tables provide additional ways to understand permissions, based on needs such as billing and SSO management.
+
+<Tabs>
 
 <Tab heading="Resource Manager" group="resource-manager">
 
@@ -75,7 +93,6 @@ The following tables describe role permissions assigned at the organization leve
 | Manage SSO and SCIM configuration |       &#10060;        |
 | Manage billing resources          |        &#9989;        |
 
-
 </Tab>
 
 <Tab heading="IAM" group="iam">
@@ -128,7 +145,17 @@ To learn more about each permission, refer to [HCP Terraform organization permis
 
 A user can be a part of an organization with no roles assigned directly to them through the [SSO default role settings](/hcp/docs/hcp/admin/iam/sso) or IAM settings. To enforce least-privileged access, new users will have a limited experience within the platform until an Admin assigns either an organization or project role to the user.
 
-### Project
+## View current role assignments
+
+To view a list of current role assignments in an organization, perform the following steps:
+
+1. At the top, click the dropdown to open the organization and project selector. Select **View all organizations**.
+1. Click the name of the organization.
+1. From the **Organization dashboard**, click **Access Control (IAM)**.
+
+The **Role assignments** page lists the currently assigned roles and provides an interface to search and filter the current assignments.
+
+## Project level roles and permissions
 
 The following tables describe role permissions scope to the project level.
 
@@ -227,19 +254,20 @@ To learn more about each permission, refer to [HCP Terraform project permissions
 
 </Tabs>
 
-#### Assign a project role
+## Assign a project role
 
 @include '/hcp-administration/assign-project-role.mdx'
 
-# Role Names and Role IDs
+## Role names and role IDs
 
-To interact with the HCP Access Management system using the [HCP Terraform provider](https://registry.terraform.io/providers/hashicorp/hcp/latest) or public APIs, you must properly format the role IDs you reference.The table lists role names and the formatting of their Role IDs.
+To interact with the HCP Access Management system using the [HCP Terraform provider](https://registry.terraform.io/providers/hashicorp/hcp/latest) or public APIs, you must properly format the role IDs you reference. The following able lists role names and the formatting of their Role IDs.
 
 <Tabs>
 <Tab heading="All Services" group="all-services">
 
 | Role name   |             Role ID              |
 | ----------- | :------------------------------: |
+| Owner       |          `roles/owner`           |
 | Admin       |          `roles/admin`           |
 | Contributor |       `roles/contributor`        |
 | Viewer      |          `roles/viewer`          |

content/hcp-docs/content/docs/hcp/iam/users.mdx

@@ -6,14 +6,14 @@ description: |-
 
 # Users
 
+This page describes how to add users to your HashiCorp Cloud Platform (HCP) account and manage their access to resources.
+
+## Introduction
+
 When you sign up for a HashiCorp Cloud Platform (HCP) account for the first
-time, the HCP Portal takes you to the [create
-organization](https://portal.cloud.hashicorp.com/orgs/create) page to set up
-your organization. You can invite additional users to the organization so that
+time, the HCP Portal takes you to the [create organization](https://portal.cloud.hashicorp.com/orgs/create) page to set up your organization. You can invite additional users to the organization so that
 they can access the resources.
 
-This page describes how to add users to your HashiCorp Cloud Platform (HCP) account and manage their access to resources.
-
 ## Invite users
 
 Use the following procedure to invite users into your organization using email.
@@ -30,5 +30,6 @@ users.
 
 @include '/hcp-administration/permission-intro.mdx'
 
-## Access Management
+## Access management
+
 For more information about permissions, the different types of roles and how they can be used within HCP, checkout the [Access Management](/hcp/docs/hcp/iam/access-management)  page. 

content/hcp-docs/content/partials/hcp-administration/invite-users.mdx

@@ -1,8 +1,7 @@
 <Note>
 
 If [Single Sign-On](/hcp/docs/hcp/iam/sso) is enabled, manage the users
-through the configured identity providers instead. The option to manually invite
-users as described in this section will not be available.
+through the configured identity providers instead.
 
 </Note>