tmihoc
diff --git a/‎index.md‎
Lines changed: 1 addition & 2 deletions b/‎index.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎explanation/images/jaas.png‎ renamed to ‎reference/jaas/jaas-architecture.png‎ b/‎explanation/images/jaas.png‎ renamed to ‎reference/jaas/jaas-architecture.png‎
diff --git a/‎explanation/images/jaas-diagram.rtb‎ renamed to ‎reference/jaas/jaas-diagram.rtb‎ b/‎explanation/images/jaas-diagram.rtb‎ renamed to ‎reference/jaas/jaas-diagram.rtb‎
diff --git a/‎reference/jaas/jaas_architecture.md‎
Lines changed: 26 additions & 3 deletions b/‎reference/jaas/jaas_architecture.md‎
Lines changed: 26 additions & 3 deletions
@@ -11,7 +11,6 @@ reference/index
 explanation/index
 ```
 
-
 JAAS is an enterprise layer on top of [Juju](https://canonical-juju.readthedocs-hosted.com/en/latest/).
 
 JAAS provides:
@@ -32,7 +31,7 @@ When you use an existing Juju on Kubernetes controller to deploy JIMM and its de
 - use ReBAC for authorisation;
 - use the Juju CLI, Juju Dashboard, and the Terraform Provider for Juju to interact with multiple Juju controllers from a single point of contact.
 
-If you want to take Juju to the enterprise level, you need JAAS.
+If you are a site reliability engineer looking to take Juju to the enterprise level, you need JAAS.
 
 ---------
 
 
@@ -1,9 +1,32 @@
 # JAAS Architecture
 
-This document briefly goes into more detail on JAAS' deployment and scalability.
+The diagram below shows an overall picture of JAAS architecture.
 
-We recommend first reading the {doc}`JAAS overview <./jaas_overview>` to understand the
-components that make up JAAS.
+<!--
+Note: JAAS diagram is already in a Miro board here: https://miro.com/app/board/uXjVKUIUKAc=/
+
+There is also a backup of the board in this directory (named `jaas-diagram.rtb`) which can be used to restore on Miro (in case the original board mentioned above was no longer available).
+-->
+
+![JAAS architecture](images/jaas-architecture.png)
+
+This includes the following components:
+
+- Juju Intelligent Model Manager (JIMM)
+- ReBAC authorisation (OpenFGA)
+- Database (PostgreSQL)
+- Secure storage (Vault)
+
+JIMM is an API server that implements a number of Juju facades (i.e. endpoints) and behaves as a *Juju Controller*,
+which under the hood proxies operations to underlying controllers. This enables
+other tools, like the Juju Dashboard or Juju CLI, that communicate with a
+Juju Controller to work seamlessly with JIMM.
+
+For authentication of users or service accounts, JAAS requires an *OIDC Provider*
+(Hydra) that handles the standard OAuth2.0 flows including browser flow, device flow,
+and client credentials.
+
+The remainder of this document briefly goes into more detail on JAAS' deployment and scalability.
 
 ## Deployment