openshift · agantony · May 16, 2026 · May 16, 2026
diff --git a/cli/command-reference/roxctl-declarative-config.adoc b/cli/command-reference/roxctl-declarative-config.adoc
@@ -6,25 +6,15 @@ include::modules/common-attributes.adoc[]
 
 toc::[]
 
-Manage the declarative configuration.
+[role="_abstract"]
+Use the `roxctl declarative-config` command to manage declarative configurations. This reference covers the command syntax, available subcommands, and configuration options.
 
-.Usage
-[source,terminal]
-----
-$ roxctl declarative-config [command] [flags]
-----
+//roxctl declarative-config overview
+include::modules/roxctl-declarative-config-overview.adoc[leveloffset=+1]
 
-.Available commands
-[cols="2,2",options="header"]
-|===
-|Command |Description
+include::modules/roxctl-declarative-config-usage.adoc[leveloffset=+2]
 
-|`create`      
-|Create declarative configurations.
-
-|`lint`       
-| Lint an existing declarative configuration YAML file.
-|===
+include::modules/roxctl-declarative-config-available-commands.adoc[leveloffset=+2]
 
 //Options inherited from the parent command
 :commandname: roxctl declarative-config
@@ -34,29 +24,85 @@ include::modules/options-inherited-from-the-parent-command.adoc[leveloffset=+1]
 //roxctl declarative-config lint
 include::modules/roxctl-declarative-config-lint.adoc[leveloffset=+1]
 
+include::modules/roxctl-declarative-config-lint-usage.adoc[leveloffset=+2]
+
+include::modules/roxctl-declarative-config-lint-options.adoc[leveloffset=+2]
+
 //roxctl declarative-config create
 include::modules/roxctl-declarative-config-create.adoc[leveloffset=+1]
 
+include::modules/roxctl-declarative-config-create-usage.adoc[leveloffset=+2]
+
+include::modules/roxctl-declarative-config-create-options.adoc[leveloffset=+2]
+
 include::modules/roxctl-declarative-config-create-role.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-role-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-role-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-notifier.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-notifier-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-notifier-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-access-scope.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-access-scope-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-access-scope-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-auth-provider.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-auth-provider-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-auth-provider-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-permission-set.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-permission-set-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-permission-set-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-notifier-splunk.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-notifier-splunk-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-notifier-splunk-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-notifier-generic.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-notifier-generic-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-notifier-generic-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-auth-provider-iap.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-auth-provider-iap-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-auth-provider-iap-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-auth-provider-oidc.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-auth-provider-oidc-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-auth-provider-oidc-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-auth-provider-saml.adoc[leveloffset=+2]
 
+include::modules/roxctl-declarative-config-create-auth-provider-saml-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-auth-provider-saml-options.adoc[leveloffset=+3]
+
 include::modules/roxctl-declarative-config-create-auth-provider-userpki.adoc[leveloffset=+2]
 
-include::modules/roxctl-declarative-config-create-auth-provider-openshift-auth.adoc[leveloffset=+2]
+include::modules/roxctl-declarative-config-create-auth-provider-userpki-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-auth-provider-userpki-options.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-auth-provider-openshift-auth.adoc[leveloffset=+2]
+
+include::modules/roxctl-declarative-config-create-auth-provider-openshift-auth-usage.adoc[leveloffset=+3]
+
+include::modules/roxctl-declarative-config-create-auth-provider-openshift-auth-options.adoc[leveloffset=+3]
diff --git a/modules/options-inherited-from-the-parent-command.adoc b/modules/options-inherited-from-the-parent-command.adoc
@@ -25,43 +25,44 @@ endif::[]
 [id="options-inherited-from-the-parent-command_{context}"]
 = {commandname} command options inherited from the parent command
 
+[role="_abstract"]
 The `{commandname}` command supports the following options inherited from the parent `roxctl` command:
 
 [cols="2,2",options="header"]
 |===
 |Option |Description
 
-|`--ca string` 
+|`--ca string`
 |Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the `ROX_CA_CERT_FILE` environment variable.
 
-|`--direct-grpc`  
+|`--direct-grpc`
 |Set `--direct-grpc` for improved connection performance. Alternatively, by setting the `ROX_DIRECT_GRPC_CLIENT` environment variable to `true`, you can enable direct gRPC . The default value is `false`.
 
-|`-e`, `--endpoint string` 
+|`-e`, `--endpoint string`
 |Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the `ROX_ENDPOINT` environment variable. The default value is `localhost:8443`.
 
-|`--force-http1` 
+|`--force-http1`
 |Force the use of HTTP/1 for all connections. Alternatively, by setting the `ROX_CLIENT_FORCE_HTTP1` environment variable to `true`, you can force the use of HTTP/1. The default value is `false`.
 
-|`--insecure` 
+|`--insecure`
 |Enable insecure connection options. Alternatively, by setting the `ROX_INSECURE_CLIENT` environment variable to `true`, you can enable insecure connection options. The default value is `false`.
 
-|`--insecure-skip-tls-verify` 
+|`--insecure-skip-tls-verify`
 a|Skip the TLS certificate validation. Alternatively, by setting the `ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY` environment variable to `true`, you can skip the TLS certificate validation. The default value is `false`.
 
-|`--no-color` 
+|`--no-color`
 |Disable the color output. Alternatively, by setting the `ROX_NO_COLOR environment variable` to `true`, you can disable the color output. The default value is `false`.
 
-|`-p`, `--password string` 
+|`-p`, `--password string`
 |Specify the password for basic authentication. Alternatively, you can set the password by using the `ROX_ADMIN_PASSWORD` environment variable.
 
-|`--plaintext` 
+|`--plaintext`
 |Use an unencrypted connection. Alternatively, by setting the `ROX_PLAINTEXT` environment variable to `true`, you can enable an unencrypted connection. The default value is `false`.
 
-|`-s`, `--server-name string` 
+|`-s`, `--server-name string`
 |Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the `ROX_SERVER_NAME` environment variable. 
 
-|`--token-file string` 
+|`--token-file string`
 |Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the `ROX_API_TOKEN` environment variable.
 |===
 

diff --git a/modules/roxctl-declarative-config-available-commands.adoc b/modules/roxctl-declarative-config-available-commands.adoc
@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * command-reference/roxctl-declarative-config.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="roxctl-declarative-config-available-commands_{context}"]
+= Available commands
+
+[role="_abstract"]
+Available commands for the `roxctl declarative-config` command.
+
+[cols="2,2",options="header"]
+|===
+|Command |Description
+
+|`create`
+|Create declarative configurations.
+
+|`lint`
+| Lint an existing declarative configuration YAML file.
+|===
diff --git a/modules/roxctl-declarative-config-create-access-scope-options.adoc b/modules/roxctl-declarative-config-create-access-scope-options.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * command-reference/roxctl-declarative-config.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="roxctl-declarative-config-create-access-scope-options_{context}"]
+= Options
+
+[role="_abstract"]
+Options for the `roxctl declarative-config create access-scope` command.
+
+[cols="6,3",options="header"]
+|===
+|Option |Description
+
+|`--cluster-label-selector requirement`
+|Specify the criteria for creating a label selector based on the cluster's labels. The key-value pairs represent requirements, and you can use this flag many times to create a combination of requirements. The default value is `[ [ ] ]`. For more details, run the `roxctl declarative-config create access-scope --help` command.
+
+|`--description string`
+|Set a description for the access scope.
+
+|`--included included-object`
+|Specify a list of clusters and their namespaces that you want to include in the access scope. The default value is `[null]`.
+
+|`--name string`
+|Specify the name of the access scope.
+
+|`--namespace-label-selector requirement`
+|Specify the criteria for creating a label selector based on the namespace's labels. Similar to the cluster-label-selector, you can use this flag many times for the combination of requirements. For more details, run the `roxctl declarative-config create access-scope --help` command.
+|===
diff --git a/modules/roxctl-declarative-config-create-access-scope-usage.adoc b/modules/roxctl-declarative-config-create-access-scope-usage.adoc
@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * command-reference/roxctl-declarative-config.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="roxctl-declarative-config-create-access-scope-usage_{context}"]
+= roxctl declarative-config create access-scope usage
+
+[role="_abstract"]
+Usage syntax for the `roxctl declarative-config create access-scope` command.
+
+.Usage
+[source,terminal]
+----
+$ roxctl declarative-config create access-scope [flags]
+----
diff --git a/modules/roxctl-declarative-config-create-access-scope.adoc b/modules/roxctl-declarative-config-create-access-scope.adoc
@@ -2,35 +2,9 @@
 //
 // * command-reference/roxctl-declarative-config.adoc
 
-:_mod-docs-content-type: REFERENCE
+:_mod-docs-content-type: CONCEPT
 [id="roxctl-declarative-config-create-access-scope_{context}"]
 = roxctl declarative-config create access-scope
 
+[role="_abstract"]
 Create a declarative configuration for an access scope.
-
-.Usage
-[source,terminal]
-----
-$ roxctl declarative-config create access-scope [flags]
-----
-
-.Options
-[cols="6,3",options="header"]
-|===
-|Option |Description
-
-|`--cluster-label-selector requirement`
-|Specify the criteria for creating a label selector based on the cluster's labels. The key-value pairs represent requirements, and you can use this flag multiple times to create a combination of requirements. The default value is `[ [ ] ]`. For more details, run the `roxctl declarative-config create access-scope --help` command.
-
-|`--description string`
-|Set a description for the access scope.
-
-|`--included included-object`
-|Specify a list of clusters and their namespaces that you want to include in the access scope. The default value is `[null]`.
-
-|`--name string`
-|Specify the name of the access scope.
-
-|`--namespace-label-selector requirement`
-|Specify the criteria for creating a label selector based on the namespace's labels. Similar to the cluster-label-selector, you can use this flag multiple times for the combination of requirements. For more details, run the `roxctl declarative-config create access-scope --help` command.
-|===
diff --git a/modules/roxctl-declarative-config-create-auth-provider-iap-options.adoc b/modules/roxctl-declarative-config-create-auth-provider-iap-options.adoc
@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// * command-reference/roxctl-declarative-config.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="roxctl-declarative-config-create-auth-provider-iap-options_{context}"]
+= Options
+
+[role="_abstract"]
+Options for the `roxctl declarative-config create auth-provider iap` command.
+
+[cols="2,2",options="header"]
+|===
+|Option |Description
+
+|`--audience string`
+|Specify the target group that you want to validate.
+|===
diff --git a/modules/roxctl-declarative-config-create-auth-provider-iap-usage.adoc b/modules/roxctl-declarative-config-create-auth-provider-iap-usage.adoc
@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * command-reference/roxctl-declarative-config.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="roxctl-declarative-config-create-auth-provider-iap-usage_{context}"]
+= roxctl declarative-config create auth-provider iap usage
+
+[role="_abstract"]
+Usage syntax for the `roxctl declarative-config create auth-provider iap` command.
+
+.Usage
+[source,terminal]
+----
+$ roxctl declarative-config create auth-provider iap [flags]
+----
diff --git a/modules/roxctl-declarative-config-create-auth-provider-iap.adoc b/modules/roxctl-declarative-config-create-auth-provider-iap.adoc
@@ -2,23 +2,9 @@
 //
 // * command-reference/roxctl-declarative-config.adoc
 
-:_mod-docs-content-type: REFERENCE
+:_mod-docs-content-type: CONCEPT
 [id="roxctl-declarative-config-create-auth-provider-iap_{context}"]
 = roxctl declarative-config create auth-provider iap
 
-Create a declarative configuration for an authentication provider with the identity-aware proxy (IAP) identifier.  
-
-.Usage
-[source,terminal]
-----
-$ roxctl declarative-config create auth-provider iap [flags]
-----
-
-.Options
-[cols="2,2",options="header"]
-|===
-|Option |Description
-
-|`--audience string`
-|Specify the target group that you want to validate.
-|===
+[role="_abstract"]
+Create a declarative configuration for an authentication provider with the identity-aware proxy (IAP) identifier.
diff --git a/modules/roxctl-declarative-config-create-auth-provider-oidc-options.adoc b/modules/roxctl-declarative-config-create-auth-provider-oidc-options.adoc
@@ -0,0 +1,33 @@
+// Module included in the following assemblies:
+//
+// * command-reference/roxctl-declarative-config.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="roxctl-declarative-config-create-auth-provider-oidc-options_{context}"]
+= Options
+
+[role="_abstract"]
+Options for the `roxctl declarative-config create auth-provider oidc` command.
+
+[cols="6,3",options="header"]
+|===
+|Option |Description
+
+|`--claim-mappings stringToString`
+|Specify a list of non-standard claims from the identity provider (IdP) token that  you want to include in the authentication provider's rules. The default value is `[]`.
+
+|`--client-id string`
+|Specify the client ID of the OIDC client.
+
+|`--client-secret string`
+|Specify the client secret of the OIDC client.
+
+|`--disable-offline-access`
+|Disable the request for the offline_access from the OIDC IdP. You need to use this option if the OIDC IdP limits the number of sessions with the `offline_access` scope. The default value is `false`.
+
+|`--issuer string`
+|Specify the issuer of the OIDC client.
+
+|`--mode string`
+|Specify the callback mode that you want to use. Valid values include `auto`, `post`, `query` and `fragment`. The default value is `auto`.
+|===
diff --git a/modules/roxctl-declarative-config-create-auth-provider-oidc-usage.adoc b/modules/roxctl-declarative-config-create-auth-provider-oidc-usage.adoc
@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * command-reference/roxctl-declarative-config.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="roxctl-declarative-config-create-auth-provider-oidc-usage_{context}"]
+= roxctl declarative-config create auth-provider oidc usage
+
+[role="_abstract"]
+Usage syntax for the `roxctl declarative-config create auth-provider oidc` command.
+
+.Usage
+[source,terminal]
+----
+$ roxctl declarative-config create auth-provider oidc [flags]
+----