diff --git a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
index b179efdbf905..8ca2e4ae5f81 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeter.yaml
@@ -261,9 +261,11 @@ properties:
 - name: 'identities'
 type: Array
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ Identities can be an individual user, service account, Google group,
+ or third-party identity. For third-party identity, only single identities
+ are supported and other identity types are not supported.The v1 identities
+ that have the prefix user, group and serviceAccount in
+ https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 is_set: true
 item_type:
 type: String
@@ -398,9 +400,11 @@ properties:
 - name: 'identities'
 type: Array
 description: |
- A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Identities can be an individual user, service account, Google group,
+ or third-party identity. For third-party identity, only single identities
+ are supported and other identity types are not supported.The v1 identities
+ that have the prefix user, group and serviceAccount in
+ https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 is_set: true
 item_type:
 type: String
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
index fbd5951f1a23..2def63b66f4f 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
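Review bot: The new `identities` description in the first hunk of ServicePerimeter.yaml (@@ -261, the ingress policy) no longer says what the list does: the removed text stated that these identities are allowed access through the policy, while the replacement only enumerates accepted identity types. This field decides who may cross the perimeter, and a `group` entry presumably makes that access follow group membership changes made outside this resource, so I would keep a lead sentence such as `A list of identities that are allowed access through this ingress policy.` (with the egress wording in the egress hunks) ahead of the new text. There is also a missing space in `not supported.The v1 identities`, which will show up in the generated provider docs. The same text is pasted into the second hunk of this file (@@ -398) and into the hunks for ServicePerimeterDryRunEgressPolicy.yaml, ServicePerimeterDryRunIngressPolicy.yaml, ServicePerimeterEgressPolicy.yaml, ServicePerimeterIngressPolicy.yaml and ServicePerimeters.yaml.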
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunEgressPolicy.yaml
@@ -112,9 +112,11 @@ properties:
 - name: 'identities'
 type: Array
 description: |
- A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Identities can be an individual user, service account, Google group,
+ or third-party identity. For third-party identity, only single identities
+ are supported and other identity types are not supported.The v1 identities
+ that have the prefix user, group and serviceAccount in
+ https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 item_type:
 type: String
 - name: 'sources'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml
index a88b19d8fb52..d012a7986984 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterDryRunIngressPolicy.yaml
@@ -114,9 +114,11 @@ properties:
 - name: 'identities'
 type: Array
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ Identities can be an individual user, service account, Google group,
+ or third-party identity. For third-party identity, only single identities
+ are supported and other identity types are not supported.The v1 identities
+ that have the prefix user, group and serviceAccount in
+ https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 item_type:
 type: String
 - name: 'sources'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
index bcd05a39ec54..aa134684c045 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterEgressPolicy.yaml
@@ -109,9 +109,11 @@ properties:
 - name: 'identities'
 type: Array
 description: |
- A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Identities can be an individual user, service account, Google group,
+ or third-party identity. For third-party identity, only single identities
+ are supported and other identity types are not supported.The v1 identities
+ that have the prefix user, group and serviceAccount in
+ https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 item_type:
 type: String
 - name: 'sources'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
index 6fd8a3df51ff..4512d903033a 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeterIngressPolicy.yaml
@@ -111,9 +111,11 @@ properties:
 - name: 'identities'
 type: Array
 description: |
- A list of identities that are allowed access through this ingress policy.
- Should be in the format of email address. The email address should represent
- individual user or service account only.
+ Identities can be an individual user, service account, Google group,
+ or third-party identity. For third-party identity, only single identities
+ are supported and other identity types are not supported.The v1 identities
+ that have the prefix user, group and serviceAccount in
+ https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 item_type:
 type: String
 - name: 'sources'
diff --git a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
index f7a4d16b79b7..0d0c4e97a441 100644
--- a/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
+++ b/mmv1/products/accesscontextmanager/ServicePerimeters.yaml
@@ -662,9 +662,11 @@ properties:
 - name: 'identities'
 type: Array
 description: |
- A list of identities that are allowed access through this `EgressPolicy`.
- Should be in the format of email address. The email address should
- represent individual user or service account only.
+ Identities can be an individual user, service account, Google group,
+ or third-party identity. For third-party identity, only single identities
+ are supported and other identity types are not supported.The v1 identities
+ that have the prefix user, group and serviceAccount in
+ https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported.
 is_set: true
 item_type:
 type: String