docs: include a separate page for OSS access requests (#22947)

OSS Teleport supports access requests in a very limited fashion.
Make this clear by adding a separate page that covers the supported OSS
features.

Closes #4818
Closes #13175
Closes #14889
Closes #15979
Closes #22587

docs/config.json

@@ -322,6 +322,7 @@
         {
           "title": "Access Requests",
           "slug": "/access-controls/access-requests/",
+          "forScopes": ["oss", "enterprise", "cloud"],
           "entries": [
             {
               "title": "Role Requests",
@@ -331,6 +332,11 @@
               "title": "Resource Requests",
               "slug": "/access-controls/access-requests/resource-requests/",
               "forScopes": ["enterprise", "cloud"]
+            },
+            {
+              "title": "Role Requests in OSS Teleport",
+              "slug": "/access-controls/access-requests/oss-role-requests/",
+              "forScopes": ["oss", "enterprise", "cloud"]
             }
           ]
         },

docs/pages/access-controls/access-requests.mdx

@@ -1,28 +1,27 @@
 ---
-title: Just-in-Time Access Requests
-description: Teleport allows users to request new access capabilities from the CLI or UI. Requests can be escalated via ChatOps or anywhere else via our flexible Authorization Workflow API.
+title: Just-in-time Access Requests
+description: Use Just-in-time Access Requests to request elevated privileges.
 layout: tocless-doc
 ---
 
 Teleport Just-in-Time Access Requests allow any user to request access to
 a resource or role depending on need. The request can then be approved or
 denied based on a configurable number of approvers.
 
-Just-in-Time Access Requests are a powerful way to implement the principle of
+Just-in-time Access Requests are a powerful way to implement the principle of
 least privilege in your organization, leaving an attacker with no permanent
 admins to target. Users receive elevated privileges for a limited period of
-time. And aside from their reviewer privileges, users who review requests can
-have limited access to cluster resources.
+time. Request approvers can be configured with limited cluster access so they
+are not high value targets.
 
-<ScopedBlock scope={["oss"]}>
-
-Just-in-Time Access Requests are a feature of Teleport Enterprise.
+Just-in-time Access Requests are a feature of Teleport Enterprise.
 Open-source Teleport users can get a preview of how Access Requests work by
 requesting a role via the Teleport CLI. Full Access Request functionality,
 including Resource Access Requests and an intuitive and searchable UI are
 available in Teleport Enterprise.
 
-</ScopedBlock>
+For information on how to use Just-in-time Access Requests with OSS Teleport,
+see the [OSS Guide](./access-requests/oss-role-requests.mdx).
 
 ## Resource Access Requests
 

docs/pages/access-controls/access-requests/oss-role-requests.mdx

@@ -0,0 +1,160 @@
+---
+title: Just-in-time Access Requests in OSS Teleport
+description: OSS Teleport allows users to request access to roles from the CLI.
+h1: Teleport Resource Access Requests
+---
+
+Just-in-time Access Requests are a feature of Teleport Enterprise.
+
+Open-source Teleport users can get a preview of how Access Requests work by
+requesting a role via the Teleport CLI. Full Access Request functionality,
+including Resource Access Requests and an intuitive and searchable UI are
+available in Teleport Enterprise.
+
+## RBAC Setup
+
+Teleport's role-based access control (RBAC) allows you to configure what roles
+users can request access to. In this example, we will define two roles:
+
+1. `contractor`: users with this role can request elevated access to the `dba` role
+2. `dba`: this role grants access to databases
+
+There is no role for request approvers, because request approval rules can only
+be configured for Teleport Enterprise. In Open Source Teleport, approvals must
+be performed by running `tctl` on the Auth Server.
+
+**Contractor Role**
+
+Users with this role can request access to the `dba` role.
+
+```yaml
+kind: role
+version: v5
+metadata:
+  name: contractor
+spec:
+  allow:
+    request:
+      roles: ['dba']
+```
+
+Define this role in the file `contractor-role.yaml` and create it with `tctl`:
+
+```code
+$ tctl create contractor-role.yaml
+```
+
+Use `tctl` to assign this role to a user (`alice` in this example):
+
+```code
+$ tctl users update --set-roles \
+    $(tctl get users/alice --format=json | jq -r '.[].spec.roles | join(",")'),contractor alice
+```
+
+**DBA Role**
+
+This role grants access to databases.
+
+```yaml
+kind: role
+version: v5
+metadata:
+  name: dba
+spec:
+  allow:
+    db_labels:
+      '*': '*'
+  options:
+    # Only allows the contractor to use this role for 1 hour from time of request.
+    max_session_ttl: 1h
+```
+
+Define this role in the file `dba-role.yaml` and create it with `tctl`:
+
+```code
+$ tctl create dba-role.yaml
+```
+
+## Requesting Access
+
+In OSS Teleport, requests are made from the `tsh` CLI. To create an access
+request, use the `tsh request create` command.
+
+```code
+$ tsh request create \
+    --roles=dba \
+    --reviewers=bob \
+    --reason="performing DB migration tonight"
+```
+
+By default, this command will block until the request is approved. To submit the
+request without waiting for approval, add the `--nowait` flag.
+
+Alternatively, `tsh` can automatically create an access request during the login
+process. To activate this behavior, specify the `--request-roles` flag:
+
+```code
+$ tsh login --user=alice --request-roles=dba
+# Seeking request approval... (id: bc8ca931-fec9-4b15-9a6f-20c13c5641a9)
+```
+
+This will wait for the request to be approved, and then issue credentials with
+the `dba` role automatically when the request is approved.
+
+To log in and submit the request without waiting for approval, add the
+`--request-nowait` flag. In this scenario, you will receive your regular roles
+upon login, and can elevate your access after the request is approved.
+
+```code
+# log in with an approved access request
+$ tsh login --request-id=bc8ca931-fec9-4b15-9a6f-20c13c5641a9
+```
+
+You can list requests using `tsh request ls`.
+
+```code
+$ tsh request ls
+# Token                                Requestor Metadata       Created At (UTC)    Status
+# ------------------------------------ --------- -------------- ------------------- -------
+# bc8ca931-fec9-4b15-9a6f-20c13c5641a9 alice     roles=dba      07 Nov 19 19:38 UTC PENDING
+```
+
+## Reviewing requests
+
+In OSS Teleport, Access Requests must be reviewed by a cluster administrator
+with the ability to run `tctl` on the Auth Server.
+
+Administrators can list requests with `tctl requests ls`, and view the details
+of a particular request with `tctl requests get <id>`.
+
+To  approve or deny a request, use `tctl request approve` or `tctl request deny`.
+For example, to deny a request:
+
+```code
+$ tctl request deny \
+    --reason="today's migration has been canceled" \
+    bc8ca931-fec9-4b15-9a6f-20c13c5641a9
+```
+
+<Admonition type="warning">
+Granting access to a role with the ability to edit other roles could allow a
+user to **permanently** upgrade their privileges. When reviewing requests, it's
+important to carefully consider the role(s) being requested and what permissions
+will be applied to the user if the request is approved.
+</Admonition>
+
+Reviewers can approve the request while also overriding the set of roles in the request:
+
+```code
+$ tctl request approve \
+    --roles="db-support" \
+    --reason="approved access to db-support, dba is not necessary" \
+    bc8ca931-fec9-4b15-9a6f-20c13c5641a9
+```
+
+## Next Steps
+
+- Learn more about [Access Requests](../access-requests.mdx)
+- See what additional features are available for
+  [role requests](./role-requests.mdx) in Teleport Enterprise
+- Request access to [specific resources](./resource-requests.mdx) with Teleport Enterprise