security: update IAM/RAM docs for OATs compatibility (#22915)

sarahsanders-docker · web-flow · commit 101db0dc4ad2 · 2025-06-25T10:04:23.000-04:00
## Description - IAM and RAM do not work with OATs - This adds callouts/clarification on incompatibility ## Related issues or tickets https://docker.atlassian.net/browse/ENGDOCS-2759?atlOrigin=eyJpIjoiMWY0ODA5ZmRlMzNjNDlkZTlhYjZmY2NlY2M1NWU1MjUiLCJwIjoiaiJ9 ## Reviews - [ ] Technical review - [ ] Editorial review - [ ] Product review
diff --git a/content/manuals/security/for-admins/access-tokens.md b/content/manuals/security/for-admins/access-tokens.md
@@ -10,9 +10,10 @@ linkTitle: Organization access tokens
 
 > [!WARNING]
 >
-> Organization access tokens (OATs) are incompatible with Docker Desktop.
+> Organization access tokens (OATs) are incompatible with Docker Desktop,
+> [Image Access Management (IAM)](/manuals/security/for-admins/hardened-desktop/image-access-management.md), and [Registry Access Management (RAM)](/manuals/security/for-admins/hardened-desktop/registry-access-management.md).
 >
-> If you use Docker Desktop, you must use personal
+> If you use Docker Desktop, IAM, or RAM, you must use personal
 > access tokens instead.
 
 An organization access token (OAT) is like a [personal access token
diff --git a/content/manuals/security/for-admins/hardened-desktop/image-access-management.md b/content/manuals/security/for-admins/hardened-desktop/image-access-management.md
@@ -21,6 +21,10 @@ For example, a developer, who is part of an organization, building a new contain
 
 You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since Image Access Management requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in.
 
+> [!IMPORTANT]
+>
+> You must use [personal access tokens (PATs)](/manuals/security/for-developers/access-tokens.md) with Image Access Management. Organization access tokens (OATs) are not compatible.
+
 ## Configure
 
 {{< tabs >}}
diff --git a/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md b/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md
@@ -43,6 +43,10 @@ always authenticate to your organization, even though they can authenticate
 without it and the feature will take effect. Enforcing sign-in guarantees the
 feature always takes effect.
 
+> [!IMPORTANT]
+>
+> You must use [personal access tokens (PATs)](/manuals/security/for-developers/access-tokens.md) with Registry Access Management. Organization access tokens (OATs) are not compatible.
+
 ## Configure Registry Access Management permissions
 
 {{< tabs >}}

Original file line number	Diff line number	Diff line change
`@@ -10,9 +10,10 @@ linkTitle: Organization access tokens`
`10`	`10`
`11`	`11`	`> [!WARNING]`
`12`	`12`	`>`
`13`		`-> Organization access tokens (OATs) are incompatible with Docker Desktop.`
	`13`	`+> Organization access tokens (OATs) are incompatible with Docker Desktop,`
	`14`	`+> [Image Access Management (IAM)](/manuals/security/for-admins/hardened-desktop/image-access-management.md), and [Registry Access Management (RAM)](/manuals/security/for-admins/hardened-desktop/registry-access-management.md).`
`14`	`15`	`>`
`15`		`-> If you use Docker Desktop, you must use personal`
	`16`	`+> If you use Docker Desktop, IAM, or RAM, you must use personal`
`16`	`17`	`> access tokens instead.`
`17`	`18`
`18`	`19`	`An organization access token (OAT) is like a [personal access token`