Reorganize Teleport Policy docs

Backports #45229

The Teleport Policy docs are currently in two sections of
`/admin-guides/access-controls` with overlapping subject areas. This
change merges the two sections into a single subsection of
`/admin-guides`.

To preserve the convention of moving all self-hosted guides into
`/admin-guides/deploy-a-cluster`, this change also moves guides to
self-hosting the Access Graph Service into
`/admin-guides/deploy-a-cluster/access-graph`.

More specific changes:

- Add a subsection of the Policy section for integrations.
- Make the Policy section a top-level section within Admin Guides, since
  we add another directory, to keep the max sidebar depth at four.
- Move the contents of `/admin-guides/access-controls/access-graph` to
  the `/admin-guides/teleport-policy/integrations` directory, since all
  of the guides in `access-graph` had to do with integrations.
- Change the Teleport Policy Integrations page into a menu. The page
  overlaps with the instructions on the AWS integration, so repurpose
  the guide as an overview.
- Turn the Policy Get Started guide into a menu. The guide is a brief
  overview, so it functions well as the introduction to a menu page.
- Rename the usage guide so it appears first on the auto-generated
  sidebar section.

docs/pages/admin-guides/access-controls/sso/one-login.mdx

@@ -61,7 +61,7 @@ to define policies like:
 
    ![New Field](../../../../img/sso/onelogin/onelogin-saml-3.png)
 
-   ![New Field Group](../../../img/sso/onelogin/onelogin-saml-4.png)
+   ![New Field Group](../../../../img/sso/onelogin/onelogin-saml-4.png)
 
    <Admonition
      type="warning"

docs/pages/admin-guides/deploy-a-cluster/access-graph/access-graph.mdx

@@ -0,0 +1,11 @@
+---
+title: "Self-Hosting Teleport Access Graph"
+description: Explains how to deploy Teleport Access Graph alongside a self-hosted Teleport cluster.
+---
+
+If you run a self-hosted Teleport cluster, using Teleport Access Graph (part of
+Teleport Policy) requires running the Access Graph Service on your own
+infrastructure. The following guides show you how to deploy the Access Graph
+Service.
+
+(!toc!)

docs/pages/admin-guides/access-controls/access-graph/aws-sync.mdx → docs/pages/admin-guides/teleport-policy/integrations/aws-sync.mdx

@@ -26,11 +26,10 @@ Access Graph options can be found under the Permission Management section.
 
 ## How TAG discovers AWS access patterns
 
-Teleport Access Graph synchronizes various AWS resources,
-including IAM Policies, Groups, Users, User Groups, EC2 instances, 
-EKS clusters, and RDS databases. These resources are then visualized
-using the graph representation detailed in the
-[Access Graph page](../../../admin-guides/access-controls/access-graph/access-graph.mdx).
+Access Graph discovers AWS access patterns, synchronizes various AWS resources,
+including IAM Policies, Groups, Users, User Groups, EC2 instances, EKS clusters, and RDS databases. 
+These resources are then visualized using the graph representation detailed in the
+[Teleport Policy usage page](../teleport-policy.mdx).
 
 The importing process involves two primary steps:
 
@@ -66,9 +65,9 @@ graphical representation thereof.
 
 - A running Teleport Enterprise cluster v14.3.9/v15.2.0 or later.
 - For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
-- For self-hosted clusters, a running Teleport Access Graph node v1.17.0 or later. 
-Check [Access Graph page](self-hosted.mdx) for details on
-how to setup Teleport Access Graph.
+- For self-hosted clusters, a running Access Graph node v1.17.0 or later. 
+Check [Access Graph page](../teleport-policy.mdx) for details on
+how to set up Access Graph.
 - The node running the Access Graph service must be reachable
 from Teleport Auth Service and Discovery Service. 
 

docs/pages/admin-guides/access-controls/access-graph/gitlab.mdx → docs/pages/admin-guides/teleport-policy/integrations/gitlab.mdx

@@ -20,7 +20,7 @@ under the Permission Management section.
 
 Access Graph synchronizes various GitLab resources, including users, projects and groups.
 These resources are then visualized using the graph representation detailed in the
-[Access Graph page](access-graph.mdx).
+[Access Graph page](../teleport-policy.mdx).
 
 The importing process involves two primary steps:
 
@@ -48,7 +48,7 @@ graphical representation thereof.
 - A running Teleport Enterprise cluster v14.3.20/v15.3.1/v16.0.0 or later.
 - For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
 - For self-hosted clusters, a running Access Graph node v1.21.4 or later.
-Check [Access Graph page](access-graph.mdx) for details on
+Check [Access Graph page](../teleport-policy.mdx) for details on
 how to set up Access Graph.
 - For self-hosted clusters, the node running the Access Graph service must be reachable
 from Teleport Auth Service.

docs/pages/admin-guides/teleport-policy/integrations/integrations.mdx

@@ -0,0 +1,54 @@
+---
+title: Teleport Policy Integrations
+description: Integrations in Access Graph with Teleport Policy.
+---
+
+Teleport can integrate with identity providers (IdPs) like Okta and AWS OIDC 
+which can then be used with Access Graph, providing a comprehensive, 
+interactive view of how users, roles, and resources are interconnected, 
+enabling administrators to better understand and control access policies.
+
+Read the following guides for information on using Teleport Access Graph to
+visualize role-based access controls from third-party services:
+
+(!toc!)
+
+## Viewing available integrations
+
+The Integrations page shows integrations that can be enabled or are already
+enabled in Access Graph.
+
+![Integrations](../../../../img/access-graph/integrations.png)
+
+Resources imported into Teleport through Teleport-enabled integrations are
+automatically imported into Teleport Policy without any additional
+configuration.
+
+To access the interface, your user must have a role that allows `list` and `read` verbs on the `access_graph` resource, e.g.:  
+
+```yaml
+kind: role
+version: v7
+metadata:
+  name: my-role
+spec:
+  allow:
+    rules:
+    - resources:
+      - access_graph
+      verbs:
+      - list
+      - read
+```
+
+The preset `editor` role has the required permissions by default.
+
+## Set up a new integration
+
+Visit the Teleport Web UI and click **Access Management** on the menu bar at the
+top of the screen. 
+
+On the left sidebar, click **Access Graph**. Click the connection icon: 
+![Connection view](../../../../img/access-graph/connection_view.png) 
+Choose an application to integrate with.
+

docs/pages/admin-guides/teleport-policy/teleport-policy.mdx

@@ -0,0 +1,31 @@
+---
+title: Teleport Policy
+description: A reference for Access Graph with Teleport Policy.
+---
+
+Teleport Policy unifies management of access policies across your infrastructure. 
+It hardens your access controls and visually shows up-to-date relationships and policies of all users, groups, and computing resources
+It can help you answer questions like:
+
+- What resources can a specific user access?
+- What users can access a specific resource?
+- What are the relationships between users, roles, and resources?
+
+## Getting started with Teleport Policy
+
+Teleport Policy is a separately licensed product and is available to Teleport Enterprise customers.
+Access Graph is a major capability of Teleport Policy that visually shows the relationships of 
+policies of users, groups, and computing resources.
+
+After logging into the Teleport UI, go to the Management tab. If enabled, Teleport Policy’s Access Graph options 
+can be found under the Permission Management section.
+
+<Admonition type="note">
+Note: For managed Enterprise customers, Teleport Policy is enabled by default.
+If you are a self-hosted Teleport customer, you will need to [deploy the Access Graph Service](../deploy-a-cluster/access-graph/access-graph.mdx) and ensure you have an updated 
+`license.pem` with Teleport Policy enabled to use it.
+</Admonition>
+
+## Teleport Policy guides
+
+(!toc!)

docs/pages/index.mdx

@@ -102,7 +102,7 @@ Get started with Teleport Identity:
 infrastructure. With Teleport Policy’s Access Graph feature, you gain insights into role-based
 access control policies within Teleport and your cloud provider.
 
-Get started with [Teleport Policy](admin-guides/access-controls/teleport-policy/teleport-policy.mdx).
+Get started with [Teleport Policy](admin-guides/teleport-policy/teleport-policy.mdx).
 
 ## Architecture
 

docs/pages/reference/access-controls/roles.mdx

@@ -503,7 +503,7 @@ sign-on provider.
 The `internal` trait namespace includes only the exact internal trait names
 included in the above table.
 For local Teleport users, these traits can be set in the `spec.traits` field of the
-[user resource](../reference/resources.mdx#user).
+[user resource](../resources.mdx#user).
 These trait names can also be set for SSO users if they are included in an
 attribute or claim from your IdP.
 
@@ -535,7 +535,7 @@ included in the `spec.allow.logins` field of roles the user holds in the root cl
 #### Referring to external traits in Teleport roles
 
 For local Teleport users, the `external` trait namespace includes all values
-from the `spec.traits` field of the [user resource](../reference/resources.mdx#user).
+from the `spec.traits` field of the [user resource](../resources.mdx#user).
 This includes any custom trait names, as well as names matching the `internal`
 traits listed above.
 For example, `{{internal.logins}}` and `{{external.logins}}` are both valid ways

docs/pages/reference/helm-reference/teleport-access-graph.mdx

@@ -5,7 +5,7 @@ description: Values that can be set using the teleport-access-graph Helm chart
 
 The `teleport-access-graph` Helm chart deploys the Teleport Access Graph service.
 
-See [Teleport Policy's Access Graph on Self-Hosted Clusters with Helm](../../admin-guides/access-controls/access-graph/self-hosted-helm.mdx)
+See [Teleport Policy's Access Graph on Self-Hosted Clusters with Helm](../../admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx)
 for more details.
 
 <Admonition type="warning" title="Version Compatibility">