pomerium · ZPain8464 · Feb 21, 2024 · Feb 21, 2024
@@ -35,4 +35,3 @@ The default view shows all changes made through Pomerium Enterprise. Use the **C
 [namespace-concept]: /docs/concepts/namespacing
 [namespace-reference]: /docs/enterprise/reference/configure#namespaces
 [service-accounts-concept]: /docs/capabilities/service-accounts.md
-[policy-reference]: /docs/concepts/policies
@@ -24,7 +24,7 @@ keywords:
 
 ## Routes
 
-A [Route](/docs/concepts/routes) defines how to access a service running behind Pomerium. This includes authentication (both for Pomerium and passed through to the service), rewrites, header management, load balancing, etc.
+A **Route** defines how to access a service running behind Pomerium. This includes authentication (both for Pomerium and passed through to the service), rewrites, header management, load balancing, etc.
 
 When first installing Pomerium Enterprise, users may want to import existing routes from the open-source Pomerium core. The **Migrate Routes** button accepts the open-source `config.yaml` file and imports routes from it to Pomerium Enterprise.
 

@@ -262,9 +262,7 @@ toc_max_heading_level: 5
 
 [`signing key`]: /docs/reference/signing-key
 [google cloud serverless]: /docs/reference/routes/enable-google-cloud-serverless-authentication
-[policies]: /docs/concepts/policies
 [policy language]: /docs/capabilities/ppl
 [runtime]: /docs/capabilities/reports.md#runtime
-[service accounts]: /docs/concepts/service-accounts
 [spdy]: /docs/reference/routes/timeouts#spdy
 [telemetry]: /docs/capabilities/reports.md#traffic
@@ -159,7 +159,7 @@ To complete this guide, you need:
 
 ### Configure Pomerium
 
-In your Console, create a [policy](/docs/concepts/policies) that allows any authenticated user to access the route:
+In your Console, create a [policy](/docs/capabilities/ppl) that allows any authenticated user to access the route:
 
 1. Select **New Policy**
 2. Enter a **Name** for your policy, like `any authenticated`

@@ -1,4 +1,6 @@
 ---
+# cSpell:ignore localdomain
+
 title: Glossary
 lang: en-US
 keywords:
@@ -60,11 +62,27 @@ The term "Perimeter" in the context of Pomerium and general networking usually r
 
 ### Policy
 
-Pomerium allows administrators to define authorization policies dictating what combination of users, groups, devices, etc, have access to protected services. Open-source Pomerium defines a unique policy to every [route], while Pomerium Enterprise can define reusable policies at the global and [namespace] level.
+A Policy defines what services behind Pomerium a user is authorized to access based on policy criteria, such as user identity and device identity, and the associated request context.
+
+Policies can be applied to [Routes](/docs/capabilities/routing) directly, or enforced within a [Namespace](/docs/capabilities/namespacing). Policies allow operators to add authorization and access control to a single route or collection of routes.
 
 ### Route
 
-Specific to Pomerium, a route is a defined path from outside the network (via a public domain) to an internal service. Routes can be defined in the [configuration](/docs/reference/routes) for open-source Pomerium or the [Pomerium Enterprise Console][pom-routes].
+Specific to Pomerium, a route is a defined path from outside the network (through a public domain) to an internal service. At a very basic level, a route sends traffic from `external-address.company.com` to `internalService-address.localdomain`; a route is restricted by its associated policies and encrypted by your TLS certificates.
+
+Routes can be defined in the [configuration](/docs/reference/routes) for open-source Pomerium or the [Pomerium Enterprise Console][/docs/deploy/enterprise].
+
+More advanced configurations allow identity header pass-through, path and prefix rewrites, request and response header modification, load balancer services, and other full featured ingress capabilities.
+
+For more information, see the [Routing Capabilities])(/docs/capabilities/routing) page.
+
+### Service Account
+
+A service account provides bearer token based authentication for machine-to-machine communication through Pomerium to your protected endpoints. A service account can provide authentication for monitoring services, create API integrations, and other non-human driven scripts or services.
+
+A service account identity can either be based on a user entry in your IdP Directory, or exist as a custom identity managed in a Pomerium Console [Namespace](/docs/capabilities/namespacing).
+
+See the [Service Accounts](/docs/capabilities/service-accounts) capabilities page for more information on how to use service accounts in Pomerium.
 
 ### Single Sign-On
 
@@ -145,7 +163,6 @@ Zero trust is a philosophy and/or framework for security models that includes se
 [policies]: #policy
 [pomerium enterprise]: /docs/deploy/enterprise/install
 [pom-namespace]: /docs/internals/glossary
-[pom-routes]: /docs/concepts/routes
 [route]: #route
 [routes]: #route
 [secure enclave]: #secure-enclave

@@ -91,6 +91,9 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co
 # Reference, capabilities, topics, concepts links
 /docs/reference/readme.html /docs/
 /docs/concepts/namespacing /docs/capabilities/namespacing
+/docs/concepts/policies /docs/internals/glossary#policy
+/docs/concepts/routes /docs/internals/glossary#route
+/docs/concepts/service-accounts /docs/internals/glossary#service-account
 # Redirects incorrectly
 /docs/reference/certificates.html /docs/topics/certificates
 /docs/topics/certificates /docs/concepts/certificates