Update desktop access docs for 9.0 (#10406)

* Update desktop access docs for 9.0

- Remove admonition about being in preview
- Add audit events listing
- Break reference.mdx up into separate pages

* Update tile icons

* Address review suggestions

* Another review pass

docs/pages/desktop-access/getting-started.mdx

@@ -4,12 +4,6 @@ description: Connect Teleport to Active Directory and log into a Windows Desktop
 videoBanner: YvMqgcq0MTQ
 ---
 
-<Admonition type="warning" title="Warning">
-  Desktop Access is currently in Preview. Do not use this feature for any
-  critical infrastructure and keep a backup option for accessing your desktop
-  hosts.
-</Admonition>
-
 # Getting Started
 
 In this guide we will connect an Active Directory domain to Teleport using
@@ -365,7 +359,8 @@ the filepath to the `der_ca_file` configuration variable.
 
 In order to enable Desktop Access in Teleport, add the following section in
 `teleport.yaml` on your Linux server. For a detailed description of these
-configuration fields, see the [reference](./reference.mdx) page.
+configuration fields, see the
+[configuration reference](./reference/configuration.mdx) page.
 
 <Details title="Desktop Service Configuration" min="7.0" scopeOnly={true} scope={["oss", "enterprise"]}>
 ```yaml
@@ -437,8 +432,13 @@ spec:
     windows_desktop_logins: ["Administrator"]
 ```
 
-See the [RBAC section](./reference.mdx#rbac) in the Reference documentation
-for more information about setting up Windows Desktop Access permissions.
+<Admonition type="warning" title="RBAC Configuration">
+Ensure that each Teleport user is only assigned Windows logins that they should
+be allowed to access.
+</Admonition>
+
+See the [RBAC page](./rbac.mdx) for more information about setting up
+Windows Desktop Access permissions.
 
 See the [Access Controls Getting Started](../access-controls/getting-started.mdx#step-13-add-local-users-with-preset-roles)
 guide for instructions on how to create or update a user with a given role.

docs/pages/desktop-access/introduction.mdx

@@ -4,22 +4,6 @@ description: Teleport Desktop Access introduction and resources.
 videoBanner: n2h0GisWdss
 ---
 
-<Admonition
-  type="warning"
-  title="Warning"
->
-  Desktop Access is currently in Preview. Do not use this feature for any critical
-  infrastructure and keep a backup option for accessing your desktop hosts.
-
-  Desktop Access Preview:
-
-  - is not compatible with HSM integration.
-  - does not support clipboard sharing.
-  - does not support session recording.
-  - does not support per-session MFA.
-  - may have worse performance than a native RDP client.
-</Admonition>
-
 # Desktop Access
 
 Teleport manages graphical desktop access to remote hosts. With Teleport
@@ -34,7 +18,7 @@ Desktop Access, you get:
   type="note"
   title="Supported platforms"
 >
-  Only Windows hosts accessible over RDP are supported currently. Specifically:
+  Only Windows hosts accessible over RDP are supported. Specifically:
 
   - Windows Server 2012 R2 / Windows 10 or newer
   - Hosts connected to an Active Directory domain
@@ -50,17 +34,20 @@ Desktop Access, you get:
 
 ## Resources
 
-{/*
-
-To learn more about configuring role-based access control for Desktop Access,
-check out [RBAC](./rbac.mdx) section.
-
-TODO: Complete the RBAC section
-
-*/}
-
-See [Reference](./reference.mdx) for an overview of
-Desktop Access related configuration and CLI commands.
+<TileSet>
+  <Tile icon="wrench" title="Configuration" href="./reference/configuration.mdx">
+    Configure Windows Desktop Service
+  </Tile>
+  <Tile icon="lock" title="RBAC" href="./rbac.mdx">
+    Role-based Access Control for Teleport Desktop Access
+  </Tile>
+  <Tile icon="window" title="CLI" href="./reference/cli.mdx">
+    CLI Reference
+  </Tile>
+  <Tile icon="list" title="Audit" href="./reference/audit.mdx">
+    Audit Events
+  </Tile>
+</TileSet>
 
 ## Troubleshooting
 

docs/pages/desktop-access/rbac.mdx

@@ -0,0 +1,138 @@
+---
+title:  Role-Based Access Control for Desktop Access
+description: Role-based access control (RBAC) for Teleport Desktop Access
+---
+
+# Desktop Access Role-Based Access Control
+
+Teleport's RBAC allows administrators to set up granular access policies for
+Windows desktops connected to Teleport.
+
+Teleport's `role` resource provides the following options for controlling
+desktop access:
+
+```yaml
+kind: role
+version: v4
+metadata:
+  name: developer
+spec:
+  options:
+    # Specify whether or not to record the user's desktop sessions.
+    # Desktop session recording is enabled if one or more of the user's
+    # roles has enabled recording. Defaults to true if unspecified.
+    # Desktop sessions will never be recorded if auth_service.session_recording
+    # is set to 'off' in teleport.yaml or if the cluster's session_recording_config
+    # resource has set 'mode: off'.
+    record_sessions:
+      desktop: true
+
+    # Specify whether clipboard sharing should be allowed with the
+    # remote desktop (requires a supported browser). Defaults to true
+    # if unspecified. If one or more of the user's roles has disabled
+    # the clipboard, then it will be disabled.
+    desktop_clipboard: true
+  allow:
+    # Label selectors for desktops this role has access to.
+    windows_desktop_labels:
+      environment: ["dev", "stage"]
+
+    # Windows user accounts this role can connect as.
+    windows_desktop_logins: ["Administrator", "{{internal.windows_logins}}"]
+```
+
+<Admonition type="warning" title="Active Directory Configuration">
+Teleport's RBAC system is not a replacement for proper Active Directory
+administration. Teleport-issued Windows certificates are valid for a small
+amount of time, but they do apply to the entire domain. Proper care should be
+taken to ensure that each Teleport user's roles reflect only the necesary
+Windows logins, and that these Windows users are properly secured.
+</Admonition>
+
+## Labeling
+
+Both `allow` and `deny` rules support `windows_desktop_labels` selectors. These
+selectors are matched against the labels set on the desktop. It is possible to
+use wildcards (`"*"`) to match all desktop labels.
+
+Windows desktops acquire labels in two ways:
+
+1. The `host_labels` rules defined in the `windows_desktop_service` section of
+   your Teleport configuration file.
+2. Automatic `teleport.dev/` labels applied by Teleport (for desktops discovered
+   via LDAP only)
+
+For example, the following `host_labels` configuration would apply the
+`environment: dev` label to a Windows desktop named `test.dev.example.com`
+and the `environment: prod` label to `desktop.prod.example.com`:
+
+```yaml
+  host_labels:
+  - match: '^.*\.dev\.example\.com$'
+    labels:
+      environment: dev
+  - match: '^.*\.prod\.example\.com$'
+    labels:
+      environment: prod
+```
+
+For desktops discovered via LDAP, Teleport applies the following labels automatically:
+
+| Label | LDAP Attribute | Example |
+| ----- | -------------- | ------- |
+| `teleport.dev/computer_name` | `name` | `WIN-I5G06B8RT33`
+| `teleport.dev/dns_host_name` | [`dNSHostName`](https://docs.microsoft.com/en-us/windows/win32/adschema/a-dnshostname) | `WIN-I5G06B8RT33.example.com`
+| `teleport.dev/os` | [`operatingSystem`](https://docs.microsoft.com/en-us/windows/win32/adschema/a-operatingsystem) | `Windows Server 2012`
+| `teleport.dev/os_version`| [`osVersion`](https://docs.microsoft.com/en-us/windows/win32/adschema/a-operatingsystemversion) | `4.0`
+| `teleport.dev/windows_domain`| Sourced from config | `example.com`
+| `teleport.dev/is_domain_controller` | `primaryGroupID` | `true`
+
+## Logins
+
+The `windows_desktop_logins` role setting lists the Windows user accounts that
+the role permits access to. For local users, the `{{internal.windows_logins}}`
+variable can be used as a placeholder for the user's `windows_logins` trait. The
+`windows_logins` trait can be specified when the user is created with
+`tctl users add alice --windows-logins=Administrator,DBUser`.
+
+New clusters automatically populate the preset `access` role with the following:
+
+```yaml
+allow:
+  windows_desktop_logins: ["{{internal.windows_logins}}"]
+```
+
+## Clipboard Access
+
+In order for a user to copy and paste between a remote desktop and their local
+workstation, clipboard sharing must be enabled for the user. The
+`desktop_clipboard` role option defaults to enabled if unspecified. To disable
+clipboard sharing for a Teleport user, ensure that they are assigned at least
+one role that explicitly disables clipboard sharing:
+
+```yaml
+desktop_clipboard: false
+```
+
+## Session Recording
+
+In order for a Teleport user's desktop sessions to be recorded, the following must
+both be true:
+
+- Session recording is enabled (i.e. not set to `off`) on the cluster. This
+  setting resides in `teleport.yaml` under `auth_service.session_recording`, but
+  can also be configured dynamically via the cluster's
+  `session_recording_config` resource.
+- The user's roles enable desktop session recording.
+
+By default, desktop session recording is considered enabled in Teleport roles
+unless it is explicitly disabled:
+
+```yaml
+record_sessions:
+  desktop: false
+```
+
+In order to disable desktop session recording for a user, *all* of the user's
+roles must disable it. In other words, the presence of a single role which
+enables recording is enough to ensure sessions are recorded.