Clarifying security and access terminology

I was brought in to clarify confusing terminology in a critical IAM settings page for IBM Cloud. I renamed ambiguous labels, updated guidance to reflect changes in backend observability, and aligned content with users’ mental models—making it easier for enterprise users to manage external access to their cloud resources with confidence.

Role

Lead content designer

Scope

Research

SME interviews

Writing

Information architecture

Timeline

6 weeks

Tools

Figma

Overview

 

IBM Cloud IAM provides account-level settings that govern how users interact with services across accounts. One particular setting allowed customers to limit an external user’s access to resources in their account. This setting was buried under unclear labeling.

I was brought in to evaluate and improve the language, making sure it was:

  • Technically accurate

  • Aligned with the mental models of enterprise cloud customers

  • Consistent with other settings in the IAM UI

Through content strategy and UX writing, we made meaningful improvements to labeling and guidance—improving clarity while supporting a concurrent backend observability update.

 
 

Problem statement

 

The original naming, “Cross-account restrictions,” was:

  • Too technical and ambiguous for many users

  • Inconsistent with the surrounding tabs like "Authentication" and "Public access"

  • Not descriptive of the setting's purpose: limiting external account access to resources

Additional confusion stemmed from:

  • The outdated event tracking tool (Activity Tracker) being referenced in the UI, despite a platform-wide move to Cloud Logs

  • The overall settings experience lacking cohesion in voice and terminology

This led to:

  • Increased support requests for clarifying what the setting did

  • Hesitation from users about changing the setting due to unclear consequences

  • A fragmented and inconsistent experience in a critical security context

Before

  1. The term “Cross-account” lacked context.

  2. “Cross-account restrictions” sounded negative and technical, instead of describing what users could do.

  3. Activity Tracker was deprecated but still referenced, creating confusion and eroding trust.

After

  1. “Resources” aligns with existing IAM tab naming conventions and better reflects the nature of the setting.

  2. “External identity interactions” clearly describes the scope: managing access from other accounts’ identities.

  3. The description emphasizes control and customization, not just restriction.

  4. Updated references to Cloud Logs reflect the current observability model and provide next steps for users.

  5. “Learn more” links are more accessible for screen readers because they give context around where the link is going.

Conclusion

This project showed how language can either create or remove friction in technical settings. By renaming and reframing a key IAM control, I helped make external access management clearer and more trustworthy for enterprise users.