diff --git a/docs/coming-soon/_category_.json b/docs/coming-soon/_category_.json
new file mode 100644
index 0000000..d6872b5
--- /dev/null
+++ b/docs/coming-soon/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Coming Soon",
+ "position": 7,
+ "link": {
+ "type": "doc",
+ "id": "coming-soon/index"
+ }
+}
diff --git a/docs/coming-soon/index.md b/docs/coming-soon/index.md
new file mode 100644
index 0000000..bbbdcfd
--- /dev/null
+++ b/docs/coming-soon/index.md
@@ -0,0 +1,18 @@
+---
+id: index
+title: Coming Soon
+sidebar_position: 1
+---
+
+# Coming Soon
+
+These features are currently in **early access** and will be fully available in upcoming releases.
+
+## Hub 1.5.0
+
+- [User & Group Management](/hub/user-group-management) — Manage users, groups, roles, and permissions directly in Hub
+- Emergency Access {/* TODO: Replace with link once docs are created */}
+
+## Desktop 1.19.0
+
+- Files-in-use {/* TODO: Replace with link once docs are created */}
diff --git a/docs/hub/user-group-management.md b/docs/hub/user-group-management.md
index ec11037..bbbbf21 100644
--- a/docs/hub/user-group-management.md
+++ b/docs/hub/user-group-management.md
@@ -6,69 +6,185 @@ sidebar_position: 3
# User & Group Management
-Users and groups are managed in [Keycloak](https://www.keycloak.org/), a powerful, open source identity and access management solution.
-In the default configuration Cryptomator Hub provides its own Keycloak instance, but you can also integrate an existing instance.
+:::info Early Access
+This feature is currently in **early access** and will be fully available in an upcoming release.
+:::
-You can access the Keycloak management interface over the admin section of Hub.
+Users and groups are managed directly in the Cryptomator Hub admin interface. As an administrator, you can create, edit, and delete users and groups, assign roles, and manage group memberships.
-
+Access the user and group management from the navigation bar in the admin area.
-There you can perform all users or groups related tasks, such as
-[creating new users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide),
-[deleting users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-deleting-user_server_administration_guide) or
-[manage groups](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-managing-groups_server_administration_guide).
+## User Management {#user-management}
+
+### User List {#user-list}
+
+The user list displays all users in your Hub instance. You can search for users by name or email and see key metrics for each user:
+
+- Number of accessible **vaults**
+- Number of **group** memberships
+- Number of registered **devices**
+
+
+
+### Create User {#create-user}
+
+To create a new user, click the "Create User" button in the user list. Fill in the following fields:
+
+- **Profile Picture URL**: Optional URL to a profile picture
+- **First Name**: The user's first name
+- **Last Name**: The user's last name
+- **Username**: A unique identifier for the user (cannot be changed later)
+- **Email**: The user's email address
+- **Roles**: Assign roles to the user (see [Roles](#roles))
+- **Password**: Set an initial password for the user
+
+
+
+After creation, the user can log in with their credentials and complete the [account setup](your-account.md#account-setup).
+
+### Edit User {#edit-user}
+
+To edit a user, navigate to the user's detail page and click "Edit". You can modify:
+
+- Profile Picture URL
+- First Name
+- Last Name
+- Email
+- Roles
+- Password (set a new password)
:::note
-Subgroups are not supported at this time.
+Username cannot be changed after user creation.
:::
-## Connect External IAM {#connect-external-iam}
+### Delete User {#delete-user}
-Alternatively to the in-house administration, you can also connect Keycloak to other identity and access management solutions (IAM) to keep your user management centralized.
-You can either only synchronize existing users and groups from your IAM (using LDAP or Active Directory) or completely delegate the authentication process to your IAM via OpenID Connect or SAML.
+To delete a user, you can either click the delete button in the user list or navigate to the user's detail page and click on the options button next to the "Edit" button, then select "Delete". A confirmation dialog will appear. Deleting a user will:
-Setting up LDAP synchronization is described in the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#_ldap).
-For OpenID Connect and SAML, the Keycloak documentation provides [general information](https://www.keycloak.org/docs/latest/server_admin/#_identity_broker).
-A good step-by-step guide for connecting Microsoft Entra with OpenID Connect can be found [here](https://dev.to/andremoriya/keycloak-azure-active-directory-4cg4).
+- Remove the user from all groups
+- Revoke access to all vaults
+- Delete all registered devices
-:::note
-With `LDAP`, all users and groups are imported and synchronized with Keycloak, so they are available immediately after setup.
-With `OpenID Connect` or `SAML`, users are unknown to Keycloak and Hub *until they log in for the first time*.
+:::warning
+This action cannot be undone.
:::
+### User Details {#user-details}
+
+The user detail page shows comprehensive information about a user:
+
+- **Groups**: All groups the user is a member of
+- **Accessible Vaults**: Vaults the user has access to (directly or through group membership)
+- **Devices**: All registered devices of the user
+- **Legacy Devices**: Devices registered with older Hub versions (see [Legacy Devices](your-account.md#legacy-devices))
+
+
+
+## Group Management {#group-management}
+
+Groups allow you to organize users and grant vault access to multiple users at once.
+
+### Group List {#group-list}
+
+The group list displays all groups with:
+
+- Number of **members**
+- Number of accessible **vaults**
+
+
+
+### Create Group {#create-group}
+
+To create a new group, click the "Create Group" button. Fill in:
+
+- **Profile Picture URL**: Optional URL to a group picture
+- **Name**: A descriptive name for the group
+
+
+
+### Edit Group {#edit-group}
+
+To edit a group, navigate to the group's detail page and click "Edit". You can modify the group name and profile picture URL.
+
+### Delete Group {#delete-group}
+
+To delete a group, you can either click the delete button in the group list or navigate to the group's detail page and click on the options button next to the "Edit" button, then select "Delete". A confirmation dialog will appear. Deleting a group will:
+
+- Remove all members from the group
+- Revoke group-based vault access (users may still have direct access)
+
:::warning
-Regardless of your choice, your Keycloak instance always contains two local users: `admin` and `syncer`. **Do not edit or delete them!** The first one is for administration tasks and the second one is used to synchronize users and groups between Keycloak and Hub.
+This action cannot be undone.
+:::
+
+### Group Details {#group-details}
+
+The group detail page shows:
+
+- **Members**: All users who are members of this group
+- **Accessible Vaults**: Vaults the group has access to
+
+
+
+### Manage Group Members {#manage-group-members}
+
+From the group detail page, you can:
+
+- **Add Members**: Click "Add Member" to search for and add users to the group
+- **Remove Members**: Click the remove button next to a member to remove them from the group
+
+
+
+:::note
+Subgroups are not supported at this time.
:::
## Roles {#roles}
-There are four different roles in Cryptomator Hub:
+There are three roles in Cryptomator Hub:
-* **user**: A user can open vaults and manage their own account.
-* **admin**: An admin manages the Keycloak realm, can see the audit log, and can create vaults.
-* **create-vault**: Only users with this role can create vaults. The role is inherited by the `admin` role.
+| Role | Description |
+|------|-------------|
+| **user** | Default role. Can open vaults and manage their own account. |
+| **admin** | Can manage users and groups, view audit logs, and create vaults. |
+| **create-vault** | Allows users to create new vaults. Inherited by the admin role. |
-The `user`, `admin`, and `create-vault` roles are assigned to users or groups via the Keycloak admin console by an existing user with the `admin` role.
+Roles are assigned when creating or editing a user. The `user` role is assigned by default to all users.
### Create Vault Role {#create-vault-role}
-By default, this role is only assigned to the `admin` role. This means that only users with the `admin` role can create vaults. If you want to allow other users to create vaults, you can assign the `create-vault` role to them directly or via a group.
+By default, only users with the `admin` role can create vaults. To allow other users to create vaults, assign the `create-vault` role to them when creating or editing the user.
+
+## User Avatars {#user-avatars}
-If you want that all users can create vaults, assigning the `create-vault` role as transient role to the `user` role. This way, every user will have the `create-vault` role as well.
+Users can have profile pictures displayed throughout Hub (e.g., in vault member lists). As an administrator, you can set the profile picture URL when creating or editing a user.
-To allow all users vault creation, assign `create-vault` as a transient role to the `user` role:
+The avatar can be provided as a URL to an image (e.g., `https://example.com/avatar.png`).
-1. Open the Keycloak admin console.
-2. Select `Realm roles`.
-3. Select the `user` role.
-4. Select `Assign role`.
-5. Select the `create-vault` role.
-6. Apply with `Assign`.
+If no profile picture is set, a generated avatar based on the user's name will be displayed.
-## User Avatars {#user-avatars}
+## Enterprise: External Identity Management {#enterprise-external-iam}
+
+
+
+:::info Enterprise Feature
+Connecting external identity and access management (IAM) solutions is available as an Enterprise feature. This allows you to:
+
+- Synchronize users and groups from LDAP or Active Directory
+- Delegate authentication via OpenID Connect or SAML
+- Keep your user management centralized in your existing IAM
-Cryptomator Hub supports user avatars. As an administrator, you can enable this feature in the administration area by creating a user "picture" profile attribute in the "User Profile" setting in the Realm in Keycloak. See [Keycloak Documentation](https://www.keycloak.org/ui-customization/avatars#_setting_a_picture_attribute_from_the_admin_console) for more information.
+You can access the Keycloak management interface from the admin section of Hub. There you can perform all user and group related tasks, such as
+[creating new users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide),
+[deleting users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-deleting-user_server_administration_guide) or
+[managing groups](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-managing-groups_server_administration_guide).
+
+Setting up LDAP synchronization is described in the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#_ldap).
+For OpenID Connect and SAML, the Keycloak documentation provides [general information](https://www.keycloak.org/docs/latest/server_admin/#_identity_broker).
+
+Visit [cryptomator.org](https://cryptomator.org/hub/) for more information about Enterprise features.
-When enabled, users can define their avatar in their Keycloak profile page. The avatar is then displayed in Cryptomator Hub, for example in the vault member list.
-The avatar needs to be provided as a URL (e.g. https://path_to_image.png) or as a Base64 encoded data image (e.g. `data:image/svg+xml;base64,content`).
+:::warning
+Regardless of your IAM setup, your Hub instance always contains two system users: `admin` and `syncer`. **Do not edit or delete them!** These accounts are required for administration and synchronization tasks.
+:::
diff --git a/src/pages/index.module.css b/src/pages/index.module.css
index 62e2b29..73cabfb 100644
--- a/src/pages/index.module.css
+++ b/src/pages/index.module.css
@@ -1,3 +1,20 @@
+.announcementPill {
+ display: inline-block;
+ padding: 0.4rem 1rem;
+ margin-bottom: 1rem;
+ border-radius: 2rem;
+ background-color: rgba(255, 255, 255, 0.15);
+ color: white;
+ font-size: 0.9rem;
+ text-decoration: none;
+}
+
+.announcementPill:hover {
+ background-color: rgba(255, 255, 255, 0.25);
+ color: white;
+ text-decoration: none;
+}
+
.heroLogo {
width: 160px;
height: 160px;
diff --git a/src/pages/index.tsx b/src/pages/index.tsx
index b6b2340..96ed669 100644
--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -15,7 +15,12 @@ function HomepageHeader() {
return (