mirror of synced 2025-12-19 18:10:59 -05:00

[Improvement]: Add section that describes the factors that determine what a PAT can access (#51694)

Vanessa
2024-08-01 08:49:55 +10:00
committed by GitHub
parent 4436831736
commit 8e546befc8
5 changed files with 9 additions and 0 deletions


@@ -31,6 +31,8 @@ Once a user has authorized your app, you can generate a user access token, which
Requests made with a user access token are sometimes called "user-to-server" requests.
{% data reusables.user-settings.token_access_capabilities %}
If you want to attribute app activity to the app instead of to a user, you should authenticate as an app installation instead. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation)."
{% note %}
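Review bot: The `token_access_capabilities` reusable inserted after the "user-to-server" sentence refers to "the owner of the token", a term this passage does not otherwise use for the user who authorized the app. The other two pages in this commit follow the same reusable with a "For example, ..." sentence. Consider adding one here that names the authorizing user, so the reader does not have to infer who the owner of a user access token is.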


@@ -51,6 +51,8 @@ When you want to use an {% data variables.product.prodname_oauth_app %} that int
{% endtip %}
{% data reusables.user-settings.token_access_capabilities %} For example, an application can create an access token that is configured with an `admin:org` scope, but if the user of the application is not an organization owner, the application will not be granted administrative access to the organization.
{% data reusables.apps.oauth-token-limit %}
### Types of requested data
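Review bot: The example appended to the reusable makes the application the actor ("an application can create an access token that is configured with an `admin:org` scope") and then switches to "the user of the application", while the reusable it follows speaks of "the owner of the token". Consider phrasing the example around the user who authorized the app, and aligning "will not be granted administrative access" with the personal access token page's "will not give administrative access", so the two near-identical examples do not drift apart.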


@@ -33,6 +33,8 @@ For more information, see "[Keeping your {% data variables.product.pat_generic %
{% data variables.product.pat_generic_caps %}s are intended to access {% data variables.product.company_short %} resources on behalf of yourself. To access resources on behalf of an organization, or for long-lived integrations, you should use a {% data variables.product.prodname_github_app %}. For more information, see "[AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/about-creating-github-apps)."
{% data reusables.user-settings.token_access_capabilities %} For example, a {% data variables.product.pat_generic %} can be configured with an `admin:org` scope, but if the owner of the token is not an organization owner, the token will not give administrative access to the organization.
{% ifversion pat-v2 %}
### Types of {% data variables.product.pat_generic %}s
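Review bot: The example after the reusable covers only the scope case (`admin:org`), although the reusable itself says "scopes or permissions" and the very next block is a `{% ifversion pat-v2 %}` section introducing the token types. Consider wording the example so it also covers a token limited by permissions, or stating which token type the `admin:org` example applies to.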


@@ -34,6 +34,8 @@ When creating a {% data variables.product.pat_generic %}, only select the minimu
{% endif %}
{% data reusables.user-settings.token_access_capabilities %}
When creating a {% data variables.product.prodname_github_app %}, select the minimum permissions that your {% data variables.product.prodname_github_app %} will need. For more information, see "[AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/best-practices-for-creating-a-github-app)."
When authenticating with `GITHUB_TOKEN` in a {% data variables.product.prodname_actions %} workflow, only give the minimum amount of permissions needed. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)."
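Review bot: The reusable is placed after `{% endif %}`, between the personal access token guidance and the "When creating a {% data variables.product.prodname_github_app %}" paragraph, so it renders unconditionally and it is not clear which credential it belongs to. If it is meant to close the personal access token guidance, say so in a lead-in or keep it adjacent to that text. Also check that "the owner of the token" reads sensibly this close to the `GITHUB_TOKEN` paragraph.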


@@ -0,0 +1 @@
A token has the same capabilities to access resources and perform actions on those resources, that the owner of the token has, and is further limited by any scopes or permissions granted to the token. A token cannot grant additional access capabilities to a user.
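Review bot: The first sentence of the new reusable is hard to parse because of the comma in "on those resources, that the owner of the token has". Suggest "A token has the same capabilities to access resources and perform actions on those resources as the owner of the token, and is further limited by any scopes or permissions granted to the token." Since this text is now included on four pages, the wording is worth settling here.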